Best Beginner’s Guide For Cybersecurity Recon with Python
Source: Dev.to – Best Beginner’s Guide for Cybersecurity Recon with Python
What You’ll Learn
By the end of this guide you will be able to:
- Understand the difference between passive and active reconnaissance.
- Define the scope and target effectively for any recon project.
- Use Python to query DNS records, subdomains, and certificate‑transparency logs.
- Perform asynchronous network scans for host and service discovery.
- Organise recon data efficiently for analysis and reporting.
- Apply OPSEC and rate‑limiting techniques to stay stealthy during recon.
These skills form a solid foundation for:
- Penetration testing
- Bug bounty hunting
- OSINT investigations
Ready to dive in? Continue to the next sections for hands‑on examples and code snippets.
Prerequisites
Before you begin, make sure you have a Python 3.12 environment ready. The libraries listed below are recommended for reconnaissance tasks.
| Library | Purpose |
|---|---|
| asyncio / trio | Run thousands of I/O-bound tasks concurrently without threads |
| httpx | Async HTTP/HTTPS requests; HTTP/2 and SOCKS proxying need the `http2` and `socks` extras |
| aiodns | Asynchronous DNS resolution (c-ares based); needed for MX, TXT, NS and SRV lookups, which `socket.getaddrinfo` cannot do |
| ipwhois | ASN and prefix lookups |
| rich | Pretty terminal output with progress bars |
| pandas | Data organisation, CSV/HTML export |
Setup
```bash
# Create a virtual environment
python3 -m venv recon
source recon/bin/activate
# Install the required packages (quote the extras so the shell does not treat the brackets as a glob)
pip install "httpx[http2,socks]" aiodns ipwhois rich pandas
```
Recon Fundamentals: Active vs Passive
Passive Recon
- No direct interaction with the target.
- Typical sources: WHOIS, crt.sh, Shodan, GitHub, leaked databases.
- Stealthy – leaves no logs on the target's own systems (the third-party services you query, such as crt.sh or Shodan, do log your requests).
Active Recon
- Direct probing: DNS queries, port scans, banner grabbing, web crawling.
- Powerful, but every probe is logged on the target side and can trigger IDS/WAF alerts or blocking, so run it only against hosts inside the agreed scope.
Rule: Always start with passive recon. It is safer, free, and narrows down what you later need to probe actively.
Canonical Workflow
| # | Phase | Description |
|---|---|---|
| 1 | Scope Definition | Identify IP ranges, domains, and employee aliases. |
| 2 | Passive Recon | Collect publicly available artefacts. |
| 3 | Correlation & Pivot | Deduplicate data, enrich findings, generate leads. |
| 4 | Active Recon | Probe live hosts, services, and versions. |
| 5 | Reporting | Export results in structured JSON or CSV for analysis. |
DNS Records Overview
DNS is the foundation of how the Internet identifies and routes traffic. Understanding record types gives early insights into an organization’s online structure.
A / AAAA – Host‑to‑IP Mapping
- A – IPv4 address.
- AAAA – IPv6 address.
These records reveal where a service is hosted (cloud provider, on‑prem, shared hosting).
CNAME – Aliases and CDNs
blog.example.com → cname → example-blog.hosting.net
Typical services revealed:
- CDN providers (Cloudflare, Akamai)
- Email platforms
- SaaS dashboards
- Cloud hosting environments (AWS, GCP, Azure)
NS – Authoritative Servers
NS records indicate which servers are authoritative for a domain, helping you infer:
- Hosting provider
- Whether DNS is self‑managed or outsourced
- Redundancy / failover configuration
- Possible subdomains, if a nameserver is misconfigured to allow unauthenticated zone transfers (AXFR)
Note: Self‑hosted nameservers usually indicate an organisation that runs its own infrastructure rather than relying on a managed DNS provider.
MX – Email Routing
MX records show the mail servers responsible for receiving email and can reveal:
- Use of Google Workspace, Microsoft 365, or custom mail servers
- Legacy or insecure mail systems
- Additional subdomains tied to mail infrastructure
TXT – Security Policies & Verification Artefacts
| Purpose | Example |
|---|---|
| Email authentication | SPF, DKIM, DMARC |
| Domain verification | Cloud/SaaS verification tokens |
| Public disclosures | Security policies, ownership statements |
| Miscellaneous | Custom metadata; occasionally tokens or keys that were never meant to be public |
Note: SPF, DKIM, and DMARC together let receiving servers detect spoofed mail. Check the DMARC policy tag: `p=none` only asks for reports and blocks nothing, while `p=quarantine` or `p=reject` is actual enforcement.
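The email-authentication records are worth parsing rather than just reading, because their details are findings in themselves: SPF `include:` terms name the mail platform, `ip4:`/`ip6:` terms hand you address ranges, and a DMARC `p=none` means nothing is enforced. The block below is an added example and not code from the original article. It works on constructed TXT records embedded in the block; the `SAMPLE_TXT` dictionary and the `KNOWN_INCLUDES` mapping are assumptions made for the demo. In a live run you would feed `summarise()` the TXT strings your resolver returns for `example.com` and `_dmarc.example.com`.

```python
# Added example: what SPF and DMARC TXT records reveal during passive recon.

# Constructed TXT records for a fictional zone (not the result of real lookups).
SAMPLE_TXT = {
    "example.com": [
        "google-site-verification=abc123def456",
        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.google.com "
        "include:spf.protection.outlook.com -all",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100",
    ],
}

# Well-known SPF include domains and the mail platform they imply (assumed mapping for the demo).
KNOWN_INCLUDES = {
    "_spf.google.com": "Google Workspace",
    "spf.protection.outlook.com": "Microsoft 365",
}


def parse_spf(record):
    """Split an SPF record into IP ranges, include domains and the qualifier of its 'all' term."""
    spf = {"ip_ranges": [], "includes": [], "all": None}
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"                      # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            spf["ip_ranges"].append(term.split(":", 1)[1])
        elif term.startswith("include:"):
            spf["includes"].append(term.split(":", 1)[1].lower())
        elif term == "all":
            spf["all"] = qualifier           # '-' hard fail, '~' soft fail, '?' neutral, '+' pass
    return spf


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def summarise(txt_records, domain):
    """Combine the TXT records of <domain> and _dmarc.<domain> into recon findings."""
    findings = {"providers": [], "ip_ranges": [], "spf_all": None,
                "dmarc_policy": None, "dmarc_enforced": False, "dmarc_reports": []}
    for record in txt_records.get(domain, []):
        if record.lower().startswith("v=spf1"):
            spf = parse_spf(record)
            findings["ip_ranges"] = spf["ip_ranges"]
            findings["spf_all"] = spf["all"]
            findings["providers"] = [KNOWN_INCLUDES.get(inc, inc) for inc in spf["includes"]]
    for record in txt_records.get("_dmarc." + domain, []):
        if record.upper().startswith("V=DMARC1"):
            tags = parse_dmarc(record)
            findings["dmarc_policy"] = tags.get("p")
            # Only quarantine/reject make receivers act on spoofed mail; p=none just reports.
            findings["dmarc_enforced"] = tags.get("p") in ("quarantine", "reject")
            findings["dmarc_reports"] = [uri.strip().removeprefix("mailto:")
                                         for uri in tags.get("rua", "").split(",") if uri.strip()]
    return findings


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_TXT, "example.com").items():
        print(f"{key:15} {value}")
```

Two things to notice in the output for the sample zone: the `include:` terms identify both Google Workspace and Microsoft 365, which often means a migration in progress, and the DMARC policy is `p=none`, so the `-all` in SPF is not backed by enforcement at the receiving end.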
SRV – Service Discovery
SRV records specify a hostname and port for a named service, for example `_ldap._tcp.dc._msdcs.example.com` and `_kerberos._tcp.example.com` (Active Directory domain controllers), `_sip._tls.example.com` (Skype for Business / Lync), XMPP, and game servers. They can uncover:
- Internal authentication services
- Directory services
- Infrastructure dependencies not visible on the public web
Subdomain Discovery – Expanding the Attack Surface
Subdomains often host unique applications, APIs, admin panels, or onboarding systems (e.g., api.example.com, vpn.example.com, dev.example.com). Discovering them widens the attack surface.
1. Passive Enumeration
Collect information from external sources that already monitor the Internet:
- Certificate Transparency (CT) logs
- Historical DNS data
- Search‑engine dorks
Each source reveals a different layer of a domain’s evolution.
2. Certificate Transparency Logs
Publicly trusted CAs log the certificates they issue to public CT logs, and Chrome and Safari reject certificates that carry no CT proof, so in practice every HTTPS site's certificate is searchable. Every hostname on those certificates is exposed, including subdomains that were meant to stay private. CT logs are append‑only and keep expired certificates, so expect many of the names you find to no longer resolve.
| Tool / Service | Description |
|---|---|
| crt.sh | Public CT‑log search engine |
| bufferover.run | Aggregates CT, DNS, and reverse‑lookup datasets |
Example subdomains found via CT logs
api.example.com
dev.example.com
staging-api.example.com
internal-vpn.example.com
Beginner‑friendly Python script to fetch CT logs
```python
import httpx  # listed in the prerequisites; 'requests' would work the same way

domain = "example.com"
# %25 is a URL-encoded '%', the wildcard crt.sh expects in its query
url = f"https://crt.sh/?q=%25.{domain}&output=json"
try:
    response = httpx.get(url, timeout=30)  # crt.sh is often slow; 10 s times out frequently
    response.raise_for_status()
    entries = response.json()
    subdomains = set()
    for entry in entries:
        # one entry can list several SANs separated by newlines, some as '*.' wildcards
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().lstrip("*.")
            if name == domain or name.endswith("." + domain):  # keep only the target's names
                subdomains.add(name)
    for sub in sorted(subdomains):
        print(sub)
except (httpx.HTTPError, ValueError) as e:  # ValueError covers a non-JSON error page
    print(f"Error fetching CT logs: {e}")
```
Replace example.com with your target domain. The script asks crt.sh for every certificate whose name matches `%.example.com` (crt.sh uses `%` as a wildcard), splits entries that list several names, drops the `*.` wildcard prefix, and prints a deduplicated list of hostnames under the target. Treat the list as leads rather than live hosts: CT logs retain expired certificates, so confirm with DNS which names still resolve before probing them.
3. Next Steps
- Merge passive data with active probing – e.g., resolve the discovered names, send HTTP requests, run port scans.
- Store results in a `pandas` DataFrame for easy export to CSV/JSON.
- Stay stealthy – bound concurrency with `asyncio.Semaphore`, add delays with `asyncio.sleep`, and rotate user‑agents by setting the `User-Agent` header on your `httpx` client.
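The three steps above as one added example, not code from the original article: a connect scanner built on the standard library only, with `asyncio.Semaphore` bounding in‑flight connections, optional random jitter between probes, banner capture, and dict output that serialises straight to JSON for the reporting phase. `DEFAULT_PORTS`, the banner sent by the demo service, and the loopback target are assumptions made so the block runs self‑contained; in practice you point `scan()` at the addresses `resolve()` returns for names in your scope.

```python
# Added example: async TCP connect scan with bounded concurrency, jitter and banner capture.
import asyncio
import json
import random
import socket

# Ports for a first-pass service discovery (a choice made for this example).
DEFAULT_PORTS = (22, 80, 443, 8080, 8443)


async def resolve(names):
    """Map each hostname to its A/AAAA addresses; names that do not resolve are dropped."""
    loop = asyncio.get_running_loop()

    async def one(name):
        try:
            infos = await loop.getaddrinfo(name, None, type=socket.SOCK_STREAM)
        except socket.gaierror:
            return name, []
        return name, sorted({info[4][0] for info in infos})

    pairs = await asyncio.gather(*(one(n) for n in names))
    return {name: addrs for name, addrs in pairs if addrs}


async def probe(host, port, sem, timeout=2.0, max_jitter=0.0):
    """One TCP connect; returns a dict describing the port and any banner the service sent."""
    async with sem:                                            # bounded concurrency
        if max_jitter:
            await asyncio.sleep(random.uniform(0, max_jitter))  # de-synchronise the probes
        try:
            reader, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout=timeout)
        except (OSError, asyncio.TimeoutError):               # refused, unreachable or filtered
            return {"host": host, "port": port, "state": "closed", "banner": ""}
        try:
            # SSH, SMTP and FTP talk first; read whatever the service volunteers.
            data = await asyncio.wait_for(reader.read(128), timeout=1.0)
            banner = data.decode("utf-8", "replace").strip()
        except (OSError, asyncio.TimeoutError):
            banner = ""
        finally:
            writer.close()
        return {"host": host, "port": port, "state": "open", "banner": banner}


async def scan(hosts, ports=DEFAULT_PORTS, concurrency=50, timeout=2.0, max_jitter=0.0):
    """Connect-scan every host/port pair with at most `concurrency` sockets in flight."""
    sem = asyncio.Semaphore(concurrency)
    results = await asyncio.gather(
        *(probe(h, p, sem, timeout, max_jitter) for h in hosts for p in ports))
    return [r for r in results if r["state"] == "open"]


async def _demo():
    """Self-contained run: start a local banner-speaking service, scan it plus a closed port."""
    async def handle(reader, writer):
        writer.write(b"SSH-2.0-DemoBanner\r\n")                 # constructed banner for the demo
        await writer.drain()
        writer.close()

    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    open_port = server.sockets[0].getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]                       # released below, so it refuses
    spare.close()
    try:
        hosts = await resolve(["127.0.0.1"])                   # a literal IP resolves without DNS
        targets = [addr for addrs in hosts.values() for addr in addrs]
        return await scan(targets, ports=(open_port, closed_port), concurrency=2, max_jitter=0.05)
    finally:
        server.close()


def demo():
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))   # structured output ready for the reporting phase
```

A connect scan completes the TCP handshake, so every open port you find also appears in the target's own accept logs; this is squarely active recon, and the semaphore and jitter only shape the traffic, they do not hide it. Keep `concurrency` low and `max_jitter` non‑zero on engagements where noise matters.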
With these fundamentals you’re ready to build more advanced recon pipelines, integrate additional data sources, and transition smoothly into full‑scale penetration testing or bug‑bounty workflows.