June 9, 2026
How I Discovered 100+ Assets Without Scanning a Single Port
Most beginners think reconnaissance starts with port scanning.
Disaster
It doesn't.
In fact, some of the biggest attack surfaces I've ever mapped were discovered before a single Nmap scan touched a target. The reality is that modern reconnaissance isn't about finding open ports first. It's about finding everything connected to the organization.
And that's where most newcomers miss the bigger picture.
They run a port scan against one domain and think they've mapped the target.
Meanwhile, experienced recon hunters are uncovering dozens, or even hundreds, of assets hidden behind subdomains, cloud infrastructure, ASN ranges, forgotten servers, and acquisitions.
This guide will show you the exact chain that turns one domain into a massive attack surface.
The Mistake Most Beginners Make
Imagine you're given a target:
example.com
Most people immediately do this:
nmap example.com
Then they stop.
That's like standing outside a shopping mall, checking one door, and assuming you've seen the entire building.
The real question isn't:
"What ports are open?"
The real question is:
"What assets belong to this organization?"
Everything changes when you ask that question.
The Attack Surface Expansion Chain
Here's the framework that experienced reconnaissance practitioners follow:
Domain
↓
Subdomains
↓
ASN
↓
IP Ranges
↓
Attack Surface
Every step reveals more infrastructure than the previous one.
Let's break it down.
Step 1: Start With The Domain
A domain is simply the starting point.
For example:
example.com
At first glance, it looks like a single website.
But organizations rarely operate from a single host.
Behind that domain are usually:
- Development environments
- Internal portals
- API endpoints
- Legacy systems
- Cloud resources
- Regional infrastructure
The domain is only the front door.
The interesting assets are often hidden elsewhere.
Step 2: Discover Subdomains
This is where recon starts getting exciting.
Using tools such as:
- Recon-ng
- Amass
- Sublist3r
You can uncover subdomains associated with the organization.
Example:
www.example.com
api.example.com
mail.example.com
vpn.example.com
dev.example.com
staging.example.com
portal.example.com
Suddenly, one domain becomes multiple targets.
And here's the interesting part.
Many security issues are found on forgotten subdomains rather than the primary website.
Think about it:
The main website is maintained constantly.
A staging server from three years ago?
Maybe not.
Why Subdomains Matter So Much
Imagine discovering:
staging.example.com
That single asset might reveal:
- Different technologies
- Older software versions
- Debug pages
- Test credentials
- Internal information
All without touching a port scanner.
You're simply expanding visibility.
And we're still only getting started.
Step 3: Pivot Into ASN Enumeration
Most beginners stop at subdomains.
Experienced recon hunters don't.
They ask:
"What network owns these systems?"
That's where ASN enumeration comes in.
An Autonomous System Number (ASN) identifies a network operated by an organization, together with the IP prefixes that network announces.
For example:
example.com
↓
ASN 64500
Now you're no longer looking at individual domains.
You're looking at the organization's infrastructure footprint.
This is where attack surface discovery starts scaling dramatically.
What ASN Enumeration Reveals
When you identify an ASN, you can often discover:
- Additional IP ranges
- Unknown servers
- Regional infrastructure
- Acquired company assets
- Forgotten internet-facing systems
Think of the ASN as the organization's digital property map.
The website is one building.
The ASN shows the entire neighborhood.
Step 4: Expand Into IP Ranges
Once you've identified the ASN, you can enumerate associated IP ranges.
Example:
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
Now the scope expands again.
Instead of investigating:
example.com
You're investigating hundreds of potential hosts.
This is where many hidden assets appear.
Servers that aren't linked to any domain.
Legacy systems.
Cloud deployments.
Development infrastructure.
And services nobody remembers exist.
The Snowball Effect
Let's make this concrete.
You start with:
example.com
You find:
25 subdomains
From those subdomains, you identify:
1 ASN
That ASN reveals:
8 IP ranges
Those ranges contain:
100+ hosts
And all of that happened before your first vulnerability scan.
That's the power of reconnaissance.
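The chain from Steps 2 to 4 is, at bottom, a correlation problem: which discovered names land inside which announced prefixes, and how much of those ranges has no known name at all. The script below is an added example, not code from the original post; it works entirely on constructed data (the subdomain resolutions, the ASN number 64500 and the RFC 5737 ranges are all sample values), so it runs offline and shows the bookkeeping an asset-inventory step needs, including hosts that fall outside the organization's own ASN.

```python
import ipaddress

# Constructed sample: subdomain -> IP resolutions gathered in Step 2.
RESOLVED = {
    "www.example.com": "192.0.2.10",
    "api.example.com": "192.0.2.20",
    "portal.example.com": "192.0.2.30",
    "mail.example.com": "198.51.100.5",
    "vpn.example.com": "198.51.100.6",
    "dev.example.com": "203.0.113.7",
    "staging.example.com": "203.0.113.8",
    "cdn.example.com": "192.0.0.8",  # third-party hosting, outside the org's ASN
}

# Constructed sample: prefixes announced by the ASN identified in Step 3.
# 64500 is a private-use ASN; the ranges are RFC 5737 documentation space.
ANNOUNCED = {64500: ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]}


def asn_for(ip, announced=ANNOUNCED):
    """Return (asn, prefix) for the announced prefix containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for asn, prefixes in announced.items():
        for prefix in prefixes:
            if addr in ipaddress.ip_network(prefix):
                return asn, prefix
    return None


def expand_surface(resolved=RESOLVED, announced=ANNOUNCED):
    """Walk the chain: subdomains -> ASN -> IP ranges -> attack surface."""
    by_prefix = {}     # prefix -> names that resolve into it
    third_party = []   # names hosted outside every announced prefix
    asns = set()
    for name, ip in resolved.items():
        hit = asn_for(ip, announced)
        if hit is None:
            third_party.append(name)
            continue
        asn, prefix = hit
        asns.add(asn)
        by_prefix.setdefault(prefix, []).append(name)
    # Every usable address in a confirmed range is a candidate host; those
    # without a known name are the "forgotten" assets the post describes.
    candidates = sum(ipaddress.ip_network(p).num_addresses - 2 for p in by_prefix)
    named = sum(len(v) for v in by_prefix.values())
    return {
        "asns": sorted(asns),
        "ranges": sorted(by_prefix),
        "named_hosts": named,
        "unnamed_candidates": candidates - named,
        "third_party": sorted(third_party),
    }
```

With the sample data, seven names fall into three /24 ranges of one ASN, leaving 755 addresses with no known name, while cdn.example.com is flagged as third-party hosting that the ASN view alone would miss.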
How Tools Like Amass, Recon-ng, and Sublist3r Fit Together
Each tool contributes a piece of the puzzle.
Recon-ng
Great for gathering intelligence from multiple data sources.
Useful for:
- Domain enumeration
- Contact discovery
- Infrastructure mapping
Amass
One of the most powerful tools for attack surface mapping.
Useful for:
- Subdomain enumeration
- ASN discovery
- Infrastructure correlation
Sublist3r
Fast and beginner-friendly.
Useful for:
- Passive subdomain discovery
- Quick reconnaissance
The magic isn't the individual tools.
The magic is connecting the data between them.
Where Most Vulnerability Scanners Fall Short
A scanner can only scan what you give it.
If you only know about:
www.example.com
Then that's all you'll scan.
But if reconnaissance reveals:
api.example.com
vpn.example.com
dev.example.com
portal.example.com
50 additional hosts
Your visibility changes completely.
The scanner didn't become smarter.
You simply gave it a larger attack surface.
That's why reconnaissance often produces more valuable findings than scanning itself.
Think Like an Explorer, Not a Scanner
Here's the mindset shift.
Beginners ask:
"What vulnerabilities exist on this server?"
Advanced recon practitioners ask:
"What infrastructure exists that nobody is looking at?"
The second question usually leads to more discoveries.
Because hidden assets create opportunities.
And hidden assets are found through reconnaissance.
Not through aggressive scanning.
Final Thoughts
The biggest lesson isn't how to use Amass, Recon-ng, or Sublist3r.
It's understanding the chain.
Domain
↓
Subdomains
↓
ASN
↓
IP Ranges
↓
Attack Surface
Once you understand this flow, you'll stop seeing a target as a single website.
You'll start seeing it as an ecosystem.
And that's when reconnaissance becomes truly powerful.
Before you launch your next vulnerability scan, ask yourself one question:
Have I actually discovered the full attack surface yet?
Because the answer is usually no.