BBH-Recon

This repository aims to provide a comprehensive and structured approach to the reconnaissance (recon) phase of bug bounty hunting. The recon phase is crucial in identifying potential attack surfaces and gathering valuable information about a target before attempting to find vulnerabilities.


Table of Contents


Wide-Recon

  • Wide Recon
    • Subdomain Enumerating
      • Subfinder - the GOAT; configure it before you use it. Run it with: subfinder -dL target.txt -all -recursive -o output
      • BBot - An alternative to Subfinder.
      • DNSDumpster
      • crt.sh PostgreSQL DB -- Connect to the Postgres DB and extract subdomains. Also use the website manually for some validations.
      • AbuseIPDB -- Use the Atxii script.
      • Favicon Hash -- Write a script to calculate the mmh3 hash of the favicon and search that hash in Shodan (shodan.io).
      • Gau -- gau --subs example.com | unfurl -u domains | tee -a subs.txt
      • Waybackurls -- echo domain.com | waybackurls | unfurl -u domains | tee -a wbuRes.txt
      • Host header fuzzing on the IP + URL.tld -> ffuf -w wordlist.txt -u "https://domain.tld" -H "Host: FUZZ" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0"
      • PTR record from IP
      • Scan ports 80, 443, and 8080 on the target IP address to discover new URLs.
      • Reverse DNS lookup
      • Ad tracker -- Use Udon and BuiltWith to search for domains/subdomains that share the same ad ID.
      • DNS Bruteforce
        • PureDNS --> Do a static DNS bruteforce with multiple wordlists. Assetnote, all.txt by JHaddix and SecLists are good options.
        • Gotator and DNSGen --> A second-pass/dynamic DNS bruteforce using permutations of the names already found. DO NOT SKIP THIS PART
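
The favicon-hash item above asks for a script that calculates the mmh3 hash. The following is an added example, not code from this repository: it reproduces the value Shodan's http.favicon.hash filter uses (MurmurHash3 x86_32 over the base64 text of the icon, line-wrapped at 76 characters with a trailing newline, reported as a signed 32-bit integer) with a pure-Python MurmurHash3 so it runs without the mmh3 package. The sample icon bytes are constructed; run it on your own assets' favicons to see which hash value groups them together.

```python
import base64

def murmur3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the variant behind mmh3.hash), returned unsigned."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    n = len(data) & ~3                       # bytes covered by whole 4-byte blocks
    for i in range(0, n, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask   # rotl32(k, 15)
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask   # rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[n:]                          # 0..3 leftover bytes, little-endian
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)                           # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h

def to_signed32(value: int) -> int:
    """mmh3.hash reports a signed 32-bit int, which is the form Shodan displays."""
    return value - (1 << 32) if value & 0x80000000 else value

def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan hashes the base64 *text* of the icon, wrapped at 76 characters with a
    trailing newline (exactly what base64.encodebytes emits), not the raw bytes."""
    return to_signed32(murmur3_x86_32(base64.encodebytes(favicon)))

if __name__ == "__main__":
    # Constructed stand-in for a favicon.ico; feed your own asset's icon bytes here.
    sample_icon = b"\x00\x00\x01\x00" + bytes(range(256)) * 4
    print("http.favicon.hash:", shodan_favicon_hash(sample_icon))
```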

Asset-Discovery

  • Asset Discovery
    • Find ASNs, CIDRs, IPs and name servers --> port scan + reverse DNS lookup
    • Unique strings, copyright notices.
    • Find new assets in news, stock market pages, partner pages and the About Us page.
    • Find new assets on Crunchbase and similar websites.
    • Emails --> reverse email lookup
    • Mail servers + certificates --> reverse MX + SSL search (for SSL use crt.sh)
    • Search on different search engines (Google, Bing, Yandex)
    • Google Dorks: "acquired by company", "company. All Rights Reserved.", "© 2021 company. All Rights Reserved.", "company. All Rights Reserved." -inurl:company, "acquired by target", "target subsidiaries"
    • Search SSL certificates on Shodan, FOFA and Censys.
    • Find domains with the same DMARC information (DMARC Live)

Content-Discovery
