The following is a lightweight reconnaissance setup that should help you quickly gather information on a given target. We will run through the basic installation steps and then take a look at how to use this setup while hunting.

Please keep in mind that there are hundreds of tools out there and there is no way they could all be included in this write-up. This write-up is aimed at people who are getting started or who want a simple setup. The author assumes that the reader already has a basic understanding of how to use a terminal. If not, the reader may want to start with before reading on.


📀 Installation

$ git clone
$ cd Sublist3r
$ sudo pip install -r requirements.txt

💬 Aliases

alias sublist3r='python /path/to/Sublist3r/ -d '
alias sublist3r-one=". <(cat domains | awk '{print \"sublist3r \"\$1 \" -o \" \$1 \".txt\"}')"


📀 Installation

$ git clone
$ cd dirsearch/db
$ wget

💬 Aliases

alias dirsearch='python3 /path/to/dirsearch/ -u '
alias dirsearch-one=". <(cat domains | awk '{print \"dirsearch \"\$1 \" -e *\"}')"
alias openredirect=". <(cat domains | awk '{print \"dirsearch \"\$1 \" -w /path/to/dirsearch/db/open_redirect_wordlist.txt -e *\"}')"


📀 Installation

Make sure to install PhantomJS too.

$ git clone

Steps to take when approaching a target

  1. Verify target’s scope (*;

  2. Run Sublist3r on and output all findings to a file called output:

$ sublist3r -o output
$ cat output
  3. Check which domains resolve:

$ while read -r domain; do if host "$domain" > /dev/null; then echo "$domain"; fi; done < output >> domains

  4. Run webscreenshot on the domains file:

$ python -i domains output example
$ eog example

💡 Tip: Look for 404 pages, login panels, directory listings and old-looking pages when reviewing the screenshots.

  5. Run dirsearch on the domains file:

$ dirsearch-one

  6. Check for open redirects using dirsearch on the domains file:

$ openredirect
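
An added example, not part of the original write-up: a POSIX shell filter that applies the scope check from step 1 to Sublist3r's output file, so the resolve, screenshot and dirsearch steps only see hosts the program authorizes. The scope-file format, the function names and the example.com hosts are assumptions constructed for illustration.

```shell
# Added example: keep only in-scope hosts before scanning.
# Assumed scope file format: one pattern per line, "*.example.com" or an exact
# host, "!" prefix for an exclusion, "#" starts a comment.

# matches HOST PATTERN: "*.example.com" matches any subdomain, but not the
# apex and not look-alikes such as evilexample.com; other patterns are exact.
matches() {
  case $2 in
    \*.*) m_suffix=${2#?}               # drop the leading "*"
          case $1 in *"$m_suffix") return 0 ;; esac
          return 1 ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# in_scope HOST SCOPE_FILE: succeeds when the (lower-case) HOST matches an
# allow pattern and no exclusion. An exclusion wins wherever it appears.
in_scope() {
  is_allowed=1
  while IFS= read -r is_pat || [ -n "$is_pat" ]; do
    is_pat=$(printf '%s' "${is_pat%%#*}" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    case $is_pat in
      '')   continue ;;
      '!'*) matches "$1" "${is_pat#?}" && return 1 ;;
      *)    matches "$1" "$is_pat" && is_allowed=0 ;;
    esac
  done < "$2"
  return "$is_allowed"
}

# filter_scope HOSTS_FILE SCOPE_FILE: print unique, lower-cased in-scope hosts.
filter_scope() {
  tr -d ' \t\r' < "$1" | tr 'A-Z' 'a-z' | sort -u |
  while IFS= read -r fs_host; do
    [ -n "$fs_host" ] || continue
    if in_scope "$fs_host" "$2"; then printf '%s\n' "$fs_host"; fi
  done
}

# Constructed sample data (example.com is a placeholder target).
demo() {
  d_dir=$(mktemp -d)
  printf '%s\n' '*.example.com  # wildcard from the program page' \
    '!payments.example.com' > "$d_dir/scope"
  printf '%s\n' 'www.example.com' 'WWW.example.com' 'payments.example.com' \
    'evilexample.com' 'example.com' 'dev.api.example.com' > "$d_dir/output"
  filter_scope "$d_dir/output" "$d_dir/scope"
  rm -rf "$d_dir"
}
demo
```

Excluded hosts, the bare apex and look-alike domains are dropped, and duplicates that differ only in case collapse to one line.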

📝 Exercises

The following tasks are left as exercises for the reader:

  1. Write a shell script that performs the entire process when supplied with a single domain (

  2. Practice going through the process by picking a couple of bug bounty programs on HackerOne and Bugcrowd.


The author would like to acknowledge the help provided by @TomNomNom. The cover image is by João Silas.