If your reconnaissance phase begins and ends with running an off-the-shelf subdomain scraper against a primary target domain, you are competing for the exact same attack surface as everyone else. The days of finding critical vulnerabilities on obvious subdomains are mostly over.
Modern recon for red teams and bug bounty hunters is an iterative, non-linear process. You are hunting for the assets the organization forgot they owned: newly acquired apex domains, integration servers spun up for an hour, and shadow infrastructure hosted in the cloud. Every time you discover a new apex domain, you effectively quadruple your chances of successfully compromising the target, as each apex typically brings four to twelve unique subdomains with it.
Here is the methodology to find the infrastructure that standard tooling misses.
ASN and Owned Infrastructure Discovery
Before touching any cloud assets, map the target’s owned IPv4 space by identifying their Autonomous System Numbers (ASNs).
The primary source for this is Hurricane Electric’s BGP toolkit (bgp.he.net). Unlike command-line tools that blindly pull IP space based on generic keyword matches — which risks taking you out of scope — Hurricane Electric allows for a manual, verified freeform text search. Once you identify the correct ASN, navigate to the Prefixes v4 tab to extract all owned CIDR ranges.
The Hybrid Cloud MX Pivot
If your target’s primary domain resolves to an AWS or Akamai IP, do not assume they lack owned infrastructure. Organizations routinely front their main sites with cloud providers.
Use dnschecker to look up the DNS records for the apex domain. Scroll past the A records to the MX (Mail Exchange) records. Often, the MX records will point directly to the organization’s owned infrastructure. Grab the ASN associated with that MX record and feed it back into bgp.he.net to reveal their hidden /17 or /24 networks.
Apex Domains and Acquisitions
Finding subdomains is good; finding entirely new root domains is better.
Historically, attackers used the CheckMDI API to enumerate all federated email domains managed by a target’s Microsoft tenant, instantly revealing unlisted sibling companies and acquisitions. Microsoft shut this down, but the bug bounty community maintains an archived snapshot of every tenant ID and domain globally. Use the tenantdomains.sh script to query this historical dataset and pull apex domains.
# Extract all known email domains associated with a target's Microsoft Tenant
bash tenant-domains.sh -d target.com
For fresh data, monitor acquisitions. When a target acquires a company, they absorb its infrastructure — and its technical debt. Skip Crunchbase and use Tracxn or Pitchbook. Pitchbook is particularly valuable because it tracks low-value acquisitions that other databases ignore, which often lack proper security integration.
Uncovering Cloud Infrastructure via SSL Metadata
Stop using crt.sh. It entirely drops certificates that render errors, meaning you will never see expired or self-signed certificates via its interface. Dev servers and internal APIs frequently use self-signed certs.
To find your target’s hybrid cloud footprint, you must parse the Subject Alternative Name (SAN) and Common Name fields of SSL certificates across the entire IPv4 space of major cloud providers.
You have two paths:
- Active: Download the published IP ranges for AWS, GCP, Azure, and DigitalOcean (curated in repositories like Lord Alfred’s). Use Caduceus to scan port 443 across the entire AWS IP space in about three days, parsing out all certificate metadata.
- Passive: Download the monthly SNI datasets provided by the KaeferJaeger project. Simply grep for your target’s apex domains across their pre-scanned AWS/GCP output to instantly map where your target lives in the cloud.
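A bare grep for an apex domain also matches look-alikes such as nottarget.com or target.com.evil.example, which pulls out-of-scope hosts into your asset list. The scope-aware matcher below is an added example, not code from the post or the KaeferJaeger project; the "ip:port -- [name name ...]" line layout is an assumption about the dataset format and the sample lines are constructed.

```python
# Added example: scope-aware matching over an SNI dataset instead of a bare grep.
# The line layout ("ip:port -- [name name ...]") is an assumption about the dataset;
# the sample lines below are constructed.
from __future__ import annotations
import re

SAMPLE_SNI_DATA = """\
3.5.140.10:443 -- [api.target.com *.target.com]
52.1.2.3:443 -- [login.nottarget.com cdn.nottarget.com]
18.9.8.7:443 -- [target.com.evil.example]
34.4.5.6:443 -- [*.dev.target.com internal-api.target.com grafana.acquired-co.com]
"""

LINE_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+) -- \[(?P<names>[^\]]*)\]$")


def in_scope(name: str, apexes: set[str]) -> bool:
    """True only if name is exactly an apex or a subdomain of one.
    Leading wildcard labels are stripped, so '*.target.com' counts as target.com."""
    host = name.lower().lstrip("*.")
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def match_sni_dataset(text: str, apexes: set[str]) -> dict[str, list[str]]:
    """Map each IP to the in-scope SAN/CN names observed on it."""
    apexes = {a.lower() for a in apexes}
    hits: dict[str, list[str]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        names = [n for n in m.group("names").split() if in_scope(n, apexes)]
        if names:
            hits.setdefault(m.group("ip"), []).extend(names)
    return hits
```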
Subdomain Scraping Architecture
Out of the box, SubFinder will find the exact same assets as everyone else. To find the remaining 10%, you must configure external data sources.
Ensure you register for a free API key from ProjectDiscovery’s Chaos dataset, which yields a 5–15% increase in discovered hosts. More importantly, configure multiple GitHub Classic Tokens across several sock-puppet accounts in your SubFinder configuration to bypass GitHub’s aggressive API rate limiting and pagination drops.
For maximum coverage, run SubFinder and BBot in parallel. BBot consistently identifies 5–8% more subdomains out-of-the-box compared to an unconfigured SubFinder.
# Run in parallel, concatenate, and deduplicate
subfinder -d target.com -all -silent > subfinder.txt
bbot -t target.com -p subdomain-enum > bbot.txt
cat subfinder.txt bbot.txt | sort -u > unique_subs.txt
High-Speed Port Scanning
Once you have compiled your massive list of IP ranges and resolved subdomains, you need to port scan. Nmap is too slow for internet-wide ranges, and Masscan drops packets and misses open ports.
The modern professional workflow chains three tools: asnmap, naabu, and nmap.
# Map the ASN to IPs, fast-scan with naabu, and strictly service-scan open ports with Nmap
echo "AS46489" | asnmap -silent | naabu -nmap-cli 'nmap -sV -oX nmap-output'
naabu handles the high-speed SYN port discovery. Only when naabu confirms a port is open does it pass that specific IP and port to Nmap for deep service fingerprinting.
Passive Vulnerability Discovery with Shodan
Before launching a single aggressive packet, utilize Karma. Karma is a wrapper around the Shodan API that operates like a vulnerability scanner, but completely passively.
By feeding Karma your target’s IP ranges, it queries Shodan using custom dorks to identify exposed Spring Boot Actuators, vulnerable Grafana instances, or phpinfo() pages.
# Example custom Karma signature for phpinfo
name: PHP Info Exposed
type: shodan
query: 'http.title:"phpinfo()"'
This allows you to map high-value CVE targets across an entire ASN without ever touching the target’s infrastructure.
Where to Go From Here
The natural next layer on top of this recon workflow is content discovery against the infrastructure you’ve just mapped. Most teams run ffuf or feroxbuster against primary domains. Almost nobody runs them against the shadow subdomains and acquired apex domains this methodology surfaces — which is exactly where the interesting endpoints live.
The SecLists Discovery/Web-Content/raft-large-directories.txt wordlist paired with -fc 404 and a custom X-Forwarded-For: 127.0.0.1 header catches a surprising number of internally-routed endpoints that reject public requests by IP but not by header.
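The defect behind that trick is an allowlist that lets any client override its real peer address with a header. The pair below is an added example, not code from the post: the weak check alongside a hardened one that only honours X-Forwarded-For when the TCP peer is a known reverse proxy. The proxy address, internal ranges and request samples are constructed.

```python
# Added example: IP allowlist that trusts X-Forwarded-For from anyone (weak form)
# beside one that only trusts the header from a known proxy (hardened form).
# The proxy address and internal ranges are constructed placeholders.
from __future__ import annotations
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}  # constructed reverse-proxy address


def _is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # garbage in the header never grants access
    return any(addr in net for net in INTERNAL_NETS)


def allow_vulnerable(remote_addr: str, headers: dict[str, str]) -> bool:
    """Weak form: the header overrides the real peer address for every client."""
    client = headers.get("X-Forwarded-For", remote_addr).split(",")[0]
    return _is_internal(client)


def allow_hardened(remote_addr: str, headers: dict[str, str]) -> bool:
    """Only a trusted proxy may assert a client address; any other peer is judged
    by its TCP address, so a header spoofed from the internet is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        # The proxy appends the address it saw last; earlier entries are client-supplied.
        client = headers["X-Forwarded-For"].split(",")[-1]
        return _is_internal(client)
    return _is_internal(remote_addr)
```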
For program scoping: the highest-yield targets are companies that made an acquisition in the last 18 months with a broad wildcard scope. The acquired company’s infrastructure is rarely fully integrated, security tooling is inconsistent, and the parent’s bug bounty scope frequently absorbs it by default. Tracxn and Pitchbook acquisition filters, combined with Gungnir CT log monitoring on the parent domain, will notify you the moment acquired infrastructure starts issuing certificates under the parent’s namespace.
For blue team detection: this methodology leaves minimal signatures, but not zero. naabu SYN scans generate half-open connection logs on any stateful firewall or IDS with TCP anomaly detection enabled. Shodan queries are invisible, but active SSL scanning across cloud ranges via Caduceus appears as port 443 connection attempts from residential or VPS IP space with no subsequent TLS handshake completion. Rate-limit scans and rotate source IPs to stay below threshold-based alerting. Gungnir CT monitoring is entirely passive and leaves no trace on the target’s infrastructure.