Recon Steps / Methodology

Jun 17, 2021


This is just a self-note on different steps to perform while approaching a target.

1. Subdomain Enumeration


  • Amass (amass enum -active -d hackme.tld -o amass-subdomain-result.txt)
  • Assetfinder (assetfinder --subs-only hackme.tld | anew assetfinder-subdomain-result.txt)
  • Subfinder (subfinder -d hackme.tld -o subfinder-subdomain-result.txt)
  • Findomain (findomain -t hackme.tld -u findomain-subdomain-result.txt)

(hackme.tld stands in for the target domain throughout; the output file names are just a convention so the results can be merged later.)

Subdomain Bruteforcing:

  • amass (amass enum -brute -d hackme.tld -src)
  • knockpy
  • dnsenum
  • dnsrecon (python3 dnsrecon.py -d hackme.tld -D subdomains-top1mil-5000.txt -t brt)


  • altdns (./altdns.py -i known-subdomains.txt -o new_subdomains.txt -r -s resolved-subdomains.txt). altdns only generates permutations of the names you already have; keep -r so that only names that actually resolve end up in the saved list.
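Each of the tools above writes its own file, with different conventions (trailing dots, URLs with a scheme, wildcard entries, names that merely contain the target string). As an added example, not code from the original post, the helper below merges those files into one in-scope list ready for probing. The hackme.tld target, the file names and the sample file contents are constructed assumptions, not real tool output.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): merge the per-tool subdomain
# result files from step 1 into one normalised, in-scope list.
set -eu

# normalize_host <name>: lowercase, drop scheme/path/port, trailing dot and
# a leading "*." wildcard (certificate-transparency sources emit those).
normalize_host() {
  local h
  h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  h=${h#*://}      # https://host/... -> host/...
  h=${h%%/*}       # host/path       -> host
  h=${h%%:*}       # host:port       -> host
  h=${h%.}         # host.           -> host
  h=${h#\*.}       # *.host          -> host
  printf '%s\n' "$h"
}

# merge_subdomains <root-domain> <file>...: prints the sorted, unique set of
# names that are the root domain or one of its subdomains. Anything else
# (e.g. hackme.tld.evil.example, which merely contains the target string) is
# dropped, so it never reaches the port scan.
merge_subdomains() {
  local root line h
  root=$(normalize_host "$1"); shift
  cat -- "$@" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      h=$(normalize_host "$line")
      case "$h" in
        "$root"|*."$root") printf '%s\n' "$h" ;;
      esac
    fi
  done | LC_ALL=C sort -u
}

# --- constructed sample files (assumed names, not real tool output) ---
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat >"$work/amass-subdomain-result.txt" <<'EOF'
api.hackme.tld
dev.hackme.tld.
hackme.tld
EOF
cat >"$work/assetfinder-subdomain-result.txt" <<'EOF'
API.hackme.tld
*.staging.hackme.tld
hackme.tld.evil.example
EOF
cat >"$work/subfinder-subdomain-result.txt" <<'EOF'
https://www.hackme.tld/login
mail.hackme.tld:25
EOF

merge_subdomains hackme.tld "$work"/*-subdomain-result.txt >"$work/final-subdomain.txt"
cat "$work/final-subdomain.txt"
```

The merged file is what the later steps (httprobe, EyeWitness, the port scan) should consume; the scope check in merge_subdomains is the part worth keeping even if you swap the normalisation for something stricter.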

2. Perform ASN enumeration and find acquisitions of a target

  • To find acquisitions you can use Crunchbase.
  • Find the target's ASN, then use it in amass to discover seed domains: amass intel -asn 46489. An ASN can cover ranges shared with third parties or hosting customers, so confirm that a range is really the target's before scanning it.

3. Probing for live host

  • httprobe (cat final-subdomain.txt | httprobe | anew probed-subdomain.txt). By default httprobe only tries HTTP on 80 and HTTPS on 443, so this list is "hosts with a web service on the standard ports", not "live hosts".

4. Take a screenshot of all probed domains and subdomains

  • EyeWitness (./EyeWitness.py -f probed-subdomain.txt --web -d eyewitness)

5. Perform Port Scan

Perform the port scan on all found domains and subdomains, not only on the probed ones: a host with nothing on 80/443 can still expose SSH, databases, or admin panels on other ports.

  • Masscan
  • Nmap

You can then use "dnmasscan" (a bash script that resolves a file of domain names and then scans the resulting IPs with masscan) to scan all the enumerated subdomains, and use Nmap on the interesting findings for service detection, NSE scripts, and so on. masscan works on IPs and knows nothing about hostnames, so keep the name-to-IP mapping: several subdomains often resolve to the same IP (or a CDN edge), and a finding on an IP has to be mapped back to the hostnames that pointed at it.

You can also use nmap alone, in two stages:

  • nmap -p- to find the open ports, then
  • nmap -p 22,80,81,443 -sC -sV on the ports that were open (no spaces in the port list)

Combined into one command it becomes: nmap -iL list.txt -p- -sC -sV. That works on a small scope, but running -sC -sV against all 65535 ports of every host is slow; on a larger scope do the full port sweep first and feed only the open ports into the script and version scan.

6. Find Amazon S3 Bucket

  • Using a Google dork that pairs the S3 search with the target name: + hackme.tld
  • Look them up on GitHub: "hackme.tld" + "s3"
  • For automation: lazys3

A bucket name that contains the target's name is not proof of ownership; confirm the bucket really belongs to the target before reporting or touching it.

7. Run Nuclei templates against the list of live hosts to find different vulnerabilities

8. Perform Google Dorking and GitHub Dorking/ Recon

Automation Approach:

  • Gitrob tool
  • GitDorker


For Passive Recon: