A basic reconnaissance methodology workflow for the Osmedeus Engine
This repository provides a reference workflow implementation demonstrating basic reconnaissance methodology. Use it as a starting point to understand Osmedeus workflows and build your own custom automation pipelines.
```bash
osmedeus install workflow https://github.com/osmedeus/osmedeus-workflow.git
```

See the Osmedeus documentation for more details.
For additional workflow examples and patterns, see the test workflows in the main Osmedeus repository.
The workflow follows a phased approach to reconnaissance:
```text
┌─────────────────┐
│   Subdomain     │  Phase 1: Discover subdomains using multiple sources
│   Enumeration   │           (subfinder, findomain, assetfinder, amass)
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│    Probing      │  Phase 2: DNS resolution and HTTP probing
│  (DNS + HTTP)   │           (puredns, massdns, httpx, dnsx)
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  Fingerprint    │  Phase 3: Technology detection and fingerprinting
└────────┬────────┘
         │
    ┌────┴────┬──────────┬───────────┐
    ▼         ▼          ▼           ▼
┌───────┐ ┌───────┐ ┌─────────┐ ┌─────────┐
│Screen │ │Archive│ │IP Space │ │Portscan │  Phase 4+: Parallel analysis
│ shot  │ │       │ │  Enum   │ │         │
└───┬───┘ └───┬───┘ └────┬────┘ └────┬────┘
    │         │          │           │
    └─────────┴────┬─────┴───────────┘
                   │
         ┌─────────┴───────────────┐
         ▼                         ▼
┌─────────────────┐          ┌───────────┐
│Vulnerability    │          │ Content   │  Final: Vulnerability and content discovery
│  Scanning       │          │ Discovery │
└─────────────────┘          └───────────┘
```
| Workflow | Description |
|---|---|
| general.yaml | Full reconnaissance pipeline with all phases |
| fast.yaml | Quick reconnaissance with essential phases only |
| deep-recon.yaml | Deep reconnaissance with extended analysis |
| cidr.yaml | CIDR/IP range reconnaissance |
| cidr-extend.yaml | Extended CIDR reconnaissance with additional phases |
| url.yaml | URL-based reconnaissance workflow |
| web-analysis.yaml | Web application analysis workflow |
| Module | Description |
|---|---|
| subdomain-enum.yaml | Subdomain enumeration (subfinder, findomain, assetfinder) |
| dns-probing.yaml | DNS resolution and probing |
| http-fingerprint.yaml | HTTP fingerprinting and technology detection |
| screenshot.yaml | Visual screenshots of discovered assets |
| archive.yaml | Archive/wayback machine data collection |
| ipspace.yaml | IP space enumeration |
| portscan.yaml | Port scanning |
| vulnerability-scan.yaml | Vulnerability scanning |
| content-discovery.yaml | Directory and content bruteforcing |
| spider.yaml | Web spidering/crawling |
| Event | Description |
|---|---|
| simple-emitter.yaml | Simple event emitter example |
| simple-receiver.yaml | Simple event receiver example |
| vuln-scan-receiver.yaml | Vulnerability scan event receiver |
| Fragment | Description |
|---|---|
| subdomain-enum-fragment.yaml | Subdomain enumeration fragment |
| single-target-content-discovery.yaml | Content discovery for single target |
| single-target-vuln-scan.yaml | Vulnerability scan for single target |
| single-target-spider.yaml | Spider for single target |
| single-target-port-scan.yaml | Port scan for single target |
| single-target-http-fingerprint.yaml | HTTP fingerprint for single target |
```bash
# Run the general reconnaissance flow
osmedeus run -f general -t example.com

# Run the fast reconnaissance flow
osmedeus run -f fast -t example.com

# Run a specific module
osmedeus run -m subdomain-enum -t example.com

# Dry-run to preview execution
osmedeus run -f general -t example.com --dry-run
```

- Study the common modules - Each module in `common/` demonstrates a specific recon phase
- Understand the flow structure - See `general.yaml` for how modules are orchestrated with dependencies
- Customize parameters - Modules accept params for threads, wordlists, and toggles
- Chain modules - Use `depends_on` to create execution dependencies
Example module structure:

```yaml
kind: module
name: my-module
description: Description of what this module does
params:
  - name: customParam
    default: "value"
dependencies:
  commands:
    - tool1
    - tool2
steps:
  - name: step-one
    type: bash
    command: 'tool1 -t {{Target}} -o {{Output}}/results.txt'
```

Osmedeus is made with ♥ by @j3ssie and it is released under the MIT license.
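The module definition above feeds values such as the target straight into a bash step, so anything that renders those `{{Target}}`/`{{Output}}` placeholders should treat the values as untrusted. The following helper is an added example, not code from this repository or from the Osmedeus engine: it checks a module's structure, reports declared dependency binaries missing from PATH, and fills in placeholders with shell quoting so a hostile value (for instance a discovered hostname containing `;`) cannot turn into extra commands. The dict mirrors the YAML above; the quoting behaviour is this helper's own assumption, not a statement about how the engine renders templates.

```python
import re
import shlex
import shutil

# Constructed in-memory copy of the module definition shown above: the same
# structure a YAML loader would hand back for that file.
MODULE = {
    "kind": "module",
    "name": "my-module",
    "dependencies": {"commands": ["tool1", "tool2"]},
    "steps": [
        {"name": "step-one", "type": "bash",
         "command": "tool1 -t {{Target}} -o {{Output}}/results.txt"},
    ],
}

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def validate_module(module):
    """Return structural problems found; an empty list means the module is well-formed."""
    problems = []
    if module.get("kind") != "module":
        problems.append("kind must be 'module'")
    for i, step in enumerate(module.get("steps", [])):
        for key in ("name", "type", "command"):
            if key not in step:
                problems.append(f"step {i} missing '{key}'")
    return problems


def missing_commands(module, which=shutil.which):
    """Declared dependency binaries that are not on PATH (which() is swappable for tests)."""
    deps = module.get("dependencies", {}).get("commands", [])
    return [cmd for cmd in deps if which(cmd) is None]


def render_command(template, variables):
    """Fill {{Var}} placeholders, shell-quoting every value so that a hostile
    target like "x.com; rm -rf /" stays a single argument instead of becoming
    extra shell commands. Unknown placeholders raise rather than render empty."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown placeholder {{{{{name}}}}}")
        return shlex.quote(str(variables[name]))
    return PLACEHOLDER.sub(substitute, template)


def render_module(module, variables):
    """Render every bash step of the module into (step name, command line) pairs."""
    return [(s["name"], render_command(s["command"], variables)) for s in module["steps"]]
```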