A lightweight reconnaissance setup for bug bounty hunters

October 29, 2017


The following is a lightweight reconnaissance setup that should help you quickly gather information on a given target. We will run through the basic installation steps and then take a look at how to use this setup while hunting.

Please keep in mind that there are hundreds of tools out there and there is no way they could all be included in this write-up. This write-up is aimed at people who are getting started or who want a simple setup. The author assumes that the reader already has a basic understanding of how to use a terminal. If not, the reader may want to start with https://linuxjourney.com/ before reading on.

Sublist3r

📀 Installation

$ git clone https://github.com/aboul3la/Sublist3r.git
$ cd Sublist3r
$ sudo pip install -r requirements.txt

💬 Aliases

alias sublist3r='python /path/to/Sublist3r/sublist3r.py -d '
alias sublist3r-one=". <(cat domains | awk '{print \"sublist3r \"\$1 \" -o \" \$1 \".txt\"}')"

dirsearch

📀 Installation

$ git clone https://github.com/maurosoria/dirsearch.git
$ cd dirsearch/db
$ wget https://gist.githubusercontent.com/EdOverflow/c4d6d8c43b315546892aa5dab67fdd6c/raw/7dc210b17d7742b46de340b824a0caa0f25cf3cc/open_redirect_wordlist.txt

💬 Aliases

alias dirsearch='python3 /path/to/dirsearch/dirsearch.py -u '
alias dirsearch-one=". <(cat domains | awk '{print \"dirsearch \"\$1 \" -e *\"}')"
alias openredirect=". <(cat domains | awk '{print \"dirsearch \"\$1 \" -w /path/to/dirsearch/db/open_redirect_wordlist.txt -e *\"}')"

webscreenshot

📀 Installation

Make sure to install PhantomJS too.

$ git clone https://github.com/maaaaz/webscreenshot.git

Steps to take when approaching a target

1) Verify target’s scope (*.example.com);

2) Run Sublist3r on example.com and output all findings to a file called output:

$ sublist3r example.com -o output
...
$ cat output
foo.example.com
bar.example.com
admin.example.com
dev.example.com
www.example.com
git.example.com

3) Check which domains resolve:

$ while read -r domain; do if host "$domain" > /dev/null; then echo "$domain"; fi; done < output >> domains

4) Run webscreenshot on the domains file:

$ python webscreenshot.py -i domains -o example
...
$ eog example

💡 Tip: Look for 404 pages, login panels, directory listings and old-looking pages when reviewing the screenshots.


5) Run dirsearch on the domains file:

$ dirsearch-one

6) Check for open redirects using dirsearch on the domains file:

$ openredirect
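
Step 1's scope check can be applied mechanically to the file from step 2, so that steps 3 to 6 only ever see in-scope hosts. The following is an added example, not part of the original write-up; the function names, the rule that `*.example.com` excludes the bare apex, and the sample host list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): apply step 1's scope to
# Sublist3r's output file before steps 3-6 touch any host.

# normalise: lowercase, strip CRs, surrounding blanks and a trailing root dot.
normalise() {
    tr 'A-Z' 'a-z' | tr -d '\r' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//'
}

# in_scope SCOPE HOST (both normalised): succeed only if HOST is under SCOPE.
# Assumption: "*.example.com" covers subdomains at any depth but not the bare
# apex; a scope without a leading "*." matches that one host only.
in_scope() {
    case $2 in
        ''|.*|*.|-*|*..*|*[!a-z0-9._-]*) return 1 ;;   # not a plain hostname
    esac
    case $1 in
        \*.*)
            is_suffix=${1#?}          # "*.example.com" -> ".example.com"
            # Matching on the dot-prefixed suffix keeps "evilexample.com" out.
            case $2 in *"$is_suffix") return 0 ;; esac ;;
        *)
            [ "$2" = "$1" ] && return 0 ;;
    esac
    return 1
}

# filter_scope SCOPE FILE: print the unique in-scope hostnames from FILE.
filter_scope() {
    fs_scope=$(printf '%s\n' "$1" | normalise)
    normalise < "$2" | sort -u | while IFS= read -r fs_host; do
        if in_scope "$fs_scope" "$fs_host"; then printf '%s\n' "$fs_host"; fi
    done
}

# Constructed sample standing in for the "output" file from step 2.
sample=$(mktemp)
printf '%s\n' 'foo.example.com' 'WWW.Example.com.' 'evilexample.com' \
    'example.com.cdn.test' 'dev.example.com' 'foo.example.com' \
    'bar.example.org' > "$sample"
filter_scope '*.example.com' "$sample"
rm -f "$sample"
```

In the workflow above this would run as `filter_scope '*.example.com' output > in-scope`, with step 3's loop then reading from `in-scope` (a hypothetical file name) instead of `output`.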

📝 Exercises

The following tasks are left as exercises for the reader:

1) Write a shell script that performs the entire process when supplied with a single domain (example.com).

2) Practice going through the process by picking a couple of bug bounty programs on HackerOne and Bugcrowd.

Conclusion

The author would like to acknowledge the help provided by @TomNomNom. The cover image is by João Silas.