Summary
Doing recon is like panning for possibilities. As long as you stay within scope, pan away. In this section I note down the methodology I follow for recon; it is bound to change over time as I learn more.
Step 1: APEX and Subdomains
There are multiple ways to gather potential subdomains, and if time permits, do all of them, especially if you (future me) are coming back to this while still working it all out.
The ways to acquire subdomains are:
Certificate Transparency (Passive)
Use CRT.SH to grab the apex and subdomains
Fingerprinting (Passive)
Use Wappalyzer or Builtwith
Fuzzing (Active)
Use FFUF, Caido, or Burp
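An added example for the Certificate Transparency step (not code from the original notes): parse the JSON that crt.sh returns for a `%.<domain>` query into a de-duplicated host list, keeping only names under the in-scope apex. The sample records are constructed to mirror the shape of crt.sh's `output=json` response and are not real CT entries.

```python
"""Turn crt.sh JSON output into an in-scope, de-duplicated list of hosts."""
import json

# Constructed sample mirroring crt.sh's ``?q=%25.example.com&output=json``
# response shape: one cert with a wildcard SAN, one multi-SAN cert that also
# carries an out-of-scope name (common on shared hosting certificates).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_ca_id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com\n*.dev.example.com"},
    {"issuer_ca_id": 2, "common_name": "mail.example.com",
     "name_value": "mail.example.com\nWWW.Example.com\nshared.example.net"},
])


def hosts_from_crtsh(raw_json: str, scope_apex: str) -> list[str]:
    """Return sorted unique hostnames that fall under scope_apex.

    crt.sh packs every SAN of a certificate into ``name_value``, separated by
    newlines. Names are lower-cased (DNS is case-insensitive), wildcard entries
    such as ``*.dev.example.com`` are reduced to their base label so the
    wildcard zone is recorded once, and anything outside the apex is dropped
    so the list respects scope before any active step is run against it.
    """
    apex = scope_apex.lower().strip(".")
    seen: set[str] = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            host = name.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]
            if host == apex or host.endswith("." + apex):
                seen.add(host)
    return sorted(seen)


def split_apex_and_subdomains(hosts: list[str], scope_apex: str) -> tuple[list[str], list[str]]:
    """Separate the apex itself from the subdomains beneath it."""
    apex = scope_apex.lower().strip(".")
    return ([h for h in hosts if h == apex], [h for h in hosts if h != apex])


if __name__ == "__main__":
    found = hosts_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    apex_hosts, subs = split_apex_and_subdomains(found, "example.com")
    print("apex:", apex_hosts)
    print("subdomains:", subs)
```

The same parser works on a live response fetched from crt.sh; the scope filter matters because multi-SAN certificates routinely list names belonging to other owners.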
Step 2: Check file types (Active)
Fuzzing
Use FFUF, Caido, or Burp
Step 3: Check for Directories (Active)
Use FFUF, Caido, or Burp
Step 4: Crawl (Active)
Use ReconSpider