New to bug bounty and confused about where to start? Worry not! This guide to reconnaissance for bug bounty hunters helps you take the first step in bug bounty hunting.
Reconnaissance is the initial step in every penetration test, bug bounty, or ethical hacking engagement. This step aims to gather the target’s information that is publicly available on the internet.
Publicly available data offers technical details about the network structure and systems. However, it also contains information about personnel and the firm that might be valuable later in the attack.
There are two types of cyber reconnaissance:
- Passive Information Gathering
- Active Information Gathering
Let’s use some suitable tools and gather the victim’s information passively first. The tools I will use to collect the victim’s data are:
- Passive Recon Tools
  - Google Dork
  - Netcraft
  - WHOIS
  - Social Media
- Active Recon Tools
  - Nmap
  - GoBuster
  - Dig
The tools mentioned above are not the only ones; many tools are available for data gathering, and you can use any of them.
Passive Information Gathering
Passive recon is gathering the victim’s information without directly interacting with their systems, so the target has no way of realizing we are collecting data on them. It relies on public sources (Open-Source Intelligence, OSINT) that contain data about the victim.
OSINT helps to gather:
- IP addresses
- Domain names
- Email addresses
- Hostnames
- DNS records etc.
Google Dorking
Few people are aware that Google offers a set of special keywords and operators that can help retrieve highly specific data from its massive index.
To an attacker, Google’s index can provide crucial insight into potential victims.
Here, I am using the “cache” keyword to display the cached version of the victim’s website.
If I need an Excel spreadsheet containing email accounts, I use the command below, combining different keywords.
filetype:xls inurl:email.xlsv
Netcraft Tool
With the Netcraft tool, I was able to gather the organization’s IP range, its name servers, domain name, hosting history, etc.
WHOIS Tool
The WHOIS tool helped me gather the organization’s IP location, ASN, the total number of images/links used within the organization’s website, etc.
Social Media OSINT
This is one of the social media platforms where I was able to find information on the deputy director of the targeted organization. You can use other social media platforms as well to gather data on the organization’s staff.
Active Information Gathering
Active recon involves directly interacting with the victim’s system. It can reveal data such as:
- Ports and services
- A computer’s OS version
- Active processes
- Banner grabbing
- Host discovery
- Finding weak apps on a server, etc.
The major disadvantage of active reconnaissance compared to passive reconnaissance is that direct interaction with the victim may trigger the machine’s IDS/IPS, alerting others to the intruder’s presence.
Nmap Command
The Nmap tool pulled out system information such as port state (open or closed), services running on the target’s system, port numbers, filtered ports, etc.
Dig Command
With the help of the dig command, I learned which type of DNS record (i.e., an Address record) is configured for our target’s server.
Gobuster Tool
The last tool, Gobuster, tried to find the directories and sub-directories of the target’s website.
In a Nutshell
After gathering all the necessary details about the target, we are ready to attack. Always create a mind map while gathering the information, as it helps at the end when attacking.
Harvest the information, evaluate it, attack!