Discovery

Find the road less traveled

This means finding the application (or the parts of an application) that are least tested. In wide-scoped programs the flagship application will most likely have been heavily assessed already; the acquisitions, legacy portals and forgotten hosts usually have not.

  • A wildcard scope (*.acme.com) is your friend
  • Find domains via Google (and others!)
  • Can be automated well via recon-ng and other tools.
  • Port scan for obscure web servers or services (on all domains)
  • Find acquisitions and the bounty acquisition rules
  • Google's VRP has a 6-month rule: acquisitions enter scope six months after the deal closes
  • Functionality changes or re-designs
  • Mobile websites
  • New mobile app versions
  • Searching parent company by trademark or privacy policy

Tool: Recon-ng script (enumall.sh)

LMGTFY: Let Me GOOGLE That For You

site:paypal.com -www.paypal.com -www.sandbox

List of Mergers and Acquisitions:

Port Scanning

Port scanning is not just for network pentests! A full port scan of all your newly found targets will usually pay off with:

  • separate webapps
  • extraneous services
  • Facebook had a Jenkins script console exposed with no auth
  • IIS.net had RDP open and vulnerable to MS12-020

nmap -sS -A -Pn -p- --script=http-title dontscanme.bro

(SYN scan, OS + service fingerprint, no ping, all ports, HTTP titles. -sS needs root, -A already turns on version detection and default scripts, and -p- on every host is slow and noisy, so run it only against hosts that are confirmed in scope.)

Zseano Recon Pipeline

# Full subdomain pipeline
amass enum -brute -active -d target.com -o amass.txt
subfinder -d target.com >> amass.txt
cat amass.txt | sort -u | httprobe -p http:81 -p http:3000 -p https:8443 -c 50 | tee online.txt
cat amass.txt | dnsgen - | httprobe >> online.txt
cat online.txt | aquatone
 
# Historical URLs
gau target.com | sort -u > gau.txt
waybackurls target.com | sort -u >> gau.txt

Google dorks:

site:target.com inurl:& -movies
site:target.com ext:php | ext:aspx | ext:jsp | ext:bak | ext:xml

GitHub/Shodan: search "target.com" + api_key, password, secret

Subdomain keywords to prioritize: dev, qa, staging, admin, internal, api

BBC Ch 5: Recon -- Expanded Techniques

Merged from Bug Bounty Bootcamp Ch 5 by Vickie Li

Manually Walking the Application

Before any tools, manually browse every feature:

  • Click every link, use every function (payments, uploads, events, admin)
  • Create accounts at every privilege level
  • Note all data entry points – these are your attack surface

Google Dorking

Operator     Example                   Use
`site:`      `site:*.example.com`      All subdomains
`inurl:`     `inurl:app/kibana`        URL pattern
`intitle:`   `intitle:"index of"`      Directory listings
`filetype:`  `filetype:log`            File extension
`-`          `"how to hack" -php`      Exclude term
site:s3.amazonaws.com COMPANY_NAME
site:example.com ext:php
site:example.com ext:txt password
site:example.com inurl:app/kibana

Check the Google Hacking Database (GHDB) at exploit-db.com/google-hacking-database for community-built dorks.

WHOIS, IPs, and ASNs

whois facebook.com                          # registrant info
nslookup facebook.com                       # domain to IP
whois 157.240.2.35                          # IP ownership + NetRange
whois -h whois.cymru.com 157.240.2.35       # IP to ASN

If the org has a dedicated ASN (it announces its own IP blocks), everything in those prefixes is theirs. If the IP sits in a cloud provider's ASN, the lookup only tells you the provider, so confirm ownership per host before treating it as in scope.

Reverse WHOIS: search ViewDNS.info by org name/email to find all domains owned by the same entity.

Certificate Parsing

curl "https://crt.sh/?q=example.com&output=json" | jq -r '.[].name_value'

Returns every hostname from the certificates' Subject Alternative Name fields, revealing subdomains across all services. Expect noise: the same name appears once per certificate, a single name_value can hold several newline-separated names, and wildcard entries (*.example.com) are not probeable hosts, so pipe through sort -u and filter before feeding the list to other tools.
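The cleanup the jq one-liner skips, as an added Python example (not part of the original page and not crt.sh's code): it takes the raw crt.sh JSON string, splits multi-name entries, lowercases, drops wildcards and out-of-scope names, and dedupes. The JSON below is constructed to mimic crt.sh's output shape; the hostnames in it are made up.

```python
"""Normalise crt.sh JSON output into a clean, in-scope hostname list.

crt.sh's `output=json` returns one object per certificate. Three things
bite if you just print name_value: duplicates (one row per cert), several
names packed into one name_value separated by "\n", and wildcard names
that are not resolvable hosts.
"""
from __future__ import annotations
import json

# Constructed sample that mimics crt.sh's output shape; not real cert data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com"},        # renewed cert: duplicate
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nDEV.Example.com\nstaging-api.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},              # looks similar, out of scope
])


def in_scope(host: str, scope: str) -> bool:
    """True if host is the scope domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    scope = scope.lower().rstrip(".")
    return host == scope or host.endswith("." + scope)


def hostnames_from_crtsh(raw_json: str, scope: str) -> list[str]:
    """Sorted, de-duplicated, probeable hostnames under `scope`."""
    seen: set[str] = set()
    for cert in json.loads(raw_json):
        for name in cert.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue                  # wildcard: nothing to resolve or probe
            if in_scope(name, scope):
                seen.add(name)
    return sorted(seen)


def wildcard_bases(raw_json: str, scope: str) -> list[str]:
    """Domains that carried a wildcard cert: prime candidates for brute-forcing."""
    bases: set[str] = set()
    for cert in json.loads(raw_json):
        for name in cert.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*.") and in_scope(name[2:], scope):
                bases.add(name[2:])
    return sorted(bases)


if __name__ == "__main__":
    for host in hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
    print("wildcard certs seen for:", wildcard_bases(SAMPLE_CRTSH_JSON, "example.com"))
```

To run it against live data, pass the body of `curl -s "https://crt.sh/?q=example.com&output=json"` to `hostnames_from_crtsh` in place of the constructed sample; the wildcard bases are the domains where a wordlist brute-force is most likely to find more.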

Subdomain Enumeration

sublist3r -d example.com
gobuster dns -d example.com -w /path/to/wordlist.txt
amass enum -d example.com
sort -u wordlist1.txt wordlist2.txt > combined.txt

Pattern-based: if you find `1.example.com` and `3.example.com`, try `2.example.com`. Use Altdns to generate permutations automatically. Run enumeration recursively on discovered subdomains.
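The pattern-based step above, written out as an added Python example (not Altdns or dnsgen code): numeric gap filling, a dnsgen-style keyword permutation that reuses the priority keywords listed earlier on this page, and a sort that puts keyword-bearing names first. The discovered hostnames are a constructed sample.

```python
"""Pattern-based subdomain candidates: numeric gap filling, keyword
permutations, and keyword-based prioritisation of the result."""
from __future__ import annotations
import re

# Constructed stand-in for amass/subfinder/crt.sh output.
DISCOVERED = ["1.example.com", "3.example.com", "api.example.com", "www.example.com"]

# Keywords this page says to prioritise, reused as permutation tokens.
PRIORITY_WORDS = ["dev", "qa", "staging", "admin", "internal", "api"]

NUM_RE = re.compile(r"\d+")


def fill_numeric_gaps(hosts: list[str]) -> list[str]:
    """1.example.com and 3.example.com seen -> propose 0, 2 and 4.

    Hosts are grouped by the name with their first number replaced by a
    placeholder; for each group the range min-1..max+1 is proposed minus
    the numbers already seen (0 is the floor).
    """
    groups: dict[str, set[int]] = {}
    for h in hosts:
        m = NUM_RE.search(h)
        if not m:
            continue
        template = h[: m.start()] + "{n}" + h[m.end():]
        groups.setdefault(template, set()).add(int(m.group()))
    candidates: set[str] = set()
    for template, nums in groups.items():
        for n in range(max(0, min(nums) - 1), max(nums) + 2):
            if n not in nums:
                candidates.add(template.format(n=n))
    return sorted(candidates)


def permute(hosts: list[str], words: list[str], scope: str) -> list[str]:
    """dnsgen/Altdns style: wrap each word around the existing left-hand labels."""
    out: set[str] = set()
    suffix = "." + scope
    for h in hosts:
        if not h.endswith(suffix):
            continue
        sub = h[: -len(suffix)]           # "api" from api.example.com
        for w in words:
            out.update({
                f"{w}.{h}",               # dev.api.example.com
                f"{w}-{sub}{suffix}",     # dev-api.example.com
                f"{sub}-{w}{suffix}",     # api-dev.example.com
                f"{w}{sub}{suffix}",      # devapi.example.com
            })
    return sorted(out - set(hosts))       # never re-propose what you already have


def prioritize(hosts: list[str], words: list[str] = PRIORITY_WORDS) -> list[str]:
    """Hosts whose labels contain more priority keywords come first."""
    def score(h: str):
        labels = re.split(r"[.-]", h.lower())
        hits = sum(1 for w in words if w in labels)
        return (-hits, h)
    return sorted(hosts, key=score)


if __name__ == "__main__":
    gaps = fill_numeric_gaps(DISCOVERED)
    perms = permute(DISCOVERED, PRIORITY_WORDS, "example.com")
    for host in prioritize(gaps + perms):
        print(host)                       # feed this list to dnsx/httprobe
```

The candidates are only guesses until resolved, so pipe the output into a resolver (dnsx, massdns) and then into httprobe as the pipeline above does; the prioritised order means the dev/staging/admin guesses get probed first when you cap concurrency.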

Service and Port Enumeration

nmap example.com -sV               # open ports + version detection

Passive alternatives: Shodan, Censys, Project Sonar – query without touching the target.

Non-standard ports (8080, 8443, 3000, 8888) often host admin panels, dev services, or debug interfaces.

Directory Brute-Forcing

./dirsearch.py -u example.com -e php
gobuster dir -u https://example.com -w wordlist.txt
  • 200: accessible – check the content
  • 403: exists but protected – attempt bypass (HTTP method, path normalization, header injection)
  • 404: doesn't exist

Screenshot all found pages with EyeWitness for fast visual triage.
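The triage and 403 handling above, as an added Python example (not dirsearch's or gobuster's code). It extends the page's three status codes to redirects, 401 and 5xx, and builds request variants for the three bypass classes the list names; it only generates (method, path, headers) tuples, and sending them is left to whatever HTTP client you use.

```python
"""Triage directory brute-force status codes and build the request
variants to try against a 403: method, path normalisation, header."""
from __future__ import annotations
from typing import Dict, List, Tuple
from urllib.parse import quote

Variant = Tuple[str, str, Dict[str, str]]      # (method, path, extra headers)


def triage(status: int) -> str:
    """Action for a response code, extending the page's 200/403/404 list."""
    if status == 200:
        return "accessible: review the content"
    if status in (301, 302, 307, 308):
        return "redirect: follow it and re-check the target"
    if status in (401, 403):
        return "exists but protected: try bypass variants"
    if status == 404:
        return "does not exist"
    if 500 <= status < 600:
        return "server error: your input reached code, note it"
    return "unexpected: inspect manually"


def bypass_variants(path: str) -> List[Variant]:
    """Candidate requests for a path that answered 403.

    Each trick targets a place where the front end's ACL and the back
    end's routing can disagree about what resource was requested.
    """
    stem = "/" + path.strip("/")                 # "/admin"
    variants: List[Variant] = []

    # 1. Method: ACLs written for GET often do not cover other verbs.
    for method in ("POST", "PUT", "HEAD", "OPTIONS", "TRACE"):
        variants.append((method, stem, {}))

    # 2. Path normalisation: the proxy matches the literal string, the
    #    backend canonicalises it back to the protected resource.
    path_forms = [
        stem + "/",                   # trailing slash
        stem + "/.",                  # trailing dot segment
        "/." + stem,                  # /./admin
        "/" + stem,                   # //admin
        stem + "%20",                 # encoded trailing space
        stem + "%09",                 # encoded trailing tab
        stem + "?",                   # empty query string
        stem + "..;/",                # Java/Tomcat path-parameter trick
        "/%2e" + stem,                # encoded dot segment
        stem.upper(),                 # case-insensitive backends (IIS)
        "/" + quote(stem[1:], safe=""),   # %2F for inner slashes
    ]
    for p in dict.fromkeys(path_forms):          # de-duplicate, keep order
        if p != stem:
            variants.append(("GET", p, {}))

    # 3. Headers: some front ends let a header override the routed path
    #    or the client address that an IP-based ACL checks.
    for header in ("X-Original-URL", "X-Rewrite-URL"):
        variants.append(("GET", "/", {header: stem}))
    for header in ("X-Forwarded-For", "X-Custom-IP-Authorization", "X-Real-IP"):
        variants.append(("GET", stem, {header: "127.0.0.1"}))
    return variants


if __name__ == "__main__":
    print(triage(403))
    for method, p, hdrs in bypass_variants("/admin"):
        print(f"{method:7s} {p:28s} {hdrs}")
```

A variant only counts as a bypass when the body differs from the 403 page and matches what the protected resource should return, so compare lengths and titles rather than trusting a 200 alone; many WAFs answer 200 with a block page.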

Spidering

OWASP ZAP: Tools > Spider. Feed a starting URL; ZAP recursively visits all linked pages and builds a site map. Good for finding hidden endpoints not linked from the main nav.

S3 Buckets

aws s3 ls s3://BUCKET_NAME/ --no-sign-request   # anonymous listing (no AWS account needed)
aws s3 ls s3://BUCKET_NAME/                     # listing as any authenticated AWS account
aws s3 cp s3://BUCKET_NAME/FILE /tmp/

# Write test (use a harmless, uniquely named file and clean up after):
aws s3 cp testfile s3://BUCKET_NAME/
aws s3 rm s3://BUCKET_NAME/testfile

Tools: lazys3, GrayhatWarfare (buckets.grayhatwarfare.com), Bucket Stream

Exposed buckets can contain credentials, source code, logs, user data. Write access = critical severity.

GitHub Recon

# Search code for secrets
# GitHub code search: org:COMPANY_NAME password
# or
trufflehog git https://github.com/COMPANY/REPO
gitrob analyze COMPANY_NAME

Look at:

  • Issues and Commits sections for unresolved bugs and security patches
  • Config files for credentials, bucket URLs, internal endpoints
  • Outdated dependencies – cross-reference with CVE database
  • Blame and History for recently removed secrets

Validate credentials: KeyHacks (github.com/streaak/keyhacks)

OSINT

  • Job listings – reveal tech stack; “Experience with Flask, EC2, RDS” tells you exactly what they run
  • LinkedIn – employee skills = company tech; engineers' blogs and StackOverflow answers leak architecture details
  • Pastebin – search the org name; engineers sometimes paste source code or server logs
  • SlideShare – conference slides often reveal internal architecture
  • Wayback Machine + waybackurls – extract all archived URLs; find old endpoints and forgotten subdomains

Tech Stack Fingerprinting

curl -I https://example.com
# Server: Apache/2.0.6 (Ubuntu)
# X-Powered-By: PHP/5.0.1
# X-Generator: Drupal 8
# Set-Cookie: PHPSESSID=...        <- PHP
# Set-Cookie: JSESSIONID=...       <- Java/Tomcat
  • View source: search for “powered by”, “built with”, “running”
  • File extensions in URLs: `.php`, `.asp`, `.cfm`, `.jsp`
  • Directories: `/jinja2/` points at a Python web stack (Jinja2 is Flask's default template engine and an optional Django backend), `/phpmyadmin/` = PHP+MySQL
  • Browser extension: Wappalyzer | Website: BuiltWith.com | StackShare.io
  • Retire.js for outdated JavaScript libraries

Once you have a version, check the CVE database (cve.mitre.org, nvd.nist.gov) for known vulnerabilities and public exploits; banner versions can be spoofed or backported, so confirm before reporting.
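A header-based fingerprinter as an added Python example (not Wappalyzer's or any other tool's code), run over a response head constructed from the header hints listed above. The cookie-name table and version regex are this example's own; Apache/2.0.6 and PHP/5.0.1 are the page's illustrative values, not versions observed anywhere.

```python
"""Infer the tech stack from HTTP response headers and session cookie names."""
from __future__ import annotations
import re
from typing import Dict, List, Tuple

# Constructed response head built from the header hints on this page.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Mon, 01 Jan 2024 00:00:00 GMT",
    "Server: Apache/2.0.6 (Ubuntu)",
    "X-Powered-By: PHP/5.0.1",
    "X-Generator: Drupal 8 (https://www.drupal.org)",
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=DEADBEEF; Path=/app",
    "Content-Type: text/html; charset=UTF-8",
    "",
    "",
])

# Headers that carry product banners, and default session-cookie names
# that give away the framework even when banners are stripped.
BANNER_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
COOKIE_HINTS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^phpsessid$", re.I), "PHP"),
    (re.compile(r"^jsessionid$", re.I), "Java servlet container (Tomcat/Jetty/...)"),
    (re.compile(r"^asp\.net_sessionid$", re.I), "ASP.NET"),
    (re.compile(r"^csrftoken$", re.I), "Django"),
    (re.compile(r"^laravel_session$", re.I), "Laravel (PHP)"),
    (re.compile(r"^connect\.sid$", re.I), "Express (Node.js)"),
    (re.compile(r"^_.+_session$", re.I), "Ruby on Rails"),
]
# "Product/1.2.3" inside a banner; the part in parentheses is ignored.
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response head into (status line, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break                             # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(raw: str) -> Dict[str, object]:
    """Banners, leaked product versions, and framework hints from cookie names."""
    _, headers = parse_headers(raw)
    banners: List[str] = []
    versions: Dict[str, str] = {}
    cookie_hints: List[str] = []
    for name, value in headers:
        if name in BANNER_HEADERS:
            banners.append(f"{name}: {value}")
            for product, version in VERSION_RE.findall(value):
                versions[product] = version       # e.g. Apache -> 2.0.6
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            for pattern, hint in COOKIE_HINTS:
                if pattern.match(cookie_name) and hint not in cookie_hints:
                    cookie_hints.append(hint)
    return {"banners": banners, "versions": versions, "cookie_hints": cookie_hints}


if __name__ == "__main__":
    result = fingerprint(SAMPLE_RESPONSE)
    for banner in result["banners"]:
        print(banner)
    print("versions to look up:", result["versions"])
    print("cookie hints:", result["cookie_hints"])
```

Feed it the output of `curl -sI https://example.com` (or the raw head from Burp); the `versions` dict is what you take to the CVE database, and a cookie hint with no matching banner usually means the admin has stripped `Server`/`X-Powered-By` but left the framework's default session cookie in place.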

Recon Bash Script

#!/bin/bash
# ./recon.sh -m [nmap-only|dirsearch-only|crt-only] domain1 domain2 ...
# Without -m all three scans run. Results land in <domain>_recon/report.

PATH_TO_DIRSEARCH="/path/to/dirsearch"

nmap_scan()      { nmap "$DOMAIN" > "$DIRECTORY/nmap"; }
dirsearch_scan() { "$PATH_TO_DIRSEARCH/dirsearch.py" -u "$DOMAIN" -e php --simple-report="$DIRECTORY/dirsearch"; }
crt_scan()       { curl -s "https://crt.sh/?q=$DOMAIN&output=json" -o "$DIRECTORY/crt"; }

MODE=""
while getopts "m:" OPTION; do
    case $OPTION in
        m) MODE=$OPTARG ;;
        *) echo "usage: $0 [-m nmap-only|dirsearch-only|crt-only] domain ..." >&2; exit 1 ;;
    esac
done
shift $((OPTIND - 1))        # drop the parsed options; what remains are domains

for DOMAIN in "$@"; do
    DIRECTORY="${DOMAIN}_recon"
    mkdir -p "$DIRECTORY"

    case $MODE in
        nmap-only)      nmap_scan ;;
        dirsearch-only) dirsearch_scan ;;
        crt-only)       crt_scan ;;
        *)              nmap_scan; dirsearch_scan; crt_scan ;;
    esac

    TODAY=$(date)
    echo "Scan: $DOMAIN -- $TODAY" > "$DIRECTORY/report"
    # nmap: keep only the "PORT STATE SERVICE" table rows
    [ -f "$DIRECTORY/nmap" ]      && grep -E "^\s*\S+\s+\S+\s+\S*$" "$DIRECTORY/nmap" >> "$DIRECTORY/report"
    [ -f "$DIRECTORY/dirsearch" ] && cat "$DIRECTORY/dirsearch" >> "$DIRECTORY/report"
    # crt.sh: one entry per cert, name_value may hold several newline-separated names
    [ -f "$DIRECTORY/crt" ]       && jq -r '.[] | .name_value' "$DIRECTORY/crt" | sort -u >> "$DIRECTORY/report"
done
tbhm/02_discovery.txt · Last modified: by drew
