🧭 Quick overview of the recon story:

  1. Collect subdomains (Subfinder + TheHarvester) — find the attack surface.
  2. Scan each discovered host (Nmap) — discover open ports & service versions.
  3. Gather passive URLs (Gau) — find endpoints, parameters, old paths.
  4. Fuzz directories (ffuf) — find hidden panels, backups, endpoints to test.

🧰 Tools & why we picked them

  • Subfinder — fast, passive-first subdomain discovery (Project Discovery).
  • TheHarvester — OSINT subdomain/email discovery via public data sources.
  • Nmap — classic network/service/port scanner with version detection.
  • Gau (getallurls) — collects known URLs for domains from public archives and link indexes (Wayback, CommonCrawl, etc.).
  • Ffuf — fast web fuzzer for directories/files (flexible, easy to tune).

───────────────────────────────────────────────

🛡️ Tool #1 — Subdomain discovery (Subfinder + TheHarvester)

✅ What you get

A combined, deduplicated list of subdomains (e.g. staging.example.com, dev.example.com, api.example.com). This grows your attack surface and exposes forgotten or high-value hosts.

🧠 Why it matters

Hidden subdomains often host staging panels, old APIs, or admin consoles and they're frequently in scope for bug bounty programs. The more subdomains you know, the more likely you are to find a vulnerable asset.

🖥️ Commands

# 1) Subfinder - passive & fast (one hostname per line, saved to file)
subfinder -d example.com -silent -o subfinder.txt
# 2) TheHarvester - query every configured public source; -f takes a base name
#    and writes theharvester.xml and theharvester.json next to it
theHarvester -d example.com -b all -f theharvester
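The two tools overlap and disagree on case, wildcards and trailing dots, so the practical next step is a merge that also enforces scope. The script below is an added example, not part of the original post: it assumes subfinder.txt is one hostname per line (what -o writes) and that the theHarvester hosts have already been pulled out of its JSON into a plain list (the jq line in the comment is an assumption about that JSON layout). The sample inputs are constructed.

```bash
#!/bin/sh
# Added example (not from the original post): merge the Subfinder and
# theHarvester host lists into one clean, in-scope subdomain list.
# Assumptions: subfinder.txt is one hostname per line (what -o writes);
# theHarvester's JSON output has a "hosts" array whose entries may look like
# "name:ip", so extract names with something like (assumed layout):
#   jq -r '.hosts[]' theharvester.json | cut -d: -f1 > theharvester_hosts.txt
set -eu

# normalize_hosts: lowercase, drop "*." wildcards, trailing dots, stray whitespace and blank lines
normalize_hosts() {
  tr 'A-Z' 'a-z' | sed -e 's/^\*\.//' -e 's/\.$//' -e 's/[[:space:]]//g' | awk 'NF'
}

# merge_subdomains ROOT FILE...: union of every list, kept in scope
# (hostname is ROOT itself or ends in ".ROOT"), sorted and deduplicated.
# The suffix check is what stops "notexample.com" hosts sneaking into scope.
merge_subdomains() {
  root="$1"; shift
  cat "$@" | normalize_hosts | awk -v root="$root" '
    $0 == root || substr($0, length($0) - length(root)) == "." root
  ' | sort -u
}

# Constructed sample output standing in for real tool results
WORK="$(mktemp -d)"
printf '%s\n' 'api.example.com' 'DEV.example.com' '*.staging.example.com' \
  'api.example.com' > "$WORK/subfinder.txt"
printf '%s\n' 'dev.example.com' 'mail.example.com.' 'example.com' \
  'cdn.example-cdn.net' 'www.notexample.com' > "$WORK/theharvester_hosts.txt"

merge_subdomains example.com "$WORK/subfinder.txt" "$WORK/theharvester_hosts.txt"
# → api.example.com dev.example.com example.com mail.example.com staging.example.com
```

Save the result as live_hosts.txt (or similar) and feed it to the Nmap step; the wildcard entry becomes a plain hostname because Nmap cannot scan "*.staging", and the look-alike domains are dropped before you ever touch them.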

───────────────────────────────────────────────

🛡️ Tool #2 — NMAP: ports, services, versions

✅ What you get

Open ports, service names, version strings, and optional script results (HTTP titles, TLS certificate info, basic vulnerability checks).

🧠 Why it matters

A subdomain that resolves but has no web ports isn't useful for web testing. Conversely, an unexpectedly open port or an outdated service version points to a different class of vulnerability than the web app itself.

🖥️ Commands

# Full port scan with version detection + default scripts (more thorough, but slow and noisy)
nmap -p- -sV -sC -T4 example.com -oN nmap_full_example.txt
# Prefer -oA <basename> when you intend to parse the results later: it also writes .gnmap and .xml
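The overview says "scan each discovered host", which means one run over the whole list and then pulling the web ports back out for the next steps. The script below is an added example, not from the original post: scan_hosts wraps the same Nmap flags over an input list (it is defined but not executed here), and the parser reads Nmap's greppable (-oG / -oA) format to produce URLs for Gau and ffuf. The .gnmap sample is constructed, not a real scan.

```bash
#!/bin/sh
# Added example (not from the original post): scan every discovered host in one
# Nmap run and turn the greppable output into a list of web targets for the
# Gau/ffuf steps. Assumes live_hosts.txt is the merged subdomain list and that
# Nmap was run with -oA so a .gnmap file exists; the sample .gnmap below is
# constructed, not a real scan.
set -eu

# scan_hosts LIST BASENAME: one Nmap run over the whole list (not called here)
scan_hosts() {
  nmap -p- -sV -sC -T4 --max-rate 300 -iL "$1" -oA "$2"
}

# open_ports_from_gnmap FILE: print "host port service version" for open ports.
# Greppable lines look like: Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<svc>//<ver>/, ...
open_ports_from_gnmap() {
  awk -F'\t' '/Ports:/ {
    host = $1; sub(/^Host: /, "", host)
    ip = host; sub(/ .*/, "", ip)
    name = ""
    if (match(host, /\([^)]+\)/)) name = substr(host, RSTART + 1, RLENGTH - 2)
    if (name == "") name = ip              # unresolved host: fall back to the IP
    ports = ""
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
    n = split(ports, p, ", ")
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")                  # port/state/proto/owner/service/rpc/version
      if (f[2] == "open") printf "%s %s %s %s\n", name, f[1], f[5], f[7]
    }
  }' "$1"
}

# web_targets FILE: a URL for every open HTTP-like port; https when the service
# is TLS-wrapped or sits on a usual TLS port
web_targets() {
  open_ports_from_gnmap "$1" | awk '$3 ~ /http/ {
    scheme = ($3 ~ /ssl|https/ || $2 == 443 || $2 == 8443) ? "https" : "http"
    printf "%s://%s:%s\n", scheme, $1, $2
  }'
}

# Constructed sample -oG output for two hosts
WORK="$(mktemp -d)"
{
  printf '# Nmap 7.94 scan initiated as: nmap -p- -sV -sC -T4 -iL live_hosts.txt -oA nmap_full\n'
  printf 'Host: 93.184.216.34 (api.example.com)\tStatus: Up\n'
  printf 'Host: 93.184.216.34 (api.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)\n'
  printf 'Host: 203.0.113.7 (dev.example.com)\tPorts: 80/open/tcp//http//Apache httpd 2.4.49/, 3306/open/tcp//mysql//MySQL 5.7.33/\tIgnored State: closed (65533)\n'
  printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
} > "$WORK/nmap_full.gnmap"

open_ports_from_gnmap "$WORK/nmap_full.gnmap"
web_targets "$WORK/nmap_full.gnmap"
# → https://api.example.com:443 and http://dev.example.com:80
```

The non-web findings (here an exposed MySQL on dev and the Apache version string) are worth keeping in the notes too; they are the "different class of vulnerability" the section above mentions, just not something ffuf will find.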

───────────────────────────────────────────────

🛡️ Tool #3 — Gau (getallurls): passive URL collection

✅ What you get

A large list of URLs historically or currently associated with the domain: endpoints, query parameters, archived pages, and paths that are no longer linked anywhere but still exist in the archives.

🧠 Why it matters

You find forgotten endpoints (e.g. /old-admin/, /api/v1/backup/) and parameters (?id=, ?file=) that can be tested for injection, LFI, SSRF, etc. Gau pulls all of this from third-party archives, so you get that context without sending a single request to the target.

🖥️ Commands

# Basic usage: fetch known URLs for the domain and keep them for triage
gau example.com > gau.txt
# add --subs to include subdomains as well
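A raw Gau dump is usually tens of thousands of lines, most of them the same endpoint with different parameter values. The script below is an added example, not from the original post: it collapses the dump to one line per unique (host+path, parameter-name set) so each endpoint is tested once regardless of parameter order, and separately flags paths that look like backups or config leaks. The sample URL list is constructed, not real Gau output.

```bash
#!/bin/sh
# Added example (not from the original post): triage a Gau URL dump offline.
# The sample URL list below is constructed, not real Gau output.
set -eu

# param_endpoints < urls: "host/path?sorted,param,names <first example URL>"
param_endpoints() {
  awk -F'[?]' 'NF > 1 {
    path = $1; sub(/^[a-z]+:\/\//, "", path)          # keep host + path, drop scheme
    n = split($2, kv, "&"); m = 0; split("", seen)
    for (i = 1; i <= n; i++) {
      k = kv[i]; sub(/=.*/, "", k)
      if (k != "" && !(k in seen)) { seen[k] = 1; names[++m] = k }
    }
    for (i = 2; i <= m; i++) {                          # insertion sort: key is order-independent
      v = names[i]
      for (j = i - 1; j >= 1 && names[j] > v; j--) names[j + 1] = names[j]
      names[j + 1] = v
    }
    key = path "?"
    for (i = 1; i <= m; i++) key = key names[i] (i < m ? "," : "")
    if (!(key in done)) { done[key] = 1; print key, $0 }
  }'
}

# interesting_files < urls: paths that look like backups, dumps or config leaks
interesting_files() {
  grep -iE '\.(bak|old|orig|swp|zip|rar|7z|tar|gz|tgz|sql|db|sqlite|env|log|conf|config|ini|yml|yaml|pem|key)($|\?)' | sort -u
}

# Constructed sample Gau output
WORK="$(mktemp -d)"
printf '%s\n' \
  'https://example.com/api/v1/users?id=1&format=json' \
  'https://example.com/api/v1/users?format=xml&id=2' \
  'http://example.com/download?file=report.pdf' \
  'https://example.com/old-admin/' \
  'https://example.com/backup/site.tar.gz' \
  'https://dev.example.com/.env' \
  'https://example.com/static/app.js' \
  'https://example.com/search?q=test' > "$WORK/gau.txt"

param_endpoints < "$WORK/gau.txt"     # 3 endpoints, each with its parameter set
interesting_files < "$WORK/gau.txt"   # the .env and the .tar.gz
```

The two /api/v1/users URLs collapse into one key (format,id) even though the parameters appear in different orders, which is exactly the deduplication you want before spending requests on injection tests. Anything interesting_files reports should be fetched by hand first: archived paths are often long gone, and a 200 on /.env is a finding on its own.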

───────────────────────────────────────────────

🛡️ Tool #4 — ffuf: fuzz directories & find hidden endpoints

✅ What you get

Discovery of hidden directories, admin panels, backup files, and unlinked endpoints by brute-forcing a wordlist against a web root.

🧠 Why it matters

Even if Gau shows past URLs, ffuf finds currently accessible but unreferenced endpoints (e.g. /admin, /uploads, /backup.zip). It's fast and easy to tailor.

🖥️ Commands

# Basic directory fuzz (common wordlist from SecLists)
ffuf -u https://example.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 50 -mc 200,301,302,403
# Add -ac (auto-calibration) when every path returns the same soft-404 page, and -rate <n> to throttle on production
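"Easy to tailor" is the point: a generic wordlist misses names only this target uses, but the Gau dump already contains them. The script below is an added example, not from the original post: it builds a wordlist from the path segments the target has exposed, merges it with a SecLists file when one is present (the Kali path is an assumption), and wraps a tuned ffuf invocation that is defined but not executed here, since it needs a live, authorized target. The sample URLs are constructed.

```bash
#!/bin/sh
# Added example (not from the original post): seed ffuf with words the target
# itself has used (path segments from the Gau dump) on top of a SecLists file,
# plus a tuned ffuf invocation for a live, authorized target. The sample URLs
# are constructed; the SecLists path is the usual Kali location (assumption).
set -eu

# path_wordlist < urls: every distinct path segment, one per line
path_wordlist() {
  awk '{
    u = $0; sub(/[?#].*/, "", u); sub(/^[a-z]+:\/\/[^\/]*/, "", u)   # drop query and scheme://host
    n = split(u, seg, "/")
    for (i = 1; i <= n; i++) if (seg[i] != "" && !(seg[i] in seen)) { seen[seg[i]] = 1; print seg[i] }
  }' | sort -u
}

# build_wordlist GAU_FILE [SECLIST_FILE]: target words merged with a generic list if it exists
build_wordlist() {
  {
    path_wordlist < "$1"
    if [ $# -gt 1 ] && [ -f "$2" ]; then cat "$2"; fi
  } | sort -u
}

# fuzz_target BASE_URL WORDLIST OUT_JSON: not run here (needs a live target and ffuf installed)
fuzz_target() {
  # -ac        auto-calibrate: drop responses that look like the soft-404 page instead of trusting -mc alone
  # -e         try backup extensions for every word
  # -rate/-t   keep request volume polite on production hosts
  # -recursion follow one level into directories that were found
  ffuf -u "$1/FUZZ" -w "$2" -ac -e .bak,.old,.zip \
       -mc 200,204,301,302,307,401,403,405 \
       -rate 50 -t 20 -recursion -recursion-depth 1 \
       -o "$3" -of json
}

# Constructed sample Gau output
WORK="$(mktemp -d)"
printf '%s\n' \
  'https://example.com/api/v1/users?id=1' \
  'https://example.com/old-admin/login.php' \
  'https://example.com/backup/site.tar.gz' \
  'https://dev.example.com/api/v2/internal/health' > "$WORK/gau.txt"

build_wordlist "$WORK/gau.txt" /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt > "$WORK/target_words.txt"
path_wordlist < "$WORK/gau.txt"    # api backup health internal login.php old-admin site.tar.gz users v1 v2
```

Words such as old-admin and internal are unlikely to be in any public list but are exactly what you want to try on every other host in scope; run fuzz_target against each URL from the Nmap step with target_words.txt as the list.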

───────────────────────────────────────────────

🧠 Pro tips & beginner mistakes to avoid

  • Start passive first (Subfinder/TheHarvester → Gau). Passive reduces noise and avoids tripping WAFs immediately.
  • Respect scope — only test hosts listed in the bounty program's scope. If in doubt, don't probe.
  • Rate-limit your ffuf and nmap runs on production targets to avoid causing an outage or getting blocked. Use ffuf's -t, -rate and -p, and nmap's -T and --max-rate, responsibly.
  • Use SecLists (/usr/share/seclists/) as your wordlist repo; pick lists appropriate for the target size.

⚖️Ethics & legal reminder

Only run the above commands against assets you have permission to test (in-scope bug bounty programs, your own lab, or explicitly authorized targets). Unauthorized scanning or fuzzing may be illegal.
