# Recon

**Blog / Articles / Presentations / Videos:**

* Recon and Discovery - <https://www.youtube.com/watch?v=La3iWKRX-tE>

* <https://blog.usejournal.com/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd>

* Doing Recon Like a Boss - <https://www.youtube.com/watch?v=1Kg0_53ZEq8>

* <https://blog.zsec.uk/ltr101-method-to-madness/>

* Presentation - <https://github.com/bugcrowd/bugcrowd_university/blob/master/Recon%20and%20Discovery/Bugcrowd%20University%20-%20Recon%20%26%20Discovery.pdf>

* Recon Everything - <https://medium.com/@maverickNerd/recon-everything-48aafbb8987>

* Recon Notes - <https://mavericknerd.github.io/knowledgebase/>

* <https://blog.detectify.com/2020/01/07/guest-blog-streaak-my-recon-techniques-from-2019/>

* <https://medium.com/@europa_/recoinnassance-7840824b9ef2>

* <https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21>

* <https://medium.com/bugbountywriteup/whats-tools-i-use-for-my-recon-during-bugbounty-ec25f7f12e6d>

* <https://bugbountytuts.files.wordpress.com/2018/02/dirty-recon.pdf>

* <https://blog.usejournal.com/web-application-security-bug-bounty-methodology-reconnaissance-vulnerabilities-reporting-635073cddcf2>

* <http://imsoley.tk/mofb/>

* <https://blog.detectify.com/2019/01/29/hacking-isnt-an-exact-science/>

* Ben Presentation - <https://docs.google.com/presentation/d/1xgvEScGZ_ukNY0rmfKz1JN0sn-CgZY_rTp2B_SZvijk/edit#slide=id.g3fc0937313_1_68>

* 100 Ways to Discover - <https://sylarsec.com/2019/01/11/100-ways-to-discover-part-1/>

* Asset Enumeration - <https://captmeelo.com/bugbounty/2019/09/02/asset-enumeration.html>

* Hacking Process - Recon - <https://www.youtube.com/watch?v=1bivJl0B_bs&feature=youtu.be>

* <https://medium.com/@shahjerry33/recon-my-way-or-high-way-58a18dab5c95>

* <https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/>

* <https://medium.com/@smhtahsin33/recon-one-step-advanced-with-otx-8827119566fd>

* <https://eslam3kl.medium.com/simple-recon-methodology-920f5c5936d4>

* <https://systemweakness.com/ultimate-manual-bug-bounty-recon-guide-f30c900367c8>

* Google Dorks - <https://ahrefs.com/blog/google-advanced-search-operators/>
  * <https://github.com/HanPac/google-dorks-2018-2019/blob/master/dorks>
  * <https://twitter.com/s0md3v/status/1151759042785632256>
  * Pagodo - <https://twitter.com/search?q=pagodo%20recon&src=typed_query>
  * <https://twitter.com/intigriti/status/1116447376544280578>
  * <https://twitter.com/intigriti/status/1108365683069456385>
  * Tools - <https://github.com/ZephrFish/GoogD0rker/>
  * <https://github.com/1N3/Goohak>
  * <https://twitter.com/Th3G3nt3lman/status/1104111564632797186>
  * <https://blog.deesee.xyz/automation/osint/2020/01/07/semi-automation-dorking.html> - Google Dorks
  * [https://blog.ujwalkr.com/Google-Dorks-Recon/](https://ulogx.com/Google-Dorks-Recon/) - Google Dorks
  * <https://github.com/BullsEye0/google_dork_list/blob/master/google_Dorks.txt>
  * <https://gist.github.com/stevenswafford/393c6ec7b5375d5e8cdc>
  * DORK: inurl:wp-config-backup.txt
  * <https://exploitway.com/github-dorks-for-penetration-testing/>
  * <https://gist.github.com/zbetcheckin/04e6a5d7f2d5ef8cfa3c298701f47f9c>
  * <https://www.boxpiper.com/posts/google-dork-list>
  * <https://pastebin.com/zYPZNbMK>
  * Google Dork - <https://github.com/SKVNDR/FastDork>

**Tools:**

* AutoRecon - <https://github.com/JoshuaMart/AutoRecon>
* <https://bugbountyforum.com/tools/recon/>
* <https://github.com/eldraco/domain_analyzer>
* <http://www.spiderfoot.net/info/>
* <https://dnsdumpster.com/>
* <https://github.com/codingo/Reconnoitre>
* NerdyData
* BuiltWith
* hunter.io
* <https://github.com/michenriksen/aquatone>
* Censys
* Robtex
* Shodan
* Whoxy
* <https://github.com/DataSploit/datasploit>
* <https://github.com/reconned/domained> - bundles multiple tools
* <https://github.com/evilsocket/xray>
* <https://github.com/003random/003Recon>
* <https://dnstrails.com/>
* <https://github.com/shibli2700/Rekon>
* Automation for Open Threat Exchange - <https://github.com/remonsec/Pri0tx>
* Simple tool for get domain relationship.. [https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getrelationship.py…](https://t.co/MuLnPJH5SQ?amp=1) -[@Jhaddix](https://twitter.com/Jhaddix)[@TomNomNom](https://twitter.com/TomNomNom)[@stokfredrik](https://twitter.com/stokfredrik)[@NahamSec](https://twitter.com/NahamSec)[@Yassineaboukir](https://twitter.com/Yassineaboukir) [#bugbountytips](https://twitter.com/hashtag/bugbountytips?src=hashtag_click) [#BugBounty](https://twitter.com/hashtag/BugBounty?src=hashtag_click)
* <https://github.com/hackerspider1/EchoPwn>
* <https://github.com/eslam3kl/3klCon>
* <https://github.com/cspshivam/easyrecon>
* [deksterecon](https://github.com/0xdekster/deksterecon)
* <https://github.com/remonsec/SEF>
* <https://github.com/chvancooten/BugBountyScanner>
* <https://github.com/Anon-Artist/R3C0Nizer>
* <https://github.com/dirsoooo/Recon>
* <https://github.com/gokulapap/Reconator>
* <https://github.com/Huntinex/rauton>

**Recon Cheatsheet:**

* <https://pentester.land/cheatsheets/2019/04/15/recon-resources.html>
* <https://github.com/0xhelloworld/public/blob/master/recon%20cheatsheet>
* Awesome Asset Discovery - <https://github.com/redhuntlabs/Awesome-Asset-Discovery>
* Asset Discovery - <https://0xpatrik.com/asset-discovery/?source=post_page--------------------------->

**Twitter Threads:**

* Getting info about Domains than subdomains - <https://twitter.com/gwendallecoguic/status/1187000587612762112>
* If the scope is `http://example.com` only - <https://twitter.com/imhaxormad/status/1118289299152072706>
* <https://twitter.com/hackermaderas/status/1181970321588572160>
* <https://twitter.com/nullenc0de/status/1166539906832879616>
* ASN - <https://twitter.com/C1h2e11/status/1163806579474329600>
* ASN - one-liner to retrieve ASN numbers of a company, #bugbountytips (<https://twitter.com/gwendallecoguic/status/1199372098839437317>, <https://pastebin.com/G44mnY2x>): `(ls /tmp/GeoLite2-ASN-CSV.zip||wget --quiet -P /tmp "https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip…") 2>&1|grep X; unzip -c /tmp/GeoLite2-ASN-CSV.zip|grep -i airbnb|cut -d ',' -f 2|sort -fu`
* <https://twitter.com/hakluke/status/1199266508280434689> - ASN - `whois -h whois.cymru.com $(dig +short tesla.com)`
* ASN - <https://twitter.com/akita_zen/status/1169792876554969089>
* ASN - <https://twitter.com/_harleo/status/1198210924395597824>
* ASN - <https://twitter.com/hakluke/status/1225264234675597312>
* Quickly get the ASN of an IP address, along with the associated company name and location: `curl http://ipinfo.io/<ip>`. This is a great way to confirm ownership of an IP/domain. It also is a great way to identify services that might be in use (AWS/Azure/Cloudfront/Akamai, etc.)
* CRT.sh - <https://twitter.com/Dondata4/status/1226535287930654720>
* Asset Discovery - <https://twitter.com/nullenc0de/status/1226982642295459846> // <https://github.com/cihanmehmet/sub.sh/blob/master/sub.sh>
* Masscan - Take a list of subdomains, resolve them to an IP, remove duplicates and scan each with masscan.

  `masscan --rate 10000 -p1-65535 $(<subdomains.txt xargs -I % getent hosts % | awk {'print $1'} | sort -u | tr '\n' ',' | sed 's/,$//')`
* saw this a while ago it might help someone. `curl -fsSL "https://crt.sh/?CN=%25.%25.att.com&exclude=expired …" | pup 'td :contains(".att.com") text{}' | sort -n | uniq -c | sort -rn | column -t > /root/Desktop/att-recon/ok.txt`

![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-M8nC19onsU0TnQfIc53%2F-M8nnO6VR3R8CWQBL_V7%2FScreenshot%202020-06-02%20at%2012.22.27%20PM.png?alt=media\&token=4535bb1d-d507-45ea-8283-7186e0b947c7)

{% embed url="<https://twitter.com/streaak/status/1090649652318203904>" %}

{% embed url="<https://twitter.com/nnwakelam/status/1090869257779310592>" %}

{% embed url="<https://twitter.com/anspattnaik/status/1183269184052088832>" %}

{% embed url="<https://twitter.com/hackermaderas/status/1126502858239557633>" %}

{% embed url="<https://twitter.com/hakluke/status/1225264234675597312>" %}

{% embed url="<https://twitter.com/Vulkey_Chen/status/1178323315892449281>" %}

`ASN, CIDR => amass intel => enumeration script 'amass with api keys, findomain with api keys, and subfinder' => massDNS => httprobe => sort live and dead hosts => run a subtakeover script => hakcrawler`

Post Recon - <https://twitter.com/jobertabma/status/998769037445230592>

![https://twitter.com/aish\_kendle/status/1259909336274518016](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-M7Gy_I03CRr2a9O0Ovl%2F-M7GycA1jUOPQWPc4TcJ%2FScreenshot%202020-05-14%20at%2012.28.31%20PM.png?alt=media\&token=81150664-706f-4f8d-a0ca-a9059b044402)

* Asset Discovery tool - <https://twitter.com/NahamSec/status/1260639679696629760>
* <https://github.com/bonino97/LemonBooster-v2>
* <https://github.com/carlospolop/hacktricks/blob/master/external-recon-methodology.md>
* <https://github.com/Quikko/Recon-Methodology>
```
DNS tools:

-viewdns.info
-dnslytics.com
-dnsspy.io
-leafdns.com
-dnsdumpster.com
-intodns.com
-www.zonecut.net/dns
-xip.io
-nip.io
-ptrarchive.com
-www.whatsmydns.net
-ceipam.eu/en/dnslookup.php
-spyse.com/tools/dns-lookup
-www.buddyns.com/delegation-lab
```

{% embed url="<https://twitter.com/payloadartist/status/1341053155535011840?s=20>" %}

{% embed url="<https://twitter.com/edu4rdshl/status/1396188826083774469?s=20>" %}

* Recon Roadmap - <https://ahmdhalabi.medium.com/ultimate-reconnaissance-roadmap-for-bug-bounty-hunters-pentesters-507c9a5374d>
* <https://medium.com/@prateek_0490/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd>
* <https://github.com/Bo0oM/services-names-wordlist/blob/master/list.txt>
* <https://www.slideshare.net/slideshow/hacking-webapps-for-fun-and-profit-how-to-approach-a-target/82377302>


