Workflow
How It Works
ASRFacet-Rb is intentionally staged so one piece discovers context and the next piece validates or enriches it instead of trying to do everything at once.
| Area | Purpose | Built-In Capability |
|---|---|---|
| Passive Discovery | Collect known assets before touching the target | Certificate transparency, passive DNS, historical archive data |
| Asset Validation | Confirm that discovered assets are real and in scope | DNS lookups, SAN pivots, scoped busting, resolution checks |
| Service Mapping | Identify exposed network services | Connect scans, raw-capable scanner modes, banner collection, and version detection |
| Web Recon | Map HTTP exposure and application behavior | HTTP probing, crawling, JavaScript endpoint mining |
| Monitoring | Highlight change over time | Recon memory, diffs, and change summaries |
Live Workflow View
The website renders the framework flow directly with HTML, CSS, and JavaScript so each stage stays readable and interactive.
Select a stage
Pick any stage to see what it contributes to the full framework workflow.
Workflow
Scan Pipeline
The full scan path is staged so operators can reason about where a finding came from and what should happen next.
01
Passive Runner
Collects baseline hostnames from passive providers before active traffic starts.
-> Output: subdomains, passive warnings
02
DNS + Certificate Discovery
Validates names and expands relationships through records and certificate SANs.
-> Output: IPs, records, certificate edges
03
Busting & Expansion
Tests candidate hosts and grows the known asset set in a controlled way.
-> Output: discovered hosts, candidates
04
Port & Service Mapping
Looks for reachable services on discovered IPs and collects banners, versions, and scanner states.
-> Output: open ports, services, banners, versions
05
HTTP + Crawl + JS
Maps application exposure, follows links, and mines probable endpoints from JavaScript.
-> Output: paths, links, forms, endpoints
06
Correlation + Monitoring
Scores assets, highlights likely findings, and compares the run against saved memory and workspaces.
-> Output: findings, deltas, top assets, reports
Workflow
Passive Sources
Passive mode is the safest first view of a target and a good habit even for experienced operators. The current framework ships seventeen passive sources across archive, passive DNS, code-search, and commercial-enrichment categories.
crt.sh / VirusTotal / SecurityTrails
Certificate and passive DNS
MixedStrong hostname discovery and SAN history.
Wayback / CommonCrawl / URLScan
Historical archive
No KeyOlder hosts, archived URLs, and long-tail exposure.
RapidDNS / BufferOver / AlienVault
Passive DNS
No KeySimple hostname extraction and corroboration.
Shodan / Censys / WhoisXML / GitHub
Commercial and code-search enrichment
MixedBroader enrichment when you have credentials or need code search pivots.
Workflow
Core Modules
Stability depends on keeping ownership tight: orchestration should not drift into engines, and storage should not drift into control flow.
| Layer | Owns | Should Not Own |
|---|---|---|
| Scheduler | Stage ordering, retries, admission control | Probe-specific business logic |
| Engines | Actual DNS, port, HTTP, or crawl work | Global orchestration policy |
| Correlation | Result interpretation and graph links | Competing execution loops |
| Output | Formatting and persistence | Deciding what to scan next |