Skip to content

Reconnaissance Tools Setup and Troubleshooting

Date: 2025-09-01
Status: Critical Infrastructure Fix Completed
Impact: 88x increase in subdomain discovery efficiency

Problem Identification

During initial enumeration phases, our custom Python enumeration tool (tools/surface_enum/enumerate.py) was failing to leverage external reconnaissance tools, reporting:

❌ Error running command: [Errno 2] No such file or directory: 'subfinder'
❌ Error running command: [Errno 2] No such file or directory: 'httpx'  
❌ Error running command: [Errno 2] No such file or directory: 'assetfinder'

This severely limited our attack surface discovery capabilities, as evidenced by dramatically reduced subdomain counts.

Root Cause Analysis

The tools were not installed on the system. Our enumeration script was designed to gracefully degrade when external tools are unavailable, but this meant we were operating with severely limited reconnaissance capabilities.

Solution Implementation

1. Tool Installation

Installed essential Project Discovery and community tools using Go:

# Install Project Discovery tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest  
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Install community tools
go install github.com/tomnomnom/assetfinder@latest

2. PATH Configuration

Go installs binaries to $(go env GOPATH)/bin/ (typically /home/user/go/bin/). Added this to PATH:

export PATH="$PATH:/home/pierce/go/bin"

3. Verification

Confirmed all tools are accessible and functional: 

which subfinder httpx nuclei assetfinder
subfinder -version
httpx -version  
nuclei -version

Impact Assessment

Before Fix (Broken Tools): - Sheer.com: 2 subdomains, 4 live services - Limited Discovery: Manual patterns only - Missed Critical Infrastructure: No external API integration

After Fix (Working Tools): - Sheer.com: 176 subdomains, 12 live services
- 88x Improvement: Dramatic increase in discovery - Critical Findings: Revealed extensive dev/admin infrastructure

Newly Discovered Sheer Attack Surface

With working tools, discovered critical infrastructure previously missed:

Administrative: - admin.sheer.com - dev-admin.sheer.com

API Infrastructure: - api.sheer.com - dev-api.sheer.com

Customer Systems: - crm.sheer.com - my.sheer.com - info.sheer.com

Development Environments: - Multiple demo.* subdomains - Multiple dev.* subdomains - beta.sheer.com (already identified as high-risk)

Additional Live Services: - links.sheer.com - visit.sheer.com - sheer-support.com

Tool Capabilities

Subfinder

  • Purpose: Passive subdomain enumeration
  • Sources: 30+ passive sources (certificate transparency, DNS records, search engines)
  • Integration: JSON output for automation

HTTPx

  • Purpose: HTTP service discovery and analysis
  • Features: Technology detection, response analysis, header inspection
  • Output: Detailed JSON with tech stack, response codes, timing

AssetFinder

  • Purpose: Alternative subdomain enumeration
  • Complementary: Different source coverage from subfinder
  • Fast: Lightweight alternative for quick scans

Nuclei

  • Purpose: Vulnerability scanning with templates
  • Templates: 4000+ community templates
  • Use Case: Automated vulnerability discovery on discovered services

Operational Protocols

1. Environment Setup

Always ensure tools are in PATH before enumeration: 

export PATH="$PATH:/home/pierce/go/bin"

2. Tool Verification

Verify tool accessibility before major enumeration campaigns: 

which subfinder httpx nuclei assetfinder || echo "Tools not in PATH"

3. Enumeration Enhancement

Our enumerate.py script now automatically leverages these tools when available, providing: - Comprehensive subdomain discovery - Live service validation
- Technology stack identification - Response analysis and classification

Performance Metrics

Target Before (Manual) After (Tools) Improvement
Sheer 2 subdomains 176 subdomains 88x
Live Services 4 12 3x

Lessons Learned

  1. Infrastructure Verification: Always verify external tool availability before operational phases
  2. Graceful Degradation: While helpful, graceful degradation can mask critical capability gaps
  3. Tool Integration: Proper tool integration dramatically improves discovery effectiveness
  4. PATH Management: Go binary PATH configuration is essential for tool accessibility

Future Improvements

  1. Automation: Add automatic tool installation to setup scripts
  2. Monitoring: Implement tool availability checks in enumeration workflows
  3. Redundancy: Multiple tools per category for comprehensive coverage
  4. Updates: Regular tool updates to maintain latest capabilities

Critical Finding Impact

This fix revealed that Sheer's attack surface is 88x larger than initially assessed, elevating it from a medium-risk target to critical priority due to:

  • Extensive development environment exposure
  • Administrative interface proliferation
  • API infrastructure expansion
  • Customer-facing system discovery

Immediate Action Required: Re-assess all previously enumerated targets with fixed tools to identify missed critical infrastructure.

🐱 "Proper tools reveal the hidden paths. A hunter with sharpened claws catches prey that others miss." - Bastet