Recon Workflow

  1. IP space discovery
  2. TLDs, Acquisitions, & Relations
  3. Subdomain Enum
  4.
  5.
  6. Content Discovery
  7. Parameter Discovery

ASN Discovery

ASN Discovery of Target:
ASN using whois:
whois -h $(dig +short
NOTE: Be careful, because sometimes you might get the ASN of a VPS provider such as DigitalOcean. Don't work on those.
Using Nmap and the ASN to discover IPs related to the targeted ASN:
nmap --script targets-asn --script-args targets-asn.asn=<ASN Number>
Gathering Company intel using AMASS
amass intel -org <Organisation name(not domain)>
Site: IPINFO for ASN
Subdomains from ASNs using AMASS:
amass intel -asn <ASN_number>

Discovering Brands

- Looking for acquisitions or orgs related to the target:
  • Wikipedia
  • Crunchbase
  • Owler
  • AcquiredBy
  • LinkedIn
  • ReverseWhois using amass intel module
    amass intel -d <domain> -whois
  • BuiltWith
  • Google dork:
intext:"copyright ©️ org_name"
  • Shodan Dork using HTTP favicon hashes
The favicon hash can be found using favfreak.
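
How the number behind the Shodan favicon filter is derived, useful when inventorying your own organisation's in-scope hosts. This is an added example, not part of the original notes or of favfreak's code: the icon bytes are base64-encoded with line wrapping and hashed with MurmurHash3 (32-bit, signed). The function names and the sample bytes are constructed for illustration.

```python
import base64

MASK = 0xFFFFFFFF


def _rotl(x: int, r: int) -> int:
    """Rotate a 32-bit value left by r bits."""
    return ((x << r) | (x >> (32 - r))) & MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit integer."""
    c1, c2 = 0xCC9E2D51, 0x1B873593

    def mix(k: int) -> int:
        return (_rotl((k * c1) & MASK, 15) * c2) & MASK

    h = seed & MASK
    body_len = len(data) & ~3              # bytes covered by full 4-byte blocks
    for i in range(0, body_len, 4):
        h ^= mix(int.from_bytes(data[i:i + 4], "little"))
        h = (_rotl(h, 13) * 5 + 0xE6546B64) & MASK
    tail = data[body_len:]                 # 1 to 3 leftover bytes, if any
    if tail:
        h ^= mix(int.from_bytes(tail, "little"))
    h ^= len(data)                         # finalisation (avalanche) steps
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(raw: bytes) -> int:
    """Hash of the icon as indexed: the input is the wrapped base64 text."""
    # encodebytes() breaks lines at 76 characters and ends with "\n";
    # plain b64encode() yields a different string and so a different hash.
    return murmur3_32(base64.encodebytes(raw))


def shodan_filter(raw: bytes) -> str:
    """Build the search filter string for a given icon."""
    return f"http.favicon.hash:{favicon_hash(raw)}"


if __name__ == "__main__":
    sample = b"\x00\x00\x01\x00" + bytes(range(64))  # constructed, not a real icon
    print(shodan_filter(sample))
```
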