6 min readJun 6, 2024

The only recon methodology you need to know.


Small Intro:

If you are new here, I am a beginner bug hunter and cyber security enthusiast, I am currently learning bug hunting.

Connect to me on Twitter for more amazing tips and tricks!

You have probably clicked after the title, in this blog I am going to reveal a complete guide to recon using just one tool, People don’t pay much attention to recon resulting in less bugs or duplicates, but after reading this blog you will have a complete idea and understanding of reconnaissance.


First, let’s discuss what actually reconnaissance is.

Recon is the first step of bug hunting which involves finding and gathering information about the target. This includes information such as company’s employees, their emails, domains, sub-domains, certificates, nameservers etc.

To increase your chances of finding a bug, you must be familiar with recon, this will prove to be an essential boost to your bug hunting journey.

Now that you understood what actually recon is and it’s importance, let’s get to the practical part.

So, the tool we are going to use for recon is Netlas. is an open source intelligence platform that helps discover, research and monitor any online assets including web applications or IoT devices, making your bug hunting fast and efficient.

Some features of Netlas are paid but the majority are free. Explore more about Netlas here. can perform various functions and scans that are vital in bug hunting. Such features and scans include:

  • IP/Domain information gathering
  • Investigate websites and web applications, IoT devices and other online assets
  • Penetration tests and bug bounty jobs (reconnaissance stage)
  • Attack surface management
  • Detect shadow IT and phishing domains
  • Search for Domains, Subdomains, Certificates and Technologies
Features of

Reconnaissance using

Recon using is pretty easy, even a beginner bug hunter can perform this easily. Netlas also offers an easy to use GUI for both beginners and professionals. Access the Netlas Application here.

Attack Surface Discovery Tool:

First let’s understand what is an attack surface.

The attack surface is like all the possible ways someone could break into a system. It’s similar to all the weak spots a hacker could use to get in and take information.

Netlas provides an intelligent and up-to-date tool for creating attack surface of a particular organization. You can incorporate items of your interest as nodes, then perform individual searches for each using Netlas data. The tool will autonomously establish connections between the items and include them in the list.

This tool is very useful in reconnaissance as it gives an overall view of the target and the breakpoints where you can attack and perform penetration tests.

Access Netlas Documentation about their Attack Surface Discovery Tool here.

Creating an attack surface in

Creating an attack surface in Netlas is pretty easy, you just have to follow some steps and your attack surface will be ready.

At first you will have to create a new node and an object in it. There are various types of objects in Netlas including IP address, Domain, Address, DNS TXT record, Phone, Organization, Email, ASN, JARM, IP range, Person, Favicon, Text, AS Name, Network Name.

Creating a new node

After creating a new node select an object and enter it.

Entering a domain in a new node

Now that you have created an object click on it and Netlas will start searching it and will display results.


You can add these results by clicking the Add Button or Add & Group button.

Adding & Grouping the results

After adding and grouping several results, here is your attack surface for Microsoft.

Attack Surface for Microsoft

You can also perform other functions on the nodes such as excluding which allows you to exclude a particular node from the attack surface but keep it in the graph.

You can also download this attack surface for future use and for integrating this data in other tools such as Nmap.

Basic Domain Info:

You can find basic information such as registrant, location, registrar, email, phone and exposed ports and software of a domain by entering your target domain in the Host tab. Tabs are present on the upper left side of the interface. Explore more about IP/Domain Info in Netlas here.

Host Tab Domain Search

Organization’s emails:

You can find all emails of an organization or it’s employees by using this dork in the Response Search tab. This can help you contact employees of the company if you find any vulnerability or bug in their website or API.

Emails (red box)

Organization’s details:

You can find all details of a particular organization like city, country, fax, postal code, province and street by using this dork in the Domain WHOIS tab. Explore more about Domain WHOIS tab here.

Organization’s details

Finding Subdomains:

You can find all subdomains related to an organization by using this dork in the DNS Search tab. This will help you get familiar with other services that your target provides.

Finding Subdomains

A good feature of Netlas is that it gives other details such as IP address and MX Record with subdomains making it easier for bug hunters to understand the domain.

Finding domains with a particular extension related to an organization:

You can find all domains with a particular extension (.co, .edu, .com, .tk, .co) by using this dork in the DNS Search tab. This can also help an organization to identify and stop phishing links against them.

domain:*target* AND zone:extension AND level:2
Domains of Microsoft with .cn extension

Finding Nameservers:

You can find nameservers of a particular domain by using this dork in the Domain WHOIS Search tab. This dork will fetch all nameservers related to the domain provided, which will eventually help you in your bug hunt.

Nameservers of Facebook

Finding SSL Certificates:

You can find all SSL Certificates issued to a particular organization by using this dork in the Certificates Search tab. By using this dork you will be able to fetch all SSL Certificates and their details which will help you to understand your target better and get more information about your target. Explore more about finding SSL Certificates in Netlas here.

certificate.subject.organization:"Target Organization"
Finding SSL Certificates

Reputation Score of an IP address or a Domain:

In Netlas we also get an amazing feature which is Reputation Score, which informs you if any particular Domain or IP address has already been a part of security or data breach or have been associated by a cyber threat.

You can get reputation score of a particular Domain or IP address by searching it in the IP/Domain info tab.

Reputation Score

Exploring CVEs found in the organization’s application:

You can explore all CVEs found in your target application by using this dork in the Responses Search tab. Exploring CVEs will help you to know previous bugs and vulnerabilities found in your target.

cve.description:"Target's Name"
CVEs found in Microsoft


In conclusion, Netlas is an amazing tool which can help you in reconnaissance process, it’s easy to use GUI makes it an amazing tool for both beginners and professionals.

You can explore more dorks of here.

I hope this blog helped you in reconnaissance process!

Remember to follow me, for more amazing blogs :)


Bug Hunter | EHE certified | Python Beginner | HTML | Graphic Designer in the past :) | From Pakistan