Recon Is Stalking With Extra Steps
May 28, 2025 · 2 min · recon, python, subdomains, recon-suite
Let me describe what I built this month in the most unflattering terms possible, because honesty is a feature. I built a tool whose entire purpose is to find every door and window on a building the owner forgot they had. It is called subhunter, it enumerates subdomains, and yes, this is just stalking with a JSON output.
The legal-and-also-correct version: reconnaissance is where you map the real attack surface, which is almost always bigger than the target thinks it is. Companies spin up staging., dev., old-admin., that-thing-marketing-needed-in-2019. and then forget. Those forgotten corners are where the soft spots live.
subhunter does it two ways. Passively, it queries Certificate Transparency logs through crt.sh, which is a genuinely beautiful trick: every time someone gets a TLS certificate it is logged publicly, forever, so the CT log is basically a confession of every subdomain a company has ever bothered to secure. Actively, it brute-forces names against a wordlist and resolves whatever answers to find the hosts that are actually alive.
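As an added example, not subhunter's own code: a small Python parser for the crt.sh JSON output described above, turning it into a deduplicated inventory of names under one domain, which is the same log read from the asset-inventory side. It assumes crt.sh's `?q=%.<domain>&output=json` endpoint and its `name_value` field, which packs a certificate's SANs into one newline-separated string; the sample records are constructed.

```python
import json
import urllib.parse
import urllib.request


def extract_subdomains(records, domain):
    """Return sorted, unique hostnames under `domain` from crt.sh records.

    Wildcard labels ("*.") are stripped: "*.dev.example.com" points at the
    dev.example.com zone, not at a host literally named "*". Names from
    unrelated domains that happen to share a SAN list are dropped.
    """
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for rec in records:
        # name_value packs every SAN of the certificate into one string,
        # one name per line, so a single record can yield several hosts.
        for name in rec.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain, timeout=60):
    """Pull every certificate matching %.<domain> from crt.sh (network call)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-inventory/0.1"})
    # crt.sh can be slow under load, hence the generous timeout.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample records in the shape crt.sh returns (values made up).
SAMPLE = [
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\nDEV.example.com"},
    {"common_name": "shared.othercorp.com",
     "name_value": "shared.othercorp.com\nold-admin.example.com"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},  # duplicate cert
]

if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE, "example.com"):
        print(host)
```

Swap `SAMPLE` for `fetch_crtsh("example.com")` to run it against the live log; the parser is the part worth keeping, since the raw feed mixes wildcards, case and unrelated SANs.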
The active brute-forcing only ever runs against my own lab; the passive crt.sh lookups against example.com, because there is a bright legal line between “querying a public log” and “throwing ten thousand DNS requests at someone else’s infrastructure.” I intend to stay on the correct side of that line for the rest of my life.
The satisfying part: I wrapped pyscan and subhunter into one thin CLI, recon-suite. One command, point it at a domain, get a combined picture back. It is small. I do not care that it is small. It composes two things I built into one thing that does more than either, and that is the whole point of building your own tools instead of renting someone else’s.
Find the doors first. You cannot pick a lock you never knew was there.