Recon & Information Gathering Methodology
Cyber Attacks
This is a Recon & Information Gathering Methodology In Bug Hunting Process
Mostafa Tamam
Oct. 11, 2021, 7:42 p.m.



Look at the Program

  1. First, read the scope policy for this program.
  2. Check the site's tools, versions and libraries, and what the website does; you should understand the services the website provides.
  3. Identify the CMS the program uses (version and tools). Note that a CMS does much more than manage the text and image content displayed on web pages.

Check the CMS by:

  4. Finally, learn any technology you are missing: for example, you cannot perform SQL injection without knowing what an SQL query is, so learn every service the website exposes.


Recon & Info Gathering

1. Perform subdomain enumeration on your target; the commands below are run against my own target.



This tool enumerates subdomains of websites via OSINT, using many search engines such as Google, Yahoo, Bing, Baidu and Ask.

$ python3 -d -o /root/Desktop/subdomain


Subfinder is also a subdomain discovery tool; it discovers valid subdomains for websites using passive online sources. It has a simple modular architecture and is optimized for speed.

$ subfinder -d -all -silent


DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux command-line program written purely in C that gathers as much information as possible about a host.

$ dmitry -wnse -o /root/Desktop/dmitry 


You can also check the VirusTotal website for more information about your target, including additional subdomain details.
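An added example (not from the original post) tying this step back to the scope-policy check above: it merges the one-hostname-per-line output of subfinder, theHarvester and DMitry, normalizes and deduplicates it, and keeps only hosts the program scope allows. The hostnames and scope rules are constructed sample data.

```python
import re

# Constructed sample output, as if captured one hostname per line from three tools.
SUBFINDER_OUT = "api.example.com\nDev.Example.com\nmail.example.com\n"
HARVESTER_OUT = "dev.example.com\nwww.example.com\nlegacy.example.org\n"
DMITRY_OUT = "api.example.com\nblog.example.com.\nstaging.internal.example.com\n"

# Constructed scope rules, written the way a program policy lists them.
IN_SCOPE = ["*.example.com", "example.com"]
OUT_OF_SCOPE = ["*.internal.example.com"]

# One or more dot-separated DNS labels: letters, digits and inner hyphens only.
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def normalize(line):
    """Lower-case, strip whitespace and a trailing dot; return None for non-hostnames."""
    host = line.strip().lower().rstrip(".")
    return host if host and HOST_RE.match(host) else None

def matches(host, rule):
    """'*.d' covers every subdomain of d (but not d itself); any other rule is exact."""
    if rule.startswith("*."):
        return host.endswith(rule[1:]) and host != rule[2:]
    return host == rule

def in_scope(host):
    """Out-of-scope rules win over in-scope rules, as program policies usually state."""
    if any(matches(host, r) for r in OUT_OF_SCOPE):
        return False
    return any(matches(host, r) for r in IN_SCOPE)

def merge(*outputs):
    """Union of all tool outputs: normalized, deduplicated, scope-filtered, sorted."""
    hosts = set()
    for out in outputs:
        for line in out.splitlines():
            host = normalize(line)
            if host:
                hosts.add(host)
    return sorted(h for h in hosts if in_scope(h))

if __name__ == "__main__":
    for host in merge(SUBFINDER_OUT, HARVESTER_OUT, DMITRY_OUT):
        print(host)
```

In practice, replace the three constants with the files written by the commands above (e.g. `open("/root/Desktop/subdomain").read()`) and the scope lists with the program's actual policy.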


2. Check the IPs used by your target with:



nslookup is a DNS client that queries the DNS records for a given domain name; it lets you view the DNS records for a website.

$ nslookup 


3. Check the SSL/TLS certificate with:



sslscan is a great tool for enumerating server signature algorithms and scanning for the SSLv2 and SSLv3 protocols.

$ sslscan > /root/Desktop/sslscan.txt


4. Check open/closed/filtered ports, DNS records and the OS version with:



If you don't know about Nmap, close this methodology and go to bed.

$ nmap -sC -sV -p- -A -oN /root/Desktop/nmap


Masscan is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second from a single machine.

$ masscan --ports 0-10000 


RustScan is a modern take on the port scanner: sleek and fast, while providing extensive extensibility.

$ rustscan -T 1500 -b 500 -A -sC 


Nikto is a web server scanner that gathers information that may be useful to you.

$ nikto -h 


5. Brute-force directories to find more possible API endpoints. Remember the rule: more paths = more files and parameters -> more vulnerabilities.



Gobuster is a tool used to brute-force URIs (directories and files) on websites, DNS subdomains (with wildcard support) and virtual host names on target web servers.

$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o /root/Desktop/endpoint -x php,txt,js


This tool is great; I usually use it to search for paths and links.

$ cat EndJS.txt | xargs -n2 -I @ bash -c "echo -e '\n[URL]: @\n'; python3 -i @ -o cli" >> Endpoint.txt


TheHarvester is a tool for gathering e-mail accounts and subdomain names from public sources.

$ theharvester -d -l 500 -b google 


Dirb does the same thing as Gobuster:

$ dirb -X php,js,txt 


This is a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells and many more.


6. Take screenshots of server IPs, DNS records and error messages with:



HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites. The goal is for it to be both thorough and fast, two goals that can sometimes conflict.

$ ./ -i <gnmapFile> -p -w 40 -a -vH


7. Use recon-ng to enumerate and gather more information about the target:



Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line drops you into a shell-like environment where you can configure options, perform recon and output results to different report types.


8. Find and collect as many JavaScript files as possible:



I recommend this tool: you can crawl useful endpoints, and you can also do BLH discovery.

$ python3 -u -d -j -ou /root/Desktop/Endpoint


This tool is great; I usually use it to find as many JavaScript files as possible. Many companies host their files on third parties, which matters a lot for a bug hunter because you can then enumerate a lot of JS files!

$ gau | grep -iE '\.js' | grep -ivE '\.json' | sort -u >> GitLabJS.txt


9. Check Google dorks and GitHub resources:



This tool uses Google dorks for advanced searching in Google and other Google applications to find security holes in the configuration and code used by websites.

$  python3 


Google Dork Hacking Databases: check the link below.


10. Happy hacking!

URLs For Tools

