====== Discovery ======
===== Find the road less traveled =====
This means find the application (or the parts of an application) that get tested least. In wide-scoped programs the flagship application will most likely be heavily assessed already.
* ''*.acme.com'' wildcard scope is your friend
* Find domains via Google (and others!)
* Can be automated well via recon-ng and other tools.
* Port scan for obscure web servers or services (on all domains)
* Find acquisitions and the bounty acquisition rules
* Google's VRP has a six-month rule: an acquisition is out of scope until six months after the deal closes, so note the date and come back
* Functionality changes or re-designs
* Mobile websites
* New mobile app versions
* Find the parent company's other properties via trademark filings or a shared privacy-policy text
===== Tool: Recon-ng script (enumall.sh) =====
https://github.com/jhaddix/domain
===== LMGTFY: Let Me GOOGLE That For You =====
site:paypal.com -www.paypal.com -www.sandbox
===== List of Mergers and Acquisitions: =====
https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Facebook
===== Port Scanning =====
Port scanning is not just for Netpen! A full port scan of all your new found targets will usually yield #win:
* separate webapps
* extraneous services
* Facebook had Jenkins Script console with no auth
* IIS.net had RDP open, vulnerable to MS12-020
''nmap -sS -A -Pn -p- --script=http-title dontscanme.bro''
(SYN scan, OS + service fingerprint, skip host discovery, all 65535 ports, HTTP titles; ''-PN'' is the older spelling of ''-Pn''. ''-A'' is noisy: swap it for ''-sV'' when you only need service versions.)
===== Zseano Recon Pipeline =====
<code bash>
# Full subdomain pipeline
amass enum -brute -active -d target.com -o amass.txt
subfinder -d target.com >> amass.txt
cat amass.txt | sort -u | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 | tee online.txt
cat amass.txt | dnsgen - | httprobe >> online.txt
cat online.txt | aquatone

# Historical URLs
gau target.com | sort -u > gau.txt
waybackurls target.com | sort -u >> gau.txt
</code>
**Google dorks:**
site:target.com inurl:& -movies
site:target.com ext:php | ext:aspx | ext:jsp | ext:bak | ext:xml
**GitHub/Shodan:** search ''"target.com"'' + ''api_key'', ''password'', ''secret''
**Subdomain keywords to prioritize:** ''dev'', ''qa'', ''staging'', ''admin'', ''internal'', ''api''
* [[zseano:recon|Full Zseano Recon Guide]]
====== BBC Ch 5: Recon -- Expanded Techniques ======
//Merged from Bug Bounty Bootcamp Ch 5 by Vickie Li//
===== Manually Walking the Application =====
Before any tools, manually browse every feature:
* Click every link, use every function (payments, uploads, events, admin)
* Create accounts at every privilege level
* Note all data entry points -- these are your attack surface
===== Google Dorking =====
^ Operator ^ Example ^ Use ^
| ''site:'' | ''site:*.example.com'' | All subdomains |
| ''inurl:'' | ''inurl:app/kibana'' | URL pattern |
| ''intitle:'' | ''intitle:"index of"'' | Directory listings |
| ''filetype:'' | ''filetype:log'' | File extension |
| ''-'' | ''"how to hack" -php'' | Exclude term |
<code>
site:s3.amazonaws.com COMPANY_NAME
site:example.com ext:php
site:example.com ext:txt password
site:example.com inurl:app/kibana
</code>
Check the **Google Hacking Database (GHDB)** at exploit-db.com/google-hacking-database for community-built dorks.
===== WHOIS, IPs, and ASNs =====
<code bash>
whois facebook.com                        # registrant info
nslookup facebook.com                     # domain to IP
whois 157.240.2.35                        # IP ownership + NetRange
whois -h whois.cymru.com 157.240.2.35     # IP to ASN (Team Cymru)
</code>
If the org runs its own ASN, every prefix that ASN announces (the NetRange in the IP whois) is their infrastructure, so enumerate the whole range rather than single IPs. An IP inside a cloud provider's or hoster's ASN proves nothing about ownership; only the hostname or certificate ties it to the target.
**Reverse WHOIS:** search ViewDNS.info by org name/email to find all domains owned by the same entity.
===== Certificate Parsing =====
<code bash>
curl -s "https://crt.sh/?q=example.com&output=json" | jq -r '.[].name_value' | sort -u
</code>
Returns every hostname from the certificates' Subject Alternative Name fields, which reveals subdomains across all services. ''name_value'' can hold several newline-separated names per certificate and wildcard entries such as ''*.example.com'', so de-duplicate and strip the ''*.'' before feeding the list to anything else. crt.sh treats ''%'' as a wildcard: query ''q=%25.example.com'' (URL-encoded ''%.example.com'') to match subdomains rather than the apex alone.
===== Subdomain Enumeration =====
<code bash>
sublist3r -d example.com
gobuster dns -d example.com -w /path/to/wordlist.txt
amass enum -d example.com
sort -u wordlist1.txt wordlist2.txt > combined.txt
</code>
Pattern-based: if you find ''1.example.com'' and ''3.example.com'', try ''2.example.com''. Use **Altdns** to generate permutations automatically. Run enumeration recursively on discovered subdomains.
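The merge-and-triage step that the pipeline above, the crt.sh parsing and the enumeration commands all leave implicit, as an added shell example. This is not code from the page, from Zseano's guide or from any tool named here; the hostnames and the keyword list are constructed sample data, and ''normalize_hosts'', ''prioritize_hosts'' and ''recon_triage'' are names made up for this example.

```shell
#!/usr/bin/env bash
# Added example: merge raw subdomain output from several sources into one clean,
# in-scope list and flag the high-value hosts first. Not from the original page
# or any tool it names; all names and data below are constructed for illustration.

# normalize_hosts SCOPE_DOMAIN  (reads raw hostnames on stdin)
#   lowercases, trims whitespace and trailing dots, strips crt.sh wildcard
#   prefixes ("*.dev.example.com" -> "dev.example.com"), drops anything that is
#   not SCOPE_DOMAIN or a subdomain of it (third-party SANs, look-alikes), de-dups.
normalize_hosts() {
  scope_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' -e 's/^\*\.//' \
    | LC_ALL=C grep -E "^([a-z0-9-]+\.)*${scope_re}$" \
    | LC_ALL=C sort -u
}

# Labels that usually mark less-tested infrastructure (the page's own list; extend it).
PRIORITY_KEYWORDS='dev|qa|staging|admin|internal|api'

# prioritize_hosts  (reads normalized hostnames on stdin)
#   A keyword counts only as a whole label or a label prefix ("api-v2", "dev2"),
#   so "developer.example.com" is not flagged. HIGH lines are printed first.
prioritize_hosts() {
  awk -v re="[.-](${PRIORITY_KEYWORDS})([.-]|[0-9])" '
    ("." $0 ".") ~ re { high[++h] = $0; next }
                      { low[++l] = $0 }
    END {
      for (i = 1; i <= h; i++) print "HIGH " high[i]
      for (i = 1; i <= l; i++) print "LOW  " low[i]
    }'
}

SCOPE="example.com"
# Constructed sample of messy enumerator output: duplicates, mixed case, crt.sh
# wildcards, a trailing dot, a CDN SAN from a shared cert, and a look-alike domain.
RAW_HOSTS='www.example.com
WWW.example.com
*.dev.example.com
api-v2.example.com.
staging.example.com
cdn.examplecdn.net
jenkins.internal.example.com
blog.example.com
*.example.com
sub.example.com.evil.tld'

# recon_triage: the whole pipeline on the sample; in practice replace RAW_HOSTS
# with the concatenated amass / subfinder / crt.sh / dnsgen output files.
recon_triage() {
  printf '%s\n' "$RAW_HOSTS" | normalize_hosts "$SCOPE" | prioritize_hosts
}

recon_triage
```

The in-scope filter is the part people skip: a shared certificate or a typo-squat domain pulled in from crt.sh otherwise ends up in your httprobe list and, worse, in your scan targets. The keyword match is deliberately anchored on label boundaries so that a keyword buried inside an unrelated word does not inflate the HIGH list.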
===== Service and Port Enumeration =====
<code bash>
nmap example.com -sV    # open ports + version detection
</code>
Passive alternatives: **Shodan**, **Censys**, **Project Sonar** -- query without touching the target.
Non-standard ports (8080, 8443, 3000, 8888) often host admin panels, dev services, or debug interfaces.
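The hand-off from the port scan to the web-app triage (the point of both port-scanning sections on this page), as an added shell example that is not from the page or from nmap itself: it parses nmap's greppable output (''-oG'') into an open-port inventory and then into a URL list for httprobe or aquatone. The scan below is a constructed sample, and ''nmap_open_ports'' and ''web_targets'' are names made up here.

```shell
#!/usr/bin/env bash
# Added example: turn nmap greppable output (-oG) into (a) an open-port inventory
# and (b) a URL list for httprobe/aquatone, so "port scan everything" feeds the
# web-app triage step. Not code from the page or from nmap; the scan output below
# is a constructed sample and the function names are made up for this example.

# nmap_open_ports  (reads a .gnmap file on stdin)
#   prints "host port service" for each open port. gnmap port entries look like
#   port/state/proto/owner/service/rpc/version/, and nmap writes "|" where a
#   service or version string would contain "/", e.g. ssl|http.
nmap_open_ports() {
  awk '
    /^Host:/ && /Ports:/ {
      host = $2
      line = $0
      sub(/^.*Ports: /, "", line)
      sub(/[ \t]*Ignored State:.*$/, "", line)
      n = split(line, entries, /, */)
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open") print host, f[1], (f[5] == "" ? "unknown" : f[5])
      }
    }'
}

# web_targets  (reads a .gnmap file on stdin)
#   keeps only ports that look like web servers and picks http/https by service
#   name or well-known port, emitting URLs ready for httprobe or aquatone.
web_targets() {
  nmap_open_ports | awk '
    {
      port = $2 + 0; svc = $3
      if (svc ~ /^(ssl[|])?http/ || port == 443 || port == 8443) {
        scheme = (svc ~ /^ssl[|]/ || svc == "https" || port == 443 || port == 8443) ? "https" : "http"
        print scheme "://" $1 ":" port
      }
    }'
}

# Constructed -oG sample of the kind `nmap -sS -sV -p- -oG scan.gnmap 203.0.113.10`
# writes: one filtered port, plain http on 80, a dev server on 3000, TLS on 8443.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV -p- -oG scan.gnmap 203.0.113.10
Host: 203.0.113.10 (staging.example.com)   Status: Up
Host: 203.0.113.10 (staging.example.com)   Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3000/open/tcp//http//Node.js Express/, 3389/filtered/tcp//ms-wbt-server///, 8443/open/tcp//ssl|http//Jetty 9.4/   Ignored State: closed (65530)
# Nmap done at Mon Jan  1 00:05:00 2024 -- 1 IP address (1 host up) scanned'

printf '%s\n' "$SAMPLE_GNMAP" | nmap_open_ports
printf '%s\n' "$SAMPLE_GNMAP" | web_targets
```

Filtered ports are dropped on purpose: a filtered 3389 is a firewall rule, not an RDP service, and putting it in the inventory only creates noise. Ports that answer on a non-standard number but with a web service name (3000 above) are exactly the dev and admin interfaces the previous paragraph is about, and they come out of ''web_targets'' without any manual list of "interesting ports".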
===== Directory Brute-Forcing =====
<code bash>
./dirsearch.py -u example.com -e php
gobuster dir -u https://example.com -w wordlist.txt
</code>
* 200: accessible -- check the content
* 403: exists but protected -- try a bypass (other HTTP methods, path-normalization variants such as a trailing slash or URL-encoded characters, override headers like ''X-Original-URL'' or ''X-Forwarded-For'')
* 404: doesn't exist
Screenshot all found pages with **EyeWitness** for fast visual triage.
===== Spidering =====
OWASP ZAP: Tools > Spider. Feed a starting URL; ZAP recursively visits all linked pages and builds a site map. Good for finding hidden endpoints not linked from the main nav.
===== S3 Buckets =====
<code bash>
# --no-sign-request tests what an anonymous user can do; without it the CLI signs
# with your own credentials and a success says nothing about public exposure
aws s3 ls s3://BUCKET_NAME/ --no-sign-request
aws s3 cp s3://BUCKET_NAME/FILE /tmp/ --no-sign-request
# Write test (clean up after):
aws s3 cp testfile s3://BUCKET_NAME/ --no-sign-request
aws s3 rm s3://BUCKET_NAME/testfile --no-sign-request
</code>
Tools: **lazys3**, **GrayhatWarfare** (buckets.grayhatwarfare.com), **Bucket Stream**
Exposed buckets can contain credentials, source code, logs, user data. Write access = critical severity.
===== GitHub Recon =====
<code bash>
# Search code for secrets
# GitHub code search: org:COMPANY_NAME password
# or
trufflehog git https://github.com/COMPANY/REPO
gitrob analyze COMPANY_NAME
</code>
Look at:
* Issues and Commits sections for unresolved bugs and security patches
* Config files for credentials, bucket URLs, internal endpoints
* Outdated dependencies -- cross-reference with CVE database
* Blame and History for recently removed secrets
Validate credentials: **KeyHacks** (github.com/streaak/keyhacks)
===== OSINT =====
* **Job listings** -- reveal tech stack; "Experience with Flask, EC2, RDS" tells you exactly what they run
* **LinkedIn** -- employee skills = company tech; engineers' blogs and StackOverflow answers leak architecture details
* **Pastebin** -- search the org name; engineers sometimes paste source code or server logs
* **SlideShare** -- conference slides often reveal internal architecture
* **Wayback Machine** + **waybackurls** -- extract all archived URLs; find old endpoints and forgotten subdomains
===== Tech Stack Fingerprinting =====
<code bash>
curl -I https://example.com
# Server: Apache/2.0.6 (Ubuntu)
# X-Powered-By: PHP/5.0.1
# X-Generator: Drupal 8
# Set-Cookie: PHPSESSID=...   <- PHP
# Set-Cookie: JSESSIONID=...  <- Java/Tomcat
</code>
* View source: search for "powered by", "built with", "running"
* File extensions in URLs: ''.php'', ''.asp'', ''.cfm'', ''.jsp''
* Directories: ''/jinja2/'' = Python (Jinja2 templates, usually Flask or Django), ''/phpmyadmin/'' = PHP+MySQL
* Browser extension: **Wappalyzer** | Website: **BuiltWith.com** | **StackShare.io**
* **Retire.js** for outdated JavaScript libraries
Once you have the version, check CVE database (cve.mitre.org) for public exploits.
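The header-reading step above done as a reusable function, as an added shell example that is not from the page, Wappalyzer or any other tool named here: it pulls stack and version hints out of a captured response header block (what ''curl -I'' prints) so fingerprinting can run over a whole host list instead of by eye. The two header blocks are constructed samples and ''fingerprint_headers'' is a name made up for this example.

```shell
#!/usr/bin/env bash
# Added example: extract stack and version hints from a captured HTTP response
# header block (what `curl -I` prints). Not from the page or any tool it names;
# the header blocks below are constructed samples and the function name is made up.

# fingerprint_headers  (reads raw response headers on stdin, CRLF or LF)
#   prints one "tag: evidence" line per indicator, de-duplicated. Header names are
#   matched case-insensitively; the evidence keeps the original casing for the report.
fingerprint_headers() {
  tr -d '\r' | awk -F':' '
    NF < 2 { next }                                   # status line, blank line
    {
      name = tolower($1)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)         # everything after the first colon
      lval = tolower(val)
      if (name == "server")           print "server: " val
      if (name == "x-powered-by")     print "powered-by: " val
      if (name == "x-generator")      print "generator: " val
      if (name == "x-aspnet-version") print "aspnet: " val
      if (name == "set-cookie") {                     # session cookie names give the runtime away
        if (lval ~ /^phpsessid=/)          print "php: session cookie PHPSESSID"
        if (lval ~ /^jsessionid=/)         print "java: session cookie JSESSIONID"
        if (lval ~ /^asp\.net_sessionid=/) print "aspnet: session cookie ASP.NET_SessionId"
        if (lval ~ /^csrftoken=/)          print "django: csrftoken cookie"
        if (lval ~ /^laravel_session=/)    print "laravel: laravel_session cookie"
      }
      # any dotted version number in Server / X-Powered-By is a CVE lookup candidate
      if ((name == "server" || name == "x-powered-by") && match(val, /[0-9]+\.[0-9]+(\.[0-9]+)?/))
        print "version: " substr(val, RSTART, RLENGTH) " (" val ")"
    }' | LC_ALL=C sort -u
}

# Constructed sample 1: the LAMP/Drupal case shown on the page.
PHP_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.0.6 (Ubuntu)
X-Powered-By: PHP/5.0.1
X-Generator: Drupal 8
Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8'

# Constructed sample 2: a Java app behind a reverse proxy that strips Server.
JAVA_HEADERS='HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=ABCDEF0123456789; Path=/; Secure; HttpOnly
Location: /login
Content-Length: 0'

printf '%s\n' "$PHP_HEADERS" | fingerprint_headers
printf '%s\n' "$JAVA_HEADERS" | fingerprint_headers
```

The second sample is the common case where a proxy hides ''Server'' and ''X-Powered-By'': the session cookie name still identifies the runtime, which is why the cookie checks are worth keeping even when the obvious headers are gone. The ''version:'' lines are the ones to take to the CVE database; a bare product name without a version is a hint, not a finding.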
===== Recon Bash Script =====
<code bash>
#!/bin/bash
# ./recon.sh [-m nmap-only|dirsearch-only|crt-only] domain1 domain2 ...
# Without -m all three scans run for every domain.
set -u
PATH_TO_DIRSEARCH="/path/to/dirsearch"
MODE="all"

nmap_scan()      { nmap "$DOMAIN" > "$DIRECTORY/nmap"; }
dirsearch_scan() { "$PATH_TO_DIRSEARCH/dirsearch.py" -u "$DOMAIN" -e php --simple-report="$DIRECTORY/dirsearch"; }
crt_scan()       { curl -s "https://crt.sh/?q=$DOMAIN&output=json" -o "$DIRECTORY/crt"; }

while getopts "m:" OPTION; do
  case "$OPTION" in
    m) MODE="$OPTARG" ;;
    *) echo "usage: $0 [-m nmap-only|dirsearch-only|crt-only] domain ..." >&2; exit 1 ;;
  esac
done
shift $((OPTIND - 1))          # drop the parsed options; what remains are the domains

for DOMAIN in "$@"; do
  DIRECTORY="${DOMAIN}_recon"
  mkdir -p "$DIRECTORY"
  case "$MODE" in
    nmap-only)      nmap_scan ;;
    dirsearch-only) dirsearch_scan ;;
    crt-only)       crt_scan ;;
    *)              nmap_scan; dirsearch_scan; crt_scan ;;
  esac
  TODAY=$(date)
  echo "Scan: $DOMAIN -- $TODAY" > "$DIRECTORY/report"
  # nmap: keep only the "port/proto state service" table lines
  [ -f "$DIRECTORY/nmap" ] && grep -E "^\s*\S+\s+\S+\s+\S*$" "$DIRECTORY/nmap" >> "$DIRECTORY/report"
  [ -f "$DIRECTORY/dirsearch" ] && cat "$DIRECTORY/dirsearch" >> "$DIRECTORY/report"
  # crt.sh: name_value can hold several newline-separated SANs, so de-dup after jq
  [ -f "$DIRECTORY/crt" ] && jq -r '.[] | .name_value' "$DIRECTORY/crt" | sort -u >> "$DIRECTORY/report"
done
</code>