Different Approaches For Reconnaissance — Bug Bounty’s

Hi, I’m z0id and I’m a security researcher at HackerOne and Bugcrowd, and I’m going to show you different approaches to recon for your bug bounty journeys.

We will follow this checklist:

  • Approaches to sub domain Enumeration
  • Visual Recon
  • Google Dorks
  • Content Discovery

Approaches to sub domain Enumeration

Sub domain enumeration is the key to discovering domains that can contain potential vulnerabilities; it should be used during any recon process.

I like to use tools like:

  • Subfinder
  • Assetfinder
  • Aquatone
  • Findomain

I use custom bash aliases to help me during the recon process, e.g.:

afinderlist() {
    # $1 is a file with one domain per line; results go to <domain>.txt
    for i in $(cat "$1"); do
        assetfinder -subs-only "$i" -c 100 | tee -a "$i".txt
    done
}

I then issue this command to run a sub domain scan with assetfinder against a list of domains:

afinderlist hosts

I like to find information about each domain such as:

  • Response Length
  • Title
  • Status Code
  • URL

This helps for finding interesting sub domains. This can be done quite easily with a Python script using the Beautiful Soup and requests modules (you can make advanced ones with multiprocessing that collect screenshots, etc.).

Here is a quick function example:

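import bs4
import requests

def run(host):
    # Fetch the page; certificate verification is disabled so hosts with invalid certs still answer
    r = requests.get(host, verify=False)
    status_code = str(r.status_code)
    length = str(len(r.text))
    # Parse the body so the <title> can be read; not every page has one
    html = bs4.BeautifulSoup(r.text, "html.parser")
    title = html.title.text if html.title else ""
    print(host, status_code, length, title)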

This is what my one looks like:

Domain Mapper

Once you populate a list of files with the domain mapper you can grep away like a pro.

cat *.txt | sort -u | grep --color "error"

Grepping for information

You can also create a word list that fuzzes all the names you want to look for:

for i in `cat names` ; do cat *.txt | sort -u | grep --color "$i" ; done
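
The same triage in Python, as an added example that is not part of the original post: it de-duplicates mapper output, matches a list of names against URL and title, and groups hosts that return an identical response. It assumes one space-separated `url status length title` line per host, as printed by `run()` above; the sample lines and function names are constructed for illustration, and the grouping step goes beyond the grep loop.

```python
from collections import defaultdict

# Constructed sample of domain-mapper output: "url status length title"
SAMPLE = """\
https://www.example.com 200 5120 Example Home
https://dev.example.com 200 812 Jenkins Dashboard
https://old.example.com 500 230 Internal Server Error
https://a.example.com 200 1024 Welcome to nginx!
https://b.example.com 200 1024 Welcome to nginx!
https://b.example.com 200 1024 Welcome to nginx!
https://api.example.com 403 0
"""

def parse(text):
    """Parse mapper lines into unique (url, status, length, title) records."""
    records = set()  # a set gives the same de-duplication as `sort -u`
    for line in text.splitlines():
        parts = line.split(None, 3)  # the title is everything after the third field
        if len(parts) < 3 or not parts[1].isdigit() or not parts[2].isdigit():
            continue  # skip blank or malformed lines
        title = parts[3].strip() if len(parts) == 4 else ""
        records.add((parts[0], int(parts[1]), int(parts[2]), title))
    return sorted(records)

def match_names(records, names):
    """Return {name: [urls]} where the name appears in the URL or the title."""
    hits = defaultdict(list)
    for url, _status, _length, title in records:
        haystack = f"{url} {title}".lower()
        for name in names:
            if name.lower() in haystack:
                hits[name].append(url)
    return dict(hits)

def group_duplicates(records):
    """Group URLs sharing status, length and title (likely one default page)."""
    groups = defaultdict(list)
    for url, status, length, title in records:
        groups[(status, length, title)].append(url)
    return {key: urls for key, urls in groups.items() if len(urls) > 1}

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(match_names(recs, ["error", "jenkins"]))
    print(group_duplicates(recs))
```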

This can also be done with links as well: you can spider through each sub domain with Burp to generate a heap of links. burp feed can help a lot with this.

A tool for passing and adding a list of URLs to Burp’s sitemap/target tab, really useful for populating the targets tab…

Once you have all the links export them all out to a file and run the domain mapper to fetch all the info and grep away.

Kinda works the same way as meg, which is another useful tool made by TomNomNom. Good work!! By the way, I use it heaps.

meg is a tool for fetching lots of URLs but still being ‘nice’ to servers. It can be used to fetch many paths for many…

Visual Recon

There are really good tools out there that screenshot each sub domain to visualize what they look like instead of doing it manually.

  • Eyewitness
  • Webscreenshot

I use Eyewitness quite a bit just because of its simplicity and the way it generates the report.

EyeWitness is designed to take screenshots of websites provide some server header info, and identify default…


sudo apt-get install eyewitness


sudo eyewitness -f URL_LIST_FILE --web --threads THREAD_COUNT -d OUTPUT_DIR

Google Dorks

Another useful recon technique is Google dorking: a way to use Google’s search engine with special queries to find juicy info such as:

  • Webcams
  • Servers
  • Vulnerable Sites
  • Sub domains
  • Open Redirects
  • SQL Injection
  • Files

Here is a useful site to look at to learn Google dorking; it’s a language of its own.

Google hacking
Google Hacking, also named Google Dorking, is a computer hacking technique that uses Google Search and other Google…

Shodan.io is also very good.

Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence…

Extension Example:

site:*.example.com ext:php OR ext:js OR ext:txt OR ext:pdf

Open Redirect example:

site:*.example.com inurl:& AND inurl:url

SQL Injection Example:

site:*.example.com intext:"You have an error in your SQL syntax"

File Type Example:

site:*.example.com filetype:pdf

GraphQL Example:

site:*.example.com inurl:/graphql/

Play around and see what you can come up with.

Content Discovery

When you find sub-domains that look interesting, a good thing to do is some sort of content discovery using tools such as:

  • dirsearch
  • dirbuster
  • wfuzz

These will help you find hidden files and endpoints that can be used throughout your pentest.

Parameter fuzzing is also a useful technique to find hidden parameters; I personally use Arjun.

HTTP Parameter Discovery Suite Web applications use parameters (or queries) to accept user input, take the following…

I’ve created a bash profile to help me type it much more quickly so I speed up my recon phase.

So, that’s my recon methodology. I’m always finding new ways to make my recon better and level up my skills.

Big thanks!!! to Brett Buerhaus 💙

For helping me level up my skills you legend.


Brett Buerhaus
Airbnb recently created a new feature called Experiences which allows you to book things to do rather than places to…

I hope you enjoyed this post and happy hacking peoples.

