Recon is the first and arguably one of the most important phases of hacking, so without wasting much time, let's get right into it.

Subdomain Enumeration

There are many tools to find subdomains, but I recommend using ProjectDiscovery's subfinder and OWASP's amass.

  1. Subfinder: remember to set up all the API keys to find more subdomains.

    subfinder -d target.com -o output.txt

  2. Amass: remember to set up the API keys to find more subdomains.

    amass enum -d example.com

HTTPX

httpx is one of my favourite tools created by ProjectDiscovery. You can use it to validate URLs and return the status code, the page title and even the tech stack in use.

It is an alternative to screenshotting and opening multiple tabs, especially when the target has a huge number of subdomains.

    cat output.txt | httpx -status-code -title -tech-detect | tee aliveres.txt
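Once aliveres.txt has a few hundred lines, reading it by eye stops scaling. Below is an added example (not part of the original post and not ProjectDiscovery code) that parses httpx's plain-text output into records, summarises status codes and technologies, and flags hosts worth a first look: plain-HTTP services, 5xx responses, and hostnames such as dev/staging/old that suggest a non-production deployment. The line layout `url [status] [title] [tech,tech]` is assumed from the flags used above, and the sample lines are constructed, not real scan output.

```python
import re
from collections import Counter

# Constructed sample in the shape httpx prints with -status-code -title -tech-detect.
# The exact layout is an assumption based on those flags; this is not real scan output.
SAMPLE_ALIVE = """\
https://www.target.com [200] [Target - Home] [Nginx,React]
https://api.target.com [401] [] [Kong]
https://dev.target.com [200] [Django: the Web framework] [Django,Python]
https://old.target.com [403] [Forbidden] [Apache HTTP Server:2.4.29]
http://staging.target.com [500] [Server Error] [PHP:5.6.40,Apache HTTP Server]
"""

LINE_RE = re.compile(
    r"^(?P<url>\S+)\s+"          # URL as printed by httpx
    r"\[(?P<status>\d{3})\]\s+"  # HTTP status code
    r"\[(?P<title>[^\]]*)\]\s+"  # page title, possibly empty
    r"\[(?P<tech>[^\]]*)\]\s*$"  # comma-separated technology list
)

# Hostname prefixes that usually mean "not production" (assumed list).
NON_PROD_PREFIXES = ("dev", "staging", "test", "old")


def parse_httpx_line(line):
    """Return a dict for one httpx output line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tech = [t for t in m.group("tech").split(",") if t]
    return {
        "url": m.group("url"),
        "status": int(m.group("status")),
        "title": m.group("title"),
        "tech": tech,
    }


def parse_httpx_output(text):
    """Parse a whole aliveres.txt, silently skipping lines that are not httpx records."""
    return [rec for rec in (parse_httpx_line(l) for l in text.splitlines()) if rec]


def summarize(hosts):
    """Count hosts per status code and per technology (version suffix after ':' dropped)."""
    by_status = Counter(h["status"] for h in hosts)
    tech_count = Counter(t.split(":")[0] for h in hosts for t in h["tech"])
    return {"by_status": dict(by_status), "tech": dict(tech_count)}


def flag_review(hosts):
    """Pick hosts that deserve attention first, with the reasons for each."""
    flagged = []
    for h in hosts:
        reasons = []
        if h["url"].startswith("http://"):
            reasons.append("plaintext http")
        if h["status"] >= 500:
            reasons.append("server error")
        hostname = h["url"].split("//", 1)[1].split("/")[0]
        if any(hostname.startswith(p + ".") for p in NON_PROD_PREFIXES):
            reasons.append("non-production hostname")
        if reasons:
            flagged.append((h["url"], reasons))
    return flagged


if __name__ == "__main__":
    hosts = parse_httpx_output(SAMPLE_ALIVE)
    print(summarize(hosts))
    for url, reasons in flag_review(hosts):
        print(url, "->", ", ".join(reasons))
```

Replace SAMPLE_ALIVE with the contents of aliveres.txt to run it on a real scan; the version suffix split on ':' is what lets "Apache HTTP Server:2.4.29" and "Apache HTTP Server" count as the same product.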

Automated Vulnerability Scanners

After you're done with subdomain enumeration, it is better to run a vulnerability scanner before you start looking for bugs manually. Be aware that you might get a lot of duplicates, or not find any vulnerabilities at all.

There are two amazing tools for this:

  1. Nuclei: Nuclei by ProjectDiscovery is a super fast vulnerability scanner with a huge number of templates. You can also create your own templates very easily, as they are written in YAML.

  2. Smap: smap by Somdev Sangwan is a drop-in replacement for Nmap that uses Shodan's API. Apart from vulnerability detection, it also scans for open ports.

Discovering Endpoints

After scanning for vulnerabilities, you might want to start looking for juicy endpoints.

There are many tools which can be used for this, but I recommend hakrawler by hakluke and waybackurls by tomnomnom. After that, you might want to use a fuzzer like feroxbuster or ffuf to discover more endpoints, and if you encounter some weird or juicy endpoints, use Arjun (another amazing tool by Somdev Sangwan) to find the hidden parameters they accept.

Take it forward... Craft your own methodology

Now take it forward and be creative: you might want to read JavaScript files to find vulnerabilities, links or API keys, or use dorks to find a misconfigured Django instance, etc. Be creative and do something not a lot of people are doing to stand out from the rest of the crowd.

And finally, start hunting. The point of recon is to find juicy endpoints and information so that you end up with a nice list of attack surfaces. Put in the effort to test for vulnerabilities manually and think of all the ways you could exploit the web application. Maybe an input field is validated with a regex copy-pasted from StackOverflow, and you can think of ways to craft payloads that still match the regex and therefore trigger an XSS. The more you understand how a web application is built, the more ways you can think of to exploit it.
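The copy-pasted regex point above is worth seeing in code. The following is an added example, not from the original post, showing the classic defect: a pattern used with `search()` and no anchors only asks whether the string contains a run of allowed characters, so markup slips through, while `fullmatch()` with a length bound forces the whole value to conform. It also shows why validation alone is the wrong place to stop: the value is escaped for the HTML context it lands in regardless of what the check said. The sample inputs are constructed.

```python
import html
import re

# The "validate a username" pattern as it is often copy-pasted: correct character
# class, but no anchors. Used with search() it accepts any string that merely
# CONTAINS a run of allowed characters.
UNANCHORED = re.compile(r"[A-Za-z0-9_]+")

# Hardened version: same class, explicit length bound, and checked with fullmatch()
# so the entire value must consist of allowed characters.
ANCHORED = re.compile(r"[A-Za-z0-9_]{1,32}")


def weak_validate(value):
    """Copy-pasted check: passes anything that contains at least one allowed char."""
    return UNANCHORED.search(value) is not None


def strict_validate(value):
    """Anchored check: passes only values made entirely of allowed chars, 1..32 long."""
    return ANCHORED.fullmatch(value) is not None


def render_greeting(name):
    """Output encoding for the HTML text context; applied whether or not validation ran."""
    return "<p>Hello, {}!</p>".format(html.escape(name, quote=True))


def check_inputs(values):
    """Map each input to (weak_result, strict_result) so the two checks can be compared."""
    return {v: (weak_validate(v), strict_validate(v)) for v in values}


# Constructed inputs: two normal names, an empty string, a name carrying markup,
# and an over-long value.
SAMPLES = ["alice", "bob_99", "", "al<i>ce", "x" * 40]

if __name__ == "__main__":
    for value, (weak, strict) in check_inputs(SAMPLES).items():
        print(repr(value), "weak:", weak, "strict:", strict)
    print(render_greeting("al<i>ce"))
```

When reviewing (or writing) such a check, look for three things together: anchoring or `fullmatch`, an upper length bound, and context-appropriate encoding at the point of output. A regex that gets the first two right still does not make encoding optional.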

HAPPY HUNTING!!