Introduction
Hello everyone,
I am Nitin Yadav from India with another write-up, so please ignore any mistakes 🙂
Without wasting much time, let's roll into the blog.
Recon is one of the most misunderstood phases in bug bounty and penetration testing.
Many beginners (and even some intermediate hunters) believe recon means running a few tools like subfinder or amass, collecting live subdomains, and moving straight to scanning or exploitation. If the tools don't return anything interesting, they assume the target is "secure" or "not worth time."
This assumption is wrong.
Recon is not just about tools.
Recon is about thinking creatively.
Tools only show you what exists right now.
They don't show you what existed before – and that's where most people lose valuable attack surface.
In this blog, I want to talk about one simple but extremely powerful recon technique that I personally use often, and surprisingly, very few people discuss it properly.
This technique combines:
- DNS History
- Archive.org (Wayback Machine)
When used together, they help uncover forgotten subdomains, old endpoints, and abandoned assets that companies no longer monitor but attackers can still abuse.
This blog is not about running fancy scanners.
It's about understanding how companies evolve, migrate, and forget – and how you can turn that forgetfulness into findings.
Let's break it down step by step in the next part.
Why Deleted Subdomains Still Matter
One thing many people don't realize is this:
Removing a subdomain does not erase its history.
When a company deletes or changes a subdomain, they are usually focused on:
• Launching a new version
• Migrating infrastructure
• Cleaning up visible assets
They are not thinking about attackers looking at historical data.
From a security perspective, this creates a dangerous gap.
What Actually Happens When a Subdomain Is Removed?
Let's say a company once had:
dev.target.com
api.target.com
old-admin.target.comOver time, they:
• Shut it down
• Migrated to a new domain
• Changed hosting providers
• Removed DNS records
Today, if you run subfinder or amass, you might see nothing.
Most hunters stop here.
But in reality:
• That subdomain existed
• It served content
• It had endpoints
• It may still be referenced somewhere
And guess who remembers all of this?
The Internet Never Forgets
Two major places keep historical records:
• DNS history databases
• Web archives
DNS history tools store old DNS records:
• A records
• CNAMEs
• MX entries
• IP mappings
Web archives store old HTTP responses:
• Pages
• API endpoints
• JavaScript files
• Parameters
• Sometimes even secrets
So even if a subdomain is dead today, its past version may still expose valuable information.
Why This Matters for Bug Bounty
Old subdomains and URLs are dangerous because they are often:
• Forgotten
• Unmonitored
• Poorly maintained
• Re-used without proper security review
This can lead to real vulnerabilities.
Some common issues I've seen through this approach:
• Subdomain takeover opportunities
• Old S3 buckets still referenced
• APIs working without authentication
• Login panels no one remembers
• Hardcoded keys in archived JavaScript
• Backup files exposed in old paths
None of this shows up in a normal "live-only" recon workflow.
This Is Where Most Hunters Fail
Most people do:
Run tools → Scan → Give upExperienced hunters do:
Understand history → Follow traces → Find forgotten assetsThat difference is not skill.
It's mindset.
Now, I'll explain exactly how I start this process using DNS history tools, and what kind of data you should collect (even if the subdomain is dead).
That's where the real recon begins.
DNS History Lookup (Where Recon Really Starts)
This is the step where most people never go – and that's exactly why it works.
When a subdomain disappears today, recon tools stop showing it.
But DNS history tools don't care about today.
They care about what existed before.
And for recon, past is power.
What DNS History Actually Gives You
DNS history tools store old records such as:
• A records (IP addresses)
• CNAMEs (service mappings)
• MX records (mail servers)
• Hosting provider changes over time
Even if a subdomain is dead now, DNS history can tell you:
• It existed
• Where it pointed
• What service it used
• Whether it might be re-usable or takeover-prone
This is extremely valuable context.
Tools I Use for DNS History
I usually start with these:
• SecurityTrails
• DNSDumpster
• ViewDNS
You don't need all of them every time.
Even one is enough to open doors.
What to Look For
When checking DNS history, don't just glance and move on.
Look carefully for:
• Old subdomains that no longer resolve
• CNAMEs pointing to third-party services (AWS, Azure, GitHub, etc.)
• Repeated IP changes (indicates migrations)
• Weird or forgotten names like:
• old
• dev
• test
• beta
• staging
• internalThese are high-risk assets.
Save Everything (Even Dead Ones)
This part is critical.
Most people make this mistake:
It's not resolving, so it's useless.
That thinking kills good findings.
When I do DNS history recon:
• I save every subdomain
• I don't care if it's dead
• I don't care if it returns NXDOMAIN
Why?
Because DNS history is only Step 1.
Dead subdomains are often:
• Referenced in old JavaScript
• Archived in Wayback Machine
• Re-used later with weak security
• Eligible for subdomain takeover
If you don't save them now, you lose the trail.
Recon Is Not About Speed
At this stage, you're not hacking yet.
You're:
• Building context
• Mapping evolution
• Understanding how the company changed over time
This is slow recon.
But slow recon finds bugs.
Now, I'll show how I take these "dead" subdomains and bring them back to life using Archive.org, and why this step exposes things scanners will never show.
That's where recon turns into time travel
Archive.org (Turning Dead Assets Back On)
This is where things start getting interesting.
At this point, you already have:
• A list of current subdomains
• A list of dead or removed subdomains from DNS history
Most hunters stop here.
This is exactly where I start.
Why Archive.org Is So Powerful
Internet Archive (Wayback Machine) stores historical snapshots of websites over time.
That means:
• Pages that no longer exist
• Endpoints that were removed
• Files that were deleted
• Old JavaScript and API paths
Even if a subdomain is completely dead today, Wayback may still have:
• Full HTML responses
• Parameters
• Forms
• Linked resources
From a recon perspective, this is a goldmine.
How I Use the Wayback Machine
I don't just archive the root domain and leave.
I specifically search for:
• Dead subdomains
• Old paths
• API versions
• Authentication-related pages
Examples:
https://subdomain.target.com/login
https://api.target.com/v1/
https://old.target.com/adminSometimes the root page shows nothing, but a specific path is fully archived.
What You Can Find in Archived Pages
From real-world testing, archived data often reveals:
• Login panels no longer linked anywhere
• Admin dashboards from old builds
• API endpoints that still work
• Hardcoded API keys inside JavaScript
• Internal tool references
• Backup files and debug paths
These findings don't come from scanning.
They come from history.
The Most Dangerous Part: Forgotten APIs
APIs are frequently:
• Versioned
• Deprecated
• Replaced
But developers often:
• Remove them from frontend
• Forget to disable them backend
Using Wayback, you can find:
• /api/v1/
• /api/internal/
• /api/test/
Even if they're not documented today.
If the backend still accepts requests, this becomes a real vulnerability.
Why This Step Is Missed
Most recon workflows are:
Live → Scan → ReportThis approach is:
Past → Understand → Verify → ExploitThat difference changes everything.
Now, I'll explain how I automate this process using Wayback-focused tools and how to filter thousands of URLs down to the ones that actually matter.
This is where recon becomes efficient, not noisy.
Scaling This Technique – Automating Wayback Recon
Manually checking Archive.org is powerful, but it doesn't scale.
Once you start doing this on real bug bounty targets, you'll quickly realize:
• One domain can have thousands of archived URLs
• Manually searching becomes slow
• Important endpoints get buried in noise
This is where automation helps – without turning recon into blind scanning.
Tools That Make Wayback Recon Practical
These tools pull historical URLs from multiple sources, including Wayback Machine and other archives:
• gau (Get All URLs)
• waybackurls
• urlhunter
These tools don't discover new subdomains.
They extract old paths and endpoints tied to domains you already have.
That distinction is important.
What I Actually Do (My Workflow)
Once I have:
• Live subdomains
• Dead subdomains (from DNS history)
I run URL collection tools against all of them.
This gives me:
• Old login URLs
• Deprecated API versions
• Hidden admin panels
• Test and debug endpoints
• File paths that no longer exist in production UI
At this stage, the output is messy – and that's expected.
Recon is messy before it becomes clean.
Filtering Is Where Skill Matters
Raw output is useless without filtering.
I usually filter for keywords like:
• admin
• login
• auth
• backup
• old
• test
• dev
• .git
• .env
• .zip
• .sqlWhy?
Because these paths historically:
• Expose sensitive functionality
• Lead to misconfigurations
• Reveal forgotten assets
• Indicate poor cleanup
This filtering step often reduces thousands of URLs down to a few dozen high-quality targets.
Quality > quantity.
Why Archived URLs Are So Dangerous
Archived URLs often:
• Were never meant to be public long-term
• Were created for internal use
• Lack modern security controls
• Bypass newer frontend protections
Even if:
• The page returns 404 today
• The UI no longer links to it
The backend might still respond.
And that's where vulnerabilities hide.
This Is Not Noise Recon
This approach is not about:
• Spamming requests
• Running loud scanners
• Hoping for low-hanging fruit
It's about:
• Understanding application history
• Following developer mistakes
• Testing what people forgot to remove
Now, I'll explain why this technique works so well in real-world companies, and why modern development workflows accidentally make attackers stronger.
That's the mindset shift most hunters never make.
Why This Technique Works So Well in the Real World
At this point, you might be thinking:
If this is so effective, why don't companies fix it?
The answer is simple.
Because companies move forward, not backward.
Security teams usually focus on:
• What is live today
• What is customer-facing
• What is part of the current release
Very few teams regularly audit:
• Historical subdomains
• Deprecated APIs
• Old paths still reachable
• Archived content leaks
And that gap is exactly where this recon technique wins.
How Modern Development Creates Blind Spots
In real organizations:
• Products are redesigned
• Infrastructure is migrated
• APIs are versioned and replaced
• Cloud providers are changed
• Teams rotate or leave
When this happens:
• Old subdomains are removed from DNS
• Frontend links are deleted
• Documentation is updated
But backend services may:
• Still exist
• Still accept requests
• Still trust old inputs
• Still expose sensitive behavior
No scanner catches this unless you know where to look.
"Security by Deletion" Is a Myth
Many teams assume:
"We removed the page, so the risk is gone."
That's rarely true.
If:
• The endpoint still works
• The API still processes input
• The service still trusts parameters
Then the vulnerability still exists.
Wayback + DNS history help you:
• See what existed
• Understand what was removed
• Test what might still be reachable
This is not guessing.
It's evidence-based recon.
Why Most Hunters Miss This
Most bug bounty hunters:
• Follow the same YouTube workflows
• Use the same tool chains
• Look at the same live assets
So everyone ends up testing:
• The same login page
• The same API endpoints
• The same subdomains
Historical assets are ignored because:
• They don't look "live"
• They don't show up in tools
• They require manual thinking
And that's exactly why they work.
Recon Is About Context, Not Coverage
Good recon is not:
• Finding everything
• Running every tool
• Generating massive output
Good recon is:
• Understanding how the application evolved
• Finding what was forgotten
• Testing assumptions developers made years ago
This technique gives you context, not just data.
So, At last lets wrap this up with how to apply this mindset in your next bug bounty target, and why this approach consistently separates serious hunters from casual ones.
That's where everything comes together.
Final Thoughts – Recon as Time Travel
If there's one idea I want you to take from this blog, it's this:
Recon is not about the present.
Recon is about the past.
Anyone can run subfinder, amass, or screenshots tools.
That only shows what a company wants you to see today.
But real bugs often live in:
• What was rushed
• What was replaced
• What was forgotten
And that's exactly what DNS history and Archive.org reveal.
How to Apply This on Your Next Target
On your next bug bounty or pentest target:
1. Run your normal recon tools
2. Collect live subdomains
3. Pull DNS history and save everything
4. Take dead subdomains to Archive.org
5. Extract historical URLs using Wayback tools
6. Filter for high-risk paths
7. Manually verify what still responds
Don't rush this process.
Slow recon finds deep bugs.
This Is Why It Works
Because:
• Companies move fast
• Teams change
• Security reviews focus on current builds
• Old assets fall out of scope
But the internet never forgets.
And attackers who understand history always have an advantage.
If You're Serious About Bug Bounty
Try this technique seriously on one target.
Not for five minutes.
Not half-heartedly.
Do it properly.
You'll find:
• Endpoints no one tests
• APIs no one monitors
• Panels no one remembers
• Data no one thought was still accessible
Most hunters scan the surface.
You dig deep.
Thanks for reading this write-up. If this helped you think differently about recon, then it did its job.
Happy hunting.