πŸ΄β€β˜ οΈ
βš™οΈ Security Engineers Β· Module 8

Red Teaming Your Home

Run offensive security assessments against your own home network and digital footprint: reconnaissance, scanning, lateral movement testing, and family social engineering.

🔭

Reconnaissance: Know What Attackers See

The first phase of any red team engagement is reconnaissance: mapping the target's external attack surface. When you do this against yourself, you discover what attackers already know about you.

Passive Reconnaissance (OSINT)

Passive recon gathers information without directly contacting your systems. The target doesn't know you're looking.

Personal OSINT

# 1. Username enumeration across platforms
pip install sherlock-project
sherlock your_username --print-found
# Checks 400+ sites for account existence

# 2. Email breach checking
# https://haveibeenpwned.com/api/v3/breachedaccount/your@email.com
# Or use h8mail for multiple emails:
pip install h8mail
h8mail -t your@email.com

# 3. Google dorking yourself
# "your full name" site:linkedin.com
# "your@email.com" -site:yourdomain.com
# "your_username" site:github.com
# filetype:pdf "your full name"
# "your phone number"

# 4. Data broker search
# Check these sites for your personal info:
# - Spokeo.com
# - WhitePages.com
# - BeenVerified.com
# - FastPeopleSearch.com
# - TruePeopleSearch.com
# Pro tip: search your address to find what's linked to it

# 5. Social media scraping
# Even with "private" profiles, profile pictures, bios,
# friend lists, and metadata may be visible

Domain & Infrastructure OSINT

# If you own a domain:
whois yourdomain.com
# Many authoritative servers and resolvers no longer answer ANY queries
# (RFC 8482): if you get an empty answer or a lone HINFO record, ask for
# each record type individually instead
dig yourdomain.com any
for t in A AAAA MX NS TXT; do dig +noall +answer yourdomain.com $t; done
nslookup -type=any yourdomain.com

# DNS history (shows old records, potential internal hostnames)
# https://securitytrails.com/domain/yourdomain.com/dns

# Certificate transparency (every publicly trusted TLS cert is logged)
curl -s "https://crt.sh/?q=yourdomain.com&output=json" | \
  jq -r '.[].name_value' | sort -u
# name_value can hold several names separated by newlines; jq -r prints
# each on its own line, so sort -u gives one hostname per line.
# This lists every hostname that has ever been issued a certificate,
# expired ones included. You might find: staging.yourdomain.com,
# api.yourdomain.com, internal.yourdomain.com, etc.

# Shodan: what's internet-facing?
# https://www.shodan.io/host/YOUR_HOME_IP
pip install shodan && shodan init YOUR_SHODAN_API_KEY   # one-time CLI setup
shodan host YOUR_HOME_IP
# Shows open ports, services, and banners visible from the internet,
# as seen by Shodan's last scan (it may lag behind your current state)

# Censys: alternative to Shodan
# https://search.censys.io/hosts/YOUR_HOME_IP
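
As an added example (not part of the module), a small Python script that post-processes the crt.sh JSON from the command above instead of stopping at `sort -u`. The input is a constructed sample shaped like the API's response, with `yourdomain.com` standing in for your own domain. It splits the multi-name `name_value` field, lowercases, strips wildcards, drops look-alike names outside your domain that crt.sh's substring search can return, and flags hostnames whose newest certificate has already expired, which often point at decommissioned or forgotten hosts that still deserve a check.

```python
import json

# Constructed sample shaped like crt.sh's "?q=yourdomain.com&output=json"
# response (not real data). name_value is newline-separated and may hold
# wildcards, duplicates, mixed case and look-alike names outside your domain.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "yourdomain.com",
     "name_value": "yourdomain.com\nwww.yourdomain.com",
     "not_after": "2025-04-09T23:59:59"},
    {"common_name": "*.yourdomain.com",
     "name_value": "*.yourdomain.com\nyourdomain.com",
     "not_after": "2025-06-01T23:59:59"},
    {"common_name": "staging.yourdomain.com",
     "name_value": "staging.yourdomain.com\napi.yourdomain.com",
     "not_after": "2025-03-01T23:59:59"},
    {"common_name": "staging.yourdomain.com",          # older cert, same names
     "name_value": "staging.yourdomain.com\napi.yourdomain.com",
     "not_after": "2024-12-01T23:59:59"},
    {"common_name": "INTERNAL.yourdomain.com",          # long expired, still logged
     "name_value": "INTERNAL.yourdomain.com",
     "not_after": "2019-12-31T23:59:59"},
    {"common_name": "yourdomain.com.evil.example",      # substring match, not yours
     "name_value": "yourdomain.com.evil.example",
     "not_after": "2025-01-01T23:59:59"},
])


def parse_crtsh(crtsh_json: str, domain: str) -> dict:
    """Map every hostname under `domain` to {"wildcard": bool, "latest_expiry": str}.
    "wildcard" means a *.<name> certificate was issued for that base name.
    Timestamps stay as crt.sh's fixed-width ISO-8601 strings, which compare
    correctly as text."""
    domain = domain.lower()
    hosts = {}
    for record in json.loads(crtsh_json):
        expiry = record.get("not_after", "")
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if not name:
                continue
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]
            # crt.sh matches substrings, so keep only names inside your domain
            if name != domain and not name.endswith("." + domain):
                continue
            entry = hosts.setdefault(name, {"wildcard": False, "latest_expiry": ""})
            entry["wildcard"] = entry["wildcard"] or wildcard
            if expiry > entry["latest_expiry"]:
                entry["latest_expiry"] = expiry
    return hosts


def subdomains(hosts: dict, domain: str) -> list:
    """Sorted subdomains only, i.e. the names the apex alone does not reveal."""
    return sorted(h for h in hosts if h != domain.lower())


def stale_hosts(hosts: dict, now_iso: str) -> list:
    """Names whose newest certificate expired before `now_iso`: typical of
    decommissioned or forgotten hosts that are still discoverable."""
    return sorted(h for h, e in hosts.items() if e["latest_expiry"] < now_iso)


if __name__ == "__main__":
    # Real use: curl -s "https://crt.sh/?q=yourdomain.com&output=json" > crtsh.json
    # and pass that file's contents instead of the constructed sample.
    found = parse_crtsh(SAMPLE_CRTSH_JSON, "yourdomain.com")
    for host in subdomains(found, "yourdomain.com"):
        flag = " (a *.host wildcard cert exists)" if found[host]["wildcard"] else ""
        print(f"{host}  latest cert expiry {found[host]['latest_expiry']}{flag}")
    print("stale:", stale_hosts(found, "2025-01-15T00:00:00"))
```

Feed the real crt.sh response in and the stale list is usually the most interesting output: a name with no current certificate but a resolvable DNS record is exactly the kind of host that drops out of patching and monitoring.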

GitHub Recon

# Your GitHub profile reveals:
# - Email addresses (from commits)
# - Work history (org memberships)
# - Technology stack (repo languages)
# - Activity patterns (contribution graph)
# - Other identities (linked accounts)

# Extract every author and committer email from your public repos.
# A full clone is needed: a --depth 1 clone only exposes the latest commit.
for repo in $(gh repo list YOUR_USERNAME --limit 100 --json name -q '.[].name'); do
  dir=$(mktemp -d)
  git clone -q "https://github.com/YOUR_USERNAME/$repo" "$dir" 2>/dev/null || continue
  git -C "$dir" log --format='%ae%n%ce' | sort -u
  rm -rf "$dir"
done

# Search for secrets in public repos
trufflehog github --org=YOUR_USERNAME --token=$GITHUB_TOKEN

Active Reconnaissance

Active recon directly probes your systems. This is where you start testing your own defenses.

# External port scan of your home IP
# (Run from an external VPS, not from inside your network)
nmap -sV -sC -p- YOUR_HOME_IP -oN external_scan.txt
# -p- covers TCP only; to also check the WireGuard UDP port add -sU
# (needs root, and UDP scanning is slow), e.g. -sU -p U:51820,T:1-65535

# What should be open:
# - 51820/udp (WireGuard) if you run a VPN
# - Maybe 443/tcp if you host anything
# What should NOT be open:
# - 22 (SSH)
# - 80 (HTTP)
# - 3389 (RDP)
# - 8080, 9090, etc. (dev servers)
# - 445 (SMB)
# - 5432, 3306, 27017 (databases)
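
Added example, not from the module: a Python triage script that reads the `-oN` output of the scan above and compares open ports against the expectation list just given. The nmap output embedded below is constructed (203.0.113.10 is a documentation address, and the scan is assumed to have included `-sU` so the WireGuard port appears); the expected set and the high-risk list are the ports named in this section.

```python
import re

# Constructed nmap -oN output (not a real scan); 203.0.113.10 is a documentation
# address. WireGuard never answers unauthenticated probes, so the best nmap can
# report for 51820/udp is open|filtered.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sV -sC -sU -p U:51820,T:1-65535 203.0.113.10 -oN external_scan.txt
Nmap scan report for 203.0.113.10
Host is up (0.021s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE         SERVICE   VERSION
22/tcp    open          ssh       OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp    closed        http
443/tcp   open          ssl/http  nginx 1.18.0
8080/tcp  open          http      Jetty 9.4.53
8443/tcp  open          ssl/http
51820/udp open|filtered wireguard
# Nmap done -- 1 IP address (1 host up) scanned
"""

# What this section says may be reachable from the internet...
EXPECTED_OPEN = {(51820, "udp"), (443, "tcp")}
# ...and the ports it lists as "should NOT be open"
HIGH_RISK_PORTS = {22, 80, 3389, 445, 3306, 5432, 27017, 8080, 9090}

# One port row of normal output: "port/proto  state  service  [version]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text: str) -> list:
    """Extract the port rows from nmap's normal (-oN) output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": (version or "").strip()})
    return services


def triage(services: list, expected=EXPECTED_OPEN) -> list:
    """Rate every open (or open|filtered) port: 'ok' if expected, 'high' if on
    the should-not-be-open list, otherwise 'medium' (unexpected, investigate).
    Closed and filtered ports are not findings."""
    findings = []
    for svc in services:
        if not svc["state"].startswith("open"):
            continue
        if (svc["port"], svc["proto"]) in expected:
            severity = "ok"
        elif svc["port"] in HIGH_RISK_PORTS:
            severity = "high"
        else:
            severity = "medium"
        findings.append({**svc, "severity": severity})
    return findings


def unexpected_ports(findings: list) -> list:
    """'port/proto' strings, in port order, that need a remediation entry."""
    keys = sorted((f["port"], f["proto"]) for f in findings if f["severity"] != "ok")
    return [f"{port}/{proto}" for port, proto in keys]


if __name__ == "__main__":
    # Real use: open("external_scan.txt").read() instead of the sample
    for f in triage(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)):
        print(f"[{f['severity']:6}] {f['port']}/{f['proto']} {f['service']} {f['version']}")
    print("fix:", unexpected_ports(triage(parse_nmap_normal(SAMPLE_NMAP_OUTPUT))))
```

Anything rated `high` or `medium` goes straight into the Remediation Actions list of the recon report; rerun the scan after closing ports and diff the two `unexpected_ports` lists to confirm the fix took effect.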

Documenting Findings

Create a recon report:

# Personal Recon Report - [Date]

## OSINT Findings
- Email found in X breaches
- Username linked to Y platforms
- Home address discoverable via Z data broker
- GitHub reveals work email in commit history

## External Attack Surface
- Home IP: Open ports: [list]
- Domain: Subdomains found: [list]
- Certificate transparency reveals: [list]

## Risk Assessment
- Critical: [finding]
- High: [finding]
- Medium: [finding]

## Remediation Actions
- [ ] Fix 1
- [ ] Fix 2

Recon is the foundation. You can't defend what you can't see, and you can't prioritize what you haven't assessed.


πŸ›‘οΈ CyberSafe β€” Online safety training for the whole family.