Recon is the single highest-leverage activity in bug bounty hunting — but most beginners do it wrong. They run every tool, collect 200,000 subdomains, and then stare at the wall. This is the recon pipeline used by hunters who consistently hit the leaderboard.
The Mental Model
Recon has three stages and you should never skip ahead:
- Asset discovery — what exists?
- Surface analysis — what does it do?
- Bug discovery — where does it break?
Most beginners go straight from step 1 to step 3 with nuclei -t cves/. The 6-figure hunters spend most of their time in step 2.
Stage 1: Asset Discovery
Subdomain Enumeration
# Passive — pull from public CT logs, search engines, scrape DBs
subfinder -d target.com -all -silent > passive.txt
amass enum -passive -d target.com -o amass.txt
assetfinder --subs-only target.com >> passive.txt
# Active — DNS brute force against your list of resolvers
puredns bruteforce wordlist.txt target.com -r resolvers.txt -w bruted.txt
# Permutation — alterations of known names (api-dev, api-staging)
gotator -sub passive.txt -perm permutations.txt -depth 1 -numbers 5 | puredns resolve -r resolvers.txt
Deduplicate and dedupe: sort -u all_subs.txt > final.txt.
Resolution & Probing
# Resolve to IPs
dnsx -l final.txt -a -resp -o resolved.txt
# Probe HTTP(S)
httpx -l final.txt -tech-detect -title -status-code -threads 200 -o probed.txt
Port Surface
For each in-scope IP/ASN:
naabu -iL ips.txt -top-ports 1000 -o ports.txt
nmap -sV -p- --min-rate 5000 -iL hot_ips.txt -oA full_tcp
Stage 2: Surface Analysis
This is where the money is. For every “interesting” subdomain (admin panels, API docs, login portals):
Content Discovery
# Common content
ffuf -u https://target/FUZZ -w wordlist.txt -mc 200,204,301,302,401,403 \
-ac -o content.json -of json
# Backup/sensitive extensions
ffuf -u https://target/FUZZ -w wordlist.txt -e .bak,.old,.zip,.tar.gz,.swp,.txt
Wordlists that matter: SecLists Discovery/Web-Content/, assetnote wordlists, and Jhaddix’s all.txt for subdomains.
JavaScript Mining
Modern apps leak API endpoints, secrets, and feature flags in JS bundles.
# Pull every JS reference
katana -u https://target -d 5 -jc -kf all -o crawl.txt
# Extract endpoints from JS
cat crawl.txt | grep -E '\.js(\?|$)' | uniq > js_files.txt
xargs -I{} curl -s "{}" < js_files.txt | grep -Eo '"/[a-zA-Z0-9_/-]{4,}"' | sort -u
# Find secrets
trufflehog filesystem ./downloaded_js/
Parameter Mining
# Hidden GET parameters
arjun -u https://target/api/users -t 50
# From request body
arjun -u https://target/api/users -m POST -d '{}' -t 50
History
Wayback and CommonCrawl URLs:
gau target.com | sort -u > history.txt
waybackurls target.com | sort -u >> history.txt
History reveals:
- Deprecated endpoints still serving
- Parameters no longer in current code
- Files that should have been deleted
Stage 3: Bug Discovery
Now and only now do you run targeted scanners.
# Nuclei with curated templates
nuclei -l probed.txt -t ~/nuclei-templates/ -severity medium,high,critical -rate-limit 50
# Custom templates for the program's tech stack
nuclei -l probed.txt -t custom-templates/jira/ -t custom-templates/aws/
Nuclei is a force multiplier for known issues — it will never find a logic flaw, an IDOR, or a privilege escalation. Those come from manual testing of the surfaces you discovered in Stage 2.
Prioritization
You will end Stage 2 with hundreds of candidate URLs. Prioritize by:
- Authentication mismatches — endpoints with both authenticated and unauthenticated handlers
- Admin/internal endpoints leaked to public domains
- API endpoints with object IDs (IDOR / BOLA candidates)
- File upload / download functionality
- Endpoints that accept URLs (SSRF / open redirect)
Common Mistakes
- Recon-only loops — collecting subdomains forever, never reading one
- No notes — re-doing the same recon every session
- Ignoring scope —
*.target.comdoesn’t always include*.target-foo.com - Running scanners without throttling — getting banned and losing access to the program