Mastering Reconnaissance in Bug Hunting


TL;DR: Bug hunting is a challenging task, but it can be simplified with the right tools and tactics. This article covers nine tips and tricks to streamline your process and improve your reconnaissance skills.

Introduction

Recon, short for reconnaissance, is the act of gathering intelligence and information about a target. This target might be a person, a device, or even a website. There are many different types of recon in cybersecurity, but we’re mainly going to focus on active recon methods.

These methods may leave a trace of data in log files that can be discovered by the company you’re pen-testing, so make sure to do your research before using certain methods. That being said, only use any methods listed in this article for white-hat hacking, and do not attempt to maliciously compromise any targets using techniques detailed in this article.

The Top Recon Methods

Resolve DNS Names
The first objective in any bug hunting process should be to identify the domains and services behind a website. One of the most popular tools for resolving DNS names is dig. You can use it to resolve hostnames to IP addresses and to look up MX and NS records.

Determine Location Using IP
You might also want to determine the physical location of certain servers, which can be done by entering the IP address into an IP-to-location lookup tool. Some example tools are listed below →

Host Header Injection
Host Header Injection is a web application bug in which the server trusts an attacker-supplied Host header, which can be used to bypass security controls. With tools like Burp Suite or OWASP ZAP, you can test for this weakness and discover vulnerabilities that can lead to significant security breaches.
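The flaw above comes down to which Host value the application trusts when it builds URLs. The following is an added example, not code from the article: a hypothetical password-reset link builder in its vulnerable form beside a hardened version that only accepts hosts from an assumed allowlist and ignores X-Forwarded-Host.

```python
import re
from typing import Optional
from urllib.parse import quote

# Hosts this application is allowed to serve. Assumed configuration for the
# example; a real deployment would load this from its settings.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# hostname, optionally followed by ":port"; anything else (userinfo '@',
# paths, whitespace, unicode tricks) fails the match.
_HOST_RE = re.compile(r"^([a-z0-9.-]+)(?::(\d{1,5}))?$")


def canonical_host(headers: dict) -> Optional[str]:
    """Return the validated, lower-cased Host (with port, if given) or None.

    X-Forwarded-Host is deliberately ignored: it is client-controlled unless a
    trusted reverse proxy overwrites it, which this example does not assume.
    """
    raw = headers.get("Host", "").strip().lower()
    match = _HOST_RE.match(raw)
    if not match:
        return None
    host, port = match.group(1), match.group(2)
    if port is not None and not 0 < int(port) < 65536:
        return None
    if host not in ALLOWED_HOSTS:
        return None
    return raw


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Vulnerable: whatever host the client sent ends up in the emailed link,
    so a poisoned Host or X-Forwarded-Host redirects the victim's reset token
    to a domain the attacker controls."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?token={quote(token)}"


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened: refuse to build the link unless Host is on the allowlist."""
    host = canonical_host(headers)
    if host is None:
        raise ValueError("request Host header is not an allowed host")
    return f"https://{host}/reset?token={quote(token)}"
```

A request with a spoofed X-Forwarded-Host is the classic test case here: the vulnerable builder emits the attacker's domain, while the hardened one keeps the allowlisted host or rejects the request outright.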

WayBackUrls
WayBackUrls is a tool often used for identifying historical versions of a website. This can be useful for identifying past vulnerabilities that may not have been fixed yet, since the tool pulls the URLs the Wayback Machine archived for a site, giving a picture of how the entire site was laid out at a given period in time.

Locating Hidden Web Directories
Many websites have hidden, read-only, or admin directories that can contain sensitive information. Dirbuster is a popular tool that can be used to identify these directories, and here's another article to read if you receive any type of 403 error and you're looking to bypass it to access confidential directories.

Nmap Don’t Ping Scan
Nmap is a well-known tool used for network exploration and security auditing. It's important to note that, by default, Nmap starts with a ping-based host discovery step and skips any host that doesn't respond, and those probes are easily blocked by firewalls. In these cases, you should use the -Pn option, which skips host discovery and assumes all hosts are online. This allows Nmap to identify open ports and services even when a firewall drops the ping probes.

Nmap Service Version Detection
Nmap's -sV option performs service version detection, which is very valuable for assessing potential security risks and vulnerabilities. This can also help plan and implement effective security measures or identify new attack vectors, depending on whether you're trying to break into the system or trying to fix it.

Google Dorks
Google Dorking is a technique frequently used to find specific information and data that is publicly available on the internet but not easily found through ordinary searches. To locate this semi-hidden information, you enter special search queries, often referred to as "dorks". These let you search through indexed web pages for sensitive data such as usernames and passwords, IP addresses, email addresses, and vulnerable systems.

Shodan Dorks
Shodan is a search engine for internet-connected devices. Whereas web-focused recon only covers web apps and website interfaces, Shodan dorking can uncover exposed devices such as routers or cameras and the sensitive data they leak. Here's a helpful article with detailed information on using Shodan, Google, and Censys dorking to find simple vulnerabilities.

Thanks for reading about recon in bug hunting! If you’d like to see similar articles, check out more posts on The Gray Area.

To support my content, subscribe to a Medium membership using my referral link. It gives you access to all of my posts, plus every other post from other Medium writers →

Thanks!
