What it is:
Think of “recon” (reconnaissance) like scouting or doing homework. It’s the phase where someone (an attacker or a defender) quietly gathers information about a target (like a company, website, or network) before taking any direct action.
Analogy: Imagine thieves planning to rob a bank. They wouldn’t just rush in! First, they’d:
✅ Watch the bank’s opening/closing times.
✅ Note security guards and cameras.
✅ Look for unlocked doors or weak spots.
This scouting is recon. In cybersecurity, the “bank” is a computer system or network.
In a Nutshell:
Recon is cybersecurity homework. Attackers do it to find the best way in. Defenders do it to lock the doors and windows first. It’s the critical first step for both sides because you can’t attack or defend what you don’t know about.
Subdomain Enumeration
Uses crt.sh (a Certificate Transparency log search) to find subdomains listed in issued TLS certificates
curl -s "https://crt.sh/?q=target.com&output=json" | jq -r '.[] | .name_value' | sort -u > subdomains_curl_output.txt
Assetfinder
assetfinder --subs-only example.com | sort -u
Amass
amass enum -passive -d example.com -o subdomains.txt
Subfinder
subfinder -d example.com -all -recursive > subdomain.txt
Filter Live Subdomains
cat subdomain.txt | httpx-toolkit -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt
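The crt.sh JSON and the one-name-per-line outputs of the tools above all end up in the same list, and merging them by hand is where wildcard entries, mixed case, trailing dots and look-alike names outside the target domain slip through. The following is an added example (not part of the original notes) that normalizes crt.sh name_value records and tool output lines into one deduplicated, in-scope list; the sample records are constructed, not real lookups.

```python
"""Merge passive subdomain findings (crt.sh JSON + tool output) into one in-scope list.

Added example, not from the original notes. Assumes crt.sh JSON as returned
with output=json and plain one-name-per-line text from the other tools.
"""
import json
import re
from typing import Optional

# DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_host(name: str) -> Optional[str]:
    """Lowercase, strip wildcard prefixes and trailing dots; None if not a hostname."""
    host = name.strip().lower().rstrip(".")
    # crt.sh reports wildcard certs as "*.example.com"; the wildcard itself is not a host.
    while host.startswith("*."):
        host = host[2:]
    if not host or not all(LABEL_RE.match(label) for label in host.split(".")):
        return None
    return host


def in_scope(host: str, root: str) -> bool:
    """True for the root domain or a subdomain of it, never for 'notexample.com'."""
    return host == root or host.endswith("." + root)


def names_from_crtsh(raw_json: str) -> list:
    """crt.sh packs several SANs into one name_value field separated by newlines."""
    names = []
    for entry in json.loads(raw_json):
        names.extend(entry.get("name_value", "").split("\n"))
    return names


def merge_subdomains(root: str, crtsh_json: str, *tool_outputs: str) -> list:
    """Return a sorted, deduplicated list of in-scope hosts from all sources."""
    candidates = names_from_crtsh(crtsh_json)
    for text in tool_outputs:
        candidates.extend(text.splitlines())
    root = root.lower()
    hosts = {h for h in map(normalize_host, candidates) if h and in_scope(h, root)}
    return sorted(hosts)


# Constructed sample data standing in for real crt.sh and assetfinder output.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "*.example.com\nexample.com"},
    {"name_value": "Mail.Example.com."},
    {"name_value": "dev.example.com\nnotexample.com"},
])
ASSETFINDER_SAMPLE = "www.example.com\nmail.example.com\nexample.com.evil.test\n"

if __name__ == "__main__":
    for h in merge_subdomains("example.com", CRTSH_SAMPLE, ASSETFINDER_SAMPLE):
        print(h)
```

The resulting list is what you feed to the live-host filter above; names the merge drops (out-of-scope look-alikes, wildcard-only entries) are worth a second look as possible typosquats or stale certificates.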
IP Range Discovery
Using WHOIS command
whois -h whois.arin.net "n + target_domain" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}'
Using curl command
nonce=$(curl -s https://hackertarget.com/as-ip-lookup/ | grep -oP 'name="name_of_nonce_field" value="\K[^"]+'); echo "Nonce received: $nonce"; curl -s 'https://hackertarget.com/as-ip-lookup/' -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "theinput=<domain_input>&thetest=asnlookup&name_of_nonce_field=$nonce&_wp_http_referer=%2Fas-ip-lookup%2F" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' | grep -vE '^(1\.1\.1\.0/24|8\.8\.8\.0/24)$'
Note: replace <domain_input> with the domain you are assessing.
Using the Wayback Machine CDX API (lists archived URLs whose path ends in a file extension of interest)
https://web.archive.org/cdx/search/cdx?url=<domain_input>/*&collapse=urlkey&output=text&fl=original&filter=original:.*\.(xls|xml|xlsx|json|pdf|sql|doc|docx|pptx|txt|zip|targz|tgz|bak|7z|rar|log|cache|secret|db|backup|yml|gz|config|csv|yaml|md|md5|exe|dll|bin|ini|bat|sh|tar|deb|rpm|iso|img|apk|msi|dmg|tmp|crt|pem|key|pub|asc)$