How I do my recon and end up finding hidden assets and vulnerabilities before anyone else Pt.1


Mohammed Dief

As most of you know, I have been doing bug bounties for more than 5 years, and I would say 30-40% of the vulnerabilities I found were due to the recon methodology I built over those years, with the help of real-life scenarios and some friends.

Anyway, the first thing to keep in mind is that you're not actually hunting on a subdomain or a domain. Most companies will accept submissions on other domains/subdomains as long as they belong to the company or impact the main application, which means you're hunting on the company itself.

With that said, your target is the domains in scope, any other domains that belong to that company, companies it has acquired (which now belong to it), and the company's employees. I will walk you through all of that in this article.

The usual method is to use Crunchbase, as it lists acquisitions easily, though with some limitations. Keep in mind that Crunchbase might miss some acquisitions; some googling might help you find more acquired companies.

Using Crunchbase, all we have to do is check the company profile, for example GitHub:

Companies acquired by GitHub

And just like that, we have extended our scope: instead of hunting only on GitHub.com, we have 8 more applications to hunt on, which GitHub will accept submissions for as long as they impact something in scope.

GitHub-related tip: companies acquired by GitHub are usually merged into the main application and implemented as features. Dependabot, for example, isn't a separate service but something inside GitHub itself.

This is where things get a bit tricky, but we can actually get all the domains related to a company with a simple reverse WHOIS lookup using Whoxy.

First we need to find the email that registered the domain. We can do that with a simple whois command or with DomainTools; I will use DomainTools here since I'm on Windows.

Applying this to Slack, we find that hostmaster@slack-corp.com did in fact register the domain slack.com.

Whois data for slack.com

Going back to Whoxy and searching with that email, we end up with 1900+ domains registered using that email. You don't have full access to all results, but I think it costs $2 or so to get the full results.

Related domains to slack

With that said, you know the technique; you just need to find a free service that has an email search and you're good to go. We have just extended our scope.

Now all you have to do is follow the standard recon process on all of those domains: finding subdomains, sorting them, validating them, then checking them. You would end up finding 90% more assets than by doing that on slack.com alone.

There's no better place to hunt for company employees than GitHub. Developer profiles are more like CVs; they usually mention that they work or worked for the company, because it's in their interest, which makes it easy to verify whether their accounts are worth checking.

Over the years I identified a pattern that developers follow: most of them publish their dotfiles, as most companies require it to speed up development and environment setup.

You just need to find the domain the employees' emails are under; for Slack it's @slack-corp.com. That means with a simple GitHub query like this:

"@slack-corp.com" SigningKey

we can identify some Slack Corp members' accounts.

Search query results

Now you can actually look for secrets inside their accounts by scanning all the repos there, especially the dotfiles repo. Most of the time these developers forget their GitHub token there, and finding such a thing gives access to the company's GitHub org, which is at least Critical (9.0) depending on your permissions.
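From the defender's side, the pattern just described is easy to check for before a dotfiles repo goes public. The following is an added example, not code from the article: a small Python scanner that flags GitHub token prefixes, plaintext password/token lines and corporate-domain emails in a set of dotfiles. The sample file contents are constructed inline, and slack-corp.com is reused as the example domain from the article.

```python
import re
from typing import Dict, List, Tuple

# Real GitHub token prefixes: ghp_ (classic PAT), gho_ (OAuth), ghu_ (user-to-server),
# ghs_ (server-to-server), ghr_ (refresh) and github_pat_ (fine-grained PAT).
# Lengths are matched loosely on purpose; the prefix is the reliable signal.
TOKEN_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{30,}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{40,}\b"),
}
# Plaintext credential lines as found in INI-style dotfiles (.pypirc, .npmrc, ...).
CRED_LINE = re.compile(r"^\s*(password|token)\s*[=:]\s*(\S+)", re.I | re.M)


def mask(secret: str) -> str:
    """Keep only the first 8 characters so the report itself does not leak the secret."""
    return secret[:8] + ("..." if len(secret) > 8 else "")


def scan_dotfiles(files: Dict[str, str], corp_domain: str) -> List[Tuple[str, str, str]]:
    """Return (path, finding_type, value) triples for anything that should not be published.

    `files` maps a relative path to its text; `corp_domain` is the employer's email
    domain. A .gitconfig carrying a corporate email is exactly what the search query
    in the article keys on, so it is reported even though it is not a secret."""
    findings = []
    email_re = re.compile(r"[\w.+-]+@" + re.escape(corp_domain) + r"\b", re.I)
    for path, text in files.items():
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(text):
                findings.append((path, kind, mask(m.group(0))))
        for m in CRED_LINE.finditer(text):
            findings.append((path, "plaintext_" + m.group(1).lower(), mask(m.group(2))))
        for m in email_re.finditer(text):
            findings.append((path, "corporate_email", m.group(0)))
    return findings


# Constructed sample dotfiles (not real data); slack-corp.com is the domain from the article.
SAMPLE_DOTFILES = {
    ".gitconfig": "[user]\n\tname = Dev\n\temail = dev@slack-corp.com\n\tsigningkey = ABCDEF1234567890\n",
    ".netrc": "machine github.com login dev password ghp_" + "a" * 36 + "\n",
    ".zshrc": "export GITHUB_TOKEN=github_pat_" + "b" * 82 + "\nalias ll='ls -l'\n",
    ".pypirc": "[pypi]\nusername = dev\npassword = hunter2-example\n",
    ".vimrc": "set number\n",
}

if __name__ == "__main__":
    for path, kind, value in scan_dotfiles(SAMPLE_DOTFILES, "slack-corp.com"):
        print(f"{path}: {kind} -> {value}")
```

Run as a pre-push hook or CI step over the dotfiles repo; any finding other than `corporate_email` should block the push.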

That's just an easier way than searching all the repos on GitHub. You can still find more results by hunting manually through the "People" section of the company's LinkedIn page, but that's too time-consuming in my opinion, and most of them wouldn't have anything worth scanning anyway.

This article isn't meant to show you how to do your recon or explain bug bounty tools; there are TONS of articles out there explaining that process, and I don't have to re-explain it. I'm just showing you my recon setup and what I do when I hop on a target. I already have recon scripts for all of that, which I run on every domain/application I find; I might write about this later.

Yeah, that's it. You can follow me on LinkedIn for more technical content: https://www.linkedin.com/in/mohamed-dief-b87649184/ or contact me personally on X: https://x.com/DemoniaSlash

Stay safe
