Episode 1 built your mindset.
pisode 2 turns that mindset into actual hunting steps.
No theory.
No fluff.
Just how real hunters do recon.
1. Recon Starts with a Single Question:
“What EXACTLY is the company exposing to the internet?”
This sounds simple, but most hunters miss 60% of the attack surface because they only look at WHAT IS PUBLICLY VISIBLE — not what is PUBLICLY ACCESSIBLE.
2. Step-by-Step Practical Recon Workflow
Step 1: Map the real attack surface (not just the main domain)
subfinder -d target.com -all -recursive -o subs.txt dnsx -l subs.txt -resp -o live.txt
Most hunters stop here.
You won’t.
Now expand:
A. Find environments
grep -iE 'dev|stg|qa|test|sandbox|internal' subs.txt
B. Find country-specific apps
grep -iE 'in|eu|uk|us|apac' subs.txt
C. Find tech-specific subdomains
grep -iE 'api|graphql|admin|upload|auth' subs.txt
These categories give you the highest probability of real bugs.
Step 2: Prioritize based on FUNCTIONALITY
Take your live.txt and run HTTPX to fingerprint tech:
httpx -l live.txt -sc -title -server -tech-detect -o data.txt
Now filter for gold mines:
Look for:
- Login pages
- Upload endpoints
- GraphQL
- /admin, /dashboard
- Payment pages
- Old tech (AngularJS 1.x, jQuery 1.x)
- Exposed APIs with 200 OK
grep -iE "login|upload|graphql|admin|dashboard|payment" data.txt
This instantly reduces thousands of hosts to 20–40 high-value assets.
Step 3: Go inside the application (Dynamic recon)
Once you find targets, the goal is to find the messy stuff.
Open the app → DevTools → Network tab.
Then:
Look for:
- Hidden API routes
- Internal features
- /beta, /v2, /private
- Non-visible functionality
- Experimental flags
- 302 redirects to odd places
- Misconfigured 403s
- OPTIONS responses showing available methods
Example:
curl -X OPTIONS https://api.target.com/v2/users
If you get:
Allow: GET, POST, PUT, DELETE
Jackpot.
Step 4: JavaScript Recon (your cheat code)
Download JS files:
cat live.txt | xargs -I % bash -c 'wget -q -O - % | grep -oP "(?<=src=\").*?\.js"'
Then extract endpoints:
grep -RaoE "https?://[a-zA-Z0-9./?=_-]*" js/ | sort -u
Look for:
- Deprecated APIs
- New APIs not yet in UI
- Admin routes
- Parameter formats
- Internal feature flags
Example Jackpot:
A JS file referencing:
/internal/v3/exportData
but the interface has no button for "export data".
95% chance there’s a bug.
Step 5: Find orphan/forgotten applications
Run content discovery on subdomains that look OLD:
ffuf -w wordlists/directory.txt -u https://target.com/FUZZ -t 80 -mc 200,302,403
Look for:
- /old/
- /backup/
- /test/
- /archive/
- /v1/ when current is /v3/
These are the sweet spots for IDOR, SSRF, RCE, CSRF, and Auth bypass.
3. The 80/20 Recon Rule (very practical)
80% of your good bugs will come from:
✔ API misconfigurations
✔ Forgotten subdomains
✔ Old versions of endpoints
✔ Unlinked features
✔ Misconfigured access control
NOT from:
- Running 10 more tools
- Collecting 50k subdomains
- Repeating what everyone else does
Focus on the 20% that actually pays.
4. Practical Examples of High-Value Recon Wins
A. Found a “hidden” endpoint via JS
JS had:
/v1/exportCSV?user_id=123
UI had no “export” feature.
This led to:
- IDOR
- User data leak
- P1
B. Found admin panel on a forgotten subdomain
admin-panel.old.target.com
Tech: PHP 5.6
Never updated → A simple bypass worked.
→ Reported as High.
C. Found a mobile-only API through traffic analysis
Users on web → No access
Mobile → /v4/user/profile/image/upload
Upload endpoints = jackpot.
→ Found unrestricted file upload → SSRF.
5. The Practical Recon Checklist
Use this checklist every single target:
✔ Subdomains
✔ Live hosts
✔ Tech stack
✔ JS endpoints
✔ Hidden routes
✔ API version mismatches
✔ Old environments
✔ Admin panels
✔ Upload functionality
✔ Mobile endpoints
✔ GraphQL
✔ Error responses
✔ Redirect chains
✔ Third-party integrations
This checklist alone will double your bug wins.
🔥 Episode 2 Practical Summary
- Use recon to reverse-engineer the company’s architecture.
- Don’t collect everything — filter aggressively.
- JS files reveal hidden functionality.
- Old systems give the easiest bugs.
- Upload endpoints & APIs give the biggest rewards.
- Prioritize where logic meets exposure.