Contributed by gprime31
Level 5

BARKER Statistics
Total Submissions: 145
131 accepted, 14 rejected

Become a bounty hunter

Practise hacking on a fully functioning website containing real bugs found on bug bounty programs. Use your hacker mindset to uncover as many vulnerabilities as possible!

Gain confidence with us when testing web applications.

Advanced Recon Guide

To everyone that asked for it, Here is my recon guide I put together from multiple sources and refined over the past few months. It is kind of Advanced if you are new to recon, and no links to tools/sources will be provided however a quick google search will find you all the tools used.

Quick and dirty version, straight from my notes, sorry if it's confusing.


  1. TLD= Top Level Domain ( ) This will scan for,, etc... ./ -s -n -f -d site -m plain -o site-tld.txt <-------REMOVE http:// and https:// in notepad after 1-A G.S.A.N: gsan -o site-gsan.txt -f text --->only single domain. put in site-tld.txt

  2. ASN numbers
    ./ -o site (outputs file to asnlookup/output) rename to site-cidr-range.txt

  3. Hurricane Electric. <--- search company name (site) no .com or anything. copy ASN from search results and ranges (make site-asn.txt Don't copy the AS just the number ex: AS13457 <---- only 28551)

  4. AMASS for cidr ranges. amass intel -org site | tee -a site-intel-org.txt ( take asn and put in site-asn.txt -- take cidr and put in site-cidr-range.txt) 4-A feed cidr-range list to amass intel with for loop: for i in $(cat site-cidr-range.txt); do echo"";echo "cidr $i";echo "";amass intel -cidr $i;echo "";done | tee -a site-cidr-range-scanned.txt

  5. NMAP: nmap -T4 -Pn -p 80,4443,4080,443 --script=ssl-cert -iL site-cidr-range.txt -oX site-cidr-ssl-cert-scanned.xml --open nmap -T4 -Pn -p 80,4443,4080,443 --script=banner -iL site-cidr-range.txt -oX site-cidr-banner-scanned.xml --open nmap -T4 -Pn -p 80,4443,4080,443 --script=http-title -iL site-ip.txt -oX site-ip-title-scanned.xml --open

6-A. NMAP PARSE: ./nmap-parse-output /site-cidr-ssl-cert-scanned.xml hosts | tee -a site-ip.txt NMAP PARSE: ./nmap-parse-output /site-cidr-banner-scanned.xml hosts | tee -a site-ip.txt NMAP PARSE: ./nmap-parse-output /site-ip-title-scanned.xml hosts | tee -a site-ip.txt

  1. site-ip.txt to amass for sub/domain ---> for i in $(cat site-ip.txt); do echo"";echo "IP $i";echo "";amass intel -addr $i;echo "";done | tee -a site-ip- scanned.txt cleaner output---> for i in $(cat site-ip.txt); do amass intel -addr $i; done | tee -a site-ip-scanned.txt

  2. feed site-asn.txt to amass intel with for loop ex: for i in $(cat site-asn.txt); do echo"";echo "ASN $i";echo "";amass intel -active -asn $i;echo "";done | tee -a site-asn-scanned.txt

  3. massdns -r resolvers.txt -o S -w site-root.txt site-tld.txt (--hashmap-size 7500 if it slows down internet)

  4. Combine 1. site-root.txt and 3. site-asn-scanned.txt and 4. site-cidr-range-scanned.txt 5. site-ip-scanned.txt into ONE file, sort and unique. and start subdomain enum. site-ready-for-sub-enum.txt (make sure http:// and https:// are removed from all txt files!!!!!!!)

Tip for sort and unique easy do: vim site-ready-for-sub-enum.txt press : type %sort u --press enter you will see how many dupes were found. press : and wq

Now all the Root Domains are found (and a few subs too) Now it's time for SubDomain Enum. Next Article (another 12 steps ) Happy Hunting, Prime.