Recon Step/ Methodology

Vengeance

2 min readJun 17, 2021

This is just a self-note on different steps to perform while approaching a target.

1. Subdomain Enumeration

Tools:

Amass (amass enum -active -d domain.com -o amass-subdomain-result.txt)
Assetfinder (assetfinder -subs-only domain.com | anew assetfinder-subdomain-result.txt)
Subfinder (subfinder -d domain.com -o subfinder-subdomain-result.txt)
Findomain (findomain -t domain.com -u findomain-subdomain-result.txt)

Subdomain Bruteforcing:

amass (amass enum -brute -d domain.com -src)
knockpy
dnsenum
dnsrecon (python3 dnsrecon.py -d domain.com -D subdomains-top1mil-5000.txt -t brt)

Permutations:

altdns (./altdns.py -i known-subdomains.txt -o new_subdomains.txt -r -s domains-google.com.AltDNS.txt)

2. Perform ASN enumeration and find acquisitions of a target

To find acquisitions you can use crunchbase
To find ASN number (http://bgp.he.net) and asnlookup.com. Then, You can use ASN in amass to find seed domains Command: amass intel -asn 46489

3. Probing for live host

httprobe (cat final-subdomain.txt | httprobe | anew probed-subdomain.txt)

4. Take a screenshot of all probed domains and subdomains

EyeWitness (./EyeWitness.py -f probed-subdomain.txt — web -d eyewitness)

5. Perform Port Scan

Perform port scan on all found domains and subdomains. (Not only on probed domains and subdomains)

Masscan
Nmap

You can then use “dnmasscan” (a bash script to automate resolving a file of domain names and subsequentlly scanning them using masscan) to scan all the enumerated subdomains. Then use Nmap to scan further like services, running different scripts, etc. on interesting findings.

You can also use nmap and perfrom following: