Workflow
How It Works
ASRFacet-Rb is intentionally staged so one piece discovers context and the next piece validates or enriches it instead of trying to do everything at once.
| Area | Purpose | Built-In Capability |
|---|---|---|
| Passive Discovery | Collect known assets before touching the target | Certificate transparency, passive DNS, historical archive data |
| Asset Validation | Confirm that discovered assets are real and in scope | DNS lookups, SAN pivots, scoped busting, resolution checks |
| Service Mapping | Identify exposed network services | Threaded TCP scanning and banner collection |
| Web Recon | Map HTTP exposure and application behavior | HTTP probing, crawling, JavaScript endpoint mining |
| Monitoring | Highlight change over time | Recon memory, diffs, and change summaries |
Live Workflow View
The website renders the framework flow directly with HTML, CSS, and JavaScript so each stage stays readable and interactive.
Select a stage
Pick any stage to see what it contributes to the full framework workflow.
Workflow
Scan Pipeline
The full scan path is staged so operators can reason about where a finding came from and what should happen next.
01
Passive Runner
Collects baseline hostnames from passive providers before active traffic starts.
→ Output: subdomains, passive warnings
02
DNS + Certificate Discovery
Validates names and expands relationships through records and certificate SANs.
→ Output: IPs, records, certificate edges
03
Busting & Expansion
Tests candidate hosts and grows the known asset set in a controlled way.
→ Output: discovered hosts, candidates
04
Port & Service Mapping
Looks for reachable services on discovered IPs and collects basic banners.
→ Output: open ports, services, banners
05
HTTP + Crawl + JS
Maps application exposure, follows links, and mines probable endpoints from JavaScript.
→ Output: paths, links, forms, endpoints
06
Correlation + Monitoring
Scores assets, highlights likely findings, and compares the run against saved memory.
→ Output: findings, deltas, top assets, reports
Workflow
Passive Sources
Passive mode is the safest first view of a target and a good habit even for experienced operators.
crt.sh
Certificate Transparency
No KeyGreat for SAN-derived hostnames
Wayback
Historical Archive
No KeyOlder hosts and archived URLs
RapidDNS
Passive DNS
No KeySimple hostname extraction
Shodan
Passive DNS
--shodan-keyOptional enrichment when you have a key
Workflow
Core Modules
Stability depends on keeping ownership tight: orchestration should not drift into engines, and storage should not drift into control flow.
| Layer | Owns | Should Not Own |
|---|---|---|
| Scheduler | Stage ordering, retries, admission control | Probe-specific business logic |
| Engines | Actual DNS, port, HTTP, or crawl work | Global orchestration policy |
| Correlation | Result interpretation and graph links | Competing execution loops |
| Output | Formatting and persistence | Deciding what to scan next |