Host Module

The host analysis module examines the infrastructure behind discovered assets, including port scanning, CDN detection, WAF identification, cloud enumeration, and geolocation.

Module Overview

Function

Purpose

Tools

portscan

Port discovery (passive + active)

nmap, smap

cdnprovider

CDN detection and filtering

cdncheck

waf_checks

WAF detection

wafw00f

favicon

Real IP discovery via favicon

fav-up

cloud_extra_providers

Extra cloud storage enumeration

curl

geo_info

IP geolocation

ipinfo

banner_grabber

Service banner extraction

nmap

Configuration Options

# In reconftw.cfg

# Master toggle
PORTSCANNER=true

# Port scanning
PORTSCAN_PASSIVE=true     # Shodan-based (requires API key)
PORTSCAN_ACTIVE=true      # Nmap-based

# Nmap options
PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners"

# Other host checks
FAVICON=true              # Favicon IP discovery
CDN_IP=true               # CDN detection
GEO_INFO=true             # Geolocation
WAF_DETECTION=true        # WAF detection

# IPv6
IPV6_SCAN=true            # IPv6 discovery

Port Scanning

Passive Port Scanning (Shodan)

Uses Shodan API to retrieve port/service information without touching the target.

How It Works:

IP addresses → smap (Shodan query) → 
→ Return known open ports → hosts/portscan_passive.txt

Advantages:

No direct target interaction
Historical data available
Fast results

Limitations:

Requires Shodan API key
Data may be outdated
Only indexed hosts

Output:

hosts/portscan_passive.txt

Sample Output:

192.168.1.10
  22/tcp    ssh         OpenSSH 8.2
  80/tcp    http        nginx 1.18
  443/tcp   https       nginx 1.18
  3306/tcp  mysql       MySQL 8.0

Configuration:

PORTSCAN_PASSIVE=true
SHODAN_API_KEY="your_key"  # In secrets.cfg

Active Port Scanning (Nmap)

Performs direct port scanning against target IPs.

How It Works:

IP addresses (non-CDN) → nmap → 
→ Scan ports → Service detection → Vuln scripts → Output

Default Scan Options:

PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open --max-retries 2 --script vulners"

Option Breakdown:

Option

Description

--top-ports 200

Scan top 200 ports

-sV

Version detection

-n

No DNS resolution

-Pn

Skip host discovery

--open

Show only open ports

--max-retries 2

Retry limit

--script vulners

Check for CVEs

Output:

hosts/portscan_active.txt      # Human readable
hosts/portscan_active.xml      # Nmap XML format
hosts/portscan_active.gnmap    # Greppable format

Sample Output:

Nmap scan report for 192.168.1.10
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.2p1
| vulners: 
|   CVE-2020-15778  6.8
80/tcp    open  http       nginx 1.18.0
443/tcp   open  ssl/https  nginx 1.18.0
3306/tcp  open  mysql      MySQL 8.0.26

Configuration:

PORTSCAN_ACTIVE=true
PORTSCAN_ACTIVE_OPTIONS="--top-ports 200 -sV -n -Pn --open"

Custom Scan Profiles:

# Quick scan (top 100 ports)
PORTSCAN_ACTIVE_OPTIONS="--top-ports 100 -Pn --open"

# Full port scan (all ports)
PORTSCAN_ACTIVE_OPTIONS="-p- -sV -sC -Pn --open"

# Stealth scan (slower, less detectable)
PORTSCAN_ACTIVE_OPTIONS="-sS -T2 --top-ports 1000 -Pn"

CDN Detection

`cdnprovider` - CDN Identification

Identifies IPs behind CDN providers to avoid scanning CDN infrastructure.

Why It Matters:

CDN IPs don't represent the actual target
Scanning CDNs wastes resources
May violate CDN terms of service
Focus on real infrastructure

CDN Providers Detected:

Cloudflare
Akamai
Fastly
CloudFront
Incapsula
And many more...

How It Works:

All IPs → cdncheck → 
→ Identify CDN IPs → Separate into cdn.txt and non-cdn IPs

Output:

hosts/cdn.txt          # CDN IPs (excluded from active scans)
hosts/ips.txt          # Non-CDN IPs (scanned)

Sample Output:

# cdn.txt
104.16.132.229 [cloudflare]
151.101.1.195 [fastly]
13.32.123.45 [cloudfront]

# ips.txt (non-CDN, will be scanned)
192.168.1.10
10.0.0.5

Configuration:

CDN_IP=true

WAF Detection

`waf_checks` - Web Application Firewall Detection

Identifies WAF/security products protecting web applications.

WAFs Detected:

Cloudflare
AWS WAF
Akamai
Imperva/Incapsula
ModSecurity
Sucuri
F5 BIG-IP
And 100+ more...

How It Works:

webs.txt → wafw00f → 
→ Send probe requests → Analyze responses → Identify WAF

Output:

hosts/waf.txt

Sample Output:

https://www.example.com
  WAF: Cloudflare
  Detected by: Response headers, Server header
  
https://api.example.com
  WAF: AWS WAF
  Detected by: Response behavior
  
https://admin.example.com
  WAF: None detected

Why It Matters:

Adjust attack strategies
Understand defensive posture
Identify bypass opportunities
Report in findings

Configuration:

WAF_DETECTION=true

Favicon Analysis

`favicon` - Real IP Discovery

Discovers real IP addresses behind CDN/proxy by analyzing favicon hashes.

How It Works:

Known favicon hash → Shodan search → 
→ Find servers with same favicon → Potential real IPs

Technique:

Download favicon from target
Calculate hash (MurmurHash3)
Search Shodan for matching hashes
Servers with same favicon may be the real origin

Output:

hosts/favicontest.txt

Sample Output:

# Favicon hash: -1234567890
Real IP candidates:
  192.168.1.100 (Direct match)
  10.0.0.50 (Partial match)

Configuration:

FAVICON=true
SHODAN_API_KEY="your_key"  # Required

Geolocation

`geo_info` - IP Geolocation

Retrieves geographic information for discovered IP addresses.

Information Gathered:

Country
Region/State
City
Organization/ISP
ASN

How It Works:

IP addresses → ipinfo.io API → 
→ Geolocation data → hosts/geo.txt

Output:

hosts/geo.txt

Sample Output:

192.168.1.10
  Country: United States
  Region: California
  City: San Francisco
  Org: Example Hosting Inc.
  ASN: AS12345
  
10.0.0.5
  Country: Germany
  Region: Hesse
  City: Frankfurt
  Org: AWS
  ASN: AS16509

Use Cases:

Understand infrastructure distribution
Identify hosting providers
Compliance/jurisdiction issues
Attack surface mapping

Configuration:

GEO_INFO=true

Cloud Storage Enumeration

`cloud_extra_providers` - Extra Cloud Provider Checks

Discovers misconfigured cloud storage buckets beyond standard S3 enumeration.

Cloud Providers Checked:

Google Cloud Storage (GCS)
- https://storage.googleapis.com/{name}/
- https://{name}.storage.googleapis.com/
Azure Blob Storage
- https://{name}.blob.core.windows.net/{container}
- Tests common containers: public, static, media, images, assets, backup, files, cdn

How It Works:

Domain → Extract company/brand names → 
→ Generate candidate bucket names → Test cloud URLs →
→ Check for public access (200/403) → Report findings

Name Generation:

Domain root (e.g., "example" from "example.com")
Company name variations
Subdomain prefixes (e.g., "api", "dev", "staging")
Combined with common container names

Output:

subdomains/cloud_extra.txt

Sample Output:

GCS examplecorp https://storage.googleapis.com/examplecorp/ 
GCS example-backup https://example-backup.storage.googleapis.com/
AZURE examplecorp/public https://examplecorp.blob.core.windows.net/public
AZURE example-dev/static https://example-dev.blob.core.windows.net/static

What It Finds:

Publicly accessible storage buckets
Buckets returning 403 (exist but restricted - worth manual testing)
Misconfigured backup/static file storage

Security Implications:

Public buckets may contain sensitive data
403 responses confirm bucket existence (enumeration value)
Backup buckets often contain valuable data

Note: This complements the OSINT module's cloud_enum function by testing additional providers and name variations.

IPv6 Scanning

IPv6 Discovery and Scanning

Discovers and scans IPv6 addresses when available.

How It Works:

Subdomains → DNS AAAA records → 
→ IPv6 addresses → Include in scanning

Configuration:

IPV6_SCAN=true

Note: IPv6 scanning may reveal additional attack surface not visible via IPv4.

Data Flow

┌─────────────────────────────────────────────────────────────────────┐
│                      Host Analysis Flow                              │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌────────────────┐                                                  │
│  │ subdomains.txt │                                                  │
│  └───────┬────────┘                                                  │
│          │                                                           │
│          ▼                                                           │
│  ┌────────────────┐                                                  │
│  │  DNS Resolution│ (sub_dns)                                        │
│  └───────┬────────┘                                                  │
│          │                                                           │
│          ▼                                                           │
│  ┌────────────────┐                                                  │
│  │   All IPs      │                                                  │
│  └───────┬────────┘                                                  │
│          │                                                           │
│          ▼                                                           │
│  ┌────────────────┐     ┌────────────────┐                          │
│  │  cdnprovider   │────▶│    cdn.txt     │ (excluded)               │
│  └───────┬────────┘     └────────────────┘                          │
│          │                                                           │
│          ▼                                                           │
│  ┌────────────────┐                                                  │
│  │  Non-CDN IPs   │                                                  │
│  └───────┬────────┘                                                  │
│          │                                                           │
│    ┌─────┴─────┬─────────────┬─────────────┐                        │
│    ▼           ▼             ▼             ▼                        │
│ ┌──────┐  ┌────────┐   ┌─────────┐   ┌─────────┐                   │
│ │ nmap │  │ shodan │   │ wafw00f │   │ geo_info│                   │
│ │active│  │passive │   │  (WAF)  │   │  (geo)  │                   │
│ └──┬───┘  └───┬────┘   └────┬────┘   └────┬────┘                   │
│    │          │             │             │                         │
│    ▼          ▼             ▼             ▼                         │
│ portscan_  portscan_     waf.txt      geo.txt                       │
│ active.txt passive.txt                                               │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

Output Files Summary

File

Content

hosts/ips.txt

All resolved IP addresses

hosts/cdn.txt

IPs identified as CDN

hosts/portscan_passive.txt

Shodan port results

hosts/portscan_active.txt

Nmap scan results

hosts/portscan_active.xml

Nmap XML output

hosts/portscan_active.gnmap

Nmap greppable output

hosts/waf.txt

WAF detection results

hosts/geo.txt

Geolocation data

hosts/favicontest.txt

Favicon real IP discovery

hosts/grpc_reflection.txt

gRPC services with reflection

subdomains/cloud_extra.txt

Extra cloud storage findings

Integration with Vulnerability Scanning

Host analysis results feed into vulnerability scanning:

Port scan results → Password spraying targets
Service versions → CVE matching (vulners script)
Non-CDN IPs → Focus active testing
WAF detection → Adjust attack strategies

Best Practices

CDN Awareness: Don't waste resources scanning CDN IPs
Rate Limiting: Aggressive port scans can trigger alerts
Authorization: Ensure port scanning is in scope
Service Detection: Version info helps identify vulnerabilities
Passive First: Start with Shodan to minimize noise
IPv6 Coverage: Don't forget IPv6 attack surface

Nmap Scan Customization

Quick Discovery

PORTSCAN_ACTIVE_OPTIONS="--top-ports 100 -Pn -T4"

Full Scan

PORTSCAN_ACTIVE_OPTIONS="-p- -sV -sC -Pn"

Stealth Scan

PORTSCAN_ACTIVE_OPTIONS="-sS -T2 --top-ports 1000 -Pn"

Service Focus

PORTSCAN_ACTIVE_OPTIONS="-p 21,22,23,25,80,443,3306,5432,6379,27017 -sV -Pn"

Next Steps

Tools Reference - All integrated tools
Output Interpretation - Understand results

PreviousVulnerability Module NextIntegrated Tools

Last updated 2 minutes ago

Good afternoon

hashtagModule Overview

hashtagConfiguration Options

hashtagPort Scanning

hashtagPassive Port Scanning (Shodan)

hashtagActive Port Scanning (Nmap)

hashtagCDN Detection

hashtagcdnprovider - CDN Identification

hashtagWAF Detection

hashtagwaf_checks - Web Application Firewall Detection

hashtagFavicon Analysis

hashtagfavicon - Real IP Discovery

hashtagGeolocation

hashtaggeo_info - IP Geolocation

hashtagCloud Storage Enumeration

hashtagcloud_extra_providers - Extra Cloud Provider Checks

hashtagIPv6 Scanning

hashtagIPv6 Discovery and Scanning

hashtagData Flow

hashtagOutput Files Summary

hashtagIntegration with Vulnerability Scanning

hashtagBest Practices

hashtagNmap Scan Customization

hashtagQuick Discovery

hashtagFull Scan

hashtagStealth Scan

hashtagService Focus

hashtagNext Steps

Module Overview

Configuration Options

Port Scanning

Passive Port Scanning (Shodan)

Active Port Scanning (Nmap)

CDN Detection

`cdnprovider` - CDN Identification

WAF Detection

`waf_checks` - Web Application Firewall Detection

Favicon Analysis

`favicon` - Real IP Discovery

Geolocation

`geo_info` - IP Geolocation

Cloud Storage Enumeration

`cloud_extra_providers` - Extra Cloud Provider Checks

IPv6 Scanning

IPv6 Discovery and Scanning

Data Flow

Output Files Summary

Integration with Vulnerability Scanning

Best Practices

Nmap Scan Customization

Quick Discovery

Full Scan

Stealth Scan

Service Focus

Next Steps