If you want to find real bugs, you have to start with real recon.

Let's be honest: recon is the phase most beginners skip, and the phase most experienced hunters obsess over. Why? Because every vulnerability you find starts with a piece of information you uncovered before anyone else.

Over the past few years, I've built a recon routine that has helped me discover assets no scanner ever picked up. In this guide, I'm sharing that entire workflow, the same one I personally use when hunting on platforms like HackerOne and Bugcrowd.

Grab a coffee. This one's worth reading slowly. ☕
**1. Subdomain Enumeration: The Treasure Hunt Begins**

Before you attack anything, you need to know what exists. Companies often forget old infrastructure, old dev servers, or staging areas, and those forgotten doors lead to some of the best bugs you'll ever find.

**Subfinder: My Always-First Tool**

Fast, clean, and reliable.

```bash
subfinder -d example.com -all -o sub.txt
```

When I just want raw output without banners:

```bash
subfinder -d example.com -all -silent -o example.txt
```

And sometimes I pipe it directly into Naabu:

```bash
echo hackerone.com | subfinder -silent -all | naabu -silent -o ports.txt
```

You'd be surprised how many hunters skip this combo.
**Amass: The Deep Diver**

Subfinder gives you speed, but Amass gives you depth.

Passive enum:

```bash
amass enum -d example.com -o subs.txt
```

When I want to uncover every possible forgotten asset, I go brute force:

```bash
amass brute -d example.com -w wordlist.txt
```

And save everything:

```bash
amass brute -d example.com -w wordlist.txt -o brute_output.txt
```

Tip: treat Amass like a slow cooker. Let it run in the background while you work on something else.

**OSINT Mode (My Favorite Part)**

```bash
amass intel -src -d example.com
```

Want WHOIS-related subdomains?

```bash
amass intel -d example.com -whois
```

Looking up a specific company?

```bash
amass intel -org "Example Ltd"
```

Some of my best findings came from org-based searches. Companies rarely clean their DNS history.
**Amass Track: The "What's New?" Button**

This one deserves more hype.

```bash
amass track -dir amass_data -d example.com -last 2
```

Ever wondered what subdomains showed up recently? This command literally tells you: "Here's what didn't exist last week… but exists now."

Perfect for catching staging domains and newly deployed infrastructure.
**2. Sublist3r: Old but Gold**

Simple, quick, and still useful today.

```bash
sublist3r -d example.com
```

Bruteforce mode:

```bash
sublist3r -d example.com --bruteforce
```

I mostly use it as a second opinion. Different tools → different sources → different results.
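The "second opinion" and "what's new" ideas above, as an added shell example that is not from the original post: it merges the output of several enumeration tools into one normalized host list and diffs it against the previous run's list, which is the kind of report `amass track` gives you. The tool output files, the previous-run file and every hostname are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): merge raw subdomain output from
# several tools, normalize it, and report which hosts are new since the last run.
LC_ALL=C; export LC_ALL   # consistent sort order for sort -u and comm

# Normalize raw tool output: lowercase, strip scheme, path/port, trailing dot
# and leading "*." wildcard, drop blank lines, one unique host per line.
normalize_subs() {
  tr 'A-Z' 'a-z' \
    | sed -e 's#^https\{0,1\}://##' -e 's#[/:].*$##' -e 's/\.$//' -e 's/^\*\.//' \
    | grep -v '^$' \
    | sort -u
}

# Print hosts present in the current list ($2) but absent from the previous one ($1).
# Both files must already be sorted (normalize_subs does that).
new_subs() {
  comm -13 "$1" "$2"
}

# Constructed sample data standing in for subfinder / amass / sublist3r output
# and for the merged list saved after last week's run.
work=$(mktemp -d)
printf 'api.example.com\nDEV.example.com\nwww.example.com.\n' > "$work/subfinder.txt"
printf '*.example.com\nstaging.example.com\nhttps://api.example.com/\n' > "$work/amass.txt"
printf 'dev.example.com\nmail.example.com:25\n' > "$work/sublist3r.txt"
printf 'api.example.com\nmail.example.com\nwww.example.com\n' > "$work/last_week.txt"

cat "$work/subfinder.txt" "$work/amass.txt" "$work/sublist3r.txt" \
  | normalize_subs > "$work/merged.txt"
new_subs "$work/last_week.txt" "$work/merged.txt" > "$work/new.txt"

echo "merged hosts:";        cat "$work/merged.txt"
echo "new since last run:";  cat "$work/new.txt"
```

Keep each run's merged list dated; the diff of two of them is the "what appeared this week" view that is worth checking first.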
**3. Aquatone: Subdomain Screenshotting**

Aquatone is like walking into every room of a house and taking a quick photo. Super useful.

```bash
aquatone -scan -d example.com
```

Even better:

```bash
assetfinder example.com | aquatone
```

Aquatone has helped me spot admin panels I would've never noticed from terminal output.
**4. DNSrecon: Old-School DNS Magic**

Brute forcing:

```bash
dnsrecon -d example.com -t brt
```

Zone transfer attempt:

```bash
# the enumeration type for a zone transfer is axfr (dnsrecon has no "zt" type)
dnsrecon -d example.com -t axfr
```

If zone transfer works (rare), it's basically Christmas morning. 🎄
**5. DNSEnum: DNS Discovery, but Simpler**

```bash
dnsenum example.com
```

I use dnsenum when I want quick DNS insights without the noise.
**6. HTTPX: The "Alive or Dead?" Checker**

Once you have a mountain of subdomains, you need to find out which ones actually respond.

```bash
httpx -threads 100 -l subdomains.txt -o alive.txt
```

More detailed checking:

```bash
httpx -threads 100 -l subdomains.txt -o httpx_output.txt \
  -t 200 -m GET -follow-redirects -no-color
```

HTTPX single-handedly cuts down my recon clutter by 80%.
**7. ReconFTW: Automation Heaven**

When I'm lazy or time-limited:

```bash
# reconftw is a script; -d sets the domain and -r runs the recon mode
./reconftw.sh -d example.com -r
```

It's like hiring a junior hacker to do all the boring parts for you.
**8. Fingerprinting: Understanding the Tech Stack**

**Nmap: Still the King**

Service + OS detection:

```bash
sudo nmap -sV -O example.com
```

Scan from file:

```bash
nmap -sV -iL subdomains.txt
```

Default scripts plus version detection:

```bash
nmap -sC -sV example.com
```

Vulnerability scan:

```bash
nmap --script vuln example.com
```

Even today, Nmap finds stuff modern scanners miss.
**9. Rustscan: Nmap's Accelerator**

Rustscan is insanely fast.

```bash
rustscan -a example.com -t 50 -- -oA rustscan_output
```

If ulimit complains:

```bash
rustscan -a example.com -t 50 --ulimit 5000 -- -oA rustscan_output
```

Then feed results into Nmap:

```bash
nmap -iL rustscan_output -p- -A --script vuln -oA nmap_output
```

This combo is my weekly go-to.
**10. Masscan: Internet-Scale Speed**

Masscan is the tool for wide port scanning. One caveat: it takes IP addresses and CIDR ranges, not hostnames, so resolve your subdomain list to addresses before feeding it in.

```bash
# ips.txt holds addresses/ranges (masscan does not resolve hostnames)
masscan -p1-65535 -iL ips.txt -oG masscan_results.txt
```

Want deep service detection?

Masscan → Nmap:

```bash
# masscan prints "Discovered open port 443/tcp on 192.0.2.10":
# field 4 is the port and field 6 is the address, so take $4 (not $6)
# and strip the "/tcp" suffix before handing the port to nmap
masscan -p1-65535 "$TARGET_IP" | awk '{print $4}' | cut -d/ -f1 | sort -u \
  | xargs -I{} nmap -p{} "$TARGET_IP"
```

Fast + accurate = win.
**Recon Is Your Real Superpower**

Recon is more than just a step in your workflow; it's your biggest advantage. Anyone can fire up a scanner, but only dedicated hunters and security researchers take the time to understand an organization's entire digital footprint.

When you go deep, you start uncovering the hidden corners: the ones that are old, forgotten, outdated, misplaced, or never meant to be exposed.

And trust me… that's where the gold is buried.
**Support My Work**

If this helped you save money, time, or confusion:

Buy Me a Coffee ❤️

- written by Purushotham (Security Researcher)