Hi, this is a list of resources on recon.

You might find not too long or not comprehensive, and some of the tools/techniques listed may be obsolete by the time you read this.

But the purpose of this list is just to inspire and help you improve your own recon workflow, as I explained in The Bug Hunter Podcast 5: Recon workflow & Out of the box thinking in day-to-day life.

Also, I didn’t have as much time as I’d like to work on this. Many interesting tweets are missing. So I prefer to share what I have for now and update this page every time I find anything new worth sharing.

Articles #

• Doing RECON the correct way by Enciphers
• A Pentester’s Guide – Part 1 (OSINT – Passive Recon and Discovery of Assets)
• A Pentester’s Guide Part 2 (OSINT – LinkedIn is Not Just for Jobs)
• Reconnaissance: a eulogy in three acts
• “A lightweight reconnaissance setup for bug bounty hunters”
• How To Do Your Reconnaissance Properly Before Chasing A Bug Bounty
• What tools I use for my recon during #BugBounty
• A More Advanced Recon Automation #1 (Subdomains)
• Expanding your scope (Recon automation #2)
• Asset Discovery: Doing Reconnaissance the Hard Way
• Recon — my way.
• [Tools] Visual Recon – A beginners guide
• Recon Methodology
• Practical recon techniques for bug hunters & pen testers
• “Automating your reconnaissance workflow with ‘meg’”
• My methods of recon & testing
• Hacking with ZSeano: Recon Part two by zseano
• How to: Recon and Content Discovery
• Recon Android apps to widen scope
• A More Advanced Recon Automation #1 (Subdomains)
• Expanding your scope (Recon automation #2)
• Get Started; Footprinting and Reconnaissance
• Finding domains belonging to a specific target
• How to Conduct DNS Reconnaissance for $.02 Using Rapid7 Open Data and AWS
• Hacking 101 Episode 2 – Web Recon
• The Lazy Hacker
• Open-Source Intelligence (OSINT) Reconnaissance & BbSpider
• Advanced Recon Automation (Subdomains) case 1
• Bugbounty scope expanding

Slides #

• Dirty recon / Recon Like A Boss
• Bug Bounty Funshop
• Bug Bounty Workshop

Interviews #

• Bug Bounty Forum AMAs

Videos & Podcasts #

• Paul’s Security Weekly #564 with Jason Haddix
• Keith Hoodlet: Bug Bounty Hunting - Paul’s Security Weekly #564
• Web Hacking Pro Tips Deep Dive #3: Advanced Recon with @NahamSec
• Hacking Process - Recon
• SANS Webcast: OSINT for Pentesters Finding Targets and Enumerating Systems

Conference Talks #

• It’s the little things (Disobey 2018) & Doing recon like a boss (LevelUp 2017)
• Automation for Bug Hunters (Bug Bounty Talks)
• The Bug Hunters Methodology v3(ish) (LevelUp 0x02 / 2018)
• Practical recon techniques for bug hunters & pen testers (LevelUp 0x02 / 2018)
• Emergent Recon fresh methodology and tools for hackers in 2018
• Passive-ish Recon Techniques by Tom Hudson
• Recon and Bug Bounties - What a great love story! & Slides
• Bug Bounty Hunting on Steroids
• Supercharge Your Web Recon With Commonspeak
• Domain Discovery:Expanding Your Scope Like A Boss
• Exploiting Vulnerabilities Through Proper Reconnaissance

Tools #

I don’t recommend using all these tools because some of them do redundant tests and some seem to be deprecated.
But I like rummaging through the source code of recon tools for inspiration. So here is a list to start with if you want to do the same. Most of them are wrappers around other task-specific tools.

• List of recon tools by Bug Bounty Forum
• Lazyrecon by @capt-meelo
• LazyRecon by@NahamSec
• LazyRecon by @plenumlab
• 003Recon
• Recon-my-way
• Chomp-scan
• Recon.sh by @JobertAbma
• ReconDog by @s0md3v
• Meg
• AutoRecon by JoshuaMart
• autoRecon by @agrawalsmart7
• quick-recon.py by@si9int
• Domain Analyzer
• gOSINT: OSINT Swiss Army Knife
• Gathering domains/subdomains with IPRanges of organization
• setup_bbty.sh by @AseemShrey
• SubDomainizer
• Domained-master
• Domained
• Recon Pi
• Legion
• Datasploit

Resources #

• Bugbounty Cheatsheet / recon
• Application Security Wiki / Reconnaissance
• Recon cheatsheet

Tweets #

• Collection of Tweets on recon

Related blog posts/podcasts on this site #

• Compilation of recon workflows
• Subdomains Enumeration Cheat Sheet
• The Bug Hunter Podcast Ep. 2: Wayback Machine & Reading ebooks on the move
• The Bug Hunter Podcast Ep. 5: Recon workflow & Out of the box thinking in day-to-day life

Let me know if you have any comments, requests, questions… Feedback is always welcome.

See you next time!