web2-reconlisted

# WEB2 RECON PIPELINE Full asset discovery from nothing to a prioritized URL list ready for hunting. --- ## THE 5-MINUTE RULE > If a target shows nothing interesting after 5 minutes of recon, move on. Don't burn hours on dead surface. **5-minute kill signals:** - All subdomains return 403 or static marketing pages - No API endpoints visible in URLs - No JavaScript bundles with interesting endpoint paths - nuclei returns 0 medium/high findings - No forms, no authentication, no user data --- ## STANDARD RECON PIPELINE ### Pre-Hunt: Always Run First ```bash TARGET="target.com" # Step 1: Chaos API (ProjectDiscovery — most comprehensive source) curl -s "https://dns.projectdiscovery.io/dns/$TARGET/subdomains" \ -H "Authorization: 15e77cfb-2300-426a-b8c3-fbfbf0ab17d4" \ | jq -r '.[]' > /tmp/subs.txt echo "[+] Chaos returned $(wc -l < /tmp/subs.txt) subdomains" # Step 2: subfinder (passive multi-source) subfinder -d $TARGET -silent | anew /tmp/subs.txt assetfinder --subs-only $TARGET | anew /tmp/subs.txt echo "[+] Total subdomains after all sources: $(wc -l < /tmp/subs.txt)" # Step 3: DNS resolution + live host check cat /tmp/subs.txt | dnsx -silent | httpx -silent -status-code -title -tech-detect | tee /tmp/live.txt echo "[+] Live hosts: $(wc -l < /tmp/live.txt)" # Step 4: URL crawl cat /tmp/live.txt | awk '{print $1}' | katana -d 3 -jc -kf all -silent | anew /tmp/urls.txt # Step 5: Historical URLs echo $TARGET | waybackurls | anew /tmp/urls.txt gau $TARGET --su