Recon Is Where Engagements Are Won
I've found critical vulnerabilities through solid recon that others missed because they went straight to scanning. Your attack surface map determines what you test and where you focus. Rushing it costs you findings.
Subdomain Enumeration
# Passive
subfinder -d target.com -silent | tee subdomains_passive.txt
amass enum -passive -d target.com >> subdomains_passive.txt
# Active DNS brute force
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Certificate transparency
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u
HTTP Probing
cat subdomains_passive.txt | httpx -silent -title -status-code -tech-detect | tee live_hosts.txt
Content Discovery
feroxbuster -u https://app.target.com \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-x php,html,js,json --auto-tune
JavaScript Analysis
katana -u https://app.target.com -jc | grep -E "(api|admin|internal|secret|key)"
Parameter Discovery
arjun -u https://app.target.com/api/v1/users -m GET
Defensive Takeaways
- Monitor your own certificate transparency logs — attackers use crt.sh too
- Inventory all subdomains in your DNS quarterly; delete orphaned records
- JavaScript bundles should not contain API keys or internal URLs
- Implement proper robots.txt and security.txt
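Monitoring your own CT logs means dealing with how crt.sh actually returns names: one name_value can hold several SANs separated by newlines, wildcards appear as "*.host", and case varies. The script below is an added example, not code from the original post; it normalizes a crt.sh-style JSON response and flags any hostname that is not in your known inventory. The JSON sample and the inventory set are constructed for illustration.

```python
import json

# Constructed sample in the shape crt.sh returns (not a real query result).
# One entry carries two SANs separated by "\n", one is a wildcard, one has
# mixed case, and one is a look-alike domain that must not match.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "app.target.com\nwww.target.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.staging.target.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "Legacy-API.target.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "target.com.evil.example"},
])

# Constructed inventory: what your DNS/asset register says should exist.
KNOWN_INVENTORY = {"target.com", "www.target.com", "app.target.com"}


def normalize_ct_names(raw_json, base_domain):
    """Return the set of in-scope hostnames seen in a crt.sh JSON response."""
    base_domain = base_domain.lower()
    names = set()
    for entry in json.loads(raw_json):
        # name_value may contain several SANs, one per line
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # wildcard cert still reveals the zone it covers
            # Suffix check with a leading dot so "target.com.evil.example" is excluded
            if name == base_domain or name.endswith("." + base_domain):
                names.add(name)
    return names


def find_unknown_hosts(ct_names, inventory):
    """Hostnames with issued certificates that are absent from the inventory."""
    return sorted(ct_names - {h.lower() for h in inventory})


if __name__ == "__main__":
    seen = normalize_ct_names(SAMPLE_CRTSH_JSON, "target.com")
    for host in find_unknown_hosts(seen, KNOWN_INVENTORY):
        print(f"ALERT: certificate issued for host not in inventory: {host}")
```

In production, replace SAMPLE_CRTSH_JSON with the body of the curl query from the recon section and feed the alerts into whatever ticketing or SIEM pipeline owns asset hygiene.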