Recon Workflow
- 1. IP space discovery
- 2. TLDs, Acquisitions, & Relations
- 3. Subdomain Enum
- 4. Fingerprinting
- 5. Dorking
- 6. Content Discovery
- 7. Parameter Discovery
ASN Discovery of Target:
ASN using whois:
whois -h whois.cymru.com $(dig +short example.com)
NOTE: Be careful, because sometimes the ASN you get back belongs to a VPS/cloud provider (DigitalOcean etc.) rather than to the target itself. Don't work on those.
Using Nmap with the ASN to discover IPs belonging to the targeted ASN
nmap --script targets-asn --script-args targets-asn.asn=<ASN Number>
Gathering company intel using amass
amass intel -org <Organisation name (not domain)>
ARIN for ASN:
Site: IPINFO for ASN
Subdomains from ASNs using amass:
amass intel -asn <ASN_number>
- Looking for acquisitions or related orgs to target:
- wikipedia
- Crunchbase
- Owler
- Acquiredby
- LinkedIn
- Reverse whois using the amass intel module
amass intel -d domain.com -whois
- BuiltWith
- Google dork:
intext:"copyright ©️ org_name"
- Shodan Dork using HTTP favicon hashes
http.favicon.hash:<hash>