Advanced Recon Methodology

#methodology #recon

Commands

subfinder -d example.com -all -recursive > subdomain.txt
For finding subdomains (all passive sources, recursive)
cat subdomain.txt | httpx-toolkit -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt
For filtering the list down to live subdomains
katana -u subdomains_alive.txt -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -kf -jc -fx -ef woff,css,png,svg,jpg,woff2,jpeg,gif -o allurls.txt
For fetching URLs from passive sources (static assets excluded)
cat allurls.txt | grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5'
For finding URLs that point at sensitive file types (note: this pattern matches anywhere in the URL and is case-sensitive)
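Added example (not part of the original note): a stricter stand-in for the plain grep above, for checking a crawled URL list for exposed file types. The grep matches the extension anywhere in the URL (a path like /api/json/users or /logs/ matches) and is case-sensitive; this filter strips the query string and fragment, requires the extension at the end of the path, compares case-insensitively, and still prints the full original URL. The sample URLs are constructed.

```shell
# Extensions of interest as an ERE alternation. The double extension .tar.gz is
# spelled with [.] so no backslash escapes have to survive the awk -v assignment.
SENSITIVE_EXT='xlsx?|xml|json|pdf|sql|docx?|pptx|txt|zip|tar[.]gz|tgz|bak|7z|rar|log|cache|secret|db|backup|ya?ml|gz|config|csv|md|md5'

# sensitive_urls: read URLs on stdin, print those whose path ends in one of
# the extensions above (case-insensitive), ignoring ?query and #fragment.
sensitive_urls() {
    awk -v re="[.](${SENSITIVE_EXT})\$" '
    {
        path = $0
        sub(/[?#].*$/, "", path)          # drop query string and fragment
        if (tolower(path) ~ re) print $0  # keep the original URL intact
    }'
}

# Constructed sample input for a quick self-check.
sample_urls() {
    printf '%s\n' \
        'https://example.com/backup/site.tar.gz' \
        'https://example.com/export/users.CSV?page=2' \
        'https://example.com/api/json/users' \
        'https://example.com/docs/readme.md#intro' \
        'https://example.com/app.js'
}

# Usage with the crawl output from the commands above:
#   sensitive_urls < allurls.txt > sensitive_candidates.txt
```

Every hit is still only a candidate: confirm the file is actually served and actually sensitive before treating it as a finding.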

Tips & Best Practices

Always verify live subdomains before further testing

Use rate limiting to avoid getting blocked

Combine passive and active recon for better results

Check for common misconfigurations in cloud services

Monitor for sensitive data exposure in public files

Verify potential vulnerabilities before reporting

Use multiple tools to ensure comprehensive coverage

Document your findings and methodology