Recon Workflow

Recon workflow

  1. IP space discovery

  2. TLDs, Acquisitions, & Relations

  3. Subdomain Enum

  5. Fingerprinting

  5. Dorking

  6. Content Discovery

  7. Parameter Discovery

ASN Discovery

ASN Discovery of Target:

ASN using whois:

whois -h $(dig +short

NOTE: Be careful, because sometimes the ASN you get belongs to a hosting/VPS provider (DigitalOcean etc.) rather than to the target. Don't work on those.

Using Nmap and an ASN to discover IPs belonging to the targeted ASN

nmap --script targets-asn --script-args targets-asn.asn=<ASN Number>

Gathering Company intel using AMASS

amass intel -org <Organisation name (not domain)>


Site: IPINFO for ASN

Subdomains from ASNs using AMASS:

amass intel -asn <ASN_number>

Discovering Brands

- Looking for acquisitions or related orgs to target

  • wikipedia

  • Crunchbase


  • Owler

  • AcquiredBy


  • LinkedIn

  • Reverse WHOIS using the amass intel module

    amass intel -d <domain> -whois

  • BuiltWith


  • Google dork:

intext:"copyright © org_name"

  • Shodan dork using HTTP favicon hashes

Favicon hashes can be computed with favfreak.


