DEV Community

Cover image for A lightweight reconnaissance setup for bug bounty hunters
EdOverflow 🐸
EdOverflow 🐸

Posted on • Originally published at edoverflow.com on

A lightweight reconnaissance setup for bug bounty hunters

The following is a lightweight reconnaissance setup that should help you quickly gather information on a given target. We will run through the basic installation steps and then take a look at how to use this setup while hunting.

Please keep in mind that there are hundreds of tools out there and there is no way they could all be included in this write-up. This write-up is targeted towards people getting started or for those that want a simple setup. The author assumes that the reader already has a basic understanding of how to use a terminal. If not, the reader may want to start with https://linuxjourney.com/ before reading on.

Sublist3r

📀 Installation

$ git clone https://github.com/aboul3la/Sublist3r.git
$ cd Sublist3r
$ sudo pip install -r requirements.txt
Enter fullscreen mode Exit fullscreen mode

💬 Aliases

alias sublist3r='python /path/to/Sublist3r/sublist3r.py -d '

alias sublist3r-one=". <(cat domains | awk '{print \"sublist3r \"$1 \" -o \" $1 \".txt\"}')"
Enter fullscreen mode Exit fullscreen mode

dirsearch

📀 Installation

$ git clone https://github.com/maurosoria/dirsearch.git
$ cd dirsearch/db
$ wget https://gist.githubusercontent.com/EdOverflow/c4d6d8c43b315546892aa5dab67fdd6c/raw/7dc210b17d7742b46de340b824a0caa0f25cf3cc/open_redirect_wordlist.txt
Enter fullscreen mode Exit fullscreen mode

💬 Aliases

alias dirsearch='python3 /path/to/dirsearch/dirsearch.py -u '

alias dirsearch-one=". <(cat domains | awk '{print \"dirsearch \"\$1 \" -e *\"}')"

alias openredirect=". <(cat domains | awk '{print \"dirsearch \"\$1 \" -w /path/to/dirsearch/db/open_redirect_wordlist.txt -e *\"}')"
Enter fullscreen mode Exit fullscreen mode

webscreenshot

📀 Installation

Make sure to install PhantomJS too.

$ git clone https://github.com/maaaaz/webscreenshot.git
Enter fullscreen mode Exit fullscreen mode

Steps to take when approaching a target

1) Verify target’s scope (*.example.com);

2) Run Sublist3r on example.com and output all findings to a file called output:

$ sublist3r example.com -o output
...
$ cat output
foo.example.com
bar.example.com
admin.example.com
dev.example.com
www.example.com
git.example.com
Enter fullscreen mode Exit fullscreen mode

3) Check which domains resolve:

$ while read domain; do if host "$domain" > /dev/null; then echo $domain; fi; done < output >> domains
Enter fullscreen mode Exit fullscreen mode

4) Run webscreenshot on the domains file:

$ python webscreenshot.py -i domains output example
...
$ eog example
Enter fullscreen mode Exit fullscreen mode

💡 Tip: Look for 404 pages, login panels, directory listings and old-looking pages when reviewing the screenshots.

image

5) Run dirsearch on the domains file:

$ dirsearch-one
Enter fullscreen mode Exit fullscreen mode

6) Check for open redirects using dirsearch on the domains file:

$ openredirect
Enter fullscreen mode Exit fullscreen mode

📝 Exercises

The following tasks are left as exercises for the reader:

1) Write a shell script that performs the entire process when supplied with a single domain (example.com).

2) Practice going through the process by picking a couple bug bounty programs on HackerOne and Bugcrowd.

Conclusion

The author would like to acknowledge the help provided by @TomNomNom. The cover image is by João Silas.

Top comments (0)