Introduction
Recon is where the real work begins. If you want to find meaningful bugs or do well on bounty programs, a tidy recon routine wins every time.
Think of this as me sitting next to you, showing the exact checklist I follow. Short, direct, practical. No theory-heavy lectures. Just what matters.
This Part builds the foundation. If your scope, notes and lab are messy, your findings will be noisy. Get these basics right and everything else becomes faster and more accurate.
Why we start with a foundation
- Good recon is repeatable.
- One leaked certificate or a misplaced config file often beats a day of noisy scanning.
- If you do not capture and enrich findings immediately, you will lose them.
- Foundation makes recon fast, defensible and shareable.
“A clean desk is not the goal. A clean process is.”
What this Part covers
- Why you need a foundation.
- How to write scope and rules of engagement.
- A copy-paste findings template you can use right away.
- Quick safe lab options and Docker commands.
- Starter automation: merge, dedupe and resolve.
- A small 20-minute lab exercise to build habit.
Tools you’ll actually use (minimal starter kit)
- Notes: Obsidian, Notion, or plain Markdown.
- Tracker: Google Sheet, CSV, or GitHub Issues.
- Lab apps: OWASP Juice Shop, WebGoat, DVWA.
- Containers: Docker, Docker Compose.
- Collectors: amass, subfinder, crt.sh, gau, waybackurls.
- Screenshots: Aquatone or Eyewitness.
- Automation: Small bash or Python scripts for merge/dedupe.
Keep the list small. Add tools you will use daily. Too many tools become shelfware.
Reference: Top Bug Bounty Tools Every Ethical Hacker Should Know (you will find here all tools)
Scope and Rules of Engagement – write this down first
Always write this before you touch the target.
Required fields to record:
- Target domain(s)
- Allowed subdomains and IP ranges
- Allowed ports and services for active scans
- Allowed tests – e.g., passive only, light scan, full tests
- Reporting contact and disclosure window
- Time windows and rate limits
- Proof of permission – screenshot of program scope, email, or bounty rules
If you cannot record proof of permission, do not run intrusive scans.
Findings template – copy-paste this
Use this exact markdown template for every issue (if you don’t have your own report template). Keep it short, repeatable and machine-friendly.
Title
[Short, descriptive title — e.g. Active web session remains valid after account deactivation]
Target
[example.com — Web App / API]
Reported by
[Your name / handle]
Date
[YYYY-MM-DD]
Severity
[Low / Medium / High / Critical]
Summary (1-2 lines)
A single sentence explaining what is wrong and why it matters.
Example: After deactivating an account via the mobile app, existing web sessions are not invalidated and remain usable.
Impact (short bullets)
• Unauthorized access while user believes account is deactivated.
• Privacy risk and potential account takeover.
• Immediate user trust and compliance concern.
Steps to reproduce (exact, minimal)
1. Log in to the same account on mobile app and web browser.
2. On mobile, go to Account → Deactivate and confirm.
3. On the web session, refresh the page or call an authenticated endpoint.
4. Observed: Response is 200 (or page loads) and user actions remain possible.
(Attach request/response or exact HTTP sample if available.)
Proof of concept / Evidence
• Screenshot: session_after_deactivate.png
• HTTP request/response: repro_request.txt
• Video (optional): [paste link]
Root cause (one line if known)
Server does not revoke or validate previously issued session tokens when account status changes.
Suggested Fix / mitigations
• Force logout for all sessions from account settings.
• Shorten token expiry until revocation implemented.
Conclusion
Failure to expire sessions after account deactivation allows continued access, which is a high-severity session management issue.
Attachments
repro_request.txt, session_after_deactivate.png, [video_link]
Note
This report is for authorised testing only. Please do not test without permission.
Save each finding inside the target folder. Name files with timestamp and a short slug.
Where to store notes and tracker
- Create a folder per target.
- Use a master CSV or sheet with these columns: hostname, type, status, priority, owner, first_seen, last_seen.
- Use the tracker to drive your daily triage.
Quick commands
mkdir -p recon/example.com
cd recon/example.com
echo "hostname,type,status,priority,first_seen,last_seen" > tracker.csv
Quick Repo and Automation Structure
Keep scripts, templates and wordlists in a small repo.
mkdir -p recon-scripts/{wordlists,results,templates}
git init recon-scripts
Keep everything version-controlled. It helps when you want to reuse automation later.
Lab setup – fast and safe
Use Docker. Do not test live systems without permission.
Juice Shop
docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop
# Open http://localhost:3000
WebGoat
docker pull webgoat/webgoat-8.0
docker run --rm -p 8080:8080 webgoat/webgoat-8.0
# Open http://localhost:8080/WebGoat
DVWA
docker pull vulnerables/web-dvwa
docker run --rm -p 80:80 vulnerables/web-dvwa
# Open http://localhost
Browser profile
- Create a dedicated browser profile.
- Install Burp or OWASP ZAP.
- Turn off sync and telemetry.
- Do not use your main browser for testing.
Lab safety checklist
- Use isolated environment (VM or container).
- Use throwaway accounts and test data.
- Record proof of scope and permission.
- Turn off automatic backups or telemetry in test profile.
- Keep copies of screenshots and evidence in the target folder.
Merge, dedupe and resolve – starter pattern
You will combine outputs from several tools. Use this pattern to clean the list.
cat subfinder.txt amass.txt crt_subs.txt | sort -u > merged_subs.txt
massdns -r resolvers.txt -t A -o S -w resolved.txt merged_subs.txt
This keeps only unique subdomains and resolves them to live IPs.
Starter workflow – first 30-60 minutes
- Confirm scope and record it.
- Create target folder and tracker.
- Run passive collectors: crt.sh, subfinder, amass passive.
- Merge, dedupe and resolve.
- Take screenshots of any live host found.
- Add promising hosts to a “to-fuzz” list.
Short. Practical. Reproducible.
Mini lab exercise – 20 minutes
Follow these steps to build the habit.
- Spin up Juice Shop locally.
- Create
recon/example-juicefolder. - Run a simple crawler and archive command:
gau localhost:3000 > gau_urls.txt waybackurls localhost:3000 >> gau_urls.txt sort -u gau_urls.txt > all_urls.txt - Open three endpoints in your test browser.
- Save a quick note in
tracker.csvwith the URL and status.
This exercise trains you to capture early findings and store them safely.
Common mistakes and fixes
Mistake: Not saving proof of scope.
Fix: Screenshot program scope or approval email and save.
Mistake: Flooding a target with brute-force without permission.
Fix: Slow down. Ask. Use rate limits.
Mistake: Mixing lab and live accounts.
Fix: Use separate browser profiles and separate VMs.
Templates to add to your repo
Findings template (already above).
Title
Target
Reported by
Date
Severity
Summary (1-2 lines)
Impact (short bullets)
Steps to reproduce (exact, minimal)
Proof of concept / Evidence
Root cause (one line if known)
Suggested Fix / mitigations
Conclusion
Attachments
Save these in recon-scripts/templates so you can copy fast.
What to do next (after this Part)
- Move to passive OSINT and footprinting.
- Feed hostnames into subdomain enumeration.
- Start JS harvesting and URL collection.
- Enrich, tag and prioritize findings so nothing is lost.
Preview of the next post
Part 2 will be all about passive OSINT and footprinting.
Commands, tuned queries, cert stream watchers, Google dorks, and a few automations to add to your pipeline.
We will show exact commands, explain outputs, and give quick triage steps.
Disclaimer
This content is for educational purposes only. Use it ethically and only against targets you own or have explicit permission to test. Do not use any techniques described here in ways that break laws, platform rules or third-party rights. If in doubt, stop and get permission.
