Bug Hunter Handbook
Recon


Last updated 7 months ago


Blog / Articles / Presentations / Videos:

  • Recon and Discovery -

  • Doing Recon Like a Boss -

  • Presentation -

  • Recon Everything -

  • Recon Notes -

  • Ben Presentation -

  • 100 Ways to Discover -

  • Asset Enumeration -

  • Hacking Process - Recon -

    • DORK: inurl:wp-config-backup.txt

Tools:

Recon Cheatsheet:

Twitter Threads:

  • Masscan - Take a list of subdomains, resolve them to an IP, remove duplicates and scan each with masscan.

    masscan --rate 10000 -p1-65535 $(<subdomains.txt xargs -I % getent hosts % | awk '{print $1}' | sort -u | tr '\n' ',' | sed 's/,$//')

ASN, CIDR => amass intel => enumeration script 'amass with api keys, findomain with api keys, and subfinder' => massDNS => httprobe => sort live and dead hosts => run a subtakeover script => hakrawler

DNS tools:

-viewdns.info
-dnslytics.com
-dnsspy.io
-leafdns.com
-dnsdumpster.com
-intodns.com
-www.zonecut.net/dns
-xip.io
-nip.io
-ptrarchive.com
-www.whatsmydns.net
-ceipam.eu/en/dnslookup.php
-spyse.com/tools/dns-lookup
-www.buddyns.com/delegation-lab

Google Dorks -

Pagodo -

Tools -

- Google Dorks

- Google Dork

Google Dork -

AutoRecon -

NerdyData BuiltWith hunter.io

Censys Robtex Shodan Whoxy

-- has multiple tools inbuilt

Automation for Open Threat Exchange -

Simple tool to get domain relationships -

Awesome Asset Discovery -

Asset Discovery -

Getting info about domains rather than subdomains -

If the scope is only -

ASN -

ASN -

- ASN - whois -h $(dig +short )

ASN -

ASN -

ASN -

Quickly get the ASN of an IP address, along with the associated company name and location: curl <ip> This is a great way to confirm ownership of an IP/domain. It is also a great way to identify services that might be in use (AWS/Azure/Cloudfront/Akamai, etc.)

CRT.sh -

Asset Discovery - //

Saw this a while ago; it might help someone. curl -fsSL "" | pup 'td :contains(".att.com") text{}' | sort -n | uniq -c | sort -rn | column -t > /root/Desktop/att-recon/ok.txt

Post Recon -

Asset Discovery tool -

Recon Roadmap -

https://www.youtube.com/watch?v=La3iWKRX-tE
https://blog.usejournal.com/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd
https://www.youtube.com/watch?v=1Kg0_53ZEq8
https://blog.zsec.uk/ltr101-method-to-madness/
https://github.com/bugcrowd/bugcrowd_university/blob/master/Recon%20and%20Discovery/Bugcrowd%20University%20-%20Recon%20%26%20Discovery.pdf
https://medium.com/@maverickNerd/recon-everything-48aafbb8987
https://mavericknerd.github.io/knowledgebase/
https://blog.detectify.com/2020/01/07/guest-blog-streaak-my-recon-techniques-from-2019/
https://medium.com/@europa_/recoinnassance-7840824b9ef2
https://medium.com/@ehsahil/recon-my-way-82b7e5f62e21
https://medium.com/bugbountywriteup/whats-tools-i-use-for-my-recon-during-bugbounty-ec25f7f12e6d
https://bugbountytuts.files.wordpress.com/2018/02/dirty-recon.pdf
https://blog.usejournal.com/web-application-security-bug-bounty-methodology-reconnaissance-vulnerabilities-reporting-635073cddcf2
http://imsoley.tk/mofb/
https://blog.detectify.com/2019/01/29/hacking-isnt-an-exact-science/
https://docs.google.com/presentation/d/1xgvEScGZ_ukNY0rmfKz1JN0sn-CgZY_rTp2B_SZvijk/edit#slide=id.g3fc0937313_1_68
https://sylarsec.com/2019/01/11/100-ways-to-discover-part-1/
https://captmeelo.com/bugbounty/2019/09/02/asset-enumeration.html
https://www.youtube.com/watch?v=1bivJl0B_bs&feature=youtu.be
https://medium.com/@shahjerry33/recon-my-way-or-high-way-58a18dab5c95
https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
https://medium.com/@smhtahsin33/recon-one-step-advanced-with-otx-8827119566fd
https://eslam3kl.medium.com/simple-recon-methodology-920f5c5936d4
https://systemweakness.com/ultimate-manual-bug-bounty-recon-guide-f30c900367c8
https://ahrefs.com/blog/google-advanced-search-operators/
https://github.com/HanPac/google-dorks-2018-2019/blob/master/dorks
https://twitter.com/s0md3v/status/1151759042785632256
https://twitter.com/search?q=pagodo%20recon&src=typed_query
https://twitter.com/intigriti/status/1116447376544280578
https://twitter.com/intigriti/status/1108365683069456385
https://github.com/ZephrFish/GoogD0rker/
https://github.com/1N3/Goohak
https://twitter.com/Th3G3nt3lman/status/1104111564632797186
https://blog.deesee.xyz/automation/osint/2020/01/07/semi-automation-dorking.html
https://blog.ujwalkr.com/Google-Dorks-Recon/
https://github.com/BullsEye0/google_dork_list/blob/master/google_Dorks.txt
https://gist.github.com/stevenswafford/393c6ec7b5375d5e8cdc
https://exploitway.com/github-dorks-for-penetration-testing/
https://gist.github.com/zbetcheckin/04e6a5d7f2d5ef8cfa3c298701f47f9c
https://www.boxpiper.com/posts/google-dork-list
https://pastebin.com/zYPZNbMK
https://github.com/SKVNDR/FastDork
https://github.com/JoshuaMart/AutoRecon
https://bugbountyforum.com/tools/recon/
https://github.com/eldraco/domain_analyzer
http://www.spiderfoot.net/info/
https://dnsdumpster.com/
https://github.com/codingo/Reconnoitre
https://github.com/michenriksen/aquatone
https://github.com/DataSploit/datasploit
https://github.com/reconned/domained
https://github.com/evilsocket/xray
https://github.com/003random/003Recon
https://dnstrails.com/
https://github.com/shibli2700/Rekon
https://github.com/remonsec/Pri0tx
https://raw.githubusercontent.com/m4ll0k/Bug-Bounty-Toolz/master/getrelationship.py…
@Jhaddix
@TomNomNom
@stokfredrik
@NahamSec
@Yassineaboukir
#bugbountytips
#BugBounty
https://github.com/hackerspider1/EchoPwn
https://github.com/eslam3kl/3klCon
https://github.com/cspshivam/easyrecon
deksterecon
https://github.com/remonsec/SEF
https://github.com/chvancooten/BugBountyScanner
https://github.com/Anon-Artist/R3C0Nizer
https://github.com/dirsoooo/Recon
https://github.com/gokulapap/Reconator
https://github.com/Huntinex/rauton
https://pentester.land/cheatsheets/2019/04/15/recon-resources.html
https://github.com/0xhelloworld/public/blob/master/recon%20cheatsheet
https://github.com/redhuntlabs/Awesome-Asset-Discovery
https://0xpatrik.com/asset-discovery/?source=post_page---------------------------
https://twitter.com/gwendallecoguic/status/1187000587612762112
http://example.com
https://twitter.com/imhaxormad/status/1118289299152072706
https://twitter.com/hackermaderas/status/1181970321588572160
https://twitter.com/nullenc0de/status/1166539906832879616
https://twitter.com/C1h2e11/status/1163806579474329600
oneliner to retrieve ASN numbers of a company. #bugbountytips (ls /tmp/GeoLite2-ASN-CSV.zip||wget --quiet -P /tmp "https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip…") 2>&1|grep X; unzip -c /tmp/GeoLite2-ASN-CSV.zip|grep -i airbnb|cut -d ',' -f 2|sort -fu https://pastebin.com/G44mnY2x
https://twitter.com/hakluke/status/1199266508280434689
http://whois.cymru.com
http://tesla.com
https://twitter.com/akita_zen/status/1169792876554969089
https://twitter.com/_harleo/status/1198210924395597824
https://twitter.com/hakluke/status/1225264234675597312
http://ipinfo.io
https://twitter.com/Dondata4/status/1226535287930654720
https://twitter.com/nullenc0de/status/1226982642295459846
https://github.com/cihanmehmet/sub.sh/blob/master/sub.sh
https://crt.sh/?CN=%25.%25.att.com&exclude=expired …
https://twitter.com/jobertabma/status/998769037445230592
https://twitter.com/NahamSec/status/1260639679696629760
https://github.com/bonino97/LemonBooster-v2
https://github.com/carlospolop/hacktricks/blob/master/external-recon-methodology.md
https://github.com/Quikko/Recon-Methodology
https://ahmdhalabi.medium.com/ultimate-reconnaissance-roadmap-for-bug-bounty-hunters-pentesters-507c9a5374d
https://medium.com/@prateek_0490/how-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores-4c51d6ec4fdd
https://github.com/Bo0oM/services-names-wordlist/blob/master/list.txt
https://www.slideshare.net/slideshow/hacking-webapps-for-fun-and-profit-how-to-approach-a-target/82377302
https://twitter.com/Vulkey_Chen/status/1178323315892449281
https://twitter.com/aish_kendle/status/1259909336274518016