CIP Cyber

Reconnaissance for Bug Bounty Hunters & Pentesters


New to bug bounty hunting and confused about where to start? Worry not! This guide to reconnaissance for bug bounty hunters walks you through the first step in bug bounty hunting.

Reconnaissance is the initial step in every penetration test, bug bounty, or ethical hacking engagement. Its aim is to gather the information about the target that is publicly available on the internet.

Publicly available data offers technical details about the network structure and systems, but it also contains information about personnel and the firm itself that may become valuable later in the attack.

The two types of cyber reconnaissance are:

  • Passive Information Gathering
  • Active Information Gathering

Let’s use some suitable tools and gather the victim’s information passively first. The tools I will use to collect the victim’s data are:

  • Passive Recon Tools
    • Google Dork
    • Netcraft
    • WHOIS
    • Social Media
  • Active Recon Tools
    • Nmap
    • GoBuster
    • Dig

The above-mentioned tools are not the only ones; there are many tools available for data gathering that you can use.

Passive Information Gathering

Passive recon gathers the victim’s information without directly interacting with their systems, so the target has no way of realizing we are collecting data on them. It relies on public sources (open-source intelligence, OSINT) that contain data about the victim.

OSINT helps to gather:

  • IP addresses
  • Domain names
  • Email addresses
  • Hostnames
  • DNS records, etc.

Google Dorking

Few people are aware that Google offers a set of special keywords and operators that can help us retrieve highly specific data from its massive index.

For an attacker, the Google index can provide crucial insight into possible victims.

Here, I am using the “cache:” operator to display the cached version of the victim’s website.

If I need an Excel spreadsheet containing email accounts, I use the query below, varying the keywords as needed.

filetype:xls inurl:email.xlsv

Netcraft Tool

With the Netcraft tool, I am able to gather the organization’s IP range, its name server, domain name, hosting history, etc.

WHOIS Tool

The WHOIS tool helped me gather the organization’s IP location, ASN number, the total number of images/links used on the organization’s website, etc.


Social Media OSINT

On one social media platform I was able to find information about the targeted organization’s deputy director. You can use other social media platforms as well to gather data on the organization’s staff.

Active Information Gathering

Active recon involves directly interacting with the victim’s system. It can reveal data such as:

  • Ports and services
  • The computer’s OS version
  • Active processes
  • Service banners (banner grabbing)
  • Host discovery
  • Weak applications on a server, etc.

The major disadvantage of active reconnaissance compared with passive reconnaissance is that direct interaction with the victim may trigger the machine’s IDS/IPS, alerting others to the intruder’s presence.
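To make the IDS/IPS point concrete, here is an added example (not part of the original article) of the kind of check an intrusion detection system applies to active recon: a small Python detector that reads constructed firewall log lines (the line format, the addresses and the thresholds are all assumed, not taken from any real product) and flags a source that touches many distinct destination ports on one host within a short window, which is what a port scan looks like from the defender’s side.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed firewall log lines for the demo (not from a real system).
# Assumed format: ISO timestamp, action, then key=value pairs.
# 203.0.113.7 probes ten ports in four seconds; 198.51.100.4 is normal traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2024-05-01T10:00:00Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:00:01Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23
2024-05-01T10:00:01Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=25
2024-05-01T10:00:02Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:00:02Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=110
2024-05-01T10:00:03Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=143
2024-05-01T10:00:03Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:04Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=3306
2024-05-01T10:00:04Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=8080
2024-05-01T10:00:05Z ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:06Z ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:01:30Z DROP src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=22
"""

LINE_RE = re.compile(r"^(\S+) (\S+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, proto, dport = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "action": action,
        "src": src,
        "dst": dst,
        "proto": proto,
        "dport": int(dport),
    }


def detect_port_scans(log_text, window_seconds=60, min_ports=8):
    """Flag (src, dst) pairs where one source hits >= min_ports distinct
    destination ports on one host inside any window_seconds span.
    Returns {(src, dst): max_distinct_ports_seen_in_a_window}."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["src"], e["dst"])].append(e)

    alerts = {}
    for pair, evs in per_pair.items():
        window = deque()  # sliding window of events within window_seconds
        best = 0
        for e in evs:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            best = max(best, len({w["dport"] for w in window}))
        if best >= min_ports:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({count} distinct ports)")
```

The thresholds (60 seconds, 8 ports) are deliberately conservative for a demo; a real IDS tunes them per network and also counts distinct destination hosts, which catches the sweep pattern (one port, many hosts) that a per-destination check like this one misses.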

Nmap Command

The Nmap tool pulled out system information such as port states (open or closed), the services running on the target’s system, port numbers, filtered ports, etc.
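As an added example (not code from the original post), here is a Python parser for Nmap’s grepable output format (-oG), run on a constructed sample so it works offline; the host addresses, hostnames, service versions and the expected-service allowlist are all made up for the demo. It shows what a scan actually reports per port (state, protocol, service name and version banner) and how a defender can diff the open ports against an asset inventory to spot exposure that should not be there.

```python
import re
from collections import defaultdict

# Constructed sample in nmap's grepable (-oG) layout; not a real scan result.
# Each Host line is tab-separated; each port entry is
# port/state/protocol/owner/service/rpc/version/ separated by ", ".
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, 3306/closed/tcp//mysql///\tIgnored State: closed (996)
Host: 192.0.2.11 (db.example.test)\tStatus: Up
Host: 192.0.2.11 (db.example.test)\tPorts: 5432/open/tcp//postgresql//PostgreSQL DB 12.4/\tIgnored State: filtered (999)
# Nmap done (constructed sample)
"""

# port / state / proto / owner / service / rpc / version /
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: [ {port, state, proto, service, version}, ... ]} for every
    Host line that carries a Ports: field."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: 192.0.2.10 (name)" -> "192.0.2.10"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for m in PORT_RE.finditer(field[len("Ports:"):]):
                port, state, proto, _owner, service, _rpc, version = m.groups()
                hosts[ip].append({
                    "port": int(port),
                    "state": state,
                    "proto": proto,
                    "service": service,
                    "version": version,
                })
    return dict(hosts)


def open_ports(hosts):
    """{ip: sorted list of ports in state 'open'}."""
    return {
        ip: sorted(r["port"] for r in recs if r["state"] == "open")
        for ip, recs in hosts.items()
    }


def unexpected_open_ports(hosts, allowlist):
    """Open ports not present in the (assumed) inventory allowlist {ip: {ports}}.
    This is the defender's view: anything returned here needs an owner or a firewall rule."""
    result = {}
    for ip, ports in open_ports(hosts).items():
        extra = [p for p in ports if p not in allowlist.get(ip, set())]
        if extra:
            result[ip] = extra
    return result


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    # Constructed inventory: what each host is supposed to expose.
    inventory = {"192.0.2.10": {80, 443}, "192.0.2.11": {5432}}
    for ip, recs in scan.items():
        for r in recs:
            print(f"{ip} {r['port']}/{r['proto']} {r['state']} {r['service']} {r['version']}")
    print("unexpected:", unexpected_open_ports(scan, inventory))
```

Note that the version column is exactly the banner-grabbing result the active-recon list above refers to; a defender reviewing this output will usually want those version strings removed or generalized in the service configuration where the software allows it.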

Dig Command

With the help of the dig command, I found out the type of DNS record (i.e., an address record) served for our target’s server.

Gobuster Tool

The last tool, Gobuster, tried to find the directories and sub-directories of the target’s website.

In a Nutshell

After gathering all the necessary details about the target, we are ready to attack. Always create a mind map while gathering the information, as it helps at the end when attacking.

Harvest the information, evaluate it, attack!

SanaQazi
