Ultimate Reconnaissance RoadMap for Bug Bounty Hunters & Pentesters

  1. Active: Involves directly interacting with the system architecture and infrastructure, such as interacting with the system's traffic and requests or physically accessing the company's premises.
  2. Passive: Involves gathering information without direct interaction with the target, such as using search engines and open-source intelligence (OSINT) to gather information about the target system.
  • I start by collecting base information.
  1. WHOIS Information: Useful to check information about domain owners (gather emails, phone numbers) and registration details.
  2. DNS Information: Very useful to understand the domain logistics and start predicting what vulnerabilities related to DNS you can look for.
  3. Acquisitions: Looking for companies acquired by the target will in turn give you more domains to target, and a higher chance of finding more vulnerabilities.
  • Going more advanced, we repeat the 1st and 2nd recon phases for all subdomains that we gather in the coming `Subdomain Enumeration` phase.
  • Combine it with a tool called `gf` and extract patterns from endpoints to test for vulnerabilities like SSRF, SQL Injection and XSS.
  • Pass it to Nuclei for additional scan.
  • Extract important extensions (pdf, db, xlsx, …) that might be cached or forgotten and at the same time contain sensitive information.
  • Extract JavaScript Files and analyze them.
  • Use the Sublist3r tool to gather subdomains passively.
  • Use the AssetFinder tool to gather subdomains as well.
  • Use the Amass tool in passive mode.
  • Use the Amass tool in active mode.
  • Remove duplicate subdomain records.
  • Check for Resolving/Live Subdomains.
  • Brute-Forcing Subdomains using Customized Wordlist.
  • Gather Sub-Subdomains Passively.
  • Remove Duplicate Sub-Subdomains Records.
  • Check for Subdomain Takeover.
  • Output the results in multiple files (resolved.txt | unresolved.txt | subsubdomains.txt | subtakeover.txt).
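
The merge, de-duplicate, resolve and output steps above can be sketched as follows. This is an added example, not code from the original post: the function names, the sample tool output and the use of the system resolver as the liveness check are assumptions, and the normalization step goes slightly beyond the list by handling the inconsistent formats different tools emit. It is meant for domains you are authorized to inventory.

```python
import socket
from pathlib import Path

def normalize(line):
    """Lower-case a tool output line; strip scheme, path, port, wildcard, trailing dot."""
    host = line.strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        host = host[2:]
    return host.rstrip(".")

def merge(lists, root):
    """Union several tools' outputs, keeping only in-scope names under `root`."""
    seen = set()
    for lines in lists:
        for line in lines:
            host = normalize(line)
            if host == root or host.endswith("." + root):
                seen.add(host)
    return sorted(seen)

def resolves(host):
    """Default liveness check (assumption): the name resolves via the system resolver."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def triage(hosts, root, resolver=resolves):
    """Split hosts into the output files named above; a sub-subdomain has
    two or more labels to the left of `root`."""
    out = {"resolved.txt": [], "unresolved.txt": [], "subsubdomains.txt": []}
    for host in hosts:
        out["resolved.txt" if resolver(host) else "unresolved.txt"].append(host)
        if host != root and host[: -len(root) - 1].count(".") >= 1:
            out["subsubdomains.txt"].append(host)
    return out

def write_outputs(buckets, directory="."):
    """Write one host per line into each output file."""
    for name, hosts in buckets.items():
        Path(directory, name).write_text("".join(h + "\n" for h in hosts))

# Constructed sample output from two tools (example.com is a reserved documentation domain)
TOOL_A = ["www.example.com", "API.example.com.", "https://dev.api.example.com/login"]
TOOL_B = ["api.example.com", "*.example.com", "cdn.example.net", "old.example.com:8443"]

if __name__ == "__main__":
    hosts = merge([TOOL_A, TOOL_B], "example.com")
    write_outputs(triage(hosts, "example.com"))
```

The out-of-scope `cdn.example.net` entry is dropped during the merge, which keeps third-party hosts out of later scans.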



Ahmad Halabi

Cyber Security Specialist | Hacker | Founder at Cybit Sec | Managing Director at Resecurity®.