Volume 2, Post 7: Active Recon & Mapping the Attack Surface

In our previous post, we mastered Passive Reconnaissance and OSINT, gathering intelligence like ghosts without ever touching the target's servers. Now, it is time to take the gloves off.

Welcome to Active Reconnaissance. In this phase, we will directly interact with the target's infrastructure by sending packets, scanning ports, and brute-forcing directories.

โš ๏ธ CRITICAL WARNING: Active reconnaissance generates significant traffic and leaves logs on the target's servers. Before executing any of the commands in this post, you must absolutely verify that the asset you are testing is explicitly listed in the program's scope (Rules of Engagement),.

Let's build your active reconnaissance workflow.

1. Advanced Subdomain Enumeration (Active Brute-Forcing)

While passive tools (like crt.sh) are excellent, they often miss subdomains that don't have registered SSL certificates or aren't indexed by search engines. To find these hidden assets, we must actively guess subdomain names.

We do this using DNS Brute-forcing. By feeding a massive dictionary of common subdomain names (like dev, staging, vpn, api) into an automated tool, we ask the DNS server if each one exists.

  • The Wordlist: The industry standard for wordlists is SecLists (created by Daniel Miessler). It contains comprehensive lists for subdomains, passwords, and fuzzing payloads.
  • The Tools:
  • Gobuster: A blazingly fast tool written in Go. You can use its dns mode to brute-force subdomains: gobuster dns -d target.com -w /path/to/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
  • SubFinder & Amass: Tools like SubFinder and OWASP Amass combine passive scraping with active brute-forcing and reverse DNS sweeping, making them incredibly powerful for building a comprehensive list of targets.
  • Permutations: Once you find a valid subdomain like dev1.target.com, there is a high probability that dev2 or dev-api also exists. Tools like Altdns automatically generate permutations of known subdomains and resolve them to find hidden environments.
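The permutation step above, as an added example written for this post (not Altdns's own code): given subdomains already confirmed and a short word list, it derives the dev2 / dev-api style candidates that the resolver is then asked about. The known names, the word list and the target.com apex are constructed inputs; the function only generates names and does no DNS lookups, so it runs offline. Defenders can run the same generator against their own apex to inventory forgotten environments before someone else does.

```python
import re

# Constructed sample input (assumption, not real data): subdomains already
# confirmed by passive recon, plus a small Altdns-style permutation word list.
KNOWN = ["dev1.target.com", "api.target.com"]
WORDS = ["dev", "staging", "api", "test"]
APEX = "target.com"


def permutations_for(fqdn, words, apex=APEX):
    """Return candidate names derived from one known subdomain.

    Two strategies: bump a trailing number (dev1 -> dev2, dev3), and join each
    word to the label (and to its numberless stem) with '-', '.' or nothing,
    on both sides.
    """
    if not fqdn.endswith("." + apex):
        return set()                      # not under the apex we are mapping
    label = fqdn[: -len(apex) - 1]        # "dev1" from "dev1.target.com"
    bases = [label]
    cands = set()
    m = re.match(r"^(.*?)(\d+)$", label)
    if m:
        stem, num = m.group(1), int(m.group(2))
        for n in range(num + 1, num + 3):
            cands.add(f"{stem}{n}.{apex}")   # dev2, dev3
        if stem:
            bases.append(stem)            # also permute the bare "dev"
    for base in bases:
        for w in words:
            if w == base:
                continue
            for sep in ("-", ".", ""):
                cands.add(f"{base}{sep}{w}.{apex}")
                cands.add(f"{w}{sep}{base}.{apex}")
    return cands


def generate(known, words, apex=APEX):
    """All candidates for a list of known subdomains, minus names already known."""
    out = set()
    for fqdn in known:
        out |= permutations_for(fqdn, words, apex)
    return sorted(out - set(known))


if __name__ == "__main__":
    for name in generate(KNOWN, WORDS):
        print(name)                       # one candidate per line, resolver-ready
```

Write the output to a file and feed it to the resolver of your choice (for example as a gobuster dns wordlist) to find which candidates actually exist.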

2. Port Scanning (Finding the Open Doors)

Once you have compiled a massive list of valid subdomains and IP addresses, you need to know what services are running on them. A web application might not just run on standard ports 80 (HTTP) and 443 (HTTPS); it could be hiding on port 8080, 8443, or exposing internal databases on port 3306.

To discover these, we use Port Scanners:

  • Nmap (Network Mapper): The undisputed king of network scanning. It sends raw IP packets to determine available hosts, running services, and operating system versions.
  • The Hacker's Command: nmap -sV -p- -T4 target.com
  • Breakdown: -sV probes open ports to determine service and version info; -p- forces Nmap to scan all 65,535 ports instead of just the top 1,000; and -T4 speeds up the scan.
  • Masscan: While Nmap is thorough, it can be slow across a massive infrastructure. Masscan is an asynchronous scanner capable of scanning the entire internet in under six minutes. It is perfect for quickly pinging thousands of IPs specifically for open web ports (e.g., 80, 443, 8080).

Real-World Example: Hacker Andy Gill earned a $2,500 bounty on PornHub simply by port-scanning a staging subdomain and discovering port 60893 was open and running an exposed Memcache service.

3. Content Discovery (Directory & File Brute-Forcing)

You have the subdomains and the open ports. Now, you open your browser, visit the website, and see a normal homepage. But what is hidden beneath the surface? Developers frequently leave behind unprotected admin panels (/admin), database backups (/backup.zip), or legacy API endpoints (/api/v1/users).

Because these are not linked anywhere on the homepage, a standard web spider will never find them. We must brute-force the URI paths:

  • Dirsearch & Gobuster (Dir Mode): These tools take a wordlist (again, use SecLists like quickhits.txt or raft-large-directories.txt) and make thousands of HTTP requests to the server.
  • Command: gobuster dir -u https://target.com -w wordlist.txt.
  • Command: dirsearch.py -u target.com -e php,txt,bak (The -e flag looks for specific file extensions).
  • FFuF (Fuzz Faster U Fool): A highly flexible command-line fuzzer that can brute-force directories with extreme speed.
  • Reading the Responses: You are looking for specific HTTP status codes. 200 OK means the hidden file exists and is accessible. 403 Forbidden means it exists but is protected (which might be bypassed later). 301/302 indicates a redirection.
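Reading the responses at scale, as an added example for this post (not gobuster's or dirsearch's own code): it parses lines in the style of gobuster's dir-mode output, sorts them into the 200 / 403 / 301-302 buckets described above, and handles the one edge case that makes raw status codes misleading, a "soft 404" where the server answers 200 with the same catch-all page for every path. The sample lines are constructed, and the repeat threshold of three identical 200 sizes is an assumption you would tune per target.

```python
import re
from collections import Counter

# Constructed sample scan output in the style of gobuster dir mode (not a real scan).
SAMPLE = """\
/admin                (Status: 403) [Size: 277]
/backup.zip           (Status: 200) [Size: 1048576]
/api/v1/users         (Status: 200) [Size: 5123]
/login                (Status: 301) [Size: 0] [--> https://target.com/login/]
/foo                  (Status: 200) [Size: 3120]
/bar                  (Status: 200) [Size: 3120]
/baz                  (Status: 200) [Size: 3120]
/qux                  (Status: 200) [Size: 3120]
"""

# path, status, size and an optional redirect target
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s*\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s*\[-->\s*(?P<location>\S+)\])?"
)


def parse(text):
    """Turn scanner output lines into dicts; unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["size"] = int(d["size"])
            hits.append(d)
    return hits


def soft404_sizes(hits, min_repeats=3):
    """Response sizes shared by many 200s: a catch-all page posing as real hits."""
    sizes = Counter(h["size"] for h in hits if h["status"] == 200)
    return {s for s, n in sizes.items() if n >= min_repeats}


def triage(text):
    """Bucket paths exactly as the post reads them, with soft-404 noise split out."""
    hits = parse(text)
    noise = soft404_sizes(hits)
    buckets = {"accessible": [], "protected": [], "redirect": [], "noise": []}
    for h in hits:
        if h["status"] == 200 and h["size"] in noise:
            buckets["noise"].append(h["path"])
        elif h["status"] == 200:
            buckets["accessible"].append(h["path"])
        elif h["status"] == 403:
            buckets["protected"].append(h["path"])
        elif h["status"] in (301, 302):
            buckets["redirect"].append(h["path"])
    return buckets
```

A quick sanity check before trusting any 200 is to request a random, surely nonexistent path and compare its size with your hits; the noise bucket here approximates that automatically.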

4. Visual Reconnaissance (Screenshotting at Scale)

Imagine your subdomain enumeration and port scanning resulted in a list of 500 live web servers. Manually visiting each IP address and port in your browser to see what is hosted there would take days.

Elite bug hunters automate this visual inspection using screenshotting tools:

  • EyeWitness / Gowitness: You feed these tools your massive list of URLs. They will spin up a headless browser, visit every single URL, take a screenshot of the rendered page, record the server headers, and generate an easy-to-read HTML gallery.
  • Aquatone: Another exceptional tool that clusters similar-looking web pages together, allowing you to instantly ignore hundreds of identical "404 Not Found" pages and focus on the unique, forgotten administrative dashboards.

The Hacker's Map is Complete

By combining Active Subdomain Enumeration, Port Scanning, Content Discovery, and Visual Reconnaissance, you have transformed a single domain name into a vast, detailed map of the organization's entire digital infrastructure. You know where the hidden doors are, what locks they use, and which ones look rusty.

In our next post, we will conclude the Reconnaissance volume by hunting for the ultimate prize: Information Leaks & Secrets (Github recon, exposed .git folders, and metadata analysis).