Full external attack surface report

Overview

This workflow automates complete external attack surface reconnaissance by combining subdomain enumeration, service fingerprinting, SSL/TLS analysis, CVE correlation, directory enumeration, and API endpoint discovery into a unified assessment. It generates a comprehensive HTML report with filterable tables presenting all discovered assets, vulnerabilities, and metadata to provide security teams with actionable intelligence for penetration testing and risk assessment.

How It Works

  1. Target Input Processing: Accepts domain targets and wordlist configurations through input nodes to define reconnaissance scope and enumeration parameters.
  2. Comprehensive Subdomain Discovery: Executes parallel subdomain enumeration using Subfinder for passive intelligence gathering and DNSDumpster for DNS-based discovery, identifying the complete subdomain infrastructure.
  3. Network Service Fingerprinting: Launches Nmap scans against all discovered subdomains to identify open ports, running services, service versions, operating systems, and technology stack across the entire attack surface.
  4. SSL/TLS Security Assessment: Deploys testssl.sh against all HTTPS services to analyze SSL/TLS configurations, certificate validity, weak cipher suites, and protocol vulnerabilities.
  5. CVE Database Correlation: Queries vulnerability databases using identified technologies and service versions to map known CVEs and security weaknesses to discovered services, enabling immediate vulnerability prioritization.
  6. Directory and File Enumeration: Executes Feroxbuster with comprehensive wordlists to brute-force directory structures, hidden paths, backup files, and sensitive endpoints across all web services.
  7. API Endpoint Discovery: Deploys ZAP's crawler and additional fuzzing techniques to systematically discover API endpoints, undocumented interfaces, and application entry points.
  8. HTTP Metadata Collection: Runs httpx against all discovered endpoints to validate accessibility and extract detailed metadata including response codes, content-type headers, body sizes, and server technology fingerprints.
  9. Data Consolidation and Processing: Processes all reconnaissance results through scripting agent nodes to merge, normalize, and structure data from multiple security tools into a unified intelligence dataset.
  10. Comprehensive Report Generation: Produces a detailed HTML report with multiple filterable tables organizing findings by subdomains, services, vulnerabilities, directories, and API endpoints, enabling efficient analysis and target prioritization for security assessments.
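
The merge-and-normalize stage from step 9, as an added sketch that is not the workflow's own script: the record fields (host, source, port, service, url, status_code) and the sample data are constructed for illustration and are not the tools' real output schemas. It deduplicates hostnames and drops anything outside the authorized root domains before it reaches the report.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def norm_host(name):
    """Lowercase; strip whitespace, a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(host, roots):
    """Match a root or a true subdomain; bare endswith(root) would admit notexample.com."""
    return any(host == r or host.endswith("." + r) for r in roots)

def consolidate(roots, subdomains, services, http_probes):
    """Merge per-tool records into one entry per in-scope host; report what was dropped."""
    roots = {norm_host(r) for r in roots}
    assets = defaultdict(lambda: {"sources": set(), "services": {}, "http": {}})
    dropped = set()

    def asset(raw_host):
        host = norm_host(raw_host)
        if in_scope(host, roots):
            return assets[host]
        dropped.add(host)
        return None

    for rec in subdomains:
        if (a := asset(rec["host"])) is not None:
            a["sources"].add(rec["source"])
    for rec in services:  # keyed by port, so repeated scan rows collapse
        if (a := asset(rec["host"])) is not None:
            a["services"][rec["port"]] = rec.get("service", "unknown")
    for rec in http_probes:  # the probe reports URLs; attribute them to their host
        if (a := asset(urlsplit(rec["url"]).hostname or "")) is not None:
            a["http"][rec["url"]] = rec["status_code"]
    return dict(assets), sorted(dropped)

# Constructed sample records (hypothetical field names, not real tool output)
SUBS = [{"host": "WWW.example.com.", "source": "passive"},
        {"host": "www.example.com", "source": "dns"},
        {"host": "*.dev.example.com", "source": "passive"},
        {"host": "example.com.other.test", "source": "passive"}]
SERVICES = [{"host": "www.example.com", "port": 443, "service": "https"},
            {"host": "www.example.com.", "port": 443, "service": "https"}]
HTTP = [{"url": "https://www.example.com/", "status_code": 200},
        {"url": "https://notexample.com/login", "status_code": 200}]

if __name__ == "__main__":
    assets, dropped = consolidate(["example.com"], SUBS, SERVICES, HTTP)
    print(sorted(assets), dropped)
```

The dropped list is worth keeping in the report: hosts that a tool returned but that fall outside the declared roots usually indicate a scope definition or wordlist problem.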

Who is this for?

  • Penetration testers requiring complete external attack surface intelligence before security engagements
  • Red team operators conducting comprehensive reconnaissance during pre-engagement planning phases
  • Security consultants performing full-scope external security assessments and vulnerability analysis for clients
  • Bug bounty hunters maximizing target discovery and vulnerability identification within authorized scope
  • Security teams conducting periodic external exposure audits and attack surface management reviews
  • Risk assessment professionals evaluating organizational external security posture and threat exposure

What problem does this workflow solve?

  • Eliminates fragmented reconnaissance efforts by consolidating subdomain discovery, service fingerprinting, vulnerability correlation, directory enumeration, and API discovery into a single automated workflow
  • Provides complete external attack surface visibility through comprehensive multi-tool reconnaissance that identifies all discoverable assets, services, and potential entry points
  • Reduces reconnaissance time from days to hours by parallelizing multiple security assessment techniques and automating data collection across entire subdomain infrastructure
  • Enables immediate vulnerability prioritization through automated CVE correlation and SSL/TLS weakness identification integrated directly into reconnaissance results
  • Delivers unified actionable intelligence through consolidated HTML reporting with filterable tables that facilitate efficient manual analysis, target selection, and penetration testing planning
  • Standardizes comprehensive external security assessment methodology, ensuring consistent coverage and reducing the risk of missed attack vectors across different engagements