Reconnaissance and Information Gathering
It is not the tool, it is the methodology.
Recon is everything. The deeper you dig, the higher your chance of finding assets nobody else is looking at. Responsible disclosure programs (no payout) have fewer hunters - good for beginners to practice.
1. Fingerprinting Web Technologies
Goal: Identify the tech stack (server, framework, CMS, CDN, JS libs) so you can craft targeted attacks later (e.g., PHP extensions for Apache, ASP/ASPX for IIS).
Online / Browser Tools
| Tool | Use |
|---|---|
| https://builtwith.com | Full tech profile - frameworks, analytics, CDN, payment providers |
| https://www.wappalyzer.com/ | Browser extension, real-time fingerprint while browsing |
| https://similartech.com/ | Alternative to builtwith |
| https://securityheaders.com | Clean view of HTTP response headers + missing security headers |
Command Line
# Grab headers and follow redirects (-I = headers only, -L = follow redirect)
curl -IL https://target.com
# Port scan - prefer scanning both 80 and 443, not just one
nmap -A -p 80,443 target.com
# Full service/version detection
nmap -sV -p 80,443 target.comNote: If you get CloudFront/Amazon S3 responses instead of the real server, you’re hitting a CDN. Use
-Lwith curl to follow the redirect to the origin.
2. Directory Brute Forcing
Goal: Discover hidden directories, files, and endpoints not linked anywhere.
Always check the program scope before running any automated tooling - many programs explicitly forbid it.
Key Wordlists (Kali built-in)
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt # preferred
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt # faster, fewer results
/usr/share/wordlists/dirb/common.txt # quick wins only
ffuf (Fuzz Faster U Fool)
# Install
sudo apt install ffuf
# Basic directory scan
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://target.com/FUZZ -ac -v -c
# With file extensions
ffuf -w wordlist.txt:FUZZ -u http://target.com/FUZZ -e .php,.html,.bak,.txt
# Recursive scan (depth 2)
ffuf -w wordlist.txt:FUZZ -u http://target.com/FUZZ -recursion -recursion-depth 2
# Filter by status code (exclude 404s)
ffuf -w wordlist.txt:FUZZ -u http://target.com/FUZZ -fc 404
# Filter by response size (remove uniform false positives)
ffuf -w wordlist.txt:FUZZ -u http://target.com/FUZZ -fs 1234
# API discovery
ffuf -u http://TARGET/api/FUZZ -w api.txt -mc 200
# Parameter fuzzing
ffuf -u "http://TARGET/page?FUZZ=test" -w params.txtferoxbuster (preferred - fast + recursive by default)
# Basic scan
feroxbuster --url http://target.com
# With wordlist and file extensions
feroxbuster -u http://target.com -w wordlist.txt -x php,txt,html,bak
# Increase threads (faster scan)
feroxbuster -u http://target.com -w wordlist.txt -t 100
# Filter noise
feroxbuster -u http://target.com -w wordlist.txt -S 1234 # filter by size
feroxbuster -u http://target.com -w wordlist.txt -C 404,403 # filter by status
feroxbuster -u http://target.com -w wordlist.txt --filter-similar-to http://target.com/nonexistent # filter false-positive pages
# Route through Burp Suite
feroxbuster -u http://target.com -w wordlist.txt --burp
# Authenticated scan (cookie or header)
feroxbuster -u http://target.com -w wordlist.txt -b "session=abc123"
feroxbuster -u http://target.com -w wordlist.txt -H "Authorization: Bearer TOKEN"3. Subdomain Enumeration
Goal: Find all subdomains within the wildcard scope (e.g., *.target.com). More subdomains = more attack surface, often with less hardening.
Google Dorking
# Find all indexed subdomains
site:target.com
# Exclude www to surface others
site:target.com -www
# Chain exclusions to dig deeper
site:target.com -www -store
# Find sensitive file types
site:target.com filetype:xlsx
site:target.com filetype:pdf password
Online Tools
| Tool | Notes |
|---|---|
| https://crt.sh | Certificate transparency search - use %.target.com as query |
| https://www.merklemap.com/ | Certificate-based subdomain discovery |
| https://enterno.io/ | Additional passive recon |
| https://binsec.tools/ | Various passive sources |
crt.sh example query: %.target.com (the % is the wildcard)
Command Line Tools
# subfinder - fast passive subdomain enumeration
subfinder -d target.com
subfinder -d target.com -o subfinder-results.txt
# assetfinder - also finds related domains/entities (Tom Hudson)
assetfinder target.com
assetfinder target.com | grep target.com | sort -u > assetfinder-results.txt
# amass - slow but thorough, more data sources
amass enum -d target.com -o amass-results.txt
# puredns - brute force domains
puredns bruteforce wordlist.txt target.comCombine and Deduplicate Results
# Merge all tool outputs → sort unique → final list
cat subfinder-results.txt assetfinder-results.txt amass-results.txt | grep "target.com" | sort -u > all-subdomains.txtValidate Live Subdomains with httprobe
# Install (requires Go)
go install github.com/tomnomnom/httprobe@latest
# Check which subdomains are alive
cat all-subdomains.txt | httprobe | grep https > alive-subdomains.txtScreenshot Live Subdomains with gowitness
# Create output folder
mkdir target-screenshots
# Strip https:// prefix first (gowitness needs bare domains)
sed 's|https://||' alive-subdomains.txt > alive-domains-bare.txt
# Take screenshots
gowitness file -f alive-domains-bare.txt -P target-screenshots --no-httpThen open target-screenshots/ and visually triage - look for login panels, admin pages, legacy apps, or anything unusual.
4. Automation
Running all these tools manually for every target is tedious. The goal is a single script that:
- Runs all subdomain tools in parallel
- Merges and deduplicates
- Probes for live hosts
- Screenshots everything
Tools Not Yet in Your Workflow
| Tool | What It Adds |
|---|---|
httpx (ProjectDiscovery) | Faster/richer replacement for httprobe - adds status codes, titles, tech detection |
nuclei | Template-based vulnerability scanner - run after you have live hosts |
waybackurls / gau | Pull historical URLs from Wayback Machine + other sources - finds old endpoints |
pure | Fast DNS brute forcer - validate subdomains via DNS before probing HTTP |
katana | Web crawler - spider live hosts to find additional endpoints |
5. Recon Checklist
Before You Start
- Read the full program scope
- Identify what is in scope (wildcards, specific domains)
- Note what is explicitly out of scope
- Check if automated tooling is permitted
- Note required headers (e.g., custom
X-Bug-Bountyheader with your username)
Technology Fingerprinting
- Run builtwith.com on the main domain
- Check Wappalyzer while browsing
-
curl -IL https://target.com- check server headers -
nmap -sV -p 80,443 target.com- check open ports and services - securityheaders.com - document missing headers
Directory Brute Forcing
- Run
feroxbusterorffufon main domain - Include extensions matching the detected stack (
.php,.aspx,.html,.bak) - Filter out noise (uniform 404 sizes, redirect floods)
- Repeat on any interesting subdomains discovered
Subdomain Enumeration
- Google dork:
site:target.com -www - Google dork:
site:target.com filetype:pdf/filetype:xlsx - crt.sh:
%.target.com -
subfinder -d target.com -
assetfinder target.com | grep target.com | sort -u -
amass enum -d target.com(if time allows) - Merge all results:
cat *.txt | grep target.com | sort -u > all-subdomains.txt - Probe live hosts:
cat all-subdomains.txt | httprobe | grep https - Screenshot live hosts with
gowitness
Manual Browsing (Passive Recon)
- Click through all main navigation links
- Note login panels, registration pages, admin paths
- Identify third-party integrations (HubSpot, Stripe, Okta, etc.)
- Check JS files for API keys, hardcoded endpoints, internal paths
Triage
- Review gowitness screenshots - flag anything interesting
- Prioritize: login panels, admin interfaces, legacy/dev subdomains, APIs
- Re-run directory brute forcing on interesting subdomains
- Document all live assets before moving to exploitation phase