Recon Workflow

Recon workflow

  1. IP space discovery

  2. TLDs, Acquisitions, & Relations

  3. Subdomain Enum

  4. Fingerpirnting

  5. Dorking

  6. Content Discovery

  7. Parameter Discovery

ASN Discovery

ASN Discovery of Target:

https://bgp.he.net

ASN using whois:

whois -h whois.cymru.com $(dig +short example.com)

NOTE: Be careful cause sometimes you might get ASN for VPSs like digital ocean etc. Don't work on them.

Using Nmap & ASN for discoverying IP related to the targetted ASN

nmap --script targets-asn --script-args targets-asn.asn=<ASN Number>

Gathering Company intel using AMASS

amass intel -org <Organisation name(not domain)>

ARIN for ASN:

https://whois.arin.net

Site: IPINFO for ASN

https://ipinfo.io

Subdomains using ASNs using AMASS:

amass intel -asn <ASN_number>

Discovering Brands

-Looking for acquisition or related orgs to target

  • wikipedia

  • Crunchbase

Crunchbase: Discover innovative companies and the people behind them

  • Owler

  • Accquiredby

AcquiredBy | Definitive list of bootstrapped acquisitions

  • LinkedIn

  • ReverseWhois using amass intel module

    amass intel -d [domain.com](http://domain.com) -whois

  • BuiltWith

BuiltWith

  • Google dork:

intext:"copyright ©️ org_name"

  • Shodan Dork using HTTP favicon hashes

http.favicon.hash:<hash>

Favicon hash can be found using favfreak

Author

Mr._fr3qu3n533

Last updated