Reconnaissance for Bug Bounty Hunters & Pentesters

New to the bug bounty and confused about where to start? Worry not! This reconnaissance for bug bounty hunters guides you to take the first step in bug bounty hunting.

Reconnaissance is the initial step in every penetration test, bug bounty, or ethical hacking. This step aims to gather the target’s information publicly available on the internet.

Publicly available data offers technical details about the network structure and systems. However, it also contains information about personnel and the firm that might be valuable later in the attack.

Two types of cyber reconnaissance are:

  • Passive Information Gathering
  • Active Information Gathering

Let’s utilize some suitable tools and gather the victim’s information passively first. The tools I will use to collect victim’s data will be:

  • Passive Recon Tools
    • Google Dork
    • Netcraft
    • WHOIS
    • Social Media
  • Active Recon Tools
    • Nmap
    • GoBuster
    • Dig

The above-mentioned tools are not the only tools; there are many tools available for data gathering which you can utilize.

Passive Information Gathering

Passive recon is gathering the victim’s information without directly interfering with him, and the target has no means of realizing we are collecting data on them. It relies on public sources (Open-Source Intelligence OSINT) that include data about the victim.

OSINT helps to gather:

  • IP addresses
  • Domain names
  • Email addresses
  • Hostnames
  • DNS records etc.

Google Dorking

Fewer people are aware that Google offers a set of unique keywords and operators that can help us retrieve highly particular data from their massive database.

As an attacker, the Google database might provide crucial insight into possible victims.

Here, I am using the “cache” keyword to display the cached version of the victim’s website.

I am using the below command with different keywords if I need an Excel spreadsheet with email accounts.

filetype:xls inurl:email.xlsv

Netcraft Tool

With the Netcraft tool, I am able to gather the organization’s IP range, its name server, domain name, and hosting history, etc.


WHOIS tool helped me to gather the organization’s IP location, ASN number, total images/links used within the organization’s website, etc.


Social Media OSINT

It is one of the social media where I am able to find the deputy director’s information of the targeted organization. You can use other social media platforms as well to gather the data of the organization’s staff.

Active Information Gathering

Active recon is directly interfering with the victim’s system. It can detect data like,

  • Ports and services
  • a computer’s OS version
  • active processes
  • banner capture
  • host discovery
  • finding weak apps on a server, etc.

The major disadvantage of active reconnaissance over passive reconnaissance is that direct interference with the victim may activate the machine’s IDS/IPS, notifying others of the intruder’s presence.

Nmap Command

Nmap tool pulled out the system info like ports state (open or close), services running on target’s system, port numbers, filtered ports, etc.

Dig Command

With the help of the Dig command, I got to know the type of DNS record (i.e., Address record) running on our target’s server.

Gobuster Tool

The last tool Gobuster tried to find the directories and sub-directories of the target’s website.

In Nutshell

After gathering all the necessary details related to the target, we are ready to attack. Always create a mind-map while gathering the information, as it helps at the end in attacking.

Harvest the information, evaluate it, attack!

Sana Qazi
Sana Qazi is a technical writer specialized in Information Security. She enjoys writing about technology and reading multiple genres like suspense. When not writing, she can be found traveling, dinning out, watching series etc. She manages her medium blog as well.

Most Popular

What Makes ICS/OT Infrastructure Vulnerable?

Infrastructure security for operational technologies (OT) and industrial control systems (ICS) varies from IT security in several ways, with the inverse confidentiality, integrity, and...

Everything You Must Know About IT/OT Convergence

What is an Operational Technology (OT)? Operational technology (OT) is a technology that primarily monitors and controls physical operations. It can automate and control machines,...

Understand the OT Security and Its Importance

This article discusses OT security and why it is essential for protecting industrial systems from cyberattacks. We will also discuss common control objectives that can...

What is Deepfake, and how does it Affect Cybersecurity?

Producing deepfake is easy. It is hard to detect. They operate with a description of reality rather than reality itself (e.g., a video). Any...