Domain discovery techniques and Recon-ng automation [part 1]
Hello Readers ! Recon is extremely important in pentest jobs. As an example, using recon and public information you can find open TCP ports of your targets without never scanning it... Today we want to share with you all the techniques we use while mapping subdomains of a domain name.🌵 What we want to achieve : 1. Discover as much DNS entries for a domain [example.com] as possible and their associated IPs using various techniques; 2. Manage how we expand the scope not to fall out of scope totally, we need to have a reasonable ground to integrate new targets; 3. If possible, discover domain vulnerabilities while reckoning; 4. Try to make everything automatic ... Let's start our tentative to list all techniques. 1. Subdomains discovery techniques Several tools exist per technique so we wont show all existing tools but only the ones we deem useful or important. As it might be useful to store and organize results, ✅ we will try to present all techniques
