Discovery

Turn a handful of in-scope roots into a complete, validated inventory of domains and live hosts.

Discovery is where you expand a short scope list into the real attack surface. A client hands you example.com and three CIDRs; by the end of discovery you want every subdomain, every resolving host, and every live IP that belongs to them.

The pipeline is a funnel — each stage produces input for the next, and every candidate gets filtered against your scope blacklist before it moves forward:

seed roots ─▶ subdomain enumeration ─▶ DNS resolution ─▶ host discovery ─▶ live hosts
     │              (passive+active)        (which resolve)   (which are up)
     └──◀── certificate transparency & reverse DNS feed new roots back in ◀──┘

The stages

  1. Root domain recon — WHOIS, DNS records, org footprint.
  2. Subdomain enumeration — passive + active + brute.
  3. DNS resolution — which of those names actually resolve, and to what.
  4. Certificate & SSL harvesting — pull more names out of TLS certs.
  5. Host discovery — which IPs are actually alive.

Keep looping: cert harvesting and reverse DNS routinely turn up new root domains. Add the in-scope ones back to scope-domains.txt and re-run enumeration. Discovery is “done” when a full loop produces nothing new.
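The two rules in the funnel above, filter every candidate against scope before it moves forward and stop when a full loop adds nothing, are easy to get subtly wrong (case, wildcard prefixes, lookalike names such as example.com.evil.io). The script below is an added example, not code from the original guide: it assumes a scope-domains.txt of root domains (as the page uses) plus a hypothetical scope-blacklist.txt of names to exclude, builds a constructed candidate list in a temp directory, and runs the merge loop offline until a round produces nothing new.

```shell
#!/usr/bin/env sh
# Added example: scope filtering and loop termination for the discovery funnel.
# All files and candidate names below are constructed; nothing touches the network.
export LC_ALL=C                     # sort and comm must agree on collation
WORK="$(mktemp -d)"

# Constructed scope files (one entry per line). scope-blacklist.txt is an assumed name.
printf '%s\n' example.com example.net > "$WORK/scope-domains.txt"
printf '%s\n' legacy.example.com      > "$WORK/scope-blacklist.txt"

# in_scope NAME SCOPEFILE BLACKLIST -> 0 if NAME is a root or under one,
# and neither equal to nor under any blacklisted name.
in_scope() {
  name="$1"; scope="$2"; blacklist="$3"
  case "$name" in *[!a-zA-Z0-9.-]*) return 1 ;; esac   # reject junk tokens
  hit=1
  while read -r root; do
    [ -z "$root" ] && continue
    [ "$name" = "$root" ] && hit=0
    case "$name" in *".$root") hit=0 ;; esac           # suffix match on a label boundary
  done < "$scope"
  [ $hit -eq 0 ] || return 1
  while read -r bad; do
    [ -z "$bad" ] && continue
    [ "$name" = "$bad" ] && return 1
    case "$name" in *".$bad") return 1 ;; esac
  done < "$blacklist"
  return 0
}

# filter_candidates CANDIDATES SCOPEFILE BLACKLIST -> normalised, deduplicated,
# sorted in-scope names (lowercase, "*." prefix and trailing dot stripped).
filter_candidates() {
  tr 'A-Z' 'a-z' < "$1" | sed 's/^\*\.//; s/\.$//' | sort -u | while read -r n; do
    in_scope "$n" "$2" "$3" && printf '%s\n' "$n"
  done
}

# merge_new FILTERED KNOWN -> appends unseen names to KNOWN, prints how many were new.
merge_new() {
  filtered="$1"; known="$2"; tmp="$(mktemp)"
  sort -u "$known" > "$tmp.known"
  comm -13 "$tmp.known" "$filtered" > "$tmp.new"      # lines only in FILTERED
  cat "$tmp.new" >> "$known"
  wc -l < "$tmp.new" | tr -d ' '
  rm -f "$tmp" "$tmp.known" "$tmp.new"
}

# discovery_round CANDIDATES -> number of new in-scope names merged this round.
discovery_round() {
  filter_candidates "$1" "$WORK/scope-domains.txt" "$WORK/scope-blacklist.txt" > "$WORK/filtered.txt"
  merge_new "$WORK/filtered.txt" "$WORK/known.txt"
}

# Constructed enumeration output: duplicates, a wildcard, out-of-scope and blacklisted names.
printf '%s\n' www.example.com WWW.EXAMPLE.COM '*.api.example.com' vpn.example.net \
  old.legacy.example.com example.com.evil.io notexample.com > "$WORK/candidates.txt"
: > "$WORK/known.txt"

round=0
while :; do
  round=$((round + 1))
  added="$(discovery_round "$WORK/candidates.txt")"
  echo "round $round: $added new in-scope name(s)"
  [ "$added" -eq 0 ] && break                          # a full loop with nothing new ends discovery
done
ROUNDS=$round
echo "inventory:"; cat "$WORK/known.txt"
```

In a real run the candidate file is the merged output of the enumeration tools, and the loop body would re-run enumeration on the newly added names before the next `discovery_round`; the termination check stays the same.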

Root domain recon

Before enumerating subdomains, fingerprint each root. It’s cheap, passive, and orients everything that follows.

# One directory per root; WHOIS, the core record types, then DMARC.
while read -r domain; do
  mkdir -p "recon/domains/$domain"
  whois "$domain"        | tee "recon/domains/$domain/whois.txt"
  # all record types for the root go into one file
  for rec in A MX NS TXT SOA; do
    dig +noall +answer "$domain" "$rec"
  done                   | tee "recon/domains/$domain/dig.txt"
  # DMARC / SPF often leak infra and partner domains
  dig +short TXT "_dmarc.$domain"  | tee "recon/domains/$domain/dmarc.txt"
done < scope-domains.txt

What I’m looking for in the output:

  • Registrant org / email in WHOIS — pivot to find sibling domains.
  • NS / MX — who hosts DNS and mail; hints at cloud vs. on-prem.
  • SPF / DMARC TXT records — they frequently list partner and infra domains worth investigating (and adding to scope if they belong to the client).

If the client owns IP space, look up their ASN (whois -h whois.radb.net <ip> or bgp.he.net) and pull the announced prefixes. amass intel -asn <ASN> automates this. The CIDRs you recover become new entries in scope-ips.txt.
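Reading the SPF and DMARC records by eye is fine for three roots and tedious for thirty. The functions below are an added example, not code from the original guide: they parse the tokens that reference other domains (include:, redirect=, a:, mx:) and networks (ip4:, ip6:) out of an SPF record, the rua/ruf report addresses out of a DMARC record, and split the referenced domains into ones already under a scope root and third parties whose ownership you check before adding anything to scope-domains.txt. The records and the scope file are constructed; in practice feed the functions the output of dig +short TXT.

```shell
#!/usr/bin/env sh
# Added example: pull pivot material out of SPF and DMARC TXT records offline.
# Function names are this example's own; the records below are constructed.
export LC_ALL=C

# spf_domains RECORD -> domains referenced by include:, redirect=, a: and mx:
spf_domains() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk '
    { sub(/^[+~?-]/, "") }                       # drop the qualifier (+ - ~ ?)
    /^include:/  { print substr($0, 9) }
    /^redirect=/ { print substr($0, 10) }
    /^(a|mx):/   { split($0, p, ":"); split(p[2], h, "/"); print h[1] }   # strip /prefix-len
  ' | sort -u
}

# spf_prefixes RECORD -> ip4:/ip6: networks; candidates for scope-ips.txt once
# you have confirmed they belong to the client and not to a mail provider.
spf_prefixes() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk '
    { sub(/^[+~?-]/, "") }
    /^ip[46]:/ { print substr($0, 5) }
  ' | sort -u
}

# dmarc_domains RECORD -> mailbox domains receiving aggregate (rua) and forensic (ruf) reports
dmarc_domains() {
  printf '%s\n' "$1" | tr ';' '\n' | awk -F= '
    $1 ~ /^ *ru[af] *$/ {
      n = split($2, u, ",")
      for (i = 1; i <= n; i++) {
        if (u[i] ~ /^ *mailto:/) {
          sub(/^ *mailto:[^@]*@/, "", u[i])   # keep only the domain after @
          sub(/!.*$/, "", u[i])               # drop a "!10m" report size limit
          print u[i]
        }
      }
    }
  ' | sort -u
}

# third_party SCOPEFILE: reads names on stdin, prints those not under any scope root
third_party() {
  while read -r n; do
    own=1
    while read -r root; do
      [ "$n" = "$root" ] && own=0
      case "$n" in *".$root") own=0 ;; esac
    done < "$1"
    [ $own -eq 1 ] && printf '%s\n' "$n"
  done
}

# pivot_domains SPF DMARC SCOPEFILE -> referenced domains that are not already in scope
pivot_domains() {
  { spf_domains "$1"; dmarc_domains "$2"; } | sort -u | third_party "$3"
}

# Constructed records for example.com; the vendor names are placeholders.
SPF='v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.google.com include:spf.protection.outlook.com a:mail.example.com/24 mx:example.com -all'
DMARC='v=DMARC1; p=reject; rua=mailto:dmarc@example.com,mailto:rep@dmarc-vendor.example!10m; ruf=mailto:forensics@example.org'
SCOPE="$(mktemp)"; printf '%s\n' example.com > "$SCOPE"

echo "== networks to verify for scope-ips.txt";      spf_prefixes "$SPF"
echo "== all referenced domains";                    { spf_domains "$SPF"; dmarc_domains "$DMARC"; } | sort -u
echo "== third-party: confirm ownership before adding to scope"; pivot_domains "$SPF" "$DMARC" "$SCOPE"
```

Most of what comes out of the third-party list will be mail providers and DMARC report services that belong to someone else; the ones worth a WHOIS lookup are the domains that share the client's registrant org or nameservers.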

Continue to Subdomain Enumeration.


Subdomain Enumeration

Passive, active, and brute-force discovery of subdomains for each in-scope root.

DNS Resolution

Resolve enumerated names to IPs at scale, separate live from dead, and turn resolved addresses into IP scope.

Certificate & SSL Harvesting

Pull hostnames out of live TLS certificates to find assets nothing else surfaces.

Host Discovery

Find which IPs in scope are actually alive before you spend time on full port scans.

Last modified July 4, 2026: Post/mobi (#71) (ff64902)