ThreatFound academy
Bug Bounty Hunting

Reconnaissance: mapping the attack surface

You can’t test what you can’t see. Find subdomains, live hosts, endpoints and the technologies behind them.


Most bounties are won in recon. The researcher who finds the forgotten staging box, the new API, or the dangling subdomain tests things nobody else is looking at.

The pipeline

  • Subdomain enumeration: subfinder, passive sources (crt.sh, Shodan, SecurityTrails) to find *.target.com.
  • Resolution: dnsx / puredns to keep only hosts that actually resolve.
  • Probing: httpx to find which are alive, their status, title and tech stack.
  • Crawling: katana to collect endpoints, parameters and JavaScript files.
  • JS mining: jsluice to pull hidden API routes and leaked secrets out of bundles.

subfinder -d target.com -all -silent \
  | dnsx -silent \
  | httpx -silent -title -tech-detect -status-code

Recon is most valuable when it’s continuous. New subdomains and endpoints appear constantly — diffing today against yesterday is where fresh, undup’d bugs come from.

Stay in scope

Every tool above can wander outside the authorised targets. Always filter discovered hosts against the program’s scope before you probe them — a fail-closed allowlist is the safe default.
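A fail-closed scope filter that sits between the pipeline above and anything that probes, as an added example (not ThreatFound's tooling): it normalises raw subfinder/dnsx/httpx lines to bare hosts and keeps only those an explicit allowlist permits. The scope file format (`*.` wildcards, `!` exclusions, `#` comments), the fictional target.com program and the sample output lines are all constructed for this example.

```python
from urllib.parse import urlsplit

def hostname(line: str) -> str:
    """Reduce a raw recon line such as 'https://api.target.com:8443 [200]' to a bare host."""
    parts = line.split()
    token = parts[0] if parts else ""
    if "://" not in token:
        token = "//" + token  # let urlsplit handle bare 'host', 'host:port' and 'host/path'
    try:
        host = urlsplit(token).hostname or ""  # .hostname is already lower-cased
    except ValueError:  # malformed input (e.g. a stray '[') is dropped, not guessed at
        return ""
    return host.rstrip(".")

def parse_scope(lines):
    """Build (allow, deny) rule sets; a leading '!' marks an out-of-scope entry."""
    allow, deny = set(), set()
    for raw in lines:
        rule = raw.split("#", 1)[0].strip().lower()
        if rule:
            (deny if rule.startswith("!") else allow).add(rule.lstrip("!"))
    return allow, deny

def matches(host: str, rule: str) -> bool:
    """Exact host match, or '*.example.com' for any host below that apex (not the apex itself)."""
    if rule.startswith("*."):
        return host.endswith(rule[1:])  # '.example.com' suffix, so 'evil-example.com' never matches
    return host == rule

def in_scope(host: str, allow, deny) -> bool:
    """Fail closed: empty hosts, denied hosts and anything not explicitly allowed are rejected."""
    if not host or any(matches(host, r) for r in deny):
        return False
    return any(matches(host, r) for r in allow)

def filter_hosts(lines, scope_lines):
    """Yield in-scope hosts from raw tool output, de-duplicated, in first-seen order."""
    allow, deny = parse_scope(scope_lines)
    seen = set()
    for line in lines:
        host = hostname(line)
        if host not in seen and in_scope(host, allow, deny):
            seen.add(host)
            yield host

# Constructed sample: lines of the kind dnsx/httpx emit, plus a scope file for a fictional program.
SAMPLE_SCOPE = ["*.target.com", "target.com", "!legacy.target.com  # explicitly out of scope"]
SAMPLE_OUTPUT = ["https://api.target.com:8443 [200] [API]", "API.TARGET.COM.", "target.com",
                 "legacy.target.com", "evil-target.com", "target.com.evil.net", "https://dev.target.com/login"]
IN_SCOPE = list(filter_hosts(SAMPLE_OUTPUT, SAMPLE_SCOPE))  # -> ['api.target.com', 'target.com', 'dev.target.com']
```

In a live pipeline, feed `sys.stdin` to `filter_hosts` with the program's scope file and print the result before handing hosts to httpx or katana.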