> For the complete documentation index, see [llms.txt](https://d4rk1337.gitbook.io/the-pentesters-cheat-sheet/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://d4rk1337.gitbook.io/the-pentesters-cheat-sheet/reconnaissance/01-reconnaissance.md).

# Recon

## Related

[Bug bounty/Tools](/the-pentesters-cheat-sheet/bug-bounty/02-tools.md)

## Subdomain discovery

### SSL/TLS Certificates

Find subdomains via ssl-certificates.\
E.g. using [crt.sh](https://crt.sh)

### Google

Exclude default `www` subdomain and look for any other subdomains.

```
-site:www.domain.com site:*.domain.com
```

### dnsrecon

```bash
dnsrecon -t brt -d <domain>
```

### Sublist3r

> Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT.\
> [Sublist3r](https://github.com/aboul3la/Sublist3r)

```bash
/sublist3r.py -d <domain>
```

### Non-public DNS

E.g. private DNS server or specified locally in `/etc/hosts`

### fuff

See also [Webserver scanning](/the-pentesters-cheat-sheet/enumeration/03-webserver-scanning.md)

```bash
ffuf -w <wordlist-file> -H "Host: FUZZ.domain.com" -u http://<ip>
```
