# Recon

**Blog / Articles / Presentations / Videos:**

* Recon and Discovery - <https://www.youtube.com/watch?v=La3iWKRX-tE>

* <https://blog.usejournal.com/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd>

* Doing Recon Like a Boss - <https://www.youtube.com/watch?v=1Kg0_53ZEq8>

* <https://blog.zsec.uk/ltr101-method-to-madness/>

* Presentation - <https://github.com/bugcrowd/bugcrowd_university/blob/master/Recon%20and%20Discovery/Bugcrowd%20University%20-%20Recon%20%26%20Discovery.pdf>

* Recon Everything - <https://medium.com/@maverickNerd/recon-everything-48aafbb8987>

* Recon Notes - <https://mavericknerd.github.io/knowledgebase/>

* <https://blog.detectify.com/2020/01/07/guest-blog-streaak-my-recon-techniques-from-2019/>

* <https://medium.com/@europa_/recoinnassance-7840824b9ef2>

* <https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21>

* <https://medium.com/bugbountywriteup/whats-tools-i-use-for-my-recon-during-bugbounty-ec25f7f12e6d>

* <https://bugbountytuts.files.wordpress.com/2018/02/dirty-recon.pdf>

* <https://blog.usejournal.com/web-application-security-bug-bounty-methodology-reconnaissance-vulnerabilities-reporting-635073cddcf2>

* <http://imsoley.tk/mofb/>

* <https://blog.detectify.com/2019/01/29/hacking-isnt-an-exact-science/>

* Ben Presentation - <https://docs.google.com/presentation/d/1xgvEScGZ_ukNY0rmfKz1JN0sn-CgZY_rTp2B_SZvijk/edit#slide=id.g3fc0937313_1_68>

* 100 Ways to Discover - <https://sylarsec.com/2019/01/11/100-ways-to-discover-part-1/>

* Asset Enumeration - <https://captmeelo.com/bugbounty/2019/09/02/asset-enumeration.html>

* Hacking Process - Recon - <https://www.youtube.com/watch?v=1bivJl0B_bs&feature=youtu.be>

* <https://medium.com/@shahjerry33/recon-my-way-or-high-way-58a18dab5c95>

* <https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/>

* <https://medium.com/@smhtahsin33/recon-one-step-advanced-with-otx-8827119566fd>

* <https://eslam3kl.medium.com/simple-recon-methodology-920f5c5936d4>

* [**https://systemweakness.com/ultimate-manual-bug-bounty-recon-guide-f30c900367c8**](https://systemweakness.com/ultimate-manual-bug-bounty-recon-guide-f30c900367c8)

* Google Dorks - <https://ahrefs.com/blog/google-advanced-search-operators/>
  * <https://github.com/HanPac/google-dorks-2018-2019/blob/master/dorks>
  * <https://twitter.com/s0md3v/status/1151759042785632256>
  * Pagodo - <https://twitter.com/search?q=pagodo%20recon&src=typed_query>
  * <https://twitter.com/intigriti/status/1116447376544280578>
  * <https://twitter.com/intigriti/status/1108365683069456385>
  * Tools - <https://github.com/ZephrFish/GoogD0rker/>
  * <https://github.com/1N3/Goohak>
  * <https://twitter.com/Th3G3nt3lman/status/1104111564632797186>
  * <https://blog.deesee.xyz/automation/osint/2020/01/07/semi-automation-dorking.html> - Google Dorks
  * [https://blog.ujwalkr.com/Google-Dorks-Recon/](https://ulogx.com/Google-Dorks-Recon/) - Google Dorks
  * <https://github.com/BullsEye0/google_dork_list/blob/master/google_Dorks.txt>
  * <https://gist.github.com/stevenswafford/393c6ec7b5375d5e8cdc>
  * DORK: inurl:wp-config-backup.txt
  * <https://exploitway.com/github-dorks-for-penetration-testing/>
  * <https://gist.github.com/zbetcheckin/04e6a5d7f2d5ef8cfa3c298701f47f9c>
  * <https://www.boxpiper.com/posts/google-dork-list>
  * <https://pastebin.com/zYPZNbMK>
  * Google Dork - <https://github.com/SKVNDR/FastDork>

**Tools:**

* AutoRecon - <https://github.com/JoshuaMart/AutoRecon>
* <https://bugbountyforum.com/tools/recon/> <https://github.com/eldraco/domain_analyzer> <http://www.spiderfoot.net/info/>
* <https://dnsdumpster.com/> <https://github.com/codingo/Reconnoitre> NerdyData BuiltWith hunter.io
* <https://github.com/michenriksen/aquatone> Censys Robtex Shodan Whoxy <https://github.com/DataSploit/datasploit>
* <https://github.com/reconned/domained> -- has multiple tools inbuilt
* <https://github.com/evilsocket/xray>
* <https://github.com/003random/003Recon>
* <https://dnstrails.com/>
* <https://github.com/shibli2700/Rekon>
* Automation for Open Threat Exchange - <https://github.com/remonsec/Pri0tx>
* Simple tool for get domain relationship.. [https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getrelationship.py…](https://t.co/MuLnPJH5SQ?amp=1) - [@Jhaddix](https://twitter.com/Jhaddix) [@TomNomNom](https://twitter.com/TomNomNom) [@stokfredrik](https://twitter.com/stokfredrik) [@NahamSec](https://twitter.com/NahamSec) [@Yassineaboukir](https://twitter.com/Yassineaboukir) [#bugbountytips](https://twitter.com/hashtag/bugbountytips?src=hashtag_click) [#BugBounty](https://twitter.com/hashtag/BugBounty?src=hashtag_click)
* <https://github.com/hackerspider1/EchoPwn>
* <https://github.com/eslam3kl/3klCon>
* <https://github.com/cspshivam/easyrecon>
* [deksterecon](https://github.com/0xdekster/deksterecon)
* <https://github.com/remonsec/SEF>
* <https://github.com/chvancooten/BugBountyScanner>
* <https://github.com/Anon-Artist/R3C0Nizer>
* <https://github.com/dirsoooo/Recon>
* <https://github.com/gokulapap/Reconator>
* <https://github.com/Huntinex/rauton>

**Recon Cheatsheet:**

* <https://pentester.land/cheatsheets/2019/04/15/recon-resources.html>
* <https://github.com/0xhelloworld/public/blob/master/recon%20cheatsheet>
* Awesome Asset Discovery - <https://github.com/redhuntlabs/Awesome-Asset-Discovery>
* Asset Discovery - <https://0xpatrik.com/asset-discovery/?source=post_page--------------------------->

**Twitter Threads:**

* Getting info about Domains than subdomains - <https://twitter.com/gwendallecoguic/status/1187000587612762112>
* If the scope is [http://example.com](https://t.co/C9eI6hA592) only - <https://twitter.com/imhaxormad/status/1118289299152072706>
* <https://twitter.com/hackermaderas/status/1181970321588572160>
* <https://twitter.com/nullenc0de/status/1166539906832879616>
* ASN - <https://twitter.com/C1h2e11/status/1163806579474329600>
* ASN - oneliner to retrieve ASN numbers of a company. #bugbountytips - <https://twitter.com/gwendallecoguic/status/1199372098839437317> - <https://pastebin.com/G44mnY2x>

  `(ls /tmp/GeoLite2-ASN-CSV.zip||wget --quiet -P /tmp "https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip…") 2>&1|grep X; unzip -c /tmp/GeoLite2-ASN-CSV.zip|grep -i airbnb|cut -d ',' -f 2|sort -fu`
* <https://twitter.com/hakluke/status/1199266508280434689> - ASN - `whois -h whois.cymru.com $(dig +short tesla.com)`
* ASN - <https://twitter.com/akita_zen/status/1169792876554969089>
* ASN - <https://twitter.com/_harleo/status/1198210924395597824>
* ASN - <https://twitter.com/hakluke/status/1225264234675597312>
* Quickly get the ASN of an IP address, along with the associated company name and location: `curl http://ipinfo.io/<ip>` This is a great way to confirm ownership of an IP/domain. It also is a great way to services that might be in use (AWS/Azure/Cloudfront/Akamai, etc.) - <https://twitter.com/hakluke/status/1225264234675597312>
* CRT.sh - <https://twitter.com/Dondata4/status/1226535287930654720>
* Asset Discovery - <https://twitter.com/nullenc0de/status/1226982642295459846> // <https://github.com/cihanmehmet/sub.sh/blob/master/sub.sh>
* Masscan - Take a list of subdomains, resolve them to an IP, remove duplicates and scan each with masscan.

  ```
  masscan --rate 10000 -p1-65535 $(<subdomains.txt xargs -I % getent hosts % | awk '{print $1}' | sort -u | tr '\n' ',' | sed 's/,$//')
  ```
* saw this a while ago it might help someone. `curl -fsSL "https://crt.sh/?CN=%25.%25.att.com&exclude=expired …" | pup 'td :contains(".att.com") text{}' | sort -n | uniq -c | sort -rn | column -t > /root/Desktop/att-recon/ok.txt`

![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-M8nC19onsU0TnQfIc53%2F-M8nnO6VR3R8CWQBL_V7%2FScreenshot%202020-06-02%20at%2012.22.27%20PM.png?alt=media\&token=4535bb1d-d507-45ea-8283-7186e0b947c7)

{% embed url="<https://twitter.com/streaak/status/1090649652318203904>" %}

{% embed url="<https://twitter.com/nnwakelam/status/1090869257779310592>" %}

{% embed url="<https://twitter.com/anspattnaik/status/1183269184052088832>" %}

{% embed url="<https://twitter.com/hackermaderas/status/1126502858239557633>" %}

{% embed url="<https://twitter.com/hakluke/status/1225264234675597312>" %}

{% embed url="<https://twitter.com/Vulkey_Chen/status/1178323315892449281>" %}

`ASN, CIDR => amass intel => enumeration script 'amass with api keys, findomain with api keys, and subfinder' => massDNS => httprobe => sort live and dead hosts => run a subtakeover script => hakcrawler`

Post Recon - <https://twitter.com/jobertabma/status/998769037445230592>

![https://twitter.com/aish\_kendle/status/1259909336274518016](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-M7Gy_I03CRr2a9O0Ovl%2F-M7GycA1jUOPQWPc4TcJ%2FScreenshot%202020-05-14%20at%2012.28.31%20PM.png?alt=media\&token=81150664-706f-4f8d-a0ca-a9059b044402)

* Asset Discovery tool - <https://twitter.com/NahamSec/status/1260639679696629760>
* <https://github.com/bonino97/LemonBooster-v2>
* <https://github.com/carlospolop/hacktricks/blob/master/external-recon-methodology.md>
* <https://github.com/Quikko/Recon-Methodology>

```
DNS tools:

-viewdns.info
-dnslytics.com
-dnsspy.io
-leafdns.com
-dnsdumpster.com
-intodns.com
-www.zonecut.net/dns
-xip.io
-nip.io
-ptrarchive.com
-www.whatsmydns.net
-ceipam.eu/en/dnslookup.php
-spyse.com/tools/dns-lookup
-www.buddyns.com/delegation-lab
```

{% embed url="<https://twitter.com/payloadartist/status/1341053155535011840?s=20>" %}

{% embed url="<https://twitter.com/edu4rdshl/status/1396188826083774469?s=20>" %}

* Recon Roadmap - <https://ahmdhalabi.medium.com/ultimate-reconnaissance-roadmap-for-bug-bounty-hunters-pentesters-507c9a5374d>
* <https://twitter.com/m4ll0k2/status/1275493397806100480/photo/1>
* <https://medium.com/@prateek_0490/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd>
* <https://github.com/Bo0oM/services-names-wordlist/blob/master/list.txt>
* <https://www.slideshare.net/slideshow/hacking-webapps-for-fun-and-profit-how-to-approach-a-target/82377302>
