Manish's Blog

Bug Bounty Methodology Part 02 | In Depth Recon

Tue Jul 23 2024

Check The Alive Subdomains

I use the tool httprobe to find the alive subdomains from the list.

🔗tomnomnom/httprobe

After finding the alive subdomains, I use a tool to view them all.

Screenshot

I use the tool aquatone to take a screenshot of every alive subdomain, view them all in an organized report, and then separate out the subdomains that I find interesting.

🔗michenriksen/aquatone

Automated Scanners

The next thing I do is use automated scanners to find any low-hanging bugs and information about the targets.

The Triple N — Nuclei, Nmap, Nikto

Nuclei

Nmap

nmap -sVC combines -sV (service version detection) with -sC (the default NSE scripts); -T4 selects the aggressive timing template, which makes network scanning faster.

Nikto

Finding Known Tech

From the automated scanners you should already know a lot about the tech used on the website, but we still need more information. You can gather it using browser extensions like

🔗Wappalyzer

or websites like BuiltWith, WhatRuns, etc.

After finding the versions of the tech in use, we can search for known vulnerabilities affecting those versions; if one applies, you can report it.

Low Hanging Fruits

Next I use some automated scanners to find easy bugs, if any are present.

1. Subdomain takeover

🔗GitHub - PentestPad/subzy: Subdomain takeover vulnerability

2. Broken Link Hijacking

🔗GitHub - utkusen/socialhunter: crawls the website and finds broken social media links

3. XSS

🔗GitHub - devanshbatham/ParamSpider: Mining URLs from dark corners of Web Archives for bug

URLs

The next thing I do is collect the URLs for all the subdomains using tools like waybackurls and gau.

Then I search the collected URLs for keywords like config, ini, and admin using the grep command.
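
Wayback and gau output is large and full of near-duplicates, so a plain grep returns the same endpoint hundreds of times. The script below is an added example, not code from the post: it normalizes the URL list (drops fragments and query-string values, keeps parameter names), dedupes, and then applies the post's keywords (config, ini, admin) as an assumed regex before producing a per-host count. The sample URLs are constructed stand-ins for real tool output.

```bash
#!/usr/bin/env bash
# Added example (not from the post): triage the URL list that waybackurls/gau
# emit before grepping it. Wayback output is huge and repetitive, so we
#   1) normalize: strip fragments and query-string VALUES (parameter names stay)
#   2) dedupe:    one line per host + path + parameter-name set
#   3) flag:      lines whose path or parameter names match the recon keywords
# Keyword regex is assumed: the post's config / ini / admin, extend as needed.
RECON_KEYWORDS='config|\.ini([?/]|$)|admin'

# normalize_urls: raw URLs on stdin -> normalized, sorted, unique URLs on stdout
normalize_urls() {
  sed -E -e 's/#.*$//' \
         -e 's/=[^&]*/=/g' \
         -e 's/[?&]+$//' |
    sort -u
}

# flag_interesting: raw URLs on stdin -> the normalized ones worth a manual look
flag_interesting() {
  normalize_urls | grep -Ei "$RECON_KEYWORDS" || true
}

# hosts_summary: raw URLs on stdin -> "count host" per subdomain, busiest first
hosts_summary() {
  normalize_urls | awk -F/ '{print $3}' | sort | uniq -c | sort -rn
}

# Constructed sample standing in for `gau example.com` / waybackurls output.
SAMPLE_URLS='https://app.example.com/login?next=/home
https://app.example.com/login?next=/dash
https://app.example.com/admin/users?id=1
https://app.example.com/admin/users?id=2#top
https://static.example.com/assets/app.js
https://api.example.com/v1/config.json
https://api.example.com/wp-config.ini?rev=3
https://api.example.com/v1/status'

# Real run (tools from the post, not executed here):
#   gau example.com > urls.txt; printf 'example.com\n' | waybackurls >> urls.txt
#   flag_interesting < urls.txt
echo "== interesting URLs =="
printf '%s\n' "$SAMPLE_URLS" | flag_interesting
echo "== URLs per host =="
printf '%s\n' "$SAMPLE_URLS" | hosts_summary
```

On the sample, eight raw URLs collapse to six unique endpoints and three of them are flagged for review.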

Google Dorking

Google dorking is another very good way to do recon.

I use this website for my Google dorking: 🔗Bug Bounty Search Engine

You can just enter your target domain and click the buttons, and it'll automatically do it for you.

Post

Github Recon

This is a very interesting method.

Many times people commit sensitive information to their GitHub repositories; we can try to find it using GitHub's search option, for example if we have kingfisher.com

That's it for this part; we will continue with the rest in the next part.

Thank you for reading till the end.

Please consider commenting if you found it helpful.
