Uploaded byEusebiuDanielBlindu
PDF, PPTX583 views

Bug bounty recon.pdf

This document provides tips and techniques for reconnaissance during a bug bounty program. It discusses researching domains and subdomains using tools like Whois lookups, Shodan, Censys, and Amass. It also covers finding additional subdomains, port scanning, collecting URLs, searching for backups and source code, parameter mining, and tips for using scanners more effectively. The goal is to iteratively expand the scope of testing to uncover vulnerabilities.

Embed presentation

Download as PDF, PPTX
Bug bounty recon @blindu_ch https://www.blindu.ch Eusebiu Daniel Blindu
Context is everything ● Recon is an iterative process ● Recon depends on the bug bounty program ● Recon depends of the scope (limitation)
Finding domains in scope ● Whois lookup ● Google search site:whois.* inurl:domain.com “org: Domain” ● Hurricane Electric (bgp.he.net) ● Shodan/Censys.io ● Acquisitions (crunchbase.com) ● Current and historic databases, documents, leaks and investigations (aleph.occrp.org) ● Website profiler, lead generation, competitive analysis and business intelligence tools (builtwith.com) ● IP ranges -> reverse dns -> domains/subdomains ● Domain search engines ( whoxy.com ) ● Online scanning tools kaeferjaeger.gay ● SSL Certificate info ● Crawling the known domains/subdomains (Acunetix Discovery) ● https://dns.coffee/ ● Amass (https://github.com/owasp-amass/amass ) `amass intel -org 'Netflix'` ● Github
Finding subdomains ● Existing tools: subfinder/sublist3r/amass ● Brute force subdomain scanner ● Crawling the known domains/subdomains that belong to same organization ● https://crt.sh/?q=domain.com ● https://securitytrails.com/list/apex_domain/domain.com ● https://www.shodan.io/search?query=ssl.cert.subject.CN%3Adomain.com ● Censys.io ● https://lab.dynamite.ai/ (search in public pcap files) ● Github ● Google/Bing search ‘site:domain.com’ ● IP ranges -> reverse DNS ● https://github.com/iamthefrogy/frogy ● https://github.com/Cyber-Guy1/domainCollector
Cleaning ● Clean subdomains by same IP (keep max 1 to 3 subdomains that have same IP - with exceptions) ● Check the wildcard subdomains if it makes sense to continue with some of them ● Sort|uniq ● Grab screenshots or other techniques to group similar subdomains together to remove duplicate content ● Subdomains that don’t resolve to (a public) IP - separate from the main list, but keep it
Optional but userful: Continuous asset monitoring Advantages: Some assets(domains, subdomains, ports) might be open at certain times (batch jobs, deploys, test/UAT/staging/QA environments) - and might have lower security, exposing sensitive data Disadvantages: could be a costly implementation
Port scanning Nmap - main tool cat subdomains.txt | httpx -o subdomains_live.txt naabu -list subdomains.txt -top-ports 1000 -exclude-port 80,443,21,22,25 -o ports.txt Some public/paid online websites have ports up to datte
Collecting URL endpoints ● Tools: waybackurls, gau ● Websites: urlscan.io, web.archive.org ● Google/Bing dorking site:domain.com ● Crawling: Scanners (Burp Suite crawl, Acunetix) hakrawler, Xenu ● Brute force: ffuf,dirbuster ● Javascript .js file source code ● Github ● Android/iOS mobile app ● Desktop app ● Public pcap files (lab.dynamite.ai)
Search backup/source code files For https://subdomain.domain.com/ search for: ● https://subdomain.domain.com/subdomain.zip , https://subdomain.domain.com/subdomain.tar.gz, ● https://subdomain.domain.com/domain.zip, https://subdomain.domain.com/domain.tar.gz ● https://subdomain.domain.com/subdomain/subdomain.zip, https://subdomain.domain.com/subdomain/subdomain.tar.gz ● https://subdomain.domain.com/domain/domain.zip, https://subdomain.domain.com/domain/domain.tar.gz
Parameter mining ● Arjun ● ParamSpider ● Param-Miner (Burp) ● Also ffuf can be used too for param discovery
Leaks finding ● gist.github.com ● Gitlab.com ● site: docs.google.com/spreadsheets “company name” ● Site: groups.google.com/ “company name” ● Javascript files .js ● android/iOS source code ● Pcap uploaded by mistake publicly https://lab.dynamite.ai/
One bug found -> scan all your BB subdomains ● Keep a large list of subdomains/urls for multiple BB (preferable a database) ● Once you find a bug, scan all the urls for the same bug ● This can work out to find your favourite next bounty program
HTTP headers - manipulation ● Burp Proxy match/replace functionality ● Blind XSS/Log4Shell - UserAgent/Referal headers ● Modify response code ● Check for reverse proxy `GET https://burpcollab HTTP/1.1`
Scanner tips ● Feed previous gathered endpoints for a target to the scanner, not only the base url ● Combine tools: Use Acunetix/nuclei/ZAP via Burp Proxy/Fiddler with match/replace ● Intercept mobile app traffic , feed the scanner those requests ● Parse pcap public files for requests, feed the scanner ● Intercept SmartTV network traffic feed the scanner
Thank you! @blindu_ch https://www.blindu.ch Eusebiu Daniel Blindu

More Related Content

PDF
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
PPTX
Recon and Bug Bounties - What a great love story!
byAbhijeth D
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PPTX
網頁安全 Web security 入門 @ Study-Area
byOrange Tsai
 
PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
PPTX
Bug bounty
byn|u - The Open Security Community
 
PDF
I Have the Power(View)
byWill Schroeder
 
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
Recon and Bug Bounties - What a great love story!
byAbhijeth D
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
網頁安全 Web security 入門 @ Study-Area
byOrange Tsai
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
Bug bounty
byn|u - The Open Security Community
 
I Have the Power(View)
byWill Schroeder
 

What's hot

PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
PDF
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PPTX
password cracking using John the ripper, hashcat, Cain&abel
byShweta Sharma
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PPTX
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
bySoroush Dalili
 
PDF
Hashicorp Vault: Open Source Secrets Management at #OPEN18
byKangaroot
 
PDF
Bug Bounty Secrets
byn|u - The Open Security Community
 
PPTX
Learn to pen-test with OWASP ZAP
byPaul Ionescu
 
PDF
REST API Pentester's perspective
bySecuRing
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class
byCODE WHITE GmbH
 
PDF
Bug bounty null_owasp_2k17
bySagar M Parmar
 
PDF
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
PPTX
Deep dive into ssrf
byn|u - The Open Security Community
 
PDF
Offzone | Another waf bypass
byДмитрий Бумов
 
PDF
DNS exfiltration using sqlmap
byMiroslav Stampar
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PPTX
Nguyen phuong truong anh a story of bug bounty hunter
bySecurity Bootcamp
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
password cracking using John the ripper, hashcat, Cain&abel
byShweta Sharma
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
Attacking thru HTTP Host header
bySergey Belov
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
bySoroush Dalili
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
byKangaroot
 
Bug Bounty Secrets
byn|u - The Open Security Community
 
Learn to pen-test with OWASP ZAP
byPaul Ionescu
 
REST API Pentester's perspective
bySecuRing
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
byCODE WHITE GmbH
 
Bug bounty null_owasp_2k17
bySagar M Parmar
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
Deep dive into ssrf
byn|u - The Open Security Community
 
Offzone | Another waf bypass
byДмитрий Бумов
 
DNS exfiltration using sqlmap
byMiroslav Stampar
 
Attacker's Perspective of Active Directory
bySunny Neo
 
Nguyen phuong truong anh a story of bug bounty hunter
bySecurity Bootcamp
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 

Similar to Bug bounty recon.pdf

PDF
Recon for Bug Bounty by Agnibha Dutta.pdf
bynull - The Open Security Community
 
PPTX
Recon like a pro
byNirmalthapa24
 
PDF
Recon-Fu @BsidesKyiv 2016
byVlad Styran
 
PDF
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
byVarun Mithran
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PPTX
Tool presentation - Recon-Lit
byn|u - The Open Security Community
 
PPTX
Recon in Pentesting
byKomal Armarkar
 
PPTX
Saying Hello to Bug Bounty
byNull Bhubaneswar
 
PDF
Reconnaissance not always about resources
byidsecconf
 
PPTX
Reconnaissance - For pentesting and user awareness
byLeon Teale
 
PDF
BugBounty Roadmap with Mohammed Adam
byMohammed Adam
 
PPTX
HackerOne X IoT Lab Bug Bounty 101 with Encryptsaan & IoT Lab at KIIT Univers...
bykumarpriyanshu81
 
PDF
The Web Application Hackers Toolchain
byjasonhaddix
 
PPTX
Bug bounties - cén scéal?
byCiaran McNally
 
PDF
Recon
byUTD Computer Security Group
 
PDF
Black hat usa_2015-bypass_surgery-6_aug2015
bya4202655
 
DOCX
Backtrack Manual Part5
byNutan Kumar Panda
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
Owasp modern information gathering
byKZA
 
PDF
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
byOntico
 
Recon for Bug Bounty by Agnibha Dutta.pdf
bynull - The Open Security Community
 
Recon like a pro
byNirmalthapa24
 
Recon-Fu @BsidesKyiv 2016
byVlad Styran
 
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
byVarun Mithran
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Tool presentation - Recon-Lit
byn|u - The Open Security Community
 
Recon in Pentesting
byKomal Armarkar
 
Saying Hello to Bug Bounty
byNull Bhubaneswar
 
Reconnaissance not always about resources
byidsecconf
 
Reconnaissance - For pentesting and user awareness
byLeon Teale
 
BugBounty Roadmap with Mohammed Adam
byMohammed Adam
 
HackerOne X IoT Lab Bug Bounty 101 with Encryptsaan & IoT Lab at KIIT Univers...
bykumarpriyanshu81
 
The Web Application Hackers Toolchain
byjasonhaddix
 
Bug bounties - cén scéal?
byCiaran McNally
 
Recon
byUTD Computer Security Group
 
Black hat usa_2015-bypass_surgery-6_aug2015
bya4202655
 
Backtrack Manual Part5
byNutan Kumar Panda
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
Owasp modern information gathering
byKZA
 
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
byOntico
 

Recently uploaded

PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
final.pdf
byomarbishtawi04
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
final.pdf
byomarbishtawi04
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
apidays New York 2025 | AI in Application Security
byapidays
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 

Bug bounty recon.pdf

  • 1.
  • 2.
    Context is everything ●Recon is an iterative process ● Recon depends on the bug bounty program ● Recon depends of the scope (limitation)
  • 3.
    Finding domains inscope ● Whois lookup ● Google search site:whois.* inurl:domain.com “org: Domain” ● Hurricane Electric (bgp.he.net) ● Shodan/Censys.io ● Acquisitions (crunchbase.com) ● Current and historic databases, documents, leaks and investigations (aleph.occrp.org) ● Website profiler, lead generation, competitive analysis and business intelligence tools (builtwith.com) ● IP ranges -> reverse dns -> domains/subdomains ● Domain search engines ( whoxy.com ) ● Online scanning tools kaeferjaeger.gay ● SSL Certificate info ● Crawling the known domains/subdomains (Acunetix Discovery) ● https://dns.coffee/ ● Amass (https://github.com/owasp-amass/amass ) `amass intel -org 'Netflix'` ● Github
  • 4.
    Finding subdomains ● Existingtools: subfinder/sublist3r/amass ● Brute force subdomain scanner ● Crawling the known domains/subdomains that belong to same organization ● https://crt.sh/?q=domain.com ● https://securitytrails.com/list/apex_domain/domain.com ● https://www.shodan.io/search?query=ssl.cert.subject.CN%3Adomain.com ● Censys.io ● https://lab.dynamite.ai/ (search in public pcap files) ● Github ● Google/Bing search ‘site:domain.com’ ● IP ranges -> reverse DNS ● https://github.com/iamthefrogy/frogy ● https://github.com/Cyber-Guy1/domainCollector
  • 5.
    Cleaning ● Clean subdomainsby same IP (keep max 1 to 3 subdomains that have same IP - with exceptions) ● Check the wildcard subdomains if it makes sense to continue with some of them ● Sort|uniq ● Grab screenshots or other techniques to group similar subdomains together to remove duplicate content ● Subdomains that don’t resolve to (a public) IP - separate from the main list, but keep it
  • 6.
    Optional but userful:Continuous asset monitoring Advantages: Some assets(domains, subdomains, ports) might be open at certain times (batch jobs, deploys, test/UAT/staging/QA environments) - and might have lower security, exposing sensitive data Disadvantages: could be a costly implementation
  • 7.
    Port scanning Nmap -main tool cat subdomains.txt | httpx -o subdomains_live.txt naabu -list subdomains.txt -top-ports 1000 -exclude-port 80,443,21,22,25 -o ports.txt Some public/paid online websites have ports up to datte
  • 8.
    Collecting URL endpoints ●Tools: waybackurls, gau ● Websites: urlscan.io, web.archive.org ● Google/Bing dorking site:domain.com ● Crawling: Scanners (Burp Suite crawl, Acunetix) hakrawler, Xenu ● Brute force: ffuf,dirbuster ● Javascript .js file source code ● Github ● Android/iOS mobile app ● Desktop app ● Public pcap files (lab.dynamite.ai)
  • 9.
    Search backup/source codefiles For https://subdomain.domain.com/ search for: ● https://subdomain.domain.com/subdomain.zip , https://subdomain.domain.com/subdomain.tar.gz, ● https://subdomain.domain.com/domain.zip, https://subdomain.domain.com/domain.tar.gz ● https://subdomain.domain.com/subdomain/subdomain.zip, https://subdomain.domain.com/subdomain/subdomain.tar.gz ● https://subdomain.domain.com/domain/domain.zip, https://subdomain.domain.com/domain/domain.tar.gz
  • 10.
    Parameter mining ● Arjun ●ParamSpider ● Param-Miner (Burp) ● Also ffuf can be used too for param discovery
  • 12.
    Leaks finding ● gist.github.com ●Gitlab.com ● site: docs.google.com/spreadsheets “company name” ● Site: groups.google.com/ “company name” ● Javascript files .js ● android/iOS source code ● Pcap uploaded by mistake publicly https://lab.dynamite.ai/
  • 13.
    One bug found-> scan all your BB subdomains ● Keep a large list of subdomains/urls for multiple BB (preferable a database) ● Once you find a bug, scan all the urls for the same bug ● This can work out to find your favourite next bounty program
  • 14.
    HTTP headers -manipulation ● Burp Proxy match/replace functionality ● Blind XSS/Log4Shell - UserAgent/Referal headers ● Modify response code ● Check for reverse proxy `GET https://burpcollab HTTP/1.1`
  • 15.
    Scanner tips ● Feedprevious gathered endpoints for a target to the scanner, not only the base url ● Combine tools: Use Acunetix/nuclei/ZAP via Burp Proxy/Fiddler with match/replace ● Intercept mobile app traffic , feed the scanner those requests ● Parse pcap public files for requests, feed the scanner ● Intercept SmartTV network traffic feed the scanner
  • 16.