recon-methodology
Bug bounty and pentest reconnaissance methodology
| Field | Value |
|---|---|
| name | recon-methodology |
| description | Bug bounty and pentest reconnaissance methodology |
| tags | ["recon","enumeration","osint","subdomain"] |
| version | 1.0 |
```bash
# Certificate Transparency
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u
# SecurityTrails
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains" \
  -H "APIKEY: $API_KEY"
# Subfinder (passive)
subfinder -d target.com -silent
# Amass (passive)
amass enum -passive -d target.com
# Combined approach
subfinder -d target.com -silent | anew subs.txt
amass enum -passive -d target.com | anew subs.txt
```
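The jq filter on the crt.sh output prints every `name_value` verbatim, which leaves wildcard entries, mixed case, and SANs that a matching certificate lists for unrelated domains in the "subdomain" list. The following is an added example, not part of the original skill, that normalizes that output into a scoped asset inventory the way an external attack-surface review would consume it; the JSON sample is constructed and `target.com` follows the page's placeholder.

```python
import json

# Constructed sample of crt.sh JSON output (not a real query result).
# One entry carries several SANs separated by newlines, one is a wildcard,
# one has mixed case and a trailing dot, and one certificate also lists a
# name outside the target's scope.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\napi.target.com"},
    {"name_value": "*.target.com"},
    {"name_value": "Staging.Target.com."},
    {"name_value": "api.target.com"},
    {"name_value": "target.com\nshared-cdn.example"},
    {"name_value": "nottarget.com"},
])


def normalize_name(name):
    """Lowercase, strip the trailing dot and any wildcard prefix."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name, apex):
    """True only for the apex itself or a real subdomain of it
    (so 'nottarget.com' is rejected while 'www.target.com' passes)."""
    return name == apex or name.endswith("." + apex)


def crtsh_names(raw_json, apex):
    """Sorted, de-duplicated, in-scope hostnames from crt.sh JSON.

    Equivalent to `jq -r '.[].name_value' | sort -u`, but also splits
    multi-name entries, normalizes wildcards/case/trailing dots, and drops
    out-of-scope names that a matching certificate happens to carry.
    """
    names = set()
    for entry in json.loads(raw_json):
        for candidate in entry.get("name_value", "").split("\n"):
            host = normalize_name(candidate)
            if host and in_scope(host, apex):
                names.add(host)
    return sorted(names)


if __name__ == "__main__":
    # Drop-in for the jq stage: curl -s "https://crt.sh/?q=%25.target.com&output=json" | python3 ct_names.py target.com
    import sys
    print("\n".join(crtsh_names(sys.stdin.read(), sys.argv[1])))
```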
```bash
# Wayback Machine URLs
echo "target.com" | waybackurls | tee wayback.txt
# GAU (GetAllURLs)
echo "target.com" | gau --threads 5 | tee gau.txt
# Combined historical
cat wayback.txt gau.txt | sort -u | tee historical_urls.txt
# Find parameters
cat historical_urls.txt | grep "=" | qsreplace "FUZZ" | sort -u
```
```bash
# Wappalyzer CLI
wappalyzer https://target.com
# WhatWeb
whatweb -a 3 https://target.com
# BuiltWith API
curl "https://api.builtwith.com/v19/api.json?KEY=$KEY&LOOKUP=target.com"
```
```bash
# DNS records (many resolvers answer ANY with a minimal response per RFC 8482,
# so query the record types individually as well)
dig target.com ANY +noall +answer
dig target.com MX +short
dig target.com TXT +short
dig target.com NS +short
# Zone transfer attempt
dig axfr @ns1.target.com target.com
# DNSRecon
dnsrecon -d target.com -t std
```
```bash
# Subdomain brute force
puredns bruteforce wordlist.txt target.com -r resolvers.txt
```
```bash
# Resolve discovered subdomains
cat subs.txt | dnsx -silent -a -resp | tee resolved.txt
# Filter live hosts
cat resolved.txt | httpx -silent -title -status-code -tech-detect | tee live_hosts.txt
# Screenshot (first field only: httpx appends title/status/tech after the URL)
cat live_hosts.txt | cut -d' ' -f1 | gowitness file -f - --threads 10
```
```bash
# Fast scan (top 100)
nmap -F -sV target.com
# Full TCP scan
nmap -p- -T4 --min-rate 1000 target.com
# UDP scan (top 20)
nmap -sU --top-ports 20 target.com
# Service version detection
nmap -sV -sC -p 80,443,8080 target.com
# Masscan (fast) - takes IP addresses or CIDR ranges, not hostnames, so resolve first
masscan -p1-65535 --rate 10000 -oJ scan.json $(dig +short target.com)
```
```bash
# Feroxbuster
feroxbuster -u https://target.com -w /path/to/wordlist.txt -x php,asp,html
# FFUF
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
# Dirsearch
dirsearch -u https://target.com -e php,asp,html -t 50
# Gobuster
gobuster dir -u https://target.com -w wordlist.txt -x php,html -t 50
```
```bash
# Arjun
arjun -u https://target.com/page
# ParamSpider
python3 paramspider.py -d target.com
# FFUF parameter fuzzing
ffuf -u "https://target.com/page?FUZZ=value" -w params.txt -mc 200
```
```bash
# Extract JS files (strip the title/status/tech columns httpx wrote to live_hosts.txt)
cat live_hosts.txt | cut -d' ' -f1 | getJS --complete | tee js_files.txt
# Find endpoints in JS
cat js_files.txt | xargs -I{} sh -c 'curl -s {} | linkfinder -i -'
# Find secrets in JS
cat js_files.txt | xargs -I{} sh -c 'curl -s {} | secretfinder -i -'
# Nuclei JS analysis
nuclei -l js_files.txt -t exposures/
```
```bash
# Nuclei (comprehensive) - nuclei expects one URL per line, so drop the extra httpx columns
cut -d' ' -f1 live_hosts.txt | nuclei -t nuclei-templates/ -o nuclei_results.txt
# Nikto
nikto -h https://target.com -output nikto.txt
# WPScan (WordPress)
wpscan --url https://target.com --enumerate u,p,t
```
1. Authentication
   - Login forms
   - Password reset
   - Registration
   - Session management
2. Authorization
   - IDOR on IDs
   - Horizontal privilege escalation
   - Vertical privilege escalation
3. Input Validation
   - All parameters (GET, POST)
   - Headers (Host, Referer, User-Agent)
   - Cookies
   - File uploads
4. Business Logic
   - Price manipulation
   - Quantity tampering
   - Skip steps
   - Race conditions
```text
Target Domain
│
├── Passive Subdomain Enumeration
│   ├── crt.sh, SecurityTrails
│   ├── Subfinder, Amass (passive)
│   └── Historical data (wayback, gau)
│
├── DNS Enumeration
│   ├── Record types (A, MX, TXT, NS)
│   └── Zone transfer attempt
│
├── Active Subdomain Enumeration
│   └── Brute force (puredns)
│
├── Resolution & Probing
│   ├── dnsx (resolve)
│   └── httpx (probe)
│
├── Port Scanning
│   └── nmap / masscan
│
├── Content Discovery
│   ├── Directory fuzzing
│   ├── Parameter discovery
│   └── JavaScript analysis
│
└── Vulnerability Scanning
    ├── Nuclei
    └── Manual testing
```
| Purpose | Recommended Wordlist |
|---|---|
| Subdomains | SecLists/Discovery/DNS/subdomains-top1million-5000.txt |
| Directories | SecLists/Discovery/Web-Content/raft-medium-directories.txt |
| Files | SecLists/Discovery/Web-Content/raft-medium-files.txt |
| Parameters | SecLists/Discovery/Web-Content/burp-parameter-names.txt |
| Passwords | SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt |