tutorial reconnaissance - Security-Tools-Alliance/rengine-ng GitHub Wiki

🎯 Reconnaissance Tutorial - Step-by-Step Guide

This comprehensive tutorial will guide you through the different reconnaissance strategies available in reNgine-ng, helping you choose the right approach for your target assessment.

-----------------------------------------------------

🧭 Reconnaissance Workflow

Understanding the reconnaissance workflow is crucial for effective penetration testing and bug bounty hunting. Here's the recommended approach:

```mermaid
graph TD
    A["🎯 Target Selection"] --> B["📊 Choose Scan Strategy"]

    B --> C["🚀 Quick Passive<br/>Initial Scan - Passive with screenshots"]
    B --> D["⚡ Balanced<br/>Initial Scan - reNgine recommended"]
    B --> E["🔍 Import Scope<br/>Initial Scan - Passive (import subdomains)"]
    B --> F["💥 Full Active<br/>Scan - Active"]

    C --> G["📸 Screenshots<br/>📧 OSINT<br/>🔍 WAF Detection<br/>🌐 Subdomain Discovery"]
    D --> H["📸 Screenshots<br/>📧 OSINT<br/>🔍 WAF Detection<br/>🌐 Subdomain Discovery<br/>🔗 URL Fetching"]
    E --> I["📸 Screenshots<br/>📧 OSINT<br/>No Subdomain Discovery"]
    F --> J["🔓 Port Scan<br/>📁 Directory Fuzzing<br/>🔗 URL Fetching<br/>🛡️ Vulnerability Scan"]

    G --> K["🎯 Subscan Decision"]
    H --> K
    I --> K
    J --> L["📋 Complete Analysis"]

    K --> M["🔓 Port Scanning<br/>Subscan - Port scan"]
    K --> N["📁 File Fuzzing<br/>Subscan - File fuzzing"]
    K --> O["🔗 URL Fetching<br/>Subscan - Fetch URLs"]
    K --> P["🛡️ Vulnerability Scan<br/>Subscan - Vulnerabilities"]
    K --> Q["📸 Screenshots<br/>Subscan - Screenshots"]
    K --> R["🔍 WAF Detection<br/>Subscan - WAF Detection"]

    M --> S["📊 Results Analysis"]
    N --> S
    O --> S
    P --> S
    Q --> S
    R --> S

    S --> T["📈 Report Generation<br/>🤖 LLM Analysis"]

    L --> T
```

-----------------------------------------------------

🚀 Initial Scan Strategies

Choose your initial scan strategy based on your objectives, time constraints, and resource availability:

1. 📸 Initial Scan - Passive with Screenshots

Recommended for: First-time reconnaissance, time-sensitive assessments

Speed: ⚡⚡⚡ QUICK SCAN
Resources: 🟢 LOW RESOURCE USAGE
Recommended: ✅ HIGHLY RECOMMENDED ON INITIAL SCAN

# What it does:
- Subdomain Discovery (passive tools only; no DNS brute-force)
- Screenshots of discovered services
- OSINT gathering (emails, metadata, employees)
- WAF detection

Note that "passive" refers to the discovery step: screenshots and WAF detection still send HTTP requests to every discovered host, so the target sees this traffic.

🎯 Use Case Example:

  • Bug bounty initial reconnaissance
  • Time-constrained assessments
  • Getting a quick overview of the attack surface

📋 What you get:

  • Subdomain list from passive sources, with visual evidence of what is actually live
  • OSINT intelligence for social engineering
  • WAF presence information for planning

2. ⚡ Initial Scan - reNgine Recommended

Recommended for: Balanced approach between speed and depth

Speed: ⚡⚡ MEDIUM SPEED SCAN
Resources: 🟡 MODERATE RESOURCE USAGE
Recommended: ✅ HIGHLY RECOMMENDED ON INITIAL SCAN

# What it does:
- Everything from Passive scan
- Additional URL fetching and endpoint discovery (crawlers and archive sources)
- More comprehensive OSINT

🎯 Use Case Example:

  • Professional penetration testing
  • Comprehensive bug bounty assessment
  • Balanced time vs. thoroughness approach

📋 What you get:

  • Attack surface map: passively discovered subdomains plus the endpoints crawled and fetched from them
  • Rich endpoint collection for further testing
  • Comprehensive intelligence gathering

3. 🔍 Initial Scan - Passive (Import Subdomains)

Recommended for: When you have a predefined scope

Speed: ⚡⚡⚡ QUICKEST SCAN
Resources: 🟢 MINIMAL RESOURCE USAGE
Recommended: ✅ RECOMMENDED WHEN YOU HAVE SUBDOMAIN LIST

# What it does:
- Import your existing subdomain list
- Screenshots and OSINT on known targets
- No additional subdomain discovery

🎯 Use Case Example:

  • Scoped penetration tests with defined assets
  • Re-assessment of known infrastructure
  • Focused testing on specific subdomains

📋 What you get:

  • Fast analysis of known assets
  • Visual confirmation of services
  • Targeted intelligence gathering

4. 💥 Scan - Active

Recommended for: Deep, comprehensive analysis

Speed: 🐌 SLOW SCAN
Resources: 🔴 RESOURCE INTENSIVE
Warning: ⚠️ NOT RECOMMENDED ON INITIAL SCAN

# What it does:
- Aggressive port scanning
- Directory and file fuzzing
- Comprehensive URL discovery
- Full vulnerability scanning

Every one of these steps sends a large volume of traffic to the target; expect it to be logged and, behind a WAF, possibly blocked part-way through. Agree scope and rate limits before running it.

🎯 Use Case Example:

  • Deep penetration testing with ample time
  • Internal network assessments
  • Follow-up after initial reconnaissance

📋 What you get:

  • Complete port and service enumeration
  • Extensive file and directory discovery
  • Comprehensive vulnerability assessment

-----------------------------------------------------

🎯 Subscan Strategies

After your initial scan, use targeted subscans to dive deeper into specific areas of interest:

🔓 Port Scanning Subscan

When to use: After identifying interesting subdomains from initial scans

# Features:
- Targeted port scanning on selected subdomains
- Nmap integration for service enumeration
- Customizable port ranges (top-100, top-1000, full)

💡 Pro Tip: Use this on subdomains that look interesting from your initial screenshots.


๐Ÿ“ File Fuzzing Subscan

When to use: On web applications discovered during initial reconnaissance

# Features:
- Directory and file fuzzing
- Customizable wordlists and extensions
- HTTP status code filtering
- Recursive directory traversal options

๐Ÿ’ก Pro Tip: Focus on admin panels, login pages, and interesting applications found in screenshots.


🔗 URL Fetching Subscan

When to use: To discover hidden endpoints and parameters

# Features:
- Multiple tools: gospider, hakrawler, waybackurls, katana, gau
- GF pattern matching for vulnerability indicators
- Duplicate endpoint removal
- Custom header support

💡 Pro Tip: Essential for finding API endpoints and hidden functionality.
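As an added illustration (example code written for this page, not code from reNgine-ng or from the tools it wraps): what the duplicate-removal and GF-pattern steps listed above amount to in practice. The URLs are constructed sample output, and the parameter-name patterns are an illustrative subset in the spirit of the gf pattern files, not the pattern set reNgine-ng ships.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Illustrative subset of parameter-name patterns in the spirit of gf's
# xss/sqli/lfi/ssrf/rce pattern files (this example's own lists, not the
# gf-patterns shipped with reNgine-ng).
GF_PATTERNS = {
    "xss":  re.compile(r"^(q|s|search|query|keyword|name|msg|message|comment|callback|redirect|url|next)$", re.I),
    "sqli": re.compile(r"^(id|uid|user_id|pid|cat|category|order|sort|filter|where|row)$", re.I),
    "lfi":  re.compile(r"^(file|filename|path|dir|document|page|template|include|folder)$", re.I),
    "ssrf": re.compile(r"^(url|uri|dest|destination|redirect|next|return|site|host|callback|feed|to)$", re.I),
    "rce":  re.compile(r"^(cmd|exec|command|execute|ping|run|code|func|process|load)$", re.I),
}

def normalize(url):
    """Canonical endpoint form: lower-cased scheme and host, path as-is, the
    query reduced to its sorted parameter names with empty values, no fragment.
    Two URLs that differ only in parameter values or order normalize equally."""
    parts = urlsplit(url.strip())
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "&".join(f"{k}=" for k in names)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", query, ""))

def dedupe(urls):
    """Map each canonical endpoint to the first concrete URL seen for it."""
    seen = {}
    for url in urls:
        seen.setdefault(normalize(url), url)
    return seen

def match_gf(url):
    """Pattern tags whose parameter-name regex matches any query parameter."""
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(tag for tag, rx in GF_PATTERNS.items() if any(rx.match(n) for n in names))

def triage(urls):
    """{canonical_endpoint: (example_url, [tags])} for endpoints that carry at
    least one interesting parameter; endpoints with none are dropped."""
    result = {}
    for endpoint, example in dedupe(urls).items():
        tags = match_gf(example)
        if tags:
            result[endpoint] = (example, tags)
    return result

# Constructed sample of what gau/waybackurls/katana might return for one host.
SAMPLE_URLS = [
    "https://app.example.com/search?q=test",
    "https://app.example.com/search?q=other",          # same endpoint, different value
    "https://APP.example.com/search?q=a&page=2",       # extra parameter: distinct endpoint
    "https://app.example.com/download?file=report.pdf",
    "https://app.example.com/api/v1/fetch?url=http://169.254.169.254/",
    "https://app.example.com/static/app.js",           # no parameters: nothing to fuzz
    "https://app.example.com/item?id=42&sort=asc",
    "https://app.example.com/item?sort=desc&id=43",    # parameter order differs: same endpoint
]

if __name__ == "__main__":
    for endpoint, (example, tags) in triage(SAMPLE_URLS).items():
        print(f"{','.join(tags):10} {endpoint}    e.g. {example}")
```

The canonical form keeps parameter names and drops their values, so `?id=42&sort=asc` and `?sort=desc&id=43` collapse to one endpoint; that is what stops a later fuzzing or nuclei run from hitting the same handler hundreds of times just because gau returned every historical value.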


๐Ÿ›ก๏ธ Vulnerability Subscan

When to use: After comprehensive reconnaissance to find security issues

# Features:
- Nuclei vulnerability scanning
- Dalfox XSS testing
- CRLF injection testing
- S3 bucket misconfiguration detection
- LLM-powered vulnerability analysis

๐Ÿ’ก Pro Tip: Run this on high-value targets after gathering comprehensive endpoint lists.


📸 Screenshots Subscan

When to use: To get visual confirmation of services

# Features:
- Visual evidence gathering
- Service identification through screenshots
- Configurable timeout and threading

💡 Pro Tip: Use after port scans to visually confirm discovered services.


๐Ÿ” WAF Detection Subscan

When to use: Before launching active attacks

# Features:
- WAF identification using wafw00f
- Protection mechanism detection
- Attack strategy planning

๐Ÿ’ก Pro Tip: Essential before vulnerability testing to adapt your approach.

-----------------------------------------------------

📋 Recommended Reconnaissance Workflows

🏆 Bug Bounty Hunting Workflow

  1. Start with: Initial Scan - Passive with screenshots
  2. Analyze results: Look for interesting subdomains and technologies
  3. Follow up with:
    • Subscan - Fetch URLs on web applications
    • Subscan - Port scan on infrastructure targets
    • Subscan - File fuzzing on admin panels/dashboards
  4. Finish with: Subscan - Vulnerabilities on high-value targets

🔒 Penetration Testing Workflow

  1. Start with: Initial Scan - reNgine recommended
  2. Analyze attack surface: Review all discovered assets
  3. Deep dive with:
    • Subscan - Port scan on all interesting subdomains
    • Subscan - File fuzzing on web applications
    • Subscan - Fetch URLs for endpoint discovery
  4. Vulnerability assessment: Subscan - Vulnerabilities comprehensively
  5. Documentation: Generate reports with LLM analysis

⚡ Quick Assessment Workflow

  1. Start with: Initial Scan - Passive (import subdomains) if scope is defined
  2. Quick wins:
    • Subscan - Screenshots for visual confirmation
    • Subscan - WAF Detection for protection assessment
  3. Targeted testing: Subscan - Vulnerabilities on critical assets

๐Ÿข Internal Network Assessment

  1. Start with: Scan - Active (if network allows)
  2. Comprehensive analysis: Review all discovered services
  3. Focused testing: Use targeted subscans based on findings

-----------------------------------------------------

⚙️ Configuration Best Practices

🌐 Global Configuration Tips

```yaml
# Always use realistic User-Agent strings
custom_header: {
  'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0'
}

# Adjust threading based on target sensitivity. threads and timeout live in
# each task section (subdomain_discovery, http_crawl, fetch_url, ...), so set
# one value per section rather than repeating the key:
threads: 30  # Aggressive
threads: 10  # Conservative
threads: 5   # Stealth

# Set appropriate timeouts (seconds)
timeout: 10  # Standard
timeout: 5   # Fast
timeout: 30  # Thorough
```

🎯 Tool-Specific Recommendations

Subdomain Discovery:

  • Use multiple tools for better coverage: ['subfinder', 'ctfr', 'sublist3r', 'tlsx', 'oneforall', 'netlas']
  • Configure API keys for maximum results
  • Consider amass-active for brute-force when time permits; unlike the passive tools, its queries reach the target's authoritative name servers, so it is visible to the target

HTTP Crawling & Port Detection:

  • Common Ports: Default behavior tests standard web ports (80, 443, 8080, etc.)
  • Uncommon Ports: Enable precrawl_uncommon_ports: true for extended port range (81-55672)
  • All Ports: Use precrawl_all_ports: true for comprehensive coverage (slower)
  • Batch Processing: Adjust precrawl_batch_size based on target capacity (default: 350)

Port Scanning:

  • Start with top-100 for speed
  • Use top-1000 for thoroughness
  • Reserve full scan for critical targets
  • Enable nmap integration for service detection

Directory Fuzzing:

  • Use auto_calibration to avoid false positives from catch-all (wildcard) responses
  • Focus on relevant extensions: ['php', 'asp', 'aspx', 'jsp', 'txt', 'bak']
  • Set reasonable max_time limits so a deep directory tree cannot run indefinitely
  • Use recursive_level carefully: every directory found at one level becomes a full wordlist run at the next, so request count multiplies per level

Vulnerability Scanning:

  • Enable fetch_llm_report for detailed analysis
  • Filter by severity for initial runs: ['high', 'critical']
  • Use custom templates for specific technologies
  • Configure rate limiting to avoid blocking
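A pre-flight check that applies the recommendations above to an engine config before a scan is launched, as an added example written for this page (not a feature of reNgine-ng). The config is shown as the Python dict a YAML loader would produce from the engine file; the section and key names follow this page's own examples, while the placement of rate_limit, max_time and auto_calibration under their sections and the stealth thread ceiling are this example's assumptions.

```python
# Pre-flight linter for an engine config (example code, not part of reNgine-ng).
# The placement of rate_limit / max_time / auto_calibration and the stealth
# ceiling below are this example's assumptions.
STEALTH_MAX_THREADS = 10   # matches the page's "Stealth" tier

def lint_engine(cfg, stealth=False):
    """Return a list of warning strings; an empty list means no objections."""
    warnings = []

    headers = cfg.get("custom_header") or {}
    if not any(k.lower() == "user-agent" for k in headers):
        warnings.append("custom_header: no User-Agent set; tools will send their default UA strings")

    if stealth:
        for section, opts in cfg.items():
            if isinstance(opts, dict) and opts.get("threads", 0) > STEALTH_MAX_THREADS:
                warnings.append(f"{section}: threads={opts['threads']} exceeds stealth ceiling of {STEALTH_MAX_THREADS}")

    crawl = cfg.get("http_crawl", {})
    if crawl.get("precrawl_all_ports"):
        warnings.append("http_crawl: precrawl_all_ports=true probes every port on every host; slow and noisy")

    ports = cfg.get("port_scan", {})
    if "full" in ports.get("ports", []) and "rate_limit" not in ports:
        warnings.append("port_scan: full port range without rate_limit")

    fuzz = cfg.get("dir_file_fuzz", {})
    if fuzz:
        if fuzz.get("recursive_level", 0) >= 2 and "max_time" not in fuzz:
            warnings.append(f"dir_file_fuzz: recursive_level={fuzz['recursive_level']} without max_time; "
                            "request count multiplies at every level")
        if not fuzz.get("auto_calibration"):
            warnings.append("dir_file_fuzz: auto_calibration off; catch-all responses will show up as hits")

    vuln = cfg.get("vulnerability_scan", {})
    if vuln.get("run_nuclei"):
        if not vuln.get("nuclei", {}).get("severities"):
            warnings.append("vulnerability_scan: no nuclei severity filter; start with ['high', 'critical']")
        if "rate_limit" not in vuln:
            warnings.append("vulnerability_scan: no rate_limit; nuclei will run at its default request rate")
    return warnings

# The two engines from this page's Customization Examples, as loaded dicts.
BUG_BOUNTY_ENGINE = {
    "subdomain_discovery": {"uses_tools": ["subfinder", "ctfr", "sublist3r", "tlsx", "oneforall", "netlas"],
                            "threads": 20, "timeout": 5},
    "http_crawl": {"precrawl_uncommon_ports": True, "precrawl_batch_size": 300, "threads": 25},
    "fetch_url": {"uses_tools": ["gospider", "hakrawler", "waybackurls", "katana", "gau"],
                  "gf_patterns": ["xss", "sqli", "rce", "lfi", "ssrf"], "threads": 15},
    "vulnerability_scan": {"run_nuclei": True, "intensity": "normal", "fetch_llm_report": True,
                           "nuclei": {"severities": ["medium", "high", "critical"]}},
}
INTERNAL_ENGINE = {
    "http_crawl": {"precrawl_all_ports": True, "precrawl_batch_size": 500, "threads": 40},
    "port_scan": {"ports": ["full"], "enable_nmap": True, "threads": 50, "rate_limit": 1000},
    "dir_file_fuzz": {"extensions": ["php", "asp", "aspx", "jsp", "txt", "bak", "conf"],
                      "recursive_level": 2, "threads": 20},
}

if __name__ == "__main__":
    for name, engine in (("bug bounty", BUG_BOUNTY_ENGINE), ("internal", INTERNAL_ENGINE)):
        print(f"== {name} (stealth profile) ==")
        for w in lint_engine(engine, stealth=True):
            print(" -", w)
```

Run against the page's own engines, the bug bounty one is flagged for the missing User-Agent header and the unbounded nuclei rate, and the internal one for all-ports crawling and for recursive fuzzing without max_time or auto_calibration; with the stealth profile the thread counts are flagged as well. None of these are wrong settings for the situations the page describes, which is the point: the linter makes you confirm them rather than discover them from a block page.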

-----------------------------------------------------

🚨 Important Considerations

โš ๏ธ Legal and Ethical Guidelines

  • Always obtain proper authorization before scanning
  • Respect rate limits and avoid DoS conditions
  • Follow responsible disclosure for any findings
  • Document your scope clearly before starting

๐Ÿ›ก๏ธ Stealth and Detection Avoidance

  • Use realistic User-Agent strings in custom headers
  • Implement proper rate limiting to avoid detection
  • Randomize request timing when possible
  • Monitor for blocking and adjust accordingly

📊 Performance Optimization

  • Start with passive scans to understand the target
  • Use appropriate thread counts based on target capacity
  • Monitor resource usage during intensive scans
  • Plan scan timing to avoid peak hours

🔄 Iterative Approach

  • Analyze results thoroughly before proceeding
  • Adapt your strategy based on findings
  • Use subscans strategically rather than running everything
  • Document interesting findings for follow-up

-----------------------------------------------------

🎓 Advanced Tips and Tricks

๐Ÿ” Effective Result Analysis

  1. Screenshot Review: Always review screenshots for:

    • Login panels and admin interfaces
    • Technology indicators (frameworks, servers)
    • Error messages revealing information
    • Unusual or custom applications
  2. OSINT Intelligence: Leverage gathered intelligence for:

    • Employee email formats for credential attacks
    • Technology stack information
    • Potential attack vectors through metadata
  3. Endpoint Analysis: Focus on endpoints containing:

    • API paths (/api/, /v1/, /graphql)
    • Admin functions (/admin, /dashboard, /manage)
    • Parameter-heavy URLs for injection testing
    • File upload and download functionality

🎯 Target Prioritization

High Priority Targets:

  • Admin panels and dashboards
  • API endpoints with authentication
  • File upload functionality
  • Database interfaces
  • Custom applications (non-standard tech stack)

Medium Priority Targets:

  • Standard web applications
  • Common CMS platforms
  • Development/staging environments
  • Subdomain takeover candidates

Low Priority Targets:

  • CDN endpoints
  • Static file servers
  • Standard marketing pages
  • Third-party hosted services
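One way to turn the analysis indicators and the priority tiers above into a repeatable triage step, as an added example written for this page rather than code from reNgine-ng: each discovered host is described by what the initial scan already produced (page title, detected technologies, open ports, CNAME, crawled paths), and a tier is assigned from the indicators the page names. The records are constructed sample data; the keyword lists, port set and CNAME suffixes are this example's assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Asset:
    """One host as seen after an initial scan (constructed, not reNgine-ng's model)."""
    host: str
    title: str = ""                              # page title from the screenshot / HTTP probe
    tech: list = field(default_factory=list)     # detected technologies
    ports: list = field(default_factory=list)    # open ports from a port-scan subscan
    cname: str = ""                              # CNAME target, if any
    endpoints: list = field(default_factory=list)  # paths from URL fetching

# Indicator lists are this example's assumptions, chosen to match the page's tiers.
HIGH_PATH = re.compile(r"/(api|v\d+|graphql|admin|dashboard|manage|upload|phpmyadmin|adminer)(/|$)", re.I)
LOGIN_TITLE = re.compile(r"\b(log ?in|sign ?in|admin|dashboard|console)\b", re.I)
DB_PORTS = {1433, 3306, 5432, 6379, 9200, 27017}
COMMON_CMS = {"wordpress", "drupal", "joomla", "magento"}
STAGING_LABEL = re.compile(r"(^|[.-])(dev|staging|stage|test|uat|qa)([.-]|$)", re.I)
TAKEOVER_CNAME = re.compile(r"(github\.io|herokuapp\.com|s3\.amazonaws\.com|azurewebsites\.net)\.?$", re.I)
CDN_CNAME = re.compile(r"(cloudfront\.net|akamaiedge\.net|fastly\.net|cdn\.cloudflare\.net|edgekey\.net)\.?$", re.I)
RANK = {"high": 0, "medium": 1, "low": 2}

def prioritize(a):
    """Return (tier, reasons) for one asset, high indicators taking precedence."""
    reasons = []
    if any(HIGH_PATH.search(p) for p in a.endpoints):
        reasons.append("admin/api/upload path")
    if LOGIN_TITLE.search(a.title):
        reasons.append("login/admin title")
    if DB_PORTS & set(a.ports):
        reasons.append(f"database port open: {sorted(DB_PORTS & set(a.ports))}")
    if reasons:
        return "high", reasons
    if STAGING_LABEL.search(a.host):
        reasons.append("dev/staging label")
    if {t.lower() for t in a.tech} & COMMON_CMS:
        reasons.append("common CMS")
    if TAKEOVER_CNAME.search(a.cname):
        reasons.append("CNAME to third-party host: takeover candidate, confirm manually")
    if reasons:
        return "medium", reasons
    if CDN_CNAME.search(a.cname):
        reasons.append("CDN edge")
    return "low", reasons or ["no high/medium indicator"]

def rank(assets):
    """[(asset, tier, reasons)] ordered high -> low, then by host name."""
    scored = [(a, *prioritize(a)) for a in assets]
    scored.sort(key=lambda t: (RANK[t[1]], t[0].host))
    return scored

# Constructed sample results for one target.
ASSETS = [
    Asset("admin.example.com", title="Admin Login", tech=["nginx", "Django"], ports=[443], endpoints=["/admin/login/"]),
    Asset("api.example.com", tech=["Express"], ports=[443], endpoints=["/api/v1/users", "/graphql"]),
    Asset("db.example.com", ports=[22, 5432]),
    Asset("blog.example.com", title="Company Blog", tech=["WordPress", "PHP"], ports=[80, 443], endpoints=["/wp-login.php"]),
    Asset("staging.example.com", title="Example (staging)", tech=["nginx"], ports=[443]),
    Asset("old.example.com", cname="old-app.herokuapp.com"),
    Asset("static.example.com", cname="d1234.cloudfront.net", endpoints=["/js/app.js"]),
    Asset("www.example.com", title="Example - Home", tech=["nginx"], ports=[80, 443], endpoints=["/", "/about"]),
]

if __name__ == "__main__":
    for asset, tier, reasons in rank(ASSETS):
        print(f"{tier:6} {asset.host:22} {'; '.join(reasons)}")
```

The takeover candidate is deliberately only medium and carries a "confirm manually" reason: a CNAME to a third-party host is a lead, not a finding, until the target resource is shown to be unclaimed. Feed the high tier into the Port scan and Fetch URLs subscans first, as the workflows above suggest.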

🔧 Customization Examples

Bug Bounty Optimized Engine:

```yaml
subdomain_discovery: {
  'uses_tools': ['subfinder', 'ctfr', 'sublist3r', 'tlsx', 'oneforall', 'netlas'],
  'threads': 20,
  'timeout': 5
}
http_crawl: {
  'precrawl_uncommon_ports': true,  # Extended port discovery for hidden services
  'precrawl_batch_size': 300,
  'threads': 25
}
fetch_url: {
  'uses_tools': ['gospider', 'hakrawler', 'waybackurls', 'katana', 'gau'],
  'gf_patterns': ['xss', 'sqli', 'rce', 'lfi', 'ssrf'],
  'threads': 15
}
vulnerability_scan: {
  'run_nuclei': true,
  'intensity': 'normal',
  'fetch_llm_report': true,
  'nuclei': {
    'severities': ['medium', 'high', 'critical']
  }
}
```

Internal Network Assessment Engine:

```yaml
http_crawl: {
  'precrawl_all_ports': true,  # Comprehensive port coverage for internal networks
  'precrawl_batch_size': 500,
  'threads': 40
}
port_scan: {
  'ports': ['full'],
  'enable_nmap': true,
  'threads': 50,
  'rate_limit': 1000
}
dir_file_fuzz: {
  'extensions': ['php', 'asp', 'aspx', 'jsp', 'txt', 'bak', 'conf'],
  'recursive_level': 2,
  'threads': 20
}
```

Remember: The key to successful reconnaissance is understanding your target, choosing the right tools, and iterating based on your findings. Start conservatively and increase intensity based on what you discover!

โš ๏ธ **GitHub.com Fallback** โš ๏ธ