FFUF-ing RECON

, or how to get to P1–P3 from a slightly different recon

When it comes to recon, especially looking for subdomains, there have been a ton of tools and writeups since the beginning of hacking. But, somehow the least discussed approach is the one that can yield the most amazing results (not always though), and I had only found one tool dealing with it before ffuf existed, but I gave up on it (could be I was doing it wrong, but whatever (: ). I’m talking about vhost discovery using ffuf, which can also be used for regular subdomain discovery with easier to configure…