Discovery

Find the road less traveled

This means find the application (or parts of an application) less tested. In wide scoped projects the flagship application will most liekly be heavily assessed.

^.acme.com scope is your friend
Find domains via Google (and others!)
Can be automated well via recon-ng and other tools.
Port scan for obscure web servers or services (on all domains)
Find acquisitions and the bounty acquisition rules
Google has a 6 month rule
Functionality changes or re-designs
Mobile websites
New mobile app versions
Searching parent company by trademark or privacy policy

Tool: Recon-ng script (enumall.sh)

https://github.com/jhaddix/domain

LMGTFY: Let Me GOOGLE That For You

site:paypal.com -www.paypal.com -www.sandbox

List of Mergers and Acquisitions:

https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Facebook

Port Scanning

Port scanning is not just for Netpen! A full port scan of all your new found targets will usually yield #win:

separate webapps
extraneous services
Facebook had Jenkins Script console with no auth
IIS.net had rdp open vulnerable to MS12_020

nmap -sS -A -PN -p- –script=http-title dontscanme.bro

(syn scan, OS + service fingerprint, no ping, all ports, http titles)

Zseano Recon Pipeline

# Full subdomain pipeline
amass enum -brute -active -d target.com -o amass.txt
subfinder -d target.com >> amass.txt
cat amass.txt | sort -u | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 | tee online.txt
cat amass.txt | dnsgen - | httprobe >> online.txt
cat online.txt | aquatone
 
# Historical URLs
gau target.com | sort -u > gau.txt
waybackurls target.com | sort -u >> gau.txt

Google dorks:

site:target.com inurl:& -movies
site:target.com ext:php | ext:aspx | ext:jsp | ext:bak | ext:xml

GitHub/Shodan: search “target.com” + api_key, password, secret

Subdomain keywords to prioritize: dev, qa, staging, admin, internal, api

Full Zseano Recon Guide

BBC Ch 5: Recon -- Expanded Techniques

Merged from Bug Bounty Bootcamp Ch 5 by Vickie Li

Manually Walking the Application

Before any tools, manually browse every feature:

Click every link, use every function (payments, uploads, events, admin)
Create accounts at every privilege level
Note all data entry points – these are your attack surface

Google Dorking

Operator	Example	Use
—	—	—
`site:`	`site:*.example.com`	All subdomains
`inurl:`	`inurl:app/kibana`	URL pattern
`intitle:`	`intitle:“index of”`	Directory listings
`filetype:`	`filetype:log`	File extension
`-`	`“how to hack” -php`	Exclude term

site:s3.amazonaws.com COMPANY_NAME
site:example.com ext:php
site:example.com ext:txt password
site:example.com inurl:app/kibana

Check the Google Hacking Database (GHDB) at exploit-db.com/google-hacking-database for community-built dorks.

WHOIS, IPs, and ASNs

whois facebook.com                          # registrant info
nslookup facebook.com                       # domain to IP
whois 157.240.2.35                          # IP ownership + NetRange
whois -h whois.cymru.com 157.240.2.35       # IP to ASN

If the org has a dedicated ASN (own IP block), all IPs in the range belong to them.

Reverse WHOIS: search ViewDNS.info by org name/email to find all domains owned by the same entity.

Certificate Parsing

curl "https://crt.sh/?q=example.com&output=json" | jq -r '.[].name_value'

Returns all hostnames in the cert's Subject Alternative Name field – reveals subdomains across all services.

Subdomain Enumeration

sublist3r -d example.com
gobuster dns -d example.com -w /path/to/wordlist.txt
amass enum -d example.com
sort -u wordlist1.txt wordlist2.txt > combined.txt

Pattern-based: if you find `1.example.com` and `3.example.com`, try `2.example.com`. Use Altdns to generate permutations automatically. Run enumeration recursively on discovered subdomains.

Service and Port Enumeration

nmap example.com -sV               # open ports + version detection

Passive alternatives: Shodan, Censys, Project Sonar – query without touching the target.

Non-standard ports (8080, 8443, 3000, 8888) often host admin panels, dev services, or debug interfaces.

Directory Brute-Forcing

./dirsearch.py -u example.com -e php
gobuster dir -u https://example.com -w wordlist.txt

200: accessible – check the content
403: exists but protected – attempt bypass (HTTP method, path normalization, header injection)
404: doesn't exist

Screenshot all found pages with EyeWitness for fast visual triage.

Spidering

OWASP ZAP: Tools > Spider. Feed a starting URL; ZAP recursively visits all linked pages and builds a site map. Good for finding hidden endpoints not linked from the main nav.

S3 Buckets

aws s3 ls s3://BUCKET_NAME/
aws s3 cp s3://BUCKET_NAME/FILE /tmp/

# Write test (clean up after):
aws s3 cp testfile s3://BUCKET_NAME/
aws s3 rm s3://BUCKET_NAME/testfile

Tools: lazys3, GrayhatWarfare (buckets.grayhatwarfare.com), Bucket Stream

Exposed buckets can contain credentials, source code, logs, user data. Write access = critical severity.

GitHub Recon

# Search code for secrets
# GitHub code search: org:COMPANY_NAME password
# or
trufflehog git https://github.com/COMPANY/REPO
gitrob analyze COMPANY_NAME

Look at:

Issues and Commits sections for unresolved bugs and security patches
Config files for credentials, bucket URLs, internal endpoints
Outdated dependencies – cross-reference with CVE database
Blame and History for recently removed secrets

Validate credentials: KeyHacks (github.com/streaak/keyhacks)

OSINT

Job listings – reveal tech stack; “Experience with Flask, EC2, RDS” tells you exactly what they run
LinkedIn – employee skills = company tech; engineers' blogs and StackOverflow answers leak architecture details
Pastebin – search the org name; engineers sometimes paste source code or server logs
SlideShare – conference slides often reveal internal architecture
Wayback Machine + waybackurls – extract all archived URLs; find old endpoints and forgotten subdomains

Tech Stack Fingerprinting

curl -I https://example.com
# Server: Apache/2.0.6 (Ubuntu)
# X-Powered-By: PHP/5.0.1
# X-Generator: Drupal 8
# Set-Cookie: PHPSESSID=...        <- PHP
# Set-Cookie: JSESSIONID=...       <- Java/Tomcat

View source: search for “powered by”, “built with”, “running”
File extensions in URLs: `.php`, `.asp`, `.cfm`, `.jsp`
Directories: `/jinja2/` = Django, `/phpmyadmin/` = PHP+MySQL
Browser extension: Wappalyzer | Website: BuiltWith.com | StackShare.io
Retire.js for outdated JavaScript libraries

Once you have the version, check CVE database (cve.mitre.org) for public exploits.

Recon Bash Script

#!/bin/bash
# ./recon.sh -m [nmap-only|dirsearch-only|crt-only] domain1 domain2
 
PATH_TO_DIRSEARCH="/path/to/dirsearch"
 
nmap_scan()      { nmap $DOMAIN > $DIRECTORY/nmap; }
dirsearch_scan() { $PATH_TO_DIRSEARCH/dirsearch.py -u $DOMAIN -e php --simple-report=$DIRECTORY/dirsearch; }
crt_scan()       { curl "https://crt.sh/?q=$DOMAIN&output=json" -o $DIRECTORY/crt; }
 
while getopts "m:" OPTION; do
    case $OPTION in
        m) MODE=$OPTARG ;;
    esac
done
 
for i in "${@:$OPTIND:$#}"; do
    DOMAIN=$i
    DIRECTORY=${DOMAIN}_recon
    mkdir -p $DIRECTORY
 
    case $MODE in
        nmap-only)      nmap_scan ;;
        dirsearch-only) dirsearch_scan ;;
        crt-only)       crt_scan ;;
        *)              nmap_scan; dirsearch_scan; crt_scan ;;
    esac
 
    TODAY=$(date)
    echo "Scan: $DOMAIN -- $TODAY" > $DIRECTORY/report
    [ -f $DIRECTORY/nmap ]      && grep -E "^\s*\S+\s+\S+\s+\S*$" $DIRECTORY/nmap >> $DIRECTORY/report
    [ -f $DIRECTORY/dirsearch ] && cat $DIRECTORY/dirsearch >> $DIRECTORY/report
    [ -f $DIRECTORY/crt ]       && jq -r '.[] | .name_value' $DIRECTORY/crt >> $DIRECTORY/report
done

Table of Contents