Hi All, So I decide to write about the Love story between Bug Bounties & Recon. First of all I’m not much of an Expert so I’m just sharing my opinion. This blog post will be focusing on recon & where to look for bugs In a Bug Bounty Program, This is not a guide on how to find bugs in a tech sense, but rather a case of tactics you can use to find bugs.
Lets assuming you already know about pentesting, therefore I will not be explaining how to test for vulnerabilities, but rather where to test for them & What things u can use?
This is mainly just a general overview of how someone would map out a target site and efficiently perform reconnaissance to gain as much info on the site as possible before actually beginning their audit. Recon is basically an important part of Penetration Testing.

Competition?

Well Bug Bounty programs are Not very simple you need to remember about bug bounty programs is that there is a lot of competition. when you’re taking part in a bug bounty program, you’re competing against both the security of the site, and also competing against thousands of other people who are taking part in the program. For this reason, it’s important to think critically. This is why passive and active reconnaissance is especially important for bounty programs, as you need to look a lot deeper than you would in a regular pentest.

Importance of Reconnaissance in Pentesting?

Extracting relevant information can play a game changing role in many situations. Extracting this information is pretty simple and somewhat easy. Sometimes recon can go beyond collecting basic information to understand the system and can also identify information which might straight away lead to exploitation, that too sometimes without actually touching the entity being tested. Even after having such significance this phase is not given enough importance and most of the tests focus straight away on exploitation. The key point here is that exploitation is certainly important but performing a thorough recon could prove very helpful in it and also make it easier, faster and stealthier.

Determining the Target?

Ideally you’re going to be wanting to choose a program that has a wide scope. You’re also going to be wanting to look for a bounty program that has a wider range of vulnerabilities within scope. The wider attack surface for the bounty program, and the wider range of vulnerabilities considered valid, then the higher the chance would be of getting a valid payout. After choosing which bounty program you’re going to attempt, the next basic step that would be to map out your attack surface to know more about it.

Time to Map out the target!

Rule No#1 ( That I mostly forgot to follow 😛 and Ended Up messing the day completely) That is properly reading the terms for the bounty and clearly understand which domains are in scope and which forms of vulnerabilities are considered valid reports. Sometimes I forgot to do That and Shit happens :v Submitting things that aren’t within scope of the bounty program, tells the people running the program that you haven’t properly read the terms, and it will lead to them not taking your future reports seriously. I mean Seriously :'(

So Now Before doing any Attack or testing you really need to actively/passively person reconnaissance on your target to effectively map out most of the things you can do to get to know more about your target !

                   “Keep your friends close and your enemies closer?”

So following this phrase i always keep the target closer to my heart xD and Map it out as much as i can 😉 it always give me an idea of how everything is structured & how everything works on the target.

Well i start every program from Taking the information like Whois, Social Accounts,

The larger the scope, the higher the chance of finding a bug. let’s Assume all subdomains are within scope, then one of the first steps would be to enumerate valid subdomains. For That i basically use Different things for that.

The List:

• https://pentest-tools.com/
• https://virustotal.com/
• https://www.shodan.io/
• https://crt.sh/?q=%25taregt.com
• https://dnsdumpster.com/
• https://censys.io
• http://dnsgoodies.com

These are the webs that I Use Everyday 🙂

• https://bitbucket.org/LaNMaSteR53/recon-ng
• https://github.com/michenriksen/aquatone
• https://github.com/aboul3la/Sublist3r
• https://github.com/rbsec/dnscan
• https://github.com/Cleveridge/cleveridge-subdomain-scanner

So now after getting all of the subdomains we should go towards 2nd Step that is That in my opinion is Port scanning. Well We have two methods to that the old fashioned way ( but OLD IS GOLD lol ) that is Running a scan through nmap for limited ports, selected one or maybe 1-50000 God knows what u gonna do 😛

Masscan can also help https://github.com/robertdavidgraham/masscan

The second method that i used many times is using aquatone to scan the subdomains and then use it for scanning the ports you have options to Scan ports like common/large/huge.

It would be best to use aquatone, but ideally you want to be scanning each individual IP address associated with their subdomains and having the output saved to a file, after this look for any services running on unusual ports or any service running on default ports which could be vulnerable (FTP, SSH, etc). You’re also going to want to look for the version info on services running in order to determine whether anything is outdated and potentially vulnerable. it takes Time but it also gives results 😉

Also Just don’t get limited to Subdomains Try extracting vhosts 🙂 tools like

• https://pentest-tools.com/information-gathering/find-virtual-hosts
• https://github.com/jobertabma/virtual-host-discovery

Planing to Move faster try https://github.com/ChrisTruncer/EyeWitness 🙂

or maybe

httpscreenshot https://github.com/breenmachine/httpscreenshot/

You should make notes during the recon to avoid confusion. Take them in whatever manner you want, but since participation in bug bounty programs involves mainly black box testing, it is really important to get a feel of how the site is structured and to map it all out in order to be able to efficiently find bugs.

Well that’s just the basic you might want to look at the headers to see which security options are in place, for example looking for presence of X-XSS-Protection: or X-Frame-Options: deny. Knowing what security measures are in place means you know your limitations. also look out for WAFs and i suggest you can use WafW00f for that

• https://github.com/sandrogauci/wafw00f (WAFW00F identifies and fingerprints Web Application Firewall (WAF) products.)

Also u should also be looking for any information disclosure and laso sometimes for Dir listing or maybe dir scanning can help for other stuff you can use Dirbuster

• https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

Burp Suite, spider is going to be your best friend.  Just make sure that your scope is set correctly so that you’re not wasting time spidering unneeded domains.  Also, intruder is completely necessary for directory brute-forcing.  Download the https://github.com/danielmiessler/SecLists repository, which has plenty of lists to discover content across multiple platforms.  If you have Burp Suite Pro, I highly recommend utilizing the Reflector extension.  This will show you any parameters that are reflected into the responses as Burp is spidering.

use robots.txt to determine the directories which may contain useful info, look for the disallow rules.

Also spider the host for API endpoints 😉 and Make notes lol

wappalyzer can be good to use for Checking CMS 🙂

extracting S3 buckets during recon is Really nice idea, look for them manually or use Tools Like.

• https://github.com/yasinS/sandcastle
• https://digi.ninja/projects/bucket_finder.php

Well Basically when i’m done with this stuff, I make Notes with name of subdomain/IP or domain.

Mostly My stepwise notes typically contains:

• Whois Information
• Subdomains
• Dir info
• S3 Buckets
• social accounts
• API Endpoints
• emails
• Vhosts
• Backend IP address
• Open Ports / Services running
• Service version info (if applicable)
• server banners
• directory listings
• presence security headers
• WAF (+ WAF type)

Well After this I start Making and capturing requests and responses of all types, accepted user inputs (GET/POST/COOKIES), and Other Points.

Also Don’t forget your best friend Google :p Use google Dorks U can make your own or use make by others 😉

Try it out

• https://pentest-tools.com/information-gathering/google-hacking
• https://github.com/1N3/Goohak/
• https://github.com/ZephrFish/GoogD0rker/

wanna construct your own? Have a Look at https://support.google.com/websearch/answer/2466433?hl=en

Make sure to spend as much time as possible performing recon, until you have a pretty good feel of how the site operates,

There are even occasions where passive recon can lead to some important information Disclosure. i.e. searching github or pastebin for the company name and stumbling across some random source that ended up online after some sloppy dev wrote it.

For that I would prefer

• https://github.com/1N3/Sn1per (for web)
• https://github.com/michenriksen/gitrob (for github)
• https://github.com/dxa4481/truffleHog
• https://github.com/IOActive/RepoSsessed
• https://github.com/anshumanbh/git-all-secrets

I got some good reports payouts using these 🙂

Don’t forget to look deep into Js files well manually you will love it But time saving is the goal so try using tools like

• https://github.com/jobertabma/relative-url-extractor

also One of the best thing is To look for older content that can give u ideas of site structure or maybe vuln endpoints 😉 For that use

• https://web.archive.org/
• https://gist.github.com/mhmdiaa/2742c5e147d49a804b408bfed3d32d07
• https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050

maybe reversewhois lookup will help to discover more potential targetes but make sure that they are in scope

• http://viewdns.info/reversewhois/?q=

Alright, so then there’s this thing called PunkSpider. (https://www.punkspider.org) “It is a global web application vulnerability search engine. Don’t get too excited though.

PunkSpider is pretty cool to play around with, but it’s not much in-depth. You also can’t use wildcards in your searches, making it a pain to search for multiple sub-domains. But there’s no harm in taking a few minutes to look around. Who knows, maybe you’ll get lucky?

Well That’s almost everything I do During recon & before starting actual Bug Bounty hunting! So Hope i didn’t missed anything for the basic recon i perform… But to help a Bit more Look into these Bug Bounty reference. Sometimes u got lucky enough to Find the same bug that has been reported before in different Bug Bounty Preogram.