Recon Checklist
Single Web Application
Technology Fingerprinting - Identify the web server, development language, framework and CMS (Wappalyzer or WhatWeb can be used).
Check for robots.txt, .git and other common files. (Nikto can be used)
Spider/Crawl the application.
Directory brute force with extensions matched to the dev language:
PHP - .php, .txt, .bak, .zip, .html, .xml, .js, .env
ASPX - .aspx, .ashx, .txt, .bak, .zip, .html, .xml, .js, .env
Google Dorking (fastdork can be used)
Identify pages and directories
Identify files (.txt, .zip, .env, .xlsx, etc)
JavaScript (Based on https://gist.github.com/m4ll0k/31ce0505270e0a022410a50c8b6311ff)
Collect all .js URLs in the application using getSrc, gau and Burp Suite's 'Find Scripts' (gau alternatives: waymore, waybackurls).
Identify paths, links using linkfinder.
Use collector.py to segregate linkfinder output into files, js, params, paths and URLs.
Identify hardcoded secrets (API keys, access tokens, authorization headers) using secretfinder.
Use gf patterns to flag potential injection points (XSS, SQLi, LFI, etc.).
Use httpx to check which of the collected URLs are still live.
Identify hidden parameters and headers (Param Miner Burp extension).
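The JS steps above chain four tools; as an added example (not code from the original checklist or from the m4ll0k gist), the script below imitates them offline: it pulls script URLs out of HTML (what 'Find Scripts'/getSrc do), extracts endpoint-looking strings from JS (linkfinder), buckets them the way collector.py does (files, params, paths, urls) and flags hardcoded secrets (secretfinder). The regexes are simplified, and the sample HTML, sample JS and all hostnames are constructed for illustration.

```python
"""Added example, not from the original checklist or the linked gist:
an offline imitation of the JS recon steps (script collection, endpoint
extraction, collector.py-style bucketing, secret detection).
Regexes are simplified; sample data is constructed."""
import re
from urllib.parse import parse_qs, urljoin, urlparse

SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src\s*=\s*["']([^"']+)["']""", re.I)

# Quoted strings that look like URLs, relative paths or files (simplified linkfinder idea).
ENDPOINT_RE = re.compile(
    r"""["'`](
        (?:https?:)?//[^"'`\s]+                     # absolute or protocol-relative URL
      | /[A-Za-z0-9_./?=&%-]+                        # path starting with /
      | [A-Za-z0-9_./-]+\.(?:js|json|php|aspx|ashx|xml|txt|zip|env|bak)(?:\?[^"'`\s]*)?
    )["'`]""",
    re.VERBOSE,
)

# Well-known key formats plus a generic name = 'value' catch-all.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password|authorization)["'\]]*\s*[:=]\s*["'][^"']{8,}["']"""
    ),
}


def script_urls(html, base_url):
    """Return absolute URLs of all <script src=...> tags in the page."""
    return sorted({urljoin(base_url, src) for src in SCRIPT_SRC_RE.findall(html)})


def extract_endpoints(js):
    """Return the unique endpoint-like strings found in a JS body."""
    return sorted({m.group(1) for m in ENDPOINT_RE.finditer(js)})


def classify(endpoints):
    """Bucket endpoints the way collector.py splits linkfinder output."""
    out = {"urls": set(), "paths": set(), "files": set(), "params": set()}
    for ep in endpoints:
        parsed = urlparse("https:" + ep if ep.startswith("//") else ep)
        if ep.startswith(("http://", "https://", "//")):
            out["urls"].add(ep)
        if parsed.query:
            out["params"].update(parse_qs(parsed.query, keep_blank_values=True))
        last_segment = parsed.path.rsplit("/", 1)[-1]
        if "." in last_segment:
            out["files"].add(parsed.path)
        elif parsed.path:
            out["paths"].add(parsed.path)
    return {k: sorted(v) for k, v in out.items()}


def find_secrets(js):
    """Return {pattern_name: [matches]} for every secret pattern that hits."""
    hits = {name: rx.findall(js) for name, rx in SECRET_PATTERNS.items()}
    return {name: sorted(set(found)) for name, found in hits.items() if found}


# Constructed sample page and script (not real targets; the AWS key is the
# documented example key, the JWT is a placeholder).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib/vendor.min.js"></script>
</head><body></body></html>"""

SAMPLE_JS = r"""
var API = "https://api.example.com/v2/";
fetch("/api/v1/users?id=1&role=admin").then(r => r.json());
$.get('/admin/export.php?format=csv');
const cfg = "config.json";
var awsKey = "AKIAIOSFODNN7EXAMPLE";
headers["Authorization"] = "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig_placeholder";
"""

if __name__ == "__main__":
    for url in script_urls(SAMPLE_HTML, "https://www.example.com/login"):
        print("script:", url)
    for bucket, items in classify(extract_endpoints(SAMPLE_JS)).items():
        print(bucket, items)
    print("secrets:", find_secrets(SAMPLE_JS))
```

The bucketed output is what you would then feed to gf patterns (params) and httpx (urls/paths); the generic secret pattern is noisy by design, so review its hits by hand.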
Cloud-based WAF bypass - find the origin web server and access it directly:
Search Shodan using the certificate CN (ssl.cert.subject.cn filter).
Check historic hosting IPs using SecurityTrails.
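Triage for the origin-IP step above, as an added example that is not part of the original checklist: candidates gathered from Shodan and SecurityTrails are filtered against the WAF provider's published address ranges (an IP owned by the WAF can never be the origin), and any survivor is then requested directly with the real hostname in SNI and the Host header. The WAF ranges, the candidate list and the page marker are constructed; fetch the real provider ranges before use.

```python
"""Added example, not from the original checklist: origin-IP candidate
triage and direct-to-origin request for the cloud WAF bypass step.
WAF_RANGES and CANDIDATES are constructed sample data (assumption)."""
import ipaddress
import socket
import ssl

# Constructed stand-in for a WAF/CDN provider's published ranges (not real data).
WAF_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed candidates as they might come from Shodan and historic DNS.
CANDIDATES = ["203.0.113.45", "198.51.100.23", "192.0.2.77", "2001:db8:1::5", "198.51.100.23"]


def shodan_cn_query(domain):
    """Shodan filter matching hosts that present a certificate for the domain."""
    return f'ssl.cert.subject.cn:"{domain}"'


def behind_waf(ip):
    """True when the address falls inside any WAF-owned range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WAF_RANGES)


def origin_candidates(ips):
    """Drop WAF-owned addresses, deduplicate, and sort IPv4 before IPv6."""
    keep = {ip for ip in ips if not behind_waf(ip)}
    return sorted(keep, key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))))


def fetch_direct(ip, host, path="/", timeout=5):
    """Connect straight to `ip` while presenting `host` in SNI and the Host header,
    so the origin serves the target vhost rather than its default site.
    Network call; only invoked when run interactively."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # the certificate is for `host`, not the bare IP
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def looks_like_origin(response, marker):
    """Crude confirmation: the direct response contains a string unique to the real site."""
    return marker.encode() in response


if __name__ == "__main__":
    print("shodan:", shodan_cn_query("example.com"))
    print("origin candidates:", origin_candidates(CANDIDATES))
    # For a live check: fetch_direct("192.0.2.77", "www.example.com") and compare the
    # body against the WAF-fronted response with looks_like_origin().
```

A candidate that answers with the site's content is only useful if the origin also accepts traffic from outside the WAF's ranges; a well-configured origin allowlists the WAF and refuses everything else, which is exactly the finding to report.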
Enumerate for public buckets related to web app. ( http://buckets.grayhatwarfare.com/ or other tools in https://github.com/mxm0z/awesome-sec-s3 )
Port Scanning
Wider Scope (In addition to the above items):
Subdomain Enumeration
Active and passive enumeration - subfinder, amass (configure all available API keys).
Generate permutations - altdns
Brute force - shuffledns.
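An altdns-style permutation generator with a shuffledns-style resolution filter, as an added example that is not part of the original checklist or of either tool: it expands each known subdomain with prefix, suffix, hyphenated and inserted-label variants, detects wildcard DNS so wildcard answers are not mistaken for hits, and keeps only names that resolve. The resolver is injected so the sample runs offline against a constructed DNS table; pass system_resolve (or hand the candidate list to shuffledns/massdns) for live use. The seed names, word list and FAKE_DNS are constructed.

```python
"""Added example, not from the original checklist: altdns-like permutations
plus a shuffledns-like resolve filter with wildcard detection.
The word list, seeds and FAKE_DNS table are constructed sample data."""
import socket

DEFAULT_WORDS = ("dev", "staging", "api", "admin", "internal", "test")


def permutations(subdomains, words=DEFAULT_WORDS):
    """Candidate names derived from known subdomains (altdns-style)."""
    out = set()
    for fqdn in subdomains:
        labels = fqdn.split(".")
        host, apex = labels[0], ".".join(labels[1:])   # leftmost label vs the rest
        for w in words:
            out.add(f"{w}.{fqdn}")            # dev.api.example.com
            out.add(f"{w}-{host}.{apex}")     # dev-api.example.com
            out.add(f"{host}-{w}.{apex}")     # api-dev.example.com
            out.add(f"{host}.{w}.{apex}")     # api.dev.example.com
            out.add(f"{w}{host}.{apex}")      # devapi.example.com
    return sorted(out - set(subdomains))


def system_resolve(name):
    """Real lookup via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(apex, resolve=system_resolve,
                    probes=("zz-wildcard-check-1", "zz-wildcard-check-2")):
    """Resolve labels that should not exist; any answer means a wildcard record,
    and those addresses are noise for every other candidate."""
    return {ip for ip in (resolve(f"{p}.{apex}") for p in probes) if ip}


def resolve_all(candidates, resolve=system_resolve, wildcard_ips=frozenset()):
    """Keep only names that resolve to a non-wildcard address (shuffledns-style)."""
    alive = {}
    for name in candidates:
        ip = resolve(name)
        if ip and ip not in wildcard_ips:
            alive[name] = ip
    return alive


# Constructed DNS table standing in for a real resolver (assumption, not real data).
FAKE_DNS = {
    "api.example.com": "192.0.2.10",
    "dev-api.example.com": "192.0.2.11",
    "staging.www.example.com": "198.51.100.5",
    "zz-wildcard-check-1.example.com": "203.0.113.9",   # wildcard answers
    "zz-wildcard-check-2.example.com": "203.0.113.9",
    "admin-www.example.com": "203.0.113.9",             # wildcard, must be filtered out
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


def run_offline(seeds=("api.example.com", "www.example.com")):
    """Whole pipeline against the constructed table; returns the live names."""
    wildcard = detect_wildcard("example.com", fake_resolve)
    return resolve_all(permutations(seeds), fake_resolve, wildcard)


if __name__ == "__main__":
    for name, ip in run_offline().items():
        print(name, ip)
```

Run the same pipeline with resolve=system_resolve for a real zone, and always run detect_wildcard first: a wildcard zone makes every permutation "resolve" and turns the brute-force step into pure noise.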
Google Dorking.
Identify IP addresses and domain names - Shodan, Censys.
Identify virtual hosts - SecurityTrails reverse lookup, Bing (msn.com) 'ip:' dork.
Identify IP ranges via the netblock owner (whois/ASN lookup).
Identify live web servers (subdomains and IPs) - httpx.
Subdomain takeover – subzy, can-i-take-over-xyz, nuclei: detect-all-takeovers.
GitHub Reconnaissance - https://vsec7.github.io/