Reconnaissance and Information Gathering

It is not the tool, it is the methodology.

Recon is everything. The deeper you dig, the higher your chance of finding assets nobody else is looking at. Responsible disclosure programs (no payout) have fewer hunters - good for beginners to practice.


1. Fingerprinting Web Technologies

Goal: Identify the tech stack (server, framework, CMS, CDN, JS libs) so you can craft targeted attacks later (e.g., PHP extensions for Apache, ASP/ASPX for IIS).

Online / Browser Tools

ToolUse
https://builtwith.comFull tech profile - frameworks, analytics, CDN, payment providers
https://www.wappalyzer.com/Browser extension, real-time fingerprint while browsing
https://similartech.com/Alternative to builtwith
https://securityheaders.comClean view of HTTP response headers + missing security headers

Command Line

# Grab headers and follow redirects (-I = headers only, -L = follow redirect)
curl -IL https://target.com
 
# Port scan - prefer scanning both 80 and 443, not just one
nmap -A -p 80,443 target.com
 
# Full service/version detection
nmap -sV -p 80,443 target.com

Note: If you get CloudFront/Amazon S3 responses instead of the real server, you’re hitting a CDN. Use -L with curl to follow the redirect to the origin.


2. Directory Brute Forcing

Goal: Discover hidden directories, files, and endpoints not linked anywhere.

Always check the program scope before running any automated tooling - many programs explicitly forbid it.

Key Wordlists (Kali built-in)

/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt   # preferred
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt    # faster, fewer results
/usr/share/wordlists/dirb/common.txt                           # quick wins only

ffuf (Fuzz Faster U Fool)

# Install
sudo apt install ffuf
 
# Basic directory scan
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://target.com/FUZZ -ac -v -c
 
# With file extensions
ffuf -w wordlist.txt:FUZZ -u http://target.com/FUZZ -e .php,.html,.bak,.txt
 
# Recursive scan (depth 2)
ffuf -w wordlist.txt:FUZZ -u http://target.com/FUZZ -recursion -recursion-depth 2
 
# Filter by status code (exclude 404s)
ffuf -w wordlist.txt:FUZZ -u http://target.com/FUZZ -fc 404
 
# Filter by response size (remove uniform false positives)
ffuf -w wordlist.txt:FUZZ -u http://target.com/FUZZ -fs 1234
 
# API discovery
ffuf -u http://TARGET/api/FUZZ -w api.txt -mc 200
 
# Parameter fuzzing
ffuf -u "http://TARGET/page?FUZZ=test" -w params.txt

feroxbuster (preferred - fast + recursive by default)

# Basic scan
feroxbuster --url http://target.com
 
# With wordlist and file extensions
feroxbuster -u http://target.com -w wordlist.txt -x php,txt,html,bak
 
# Increase threads (faster scan)
feroxbuster -u http://target.com -w wordlist.txt -t 100
 
# Filter noise
feroxbuster -u http://target.com -w wordlist.txt -S 1234           # filter by size
feroxbuster -u http://target.com -w wordlist.txt -C 404,403        # filter by status
feroxbuster -u http://target.com -w wordlist.txt --filter-similar-to http://target.com/nonexistent             # filter false-positive pages
 
# Route through Burp Suite
feroxbuster -u http://target.com -w wordlist.txt --burp
 
# Authenticated scan (cookie or header)
feroxbuster -u http://target.com -w wordlist.txt -b "session=abc123"
feroxbuster -u http://target.com -w wordlist.txt -H "Authorization: Bearer TOKEN"

3. Subdomain Enumeration

Goal: Find all subdomains within the wildcard scope (e.g., *.target.com). More subdomains = more attack surface, often with less hardening.

Google Dorking

# Find all indexed subdomains
site:target.com

# Exclude www to surface others
site:target.com -www

# Chain exclusions to dig deeper
site:target.com -www -store

# Find sensitive file types
site:target.com filetype:xlsx
site:target.com filetype:pdf password

Online Tools

ToolNotes
https://crt.shCertificate transparency search - use %.target.com as query
https://www.merklemap.com/Certificate-based subdomain discovery
https://enterno.io/Additional passive recon
https://binsec.tools/Various passive sources

crt.sh example query: %.target.com (the % is the wildcard)


Command Line Tools

# subfinder - fast passive subdomain enumeration
subfinder -d target.com
subfinder -d target.com -o subfinder-results.txt
 
# assetfinder - also finds related domains/entities (Tom Hudson)
assetfinder target.com
assetfinder target.com | grep target.com | sort -u > assetfinder-results.txt
 
# amass - slow but thorough, more data sources
amass enum -d target.com -o amass-results.txt
 
# puredns - brute force domains
puredns bruteforce wordlist.txt target.com

Combine and Deduplicate Results

# Merge all tool outputs → sort unique → final list
cat subfinder-results.txt assetfinder-results.txt amass-results.txt | grep "target.com" | sort -u > all-subdomains.txt

Validate Live Subdomains with httprobe

# Install (requires Go)
go install github.com/tomnomnom/httprobe@latest
 
# Check which subdomains are alive
cat all-subdomains.txt | httprobe | grep https > alive-subdomains.txt

Screenshot Live Subdomains with gowitness

# Create output folder
mkdir target-screenshots
 
# Strip https:// prefix first (gowitness needs bare domains)
sed 's|https://||' alive-subdomains.txt > alive-domains-bare.txt
 
# Take screenshots
gowitness file -f alive-domains-bare.txt -P target-screenshots --no-http

Then open target-screenshots/ and visually triage - look for login panels, admin pages, legacy apps, or anything unusual.


4. Automation

Running all these tools manually for every target is tedious. The goal is a single script that:

  1. Runs all subdomain tools in parallel
  2. Merges and deduplicates
  3. Probes for live hosts
  4. Screenshots everything

Tools Not Yet in Your Workflow

ToolWhat It Adds
httpx (ProjectDiscovery)Faster/richer replacement for httprobe - adds status codes, titles, tech detection
nucleiTemplate-based vulnerability scanner - run after you have live hosts
waybackurls / gauPull historical URLs from Wayback Machine + other sources - finds old endpoints
pureFast DNS brute forcer - validate subdomains via DNS before probing HTTP
katanaWeb crawler - spider live hosts to find additional endpoints

5. Recon Checklist

Before You Start

  • Read the full program scope
  • Identify what is in scope (wildcards, specific domains)
  • Note what is explicitly out of scope
  • Check if automated tooling is permitted
  • Note required headers (e.g., custom X-Bug-Bounty header with your username)

Technology Fingerprinting

  • Run builtwith.com on the main domain
  • Check Wappalyzer while browsing
  • curl -IL https://target.com - check server headers
  • nmap -sV -p 80,443 target.com - check open ports and services
  • securityheaders.com - document missing headers

Directory Brute Forcing

  • Run feroxbuster or ffuf on main domain
  • Include extensions matching the detected stack (.php, .aspx, .html, .bak)
  • Filter out noise (uniform 404 sizes, redirect floods)
  • Repeat on any interesting subdomains discovered

Subdomain Enumeration

  • Google dork: site:target.com -www
  • Google dork: site:target.com filetype:pdf / filetype:xlsx
  • crt.sh: %.target.com
  • subfinder -d target.com
  • assetfinder target.com | grep target.com | sort -u
  • amass enum -d target.com (if time allows)
  • Merge all results: cat *.txt | grep target.com | sort -u > all-subdomains.txt
  • Probe live hosts: cat all-subdomains.txt | httprobe | grep https
  • Screenshot live hosts with gowitness

Manual Browsing (Passive Recon)

  • Click through all main navigation links
  • Note login panels, registration pages, admin paths
  • Identify third-party integrations (HubSpot, Stripe, Okta, etc.)
  • Check JS files for API keys, hardcoded endpoints, internal paths

Triage

  • Review gowitness screenshots - flag anything interesting
  • Prioritize: login panels, admin interfaces, legacy/dev subdomains, APIs
  • Re-run directory brute forcing on interesting subdomains
  • Document all live assets before moving to exploitation phase