My 5-Step Recon Workflow (No Fluff, Just Results)
Recon is where bounties get paid. Here's the repeatable process I've dialed in:
1. Surface Mapping — amass intel + crt.sh + shodan. Zero-touch passive recon: grab subdomains, ASN data, exposed services. Don't send a single packet yet.
2. Scope Validation — puredns + httpx + gau. Resolve everything, filter live hosts, collect historical URLs. Look for 403s, large response bodies, and wildcard DNS gaps.
3. Fingerprinting & Discovery — katana + feroxbuster + whatweb. Recursive crawling plus directory brute-force. Hunt for API endpoints, .git leaks, admin panels, and hidden parameter routes.
4. Parameter Analysis — waybackurls | gf | qsreplace. Find reflection points (id=, file=, redirect=, next=). Low-hanging XSS, open redirects, and SSRF candidates live here.
5. Service Probing — nmap -sV -sC + nuclei + ffuf (vhost). Targeted port scans, CVE template matching, and virtual host fuzzing.
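As an added example (not part of the original post, and not the gf or qsreplace tools themselves), here is what step 4 does in plain Python: take the historical URL list, bucket query parameters by name pattern the way gf pattern files do, and collapse URLs that differ only in parameter values the way qsreplace lets you dedupe them. The bucket regexes and the sample URLs are assumptions I constructed for the demo; an app owner can run the same script over their own wayback export to see which exposed parameters take URLs or file paths and deserve input-validation review.

```python
"""Bucket query parameters from a historical URL list for triage."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Parameter-name patterns per review bucket. Assumed/constructed for this
# example; modelled on the kind of lists gf pattern files carry.
BUCKETS = {
    "redirect": re.compile(r"^(redirect|redir|next|url|return(url)?|dest|continue|goto|target)$", re.I),
    "file":     re.compile(r"^(file|path|page|template|include|doc|folder|dir)$", re.I),
    "ssrf":     re.compile(r"^(url|uri|host|site|proxy|callback|feed|fetch)$", re.I),
    "id":       re.compile(r"^(id|uid|user(id)?|pid|item|order|account)$", re.I),
}

# Constructed sample input standing in for `gau` / `waybackurls` output.
SAMPLE_URLS = [
    "https://app.example.com/login?next=/dashboard&id=42",
    "https://app.example.com/login?next=/settings&id=7",   # same shape as above
    "https://app.example.com/download?file=report.pdf",
    "https://api.example.com/v1/fetch?url=https://example.com/feed.xml",
    "https://app.example.com/static/logo.png",             # no query string
    "https://app.example.com/search?q=test&page=2",
]


def canonical(url: str) -> str:
    """Dedupe key: every query value replaced by FUZZ and names sorted, so
    URLs that differ only in parameter values collapse to one endpoint."""
    parts = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "&".join(f"{n}=FUZZ" for n in names)
    return f"{parts.scheme}://{parts.netloc}{parts.path}" + (f"?{query}" if query else "")


def classify(urls):
    """Return {bucket: {param_name: sorted canonical endpoints carrying it}}.
    A name can land in more than one bucket (e.g. url= is redirect and ssrf)."""
    found = defaultdict(lambda: defaultdict(set))
    for url in urls:
        for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            for bucket, pattern in BUCKETS.items():
                if pattern.match(name):
                    found[bucket][name].add(canonical(url))
    return {b: {n: sorted(eps) for n, eps in params.items()} for b, params in found.items()}


if __name__ == "__main__":
    for bucket, params in classify(SAMPLE_URLS).items():
        for name, endpoints in params.items():
            print(f"[{bucket}] {name}= -> {', '.join(endpoints)}")
```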
What I recently improved: Switched from passive URL collection to recursive katana crawling with auto form-fill. Started finding hidden POST endpoints and reflected input sinks I was missing before.
Drop your current workflow below. What's one tool you can't live without during recon?

