All Articles

Advanced Asset Discovery

I enjoy testing wide scope targets, and in this post I will write about some of the
techniques I find useful which I often utilize during my reconnaissance process.

I have selected as the target for demonstration purposes.

Table of Contents

  1. Acquisitions
  2. Crawling
  3. Google Dorking
  4. Github Recon
  5. ASNs
  6. whois
  7. Certificate Transparency
  8. Permutations
  9. Favicon.ico Search
  10. Fuzzing
  11. Subdomain Enumeration Tools
  12. Subdomain Monitoring
  13. Port Scanning
  14. Mass Wordlist
  15. Conclusion


An acquisition is when a company buys or takes over another company.

To gather information on target acquisitions, explore sites such as Crunchbase, Wikipedia, and OCCRP Aleph. With ChatGPT, you can also ask about acquisitions, filter domains, IP ranges, sorting, and much more.

I like to use Crunchbase, you simply search for an organization, click on “Financials”, and scroll down to “Acquisitions”.


A crawler is a tool used to explore websites and collect endpoints.
Katana, a powerful crawler, will discover interesting JS files and subdomains.

katana -jc -u

When reading JS, keep an eye out for Domains, Paths (”/ or ’/), Parameters, HTTP methods, Roles, API keys, Sinks.

If the JS is obfuscated, deobfuscate it:

Another similar tool is GetAllUrls, which fetches known URLs for any given domain, you can use it like this to only get domains and remove duplicates:

gau --subs | cut -d / -f 3 | sort -u can also be used to view endpoints:*

Google Dorking

Google dorking is an advanced search technique that can be used to find sensitive information, vulnerable sites and assets.

Start with the target domain. Then, exclude uninteresting pages with a “-” until you get interesting results, like this: -www -fordprotect -accessories -corporate -es

A dork for extensions, often used for script files: ext:php | ext:asp | ext:jsp | ext:pl | ext:cfm

By dorking a subdomain, you may find a interesting path or value:

To find sites with the terms “register”, “registration”, “sign up”, in the URL: inurl:"sign up" | inurl:”register” | inurl:"registration"

Additionally, try dorking for the target copyright, trademark, privacy policy and changing the year to a lower value, 2023 to 2022, 2021, and so on:

"© 2023 Ford Motor Company"
"Ford® Privacy Policy"

Consider dorking on other search engines such as Bing, DuckDuckGo, Yandex, in addition to Google.

Github Recon

This involves analyzing the target organization or an individual’s activity on GitHub. It reveals valuable information about the target, technologies used, and understanding development practices.

Dorking will lead you to interesting findings. Some dorks I find useful include:

token, secret, config, db, todo, pass, password, API_key,
credentials, portal, dev, login, register, http:// & https://

There are automated tools for this, but I prefer the manual approach.

Leverage your creative abilities when dorking. By utilizing GitHub, I have been able to discover valid dev credentials, interesting sites, paths, comments, and tokens of significance.


An ASN is a unique identifier assigned to an autonomous system, which is a collection of IP blocks operated by a single organization or entity.

For organizations with an ASN or IP range, tools like Shodan can be used to check an organizations ASN or IP range for domains. The Hurricane Electric BGP Toolkit helps find ASNs and IP ranges.

  1. To find the ASN of Ford, search the domain on:
  2. Click on “IP Info” & grab the ASN > > AS3389 > Ford Motor Company > > AS3389 > Ford Motor Company
  1. To find more ASNs and IP ranges related to the target, search the discovered ASN number on:

To obtain associated domains with the ASN, I utilize either Shodan or Amass:

amass intel -asn AS3389

Both commands provide you with the capability to retrieve domains associated with the specified ASN.

You can also perform a search on the IP range:



The whois protocol is primarily used for storing ownership information of domains.

By entering an organization name or email address, you can obtain a list of associated domains.

Many services allow you to do a reverse whois search. I find both whoxy and Amass to be useful tools for this:

whoxyrm -company-name "Ford Motor Company"
amass intel -whois -d

Certificate Transparency

A certificate is used to verify a site’s identity. Certificate transparency search is a handy method to discover subdomains that other approaches might miss.

  1. Go to the target site, and find the certificate organization name
  2. Query with that organization name
  3. Query again with the newly discovered organization names

Example, I search for the certificate name “Ford Motor Company”, discovered “Ford Motor Credit Company”, search it and get additional domains, like those:

You can also quickly get domains from using curl:

curl -s '' | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u


A technique that often is overlooked by many yet very useful is using permutations.

You take subdomains that you know exists, then use them as seeds to generate permutations. This is an example on how it would look:

When generating permutations, I do the following

  1. I use the already collected subdomains to generate unique segments:
cat subdomains.txt | tr "." "\n" | sort -u > words.txt
  1. Altdns to generate permutations:
altdns -i subdomains.txt -o altdns-output.txt -w words.txt
  1. Shuffledns will resolve the output from altdns and give me valid domains:
shuffledns -l altdns-output.txt -r /opt/massdns/lists/resolvers.txt -o final.txt

Favicon search involves searching for the favicon icon of the target site, there are various methods to perform this, I use Shodan.

To do a favicon search on shodan, you first have to hash the favicon with this python script and search the hash value on Shodan.

import mmh3, requests, codecs, sys

arg = sys.argv[1]

response = requests.get(arg)
favicon = codecs.encode(response.content,"base64")
hash = mmh3.hash(favicon)

Get the favicon.ico hash:


Once you have the hash, search it on Shodan:



Fuzzing actively searches for subdomains by utilizing a custom wordlist.
To fuzz for subdomains, I use ffuf:

ffuf -u -w /opt/wordlists/best-dns-wordlist.txt -c

I recommend fuzzing for VHosts, especially on IIS servers, as you may uncover content that wasn’t intended to be externally accessible. Here’s how you would do it:

ffuf -u -H "Host:" -w /opt/wordlists/best-dns-wordlist.txt -c

To access the identified virtual host, do a quick match & replace in Burp Suite.

Subdomain Enumeration Tools

I like to use Subfinder but there are many others such as Amass and Assetfinder. I include my 3rd party API keys from Github, Chaos, Shodan, and Securitytrails, to maximize results.

subfinder -dL domains.txt

You can pipe the results into httpx to probe for web servers on multiple ports:

cat domains.txt | httpx -title -wc -sc -cl -ct -td -web-server -asn -p 80,443,900,3000,5000,7070,8000,8008,8080,8443,9090,9000,9200 -threads 75 -location

You can also enable screenshots with httpx by adding -ss.

Subdomain Monitoring

Monitoring will give you an advantage in bug hunting, allowing you to be among the first to hack on the application. The tools I use for this is a VPS, tmux, anew and Notify.

This technique can also be extended to httpx or webanalyze for monitoring ports and website changes.

To implement monitoring, initiate a new tmux session:

tmux new -s ford-bot

If you’re not familiar with tmux, refer to

Configure your provider-config.yaml, and enter the line of code below.
This loop runs subfinder, anew validates new domain entries not previously in subdomains.txt, notify notifies me via Discord, and then pauses for two hours:

while true; do subfinder -silent -all -nW -dL domains.txt | anew subdomains.txt | notify -pc ./provider-config.yaml; sleep 7200; done

Now, detach from the session to have it run in the background: press CTRL + B, release both keys, and then press D.

Port Scanning

To identify ports beyond the usual suspects (e.g., 21, 22, 25, 80, 443) in use by the target. I utilize nmap and naabu as they are reliable and well maintained projects.

Full port scan where I exclude common ports:

naabu -list subdomains.txt -p - -exclude-ports 21,22,25,80,443 -o ports.txt

You can also use nmap within naabu to get the best from both:

naabu -list subdomains.txt -top-ports 1000 -nmap-cli 'nmap -sV -sC' -exclude-ports 21,22,25,80,443 -c 75 -o ports.txt

Mass Wordlist

By now, you probably have a bunch of domains. I would either run a large raft or a very short wordlist against all of the discovered domains to understand the target and see if there are any easy wins.

dirsearch -l alive.txt -w wordlist.txt -o dirsearch.txt -t 75

After that it depends, I might dork for parameters, grep for keywords in my lists, browsing an application to discover interesting functionality, and so on.

These approaches aim to go deeper into the recon process, and uncover applications for further testing.


As a security researcher, it is essential to continually expand your knowledge and explore new techniques. By doing so, you can strengthen your abilities and increase your chances of uncovering vulnerabilities.

So, feel free to apply these techniques in your work, and may they lead you to valuable findings.

Published Jun 1, 2023

Qais Qais is a security professional dedicated to safeguarding digital environments.