Attacking organisation with big scope: Part 1


S A B I R

Oh grail, holy grail of the Bug Bounty Lord!! Bounty Lord: “reconnaissance.”

A while ago, I watched a video on YouTube that taught a new and creative way of finding bugs and creating a much bigger attack surface than the rest in the bug bounty world.

Reconnaissance is the first and one of the most crucial steps in the bug bounty hunting process. It involves gathering as much information as possible about the target to identify potential weaknesses and entry points. Effective reconnaissance significantly raises the chances of finding valuable bugs.

Identifying Potential Attack Surfaces

Attack surfaces are the various points in a system where an unauthorized user can try to enter data into or extract data from. Identifying these surfaces means looking at the entire digital footprint of an organization, including web applications, network infrastructure, APIs and more.

- Subdomain Enumeration
- VHOST Identification
- ASN Mapping
- Web Fuzzing
- Dorking / Google hacking

SUBDOMAIN ENUMERATION

- Identifying subdomains gives you a bigger attack surface.
- Look for preprod/env subdomains.
- Perform recursive brute-forcing: FUZZ.host → dev.host → FUZZ.dev.host. Every hit becomes a new parent to brute-force under.
[Image: BBOT comparison to other tools]
[Image: BBOT commands]
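The recursive brute-force idea above, as an added example that is not part of the original post and not BBOT's code: brute-force one label level under the root, then recurse under every name that resolves, so `dev.host` turns into `FUZZ.dev.host` automatically. The wordlist, the `example.com` names and the addresses in `FAKE_ZONE` are constructed for an offline demo; against a real target pass `resolve=dns_resolve` (plain socket lookups). A wildcard check is included because a wildcard zone makes every guess "resolve" and turns the output into noise.

```python
"""Recursive subdomain brute force: FUZZ.host -> dev.host -> FUZZ.dev.host.

Added example (not the post's or BBOT's code). Names and addresses below
are constructed; the resolver is pluggable so the demo runs offline.
"""
import socket
import uuid
from typing import Callable, Dict, List, Optional

# Constructed wordlist; the preprod/env style names are the ones worth
# trying first according to the post.
WORDLIST = ["www", "dev", "staging", "preprod", "uat", "api", "admin", "mail"]


def dns_resolve(name: str) -> Optional[str]:
    """Resolve a hostname to an IPv4 address, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, UnicodeError):
        return None


def wildcard_baseline(root: str,
                      resolve: Callable[[str], Optional[str]] = dns_resolve) -> Optional[str]:
    """Wildcard DNS check: if a random label under `root` resolves, every
    brute-force guess will 'hit' and the results must be filtered by IP."""
    return resolve(f"{uuid.uuid4().hex[:12]}.{root}")


def recursive_brute(root: str, wordlist: List[str],
                    resolve: Callable[[str], Optional[str]] = dns_resolve,
                    max_depth: int = 2) -> Dict[str, str]:
    """Brute-force labels under `root`, then recurse into every hit.

    Depth 1 tries word.root; depth 2 tries word.hit.root for each depth-1
    hit; and so on up to max_depth. Returns {hostname: ip}.
    """
    found: Dict[str, str] = {}

    def walk(parent: str, depth: int) -> None:
        if depth > max_depth:
            return
        for word in wordlist:
            candidate = f"{word}.{parent}"
            if candidate in found:
                continue
            ip = resolve(candidate)
            if ip is not None:
                found[candidate] = ip
                # A live subdomain becomes the new parent: FUZZ.dev.host
                walk(candidate, depth + 1)

    walk(root, 1)
    return found


# Constructed zone for the offline demo (hypothetical names and addresses).
FAKE_ZONE = {
    "www.example.com": "203.0.113.10",
    "dev.example.com": "203.0.113.20",
    "api.dev.example.com": "203.0.113.21",
    "preprod.example.com": "203.0.113.30",
    "admin.preprod.example.com": "203.0.113.31",
}


def demo(max_depth: int = 3) -> Dict[str, str]:
    """Run the brute force against the constructed zone."""
    if wildcard_baseline("example.com", FAKE_ZONE.get) is not None:
        raise RuntimeError("wildcard DNS: filter hits by IP before trusting them")
    return recursive_brute("example.com", WORDLIST, resolve=FAKE_ZONE.get,
                           max_depth=max_depth)


if __name__ == "__main__":
    for host, ip in sorted(demo().items()):
        print(f"{host:32} {ip}")
```

With `max_depth=1` the run stops at `www`, `dev` and `preprod`; raising the depth is what surfaces `api.dev.example.com` and `admin.preprod.example.com`, the names a flat brute force never asks for.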

VHOST Identification

- Fewer people dig deep into VHOSTs.
- Identifying these gives you targets most people haven't seen yet.

Now comes the creative part: we hit the Host header with every subdomain and IP discovered so far, using Burp Suite Intruder. A response that differs from the baseline (status code, length or redirect target) for a given Host value means that name is served from that IP, even if public DNS never points there.

[Image: Hitting the Host header]

ASN MAPPING

IP-to-ASN (Autonomous System Number) mapping is the process of determining the Autonomous System Number (ASN) associated with a specific IP address. An ASN is a unique identifier assigned by a regional internet registry (RIR) to a network operator, and it tells you which organization announces, and usually owns, a block of IP addresses.

IP-to-ASN mapping is useful for various purposes, such as:

- Network Management
- Network Security
- Network Monitoring
- Geo-Location

Steps:

1. Look the organisation up on https://bgp.he.net/ to find its ASNs and the IP prefixes announced under them.
   [Image: IP info from bgp.he.net]

2. Copy all IP ranges from bgp.he.net (or from other tools and techniques) into an iplist file.
   [Image: Copying all IP ranges]

3. Send the ranges to prips (a tool that prints every IP in a given range) to expand them into individual addresses.

4. Gather every subdomain you can find for the organisation, including the ones that do not resolve.

5. Brute-force IPs:SUBDOMAINS, i.e. every address against every hostname in the Host header.
   [Image: Brute-forcing IPs:subdomains]

The nba2k file holds all the IPs and is run against the subdomains in the nbasubs file using ffuf (a web fuzzing tool).
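The Host-header attack from the VHOST section and steps 2 to 5 above are one pipeline, shown here as an added example that is not the post's own commands or ffuf/prips code: `expand_ranges` does what prips does with Python's `ipaddress` module, and `find_vhosts` does what Burp Intruder or ffuf does, recording a baseline response for a random Host on each IP and flagging every subdomain whose response differs. The ranges, subdomain list, `fake_fetch` and its canned responses are constructed so the demo runs offline; `http_fetch` is what you would pass in against a real, in-scope range.

```python
"""Virtual-host discovery across an organisation's IP ranges.

Added example (not the post's commands). prips is replaced by ipaddress,
Burp Intruder / ffuf by an http.client loop with a pluggable fetch so the
demo runs offline on constructed data.
"""
import http.client
import ipaddress
import uuid
from typing import Callable, Dict, Iterator, List, Tuple

Response = Tuple[int, int]  # (status code, body length)


def expand_ranges(ranges: List[str]) -> Iterator[str]:
    """prips equivalent: yield every host address in each CIDR or
    'start-end' range as copied from bgp.he.net."""
    for item in ranges:
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            for n in range(int(start), int(end) + 1):
                yield str(ipaddress.ip_address(n))
        else:
            for host in ipaddress.ip_network(item, strict=False).hosts():
                yield str(host)


def http_fetch(ip: str, host: str, timeout: float = 5.0) -> Response:
    """GET / on `ip` with the Host header forced to `host` (port 80)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-probe"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def find_vhosts(ranges: List[str], subdomains: List[str],
                fetch: Callable[[str, str], Response] = http_fetch) -> Dict[str, List[str]]:
    """Return {ip: [subdomain, ...]} for every Host value that makes the
    server at ip answer differently from a random-Host baseline."""
    results: Dict[str, List[str]] = {}
    for ip in expand_ranges(ranges):
        try:
            # Baseline: what this IP serves for a name it cannot know.
            baseline = fetch(ip, f"{uuid.uuid4().hex[:10]}.invalid")
        except (OSError, http.client.HTTPException):
            continue  # closed port, timeout or garbage: skip the address
        hits = []
        for name in subdomains:
            try:
                resp = fetch(ip, name)
            except (OSError, http.client.HTTPException):
                continue
            if resp != baseline:  # different status or length = a real vhost
                hits.append(name)
        if hits:
            results[ip] = hits
    return results


# Constructed demo data (hypothetical addresses and names).
# 203.0.113.5 serves a default 404 but knows two internal names,
# 203.0.113.6 ignores the Host header, 203.0.113.7 has port 80 closed.
CANNED = {
    ("203.0.113.5", "intranet.example.com"): (200, 8412),
    ("203.0.113.5", "jenkins.example.com"): (403, 162),
}


def fake_fetch(ip: str, host: str) -> Response:
    if ip == "203.0.113.7":
        raise OSError("connection refused")
    if ip == "203.0.113.6":
        return (200, 512)  # Host-agnostic server: nothing to find
    return CANNED.get((ip, host), (404, 1200))


def demo() -> Dict[str, List[str]]:
    ranges = ["203.0.113.4/30", "203.0.113.7-203.0.113.7"]  # the 'iplist' file
    subs = ["www.example.com", "intranet.example.com",       # the 'nbasubs' file
            "jenkins.example.com", "vpn.example.com"]
    return find_vhosts(ranges, subs, fetch=fake_fetch)


if __name__ == "__main__":
    for ip, names in demo().items():
        print(ip, "->", ", ".join(names))
```

The ffuf equivalent of `find_vhosts` with the post's file names is a two-wordlist clusterbomb run, `ffuf -w nba2k:IP -w nbasubs:HOST -u http://IP/ -H "Host: HOST" -ac`, where `-ac` auto-calibrates the baseline that the code above computes per IP by hand. Comparing against a per-IP baseline, rather than a single global filter size, matters because each address serves its own default page.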

The last two methodologies will be explained in my next article.
