My recon process (command-line)

Jan 9, 2023


My recon methods and tools I use in Linux


hello 👋

I thought it would be helpful to go over my recon process so you guys can pick out what you find helpful and add it to your own methodology and start earning some sweet bounties.

This is just basic stuff, but there might be some helpful things in here for you. For people just starting out, there’s a whole bag of goodies in here that I think you’ll like.

So let’s start…

Subdomain enumeration

My subdomain enumeration process is pretty much the same as other hunters’, but here are some tips for people just getting into these sorts of tools. The first tool I use is Knock, which is an amazing subdomain enumeration tool that tells you the response code and the server each site is running on.


Tip: Even if the response code for some sites is 404, 403, etc., you should still visit them or webcrawl them because there may be something interesting on them.

Another method I use, which I find the most helpful for subdomain enumeration, is “assetfinder”, using this command:

assetfinder --subs-only $TARGET | tee -a $subtxt

Once done, you can use “httpX” with this command to show the live sites along with their server and response code.

cat $subtxt | httpx -title -tech-detect -status-code | tee -a $subhttp.txt
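The tip above about 404s and 403s is easier to follow when the httpx results are grouped by status code. This is an added sketch, not part of the original post; the sample lines are constructed with placeholder example.com hosts, and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample of `httpx -title -tech-detect -status-code` output.
# One line carries ANSI colour codes, as httpx output often does when saved.
sample_httpx_output() {
  printf '%s\n' \
    'https://www.example.com [200] [Home] [Nginx]' \
    'https://old.example.com [404] [Not Found] [Apache HTTP Server]' \
    'https://api.example.com [500] [Internal Server Error] [Express]' \
    'https://go.example.com [301] [] [Cloudflare]'
  printf 'https://admin.example.com [\033[33m403\033[0m] [Forbidden] [Nginx]\n'
}

# Read httpx lines on stdin and print "<status> <url>", sorted by status.
# Colour codes are stripped first; lines without a bracketed 3-digit
# status (banners, errors) are skipped.
status_table() {
  esc=$(printf '\033')
  sed "s/${esc}\[[0-9;]*m//g" |
    awk 'match($0, /\[[0-9][0-9][0-9]\]/) {
           print substr($0, RSTART + 1, 3), $1
         }' |
    sort -k1,1n -k2,2
}

# Count how many hosts returned each status code.
status_counts() {
  status_table | awk '{ c[$1]++ } END { for (s in c) print s, c[s] }' | sort -n
}

# URLs that did not return 200: the ones the tip says are still worth a visit.
non_200_hosts() {
  status_table | awk '$1 != 200 { print $2 }'
}

sample_httpx_output | status_counts
sample_httpx_output | non_200_hosts
```

On a real run, feed the saved httpx output file to `non_200_hosts` on stdin instead of the sample function.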

Once you have done all of this, you can run all your subdomains through a tool called “Subzy”, which uses EdOverflow’s “can-i-take-over-xyz” to check for subdomain takeover.

subzy -targets $HTTPfile.txt




Directory/Path discovery

This part of recon is my favourite as you don’t know what sorts of things you’re going to find. This part will also include parameter finding among other things.

The first tool I always use in directory discovery is “Dirsearch”, which is an amazing tool by Maurosoria and is extremely fast and easy to use. I have found some bugs with Dirsearch, like exposed server endpoints.


Tip: Don’t just look at the 200s; look at the 302s, 301s, 500s, and so on; they may show a detailed error page or a hidden, unsanitized parameter vulnerable to XSS, etc.

Another amazing content/directory discovery tool is Tomnomnom’s “Waybackurls”, which gives you an entire list of the sites’ endpoints. This can be extremely helpful for fuzzing, JS files, API endpoints, etc.

waybackurls <domain> | tee -a file.txt

cat subs.txt | waybackurls | tee -a file.txt

Waybackurls can also find parameters, which would be great for some good old fuzzing. I suggest doing some more research on this amazing tool.
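A waybackurls list usually repeats the same endpoint many times with different values, so it helps to reduce it to unique endpoint and parameter-name pairs before reviewing it. This is an added sketch, not part of the original post; the sample URLs are constructed with a placeholder host, and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample of waybackurls output (placeholder host).
sample_wayback_urls() {
  printf '%s\n' \
    'https://shop.example.com/search?q=shoes&page=2' \
    'https://shop.example.com/search?q=hats&page=7' \
    'https://shop.example.com/item?id=15#reviews' \
    'https://shop.example.com/static/app.js' \
    'https://shop.example.com/redirect?next=%2Fhome&utm_source=mail' \
    'https://shop.example.com/search?page=1&q=bags&sort='
}

# Read URLs on stdin and print unique "<endpoint> <parameter-name>" pairs.
# Fragments and parameter values are dropped; URLs with no query string
# are skipped; parameters with an empty value (sort=) are still listed.
endpoint_params() {
  awk '{
    sub(/#.*/, "")                       # drop the fragment
    i = index($0, "?")
    if (i == 0) next                     # no query string on this URL
    base = substr($0, 1, i - 1)
    n = split(substr($0, i + 1), kv, "&")
    for (j = 1; j <= n; j++) {
      name = kv[j]
      sub(/=.*/, "", name)               # keep the name, drop the value
      if (name != "") print base, name
    }
  }' | sort -u
}

# Unique parameter names across all endpoints, with how many endpoints use each.
param_names() {
  endpoint_params | awk '{ c[$2]++ } END { for (p in c) print c[p], p }' | sort -rn
}

sample_wayback_urls | endpoint_params
```

On a real run, pipe file.txt into `endpoint_params` instead of the sample function.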

There’s a good parameter-finding tool called “ParamSpider” that also shows hidden parameters that might not be protected from XSS or SQL injection. I highly recommend it.

python3 paramspider.py --domain <domain>




Vulnerability scanning/scrape

This part of recon is always fun. It’s not much work; just sit back, sip on a cold drink, and let your tools run; occasionally, something will pop up, so here are the vulnerability scanners I use in my recon process.

The most awesome and best one I use is “Nuclei.” It’s extremely good and you can make your own templates in YAML and use thousands of other templates by other hackers. I have found a couple of bugs with Nuclei, and I love to use it in my recon process.

It’s extremely easy to use, and you can use it on a subdomain list. Keep in mind that it will send out a lot of requests, so keep an eye on that.

cat subs.txt | nuclei 

cat subs.txt | nuclei -t /nuclei-templates/<your template>

There’s also another amazing tool by Sullo called “Nikto,” which does take a while but can bring up things you wouldn’t find with any other command-line tool. It’s written in Perl, and it does send out a lot of requests, so again, be careful. I suggest doing your own research into this awesome tool, as it has so many other options and features!

Another fantastic tool is “CVEscan,” which works similarly to an nmap plugin: it scans open ports for known CVEs and provides the exploit/PoC URL along with the exploits that you can use in Metasploit. I highly recommend CVEscan, especially if you are doing networking. You can’t use this tool in Kali, only in Ubuntu and Arch, so on Kali you can go with the nmap NSE scripts for CVE scanning, which also work fine.

cvescan <ip> # cvescan for ubuntu/arch users

nmap -sV --script=vulners <ip> # nmap scan for kali users

There are loads of other great vulnerability scanners, but I would be here all day explaining them.





“Shodan” is another tool I use from time to time, but a little less than I should. Shodan is an amazing tool, and I am just getting into it, but I have been using something cool that you might find helpful. HttpX (the tool we went over before) lets you get hashes of the favicon file, which can then be looked up in Shodan for more recon.

cat subs.txt | httpx -favicon | tee -a file.txt

This can be very useful for more in-depth recon. Once you have the hashes, you can look them up in Shodan’s command-line tool or on their website using these commands:

# web 
# command-line
shodan search org:"Target" http.favicon.hash:<hash> --fields ip_str,port --separator " " | awk '{print $1":"$2}'


Last but not least, “TruffleHog,” a fantastic tool that finds API keys hidden in JS files, as well as passwords, tokens, and other information, in a manner similar to Burp’s JS Miner. TruffleHog comes as a Chrome or Firefox addon but also has its own command-line tool, which I use on S3 buckets. It’s easy to use and install. A great hunter called At0m has a video on it; I recommend checking it out and researching more into this amazing tool.

URL: (chrome addon)

URL: (firefox addon)

URL: (command-line tool)


If you’re going to use all or some of these tools, I recommend writing a simple bash script so you don’t have to go through all the hassle of running them one by one. Here’s a simple script as an example from my subdomain enumeration method.

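#!/bin/bash

read -rp 'host?: ' TARGET
read -rp 'output file name?: ' SUB

# You must have all of these tools installed to run this script
# (assetfinder, httpx, subzy).

echo "running assetfinder"
sleep 1
# Collect subdomains of the target and append them to the output file
assetfinder --subs-only "$TARGET" | tee -a "$SUB"
echo "done"

read -rp 'status code output file?: ' CODE
sleep 1
# Probe each subdomain and record its title, detected tech and status code
cat "$SUB" | httpx -title -tech-detect -status-code | tee -a "$CODE"

read -rp 'look it over: ' # press enter when you have looked it over
sleep 1

read -rp 'http file output?: ' HTTP
sleep 1
# Save the plain list of live URLs for the takeover check
cat "$SUB" | httpx | tee -a "$HTTP"
sleep 1

# Check the live hosts for possible subdomain takeover
subzy -targets "$HTTP"

echo "done"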

This is just a simple script; if you want to use it and play around with it, be my guest. If you’re new to bug bounty, I highly recommend learning Bash.

Also, please don’t use any of these tools for anything illegal. As a wise man once said, “Don’t waste your life on just a few tools.” ~ Dualcore

Anyway, that’s all from me. If you want to see a full video of my recon process, let me know, and if you have any improvements to suggest to my method, I would love to hear them!

Best of luck out there ~CoffeeAddict