# A lightweight reconnaissance setup for bug bounty hunters

## October 29, 2017

The following is a lightweight reconnaissance setup that should help you quickly gather information on a given target. We will run through the basic installation steps and then take a look at how to use this setup while hunting.

Please keep in mind that there are hundreds of tools out there and there is no way they could all be included in this write-up. This write-up is targeted towards people getting started or for those that want a simple setup. The author assumes that the reader already has a basic understanding of how to use a terminal. If not, the reader may want to start with https://linuxjourney.com/ before reading on.

## Sublist3r

📀 Installation

```bash
$ git clone https://github.com/aboul3la/Sublist3r.git
$ cd Sublist3r
$ sudo pip install -r requirements.txt
```

💬 Aliases

```bash
# The domain given after the alias lands in -d.
alias sublist3r='python /path/to/Sublist3r/sublist3r.py -d '
# One Sublist3r run per line of ./domains. \$1 is escaped so the shell does not
# expand it while the alias is being defined; awk needs to see a literal $1.
alias sublist3r-one=". <(cat domains | awk '{print \"sublist3r \"\$1 \" -o \" \$1 \".txt\"}')"
```

## dirsearch

📀 Installation

```bash
$ git clone https://github.com/maurosoria/dirsearch.git
$ cd dirsearch/db
$ wget https://gist.githubusercontent.com/EdOverflow/c4d6d8c43b315546892aa5dab67fdd6c/raw/7dc210b17d7742b46de340b824a0caa0f25cf3cc/open_redirect_wordlist.txt
```


💬 Aliases

```bash
alias dirsearch='python3 /path/to/dirsearch/dirsearch.py -u '
# One dirsearch run per line of ./domains. The '*' extension is emitted inside
# double quotes so that, when the generated lines are sourced, the shell does
# not glob it against the files in the working directory (output, domains, ...).
alias dirsearch-one=". <(cat domains | awk '{print \"dirsearch \"\$1 \" -e \\\"*\\\"\"}')"
alias openredirect=". <(cat domains | awk '{print \"dirsearch \"\$1 \" -w /path/to/dirsearch/db/open_redirect_wordlist.txt -e \\\"*\\\"\"}')"
```


## webscreenshot

📀 Installation

Make sure to install PhantomJS too.

```bash
$ git clone https://github.com/maaaaz/webscreenshot.git
```

## Steps to take when approaching a target

1) Verify the target's scope (*.example.com);

2) Run Sublist3r on example.com and output all findings to a file called output:

```bash
$ sublist3r example.com -o output
...
$ cat output
foo.example.com
bar.example.com
admin.example.com
dev.example.com
www.example.com
git.example.com
```

3) Check which domains resolve and collect the live ones in a file called domains:

```bash
$ while read domain; do if host "$domain" > /dev/null; then echo "$domain"; fi; done < output >> domains
```


4) Run webscreenshot on the domains file:

```bash
$ python webscreenshot.py -i domains -o example
...
$ eog example
```


💡 Tip: Look for 404 pages, login panels, directory listings and old-looking pages when reviewing the screenshots.

5) Run dirsearch on the domains file:

```bash
$ dirsearch-one
```

6) Check for open redirects using dirsearch on the domains file:

```bash
$ openredirect
```
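The six steps above collected into one script driven by a single domain, as an added example that is not the original post's code. The tool paths at the top are assumptions (point them at your own checkouts), and the `RESOLVER` variable is an added hook so the resolution logic can be exercised without a network. Two checks the steps do not spell out are included because they bite in practice: a scope filter, since a subdomain enumerator can return names like example.com.attacker.net that merely contain the target, and a wildcard-DNS probe, since a `*.example.com` record makes every candidate "resolve" and turns step 3 into a no-op.

```bash
#!/usr/bin/env bash
# recon.sh - the six steps above as one script:  ./recon.sh example.com
# Added example, not the original post's code. Tool paths are assumptions.
set -u

SUBLIST3R=${SUBLIST3R:-/path/to/Sublist3r/sublist3r.py}
DIRSEARCH=${DIRSEARCH:-/path/to/dirsearch/dirsearch.py}
WEBSCREENSHOT=${WEBSCREENSHOT:-/path/to/webscreenshot/webscreenshot.py}
REDIRECT_LIST=${REDIRECT_LIST:-/path/to/dirsearch/db/open_redirect_wordlist.txt}
# Command used to decide whether a name resolves: `host` by default. It is
# invoked by name, so a shell function can stand in for it (e.g. in tests).
RESOLVER=${RESOLVER:-host}

# Step 1: scope check. Accepts the root domain and anything under it, rejects
# look-alikes such as example.com.attacker.net or notexample.com.
in_scope() { # in_scope NAME SCOPE
    case "$1" in
        "$2" | *."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Drop blank and out-of-scope lines from stdin.
scope_filter() { # scope_filter SCOPE  < names
    while IFS= read -r name; do
        if [ -n "$name" ] && in_scope "$name" "$1"; then
            printf '%s\n' "$name"
        fi
    done
}

# Step 3: keep only names that resolve. Reads names on stdin, prints live ones.
resolve_live() {
    while IFS= read -r name; do
        if [ -n "$name" ] && "$RESOLVER" "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# Caveat to step 3: if *.SCOPE is a wildcard record, every candidate resolves
# and the filter proves nothing. A random label that resolves reveals that.
wildcard_dns() { # wildcard_dns SCOPE -> exit 0 if a random label resolves
    local probe
    probe="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n').$1"
    "$RESOLVER" "$probe" >/dev/null 2>&1
}

# Steps 5 and 6: one dirsearch run per live host. '*' is quoted so the shell
# never expands it against files in the working directory.
run_dirsearch() { # run_dirsearch DOMAINS_FILE [WORDLIST]
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ -n "${2:-}" ]; then
            python3 "$DIRSEARCH" -u "$name" -w "$2" -e '*'
        else
            python3 "$DIRSEARCH" -u "$name" -e '*'
        fi
    done < "$1"
}

main() { # main SCOPE_DOMAIN
    domain=$1
    # Step 2: enumerate subdomains into ./output.
    python "$SUBLIST3R" -d "$domain" -o output
    if wildcard_dns "$domain"; then
        echo "warning: *.$domain is a wildcard record; the resolve filter is unreliable" >&2
    fi
    # Steps 1 and 3: in-scope names that resolve go to ./domains.
    scope_filter "$domain" < output | resolve_live > domains
    # Step 4: screenshots to review by eye (eog example).
    python "$WEBSCREENSHOT" -i domains -o example
    # Steps 5 and 6: content discovery, then the open-redirect wordlist.
    run_dirsearch domains
    run_dirsearch domains "$REDIRECT_LIST"
}

# Only run the pipeline when a domain is given; with no argument the file
# just defines the functions, so it can also be sourced.
if [ "$#" -ge 1 ]; then
    main "$1"
fi
```

The per-host loops replace the `. <(awk ...)` aliases: a `while read` loop passes each name as a single argument, so there is no second round of word splitting or globbing over the generated text, which is exactly where the unquoted `-e *` in the aliases goes wrong once the working directory contains files.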


## 📝 Exercises

1) Write a shell script that performs the entire process when supplied with a single domain (example.com).