What tools I use for my recon during #BugBounty

Hi guys! This is my first article about Bug Bounty and I hope you will like it! I’m a bug hunter on bountyfactory.io and I think it’s cool to share what I know about recon.

I’m literraly a beginner in Bug Bounty and it’s possible that you see some mistakes in this article. Feel free to comment or tweet me! Sharing is caring!

Kudos to you Nico, thank for your help :)

It’s me when I try to bug hunting

Read the rules first

“Thank you, captain obvious”

Yes, it seems to be obvious… but I check rules and scope. This first check is useful to know many things about the target:

  • What is the scope ?
  • What shouldn’t I test ?
  • What type of reports and vulnerabilities are accepted ?
  • Which vulnerabilities have already been reported ? (if public disclosure on HackerOne for example)
  • Rewards $$$ ?

The rules of a program can clearly help to understand what is the purpose of URLs, etc. It saves time to read everything, it then avoids focusing unnecessarily on a domain or an app while it’sout-of-scope.

To be honest, when I see a scope limited to www.domain.com and not *.domain.com I’m a little less enthusiastic. But it can be cool for learning purposes, because we need to focuse only on one domain and understand how the target works.

Enumerate subdomains of a target with Sublist3r

How to not talk about Sublist3r ? This tool is just awesome and helps you to find many and many subdomains. If you scope is *.domain.com you should use Sublist3r.

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
Subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist.

You can download Sublist3r here : https://github.com/aboul3la/Sublist3r

Sublist3r is a great tool to help find subdomains

Don’t forget to add -O argument to export subdomains list into a TXT file.

Enumerate subdomains and check for subdomains takeover with Aquatone

4 months ago I discovered a tool called Aquatone. This tool is perfect when your scope is *.domain.com. Aquatone can list subdomains and check for subdomain takeover and scan a large port range too.

AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.

A few words about subdomain takeover

You should check “Can I take over XYZ”. It’s a GitHub repository created by Ed Overflow (another awesome guy to follow) and you will know if it’s possible to takeover a subdomain used by a service (GitHub pages, Heroku, CloudFront, etc.) :

Create a global view of a target

The recon part is essential. I needed a few months to understand this because I was focused on finding vulnerabilities. But how is it possible to find them when you do not have a real idea of its cartography?

A SiteMap is useful for having a global view of the website.

When I try to list all endpoints, pages, folders, files and other useful things, I think we have two different things:

  • Public pages we can access without a user account
  • Private pages, only accessible with a user account

To create a first “global picture” of a target, I use online tool Visual Site Mapper (www.visualsitemapper.com). This tool will create a graphical sitemap and can be very useful to list public URLs to understand how the website works and how pages interact behind those.

Use online tool Virtual Site Mapper to create a global view of a target

Now that we have a list of interesting URLs, try to check URLs with GET parameters. After doing many Bug Bounties, I discovered that these URLs were always more interesting. For this part, I do manual tests. It can be automatised, but I prefer to do manual checks. Scripts can’t replace manual testing for everything.

Tell me what you are using, I’ll tell you what is potentially vulnerable

Before you start looking for vulnerabilities, it’s essential to know what your target is using as a technology to work:

  • Do they use a WAF like CloudFront or CloudFlare ?
  • Do they use a CMS like Wordpress, Drupal or Joomla ?
  • Do they use a framework like AngularJS or CakePHP ?
  • What’s the version of Apache ?
  • Do they use template engine like Jinja2 or Smarty ?

When you know which technology they use (and it’s better if you have the version), it will be useful to help you look for vulnerabilities.

For example : Your target have a profil page where you can control input (like name or nickname) which is reflected on a public page. If you know the framework version, you can possibly try XSS PayLoads or others payloads!
If your target use a template engine like Smarty, check the version and try template injection!

To get these information about a target, I installed a plugin called Wappalyzer.

Plugin Wappalyzer can be useful to know what’s a target use

This plugin works on Google Chrome and Firefox. And to use it, you just need to go on your target. You will see a small icon displayed next to the URL.

If you click on it, Wappaylzer should display interesting information about your target. Sometimes you will not see the version, but it can be useful anyway.

Did you say Google Dorks ?

For a good recon, I can’t forget Google Dorks and others tips like that. Google index many URLs and files and it could be useful to try to extract them.

I recommand you to use Google Dorks like that:

site:target.com -www
site:target.com intitle:”test” -support
site:target.com ext:php | ext:html
site:subdomain.target.com
site:target.com inurl:auth
site:target.com inurl:dev

Be creative! If you want to know more about this: https://apollonsky.me/growth-hacking-google-dork

Shodan.io : search engine for Internet-connected devices

If I should present shodan.io in one minute, I would say that it’s like Google but for servers, IoT and all devices which can be connected to Internet.

And like Google, you can use some “dorks” to improve your research. Here are the basic search filters you can use:

  • country: find devices in a particular country
  • geo: you can pass it coordinates
  • hostname: find values that match the hostname
  • net: search based on an IP or /x CIDR
  • os: search based on operating system
  • port: find particular ports that are open
  • before/after: find results within a timeframe
Use “dorks” on shodan.io to improve your research

Censys.io : Another great search engine

Censys is a platform that helps to discover, monitor, and analyze devices that are accessible from the Internet. We can compare this tool with Shodan. It’s an interesting tool and you can find information about target like open port, service, servername, if they use CloudFlare, etc.

censys.io

The perfect wordlist for Bug Bounty

My little experience has allowed me to understand that targets always have a page that should not be public, should not be here or should not be accessible without permission.

To help me discover these “secret” pages, I recommend this excellent GitHub repository where awesome guys share their lists and knowledge.

SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed.

I can’t write here what all this repo has. But believe me, it has helped me repeatedly to discover sensitive content.

They have a list for all common extensions like php, asp, txt, bak, old, conf, config… and lots of interesting filenames, payloads and fuzzing lists.

You can use this list to discover content, directory, subdomains, bruteforce passwords…

An awesome SecList on GitHub

Two good tools for content discovery

To use the SecList, I recommand you to use one of these tools:

You can specify a list of words you want to use and an extension file or extension list. The tool will test one by one all entries and you will see the result directly in the terminal.

Finding hidden GET & POST parameters

During Bug Bounty, I discovered some interesting parameters. Sometimes developers “hide” parameters in GET or POST queries, and sometimes it can be interesting to try to find these parameters and inject payloads into them.

To help me with this hunt, I use a good tool called Arjun. This python script will bruteforce the GET and POST parameters. Try and you will see!

Burp Suite is your friend, JS scripts too

When browsing a website, be sure to run the Burp Suite tool before. I will not explain how Burp Suite works in this article, but this tool is your friend and you must use it.

Community Edition (the free version of Burp Suite) is enough, do not worry!

With Burp Suite, you have a good option to list and find *.JS scripts. I recommend that you do this and export all JS scripts to a file.

If you do Bug Bounty, you probably know Jobert Abma (otherwise, go follow him https://twitter.com/jobertabma). He created a tool called relative-url-extractor.

This python script is really cool and tries to extract URLs endpoints stored in JS scripts. It works well and has helped me many times!

Jobert has created another good tool for recognition. It’s called Virtual Host Discovery and this script can help you find Vhost behind a target. You will be surprised how many targets have a Vhost like “admin” or “beta” that are not properly protected!


Thank you for reading the article to the end, I hope it will be useful for you and will help you to find more vulnerabilities! Feel free to ping me on Twitter!

I would like to thanks all hunters and Bug Bounty community ! Write-up and PoC are essential to learn ❤