Recon (external)
External attack surface discovery. Given a domain in scope, find what is exposed. For internal host enumeration use 01 Recon & Enum.
DOMAIN=target.com
WL=/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
RESOLVERS=/usr/share/wordlists/resolvers.txt
Build a fresh resolver list first; dead resolvers wreck mass brute-force speed:
curl -sL https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt -o "$RESOLVERS"
i. Subdomain enum, passive first
Passive uses cert logs and public datasets, no traffic to target:
subfinder -d "$DOMAIN" -all -silent -o subs-passive.txt
assetfinder --subs-only "$DOMAIN" | tee -a subs-passive.txt
amass enum -passive -d "$DOMAIN" -o subs-amass.txt
crt.sh, fast and free, one curl (appended to the passive list so the merge below picks it up):
curl -s "https://crt.sh/?q=%25.$DOMAIN&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a subs-passive.txt
Merge:
cat subs-passive.txt subs-amass.txt | sort -u > subs.txt
ii. Active brute force
puredns, fastest mass DNS bruteforce, uses your resolver list:
puredns bruteforce "$WL" "$DOMAIN" -r "$RESOLVERS" -w subs-brute.txt
dnsx, second brute-force pass through the same resolver list (pass -l subs.txt instead of -d/-w to just resolve the merged passive list):
dnsx -d "$DOMAIN" -w "$WL" -r "$RESOLVERS" -o subs-dnsx.txt
## Permutation: alterx generates variants like staging-api, api-staging, etc.
alterx -l subs.txt | dnsx -r "$RESOLVERS" -o subs-perm.txt
Merge everything:
cat subs.txt subs-brute.txt subs-dnsx.txt subs-perm.txt | sort -u > all-subs.txt
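The merge above is where junk and out-of-scope names sneak in: wildcard entries, mixed case, trailing dots, and lookalike domains returned by passive sources. This added example, not part of the original page, is a POSIX sh scope filter to run on the merged list before the active phases touch it; the function names, the exclusion file and the sample input are constructed for illustration.

```shell
# Added example, not from the original cheat sheet: normalize the merged list and
# drop anything outside the authorized scope before dnsx/naabu/httpx touch it.
# Function names, the exclusion file and the sample input are constructed.

# Lowercase, strip whitespace, a leading "*." and a trailing ".", then keep only
# the apex itself or hosts ending in ".<apex>". $1 = apex domain, input on stdin.
normalize_subs() {
  tr 'A-Z' 'a-z' \
    | sed -e 's/[[:space:]]//g' -e 's/^\*\.//' -e 's/\.$//' \
    | awk -v apex="$1" '$0 != "" && ($0 == apex || substr($0, length($0) - length(apex)) == ("." apex))' \
    | sort -u
}

# Drop hostnames the engagement explicitly excludes: exact, fixed-string matches,
# one per line in the file named by $1 (e.g. a third-party SaaS CNAME).
apply_exclusions() {
  grep -v -x -F -f "$1"
}

# Constructed sample: the kind of noise a raw cat of passive+brute+perm output
# contains. Result: api, dev, the apex and www under target.com only.
demo() {
  excl="$(mktemp)"
  printf 'payroll.target.com\n' > "$excl"
  printf '%s\n' \
    'API.target.com' \
    '*.dev.target.com' \
    'api.target.com.' \
    'target.com' \
    'nottarget.com' \
    'target.com.evil.example' \
    'payroll.target.com' \
    '' \
    'www.target.com' \
    | normalize_subs target.com | apply_exclusions "$excl"
  rm -f "$excl"
}

demo
```

Wire it in as `normalize_subs "$DOMAIN" < all-subs.txt | apply_exclusions out-of-scope.txt > all-subs-clean.txt` and feed the clean file to the probes.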
iii. Probe alive HTTP
httpx-toolkit, one tool, tons of fingerprints:
httpx -l all-subs.txt -title -tech-detect -status-code -ip -cname -web-server -o alive.txt
## Just alive hosts:
httpx -l all-subs.txt -silent -o alive-bare.txt
Common interesting ports beyond 80/443:
httpx -l all-subs.txt -ports 80,443,8000,8080,8443,8888,3000,5000,7001,9000,9090,9200 -o alive-ports.txt
iv. Port scanning external IPs
naabu for fast TCP port scan across a domain set:
naabu -l all-subs.txt -top-ports 1000 -rate 5000 -o ports.txt
nmap follow-up on the hosts that answered (naabu prints host:port, so field 1 is the host):
awk -F: '{print $1}' ports.txt | sort -u > ips.txt
nmap -iL ips.txt -sCV --open -Pn -oA nmap-ext
Scanning AWS/GCP/Azure-hosted IPs at high rate can violate the provider's ToS even when the target authorizes you. Stick to -rate 1000 or below, and confirm the scope covers cloud-hosted assets.
v. Screenshot at scale
gowitness scan file -f alive-bare.txt --threads 10
## or eyewitness:
EyeWitness --web -f alive-bare.txt --threads 10 -d screenshots/
Then visually triage the report (EyeWitness writes report.html into the -d directory). This catches default panels, abandoned staging sites and dev artifacts.
vi. ASN and IP space
Find the company’s own netblocks:
## by org name
amass intel -org "Target Inc"
## by ASN
amass intel -asn 12345
## quick lookup
whois -h whois.cymru.com " -v 8.8.8.8"
bgp.he.net for visual ASN exploration. Once you have the ASN, expand it to all announced prefixes:
curl -s "https://api.bgpview.io/asn/12345/prefixes" | jq -r '.data.ipv4_prefixes[].prefix'
vii. Cloud asset discovery
S3 buckets, blob storage, GCS:
## S3 permutations from a domain name
cloud_enum -k "$DOMAIN" -k "target" -k "target-prod"
## or trufflehog for leaked creds in public S3:
trufflehog s3 --bucket=target-bucket
viii. GitHub recon
Find code repos, leaked secrets:
trufflehog github --org=target-inc --concurrency=10
## by user or repo
trufflehog github --repo=https://github.com/target-inc/code --only-verified
Search GitHub directly for the domain:
"target.com" filename:.env
"target.com" password
"target.com" extension:pem
ix. Wayback and historical data
URLs the target served in the past; these often expose forgotten admin panels or old endpoints that are still alive:
waybackurls "$DOMAIN" | tee wayback.txt
gau "$DOMAIN" | tee -a wayback.txt
sort -u wayback.txt > urls.txt
## Filter for interesting extensions
grep -E '\.(env|bak|old|sql|json|config|zip|tar|gz)(\?|$)' urls.txt
x. Google dorks worth saving
site:target.com -www
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com intitle:"index of"
site:*.target.com -site:www.target.com
site:pastebin.com "target.com"
site:github.com "target.com" password
xi. Full pipeline, one shot
subfinder -d "$DOMAIN" -all -silent | \
dnsx -silent -r "$RESOLVERS" | \
naabu -silent -top-ports 1000 | \
httpx -silent -title -tech-detect -status-code -o final.txt
Output is a ready-to-triage list of live hosts with tech stacks. From here, feed the URLs into 00 Web MOC.