June 2, 2026
The 10-Minute Recon Routine That Finds What Scanners Miss
Fast, free, and actually works.
I used to spend hours on recon. Running tools. Waiting for scans. Organizing results.
Then I'd start testing and realize I missed half the attack surface.
Now I have a 10-minute routine I do on every new target. No fancy tools. Just things that work.
– -
Minute 1–2: Google Dorks That Still Work
Everyone says Google dorks are dead. They're not. You just have to use the right ones.
I type these three things every time:
site:*.target.com -www -support -mail
site:target.com intitle:"index of"
site:github.com "target.com" "api"
The first finds subdomains Google has indexed that aren't obvious (the -www -support -mail part just excludes the ones you already know about). The second finds open directory listings. The third finds developers leaking keys and endpoints on GitHub.
Two minutes. I usually find at least one thing my scanners missed.
– -
Minute 3–4: Check Wayback Machine
Go to web.archive.org. Type the target URL.
Look at the oldest snapshots. Sometimes old versions of the site had endpoints that don't exist anymore. But the server might still respond to them.
I once found a /admin/old-backup.zip from 2018 that was still accessible. Contained database credentials for a staging server. Not the main site. But still something.
Also check for parameters. Look at the oldest archived URLs and note the patterns: ?id=, ?page=, ?debug=. Test those.
– -
Minute 5–6: Certificate Logs
Go to crt.sh or use curl if you're fancy.
Search for %.target.com. It shows every SSL certificate ever issued for the domain and its subdomains.
This finds subdomains that aren't linked anywhere. Internal servers. Dev environments. Forgotten test sites.
Compare with your subdomain scanner results. Anything new? Test those first.
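The "anything new?" comparison is the part worth automating, and it is the same check an asset-inventory team runs against its own domain to catch forgotten hosts. The script below is an added example, not code from this post; it assumes crt.sh's JSON output (the ?output=json response, where name_value holds a certificate's names separated by newlines), and the three records embedded in it are constructed sample data, not real certificates.

```python
import json
from typing import Iterable

# Constructed sample of what https://crt.sh/?q=%25.example.com&output=json
# returns. Only name_value matters here; the real response has more fields.
SAMPLE_CRTSH_JSON = """[
  {"id": 1, "common_name": "www.example.com",
   "name_value": "www.example.com\\nexample.com"},
  {"id": 2, "common_name": "*.example.com",
   "name_value": "*.example.com\\nstaging-db.example.com"},
  {"id": 3, "common_name": "old-test.example.com",
   "name_value": "OLD-TEST.example.com\\nwww.example.com"}
]"""


def hostnames_from_crtsh(raw_json: str, domain: str) -> set[str]:
    """Distinct hostnames under `domain` found in a crt.sh JSON response.

    Wildcard names are dropped (they name no concrete host) and everything
    is lower-cased, because certificates are not consistent about case.
    Names outside `domain` are ignored so a shared cert does not pull in
    somebody else's hosts.
    """
    hosts: set[str] = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue
            if name == domain or name.endswith("." + domain):
                hosts.add(name)
    return hosts


def new_hosts(ct_hosts: Iterable[str], inventory: Iterable[str]) -> list[str]:
    """Hosts present in CT logs that the existing inventory does not list."""
    return sorted(set(ct_hosts) - {h.strip().lower() for h in inventory})


if __name__ == "__main__":
    # What the subdomain scanner (or the asset register) already knows.
    known = ["www.example.com", "example.com"]
    found = hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for host in new_hosts(found, known):
        print("not in inventory:", host)
```

Swap the constructed JSON for the real crt.sh response and the inventory list for your scanner output, and the printed hosts are the ones to look at (or, on the defending side, to either document or decommission).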
– -
Minute 7–8: Robots and Sitemaps
Go to target.com/robots.txt and target.com/sitemap.xml.
Most hunters check these. Most also ignore what they find.
Look for Disallow: entries. Those are pages the site doesn't want Google to see. Often admin panels, test pages, internal tools.
Sitemaps sometimes list weird endpoints you'd never guess. products/archive/2019/, users/export, api/v1/internal.
I found a sitemap once that listed every user profile as a separate XML file. That was the bug. The site leaked usernames in a way they didn't realize.
– -
Minute 9–10: Quick Endpoint Check
Type these into your browser. One after another.
/admin
/api
/v1
/swagger
/docs
/graphql
/backup
/old
/test
/dev
Don't overthink it. Just try. Takes 30 seconds.
You'd be shocked how many times /swagger or /docs is wide open. Full API documentation. Every endpoint. Sometimes with example requests that include real API keys.
I found a company's entire internal API docs this way. Could see how to create admin users. Didn't even need to exploit anything. The docs showed me exactly how.
– -
What I Do After 10 Minutes
If I find nothing in these 10 minutes, I don't give up. I just know where to start.
The stuff from Google dorks gets tested first. Then Wayback Machine findings. Then cert log subdomains.
I don't run heavy scans until I've manually checked these. Saves me hours of chasing false positives.
– -
The One Thing You Shouldn't Skip
The robots.txt check. Everyone knows about it. Everyone still skips it.
I almost did once. Saw Disallow: /internal/ and almost moved on. Then I clicked it anyway.
Internal dashboard. No login. Just open.
Three minutes of work. $800.
So yeah. Check the obvious stuff. It's obvious for a reason.
– -
Got a quick recon trick I missed? Drop it in the comments. Always looking to steal good ideas.
And to whoever keeps suggesting topics – you're carrying this blog. Thank you.
If this saved you some time, clap and follow.