Bug Bounty Hunting: Web Hacking Reconnaissance


Reconnaissance for Effective Security Testing

Muhammad Abdullah Niazi

In this blog, I will explain how to do reconnaissance. Your comments are always appreciated; if something is missing and you want to add it, please leave a comment. The first step in attacking a target is reconnaissance: gathering information about the application’s attack surface. Efficient reconnaissance helps identify all possible entry points before selecting the most effective approach, and it keeps you from testing for irrelevant vulnerabilities; e.g., there is no need to check for PHP vulnerabilities if the app doesn’t use PHP. Understanding Bash scripting fundamentals streamlines these recon operations.

Google Dorking

- site: Limits search results to a specific site (e.g., site:example.com).
- inurl: Finds URLs containing a specific string (e.g., inurl:login site:example.com).
- intitle: Searches for pages with a specific title (e.g., intitle:"index of" site:example.com).
- link: Finds pages linking to a specific URL.
- filetype: Searches for specific file types (e.g., filetype:log site:example.com).
- Wildcard (*): Replaces unknown characters (e.g., "how to hack * using Google").
- Quotes (""): Forces exact-match searches.
- Or (|): Searches for multiple terms (e.g., site:(reddit.com | stackoverflow.com)).
- Minus (-): Excludes terms from search results (e.g., "how to hack" -php).

Additional resources:

- Google Hacking Database: https://www.exploit-db.com/google-hacking-database/
- Example search: site:*.example.com for subdomains.

Scope Discovery

- Verify the scope of your target’s policy before initiating recon.
- Identify domains, subdomains, and IPs within scope.
- WHOIS lookup provides domain ownership details.
- Reverse WHOIS can find all domains registered under an entity (use ViewDNS.info).
- Use nslookup to find an IP for a known domain (e.g., nslookup facebook.com).
- Perform a reverse IP lookup to find other domains on the same server (ViewDNS.info).
- Use whois to find IP range ownership (e.g., whois 157.240.2.35).
- Check Autonomous System Numbers (ASN) to identify owned IP ranges.

Certificate Parsing

- SSL certificates contain a Subject Alternative Name field listing multiple hostnames.
- Tools like crt.sh, Censys, and Cert Spotter help discover these hostnames.
- Example: Searching crt.sh for facebook.com reveals domains like *.facebook.com, *.fbcdn.net, messenger.com.
- Retrieve certificate data in JSON format using: https://crt.sh/?q=facebook.com&output=json
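The crt.sh JSON endpoint above returns one record per certificate, with all of a certificate's SAN hostnames packed into a single "name_value" string separated by the two-character escape "\n". The script below is an added example (not code from the original post) that turns that output into one unique hostname per line using only grep, sed, awk and sort, so it works without jq. The JSON sample, the function names (crtsh_hostnames, crtsh_hostname_count, sample_crtsh_json) and the certificate ids are constructed for the example. The same parser is useful from the defender's side: run it against your own domains on a schedule and any hostname you do not recognise is either a forgotten asset or a certificate someone else obtained.

```shell
#!/bin/bash
# Added example (not from the original post): extract unique hostnames from
# crt.sh JSON. Real data comes from https://crt.sh/?q=facebook.com&output=json;
# the sample below is constructed to mimic that shape.

# Constructed sample of crt.sh JSON (not real certificate data). Several
# SANs in one certificate are joined with a literal "\n" escape, exactly as
# crt.sh emits them.
sample_crtsh_json() {
  cat <<'EOF'
[{"issuer_ca_id":1,"common_name":"*.facebook.com","name_value":"*.facebook.com\nfacebook.com","id":1001},
{"issuer_ca_id":1,"common_name":"*.facebook.com","name_value":"*.facebook.com\n*.fbcdn.net\nmessenger.com","id":1002},
{"issuer_ca_id":2,"common_name":"facebook.com","name_value":"facebook.com","id":1003}]
EOF
}

# Read crt.sh JSON on stdin and print one unique hostname per line.
# 1. grep -o pulls out every "name_value":"..." field.
# 2. sed strips the key and the surrounding quotes.
# 3. awk turns each "\n" escape into a real newline (POSIX awk gsub).
# 4. sort -u deduplicates; LC_ALL=C makes the order deterministic
#    ("*" sorts before letters) regardless of the machine's locale.
crtsh_hostnames() {
  grep -o '"name_value":"[^"]*"' \
    | sed 's/^"name_value":"//; s/"$//' \
    | awk '{ gsub(/\\n/, "\n"); print }' \
    | LC_ALL=C sort -u
}

# Count how many distinct hostnames a crt.sh result set exposes.
crtsh_hostname_count() {
  crtsh_hostnames | wc -l | tr -d ' '
}

# Run against the constructed sample. For a live query you would use:
#   curl -s 'https://crt.sh/?q=example.com&output=json' | crtsh_hostnames
sample_crtsh_json | crtsh_hostnames
```

Wildcard entries such as *.facebook.com are kept rather than stripped, because the wildcard itself tells you a whole label space is covered by one certificate; names from other domains (messenger.com, *.fbcdn.net) stay in the list because they are in the same SAN field, which is exactly the cross-domain link the post points out.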

Subdomain Enumeration

- Each subdomain represents a potential attack surface.
- Use automation tools like:
  - Sublist3r — Queries search engines and subdomain databases.
  - SubBrute — Brute-forces subdomains.
  - Amass — Combines multiple methods (DNS, certificates, databases).
  - Gobuster — Brute-forces subdomains, directories, and files.

Wordlists are key for enumeration:

- SecLists (https://github.com/danielmiessler/SecLists/)
- Commonspeak2 (https://github.com/assetnote/commonspeak2/)
- Combine wordlists and remove duplicates using: sort -u wordlist1.txt wordlist2.txt
- Identify patterns in subdomains to guess additional ones.
- Use Altdns (https://github.com/infosec-au/altdns/) for permutations.

Service Enumeration

- Discover running services by scanning open ports.
- Active scanning (direct interaction): Nmap and Masscan for scanning target machines. Example: nmap scanme.nmap.org
- Passive scanning (stealthy reconnaissance): Shodan, Censys, and Project Sonar reveal open services and vulnerabilities.

Directory Brute-Forcing

- Helps find hidden admin panels, config files, outdated software, and exposed databases.
- Use tools like:
  - Dirsearch — Enumerates directories and files.
  - Gobuster — Brute-forces directories. Example: gobuster dir -u target_url -w wordlist
- Automate verification with screenshot tools:
  - EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness/)
  - Snapper (https://github.com/dxa4481/Snapper/)

Web Spidering

Crawls websites to discover all linked pages. Effective for uncovering hidden paths and potential vulnerabilities.

- OWASP ZAP (https://www.zaproxy.org/)
- Burp Suite’s crawler

Third-Party Hosting Recon

Amazon S3 buckets: Look for hidden endpoints, logs, credentials, and sensitive files.

Finding S3 buckets:

- Google Dorking: site:s3.amazonaws.com COMPANY_NAME
- Search the company’s GitHub repositories for S3 URLs.
- Use GrayhatWarfare or Lazys3 for automated searches.

Checking access: Use the AWS CLI to interact with found buckets:

- List contents: aws s3 ls s3://BUCKET_NAME/
- Copy files: aws s3 cp s3://BUCKET_NAME/FILE_NAME /local/directory
- Upload files: aws s3 cp TEST_FILE s3://BUCKET_NAME/
- Remove files: aws s3 rm s3://BUCKET_NAME/TEST_FILE

Important: Always report exposed sensitive data instead of exploiting it.

GitHub Reconnaissance

Search the organization’s GitHub repositories for:

- Hardcoded secrets: API keys, encryption keys, passwords.
- Sensitive functionalities: Authentication, password reset, and database interactions.
- Outdated dependencies: Identify old libraries with known vulnerabilities.

Tools:

- Gitrob: Finds sensitive files in repositories.
- TruffleHog: Detects secrets using regex and entropy analysis.

Other OSINT Techniques

- Job listings: Reveal technologies used (e.g., Python, AWS, Linux, Django).
- Employee profiles: Check LinkedIn, blogs, Stack Overflow posts.
- Google Calendars: Look for publicly shared meeting notes and credentials.
- Social media: Employees might leak data in office photos.
- SlideShare & Pastebin: Check for uploaded internal presentations or logs.
- Archive.org (Wayback Machine): Extract old endpoints and subdomains.
- Waybackurls tool: Automates endpoint extraction.

Tech Stack Fingerprinting

Identify software versions used to find known vulnerabilities (CVEs).

- Nmap scan: Use nmap -sV for version detection.
- CVE database: Search known vulnerabilities at CVE MITRE.

Automated Tech Stack Detection Tools

- Wappalyzer — Browser extension to detect CMS, frameworks, programming languages.
- BuiltWith — Online tool to analyze a website’s tech stack.
- StackShare — Platform to check publicly shared tech stacks.
- Retire.js — Identifies outdated JavaScript and Node.js libraries.

Writing Bash Scripts for Recon Automation

Automate reconnaissance tasks like scanning subdomains and enumerating directories. Example Bash script:

    #!/bin/bash
    # $1 is the target domain passed as the first argument
    nmap "$1"
    dirsearch.py -u "$1" -e php

Use $1 to take a target domain as input. Improve efficiency by adding output redirection:

    #!/bin/bash
    mkdir -p results   # the redirects below fail if results/ does not exist
    nmap "$1" > results/nmap_scan.txt
    dirsearch.py -u "$1" -e php --simple-report=results/dirsearch.txt

Set PATH for easier script execution:

    export PATH="PATH_TO_DIRSEARCH:$PATH"

Running the Script and Managing Permissions

Save the script as recon.sh and make it executable:

    chmod +x recon.sh
    ./recon.sh scanme.nmap.org

Redirect output for future analysis:

    ./recon.sh target.com > recon_results.txt

Parsing Scan Results with Grep

Raw scan outputs contain unnecessary data. Use grep with a regex to extract the relevant lines; the pattern below keeps only lines made of exactly three whitespace-separated fields, which in nmap output are the port, state and service rows:

    grep -E "^\S+\s+\S+\s+\S+$" DIRECTORY/nmap > DIRECTORY/nmap_cleaned
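The three-column regex above also keeps the "PORT STATE SERVICE" header and any closed or filtered rows, and \S and \s are GNU/PCRE extensions that a strictly POSIX grep will not understand. The script below is an added example (not code from the original post) that does the same parsing with POSIX bracket classes and then narrows the result to open ports. The nmap report is a constructed sample (192.0.2.1 is a documentation address, not a scanned host), and the function names (sample_nmap_output, nmap_three_columns, nmap_open_ports, nmap_open_count, nmap_unexpected_ports) are mine. The last function is the defender's version of the same parsing: compare the open ports against an allow-list and print anything that should not be reachable.

```shell
#!/bin/bash
# Added example (not from the original post): parse nmap's normal output and
# keep only the open-port rows, then diff them against an allow-list.

# Constructed sample of nmap output (not a real scan result).
sample_nmap_output() {
  cat <<'EOF'
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 00:00 UTC
Nmap scan report for scanme.nmap.org (192.0.2.1)
Host is up (0.12s latency).
Not shown: 995 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds
EOF
}

# Portable equivalent of the post's grep -E "^\S+\s+\S+\s+\S+$": any line
# made of exactly three whitespace-separated fields. Reads nmap output on
# stdin. Note that it matches the column header and filtered ports too.
nmap_three_columns() {
  grep -E '^[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+$'
}

# Stricter filter: only "port/proto" rows whose state is "open", printed as
# "port/proto service". Anchoring on the port column drops the header and
# the banner lines, and the trailing part is left unanchored so -sV output
# with multi-word version strings is still matched.
nmap_open_ports() {
  grep -E '^[0-9]+/(tcp|udp)[[:space:]]+open[[:space:]]+' \
    | awk '{ print $1, $3 }'
}

# Count open ports in an nmap report.
nmap_open_count() {
  nmap_open_ports | wc -l | tr -d ' '
}

# Defender's check: print open ports that are not in the allow-list given as
# arguments, e.g.  nmap_unexpected_ports 22/tcp 80/tcp < report.txt
nmap_unexpected_ports() {
  local allowed=" $* "
  nmap_open_ports | while read -r port service; do
    case "$allowed" in
      *" $port "*) ;;                      # expected, say nothing
      *) echo "$port $service" ;;          # not on the allow-list
    esac
  done
}

# Run against the constructed sample.
sample_nmap_output | nmap_open_ports
```

In a recon script this replaces the grep in the post: pipe results/nmap_scan.txt through nmap_open_ports and you get a list you can feed straight into the next step, and pipe it through nmap_unexpected_ports with your expected ports to turn the same scan into an exposure check for your own hosts.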

Regex operators:

- \d → Matches digits
- \w → Matches word characters
- ^ → Matches start of a line
- $ → Matches end of a line
- *, +, {} → Specify repetition rules