Reconnaissance for Bug Bounty Hunters & Pentesters

New to the bug bounty and confused about where to start? Worry not! This reconnaissance for bug bounty hunters guides you to take the first step in bug bounty hunting.

Reconnaissance is the initial step in every penetration test, bug bounty, or ethical hacking. This step aims to gather the target’s information publicly available on the internet.

Publicly available data offers technical details about the network structure and systems. However, it also contains information about personnel and the firm that might be valuable later in the attack.

Two types of cyber reconnaissance are:

  • Passive Information Gathering
  • Active Information Gathering

Let’s utilize some suitable tools and gather the victim’s information passively first. The tools I will use to collect victim’s data will be:

  • Passive Recon Tools
    • Google Dork
    • Netcraft
    • WHOIS
    • Social Media
  • Active Recon Tools
    • Nmap
    • GoBuster
    • Dig

The above-mentioned tools are not the only tools; there are many tools available for data gathering which you can utilize.

Passive Information Gathering

Passive recon is gathering the victim’s information without directly interfering with him, and the target has no means of realizing we are collecting data on them. It relies on public sources (Open-Source Intelligence OSINT) that include data about the victim.

OSINT helps to gather:

  • IP addresses
  • Domain names
  • Email addresses
  • Hostnames
  • DNS records etc.

Google Dorking

Fewer people are aware that Google offers a set of unique keywords and operators that can help us retrieve highly particular data from their massive database.

As an attacker, the Google database might provide crucial insight into possible victims.

Here, I am using the “cache” keyword to display the cached version of the victim’s website.

I am using the below command with different keywords if I need an Excel spreadsheet with email accounts.

filetype:xls inurl:email.xlsv

Netcraft Tool

With the Netcraft tool, I am able to gather the organization’s IP range, its name server, domain name, and hosting history, etc.


WHOIS tool helped me to gather the organization’s IP location, ASN number, total images/links used within the organization’s website, etc.


Social Media OSINT

It is one of the social media where I am able to find the deputy director’s information of the targeted organization. You can use other social media platforms as well to gather the data of the organization’s staff.

Active Information Gathering

Active recon is directly interfering with the victim’s system. It can detect data like,

  • Ports and services
  • a computer’s OS version
  • active processes
  • banner capture
  • host discovery
  • finding weak apps on a server, etc.

The major disadvantage of active reconnaissance over passive reconnaissance is that direct interference with the victim may activate the machine’s IDS/IPS, notifying others of the intruder’s presence.

Nmap Command

Nmap tool pulled out the system info like ports state (open or close), services running on target’s system, port numbers, filtered ports, etc.

Dig Command

With the help of the Dig command, I got to know the type of DNS record (i.e., Address record) running on our target’s server.

Gobuster Tool

The last tool Gobuster tried to find the directories and sub-directories of the target’s website.

In Nutshell

After gathering all the necessary details related to the target, we are ready to attack. Always create a mind-map while gathering the information, as it helps at the end in attacking.

Harvest the information, evaluate it, attack!

Sana Qazi
Sana Qazi is a technical writer specialized in Information Security. She enjoys writing about technology and reading multiple genres like suspense. When not writing, she can be found traveling, dinning out, watching series etc. She manages her medium blog as well.

Most Popular

Why Is Mobile App Hacking Growing In Popularity?

A cybersecurity blog post released by Varonis in March 2021 revealed the shocking truth:  Because of the Covid-19 pandemic, a huge increase in breached...

Protecting Your ID Online in 2021

With recent large hacks and increasing sophisticated schemes, we should also be protecting ourselves with even more sophisticated defensive strategies to protect our identities...

Taking a Look at the Privacy Features of Monero

Many large cryptocurrencies available today market themselves as bastions of business transparency by making their transaction data pseudonymously available on immutable, public databases. Because...

Best Tips on Cybersecurity for Students

Students, teachers, and educational institutions can all be targeted by hackers. In fact, 87% of schools have experienced one or more successful cyberattacks. There is...