Hi, I’m z0id, a security researcher on HackerOne and Bugcrowd, and I’m going to show you different approaches to recon for your bug bounty journeys.
We will follow this check list:
- Approaches to subdomain enumeration
- Visual Recon
- Google Dorks
- Content Discovery
Approaches to subdomain enumeration
Subdomain enumeration is the key to discovering hosts that may contain potential vulnerabilities; it should be part of every recon process.
I like to use tools like:
I use custom bash aliases to help me during the recon process, e.g.:
# Run assetfinder against every domain listed in the file passed as $1,
# appending each domain's results to its own <domain>.txt file
for i in $(cat "$1"); do
    assetfinder -subs-only "$i" -c 100 | tee -a "$i".txt
done
I then issue this command to run a subdomain scan with assetfinder against a list of domains:
I like to find information about each domain such as:
- Response Length
- Status Code
This helps with finding interesting subdomains and can be done quite easily with a Python script using the Beautiful Soup and requests modules (you can make more advanced ones with multiprocessing, screenshot collection, etc.).
Here is a quick example function:
import requests
from bs4 import BeautifulSoup

def run(host):
    # Fetch the host and report status code, response length and page title
    try:
        r = requests.get(host, timeout=10)
        html = BeautifulSoup(r.text, "html.parser")
        status_code = str(r.status_code)
        length = str(len(r.text))
        title = html.title.text if html.title else ""
        print(host, status_code, length, title)
    except requests.RequestException as e:
        print(host, "error", e)
This is what mine looks like:
Once you populate a list of files with the domain mapper you can grep away like a pro.
cat *.txt | sort -u | grep --color "error"
You can also create a word list of all the names you want to look for and grep for each of them:
for i in $(cat names); do cat *.txt | sort -u | grep --color "$i"; done
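The triage step that the mapper output and the grep loop above feed into, as an added example that is not the author's script: it parses the host/status/length/title lines, treats the most common status/length pair as the wildcard or default-page baseline, and flags hosts that differ from it, are auth-gated, or whose title matches a names list. The sample output is constructed.

```python
import re
from collections import Counter

# Constructed sample of domain-mapper output: host, status code, response length, page title
SAMPLE_OUTPUT = """\
https://www.example.com 200 48213 Example Home
https://shop.example.com 200 48213 Example Home
https://blog.example.com 200 48213 Example Home
https://cdn.example.com 200 48213 Example Home
https://dev.example.com 200 1337 Jenkins
https://old.example.com 403 162 403 Forbidden
https://api.example.com 401 27
https://staging.example.com 500 2048 Internal Server Error
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{3})\s+(\d+)\s*(.*)$")


def parse_mapper_output(text):
    """Turn 'host status length title' lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            host, status, length, title = m.groups()
            rows.append({"host": host, "status": int(status),
                         "length": int(length), "title": title})
    return rows


def triage(rows, names=("error",)):
    """Return (baseline, flagged): baseline is the most common (status, length) pair, i.e. the
    wildcard/default page; flagged lists hosts that stand out, with the reasons why."""
    baseline = Counter((r["status"], r["length"]) for r in rows).most_common(1)[0][0]
    flagged = []
    for r in rows:
        reasons = []
        if (r["status"], r["length"]) != baseline:
            reasons.append("differs from baseline %d/%d" % baseline)
        if r["status"] in (401, 403):
            reasons.append("auth-gated")
        if any(n.lower() in r["title"].lower() for n in names):
            reasons.append("title matches names list")
        if reasons:
            flagged.append((r["host"], reasons))
    return baseline, flagged


if __name__ == "__main__":
    base, hits = triage(parse_mapper_output(SAMPLE_OUTPUT))
    print("baseline status/length:", base)
    for host, why in hits:
        print(host, "->", ", ".join(why))
```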
This can also be done with links: spider through each subdomain with Burp to generate a heap of links; Burp Feed can help a lot with this.
A tool for passing and adding a list of URLs to Burp's sitemap/target tab, really useful for populating the targets tab…
Once you have all the links export them all out to a file and run the domain mapper to fetch all the info and grep away.
It works in much the same way as meg, another useful tool made by TomNomNom (good work, by the way; I use it heaps).
meg is a tool for fetching lots of URLs but still being 'nice' to servers. It can be used to fetch many paths for many…
There are really good tools out there that screenshot each subdomain so you can visualise what they look like instead of checking manually.
I use EyeWitness quite a bit because of its simplicity and the way it generates the report.
EyeWitness is designed to take screenshots of websites provide some server header info, and identify default…
sudo apt-get install eyewitness
sudo eyewitness -f <path-hosts> --web --threads <threads> -d <save-path>
Another useful recon technique is Google dorking, which uses Google's search engine and special query operators to find juicy info such as:
- Vulnerable Sites
- Subdomains
- Open Redirects
- SQL Injection
Here is a useful site for learning Google dorking; it is a language in its own right.
Google Hacking, also named Google Dorking, is a computer hacking technique that uses Google Search and other Google…
Shodan.io is also very good.
Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence…
site:*.example.com ext:php OR ext:js OR ext:txt OR ext:pdf
Open Redirect example:
site:*.example.com inurl:& AND inurl:url
SQL Injection Example:
site:*.example.com intext:"You have an error in your SQL syntax"
File Type Example:
site:*.example.com filetype:pdf
site:*.example.com inurl:/graphql/
Play around and see what you can come up with.
When you find subdomains that look interesting, a good next step is some sort of content discovery using tools such as:
These will help you find hidden files and endpoints that can be used throughout your pentest.
Parameter fuzzing is also a useful technique for finding hidden parameters; I personally use Arjun.
HTTP Parameter Discovery Suite Web applications use parameters (or queries) to accept user input, take the following…
I’ve created a bash profile so I can type these commands much more quickly and speed up my recon phase.
So that’s my recon methodology; I’m always finding new ways to improve my recon and level up my skills.
Big thanks!!! to Brett Buerhaus 💙
For helping me level up my skills you legend.
I hope you enjoyed this post, and happy hacking, people.