Scan Types

Understand different reconnaissance methods and scan types available in rengine

Last updated: July 13, 2024

Scan Types

rengine offers various scan types and reconnaissance methods to comprehensively assess your targets. Understanding these different approaches will help you choose the right methodology for your security testing needs.

Overview

rengine automates multiple reconnaissance techniques, each serving different purposes in the information gathering process. You can run individual scan types or combine them for comprehensive coverage.

Available Scan Types

🔍 Subdomain Discovery

Purpose: Find all subdomains associated with your target domain

Techniques used:

  • DNS enumeration
  • Certificate transparency logs
  • Search engine dorking
  • Brute force with wordlists
  • Third-party APIs (SecurityTrails, VirusTotal, etc.)

When to use: Initial reconnaissance phase to map the attack surface

🌐 Port Scanning

Purpose: Identify open ports and running services

Features:

  • TCP/UDP port scanning
  • Service version detection
  • OS fingerprinting
  • Custom port ranges
  • Stealth scanning options

When to use: After subdomain discovery to identify accessible services

🔧 Web Application Scanning

Purpose: Identify web application vulnerabilities

Checks include:

  • SQL injection
  • Cross-site scripting (XSS)
  • Directory traversal
  • Insecure configurations
  • Common web vulnerabilities

When to use: For web applications and services discovered during port scanning

📊 Technology Stack Detection

Purpose: Identify technologies used by the target

Detects:

  • Web frameworks
  • Content management systems
  • Server software
  • JavaScript libraries
  • Third-party services

When to use: To understand the technology landscape and potential attack vectors

📸 Screenshot Capture

Purpose: Visual reconnaissance of web interfaces

Features:

  • Automated screenshot capture
  • Multiple resolution support
  • Responsive design testing
  • Visual change detection

When to use: For manual review and visual confirmation of discovered services

📋 Comprehensive Reporting

Purpose: Consolidate all findings into actionable reports

Report formats:

  • PDF reports
  • JSON exports
  • CSV data
  • Custom templates

When to use: After completing reconnaissance for analysis and documentation

Scan Configurations

Quick Scan

  • Basic subdomain discovery
  • Top 1000 ports
  • Basic vulnerability checks
  • Time: 15-30 minutes
  • Use case: Initial assessment

Standard Scan

  • Comprehensive subdomain discovery
  • All common ports
  • Web application scanning
  • Technology detection
  • Time: 1-3 hours
  • Use case: Regular security testing

Deep Scan

  • Extensive subdomain enumeration
  • Full port range scanning
  • Comprehensive vulnerability assessment
  • Visual reconnaissance
  • Time: 4-8 hours
  • Use case: Thorough security audit

Custom Scan

  • User-defined scope
  • Selected scan types
  • Custom wordlists
  • Tailored configurations
  • Time: Variable
  • Use case: Specific requirements

Best Practices

🎯 Scope Definition

  • Clearly define your target scope
  • Obtain proper authorization
  • Document all targets and exclusions
  • Respect rate limits and timing

⚡ Performance Optimization

  • Start with quick scans for large targets
  • Use custom wordlists for efficiency
  • Configure appropriate threading
  • Monitor resource usage

🔒 Operational Security

  • Use VPN or proxy when appropriate
  • Randomize scan timing
  • Avoid aggressive scanning patterns
  • Maintain scan logs

📈 Results Analysis

  • Review all findings manually
  • Correlate data across scan types
  • Prioritize findings by risk
  • Document false positives

Advanced Features

Custom Wordlists

Upload and manage custom wordlists for:

  • Subdomain enumeration
  • Directory discovery
  • Parameter fuzzing
  • Technology-specific testing

API Integration

Integrate with external services:

  • Threat intelligence feeds
  • Vulnerability databases
  • Custom notification systems
  • Third-party security tools

Scheduled Scanning

Automate regular assessments:

  • Continuous monitoring
  • Change detection
  • Automated reporting
  • Alert notifications

Choosing the Right Scan Type

For Bug Bounty Hunting

  1. Subdomain Discovery - Map the full attack surface
  2. Port Scanning - Find unusual services
  3. Web App Scanning - Identify common vulnerabilities
  4. Technology Detection - Look for outdated components

For Penetration Testing

  1. Quick Scan - Initial reconnaissance
  2. Deep Scan - Comprehensive assessment
  3. Custom Scan - Targeted testing
  4. Manual Review - Verify automated findings

For Continuous Monitoring

  1. Scheduled Quick Scans - Regular monitoring
  2. Change Detection - Identify new assets
  3. Vulnerability Scanning - Ongoing security checks
  4. Automated Reporting - Regular status updates

Getting Started

Ready to start scanning? Check out these guides:

Authorization Required

Always ensure you have proper authorization before scanning any targets. Unauthorized scanning may violate laws and terms of service.

Need Help?