🧠 Recon is Everything

Most of a bug bounty hunter's success comes from reconnaissance: every additional host, endpoint or parameter you enumerate is another place a vulnerability can hide. This guide covers a systematic reconnaissance methodology.

Golden Rule: The more you know about a target, the easier it is to find bugs. Never skip recon, and stay inside the program's published scope while doing it.

🕵️ Passive Reconnaissance

2.1 Domain Enumeration

Certificate Transparency Logs:

# CTFR (Python tool for CT enumeration)
python3 ctfr.py -d target.com -o subdomains.txt

# Using amass (passive only: no queries are sent to the target's own infrastructure)
amass enum -passive -d target.com -o amass_passive.txt

# ctsearch (online tool)
# https://ctsearch.entropy.xyz/

# crt.sh: %25 is a URL-encoded % wildcard, so this returns every cert for *.target.com.
# name_value can hold several SANs separated by newlines; jq -r prints them one per line.
# Wildcard entries (*.target.com) come back verbatim and must be stripped before resolving.
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

DNS Aggregators:

# DNSDumpster (the web UI is CSRF-protected; use the documented JSON API, which needs a key.
# Endpoint as documented at the time of writing; check dnsdumpster.com for the current one)
curl -s "https://api.dnsdumpster.com/domain/target.com" -H "X-API-Key: YOUR_API_KEY"

# Riddler (the search requires a riddler.io account)
curl -s "https://riddler.io/search?q=pld:target.com"

# VirusTotal (v3 API; the subdomains relationship returns them as object ids, 40 per page)
curl -s "https://www.virustotal.com/api/v3/domains/target.com/subdomains?limit=40" \
  -H "x-apikey: YOUR_API_KEY" | jq -r '.data[].id'

Subdomain Aggregators:

# Subfinder (passive; -all enables every source, including those that need API keys in provider-config.yaml)
subfinder -d target.com -all -o subfinder.txt

# Assetfinder (--subs-only drops the related apex domains it otherwise mixes in)
assetfinder --subs-only target.com > assetfinder.txt

# Findomain (-u writes the unique results to a file)
findomain -t target.com -u findomain.txt

# Chaos (ProjectDiscovery dataset). The client is the easy route; the raw API returns
# labels without the apex, so append it yourself
chaos -d target.com -key YOUR_API_KEY -o chaos.txt
curl -s "https://dns.projectdiscovery.io/dns/target.com/subdomains" \
  -H "Authorization: YOUR_API_KEY" | jq -r '.subdomains[] + ".target.com"'
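
Each of the sources above emits hostnames in a slightly different shape (mixed case, `*.` wildcard prefixes, trailing dots, out-of-scope look-alikes), so the first thing to do with their output is normalize and merge it before anything gets resolved. The shell function below is an added example, not code from the page or from any of the tools it lists; the sample input is constructed to mimic concatenated crt.sh, amass and subfinder output, and target.com is a hypothetical root domain.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): merge the raw output of several
# passive sources into one clean, in-scope list. target.com is a hypothetical root.
set -eu
export LC_ALL=C   # deterministic sort order regardless of locale

# Constructed sample of what crt.sh, amass and subfinder typically emit when
# concatenated: mixed case, wildcard entries, trailing dots, stray whitespace,
# look-alike domains and duplicates.
SAMPLE_INPUT='*.dev.target.com
API.target.com
api.target.com.
www.target.com
target.com
staging.target.com
targetcom.evil.example
notarget.com
  mail.target.com  '

# normalize_subdomains ROOT
#   reads hostnames on stdin; prints lowercase, de-wildcarded, de-duplicated names
#   that are ROOT itself or end in ".ROOT" (so notarget.com is rejected, not just
#   anything that happens to contain the string)
normalize_subdomains() {
  root_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | { grep -E "^([a-z0-9_-]+\.)*${root_re}\$" || true; } \
    | sort -u
}

# merge_sources: stand-in for `cat crtsh.txt amass_passive.txt subfinder.txt`
merge_sources() {
  printf '%s\n' "$SAMPLE_INPUT" | normalize_subdomains target.com
}

merge_sources
```

In practice replace `merge_sources` with `cat crtsh.txt amass_passive.txt subfinder.txt chaos.txt | normalize_subdomains target.com > all_subs.txt`; the result is what goes into the resolution step, and the scope filter is the part that keeps you from probing hosts the program never authorized.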

🔎 Active Reconnaissance

3.1 DNS Bruteforce

Bruteforce Wordlists:

# MassDNS (fast resolver). Feed it fully-qualified candidates and write results with -w;
# -o S prints "name. TYPE value", so grepping for a trailing dot on the line finds nothing
sed 's/$/.target.com/' wordlist.txt > candidates.txt
massdns -r resolvers.txt -t A -o S -w massdns.txt candidates.txt
awk '{print $1}' massdns.txt | sed 's/\.$//' | sort -u > resolved.txt

# shuffledns (bruteforce plus wildcard filtering on top of massdns; -mode is required in current versions)
shuffledns -d target.com -w wordlist.txt -r resolvers.txt -mode bruteforce -o output.txt

# dnsx (bruteforce with -d/-w; with -l it resolves an existing list instead)
dnsx -d target.com -w wordlist.txt -r resolvers.txt -o dnsx.txt

# aiodnsbrute (async bruteforcer; aiodns itself is only the Python library it is built on)
aiodnsbrute -w wordlist.txt -r resolvers.txt -t 512 target.com

Common Wordlists:

  • Assetnote DNS wordlists - Built from real-world data; best-dns-wordlist.txt is the large one, the smaller lists suit a first pass
  • SecLists (Discovery/DNS) - Comprehensive DNS wordlists, from subdomains-top1million-5000.txt up to the full million
  • ShuffledNS default - Fast bruteforce
  • Jason Haddix's all.txt (dns-Jhaddix.txt in SecLists) - Aggregation of the most common subdomain names

Check for wildcard DNS before bruteforcing: resolve a label that cannot exist (a random hex string followed by .target.com). If it resolves, every "hit" that points at that same address is noise. shuffledns filters this automatically; raw massdns/dnsx output needs post-processing.
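
The post-processing step for a wildcard zone, as an added example that is not part of the original page or of massdns: given the IP(s) a random label resolved to, drop every A record that merely echoes the wildcard and keep the names that have a real answer. The massdns `-o S` output and the wildcard address are constructed for the demo, and target.com is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): drop wildcard-DNS noise from
# massdns `-o S` output before the names go on to httpx. target.com, the
# resolver results and the wildcard IP are all constructed for this demo.
set -eu

# The wildcard check itself is one network query per zone (not run here):
#   dig +short "$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n').target.com"
# Assume it returned 203.0.113.10, i.e. *.target.com resolves to that address.
WILDCARD_IPS='203.0.113.10'

# Constructed massdns -o S output ("name. TYPE value"). api.target.com shows both
# a real record and the wildcard one; random1/random2 are wordlist junk.
MASSDNS_OUT='www.target.com. A 198.51.100.20
api.target.com. A 198.51.100.21
api.target.com. A 203.0.113.10
random1.target.com. A 203.0.113.10
random2.target.com. A 203.0.113.10
cdn.target.com. CNAME edge.example-cdn.net.
edge.example-cdn.net. A 198.51.100.99'

# filter_wildcard "IP [IP ...]" ROOT
#   reads massdns -o S lines on stdin; prints each in-zone name once, provided it
#   has at least one record that is not an A record pointing at a wildcard IP
filter_wildcard() {
  awk -v wild="$1" -v root="$2" '
    BEGIN { n = split(wild, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1; rl = length(root) }
    {
      name = $1; sub(/\.$/, "", name)                       # strip the FQDN dot
      # keep only ROOT itself or names ending in ".ROOT" (string compare, no regex escaping)
      if (name != root && substr(name, length(name) - rl, rl + 1) != "." root) next
      if ($2 == "A" && ($3 in bad)) next                    # answer came from the wildcard
      if (!(name in seen)) { seen[name] = 1; print name }
    }'
}

printf '%s\n' "$MASSDNS_OUT" | filter_wildcard "$WILDCARD_IPS" target.com
```

A host that returns both a real address and the wildcard address (api.target.com above) survives, which is the behaviour you want: the wildcard only tells you that unknown names resolve, not that known ones are fake. CNAME targets outside the zone are dropped as out of scope rather than followed.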

🌐 Web Application Discovery

4.1 Port Scanning

# Nmap quick scan (-F = top 100 ports; -Pn skips host discovery for hosts that drop ICMP)
nmap -T4 -F -Pn target.com -oN nmap_quick.txt

# Masscan (fast; only for ranges that are explicitly in scope, and keep the rate polite)
masscan -p80,443,8080,8443 10.0.0.0/24 --rate=1000 -oL masscan.txt

# Naabu (fast port scanner; its host:port output pipes straight into httpx)
naabu -host target.com -top-ports 100 -o naabu.txt

# Rustscan (-a address, -r port range, -b batch size, -t timeout in ms; hands open ports to nmap)
rustscan -a target.com -r 1-65535 -b 2000 -t 1500

4.2 Directory/File Discovery

# FFUF (fast fuzzing; -ac auto-calibrates and filters catch-all "soft 404" responses)
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,204,301,302,307,401 -ac -o ffuf.json

# dirsearch
python3 dirsearch.py -u http://target.com -w wordlist.txt -e php,html,js

# gobuster
gobuster dir -u http://target.com -w wordlist.txt -x php,html,js

# Nuclei for technology detection (current template layout; older checkouts use technologies/)
nuclei -t http/technologies/ -u https://target.com

4.3 Parameter Discovery

# Arjun (parameter discovery; the pip install provides an `arjun` command)
arjun -u http://target.com/product?id=1

# Param-miner (Burp extension)
# Automatic header and parameter discovery

# gau (getallurls: Wayback Machine, Common Crawl, OTX, URLScan) - keep only URLs with a query string
while read -r t; do echo "$t"; gau "$t" | grep -F '?'; done < targets.txt

# katana (crawl, follow JS and known files, print only URLs that carry a query string)
katana -u https://target.com -jc -kf all -f qurl -silent -o katana.txt
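
A gau or katana dump is only useful once it is reduced to the set of distinct parameters per host, which is what you actually feed into Arjun, Param-miner or the manual tests later on. The function below does that reduction; it is an added example, not code from the page or from gau/katana, and the URL list it runs on is constructed (target.com is hypothetical).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn a gau/katana URL dump into a
# unique "host parameter" list, which is the input you actually test. The URLs
# below are constructed; target.com is hypothetical.
set -eu
export LC_ALL=C

URL_DUMP='https://target.com/search?q=test&page=2
https://target.com/search?q=other
http://api.target.com/v1/items?id=10&sort=asc#frag
https://target.com/about
https://target.com/redirect?next=/home&next=/x
https://target.com/cb?callback=f&=empty'

# extract_params: URLs on stdin -> "host name" pairs, one per line, sorted and unique
extract_params() {
  awk '
    index($0, "?") {
      q = index($0, "?")
      url = substr($0, 1, q - 1); qs = substr($0, q + 1)
      sub(/#.*/, "", qs)                                   # drop the fragment
      host = url
      sub(/^[a-z]+:\/\//, "", host)                         # scheme off
      sub(/\/.*/, "", host); sub(/:.*/, "", host)           # path and port off
      n = split(qs, kv, "&")
      for (i = 1; i <= n; i++) {
        name = kv[i]; sub(/=.*/, "", name)
        if (name != "") print host, name                   # skip empty names like "=empty"
      }
    }' | sort -u
}

printf '%s\n' "$URL_DUMP" | extract_params
```

Pipe real output through it as `gau target.com | extract_params`; sorting by host first makes it easy to see which subdomains expose parameters that look like identifiers (`id`, `user`), URLs (`next`, `callback`) or templates, which maps directly onto the payload categories in the testing table further down.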

📜 JavaScript Analysis

Endpoint Extraction from JS:

# SecretFinder (find API keys, tokens, endpoints; -o cli prints to the terminal instead of writing HTML)
python3 SecretFinder.py -i https://target.com/js/app.js -o cli

# LinkFinder (same -o cli convention)
python3 linkfinder.py -i https://target.com/js/app.js -o cli

# JSParser
python3 jjsp.py --url https://target.com/js/main.js

# From gau output: pull quoted absolute paths out of every JS file
grep -E '\.js$' urls.txt | while read -r url; do
  curl -s "$url" | grep -oE '"/[a-zA-Z0-9/_-]+"' | tr -d '"' | sort -u
done
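
The grep in that loop only catches double-quoted paths with at least two segments and ignores full URLs, single-quoted strings and query strings. Below is a sturdier pair of extractors, one for endpoints and one for credential-shaped strings, as an added example that is not from the page or from SecretFinder/LinkFinder. It runs on a constructed JS snippet rather than a live download; the two "credentials" in it are fake (the AWS key is the documentation example key) and target.com is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): extract endpoints and
# credential-shaped strings from JS, run on a constructed sample instead of a
# live file. The key and token are fake; target.com is hypothetical.
set -eu
export LC_ALL=C

JS_SAMPLE=$(cat <<'EOF'
const api = "/api/v1/users"; fetch("/api/v1/users/" + id + "/orders");
const cfg = { base: 'https://api.target.com/v2/', key: "AKIAIOSFODNN7EXAMPLE" };
axios.get("/internal/admin/export?format=csv"); var s = "not/a/path";
const token = "ghp_0123456789abcdef0123456789abcdef0123";
EOF
)

# extract_endpoints: JS on stdin -> quoted absolute paths and full URLs, one per line.
# Requires the string to start with "/" or "http", so "not/a/path" and bare words are skipped.
extract_endpoints() {
  { grep -oE '["'\''](https?://[^"'\'' ]+|/[A-Za-z0-9_./?=&%-]+)["'\'']' || true; } \
    | sed -e 's/^.//' -e 's/.$//' | sort -u
}

# extract_secrets: JS on stdin -> strings matching well-known credential formats
# (AWS access key id, GitHub classic PAT, Google API key, Slack token)
extract_secrets() {
  { grep -oE 'AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|AIza[0-9A-Za-z_-]{35}|xox[baprs]-[0-9A-Za-z-]{10,}' || true; } \
    | sort -u
}

printf '%s\n' "$JS_SAMPLE" | extract_endpoints
printf '%s\n' "$JS_SAMPLE" | extract_secrets
```

In the gau loop above, replace the grep with `curl -s "$url" | extract_endpoints`; the `|| true` around each grep matters because grep exits non-zero on a file with no matches, which would otherwise abort a `set -e` script halfway through the list. Format-based secret patterns have a low false-positive rate but miss anything home-grown, so still read the config objects by hand.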

Hardcoded Secrets:

# TruffleHog v3 (find secrets in repos; the source type comes first. Add --only-verified
# to keep only credentials it could confirm are live)
trufflehog git https://github.com/target/repo --json

# gitleaks (scan a local checkout)
gitleaks detect --source .

# KeyHunter
python3 keyhunter.py -d target.com

🌍 ASN & IP Space

# Find ASNs and netblocks registered to the company
amass intel -org "Target Inc"

# BGP lookup: search, then list the prefixes announced by an ASN found above
curl -s "https://api.bgpview.io/search?query=target.com" | jq
curl -s "https://api.bgpview.io/asn/ASN_NUMBER/prefixes" | jq -r '.data.ipv4_prefixes[].prefix'

# Shodan
curl -s "https://api.shodan.io/shodan/host/search?key=API_KEY&query=hostname:target.com"

# Host.io (needs a token)
curl -s "https://host.io/api/full/target.com?token=API_KEY"

# Reverse DNS: -l expects a file of IPs, one per line (e.g. the prefixes above expanded to hosts)
dnsx -ptr -l ips.txt -resp-only -o ptr.txt

💥 Vulnerability Discovery

7.1 Nuclei Template Scanning

# Update templates
nuclei -ut

# Critical vulnerabilities (current template layout; older checkouts use cves/)
nuclei -l targets.txt -t http/cves/ -severity critical,high -o nuclei_critical.txt

# Custom templates
nuclei -l targets.txt -t ~/custom-templates/ -o custom.txt

# Fast scan (-rate-limit is requests per second, -bulk-size is hosts scanned in parallel)
nuclei -l targets.txt -t http/vulnerabilities/ -rate-limit 150 -bulk-size 25

7.2 Custom Testing

| Type          | Payload Category               | Targets                      |
|---------------|--------------------------------|------------------------------|
| IDOR          | Object IDs, sequential numbers | API endpoints, user profiles |
| SSTI          | {{7*7}}, {{config}}            | Template engines             |
| SQLi          | ', ", OR 1=1                   | Parameters, forms            |
| XSS           |                                | All user input               |
| SSRF          | localhost, 169.254.169.254     | URL parameters               |
| Open Redirect | javascript:, data:             | Redirect parameters          |
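
Working through that table by hand means editing one parameter at a time and getting the URL encoding right every time; the helper below automates exactly that, producing one probe URL per query parameter per payload so each parameter is tested in isolation. It is an added example, not code from the page; the payloads are the table's own (SSTI, SQLi, SSRF), while the URLs are constructed and target.com is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build one probe URL per query
# parameter for each payload, with the payload percent-encoded so that it
# survives the trip through the URL. target.com and the URLs are constructed.
set -eu

# urlencode STRING: percent-encode everything except RFC 3986 unreserved characters
urlencode() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s", out
    }'
}

# inject_param URL ENCODED_PAYLOAD: print URL once per query parameter, with that
# parameter's value replaced by the payload and every other parameter left intact.
# A URL without a query string prints nothing (nothing to inject into).
inject_param() {
  printf '%s\n' "$1" | awk -v enc="$2" '
    {
      q = index($0, "?"); if (q == 0) next
      base = substr($0, 1, q - 1); n = split(substr($0, q + 1), kv, "&")
      for (i = 1; i <= n; i++) {
        out = ""
        for (j = 1; j <= n; j++) {
          name = kv[j]; sub(/=.*/, "", name)
          out = out (j > 1 ? "&" : "") (j == i ? name "=" enc : kv[j])
        }
        print base "?" out
      }
    }'
}

# probe_all URL PAYLOAD...: the full cross product of parameters and payloads
probe_all() {
  url="$1"; shift
  for p in "$@"; do inject_param "$url" "$(urlencode "$p")"; done
}

# Payloads from the table: SSTI, SQLi and SSRF (cloud metadata address)
probe_all 'http://target.com/product?id=1&ref=home' '{{7*7}}' "' OR 1=1" 'http://169.254.169.254/'
```

Feed the output to httpx or ffuf (`probe_all ... | httpx -silent -sc -cl`) and diff response sizes against the unmodified URL; a `49` where `{{7*7}}` was sent, a changed row count for the SQLi probe, or a delayed response for the SSRF probe is what you are looking for. Keep the payload list to detection probes like these rather than anything destructive.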

🛠️ Essential Tools

Amass

Comprehensive subdomain enumeration with passive and active modes.

Subfinder

Fast subdomain discovery from multiple sources.

Nuclei

Template-based vulnerability scanner.

FFUF

Fast web fuzzer for directories and parameters.

Gau

Fetch known URLs from various sources.

httpx

Fast HTTP probe and screenshot tool.

📋 Complete Workflow

Automated Pipeline (One-liner):
# Complete recon pipeline (template path follows the current nuclei-templates layout)
subfinder -d target.com -silent | httpx -silent -follow-redirects | \
  nuclei -t http/vulnerabilities/ -o nuclei.txt

Step-by-Step:

  1. Subdomain Enumeration: subfinder + amass + chaos
  2. DNS Resolution: shuffledns + dnsx
  3. HTTP Probing: httpx + naabu
  4. Screenshots: aquatone + gowitness
  5. Technology Detection: wappalyzer + whatweb
  6. Vulnerability Scan: nuclei + nmap
  7. Manual Testing: Focus on critical findings