Different Approaches For Reconnaissance — Bug Bounty’s

Nov 12 · 4 min read

Hi, I’m z0id and I’m a security researcher at hackerone and bugcrowd and I’m going to show you different approaches to recon for your bug bounty Journeys.

We will follow this check list:

  • Approaches to sub domain Enumeration
  • Visual Recon
  • Google Dorks
  • Content Discovery

Approaches to sub domain Enumeration

Sub domain enumeration is the key to discovering domains that can contain potential vulnerabilities, this should be used during any recon process.

I like to use tools like:

  • Subfinder
  • Assetfinder
  • Aquatone
  • Findomains

I use custom bash alias’s to help me during the recon process eg:

afinderlist() {
for i in `cat $1`
assetfinder -subs-only $i -c 100 | tee -a "$i".txt

I then issues this command to run a sub domain scan with asset finder with a list of domains:

afinderlist hosts

I like to find information about each domain such as:

  • Response Length
  • Title
  • Status Code
  • URL

This helps for finding interesting sub domains this can be done quite easily with a python script using beautiful soup and requests modules you can make advanced ones with multiprocessing and collects screenshots etc)

Here is a quick function example:

import bs4 
import requests
def run(host):
r=requests.get(host, verify=False)
status_code = str(r.status_code)
length = str(len(r.text))
title = html.title.text
print(host, status_code, length, title)

This is what my one looks like:

Domain Mapper

Once you populate a list of files with the domain mapper you can grep away like a pro.

cat *.txt | sort -u | grep --color "error"
Grepping for information

You can also create a word list that fuzzes all the names you want to look for

for i in `cat names` ; do cat *.txt | sort -u | grep --color "$i" ; done

This can also be done with links as well you can spider through each sub domain with burp generate a heap of links, burp feed can help a lot with this.

Once you have all the links export them all out to a file and run the domain mapper to fetch all the info and grep away.

Kinda works the same way as meg which is another useful tool made by TomNomNom Good work!! by the way I use it heaps.

Visual Recon

There are really good tools out there that screenshot each sub domain to visualize what they look like instead of doing it manually.

  • Eyewitness
  • Webscreenshot

I use Eyewitness quite a bit just because of it’s simplicity and the way it generates the report.


sudo apt-get install eyewitness


sudo eyewitness -f <path-hosts> --web --threads <threads> -d <save-path>

Google Dorks

Another useful technique of recon is google dorking, this is a way to use googles search engine and special query's to find juicy info such as:

  • Webcams
  • Servers
  • Vulnerable Sites
  • Sub domains
  • Open Redirects
  • SQL Injection
  • Files

Here is a useful site to look at to learn google dorking it’s a language in it’s own.

Shodan.io is also very good.

Extension Example:

site: *.example.com ext:php OR ext:js OR ext:txt OR ext:pdf

Open Redirect example:

site: *.example.com inurl:& AND inurl:url

SQL Injection Example:

site: *.example.com intext:"You have an error in your SQL syntax"

File Type Example:

site: *.example.com filetype:pdf

GraphQL Example:

site: *.example.com inurl:/graphql/

Play around and see what you can come up with.

Content Discovery

When you find sub-domains that look interesting a good thing to do is do some sort of content discovery using tools such as:

  • dirsearch
  • dirbuster
  • wfuzz

Will help you find hidden files and endpoints that can be used through out your pentest.

Parameter Fuzzing is also a useful technique to find hidden parameters, I use personally Arjun.

I’ve created a bash profile to help me type it much more quickly so I speed up my recon phase.

So, that’s my recon methodology I’m always finding new ways to make my recon better and level up my skills.

Big thanks!!! to Brett Buerhaus 💙

For helping me level up my skills you legend.


I hope you enjoyed this post and happy hacking peoples.


Written by


Just another friendly hacker and bug bounty researcher https://twitter.com/z0idex

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade