How I do my recon and end up finding hidden assets and vulnerabilities before anyone else Pt.2


Mohammed Dief

The secret to bug bounty is literally recon and automation. I remember days when I would just code and chill all day, then come back at night or the next day to see the findings from my recon. Life was so much easier, I swear to god.

I have to admit though, right now this has gotten much harder as the security community is growing, and with the new tools out there it became more challenging to find such easy findings just using automation, but it's still possible to catch some vulnerabilities here and there. Anyways, let's get into the technical part.

Watching many bug bounty hunters collect subdomains, I noticed a pattern where almost all of them would pick a tool or two for subdomains, because it's the same sources, right? But it didn't actually feel right, because almost every time I used a tool or two to collect subdomains I would feel like something was missing: I would find new subdomains in BurpSuite that weren't in the list I collected, so I did some testing.

I used multiple tools to collect subdomains for a target and noticed that almost every tool returned different subdomains than the others. Yeah, most tools had lots of duplicate subdomains, but almost every tool also had unique subdomains in its results.

With that I knew for sure my recon setup must include as many tools as I can add, and I ended up building a script that collects all those tools' outputs: Amass, Assetfinder, Subfinder, Findomain and Github-subdomains. Even though the subdomain collection process took much longer, I ended up with much better results than just using subfinder or assetfinder.

Why amass is my favorite tool of all time

Amass is just better than all of those tools. Much heavier, yes, and it required me to upgrade my VPS twice, but it was worth it: upon testing those tools, amass would have the most unique subdomains compared to all the others. So if your machine can handle it, I would honestly recommend you add amass to your recon flow/scripts.

How to actually build your own subdomain collection script

You can obviously use any programming/scripting language for this, but since we're on Linux (I assume you're on Linux) bash would be the best option for you, and it's really easy: you just put commands in order, and whenever you need to store data you just write it to local files. Anyways, a script would be something similar to this:

#!/usr/bin/env bash
# Usage: ./subs.sh example.com  (expects the directory recon/example.com to exist)
[ -z "$1" ] && { echo "usage: $0 <domain>"; exit 1; }
cd "recon/$1" || exit 1

# Collect subdomains with several tools, each into its own file
echo "$1" | assetfinder -subs-only | tee "$1.assetfinder"
echo "$1" | subfinder -all --recursive -o "$1.subfinder"
findomain -t "$1" --external-subdomains -u "$1.findomain"
echo ">> Finished collecting subdomains" | tee -a ../../logs.txt
sleep 1

# Merge the lists, drop duplicates and keep only the hosts that resolve
cat "$1.assetfinder" "$1.subfinder" "$1.findomain" | sort -u | filter-resolved | tee "$1.resolved"
echo ">> Removed duplicate subdomains" | tee -a ../../logs.txt
echo ">> Found $(wc -l < "$1.resolved") subdomains for $1" | tee -a ../../logs.txt

# Check alive subdomains (web servers on the default ports)
cat "$1.resolved" | httpx -title -web-server -status-code -follow-redirects -o "$1.info"
cat "$1.resolved" | httprobe -c 100 | tee "$1.robe"
awk '{ print $1 }' "$1.info" | tee "$1.httpx"   # first field of the httpx output is the URL

echo ">> Found $(wc -l < "$1.robe") HTTProbe and $(wc -l < "$1.httpx") HTTPx subdomains for $1" | tee -a ../../logs.txt

Let me explain what the script does in detail. It simply runs different subdomain enumeration tools and stores their output in local files on the system. Once those tools are finished, duplicate subdomains are filtered out using sort -u, then we keep only the hosts from that list that can actually be resolved.

Once we have the resolved list, we can do quick httpx and httprobe checks to get a list I can navigate through while the rest of the recon is running. And yeah, I use both httpx and httprobe because I do believe httpx misses some results, and httprobe actually prints both active protocols, http and https, which is really helpful when you pass it to a scanner or something.

With that said, you can build your own script following the same pattern. I would still recommend you learn some bash first though, as it will be really helpful for you as a bug bounty hunter.

You must wonder by now why I filter for resolved subdomains instead of just using httpx or httprobe directly on the collected list. Well, what's a subdomain? It's just an easier way to reach your server's public IP address, and as we know a machine can have a web server running on literally any port. httpx and httprobe would just check for http on port 80 and https on port 443, and that's what most people would go for, but if you really look into it, httpx would return 70 subdomains or something when the resolved hosts are like 100. That's 30 alive hosts missed out; don't you think at least 10 of them have a web server running on them?

If you really want to find hidden assets no one else would find, you have to spend more time than them doing the recon. That's why you always have to make sure you scan all 65,535 ports on the server, and trust me, even though a port scan like that would take a day or two to finish, it will be really worth it. I can't even tell you how many times I found dashboards and instances that hadn't been configured yet on those ports, and if you really put time into it those are some really easy findings.

What to use? I would recommend rustscan on a target that has no WAF, as rustscan can get you banned within 10 seconds (5000 ports a second is crazy). The safer option is naabu; it's not the fastest, but you would get some nice results without getting banned.
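To make the "30 missed hosts" concrete, here is an added helper (not the author's script) that takes the $1.resolved and $1.info files produced by the script above and prints the resolved hosts httpx did not report on the default ports, which is exactly the list worth a full port scan. The file names and the example.com hosts in the demo are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: list the resolved hosts that httpx did
# not report on the default ports, i.e. the candidates worth a full port scan.
# Assumes the file layout of the script above: $1.resolved (one host per line)
# and $1.info (httpx output whose first field is a URL).

# Reduce a URL such as https://admin.example.com:8443/login to admin.example.com
host_from_url() {
    local url="$1"
    url="${url#*://}"   # drop the scheme
    url="${url%%/*}"    # drop any path
    url="${url%%:*}"    # drop an explicit port
    printf '%s\n' "$url"
}

# Print hosts that are in the resolved list but absent from the httpx output.
#   $1 = resolved hosts file, $2 = httpx output file
missed_hosts() {
    local resolved="$1" info="$2" seen
    seen="$(mktemp)"
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -n "$line" ]; then
            host_from_url "${line%% *}"
        fi
    done < "$info" | LC_ALL=C sort -u > "$seen"
    # comm -23 keeps the lines unique to the first (sorted) input
    LC_ALL=C sort -u "$resolved" | LC_ALL=C comm -23 - "$seen"
    rm -f "$seen"
}

# Demo on constructed data (example.com placeholders): run with "demo" as $1
if [ "${1:-}" = "demo" ]; then
    r="$(mktemp)"; i="$(mktemp)"
    printf 'api.example.com\ndev.example.com\nwww.example.com\n' > "$r"
    printf 'https://www.example.com [200] [Home]\n' > "$i"
    missed_hosts "$r" "$i"   # prints api.example.com and dev.example.com
    rm -f "$r" "$i"
fi
```

The printed hosts are the ones to hand to naabu for the full port scan; its host:port output can then go straight into httpx to find the web servers sitting on non-default ports.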

# install go-based tools
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/tomnomnom/hacks/filter-resolved@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/tomnomnom/httprobe@latest
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

# findomain requires a manual installation to get the latest version
# and I'm too lazy to write an automation script for it
# you can still get findomain v9.0.4 by uncommenting the commands below
# wget "https://github.com/Findomain/Findomain/releases/download/9.0.4/findomain-linux.zip"
# unzip "findomain-linux.zip"
# chmod +x findomain
# sudo mv findomain /usr/local/bin
# rm findomain-linux.zip
# findomain -h

Again, this article isn't meant to explain bug bounty/recon tools to you. I'm just showing you my mindset and some tools I use so I can inspire you to build your own scripts. Of course this article doesn't contain all the information, as we haven't discussed many matters like dorking, monitoring, digging into JavaScript files and using services like Censys and Shodan, but that would need a book to cover, not an article, and if you can't search for information on your own, that's actually your problem.

Still, I hope you find this article helpful, maybe come up with your own recon script or find some vulnerabilities. I would be happy for you either way.

Make sure to follow me on Twitch: https://www.twitch.tv/mohammeddief as I will be going live, coding and doing bug bounty soon. Also follow me on X for updates: https://x.com/DemoniaSlash

That’s it, stay tuned for part 3 and wish you the best.
