
Getting Started

After installing Ghost Scout, you can begin your reconnaissance workflow. The application provides a web interface accessible at http://localhost:3000.

Typical Workflow

Ghost Scout follows a sequential workflow for building phishing campaigns:
1. Add Target Domain

Navigate to the Domains page and add your target company’s domain
  • Enter the domain (e.g., example.com)
  • Ghost Scout will store the domain and prepare for reconnaissance
  • DNS records will be queued for lookup
2. Start Reconnaissance

Initiate Hunter.io search to find employees and email formats
  • Click “Start Reconnaissance” for the target domain
  • Hunter.io API will search for email addresses
  • Email format patterns will be identified
  • Discovered contacts will be stored in the database
  • Real-time updates will show progress
3. Scrape Sources

Enrich contact information by scraping discovered URLs
  • Review discovered sources for each contact
  • Select sources to scrape for additional information
  • HTML content will be converted to Markdown
  • Source data will be associated with contacts
  • Enriched profiles will include scraped content
4. Generate Profiles

Use AI to generate detailed profiles for discovered contacts
  • Select contacts for profile generation
  • Anthropic API will analyze scraped data
  • AI will generate structured profiles
  • Profiles include key information and context
  • Review generated profiles for accuracy
5. Create Pretexts

Generate personalized phishing emails for each target
  • Select targets for pretext generation
  • Choose prompt template from library
  • AI generates personalized pretexts
  • Review generated emails for quality
  • Edit pretexts as needed
6. Review & Export

Review, approve, and export pretexts for your campaign
  • Review all generated pretexts
  • Make final edits and approvals
  • Export for use in phishing infrastructure
  • Track which pretexts have been used

Feature Usage

Domain Management

  • Add Domain
  • View DNS Records
Adding a Target Domain:
  1. Navigate to the Domains page
  2. Click “Add Domain”
  3. Enter the target domain (without http:// or www)
  4. Click “Submit”
Example:
Domain: targetcompany.com
Ghost Scout will:
  • Store the domain in the database
  • Queue DNS lookups (MX, SPF, DMARC records)
  • Prepare for reconnaissance activities

Reconnaissance

  • Start Reconnaissance
  • Monitor Progress
  • Review Contacts
Initiating Hunter.io Search:
  1. Select a domain from your list
  2. Click “Start Reconnaissance”
  3. Monitor real-time progress updates
What Happens:
  • Hunter.io API searches for email addresses at the domain
  • Email format patterns are identified (e.g., {first}.{last}@domain.com)
  • Discovered contacts are stored with available information
  • Sources (LinkedIn, company websites, etc.) are recorded
  • Real-time updates show discovered contacts

Source Scraping

  • Select Sources
  • Scraping Process
  • Review Scraped Data
Choosing Sources to Scrape:
  1. Navigate to a contact’s detail page
  2. Review discovered sources (URLs)
  3. Select sources likely to contain useful information
  4. Click “Scrape Selected”
Source Types:
  • LinkedIn profiles
  • Company bios
  • Blog posts
  • Social media profiles
  • Company directories

Profile Generation

  • Generate Profiles
  • Profile Quality
  • Edit Profiles
Creating AI Profiles:
  1. Select contacts with scraped data
  2. Click “Generate Profiles”
  3. Monitor queue processing
  4. Review generated profiles
Profile Contents:
  • Professional background
  • Role and responsibilities
  • Interests and activities
  • Public information summary
  • Context for personalization

Pretext Generation

  • Choose Template
  • Generate Pretexts
  • Review & Edit
Selecting Prompt Templates:
Ghost Scout includes templates in prompt_library/:
  • IT support pretexts
  • HR/benefits pretexts
  • Executive communication pretexts
  • Vendor/partner pretexts
  • Security awareness pretexts
Choose templates that match your campaign goals.

Export & Campaign Management

  • Export Pretexts
  • Track Usage
  • Data Management
Exporting for Campaigns:
Export pretexts for use in phishing tools:
  • CSV format with target information
  • Individual email templates
  • Bulk export functionality
Use exported data in your phishing infrastructure.

Operational Scenarios

Scenario 1: Broad Company Reconnaissance

Goal: Discover as many employees as possible at a target organization
1. Add Primary Domain

Domain: targetcompany.com
2. Start Reconnaissance

Let Hunter.io discover all available contacts at the domain
3. Identify Related Domains

Check for:
  • Subsidiary domains
  • Regional domains
  • Acquired company domains
4. Expand Reconnaissance

Add and search related domains for additional contacts
5. Prioritize Targets

Review all discovered contacts and select high-value targets:
  • Executive leadership
  • IT administrators
  • Finance personnel
  • HR staff

Scenario 2: Targeted Spear Phishing

Goal: Create highly personalized pretexts for specific individuals
1. Identify Targets

Use Hunter.io to find specific individuals:
  • C-level executives
  • Department heads
  • Project managers
2. Comprehensive Source Scraping

Scrape multiple sources per target:
  • LinkedIn profiles
  • Company bios
  • Conference presentations
  • Blog posts
  • Social media
3. Generate Detailed Profiles

Create rich profiles with extensive information
4. Custom Pretexts

Generate pretexts referencing:
  • Recent activities
  • Professional interests
  • Current projects
  • Industry trends relevant to target
5. Manual Refinement

Carefully edit pretexts for maximum believability

Scenario 3: Campaign Template Development

Goal: Develop reusable pretext templates for multiple campaigns
1. Research Multiple Organizations

Conduct reconnaissance on several similar organizations
2. Identify Common Patterns

Find patterns across organizations:
  • Similar roles
  • Common workflows
  • Industry-specific language
  • Shared pain points
3. Create Template Pretexts

Develop pretext templates that work across targets:
  • Generic IT support scenarios
  • Common HR/benefits topics
  • Industry-standard processes
4. Customize Per Campaign

For each engagement, personalize templates with:
  • Organization-specific details
  • Target-specific information
  • Current events/context

OPSEC Best Practices

Follow operational security best practices to avoid detection

Hunter.io Usage

  • Use dedicated API keys for operations
  • Avoid personal/company accounts
  • Consider disposable accounts for sensitive engagements
  • Rotate keys between campaigns
  • Monitor API usage and rate limits
  • Be aware Hunter.io may notify target organizations
  • Space out searches over time
  • Avoid rapid sequential searches
  • Consider search volume limits
  • Document search timestamps
  • Hunter.io searches can be attributed to your account
  • Target organizations may receive alerts
  • Consider using separate accounts per client
  • Be prepared to explain reconnaissance activities
  • Maintain engagement documentation

Infrastructure Security

  • Deploy Ghost Scout on isolated infrastructure
  • Use VPN or dedicated network for operations
  • Separate infrastructure per engagement
  • Avoid using organizational networks
  • Consider cloud-based deployments
  • Encrypt SQLite database files
  • Secure Redis instance with passwords
  • Limit access to Ghost Scout interface
  • Implement authentication and access control
  • Backup data securely
  • Clean up data between engagements
  • Delete reconnaissance data after campaigns
  • Maintain separate instances per client
  • Document data retention policies
  • Secure API keys and credentials
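
The Redis items in the list above can be checked against the instance's configuration file. This added example is not part of Ghost Scout; it assumes Redis is configured through a redis.conf file, and the function names, the 32-character threshold and both sample configurations are constructed for illustration.

```javascript
// Added example: audit redis.conf text for the Redis items in the list above.
const MIN_PASSWORD_LENGTH = 32; // this example's threshold, not a Redis or Ghost Scout setting

// Parse redis.conf text into directive -> arguments; a later line overrides an earlier one.
function parseRedisConf(text) {
  const directives = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const [name, ...args] = line.split(/\s+/);
    directives.set(name.toLowerCase(), args.map((a) => a.replace(/^["']|["']$/g, '')));
  }
  return directives;
}

// Loopback means 127.0.0.0/8 or ::1; a leading "-" (optional address) is ignored.
function isLoopback(addr) {
  const a = addr.replace(/^-/, '');
  return /^127\.\d+\.\d+\.\d+$/.test(a) || a === '::1';
}

function auditRedisConf(text) {
  const conf = parseRedisConf(text);
  const findings = [];
  const password = (conf.get('requirepass') || [])[0] || '';
  if (password === '') findings.push('no-password');
  else if (password.length < MIN_PASSWORD_LENGTH) findings.push('short-password');
  const bind = conf.get('bind') || []; // with no bind line Redis listens on all interfaces
  if (bind.length === 0) findings.push('bind-not-set');
  else if (!bind.every(isLoopback)) findings.push('bind-non-loopback');
  const protectedMode = (conf.get('protected-mode') || [])[0] || 'yes';
  if (protectedMode.toLowerCase() === 'no') findings.push('protected-mode-off');
  return findings;
}

// Constructed sample configurations (not taken from Ghost Scout).
const WEAK_CONF = `
bind 0.0.0.0
protected-mode no
port 6379
`;
const HARDENED_CONF = `
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET_FROM_VAULT
`;

console.log(auditRedisConf(WEAK_CONF));
console.log(auditRedisConf(HARDENED_CONF));
```

An empty findings array means the file sets a long password, binds only to loopback and leaves protected mode on.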

Content Generation

  • Review all AI-generated content carefully
  • Watch for AI artifacts and inconsistencies
  • Verify personalized details are accurate
  • Ensure realistic tone and style
  • Edit for natural language
  • Verify scraped information is current
  • Check that details match target’s reality
  • Avoid outdated or incorrect information
  • Cross-reference multiple sources
  • Update profiles as needed
  • Customize prompt templates for each engagement
  • Test templates with sample data
  • Iterate based on campaign results
  • Document effective templates
  • Maintain template library

Automation Examples

Bulk Profile Generation

# Example: Generate profiles for all contacts without profiles
# This would be done through the web interface, but can be scripted

# 1. Query database for contacts without profiles
# 2. Ensure sources are scraped
# 3. Queue profile generation jobs
# 4. Monitor queue progress
# 5. Review generated profiles

Scheduled Reconnaissance

# Example: Scheduled reconnaissance for ongoing monitoring
# Use cron or scheduled task to periodically update reconnaissance

# Crontab entry (daily reconnaissance at 2 AM)
0 2 * * * cd /path/to/ghost_scout && node scripts/scheduled-recon.js

Export Automation

# Example: Automated export of completed pretexts
# Export pretexts as they're approved for campaign use

# Script to export approved pretexts to campaign infrastructure
node scripts/export-pretexts.js --status=approved --format=csv --output=/path/to/campaign/

Troubleshooting

Possible Causes:
  • Hunter.io has no data for the domain
  • Domain spelling error
  • Private/small organization
  • API key issues
Solutions:
  • Verify domain spelling
  • Check Hunter.io directly for domain data
  • Try related domains
  • Verify API key is valid
  • Check Hunter.io account status
Possible Causes:
  • Source URL is behind authentication
  • Source has anti-scraping protections
  • MarkItDown-API connection issues
  • Rate limiting by source site
Solutions:
  • Verify MarkItDown-API is running
  • Check source URL is accessible
  • Space out scraping requests
  • Skip protected sources
  • Manual data collection for important sources
Possible Causes:
  • Insufficient scraped data
  • Anthropic API key issues
  • API rate limits
  • Prompt template errors
Solutions:
  • Scrape more sources for the target
  • Verify Anthropic API key
  • Check API usage and limits
  • Review prompt template syntax
  • Monitor job queue for errors
Possible Causes:
  • Low-quality profile data
  • Inappropriate template selection
  • Prompt needs customization
  • LLM hallucination
Solutions:
  • Improve profile quality with better sources
  • Choose more appropriate template
  • Customize prompt templates
  • Manually edit generated pretexts
  • Provide more context in prompts
Possible Causes:
  • Socket.io connection issues
  • Redis connection problems
  • Job queue not processing
  • Client-side JavaScript errors
Solutions:
  • Check browser console for errors
  • Verify Redis is running
  • Check Socket.io connection status
  • Restart Ghost Scout application
  • Clear browser cache and reload

Best Practices

Reconnaissance

Start Broad

Begin with company-wide reconnaissance to identify all potential targets

Then Focus

Narrow down to high-value targets for detailed profiling

Multiple Sources

Scrape multiple sources per target for comprehensive profiles

Verify Information

Cross-reference information across sources for accuracy

Profile & Pretext Generation

Quality Over Quantity

Better to have fewer high-quality pretexts than many poor ones

Manual Review

Always review AI-generated content before use

Iterate Templates

Improve prompt templates based on campaign results

Test Pretexts

Test pretexts on internal team before deploying

Campaign Management

Document Everything

Keep detailed records of reconnaissance and campaigns

Track Results

Monitor campaign effectiveness and iterate

Secure Data

Protect reconnaissance data and pretexts

Clean Up

Delete data after engagement completion
