Recon Methodology

Hi there my self Alan, this is my first blog about the methodolgy that i follow during the recon process. so i am beginner to this bug bounty program. I have gone through some of the most well known bug hunter in this field on their methods tools etc. So from that knowledge and my own experience in this recon i am sharing with you guys.

So as far we’ll choose a target web app from the platform hackerone, bug crowd etc you can choose from any VDP sites. This is a confusing stage for a beginner so from my side going for a govt web will be much better. so without any further delay we can start.

The target is abc.com so we got the domain now from there we need to check the details of the domain like the ip address name servers mail servers etc for that we can use tools such as NSLOOKUP , DNSRECON , WHOIS this are the common tools that i have used in the program. So now we have the information of the domain , if you need any additional information of the domain use Shodan web or tool for it. afterwards i go for the SSL/TLS certificates, using QUALYS can help you with this it’s important to know the target strength of the communication. from there rather going for subdomains i go for the acquisition of the company this will help very well in the coming sections. so use CRUNCHBASE for this , from there subdomains finding you can do it through active or in passive way i do it on both the ways like using SUBLIST3R ,SUBFINDER etc . nowadays i’m using subdomainfinder website it’s a passive way of getting the subdomain. so getting from there i need to know whether the domain is alive for the purpose using HTTPX or automation tools by our self will help . Screenshots will help you to so this called as visual recon. Finding directories is the next task so this can be done by brute forcing the directory DIRB , DIRBUSTER are the tool i have used. in dirbuster go for recursive you’ll get more dircetory. So choosing one subdomain and doing the test will be much better cause the main domain will be always difficult to break . Use same thing that done on the domain in directory part , also using nmap you can find what are the services that are running in the web app. Shodan and censys are also a good platform you can always relay on it’ll also say you the services that are running on the webapp. So this is a basic level recon that you can refer during your bug bounty learning i am also researching for new methods and tools if i got it i’ll post it in the upcoming blogs. So that’s all about the methodology.