Hello Everyone,
In this blog I am going to share how I perform recon on a bug bounty target. I will keep this blog short and simple.
I have also created a YouTube channel, so for those who don't like reading or want a demonstration, I have made a video showing the recon process on a real target. Go check it out, and subscribe if you like it :)
Note that I am not a big bug bounty hunter; I write these posts to share what I've learned in a way that would have helped me when I was starting out. My goal is to make cybersecurity easier to understand for others who are also beginning their journey.
So Let’s Begin,
The first and most important thing to do after choosing a target is to go through its scope, because everything we find during recon has to be checked against it.
So for example, say we have a large scope: *.target.com
The first thing I do is
I use four or five tools to collect subdomains, then merge the results and remove the duplicates.

1. Assetfinder
assetfinder target.com -subs-only | tee -a asset.txt

2. CrtSh
crtsh -d target.com | tee -a crtsh.txt

3. Findomain
findomain -t target.com -o

4. Subfinder
subfinder -d target.com

5. Github-Subdomains
github-subdomains -d target.com

Now I use the tool anew by tomnomnom to keep only the unique ones:
cat filename.txt | anew filename2.txt

You can also use other tools or write a script to combine all of these, but I like to do it this way. The next thing I do is
I use the tool httprobe to find the alive subdomains from the list
cat subs.txt | httprobe | tee -a alivesubs.txt

After finding the alive subdomains, I use a tool to view them all.
I use the tool aquatone to take a screenshot of every alive subdomain and view them all in an organized report, and then I separate out the subdomains that I find interesting.
cat subs.txt | aquatone

You can view the demo in the YouTube video.
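Before the merged list goes on to httprobe, aquatone and the scanners below, it is worth checking every host against the program scope mentioned at the start: a naive grep for "target.com" also keeps hosts like partner-of-target.com, which are out of scope. The script below is an added example written for this post, not a command from the original; it does what anew does for deduplication and then filters by scope. The file names follow the post (asset.txt, crtsh.txt, subs.txt); the host lists and the scope file are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): merge several subdomain
# lists, drop duplicates, and keep only hosts inside the program scope.
# The sample lists below are constructed; real runs would use the
# asset.txt / crtsh.txt / findomain output files from the post.

WORK=$(mktemp -d)
printf 'www.target.com\napi.target.com\nWWW.target.com\n' > "$WORK/asset.txt"
printf 'api.target.com\ndev.target.com\nstaging.partner-of-target.com\n' > "$WORK/crtsh.txt"
printf 'old.target.com\n*.target.com\n' > "$WORK/findomain.txt"

# Scope as the program lists it: one entry per line, "*.domain" allowed.
printf '*.target.com\n' > "$WORK/scope.txt"

# merge_subs FILE... : lowercase, strip a leading "*.", dedupe.
merge_subs() {
    cat "$@" | tr 'A-Z' 'a-z' | sed 's/^\*\.//' | sort -u
}

# in_scope HOST SCOPEFILE : succeeds if HOST matches any scope entry.
# "*.target.com" matches target.com itself and any host ending in
# ".target.com"; a plain entry matches only that exact host.
in_scope() {
    host=$1
    while IFS= read -r pat; do
        [ -z "$pat" ] && continue
        case "$pat" in
            \*.*)
                base=${pat#\*.}
                [ "$host" = "$base" ] && return 0
                case "$host" in *."$base") return 0 ;; esac
                ;;
            *)
                [ "$host" = "$pat" ] && return 0
                ;;
        esac
    done < "$2"
    return 1
}

# filter_scope SCOPEFILE < HOSTS : print in-scope hosts; report the
# out-of-scope ones on stderr so they are not silently dropped.
filter_scope() {
    while IFS= read -r h; do
        if in_scope "$h" "$1"; then
            printf '%s\n' "$h"
        else
            printf 'out of scope: %s\n' "$h" >&2
        fi
    done
}

# Build subs.txt the way the post does, but scope-checked.
merge_subs "$WORK/asset.txt" "$WORK/crtsh.txt" "$WORK/findomain.txt" \
    | filter_scope "$WORK/scope.txt" > "$WORK/subs.txt"
cat "$WORK/subs.txt"
```

With the sample data, subs.txt ends up with five hosts (api, dev, old, www and the apex target.com) and staging.partner-of-target.com is reported on stderr. Matching on the ".target.com" suffix rather than on the substring is the whole point; the same check works for a scope file with several wildcard and exact entries.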
The next thing I do is use automated scanners to find any low-hanging bugs and gather information about the targets.
The Triple N — Nuclei, Nmap, Nikto

Nuclei
cat subs.txt | nuclei

Nmap
nmap -sVC -T4 target.com

Nikto
nikto -host target.com
By now the automated scanners have told you a lot about the tech used on the website, but we still need more information. You can get it using some browser extensions like
or websites like builtwith, whatruns etc.
For Example -
After finding the versions of the tech used, we can search for known vulnerabilities in those versions; if you find one that actually applies to the target (most programs want more than a version number), you can report it.
Next I use some automated scanners to find easy bugs, if present.

1. Subdomain takeover
subzy run --targets alivesubs.txt

2. Broken Link Hijacking
socialhunter -f alivesubs.txt

3. XSS
paramspider -d target.com | qsreplace '"/><script>confirm(1)</script>' | tee xss.txt | while read -r host; do curl --silent --path-as-is --insecure "$host" | grep -qs "<script>confirm(1)" && echo -e "$host \033[0;31mVulnerable\033[0m" || echo -e "$host \033[0;32mNot Vulnerable\033[0m"; done

Next I find the URLs for all the subdomains using tools like waybackurls and gau:
cat alivesubs.txt | waybackurls | tee -a urls.txt
cat urls.txt | httprobe | tee -a aliveurls.txt

Then I search the URLs found for keywords like config, ini and admin using grep:
cat aliveurls.txt | grep config

Google dorking is another very good way to do recon.
I use this website for my Google dorking:
You can just enter your target domain and click the buttons, and it will do the dorking for you.
This is a very interesting method.
Many times people commit sensitive information to their GitHub repositories; we can try to find it using the GitHub search option. For example, if we have kingfisher.com
That's it for this part; the rest will be covered in the next part.
Thank you for reading till the end
Please Consider following and liking if you found it helpful.
Youtube: https://www.youtube.com/channel/UCwkLClGh4CZtWfI-aGv6kIA
You can also support me through: