Welcome to our third tutorial in the bug bounty hunting series! 🎯 In our previous tutorial, we explored subdomain enumeration. Today, we’re diving into more advanced recon topics essential for bug bounty hunting. Specifically, we’ll cover DNS testing, email security testing, analyzing historical URLs, performing directory searches, and using BuiltWith to analyze website technologies. Let’s get started! 😎
Before we dive in, it’s important to have a basic understanding of how websites are developed, how they work, and how hosting and domain services are managed. This foundational knowledge will help you understand the importance of these tools and techniques and how they can be used effectively in bug bounty hunting.
How Websites are Developed 🛠️
Websites are created using a combination of programming languages, frameworks, and libraries. Here are some key concepts:
HTML/CSS/JavaScript: The building blocks of web development. HTML structures the content, CSS styles it, and JavaScript adds interactivity. 🌐
Frameworks: Tools like React, Angular, and Vue.js help streamline the development process. ⚙️
Back-end Development: This involves server-side programming languages like Python, Ruby, and PHP, and databases like MySQL and PostgreSQL. 🔙
Content Management Systems (CMS): Platforms like WordPress, Joomla, and Drupal simplify website management. 📝
How Websites Work 🌍
Client-Server Model: When a user accesses a website, their browser (client) sends a request to the server hosting the website, and the server sends back a response. 🌐➡️🖥️
DNS (Domain Name System): Translates domain names into IP addresses so browsers can load internet resources. 🔄
HTTP/HTTPS Protocols: HTTP carries the requests and responses between client and server in plain text; HTTPS wraps HTTP in TLS, so the traffic is encrypted and the server proves its identity with a certificate. 🔒
Managing Hosting and Domain Services 🌐
Web Hosting: Services that provide storage space and access for websites. Examples include shared hosting, VPS, and dedicated servers. 🏠💾
Domain Names: The address of a website. Domain registrars like GoDaddy, Namecheap, and Google Domains offer domain registration services. 🌐📝
DNS Management: Involves configuring DNS records so that your domain points to your hosting server. 🛠️
What is DNS Testing? 📡
DNS testing involves checking the DNS records of a domain to ensure they are configured correctly and securely. Common DNS records include:
A Record: Maps a domain name to an IPv4 address (an AAAA record does the same for IPv6). 📍
MX Record: Names the mail servers that accept email for the domain. 📬
CNAME Record: Makes one name an alias of another (commonly used for subdomains). 🔄
TXT Record: Holds free-form text for use by other systems, such as SPF and DMARC policies and domain-ownership verification tokens. 📄
Tool for DNS Testing 🛠️
MXToolbox: Provides a comprehensive suite of tools for DNS lookup and monitoring. 🛠️
Steps: Go to “mxtoolbox.com” ==> “DNS Lookup” ==> enter the domain name ==> click the “DNS Lookup” button. The same records can be pulled from a terminal with dig, for example “dig +short MX example.com”.
Importance of Email Security 🚨
Email security is crucial to protect against spoofing and phishing attacks. Key standards include:
SPF (Sender Policy Framework): A TXT record that lists the hosts allowed to send mail for the domain; receiving servers compare the connecting IP address against it. ✅
DKIM (DomainKeys Identified Mail): The sending server signs each message with a private key, and receivers fetch the matching public key from DNS to verify the sending domain and that the message was not altered in transit (a digital signature, not encryption). 🔐
DMARC (Domain-based Message Authentication, Reporting, and Conformance): Tells receivers what to do (none, quarantine, or reject) when a message fails SPF or DKIM alignment with the From: domain, and where to send reports about such failures. 📋
Tools for Email Security Testing 🛠️
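To see what a hosted checker like MXToolbox actually evaluates, here is a small Python checker added as an example; it is not part of the original tutorial and not MXToolbox code. It takes the TXT strings you would get from “dig +short TXT example.com” and “dig +short TXT _dmarc.example.com” and flags the settings that leave a domain spoofable: a missing or permissive SPF “all” term, too many DNS lookups, a DMARC policy of p=none, a partial pct, unprotected subdomains, or no reporting address. DKIM is not checked because the selector name is not discoverable from DNS alone. All domains and records in the block are constructed.

```python
"""Check a domain's SPF and DMARC TXT records for spoofing exposure.

Added example, not part of the original tutorial and not MXToolbox code.
The SAMPLES below are constructed; fetch real records with
    dig +short TXT example.com
    dig +short TXT _dmarc.example.com
and pass the strings in.
"""
import re

# Mechanisms that cost a DNS lookup; SPF allows at most 10 (RFC 7208 section 4.6.4).
_LOOKUP_MECHANISM = re.compile(r"^(include:|a\b|mx\b|ptr|exists:|redirect=)")


def analyze_spf(txt_records):
    """Return a list of weaknesses in the SPF record (empty list = looks sound)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may claim to send mail for this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permerror"]
    findings = []
    terms = spf[0].split()[1:]
    stripped = [t.lower().lstrip("+-~?") for t in terms]  # drop the qualifier
    all_term = next((t for t, s in zip(terms, stripped) if s == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append(f"'{all_term}' authorizes every sender: SPF offers no protection")
    elif all_term.startswith("?"):
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    elif all_term.startswith("~"):
        findings.append("'~all' is softfail: spoofed mail is usually delivered unless DMARC enforces")
    lookups = sum(1 for s in stripped if _LOOKUP_MECHANISM.match(s))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10: permerror")
    if any(s.startswith("ptr") for s in stripped):
        findings.append("'ptr' mechanism is deprecated and unreliable")
    return findings


def parse_dmarc(dmarc_txt_records):
    """Parse the 'tag=value; ...' record published at _dmarc.<domain>; None if absent."""
    recs = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def analyze_dmarc(dmarc_txt_records):
    """Return a list of weaknesses in the DMARC record (empty list = enforcing)."""
    tags = parse_dmarc(dmarc_txt_records)
    if tags is None:
        return ["no DMARC record: SPF/DKIM failures trigger no policy and no reports"]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is neither quarantined nor rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid p= tag ({policy!r})")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if tags.get("sp") == "none":
        findings.append("sp=none: mail from subdomains is not protected")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports about spoofing attempts")
    return findings


def spoofing_exposure(txt_records, dmarc_txt_records):
    """Combine both checks. Without an enforcing DMARC policy the From: header stays spoofable."""
    tags = parse_dmarc(dmarc_txt_records)
    enforced = tags is not None and tags.get("p") in ("quarantine", "reject")
    return {
        "spf": analyze_spf(txt_records),
        "dmarc": analyze_dmarc(dmarc_txt_records),
        "header_from_spoofable": not enforced,
    }


# Constructed sample records for three made-up domains (not real DNS data).
SAMPLES = {
    "weak.example": (
        ["v=spf1 include:_spf.mailhost.example ~all", "google-site-verification=abc123"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    ),
    "strong.example": (
        ["v=spf1 ip4:203.0.113.0/24 -all"],
        ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example"],
    ),
    "open.example": (["v=spf1 +all"], []),
}

if __name__ == "__main__":
    for domain, (txt, dmarc) in SAMPLES.items():
        report = spoofing_exposure(txt, dmarc)
        print(f"{domain}: header From: spoofable = {report['header_from_spoofable']}")
        for finding in report["spf"] + report["dmarc"]:
            print(f"  - {finding}")
```

The split into analyze_spf and analyze_dmarc mirrors how the two records are judged separately by receivers: a softfail SPF record on its own is only a weak signal, and it is the DMARC p= tag that decides whether a spoofed message is actually quarantined or rejected.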
MXToolbox: Offers tools to test and analyze SPF, DKIM, and DMARC records. 🛠️
Steps: Go to “mxtoolbox.com” ==> “Email Health” ==> enter the domain name ==> click the “Email Health” button
What is the Wayback Machine? 🛠️
The Wayback Machine is an internet archive that allows you to view previous versions of websites. This can be useful for:
Identifying old vulnerabilities: Older versions of a website may expose endpoints, parameters, or files that still exist but are no longer linked from the current site. 🚨
Understanding website changes: Track changes to the website structure and content over time. 📅
How to Use Wayback URLs ⏳
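Getting the list of archived URLs is the installation step described next; what to do with that list is the part tutorials usually skip. The script below is an added example, not part of the original tutorial and not code from the waybackurls tool. It reads one URL per line (the output format of waybackurls), collapses them into unique endpoints, collects every query-parameter name with the endpoints it appears on (a ready-made list of injection points), and pulls out files whose extensions suggest backups, dumps, configuration, or JavaScript. The sample URLs and the domain target.example are constructed.

```python
"""Triage a list of archived URLs (e.g. the output of waybackurls).

Added example, not part of the original tutorial or of the waybackurls tool.
Input is one URL per line; SAMPLE_WAYBACK_OUTPUT below is constructed.
"""
import sys
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# File types worth a closer look when they show up in an archive:
# backups, dumps, config files, and JavaScript (for hidden endpoints and secrets).
INTERESTING_EXT = (".tar.gz", ".bak", ".old", ".sql", ".zip", ".env", ".config",
                   ".json", ".xml", ".log", ".js")


def interesting_extension(path):
    """Return the matching entry from INTERESTING_EXT, or '' (longest match wins)."""
    name = path.rsplit("/", 1)[-1].lower()
    for ext in sorted(INTERESTING_EXT, key=len, reverse=True):
        if name.endswith(ext):
            return ext
    return ""


def triage(lines):
    """Group archived URLs into unique endpoints, parameter names, and interesting files."""
    endpoints = set()
    params = defaultdict(set)  # parameter name -> endpoints where it appears
    files = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        url = urlsplit(raw)
        endpoint = f"{url.netloc}{url.path or '/'}"  # scheme and query dropped
        endpoints.add(endpoint)
        for name, _ in parse_qsl(url.query, keep_blank_values=True):
            params[name].add(endpoint)
        ext = interesting_extension(url.path)
        if ext:
            files.add((ext, raw))
    return {
        "endpoints": sorted(endpoints),
        "params": {k: sorted(v) for k, v in sorted(params.items())},
        "files": sorted(files),
    }


# Constructed stand-in for `waybackurls target.example` output.
SAMPLE_WAYBACK_OUTPUT = """\
http://target.example/index.php?id=1
http://target.example/index.php?id=2&lang=en
https://target.example/admin/login.php
https://target.example/backup/site.tar.gz
https://target.example/static/app.js?v=3
https://target.example/api/v1/users?page=1
https://target.example/api/v1/users?page=2

http://target.example/old/config.php.bak
"""

if __name__ == "__main__":
    # usage: waybackurls target.example > urls.txt && python3 triage.py urls.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_WAYBACK_OUTPUT.splitlines()
    report = triage(lines)
    print(f"{len(report['endpoints'])} unique endpoints")
    for name, where in report["params"].items():
        print(f"param {name!r} on {', '.join(where)}")
    for ext, url in report["files"]:
        print(f"interesting {ext}: {url}")
```

Deduplicating on host plus path (ignoring scheme and query) is deliberate: the archive typically holds dozens of captures of the same page with different parameter values, and for testing you want each endpoint once with the union of its parameter names.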
Download the “tomnomnom/waybackurls” tool, which is written in Go. On #KaliLinux you first have to install Go; see my blog post “GO INSTALLATION”. Once it is installed, running “waybackurls target.com” prints every URL the archive has recorded for the domain and its subdomains, one per line, which you can save to a file for review.
What is Directory Search? 🕵️♂️
Directory search involves brute-forcing potential endpoints to find hidden files and directories on a website. This can reveal sensitive information and access points for further exploitation. 🔓
Tools for Directory Search 🛠️
Gobuster: A fast, Go-based tool for discovering hidden directories and files. 💪
# GoBuster command
gobuster dir -u http://target.com -w /path/to/wordlist.txt -r -x .php,.html,.txt -H "User-Agent: Mozilla/5.0" -o results.txt --delay 500ms
# Flags you can add to your commands
-x .php,.html ==> file extensions to append to each wordlist entry
-r ==> follow redirects (gobuster does not recurse into the directories it finds; run it again against each discovered directory)
-H "User-Agent: Mozilla/5.0" ==> send a specific User-Agent header
-n ==> don't print status codes in the output
--exclude-length 1234 ==> drop responses with this body size (useful when the server answers every unknown path with a custom "not found" page)
-v ==> get more details during the scan
-o results.txt ==> save scan output
-t 10 ==> limit the number of concurrent threads (e.g., 10 threads, which is also the default)
--delay 500ms ==> delay each thread waits between requests (e.g., 500 milliseconds)
ffuf: A fast web fuzzer; the keyword FUZZ marks where each wordlist entry is inserted.
# ffuf command
ffuf -u http://target.com/FUZZ -w /path/to/wordlist.txt -recursion -e .php,.html,.txt -H "User-Agent: Mozilla/5.0" -o results.json -of json -rate 100 -p 0.5
# Flags You Can Add to Your Commands
-e .php,.html ==> File Extensions: append these extensions to each wordlist entry.
-recursion ==> Recursive Search: scan any subdirectories it discovers (FUZZ must be at the end of the URL; -recursion-depth limits how deep it goes).
-H "User-Agent: Mozilla/5.0" ==> Specific User-Agent: add a custom User-Agent header.
-mc 200,204,301,302,403 ==> HTTP Status Codes: specify which HTTP status codes to include in the results.
-fs 1234 ==> Filter Size: drop responses with this body size (handy against custom "not found" pages that return 200).
-x http://proxy:8080 ==> Proxy Support: send the scan through a proxy server such as Burp.
-v ==> Verbose Output: get more details during the scan.
-o results.json ==> Save Scan Output: save the scan results to a file.
-of json ==> Output Format: specify the output format (e.g., JSON).
-rate 100 ==> Rate Limiting: limit the number of requests per second.
-p 0.5 ==> Delay Between Requests: seconds to wait between requests (a range such as 0.1-2.0 randomizes it), to avoid triggering rate limits or WAF rules.
dirb: A classic scanner that recurses into every directory it finds by default.
dirb http://target.com /path/to/wordlist.txt
# flags you can add in commands
-r ==> Don't search recursively (recursion is on by default, so pass -r to turn it off)
-X .php,.html,.txt ==> append specific file extensions, such as .php, .html, and .txt, to each word (no spaces in the list)
-u username:password ==> HTTP basic authentication credentials
-i ==> Use case-insensitive search
-w ==> Don't stop on WARNING messages; keep scanning without interruption
-z 500 ==> add a delay in milliseconds between requests
-o results.txt ==> save output scans
# Final command
dirb http://target.com /path/to/wordlist.txt -X .php,.txt -w -o result.txt
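All three tools do the same few things: multiply the wordlist by the extension list, fire the requests from a thread pool with a fixed User-Agent and an optional delay, and then decide which responses are real. The last step is where beginners get burned, because many sites answer every unknown path with HTTP 200 and a custom error page, so the response-size filters (ffuf -fs, gobuster --exclude-length) matter as much as the status codes. The script below is an added example, not code from gobuster, ffuf or dirb: it starts a tiny local web server with a few constructed paths and a soft-404 page so it runs offline, takes one baseline request for a path that cannot exist, and reports only candidates that differ from that baseline. The demo paths, words and port handling are assumptions made for the example.

```python
"""Minimal directory brute-forcer showing what gobuster, ffuf and dirb do under the hood.

Added example, not code from any of those tools. It starts a tiny local HTTP
server with a few constructed paths so the whole thing runs offline.
"""
import http.server
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    path: str
    status: int
    length: int


def expand_wordlist(words, extensions):
    """Like gobuster -x / ffuf -e / dirb -X: each word, then the word with each extension."""
    candidates = []
    for word in words:
        candidates.append(word)
        candidates.extend(word + ext for ext in extensions)
    return candidates


def probe(base_url, path, delay=0.0, user_agent="Mozilla/5.0"):
    """GET one candidate path and record the status code and body length."""
    if delay:
        time.sleep(delay)  # like gobuster --delay / ffuf -p / dirb -z
    req = urllib.request.Request(f"{base_url.rstrip('/')}/{path}",
                                 headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return Hit(path, resp.status, len(resp.read()))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a useful status and body
        return Hit(path, err.code, len(err.read() if err.fp else b""))


def brute_force(base_url, words, extensions, threads=10, delay=0.0):
    """Return the candidates that look real.

    A baseline request for a path that cannot exist shows what 'not found' looks
    like on this host, so a site answering 200 with a custom error page (a soft
    404) is still filtered. This is what ffuf -fs and gobuster --exclude-length
    do when you hand them the size of that page.
    """
    baseline = probe(base_url, "zz-baseline-should-not-exist-7f3a9c", delay)
    candidates = expand_wordlist(words, extensions)
    with ThreadPoolExecutor(max_workers=threads) as pool:  # like -t
        results = list(pool.map(lambda p: probe(base_url, p, delay), candidates))
    hits = []
    for hit in results:
        if hit.status == 404:
            continue
        if (hit.status, hit.length) == (baseline.status, baseline.length):
            continue  # indistinguishable from the not-found baseline
        hits.append(hit)
    return hits


# --- constructed demo target so the example runs offline ---------------------
class _DemoHandler(http.server.BaseHTTPRequestHandler):
    PAGES = {
        "/admin": (200, b"<html><body><h1>Admin console</h1><form method=post></form></body></html>"),
        "/backup.txt": (200, b"db_user=app\ndb_password=hunter2\n"),
        "/config.php": (403, b"Forbidden"),
    }

    def do_GET(self):
        # Anything else is a soft 404: HTTP 200 with a fixed 'not found' page.
        status, body = self.PAGES.get(self.path, (200, b"<h1>Page not found</h1>"))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_demo_server():
    """Serve the demo pages on a random loopback port; returns (server, base_url)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base = start_demo_server()
    try:
        hits = brute_force(base, ["admin", "backup", "config", "login"], [".php", ".txt"], threads=4)
        for hit in hits:
            print(f"{hit.status} {hit.length:>6}  /{hit.path}")
    finally:
        server.shutdown()
```

Against the demo server the twelve candidates collapse to three hits (/admin, /backup.txt and the 403 on /config.php), while login, login.php and friends are dropped because they match the baseline byte for byte. Keep a 403 in your results: it proves the path exists even though you cannot read it yet.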
What is BuiltWith? 🌐
BuiltWith is a tool that analyzes websites to determine the technologies they are using. This includes:
CMS Platforms: WordPress, Joomla, etc. 📝
JavaScript Libraries: jQuery, Angular, etc. 📚
Analytics Tools: Google Analytics, etc. 📊
How to Use BuiltWith 🛠️
Go to “builtwith.com” ==> enter “facebook.com”. You get the full list of technologies used to build facebook.com. Knowing the exact CMS, framework, and library versions lets you look up known weaknesses for that stack instead of guessing.
In conclusion, mastering the intricacies of website development, functionality, and management, from domain hosting to DNS testing and email security, is essential for aspiring bug bounty hunters and penetration testers 🕵️♂️🔍.
Leveraging tools like MXToolbox for DNS and email security testing, Wayback Machine for internet archives 📚, and directory search tools like FFUF, Gobuster, and dirb, alongside technology analyzers like BuiltWith and Wappalyzer, empowers you to uncover vulnerabilities and understand the technology stack behind websites 💻🔧.
By integrating these insights and techniques, you can elevate your expertise, enhance your security assessments, and contribute to a safer digital landscape 🌐🔒.
Keep exploring, stay curious, and continue honing your skills in this ever-evolving field. Happy hunting! 🐾🚀