2. Context is everything
● Recon is an iterative process
● Recon depends on the bug bounty program
● Recon depends on the scope (limitations)
3. Finding domains in scope
● Whois lookup
● Google search site:whois.* inurl:domain.com “org: Domain”
● Hurricane Electric (bgp.he.net)
● Shodan/Censys.io
● Acquisitions (crunchbase.com)
● Current and historic databases, documents, leaks and investigations (aleph.occrp.org)
● Website profiler, lead generation, competitive analysis and business intelligence tools (builtwith.com)
● IP ranges -> reverse dns -> domains/subdomains
● Domain search engines (whoxy.com)
● Online scanning tools kaeferjaeger.gay
● SSL Certificate info
● Crawling the known domains/subdomains (Acunetix Discovery)
● https://dns.coffee/
● Amass (https://github.com/owasp-amass/amass) `amass intel -org 'Netflix'`
● Github
4. Finding subdomains
● Existing tools: subfinder/sublist3r/amass
● Brute force subdomain scanner
● Crawling the known domains/subdomains that belong to same organization
● https://crt.sh/?q=domain.com
● https://securitytrails.com/list/apex_domain/domain.com
● https://www.shodan.io/search?query=ssl.cert.subject.CN%3Adomain.com
● Censys.io
● https://lab.dynamite.ai/ (search in public pcap files)
● Github
● Google/Bing search ‘site:domain.com’
● IP ranges -> reverse DNS
● https://github.com/iamthefrogy/frogy
● https://github.com/Cyber-Guy1/domainCollector
5. Cleaning
● Clean subdomains by same IP (keep max 1 to 3 subdomains that have same IP - with exceptions)
● Check the wildcard subdomains if it makes sense to continue with some of them
● Sort|uniq
● Grab screenshots or other techniques to group similar subdomains together to remove duplicate content
● Subdomains that don’t resolve to (a public) IP - separate from the main list, but keep it
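The cleaning steps above as one script (an added example, not from these notes): it deduplicates case-insensitively, keeps at most N hosts per public IP with an always-keep exception list, and sets aside anything that does not resolve to a public address instead of dropping it. The resolver is injected so the script runs offline on constructed sample data; for a real run, swap in `socket.gethostbyname` or a DNS library.

```python
import ipaddress
from collections import defaultdict
from typing import Callable, Iterable, Optional

# Constructed sample answers: hostname -> resolved IP, None = does not resolve.
# The public address is a sample value; a real run replaces sample_resolver.
SAMPLE_DNS = {
    "www.example.com": "93.184.216.34",
    "blog.example.com": "93.184.216.34",
    "shop.example.com": "93.184.216.34",
    "cdn.example.com": "93.184.216.34",
    "api.example.com": "93.184.216.34",
    "intranet.example.com": "10.0.0.5",   # resolves, but not to a public IP
    "old.example.com": None,              # does not resolve at all
}


def sample_resolver(host: str) -> Optional[str]:
    return SAMPLE_DNS.get(host)


def clean_subdomains(hosts: Iterable[str],
                     resolve: Callable[[str], Optional[str]],
                     max_per_ip: int = 3,
                     always_keep: Iterable[str] = ()):
    """Return (kept, set_aside): the trimmed main list, and the hosts that
    did not resolve to a public IP, kept in a separate list."""
    always_keep = {h.strip().lower() for h in always_keep}
    # sort | uniq, with case folding so WWW.x and www.x collapse
    unique = sorted({h.strip().lower() for h in hosts if h.strip()})
    per_ip = defaultdict(list)
    set_aside = []
    for host in unique:
        ip = resolve(host)
        if ip is None or not ipaddress.ip_address(ip).is_global:
            set_aside.append(host)
            continue
        per_ip[ip].append(host)
    kept = []
    for group in per_ip.values():
        # exceptions are always kept and count toward the per-IP budget
        exceptions = [h for h in group if h in always_keep]
        others = [h for h in group if h not in always_keep]
        kept.extend(exceptions + others[:max(0, max_per_ip - len(exceptions))])
    return sorted(kept), set_aside
```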
6. Optional but useful: Continuous asset monitoring
Advantages: some assets (domains, subdomains, ports) might be exposed only at certain times (batch jobs, deploys, test/UAT/staging/QA environments) and might have lower security, exposing sensitive data
Disadvantages: could be costly to implement
7. Port scanning
Nmap - main tool
cat subdomains.txt | httpx -o subdomains_live.txt
naabu -list subdomains.txt -top-ports 1000 -exclude-port 80,443,21,22,25 -o ports.txt
Some public/paid online websites keep up-to-date port data
13. One bug found -> scan all your BB subdomains
● Keep a large list of subdomains/urls for multiple BB (preferably a database)
● Once you find a bug, scan all the urls for the same bug
● This can work out to find your favourite next bounty program
15. Scanner tips
● Feed previous gathered endpoints for a target to the scanner, not only the base url
● Combine tools: Use Acunetix/nuclei/ZAP via Burp Proxy/Fiddler with match/replace
● Intercept mobile app traffic, feed the scanner those requests
● Parse pcap public files for requests, feed the scanner
● Intercept SmartTV network traffic, feed the scanner