Hey everyone...! 👋




In this article, I will share information about a manual recon process through which you can find juicy endpoints 🍒 and possibly discover the original IP 🌍, which can be useful for chaining critical vulnerabilities! 🔓


Three services are used in this process:




1) VirusTotal.com 🦠

This service is widely used by recon tools such as Subfinder.
Here, we query its API directly with our own API key to fetch data about the domain.

URL:
https://www.virustotal.com/vtapi/v2/domain/report?domain=<domain>&apikey=<API_KEY>


Simply replace <domain> with your target and <API_KEY> with your own API key 🔑, and you're good to go! ✅




2) AlienVault.com 👽

This service is also well known in recon.
Many of you may not be aware that it can be queried manually, so here is how to use it:

API endpoint:
https://otx.alienvault.com/api/v1/indicators/hostname/<DOMAIN>/url_list?limit=500&page=1


Just replace <DOMAIN> with your target domain or subdomain, and you're all set!
Note: No API key is needed for this one! 🚫🔑




3) URLScan.io 🔍

URLScan allows you to search for domain-related information. While some features require a subscription 💳, you can still access a lot of data with the free plan! 🎉

API endpoint:
https://urlscan.io/api/v1/search/?q=domain:<DOMAIN>&size=10000


Again, replace <DOMAIN> with your target domain or subdomain.
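The three lookups above are really one workflow: fetch the data, pull out URLs and resolved IPs, drop anything outside the domain you are assessing, and flag file types worth a closer look. The script below is an added example (it is not part of the original post and does not come from VirusTotal, AlienVault or URLScan.io) that does exactly that. It uses the three endpoint URLs quoted above; the response field names it reads (`detected_urls`, `undetected_urls` and `resolutions` for VirusTotal v2, `url_list`/`has_next` for OTX, `results[].page` for URLScan) are assumptions from the public API documentation, and the sample responses, the `example.com` domain and the RFC 5737 addresses are constructed so the parsing can run offline. Only run the live mode against domains you own or are authorised to assess.

```python
"""Passive recon aggregator (added example, not code from the original post).

Pulls URL and IP observations for one domain from VirusTotal v2, AlienVault OTX
and URLScan.io, keeps only in-scope hosts, and flags interesting file types.
Offline mode (default) runs on constructed sample responses; live mode needs
VT_API_KEY in the environment and a domain argument.
"""
import json
import os
import re
import sys
import urllib.parse
import urllib.request

# Endpoints exactly as quoted in the post.
VT_URL = "https://www.virustotal.com/vtapi/v2/domain/report?domain={domain}&apikey={key}"
OTX_URL = "https://otx.alienvault.com/api/v1/indicators/hostname/{domain}/url_list?limit=500&page={page}"
URLSCAN_URL = "https://urlscan.io/api/v1/search/?q=domain:{domain}&size=10000"

# File types the post calls out (JS, text, PDF) plus a few common config/backup suffixes.
INTERESTING = re.compile(r"\.(js|txt|pdf|json|xml|env|bak|sql)(\?|$)", re.IGNORECASE)

# Constructed sample responses (field names are assumptions from the public API docs).
SAMPLE_VT = {
    "resolutions": [{"ip_address": "203.0.113.10", "last_resolved": "2024-01-01 00:00:00"}],
    "detected_urls": [{"url": "https://example.com/old/login.php", "positives": 1, "total": 70}],
    # v2 lists undetected URLs as [url, sha256, positives, total, scan_date]
    "undetected_urls": [["https://example.com/static/app.js", "deadbeef", 0, 70, "2024-01-02 00:00:00"]],
}
SAMPLE_OTX = {
    "url_list": [{"url": "https://example.com/docs/report.pdf"}, {"url": "https://example.com/"}],
    "has_next": False,
}
SAMPLE_URLSCAN = {
    "results": [
        {"page": {"domain": "example.com", "ip": "203.0.113.10", "url": "https://example.com/robots.txt"}},
        # Out-of-scope host that merely references the domain; must be filtered out.
        {"page": {"domain": "cdn.example.net", "ip": "198.51.100.7", "url": "https://cdn.example.net/x.js"}},
    ],
}


def fetch_json(url):
    """GET a JSON document with a short timeout (live mode only)."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example/1.0"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def in_scope(url, domain):
    """True when the URL's host is the domain or one of its subdomains (no suffix tricks)."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def parse_virustotal(report):
    """URLs and historically resolved IPs from a VT v2 domain report."""
    urls = {e["url"] for e in report.get("detected_urls", []) if "url" in e}
    urls |= {e[0] for e in report.get("undetected_urls", []) if e}
    # Historical resolutions are where a pre-CDN address may still be recorded.
    ips = {r["ip_address"] for r in report.get("resolutions", []) if "ip_address" in r}
    return urls, ips


def parse_otx(page):
    """URLs from one OTX url_list page plus whether another page follows."""
    return {e["url"] for e in page.get("url_list", []) if "url" in e}, bool(page.get("has_next"))


def parse_urlscan(result, domain):
    """URLs and observed IPs from URLScan search hits whose page host is in scope."""
    urls, ips = set(), set()
    for hit in result.get("results", []):
        page = hit.get("page", {})
        if "url" in page and in_scope(page["url"], domain):
            urls.add(page["url"])
            if page.get("ip"):
                ips.add(page["ip"])
    return urls, ips


def collect(domain, vt_report, otx_pages, urlscan_result):
    """Merge the three sources and return sorted, in-scope findings."""
    urls, ips = parse_virustotal(vt_report)
    for page in otx_pages:
        urls |= parse_otx(page)[0]
    us_urls, us_ips = parse_urlscan(urlscan_result, domain)
    urls |= us_urls
    ips |= us_ips
    urls = {u for u in urls if in_scope(u, domain)}
    return {
        "urls": sorted(urls),
        "ips": sorted(ips),
        "interesting": sorted(u for u in urls if INTERESTING.search(u)),
    }


def query_live(domain, vt_key, max_otx_pages=20):
    """Run the real lookups; OTX is paginated via the page parameter."""
    vt = fetch_json(VT_URL.format(domain=domain, key=vt_key))
    otx_pages = []
    for page in range(1, max_otx_pages + 1):
        data = fetch_json(OTX_URL.format(domain=domain, page=page))
        otx_pages.append(data)
        if not parse_otx(data)[1]:
            break
    return collect(domain, vt, otx_pages, fetch_json(URLSCAN_URL.format(domain=domain)))


if __name__ == "__main__":
    if len(sys.argv) == 2 and os.environ.get("VT_API_KEY"):
        print(json.dumps(query_live(sys.argv[1], os.environ["VT_API_KEY"]), indent=2))
    else:
        print(json.dumps(collect("example.com", SAMPLE_VT, [SAMPLE_OTX], SAMPLE_URLSCAN), indent=2))
```

The `in_scope` check matters more than it looks: URLScan's `domain:` search also returns pages on other hosts that merely load something from your domain, and `endswith("." + domain)` (rather than `in`) stops `example.com.evil.test` from slipping through. Treat every IP in the output as a historical observation to verify, not as a confirmed origin.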




Conclusion:

With the help of these tools 🛠️, you can find JavaScript files, sensitive text files 📄, PDFs with exposed information 🔓, and even the original IP addresses 🌐! Keep in mind that all three sources return historical observations, so confirm that anything you find is still live before relying on it.

If you have any doubts, feel free to DM me on LinkedIn or leave a comment below! 💬