Discovery
Find the road less traveled
This means find the application (or the parts of an application) that have been tested least. In wide-scoped projects the flagship application will most likely already have been heavily assessed.
- ^.acme.com scope is your friend
- Find domains via Google (and others!)
- Can be automated well via recon-ng and other tools.
- Port scan for obscure web servers or services (on all domains)
- Find acquisitions and the bounty acquisition rules
- Google has a 6 month rule
- Functionality changes or re-designs
- Mobile websites
- New mobile app versions
- Searching parent company by trademark or privacy policy
Tool: Recon-ng script (enumall.sh)
LMGTFY: Let Me GOOGLE That For You
site:paypal.com -www.paypal.com -www.sandbox
List of Mergers and Acquisitions:
Port Scanning
Port scanning is not just for Netpen! A full port scan of all your new found targets will usually yield #win:
- separate webapps
- extraneous services
- Facebook had Jenkins Script console with no auth
- IIS.net had RDP open, vulnerable to MS12-020
nmap -sS -A -PN -p- --script=http-title dontscanme.bro
(SYN scan, OS + service fingerprint, no ping, all ports, HTTP titles)
Zseano Recon Pipeline
# Full subdomain pipeline
amass enum -brute -active -d target.com -o amass.txt
subfinder -d target.com >> amass.txt
cat amass.txt | sort -u | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 | tee online.txt
cat amass.txt | dnsgen - | httprobe >> online.txt
cat online.txt | aquatone
# Historical URLs
gau target.com | sort -u > gau.txt
waybackurls target.com | sort -u >> gau.txt
Google dorks:
site:target.com inurl:& -movies
site:target.com ext:php | ext:aspx | ext:jsp | ext:bak | ext:xml
GitHub/Shodan: search “target.com” + api_key, password, secret
Subdomain keywords to prioritize: dev, qa, staging, admin, internal, api
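Added example (not part of the original notes): a POSIX shell triage step that takes httprobe-style output like the online.txt from the pipeline above, strips scheme and port, deduplicates the hosts, and ranks them by the keyword list above so that the likely less-tested hosts surface first. The hostnames under target.com are constructed sample data, and the rank order (dev before qa before staging, and so on) is an assumption made here.

```shell
#!/bin/sh
# rank_hosts: read "scheme://host[:port]" lines on stdin (httprobe output),
# print "rank host" with the most interesting rank (1) first.
# Rank 1..6 = keyword order dev, qa, staging, admin, internal, api (assumed order);
# hosts that match no keyword get rank 9. A keyword only counts when it starts a
# DNS label (after "." or "-"), so "rapid" does not match "api".
rank_hosts() {
  sed -E 's#^[a-z]+://##; s#:[0-9]+$##' \
  | sort -u \
  | awk '
      BEGIN { split("dev qa staging admin internal api", kw, " ") }
      {
        r = 9
        for (i = 1; i <= 6; i++) {
          if (i < r && $0 ~ "(^|[.-])" kw[i]) { r = i }
        }
        print r, $0
      }' \
  | sort -k1,1n -k2,2
}

# sample_hosts: constructed sample lines in httprobe output format
# (duplicates across scheme/port and a non-matching "rapid" host on purpose).
sample_hosts() {
  printf '%s\n' \
    'https://dev.target.com:8443' \
    'http://www.target.com' \
    'https://dev.target.com' \
    'http://api-gw.target.com:3000' \
    'https://staging-admin.target.com' \
    'http://rapid.target.com'
}

# usage: cat online.txt | rank_hosts     (or: sample_hosts | rank_hosts)
```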