Recon Steps / Methodology

This is just a self-note on the different steps to perform while approaching a target. In the commands below, <domain> stands for the target's root domain.

1. Subdomain Enumeration

  • Amass (amass enum -active -d <domain> -o amass-subdomain-result.txt)
  • Assetfinder (assetfinder -subs-only <domain> | anew assetfinder-subdomain-result.txt)
  • Subfinder (subfinder -d <domain> -o subfinder-subdomain-result.txt)
  • Findomain (findomain -t <domain> -u findomain-subdomain-result.txt)

Subdomain Bruteforcing:

  • amass (amass enum -brute -d <domain> -src)
  • knockpy
  • dnsenum
  • dnsrecon (python3 dnsrecon.py -d <domain> -D subdomains-top1mil-5000.txt -t brt)

Subdomain Permutation (alterations of already known names):

  • altdns (./altdns.py -i known-subdomains.txt -o new_subdomains.txt -r -s <resolved-subdomains.txt>)
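Each of the tools above writes its own file, and the raw output is noisy: mixed case, trailing dots, wildcard entries such as "*.<domain>", and hosts from unrelated domains pulled in through certificate SANs. The following script is an added example (not from the original note or from any of the tools listed) that merges the per-tool result files into one de-duplicated list restricted to the target's root domain; the file names it reads are the ones used in step 1, and the sample data in the usage comment is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original note: merge the per-tool result files
# from step 1 into one de-duplicated, in-scope list. Raw tool output is noisy:
# mixed case, trailing dots, wildcard entries like "*.target.tld", and hosts
# from other domains pulled in via certificate SANs or reverse lookups.
set -eu

# merge_subdomains ROOT FILE...  -> unique hostnames under ROOT, one per line
merge_subdomains() {
    local root="$1" re
    shift
    # escape the dots in ROOT so they match literally in the grep below
    re=$(printf '%s' "$root" | sed 's/\./\\./g')
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/[[:space:]]//g' -e 's/\.$//' -e 's/^\*\.//' \
      | grep -E "^([a-z0-9_-]+\.)*${re}\$" \
      | sort -u
}

# Usage: ./merge-subs.sh target.tld amass-subdomain-result.txt \
#            assetfinder-subdomain-result.txt subfinder-subdomain-result.txt \
#            findomain-subdomain-result.txt
# A line like "Www.Target.tld." becomes "www.target.tld"; "*.target.tld"
# collapses to "target.tld"; "target.tld.evil.net" is dropped as out of scope.
if [ "$#" -ge 2 ]; then
    merge_subdomains "$@"
fi
```

The merged file is the input for the later steps (live-host probing, screenshots, port scanning), so filtering out-of-scope names here keeps every later scan inside the authorised target.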

2. Perform ASN enumeration and find acquisitions of a target

  • Find the target's ASN number, then use it in amass to find seed domains. Command: amass intel -asn 46489

3. Probe for live hosts

4. Take a screenshot of all probed domains and subdomains

5. Perform Port Scan

  • Masscan
  • Nmap

You can then use "dnmasscan" (a bash script that resolves a file of domain names and subsequently scans the resulting IPs with masscan) to scan all the enumerated subdomains. Then use Nmap on the interesting findings to go further: service detection, running scripts, etc.

You can also use nmap alone and perform the following:

  • nmap -p- to find all open ports, then run the scripted/service scan only on those ports
  • nmap -p 80,81,22,443 -sC -sV (no spaces in the port list, or nmap treats the rest as extra targets)

Together it becomes: nmap -iL list.txt -p- -sC -sV (simple, but slow on a long host list, since -sC -sV then runs against every open port on every host in one pass).
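The one-liner above is fine for a handful of hosts, but the cheaper approach is two passes: a fast full-range scan written in grepable format, then -sC -sV only against the ports that were open. The script below is an added example (not from the original note or from nmap) that parses nmap's -oG output and emits the second-pass commands; the gnmap line in the comment and the file names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original note: a two-pass nmap workflow.
# Pass 1 finds open ports on every live host with a fast full-range scan and
# writes grepable output; pass 2 runs the slower -sC -sV only against the
# ports that were actually open, instead of scripting all 65535 ports.
set -eu

# open_ports_from_gnmap FILE  -> lines of "HOST PORT,PORT,..." for open TCP ports
# Parses nmap's -oG format: tab-separated fields, e.g.
#   Host: 10.0.0.5 ()<TAB>Ports: 22/open/tcp//ssh///, 443/closed/tcp//https///<TAB>...
open_ports_from_gnmap() {
    awk -F '\t' '
        /^Host: / && /Ports: / {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            ports = ""
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")       # port/state/proto/owner/service/...
                    if (f[2] == "open" && f[3] == "tcp")
                        ports = ports (ports == "" ? "" : ",") f[1]
                }
            }
            if (ports != "") print host, ports
        }' "$1"
}

# phase2_commands FILE -> one targeted nmap command per host with open ports
phase2_commands() {
    open_ports_from_gnmap "$1" | while read -r host ports; do
        printf 'nmap -sC -sV -p %s -oN targeted-%s.nmap %s\n' "$ports" "$host" "$host"
    done
}

# Usage (live hosts from step 3 in live-hosts.txt, file names are examples):
#   nmap -iL live-hosts.txt -p- --open -T4 -oG full-scan.gnmap
#   ./two-pass.sh full-scan.gnmap | sh
if [ "$#" -eq 1 ]; then
    phase2_commands "$1"
fi
```

Only open TCP ports are collected; UDP entries (from a separate -sU run) and closed or filtered ports are skipped, which is what keeps the second pass short.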

6. Find Amazon S3 Buckets

  • Search GitHub for them: "hackme.tld" + "s3"
  • For automation: Lazys3 (brute-forces bucket names from permutations of the target name and a wordlist)
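Lazys3 works by generating bucket-name permutations (target plus common words) and checking each against S3. The script below is an added example, not Lazys3's code or the original note's, that does the same two things: it generates candidate names from a target name and a wordlist you pass in, and classifies each name from the HTTP status S3 returns on the path-style URL. The target name "hackme" and the words in the usage comment are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original note or of Lazys3: generate
# candidate bucket names from the target name plus a small wordlist (the
# permutation idea behind Lazys3) and classify each one from the HTTP status
# S3 returns. Names follow the S3 rules: lowercase letters, digits, dots, hyphens.
set -eu

# s3_candidates NAME WORD...  -> unique candidate bucket names, one per line
s3_candidates() {
    local name="$1" w
    shift
    {
        printf '%s\n' "$name"
        for w in "$@"; do
            printf '%s\n' "$name-$w" "$w-$name" "$name.$w" "$w.$name" "$name$w" "$w$name"
        done
    } | tr 'A-Z' 'a-z' | sort -u
}

# s3_check BUCKET -> "BUCKET <verdict>", using the path-style URL so that
# dotted names do not break the TLS wildcard certificate.
# 404 = NoSuchBucket, 403 = exists but private, 200 = exists and listable,
# 301 = exists but lives in another region (PermanentRedirect).
s3_check() {
    local b="$1" code
    code=$(curl -s -o /dev/null -w '%{http_code}' "https://s3.amazonaws.com/$b/")
    case "$code" in
        200)     echo "$b LISTABLE (public read)" ;;
        403)     echo "$b exists (access denied)" ;;
        301|307) echo "$b exists (other region)" ;;
        404)     echo "$b no such bucket" ;;
        *)       echo "$b unknown ($code)" ;;
    esac
}

# Usage: ./s3-guess.sh hackme dev backup assets
# (the words are a constructed sample; Lazys3 ships a much larger wordlist)
if [ "$#" -ge 1 ]; then
    s3_candidates "$@" | while read -r b; do
        s3_check "$b"
        sleep 1    # be polite; S3 throttles aggressive unauthenticated probing
    done
fi
```

A 403 is still a finding worth noting (the name is taken, possibly by the target), but only a 200 means the listing is exposed; verify a hit with an actual GET of the listing before reporting it.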

7. Run Nuclei templates against the list of live hosts to find known vulnerabilities and misconfigurations

8. Perform Google Dorking and GitHub Dorking / Recon

  • Gitrob tool
  • GitDorker


For Passive Recon: