
Bug_Bounty Deep Reconnaissance



This roadmap for bug bounty or penetration testing gives a comprehensive overview of the reconnaissance activities conducted during a bug bounty program. The aim of the reconnaissance phase was to identify potential attack surfaces, subdomains, vulnerabilities, and possible areas of exploitation.


Table of Contents

    Acquisitions

    ASN

    Seeds

    Shodan.io

    Cloud

    Subdomains Discovery

    Subdomain Enumeration

    Duplicate Subdomains Resolution

    Port Analysis

    Alive Subdomains

    Screenshot

    Dorking

    Subdomain Take Over

The reconnaissance phase provided valuable insights into the target's attack surface, potential vulnerabilities, and areas of focus for further testing. The information collected through various tools and techniques will be instrumental in planning and executing subsequent phases of the bug bounty program.



DeeP_RecoN:


  • Find Acquisitions:

Crunchbase

  • ASN:

Manually:

BGP.he.net

ARIN Whois

Domain Research Suite

Automated:

metabigor:

echo 'ASN_NUMBER' | metabigor net --asn -o asn

Amass:

amass intel --asn [ASN NUMBER]
  • Find Seeds:

Builtwith:

Check the website with the BuiltWith extension: Go to Relationship BuiltWith

WHOXY

DomLink :

python domLink.py -D {domain.com} -o target.out.txt
  • CLOUD:

SNI-IP-Ranges

Extract using commands... :

cat *.txt | grep "\.{target_domain}" | awk -F'-- ' '{print $2}' | tr ' ' '\n' | tr -d '[]'
  • Find Subdomains:

Client-Side Linked Discovery:

LinkFinder:

python3 linkfinder.py -i {Path of js Domain} -d 2 -r "https?://(www\.)?example\.com" -o cli

SecretFinder:

python3 SecretFinder.py -i {Path of js Domain} -o cli >> secretfinder.txt

Add Regex:

{
    "URLs": [
        "\\bhttps?://[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b",
        "\\b(?:http|ftp)s?://\\S+\\b"
    ]
}

Burpsuite Pro:

Turn on Passive Scan
  • Subdomains Enumeration:

Infrastructure Source:

Censys

DNS Dumpster

Web Archive

Shodan

SecurityTrails

Subdomain finder C99

Certificate Sources:

CRT.sh

SSLMate Certspotter

Security Sources:

VirusTotal

Tools:

Amass:

amass enum -passive -norecursive -noalts -d {target_domain} -o amass.txt

BRUTE FORCING:

amass enum -brute -d {target_domain} -rf resolvers.txt

Assetfinder:

echo {target_domain} | assetfinder --subs-only | tee assetfinder.txt

Subfinder:

subfinder -d {target_domain} -o subfinder.txt

Shuffledns:

shuffledns -d [DOMAIN] -w wordlist.txt -r resolvers.txt >> shuffledns.txt

Github-subdomains:

python github-subdomains.py --organization <organization_name> --token <your_github_token> >> git_subd.txt

FFUF :

ffuf -u https://FUZZ.{target_domain} -w /usr/share/wordlists/dirb/common.txt -p 1 -o ffuf_subdom.txt

BBOT:

bbot -t {target_domain} -f subdomain-enum >> bbot.txt

Script_autom :

[ python recon.py ]: enumerates and collects subdomains, keeps only unique entries (resolving duplicates across tool outputs), and checks which hosts are alive / return status 200
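The collect-and-deduplicate step described above, as an added example that is not the repository's recon.py: it normalizes the mixed output formats of the tools listed in this section (bare hosts, httpx URLs with status codes, certificate wildcard entries) into one sorted, in-scope list. The sample lines and the `example.com` root are constructed for illustration.

```python
"""Merge, normalize and de-duplicate subdomain output from several recon tools."""
import re
import sys
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample, mimicking lines as assetfinder/subfinder, httpx
# and certificate sources (crt.sh) typically emit them.
SAMPLE_OUTPUT = """\
www.example.com
WWW.Example.com.
*.dev.example.com
https://api.example.com:8443/v1 [200]
http://staging.example.com [302]
example.com.evil.net
mail.example.com
api.example.com
"""

HOST_RE = re.compile(r"^[a-z0-9.-]+$")

def normalize(line: str) -> Optional[str]:
    """Turn one tool output line into a bare lowercase hostname, or None."""
    parts = line.strip().split()
    token = parts[0] if parts else ""
    if "://" in token:                       # URL form, e.g. httpx output
        token = urlsplit(token).hostname or ""
    token = token.lower().rstrip(".")        # drop trailing FQDN dot
    if token.startswith("*."):               # certificate wildcard entry
        token = token[2:]
    if ":" in token:                         # bare host:port form
        token = token.split(":", 1)[0]
    return token if token and HOST_RE.match(token) else None

def in_scope(host: str, root: str) -> bool:
    """Keep the root and its real subdomains, not look-alikes such as root.evil.net."""
    return host == root or host.endswith("." + root)

def unique_subdomains(text: str, root: str) -> List[str]:
    """Return sorted, de-duplicated, in-scope hostnames from raw tool output."""
    seen = set()
    for line in text.splitlines():
        host = normalize(line)
        if host and in_scope(host, root):
            seen.add(host)
    return sorted(seen)

if __name__ == "__main__":
    # usage: python dedupe_subs.py example.com amass.txt subfinder.txt ...
    root = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    files = sys.argv[2:]
    raw = "".join(open(f).read() for f in files) if files else SAMPLE_OUTPUT
    print("\n".join(unique_subdomains(raw, root)))
```

Feed the merged list to httpx afterwards for the alive/status check, as in the next section.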

haktrails + hakrawler :

echo {target_domain} | haktrails subdomains | httpx -silent | hakrawler > hak.txt
  • Resolve & Check Alive:

httpx :

httpx -l Input_file_sub.txt -o active_sub.txt -threads 200 -status-code -follow-redirects | tee alive_sub.txt
  • Screenshot:

EyeWitness :

./EyeWitness.py -f alive.txt --web
  • Port Analysis:

masscan:

masscan -p1-65535 -iL list.txt --rate 10000 | sort -u >> results.txt

nmap:

nmap -p- -iL list.txt -oN results.txt

naabu:

naabu -list list.txt -top-ports 1000 -exclude-ports 80,443,21,22,25 -o ports.txt

CHECK FOR DEFAULT CREDS:

brutespray:

python brutespray.py -h <TARGET_IP_FILE> -U <USER_LIST> -P <PASS_LIST> -s <SERVICE>
  • Collecting URL Endpoint:

Burp Suite Pro: automated web crawling (Crawl) or manual browsing

Gau :

while read -r i; do gau "$i" | grep -vE "\.(woff|woff2|ttf|toff|eot|webp|gif|tiff|bmp|wav|png|jpg|jpeg|svg|ico|css|mp4|m4v)" | httpx -silent -fc 404 | tee -a domain-archive.txt; done < alive_sub.txt

Find Endpoint in JS files :

katana :

katana -u https://{target_domain} --js-crawl -d 5 -hl -field endpoint | anew endpoint.txt

hakrawler :

echo https://{target_domain} | hakrawler      # single target, or: cat urls.txt | hakrawler

Brute Forcing :

ffuf -w wordlist.txt -u https://{target_domain}/FUZZ

Search for {drive.google / docs.google / document} links in crawled pages:

cat alive_sub.txt | katana -silent | while read -r url; do cu=$(curl -s "$url" | grep -Eo '(drive\.google|docs\.google|spreadsheets/d|document/d/)[^"'"'"' ]*'); echo -e "==> $url\n$cu"; done
  • Dorking:

Google Dorking :

Leaked credentials on Google :

site:docs.Google.com/spreadsheets "company name"
site:groups.Google.com "company name"

Find Sensitive Data in Cloud Storage :

site:http://s3.amazonaws.com "{target_domain}"
site:http://blob.core.windows.net "{target_domain}"
site:http://googleapis.com "{target_domain}"
site:http://drive.google.com "{target_domain}"
 # exclude a host or term: add -www / -example ...
 # match in the URL: inurl:api / inurl:v1 / inurl:login ...
 # match in the title: intitle:login
 # look for a file type: filetype:pdf / filetype:txt / filetype:php
 # search by extension: ext:php / ext:aspx / ...
 # look for every parameter: inurl:"&"
 # look for a keyword: inurl:"name"

Shodan Dorking :

ssl:"{target_domain}" 200 http.title:"dashboard" --- unauthenticated dashboard
org:"{target_domain}" x-jenkins 200 --- unauthenticated Jenkins server
ssl:"{target_domain}" 200 proftpd port:21 --- ProFTPD on port 21 (or: org:"{target_domain}" proftpd port:21)
http.html:zabbix --- Zabbix (CVE-2022-24255, main & admin portals: authentication bypass)
org:"{target_domain}" http.title:"phpmyadmin" --- phpMyAdmin
ssl:"{target_domain}" http.title:"BIG-IP" --- F5 BIG-IP (CVE-2020-5902)

Github Dorking :

Find endpoints and subdomains

Make custom wordlists for each target based on technologies discovered

After searching, check "Languages for scripting languages"
Check for recently submitted repos
Identify users that work at the organization but are not listed under the Org's main repo (look for them on Linkedin to confirm)

Search Queries :

filename:config.json
filename:secrets
filename:.env
filename:docker-compose.yml
filename:aws_keys
filename:.pem
filename:.gitconfig
filename:database.yml
filename:oauth
filename:slack_token
filename:prod.exs

GitHub Dorking Tools:

gitleaks :

finds secrets and sensitive files in Git repositories

trufflehog :

searches for sensitive data in code and commit history

gitrob :

scans GitHub repositories for sensitive files and information

shhgit :

identifies secrets and sensitive files across GitHub
  • Find Source / Backups Files:

subdomain.target.com :

subdomain.target.com/subdomain.zip - target.zip - admin.zip - backup.zip
subdomain.target.com/subdomain/subdomain.zip - target.zip - admin.zip - backup.zip
subdomain.target.com/target/subdomain.zip - target.zip - admin.zip - backup.zip
subdomain.target.com/admin/subdomain.zip - target.zip - admin.zip - backup.zip

dirsearch :

dirsearch -u https://{target_domain} -e php,html,js,css,txt,log,old,inc,backup,bak,swp,zip,tar.gz,tar,sql -w /usr/share/wordlists/dirb/common.txt -x 403,404 -t 50 -r -o results.txt

gobuster:

gobuster dir -u https://{target_domain} -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.css,.txt,.log,.old,.inc,.backup,.bak,.swp,.zip,.tar.gz,.tar,.sql -t 50 -r -o results.txt

fuzzuli:

fuzzuli -f alive_sub.txt -w 32 -ex .rar,.zip,.tar.gz,.7z,backup,log,txt,old -p
  • Subdomain Take Over:

can-i-take-over-xyz :

    1/ Go to the repository and access the list of vulnerable domains.
    2/ Browse the list to find potential takeover candidates.
    3/ Manually assess the domains to see if they are indeed vulnerable and if they can be taken over.

SubOver :

python3 subover.py -l subdomains.txt

nuclei :

nuclei -t takeovers -l subdomains.txt


Note :

    Remember, this roadmap is meant to be used responsibly and legally, with proper authorization. 
    Dive into the world of deep reconnaissance and strengthen your bug bounty and penetration testing capabilities with this comprehensive guide. 
 

My Github

My Youtube Channel

Author: [RooT0x2TN]
