Bug Hunter Handbook
  • Introduction
  • Getting Started in InfoSec and Bug Bounties.
  • Presentations
  • Checklists / Guides
  • Useful Twitter Threads
  • List of Vulnerabilities
    • Recon and OSINT
      • Recon
      • Sensitive information using Github
      • Subdomain Enumeration
        • Resolvers
      • Javascript Enumeration
      • After Recon
      • Finding Information Using Public Resources
      • OSINT
      • Cloud
      • Wayback
      • Parameter / Content Discovery
      • Broken Link Highjacking
    • Host Header
    • Injection
      • Other Injection
    • DNS Rebinding
    • Cross Site Scripting (XSS)
      • Weaponizing XSS
      • WAF Bypass
    • Cross Origin Resource Sharing (CORS)
    • Local / Remote File Inclusion (LFI / RFI)
    • Server Side Request Forgery (SSRF)
    • Remote Code Execution (RCE)
    • XML Entity Injecton (XXE)
    • Price Manipulation
    • Directory / Path Traversal
    • Cross Site Request Forgery (CSRF)
      • JSON CSRF
    • Password Reset
    • Login Page Issues
    • Deserialization Attacks
    • File Upload
    • Account Takeover
    • Insecure Direct Object References (IDOR)
    • Open Redirect
    • Business Logic Flaws
    • Rate Limit Bypass / 2FA / OTP Bypass
    • Ruby on Rails
      • Mass Assginment
    • S3 Bucket
    • Race Condition
    • CRLF
    • SSTI
    • Prototype Pollution
  • Approach
  • API Security
  • Mobile Security
  • Fuzzing / Wordlists
  • BugBounty Short Write-ups
  • Burp Suite Tips and Tricks
  • HackerOne Reports
  • Response Manipulation
  • Client Vs Server Side Vulnerabilities
  • DevSecOps
  • Containers
    • Docker
    • Kubernetes
    • Containers
  • AWS
  • Azure
  • Others
    • Code Review
    • Web Sockets
    • Web Cache
    • HTTP Desync Attacks
    • Zone Transfer
    • CSP Bypass
    • Payment Bypasses
    • Http Parameter Pollution
    • Postmessage
    • Others
    • GraphQL
    • Unix / Linux
    • Email Related
    • Dependency confusion
    • Nginx Misconfigs
    • JIRA
    • OAUTH
  • Chaining of Bugs
  • Bug Bounty Automation
  • Mindmaps
  • Oneliner Collections
  • Red Teaming
  • Blue Teamining
  • Recon One Liners
  • Misc
  • Wordpress
  • Fuzzing / FuFF
  • OWASP ZAP
  • Bug List
  • Setting up burp collaborator
  • Admin Panel PwN
  • Credential Stuffing / Dump / HaveibeenPwned?
  • Tools Required
  • Nuclei Template
  • Other BugBounty Repos / Tips
  • Interview
  • Threat Modelling
  • AppSec
Powered by GitBook
On this page

Was this helpful?

  1. List of Vulnerabilities
  2. Recon and OSINT

Recon

Blog / Articles / Presentations / Videos:

  • Recon and Discovery - https://www.youtube.com/watch?v=La3iWKRX-tE

  • https://blog.usejournal.com/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd

  • Doing Recon Like a Boss - https://www.youtube.com/watch?v=1Kg0_53ZEq8

  • https://blog.zsec.uk/ltr101-method-to-madness/

  • Presentation -https://github.com/bugcrowd/bugcrowd_university/blob/master/Recon%20and%20Discovery/Bugcrowd%20University%20-%20Recon%20%26%20Discovery.pdf

  • Recon Everything - https://medium.com/@maverickNerd/recon-everything-48aafbb8987

  • Recon Notes - https://mavericknerd.github.io/knowledgebase/

  • https://blog.detectify.com/2020/01/07/guest-blog-streaak-my-recon-techniques-from-2019/

  • https://medium.com/@europa_/recoinnassance-7840824b9ef2

  • https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21

  • https://medium.com/bugbountywriteup/whats-tools-i-use-for-my-recon-during-bugbounty-ec25f7f12e6d

  • https://bugbountytuts.files.wordpress.com/2018/02/dirty-recon.pdf

  • https://blog.usejournal.com/web-application-security-bug-bounty-methodology-reconnaissance-vulnerabilities-reporting-635073cddcf2

  • http://imsoley.tk/mofb/

  • https://blog.detectify.com/2019/01/29/hacking-isnt-an-exact-science/

  • Ben Presentation - https://docs.google.com/presentation/d/1xgvEScGZ_ukNY0rmfKz1JN0sn-CgZY_rTp2B_SZvijk/edit#slide=id.g3fc0937313_1_68

  • 100 Ways to Discover - https://sylarsec.com/2019/01/11/100-ways-to-discover-part-1/

  • Asset Enumeration - https://captmeelo.com/bugbounty/2019/09/02/asset-enumeration.html

  • Hacking Process - Recon - https://www.youtube.com/watch?v=1bivJl0B_bs&feature=youtu.be

  • https://medium.com/@shahjerry33/recon-my-way-or-high-way-58a18dab5c95

  • https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/

  • https://medium.com/@smhtahsin33/recon-one-step-advanced-with-otx-8827119566fd

  • https://eslam3kl.medium.com/simple-recon-methodology-920f5c5936d4

  • https://systemweakness.com/ultimate-manual-bug-bounty-recon-guide-f30c900367c8

  • Google Dorks - https://ahrefs.com/blog/google-advanced-search-operators/

    • https://github.com/HanPac/google-dorks-2018-2019/blob/master/dorks

    • https://twitter.com/s0md3v/status/1151759042785632256

    • Pagodo -https://twitter.com/search?q=pagodo%20recon&src=typed_query

    • https://twitter.com/intigriti/status/1116447376544280578

    • https://twitter.com/intigriti/status/1108365683069456385

    • Tools - https://github.com/ZephrFish/GoogD0rker/

    • https://github.com/1N3/Goohak

    • https://twitter.com/Th3G3nt3lman/status/1104111564632797186

    • https://blog.deesee.xyz/automation/osint/2020/01/07/semi-automation-dorking.html - Google Dorks

    • https://blog.ujwalkr.com/Google-Dorks-Recon/ - Goolgle Dork

    • https://github.com/BullsEye0/google_dork_list/blob/master/google_Dorks.txt

    • https://gist.github.com/stevenswafford/393c6ec7b5375d5e8cdc

    • DORK: inurl:wp-config-backup.txt

    • https://exploitway.com/github-dorks-for-penetration-testing/

    • https://gist.github.com/zbetcheckin/04e6a5d7f2d5ef8cfa3c298701f47f9c

    • https://www.boxpiper.com/posts/google-dork-list

    • https://pastebin.com/zYPZNbMK

    • Google Dork - https://github.com/SKVNDR/FastDork

Tools:

  • AutoRecon - https://github.com/JoshuaMart/AutoRecon

  • https://bugbountyforum.com/tools/recon/ https://github.com/eldraco/domain_analyzer http://www.spiderfoot.net/info/

  • https://dnsdumpster.com/ https://github.com/codingo/Reconnoitre NerdyData BuitWith hunter.io

  • https://github.com/michenriksen/aquatone Censys Robtex Shodan Whoxy https://github.com/DataSploit/datasploit

  • https://github.com/reconned/domained -- has multiple tools inbuilt

  • https://github.com/evilsocket/xray

  • https://github.com/003random/003Recon

  • https://dnstrails.com/

  • https://github.com/shibli2700/Rekon

  • Automation for Open Threat Exchange - https://github.com/remonsec/Pri0tx

  • Simple tool for get domain relationship.. https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getrelationship.py… -@Jhaddix@TomNomNom@stokfredrik@NahamSec@Yassineaboukir #bugbountytips #BugBounty

  • https://github.com/hackerspider1/EchoPwn

  • https://github.com/eslam3kl/3klCon

  • https://github.com/cspshivam/easyrecon

  • deksterecon

  • https://github.com/remonsec/SEF

  • https://github.com/chvancooten/BugBountyScanner

  • https://github.com/Anon-Artist/R3C0Nizer

  • https://github.com/dirsoooo/Recon

  • https://github.com/gokulapap/Reconator

  • https://github.com/Huntinex/rauton

Recon Cheatsheet:

  • https://pentester.land/cheatsheets/2019/04/15/recon-resources.html

  • https://github.com/0xhelloworld/public/blob/master/recon%20cheatsheet

  • Awesome Asset Discovery - https://github.com/redhuntlabs/Awesome-Asset-Discovery

  • Asset Discovery - https://0xpatrik.com/asset-discovery/?source=post_page---------------------------

Twitter Threads:

  • Getting info about Domains than subdomains - https://twitter.com/gwendallecoguic/status/1187000587612762112

  • If the scope is http://example.com only - https://twitter.com/imhaxormad/status/1118289299152072706

  • https://twitter.com/hackermaderas/status/1181970321588572160

  • https://twitter.com/nullenc0de/status/1166539906832879616

  • ASN - https://twitter.com/C1h2e11/status/1163806579474329600

  • ASN - oneliner to retrieve ASN numbers of a company. #bugbountytips (ls /tmp/GeoLite2-ASN-CSV.zip||wget --quiet -P /tmp "https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip…") 2>&1|grep X; unzip -c /tmp/GeoLite2-ASN-CSV.zip|grep -i airbnb|cut -d ',' -f 2|sort -fu https://pastebin.com/G44mnY2x

  • https://twitter.com/hakluke/status/1199266508280434689 - ASN - whois -h http://whois.cymru.com $(dig +short http://tesla.com)

  • ASN - https://twitter.com/akita_zen/status/1169792876554969089

  • ASN - https://twitter.com/_harleo/status/1198210924395597824

  • ASN - https://twitter.com/hakluke/status/1225264234675597312

  • Quickly get the ASN of an IP address, along with the associated company name and location: curl http://ipinfo.io<ip> This is a great way to confirm ownership of an IP/domain. It also is a great way to services that might be in use (AWS/Azure/Cloudfront/Akamai, etc.)

  • CRT.sh - https://twitter.com/Dondata4/status/1226535287930654720

  • Asset Discovery - https://twitter.com/nullenc0de/status/1226982642295459846 // https://github.com/cihanmehmet/sub.sh/blob/master/sub.sh

  • Massscan - Take a list of subdomains, resolve them to an IP, remove duplicates and scan each with masscan.

    masscan --rate 10000 -p1-65535 $(<subdomains.txt xargs -I % getent hosts % | awk {'print $1'} | sort -u | tr '\n' ',' | sed 's/,$//')

  • saw this a while ago it might help someone. curl -fsSL "https://crt.sh/?CN=%25.%25.att.com&exclude=expired …" | pup 'td :contains(".att.com") text{}' | sort -n | uniq -c | sort -rn | column -t > /root/Desktop/att-recon/ok.txt

ASN, CIDR => amass intel => enumeration script 'amass with api keys, findomain with api keys, and subfinder' => massDNS => httprobe => sort live and dead hosts => run a subtakeover script => hakcrawler

Post Recon - https://twitter.com/jobertabma/status/998769037445230592

  • Asset Discovery tool -https://twitter.com/NahamSec/status/1260639679696629760

  • https://github.com/bonino97/LemonBooster-v2

  • https://github.com/carlospolop/hacktricks/blob/master/external-recon-methodology.md

  • https://github.com/Quikko/Recon-Methodology

DNS tools:

-viewdns.info
-dnslytics.com
-dnsspy.io
-leafdns.com
-dnsdumpster.com
-intodns.com
-www.zonecut.net/dns
-xip.io
-nip.io
-ptrarchive.com
-www.whatsmydns.net
-ceipam.eu/en/dnslookup.php
-spyse.com/tools/dns-lookup
-www.buddyns.com/delegation-lab

  • Recon Roadmap - https://ahmdhalabi.medium.com/ultimate-reconnaissance-roadmap-for-bug-bounty-hunters-pentesters-507c9a5374d

  • https://medium.com/@prateek_0490/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd

  • https://github.com/Bo0oM/services-names-wordlist/blob/master/list.txt

  • https://www.slideshare.net/slideshow/hacking-webapps-for-fun-and-profit-how-to-approach-a-target/82377302

PreviousRecon and OSINTNextSensitive information using Github

Last updated 5 months ago

Was this helpful?

https://twitter.com/Vulkey_Chen/status/1178323315892449281twitter.com
https://twitter.com/aish_kendle/status/1259909336274518016