Reconnaisance for Bug Bounty Hunting

Manish Basnet
5 min readOct 12, 2022

--

reconnaissance for bug bounty hunting | bug bounty | web security | recon
Photo by Ali Bakhtiari on Unsplash

Remember the days, when you had looked at weather or weather app and prepared yourself for that weather condition on that day. Suppose you saw it will rain today on weather app , so if you are going outside from your home you will carry your umbrella or raincoat to not be affected by rain.

Similarly in bug bounty hunting or web vulnerability testing, you need to look ,research about the target website and prepare yourself for that condition. Suppose the site you are attacking is made on php then you need to look for old php version CVE. There is no sense in looking for nodejs CVE for php website. So you may have question, how do i know about the language,technology,subdomain the website is using?

Well, that is what we are going to discuss on this article. We can know about the tech stack, its network, subdomain, languages used by the target website by doing reconnaissance.

Introduction to reconnaissance

Reconnaissance is the process/methodology of gathering the information as much as you can about target website .Reconnaissance is the first step you should do before attacking any website. Reconnaissance separates good hacker from great ones. If you see famous bug bounty hunters articles/interview, they mostly mention that because of reconnaissance only they were able to find many website bugs . Reconnaissance help in increasing your attack surface massively. Suppose you have given a website domain to attack on,

https://victimsite.com/

You can see you have got only one main domain to attack on, so your attack surface is small.But what if we can enumerate more subdomain of this domain, if we can do so our attack surface will be larger. That’s why reconnaissance is crucial .

How to perform Reconnaissance

Everyone have their own way of doing reconnaissance. Here, I am going to show you how great hackers like hakuluke, tomnomnom, jason haddix perform their reconnaisance.

Port Scanning

The first thing to do when you are given a website to test on is to look for any juicy ports are open or not. You need to do port scanning by nmap(recommended).

$ nmap -sC -sV targetwebsite.com

Here, targetwebsite.com is the website we are targeting. `-sC` flag is for using default script of nmap and `-sV` is for probing open ports to determine service/version information. To learn more about nmap, visit https://nmap.org/.

If you find any juicy port is open which should not be , then you can look for that service version CVE.

Subdomain enumeration

Subdomain enumeration is the process of finding the subdomain of the target domain.To do subdomain some popular tools are :

Amass

Amass tool developed by OWASP can be the only one tool you need to subdomain enumeration.Beside subdomain enumeration it have got many other use cases too.But for us main focus is subdomain enumeration.

$ amass enum -d targetwebsite.com

You can also provide other flag like ` -active ` for doing active reconnaissance where there is higher chance of blocking of your ip address because your system will send the packets to the target server. ` -passive` is the by default flag used in amass where there is less or no chance of blocking or sending packets to target server.

$ amass enum -active targetwebsite.com$ amass enum -passive targetwebsite.com

If you want to save it in a file , then there are many approaches but i mostly save those subdomain in a file by using a tee command. So the above code will be like:

$ amass enum targetwebsite.com | tee -a  subdomains.txt

In the above command all we are doing is piping the output of amass into subdomains.txt . The flag ` -a ` will append the amass output in the subdomains.txt instead of overwriting it .

Check if subdomain are online or not

After doing subdomain enumeration you will get hundreds and thousand of subdomain,it will be hectic for one to go through all subdomain and check if they are available or not. So, to automate this process, there are some great tools like:

EyeWitness

EyeWitness captures the screenshot of all the subdomain and outputs in a folder . Simply,it will crawl through every subdomain and takes screenshot of it.

$ ./EyeWitness.py -f subdomains.txt — web

EyeWitness will expect a domain or a file consiting of domains. Here we are giving it a subdomains.txt file which we received from above subdomain enumeration. ` — web ` flag means that we are telling eyewitness that the subdomains should be treated and website.

Aquatone

Aquatone tool is similar to the eyewitness tool which gives you visual of the domains by taking its screenshot.

$ cat subdomains.txt | aquatone -out ~/aquatone/targetwebsite.com

Here we are piping the subdomains file to aquatone for it to take screenshot and save the output in the ~/aquatone/targetwebite.com

Directory/endpoint bruteforcing

The next step of reconnaissance is to look all the endpoints the domain and subdomain have got, hidden files and hidden directory. To do that there are many tools, some of the popular ones are enlisted below.

Gobuster

Gobuster is the fast directory/file bruteforcing tool written in Go language. It will bruteforce site URL with wordlist and if any word of the wordlist matches then there you go , you have found the directory/file of the target website

$ gobuster dir -u https://targetwebsite.com -w common-folder.txt

In the above command, we are telling gobuster to perform directory searching operation, where ` -u` is the flag for URL, ` -w` is the flag for wordlist and common-folder.txt is the wordlist consisting of common directory to test for on a site

DirSearch

DirSearch is next popular tool for bruteforcing files/directory written in python.I mostly prefer DirSearch for bruteforcing hidden files and files of the website you are targeting for .

$ python3 dirsearch.py -e php,html -u https://targetsite.com -w /path/to/wordlist

Here, you need to have python installed (version 3) , ` -e` flags says the dirsearch to only look for file that have extension php,html , ` -u ` is for URL and ` -w` is for wordlist path . If you don’t provide any wordlist to the dirsearch , it will use its default wordlist.

OWASP ZAP

Zap is the GUI which can be used to discover the endpoints of website and many more.The main drawback of zap is it is slower in comparision to above mentioned tools . But for those who are new to web security , it will easier for you to use GUI like ZAP at first.

Tools I used in this article and more

For port scanning

For Subdomain enumeration

For file and directory bruteforce

For taking screenshot of URL’s

Wordlist

For finding domain’s certifcate information

For tech stack fingerprinting

Note ☠️

I haven’t mentioned tech stack discovery ,google dorking in this article. Well, for doing tech stack discovery , you can simply used extensions like Wappalyzer and builtWith. For google dorking , I am planning to write next article on it because google dorking in itself requires a separate article.

Also note that, everyone have got their own methodology. So it’s not some sort of follow to follow process. But these steps are inspired from great bug bounty hunters.

Wanna Connect With Me 👋

LinkedIn : https://www.linkedin.com/in/manish-basnet-200526213/

Github : https://github.com/maheshbasnet089

--

--

Manish Basnet
Manish Basnet

Written by Manish Basnet

Web Dev | Web Sec | Offensive Security

Responses (1)