spiderfoot -l 127.0.0.1:5001
The Philosophy of Automated Correlation
SpiderFoot is an Open-Source Intelligence (OSINT) automation framework. It does not hack WordPress directly. Instead, it acts as a central nervous system for your intelligence gathering.
The true power of an OSINT investigation lies in correlation. Finding a subdomain is useful. Finding an employee's email address is useful. But finding out that the specific employee whose email you scraped is also the registered owner of a hidden staging subdomain running an outdated, vulnerable version of WordPress? That is actionable intelligence.
SpiderFoot automates this entire chain of logic. You feed it a single seed, a domain name like google.com, and it queries over 200 distinct modules, cross-referencing DNS records, threat intelligence feeds, public code repositories, and breach databases to build a comprehensive map of the organization's digital footprint.
Arming the Engine: The API Arsenal
Out of the box, SpiderFoot is capable, but it is effectively blind to premium intelligence. To transform it into a real tactical asset, you must arm it with API keys.
Before launching your first automated profile, navigate to the "Settings" tab in the SpiderFoot UI and integrate the following core modules:
- SecurityTrails & BinaryEdge: Essential for historical DNS correlation. If the target recently moved their WordPress site behind Cloudflare, these APIs will pull the historical records, often revealing the true origin IP address.
- Hunter.io: Automates the scraping of corporate email addresses associated with the target domain.
- HaveIBeenPwned (HIBP) & DeHashed: When SpiderFoot finds an email address, it immediately queries these breach databases.
- BuiltWith & Wappalyzer: Automatically fingerprints the technology stack of discovered subdomains.
Defining the Scope: Passive vs. Active Profiling
When you configure a new scan in SpiderFoot, you are presented with a critical operational choice: how loud do you want to be?
The Stealth Paradigm (Passive Scanning)
Selecting the "Passive" module group restricts SpiderFoot to querying third-party databases. It asks Google, Shodan, and VirusTotal what they know about the target. A passive scan never sends a single packet to the target's infrastructure.
The Aggressive Footprint (Active Scanning)
Active scanning instructs SpiderFoot to directly interact with the target by performing zone transfers, querying their specific name servers, and crawling web pages. This yields deeper data but is detectable by the target's SOC.
Visualizing the Attack Surface
SpiderFoot generates an interactive node graph that visually maps the relationships between disparate pieces of intelligence.
The "Shadow IT" Cluster
Look for a node representing a subdomain (e.g., dev.target.com) branching to an IP owned by a cheap VPS provider rather than their primary enterprise host. This represents an unmanaged, likely forgotten server.
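The same check, applied to a scan of your own domain, can be run over exported results instead of read off the graph: flag every hostname whose resolved address falls outside the ranges you know you operate. This is an added example, not part of SpiderFoot or the original page; the CSV column names, the sample rows and APPROVED_RANGES are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample shaped like a scan CSV export (column names are an assumption).
SAMPLE_EXPORT = """Type,Source,Data
INTERNET_NAME,example.com,www.example.com
IP_ADDRESS,www.example.com,198.51.100.10
INTERNET_NAME,example.com,dev.example.com
IP_ADDRESS,dev.example.com,203.0.113.77
INTERNET_NAME,example.com,mail.example.com
IP_ADDRESS,mail.example.com,198.51.100.25
IP_ADDRESS,mail.example.com,not-an-ip
"""

# Hypothetical inventory: the ranges the organisation knows it operates.
APPROVED_RANGES = ["198.51.100.0/24"]


def hosts_to_ips(export_text):
    """Map each hostname to the set of valid IPs the scan resolved for it."""
    mapping = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Type"] != "IP_ADDRESS":
            continue
        try:
            mapping[row["Source"]].add(ipaddress.ip_address(row["Data"].strip()))
        except ValueError:
            continue  # skip malformed data rather than abort the review
    return mapping


def find_unmanaged(export_text, approved_ranges):
    """Return {hostname: [ips]} for hosts resolving outside every approved range."""
    networks = [ipaddress.ip_network(r) for r in approved_ranges]
    findings = {}
    for host, ips in hosts_to_ips(export_text).items():
        # "ip in network" is False, not an error, when the IP versions differ
        outside = sorted(str(ip) for ip in ips if not any(ip in n for n in networks))
        if outside:
            findings[host] = outside
    return findings


if __name__ == "__main__":
    for host, ips in find_unmanaged(SAMPLE_EXPORT, APPROVED_RANGES).items():
        print(f"review: {host} -> {', '.join(ips)} (outside approved ranges)")
```

Each flagged host is a candidate for the asset inventory: either add its range to the approved list or decommission the server.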
The Human Vulnerability Chain
Trace the nodes from the domain to an extracted email address, to a breached password database hit. You now have high-probability credentials for targeted brute forcing.
The Misconfigured Bucket
SpiderFoot aggressively hunts for exposed cloud storage. A node might reveal an open Amazon S3 bucket named target-wp-backups-2025. Download the backups, extract user hashes, and crack them locally.
The Handoff: Intelligence to Action
SpiderFoot represents the culmination and the conclusion of Phase 1.
The OSINT engine has built the target list. The reconnaissance phase is officially closed. Now, it is time to feed this highly refined, contextual data into our active scanning tools. Take the specific IP addresses, subdomains, and administrator emails discovered by SpiderFoot, and move immediately into the Phase 02: Vulnerability Analysis section, beginning with the WPScan API Weaponization masterclass.