Following the collection of data, we will undertake the assessment by following the stages of 

• Footprinting
• Scanning
• Enumerating

These pre-test phases are critical in determining whether or not a penetration test will provide a thorough picture of the client's exposure. Reconnaissance refers to the three pre-test phases taken together.

Port scanning, system service identification, remote operating system fingerprinting, and firewall and intrusion detection evasion are some of the techniques that will be deployed.

The following approaches would be used for discovery at this phase: passive fingerprinting, port scanning, and service identification, banner grabbing, and mapping suspected vulnerabilities to available exploits.

You can use forward DNS lookup, ping, and even more complex tools like Burp Suite to associate the newly discovered subdomains with their corresponding IP addresses.

To transfer a DNS zone, use the “nslookup” command to find the DNS servers. Websites dedicated to DNS server identification are another alternative. After you've identified all of the DNS servers, use the "dig" command to try to transfer the DNS zone.