Yeah, I said it. And before you close this tab in rage, hear me out. I've been doing bug bounties for three years now, and I've watched countless talented hackers โ people way smarter than me โ completely waste hours (sometimes days) because they're making the same fundamental mistake during reconnaissance.
The "More Tools = Better Results" Trap ๐ชค
Here's what usually happens. A hacker finds a target, let's say target.com. They get excited. They immediately fire up their terminal and start running:
subfinder -d target.com -o subdomains.txt
amass enum -d target.com >> subdomains.txt
assetfinder --subs-only target.com >> subdomains.txt
findomain -t target.com -u findomain_results.txt
chaos -d target.com -o chaos_subs.txtThen they sort, dedupe, and run httpx:
cat *.txt | sort -u | httpx -threads 200 -o live_hosts.txtThey get back 3,400 live subdomains, run nuclei on everything:
nuclei -l live_hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txtAnd thenโฆ crickets. ๐ฆ
They've got data. Lots of it. But no bugs. No understanding. Just a massive list they don't know what to do with.
What Actually Happened to Me ๐
Last year, I was hunting on a fintech program. Big scope ๐ฐ, juicy payouts, lots of competition. I did my usual thing โ ran every recon tool in my arsenal:
# My old "shotgun" approach ๐ซ
subfinder -d fintech-target.com -all -o subs.txt
amass enum -passive -d fintech-target.com -o amass.txt
cat subs.txt amass.txt | sort -u | httpx -silent -threads 200 | tee live.txt
cat live.txt | nuclei -t cves/ -t exposures/ -o nuclei.txtI gathered massive amounts of data, ran automated scanners, and started poking around randomly.
After two weeks, I had found exactly zero bugs. Zilch. Nada. ๐ญ
Meanwhile, this other hacker found a critical IDOR vulnerability in the company's partner portal within three days. When I asked them how (we're in the same Discord), their answer floored me:
"I only looked at five subdomains. But I actually LOOKED at them. Ran them through Burp, mapped every endpoint, understood the logic." ๐ฏ
That hit different.
The Mistake: Breadth Over Depth ๐
Here's what 90% of hackers do wrong: they prioritize coverage over comprehension.
They want to scan EVERYTHING before understanding ANYTHING. The pipeline looks like this:
# The typical broken workflow โ
subdomains โ httpx โ nuclei โ maybe ffuf โ ???But there's no understanding. No analysis. Just automation followed by confusion. ๐ค
What Good Recon Actually Looks Like ๐
Let me break down what changed for me after that wake-up call. Here's my actual current methodology:
Step 1: Focused Subdomain Discovery ๐ฏ
Instead of running five tools, I use one or two max:
# I primarily use subfinder with specific sources
subfinder -d target.com -sources crtsh,alienvault -o subs_initial.txt
# Sometimes I'll add passive amass
amass enum -passive -d target.com -o amass_passive.txt
# Merge and dedupe โจ
cat subs_initial.txt amass_passive.txt | sort -u | tee all_subs.txtThis usually gives me 50โ200 subdomains. Manageable. Not overwhelming. ๐
Step 2: Intelligent Filtering ๐ง
I don't just httpx everything. I actually filter for interesting stuff:
# Check what's live and get tech stack info ๐ง
cat all_subs.txt | httpx -silent -tech-detect -status-code -title -o live_detailed.txt
# Look for interesting patterns ๐
cat live_detailed.txt | grep -iE "admin|staging|dev|test|api|internal|vpn|jenkins|gitlab" | tee interesting.txtNow I've got maybe 10โ20 targets that are actually worth investigating. ๐ฒ
Step 3: Deep Endpoint Discovery ๐ธ๏ธ
Here's where most people mess up. They find admin-panel.target.com and immediately try SQL injection. But they never mapped out what endpoints even exist. ๐คฆโโ๏ธ
I do this:
# Use gospider to crawl and find endpoints ๐ท๏ธ
gospider -s "https://admin-panel.target.com" -o gospider_output -c 10 -d 3
# Extract URLs and parameters
cat gospider_output/* | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u | tee endpoints.txt
# Find JavaScript files ๐
cat gospider_output/* | grep "\.js" | tee js_files.txt
# Run GAU (Get All URLs) for historical endpoints โฐ
echo "admin-panel.target.com" | gau --blacklist png,jpg,gif,css | tee gau_urls.txtNow I'm seeing the actual attack surface. Not just domains, but endpoints. ๐บ๏ธ
Step 4: JavaScript Analysis (This is GOLD โก)
Most hackers skip this. Huge mistake. ๐ซ JS files leak API endpoints, hardcoded secrets, logic flaws โ everything.
# Download all JS files ๐ฅ
cat js_files.txt | while read url; do wget -q "$url" -P js_files/; done
# Look for API endpoints in JS ๐
grep -r -E "api|endpoint|/v1/|/v2/" js_files/ | tee api_endpoints.txt
# Hunt for secrets ๐
grep -r -iE "api_key|apikey|secret|token|password|aws_access" js_files/ | tee secrets.txt
# Find interesting parameters ๐๏ธ
grep -r -E "\?[a-zA-Z_]+=|&[a-zA-Z_]+=" js_files/ | tee parameters.txtStep 5: Manual Exploration with Burp ๐ฅ
This is where the magic happens. I'll proxy everything through Burp Suite and actually USE the application:
# Set up Burp as system proxy (on Linux) ๐ง
export http_proxy=http://127.0.0.1:8080
export https_proxy=http://127.0.0.1:8080Then I justโฆ click around. Create accounts. Try features. Watch the HTTP history in Burp. ๐
I'm looking for:
- โ Hidden parameters in responses
- โ Undocumented API endpoints
- โ Inconsistent authentication checks
- โ Interesting headers or cookies
A Real Example with Commands ๐ฐ
Here's a concrete example. I was looking at a SaaS company's bug bounty program. Here's exactly what I did:
# Step 1: Basic recon ๐ฏ
subfinder -d saas-company.com -o subs.txt
cat subs.txt | httpx -silent -status-code -title | tee live.txt
# Found interesting subdomain: api-internal.saas-company.com
# Most people would move on. I didn't. ๐
# Step 2: Created account and proxied through Burp ๐
# Noticed API calls going to api-internal.saas-company.com/v2/
# Step 3: Discovered endpoints with ffuf ๐ฅ
ffuf -w ~/wordlists/api-endpoints.txt -u https://api-internal.saas-company.com/v2/FUZZ -mc 200,401,403
# Found: /v2/users, /v2/teams, /v2/admin/reports ๐
# Step 4: Tested /v2/admin/reports without auth
curl -X GET "https://api-internal.saas-company.com/v2/admin/reports" \
-H "Content-Type: application/json"
# Got back: 401 Unauthorized โ
# Step 5: Tried with my regular user token ๐ซ
curl -X GET "https://api-internal.saas-company.com/v2/admin/reports" \
-H "Authorization: Bearer eyJ0eXAiOiJKV1QiLC..." \
-H "Content-Type: application/json"
# BOOM: 200 OK with all users' PII data ๐ฃ
# Broken authorization = critical IDOR โ
Payout: $4,500 ๐ต for about three hours of focused work.
My Current Recon Script ๐ ๏ธ
I created a simple bash script that embodies this philosophy:
#!/bin/bash
# focused_recon.sh ๐ฏ
TARGET=$1
if [ -z "$TARGET" ]; then
echo "Usage: ./focused_recon.sh target.com"
exit 1
fi
echo "[+] Starting focused recon on $TARGET ๐"
# Subdomain discovery ๐
echo "[+] Finding subdomains..."
subfinder -d $TARGET -silent -o subs.txt
# Check live hosts with tech detection ๐ป
echo "[+] Checking live hosts..."
cat subs.txt | httpx -silent -tech-detect -status-code -title -o live.txt
# Filter interesting ones ๐ฏ
echo "[+] Filtering interesting targets..."
cat live.txt | grep -iE "admin|staging|dev|test|api|internal" | tee interesting.txt
# Crawl each interesting target ๐ท๏ธ
echo "[+] Crawling interesting targets..."
while read url; do
echo "[+] Crawling $url"
gospider -s "$url" -o crawl_output -c 10 -d 2 -t 10
done < interesting.txt
# Extract JS files ๐
echo "[+] Extracting JS files..."
grep -r "\.js" crawl_output/ | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*\.js" | sort -u | tee js_urls.txt
# Download and analyze JS ๐
echo "[+] Analyzing JavaScript files..."
mkdir -p js_files
cat js_urls.txt | while read js_url; do
wget -q "$js_url" -P js_files/
done
echo "[+] Looking for secrets in JS... ๐"
grep -r -iE "api_key|apikey|secret|token|password" js_files/ | tee secrets_found.txt
echo "[+] Looking for API endpoints... ๐บ๏ธ"
grep -r -E "api/|/v1/|/v2/|endpoint" js_files/ | tee api_endpoints.txt
echo "[+] Recon complete! โ
Check the outputs:"
echo " - interesting.txt (focus here first! ๐ฏ)"
echo " - secrets_found.txt ๐"
echo " - api_endpoints.txt ๐บ๏ธ"Usage:
chmod +x focused_recon.sh
./focused_recon.sh target.comThis gives me a focused list to actually investigate, not a firehose of data. ๐ช
Advanced Techniques I Use ๐ฅ
1. Parameter Discovery with Arjun ๐ฏ
When I find an interesting endpoint, I use Arjun to discover hidden parameters:
arjun -u https://api.target.com/v1/users/profile -m GET -o arjun_params.txtThis has found so many hidden params that led to bugs. ๐
2. Fuzzing with ffuf ๐ฅ
For API enumeration:
# Fuzz API versions ๐ข
ffuf -w <(seq 1 10) -u https://api.target.com/vFUZZ/users -mc 200,401,403
# Fuzz endpoints ๐ฒ
ffuf -w ~/wordlists/api_endpoints.txt -u https://api.target.com/v2/FUZZ -mc all -fc 404
# Fuzz parameters ๐๏ธ
ffuf -w ~/wordlists/parameters.txt -u "https://target.com/api/user?FUZZ=test" -mc all -fr "error|invalid"3. Wayback Machine for Historical Endpoints โฐ
# Get all historical URLs ๐
echo "target.com" | waybackurls | tee wayback.txt
# Filter for interesting patterns ๐
cat wayback.txt | grep -E "\.json|\.xml|\.conf|\.sql|\.bak|admin|api" | tee wayback_interesting.txt
# Test if they still work โ
cat wayback_interesting.txt | httpx -silent -status-code -mc 2004. GitHub Dorking for Exposed Secrets ๐
# Use github-search tool ๐
github-search -d target.com -t $GITHUB_TOKEN -o github_results.txt
# Or manual dorks
# Search: "target.com" api_key ๐
# Search: "target.com" password ๐
# Search: "target.com" filename:.env ๐The Mental Shift You Need ๐ง
Stop thinking: "How many subdomains can I find?" โ
Start thinking: "How well do I understand this ONE subdomain?" โ
Your terminal commands should reflect understanding, not just data collection:
Bad approach: ๐ต
huge_tool_output.txt โ ???Good approach: ๐
focused_discovery.txt โ manual_analysis โ testing โ profit ๐ฐWhat I Do Now (My Actual Process) โ
When I start on a new target, here's my exact process:
1. Run focused subdomain discovery (5โ10 minutes) โฑ๏ธ
subfinder -d target.com -o subs.txt
cat subs.txt | httpx -silent -tech-detect | grep -iE "admin|api|dev" | tee interesting.txt2. Pick the most interesting subdomain ๐ฏ
(based on keywords, tech stack, status codes)
3. Deep dive for 1โ2 hours: ๐โโ๏ธ
# Crawl it thoroughly ๐ธ๏ธ
gospider -s "https://interesting-sub.target.com" -d 3 -c 10 -o crawl/
# Extract and analyze JS ๐
# Download JS files ๐ฅ
# grep for secrets and endpoints ๐
# Try the application manually ๐
# Watch Burp HTTP history ๐
# Map functionality ๐บ๏ธ4. Document everything ๐
# I literally use a simple text file
vim notes_target.txt
# Format:
# - Subdomain: api.target.com ๐
# - Tech: Node.js, Express ๐ป
# - Interesting endpoints: /v2/admin/*, /internal/* ๐
# - Weird behavior: accepts any user ID in /users/{id} ๐
# - Next: Test IDOR on /users/{id} endpoint โ
5. Test methodically โ๏ธ
Based on what I learned
Try This Challenge ๐ฎ
Next time you start recon on a target, try this:
# Set a 2-hour timer โฐ
# Pick ONE subdomain from your initial discovery ๐ฏ
# Run this mini-workflow:
TARGET="your-chosen-subdomain.com"
# 1. Crawl (15 min) ๐ท๏ธ
gospider -s "https://$TARGET" -d 3 -c 10 -o crawl_$TARGET/
# 2. Analyze JS (30 min) ๐
# Extract, download, grep for secrets/endpoints
# 3. Map in Burp (45 min) ๐บ๏ธ
# Use the app, watch traffic
# 4. Test findings (30 min) โ๏ธ
# Based on what you learnedI bet you'll find something interesting. And more importantly, you'll start to see why depth matters more than breadth. ๐ก
My Toolset (The Essentials) ๐งฐ
You don't need every tool. Here's what I actually use:
Subdomain Discovery: ๐
subfinder- Fast and reliable โกamass(passive mode only) - Good for historical data ๐
HTTP Probing: ๐ป
httpx- Fast, gives tech stack info ๐ง
Crawling: ๐ท๏ธ
gospider- Great for JS-heavy apps ๐gau- Historical URLs from Wayback โฐ
Fuzzing: ๐ฅ
ffuf- API/endpoint/param discovery ๐ฏ
JS Analysis: ๐
grep- Seriously, just grep ๐- Sometimes
linkfinderfor complex JS ๐
Manual: ๐จโ๐ป
- Burp Suite Pro โ Non-negotiable ๐ฅ
- Browser DevTools โ Underrated ๐
That's it. Five categories. Maybe 8 tools total. Quality over quantity. โจ
The Takeaway ๐ฏ
If you're running 10 different recon tools and collecting thousands of subdomains but not finding bugs, you're probably making this mistake. ๐ซ
The solution isn't more tools. It's not better wordlists. It's not even more automation. ๐ค
It's slowing down and actually understanding what you're looking at. ๐ง
Run fewer commands. But understand every line of their output. ๐
# Instead of this: โ
tool1 && tool2 && tool3 && tool4 && ... && ???
# Do this: โ
tool1 | understand | analyze | test | profit ๐ฐQuality over quantity isn't just a clichรฉ. It's literally the difference between wasting time and getting paid. ๐ต
Final Thoughts ๐ญ
What's your recon process like? Do you have any commands or techniques I should try? Drop your thoughts in the comments โ I'm always down to learn from other hackers' approaches. ๐
Happy hunting, and remember: sometimes the best tool in your arsenal is justโฆ less instead of running more. โก๐
My Essential Tools GitHub Repos: ๐
๐ subfinder: github.com/projectdiscovery/subfinder
๐ httpx: github.com/projectdiscovery/httpx
๐ gospider: github.com/jaeles-project/gospider
๐ ffuf: github.com/ffuf/ffuf
๐ gau: github.com/lc/gau
๐ arjun: github.com/s0md3v/Arjun
Found this helpful? Give it a clap! ๐ Follow me for more bug bounty tips and tricks! ๐