Reconnaissance

Recon is the process by which you collect more information about your target, such as subdomains, links, open ports, hidden directories, service information, etc. In this page, I will explain my web recon methodology.

for bug hunters, this approach may not work with all targets, as each target has its own scope. Some companies will list all their assets in scope

Worldpay

sony

IBM

while others will list specific domains or subdomains. I will cover broader scopes to address all points.

Quick Note

Always use WHOIS data to verify each step. WHOIS provides information about domain name registrations, helping you confirm if an asset (like an IP or subdomain) belongs to your target.

1. Collect Acquisitions

An acquisition means the company has bought another company, and the new assets they now own, like websites or apps, are included in the bug bounty program for testing. This includes all the companies under the control of the main company.

How to Collect Acquisitions? The best website for this is Crunchbase. By searching for the company name, you can find all the acquisitions they have made. Collect this information and add it to your target scope and start recon on them.

2. Collect IPs

This involves various steps:

2.1 Collect ASNs

An Autonomous System Number (ASN) is a globally unique identifier that defines a group of one or more IP prefixes run by one or more networks. These ASNs will help track down external IPs belonging to the organization you are engaging with. Keep in mind that not all assets will be identified by these ASNs due to cloud environments like Azure, AWS, etc.

Best Way to Collect ASNs: well, the best way here is to conduct a manual search for your target ASN and collect them from various websites. You can also use bgp.net.

2.2 Collect CIDRs

ASNs contain ranges of IP addresses (CIDRs). To get IP ranges from an ASN, use the following command:

whois -h whois.radb.net -- '-i origin AS16509' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq

Now you have all the ranges (CIDRs).

2.3 Find IPs from the CIDRs

To convert CIDRs to IP addresses :

nmap -n -sn 13.35.121.0/24 | grep "for" | cut -d " " -f 5 >> IP.txt

Create a script to run this command for all your ranges. this command performs a ping sweep using Nmap to discover live hosts in the specified IP range.

Note: While this method is fast, it may not be the most effective. Some hosts might appear down due to firewalls blocking ping (ICMP) requests or other types of probes. To address this, we can use masscan (which is faster than Nmap) to perform a port scan across all the CIDRs :

sudo masscan 13.35.121.0/24 -p0-65535 --rate=250000 // you can use it after the nmaap command because if you use it in all the IPs it may take some time

Make a script to run it for all your ranges. You can increase or decrease the --rate=250000 (the number of packets sent per second) based on your network proficiency.

Now you have all the IPs; save them in IPs.txt. For better organization, we should put every IP running services in a single file.

Organizing IPs by Port

You can use the following Python script to organize the IPs based on the services they run:

import re
input_file = input("Enter the input file name: ")
ports_dict = {}
with open(input_file, 'r') as file:
    for line in file:
        match = re.search(r'Discovered open port (\d+/tcp) on (\d+\.\d+\.\d+\.\d+)', line)
        if match:
            port = match.group(1)
            ip = match.group(2)
            if port not in ports_dict:
                ports_dict[port] = []
            ports_dict[port].append(ip)
for port, ips in ports_dict.items():
    port_file = f"{port.split('/')[0]}.txt"
    with open(port_file, 'w') as f:
        f.write('\n'.join(ips))

What i do after that is extracting the IPs running HTTP/S services that are accessible through a browser, usually on ports 80, 443, 8080, 8443, 8000, 8888, and 5000, and put them in a one file. You can then run httpx on these IPs and keep the results organized.

and in Attack Victors by port page, i will exaplin all the other services and their potential vulnerabilities.

3. Collect Subdmains

3.1 Subfinder

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.

To get the most out of Subfinder, go to its and add your API keys at the end of the config.yaml file from these platforms:

• binaryedge

• censys

• chaos

• github

• intelx

• robtex

• securitytrails

• shodan

• spyse

• urlscan

• virustotal

• zoomeye

Just sign up for accounts on these sites, and you can get your API keys from the settings section. Keep in mind that these API keys are free but have a limited number of requests, so change them out now and then.

Once you’ve added the APIs, run Subfinder again and see how much more you uncover compared to before!

3.2 Amass

Amass is a powerful tool for network mapping and external asset discovery. It combines both passive and active techniques to uncover subdomains linked to a target.

For passive enumeration, you can run the following command:

amass enum --passive -d example.com -o example.com.subs

This command will gather subdomains without actively probing the target.

For active enumeration, which includes brute-forcing and resolving IP addresses, use:

amass enum -src -ip -brute -min-for-recursive 2 -d example.com -o example.com.subs

This command not only discovers subdomains but also gathers source information and performs IP resolution, providing a more comprehensive view of your target.

By leveraging Amass, you'll be able to effectively uncover a wide range of subdomains, significantly enhancing your reconnaissance efforts!

3.3 Assetfinder

it can find domains and subdomains related to a given domain, and find the subdaomins of the subdaomins :

assetfinder -subs-only target.com // find subdomains for a domain
assetfinder -subs-only sub.target.com // find subdomains of a specific subdomain

3.4 some good website

there is also some good websites like crt.sh and subdomainfinder