RECON
Whoami
Security Enthusiast
Bug Bounty Hunter
Linux Lover
About me : https://about.me/komal_armarkar
● RECON methodology can be different for every pentester
● This methodology might be helpful
BUT
YOU CAN HAVE YOUR OWN !!!
Medico Inc, HealthCare Vendor
Reference : Talk by Abhijeth Dugginapeddi - DEF CON 25 Recon Village
Reverse WHOIS
Reverse IP
Subdomain Discovery
Tools Used :
Brutesubs
Sublist3r
SubBrute
Knockpy
Recon-ng modules
Sub Bruting
Recursively brute forcing the sub-domains already found, to discover deeper levels
i.e. to find names like dd1.ebc.th1.website.com
Refer : https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
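The recursive brute force described on this slide, as an added example written for this page (it is not one of the tools listed above). Every name that resolves becomes a new parent to brute force, which is how dd1.ebc.th1.website.com is reached at depth 3. The resolver is injectable: `dns_resolves` does real DNS lookups, while the constructed `FAKE_ZONE` below lets the logic run offline. The wildcard check is the caveat a practitioner wants here: under a wildcard DNS record every candidate "resolves", so the script skips such parents instead of reporting noise.

```python
"""Recursive sub-domain brute forcing with a wildcard guard (added example)."""
import secrets
import socket
from typing import Callable, Iterable, List, Set

# A resolver answers: does this hostname resolve to an address?
Resolver = Callable[[str], bool]


def dns_resolves(hostname: str) -> bool:
    """Real resolver (needs network): True if the name has an A record."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def has_wildcard(parent: str, resolves: Resolver) -> bool:
    """If a random label under `parent` resolves, *.parent is a wildcard record."""
    probe = f"{secrets.token_hex(8)}.{parent}"
    return resolves(probe)


def brute_subdomains(domain: str, wordlist: Iterable[str],
                     resolves: Resolver = dns_resolves, max_depth: int = 3) -> List[str]:
    """Breadth-first recursion: depth 1 finds th1.website.com, depth 2
    ebc.th1.website.com, depth 3 dd1.ebc.th1.website.com."""
    words = sorted({w.strip().lower() for w in wordlist if w.strip()})
    found: List[str] = []
    seen: Set[str] = set()
    frontier = [domain]
    for _depth in range(max_depth):
        next_frontier: List[str] = []
        for parent in frontier:
            if has_wildcard(parent, resolves):
                continue  # everything under a wildcard "resolves"; results would be noise
            for word in words:
                candidate = f"{word}.{parent}"
                if candidate in seen:
                    continue
                seen.add(candidate)
                if resolves(candidate):
                    found.append(candidate)
                    next_frontier.append(candidate)  # recurse into this name next round
        if not next_frontier:
            break
        frontier = next_frontier
    return found


# Constructed zone used for an offline run; replace with resolves=dns_resolves for real DNS.
FAKE_ZONE = {"th1.website.com", "ebc.th1.website.com",
             "dd1.ebc.th1.website.com", "www.website.com"}

if __name__ == "__main__":
    names = brute_subdomains("website.com", ["www", "th1", "ebc", "dd1", "mail"],
                             resolves=lambda h: h in FAKE_ZONE)
    for name in names:
        print(name)
```

Keep `max_depth` small on real domains: the candidate count grows as wordlist size times the number of names found at the previous level.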
Port Scanning
Visual Identification
● Many times a company opens a sub-domain but there is no web page on it;
the sub-domain just redirects to the main domain.
● This can be checked by opening the sub-domain in the browser.
● But it is impractical to check so many sub-domains in the browser by hand.
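A way to sort a large list of sub-domains before opening any of them, as an added example not from the slides: one request per host without following redirects, then a label per host (live page, redirect to the main domain, redirect elsewhere, HTTP error, unreachable). Only the "live" hosts are worth a screenshot. `http_probe` does real HTTP; the `FAKE_RESULTS` table is constructed so the classification runs offline.

```python
"""Triage sub-domains by HTTP behaviour before visual identification (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# (HTTP status, Location header or None); a bare None means no HTTP answer at all.
ProbeResult = Optional[Tuple[int, Optional[str]]]
Prober = Callable[[str], ProbeResult]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so we can see where each host points."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(host: str, timeout: float = 5.0) -> ProbeResult:
    """Real prober (needs network): one GET over HTTPS, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"https://{host}/", timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout
        return None


def classify(host: str, main_domain: str, result: ProbeResult) -> str:
    """Label one host: live, redirect-to-main, redirect-elsewhere, error-NNN or unreachable."""
    if result is None:
        return "unreachable"
    status, location = result
    if 300 <= status < 400:
        target = urlsplit(location or "").hostname  # relative Location -> None
        if target is None or target == host:
            return "live"  # redirect within the same host, e.g. / -> /login
        if target in (main_domain, f"www.{main_domain}"):
            return "redirect-to-main"  # the parked sub-domain case from the slide
        return "redirect-elsewhere"
    if 200 <= status < 300:
        return "live"
    return f"error-{status}"


def triage(hosts: Iterable[str], main_domain: str, probe: Prober = http_probe) -> Dict[str, str]:
    """Probe every host once and return host -> label."""
    return {host: classify(host, main_domain, probe(host)) for host in hosts}


def worth_screenshot(labels: Dict[str, str]) -> List[str]:
    """Hosts that actually serve a page and deserve a screenshot."""
    return sorted(host for host, label in labels.items() if label == "live")


# Constructed probe results for an offline run; use probe=http_probe against real hosts.
FAKE_RESULTS: Dict[str, ProbeResult] = {
    "app.website.com": (200, None),
    "old.website.com": (301, "https://website.com/"),
    "beta.website.com": (302, "/login"),
    "shop.website.com": (301, "https://shop.vendor-example.net/"),
    "dead.website.com": None,
    "admin.website.com": (403, None),
}

if __name__ == "__main__":
    labels = triage(FAKE_RESULTS, "website.com", probe=lambda h: FAKE_RESULTS[h])
    for host, label in labels.items():
        print(f"{host:20} {label}")
    print("screenshot:", worth_screenshot(labels))
```

Hosts labelled redirect-elsewhere are worth a second look on their own: a sub-domain pointing at a third-party service is the classic dangling-record situation a defender wants in the asset inventory.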
Github Recon
Refer : https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21
https://gist.github.com/EdOverflow/7b5057fbef258476fc181d5c8688e11a
Google Dork Recon
Google Dork for finding public AWS Bucket
Refer : https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21
Content Discovery
Directory Brute Forcing
Tools for Directory Brute Forcing and Content Discovery
Gobuster
BurpSuite Content Discovery
DirBuster - discovering hidden directories
Wfuzz - Discovering hidden files
[ NOTE : Content discovery and brute forcing require good wordlists, which are
available in SecLists / RAFT / DIGGER wordlists ]
Finding JS Endpoints
The Wayback Machine is an Internet archive, located at
http://archive.org/web/. It’s a collection of more than 349
billion snapshots of web pages saved over time.
Old snapshots of the target's pages can reveal things like:
● old forgotten endpoints
● interesting JS files
● sensitive information
● vulnerabilities that do not exist anymore on the site,
like URLs which were vulnerable to directory listing
and reveal interesting files
Refer : https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288
https://pentester.land/podcast/2019/03/01/the-bug-hunter-podcast-02.html
● LinkFinder Tool
● BurpSuite Tool ( Pro ) → Engagement Tools → Find Scripts
● BurpSuite Tool → Spider → Search for only ".js" files
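The two steps above, pulling archived JS URLs from the Wayback Machine and then mining the scripts for endpoints, as one added example written for this page (not LinkFinder or Burp code). `cdx_js_query` builds a request to the public CDX API (the parameter names used are the documented ones as I know them, treat them as an assumption), `parse_cdx_json` reads its JSON rows and de-duplicates URLs that differ only by query string, and `extract_endpoints` is a simplified LinkFinder-style regex for quoted absolute URLs and root-relative paths. `SAMPLE_CDX` and `SAMPLE_JS` are constructed so everything runs offline; `archived_js_urls` hits the network only when no `fetch` is injected.

```python
"""Archived .js URLs via the Wayback CDX API, then endpoint extraction (added example)."""
import json
import re
import urllib.request
from typing import Callable, List
from urllib.parse import urlencode, urlsplit

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"  # public CDX API; params assumed per its docs


def cdx_js_query(domain: str) -> str:
    """Build the CDX query for every archived URL under the domain whose path ends in .js."""
    params = {
        "url": domain,
        "matchType": "domain",        # include all sub-domains
        "output": "json",
        "fl": "original,timestamp",
        "collapse": "urlkey",         # one row per distinct URL key
        "filter": r"original:.*\.js(\?.*)?",
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx_json(body: str) -> List[str]:
    """CDX JSON is a list of rows, the first row being the header.
    Returns unique URLs with query strings and fragments stripped, in first-seen order."""
    rows = json.loads(body)
    if not rows:
        return []
    col = rows[0].index("original")
    seen, urls = set(), []
    for row in rows[1:]:
        key = urlsplit(row[col])._replace(query="", fragment="").geturl()
        if key not in seen:
            seen.add(key)
            urls.append(key)
    return urls


def _fetch_url(url: str) -> str:
    """Real fetch (needs network)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def archived_js_urls(domain: str, fetch: Callable[[str], str] = _fetch_url) -> List[str]:
    """Query the CDX API for the domain and return the archived .js URLs."""
    return parse_cdx_json(fetch(cdx_js_query(domain)))


# Quoted strings that look like absolute URLs or root-relative paths (simplified LinkFinder idea).
ENDPOINT_RE = re.compile(r"""["'`]((?:https?://|/)[A-Za-z0-9_./?=&%#:-]*[A-Za-z0-9_/])["'`]""")


def extract_endpoints(js_source: str) -> List[str]:
    """Sorted unique endpoint candidates found in JavaScript source."""
    hits = {m.group(1) for m in ENDPOINT_RE.finditer(js_source)}
    return sorted(h for h in hits if re.search(r"[A-Za-z]", h))


# Constructed stand-ins for a CDX response and a fetched script, for the offline run.
SAMPLE_CDX = json.dumps([
    ["original", "timestamp"],
    ["https://www.example.com/static/app.js?v=1", "20190301000000"],
    ["https://www.example.com/static/app.js?v=2", "20200301000000"],
    ["http://old.example.com/js/legacy.js", "20150101000000"],
])
SAMPLE_JS = """
const API = "/api/v1/users";
fetch(API + "/" + id);
fetch('https://api.example.com/internal/export?format=csv');
const img = `/static/logo.png`;
console.log("hello world");
"""

if __name__ == "__main__":
    for url in archived_js_urls("example.com", fetch=lambda _url: SAMPLE_CDX):
        print("archived js:", url)
    for endpoint in extract_endpoints(SAMPLE_JS):
        print("endpoint:", endpoint)
```

The archived URL list and the endpoint list are separate outputs on purpose: an archived script may no longer be served, so each URL should be checked live before its endpoints are trusted, and endpoints found only in old snapshots belong in the recap as "historic".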
RECAP !
-- IPs and SubDomains
● Sub-SubDomains
● Pics of Working Sub-Domains
-- Open ports
-- Services and their versions
-- Google Dork links for the subdomains
-- Github Info for the subdomains
-- Public AWS buckets for SubDomains
-- JS links for the SubDomains
References
https://www.youtube.com/watch?v=NUsJpquFq0Q
https://www.youtube.com/watch?v=vCBAQKLAagA&t=720s
https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21
https://medium.com/@infosecsanyam/bug-bounty-methodology-ttp-tactics-techniques-and-procedures-v-2-0-2ccd9d7eb2e2
https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288
https://pentester.land/podcast/2019/03/01/the-bug-hunter-podcast-02.html
https://portswigger.net/burp/documentation/desktop/functions/search
https://gist.github.com/EdOverflow/7b5057fbef258476fc181d5c8688e11a
Recon in Pentesting