Passive Recon‬

‭
Passive reconnaissance is essential in the early stages of bug bounty‬
‭
hunting. This approach allows you to gather information without direct‬
‭
interaction with the target's systems, reducing the likelihood of‬
‭
detection and helping build a detailed picture of the target’s digital‬
‭
footprint. Below is a structured approach for conducting passive recon‬
‭
effectively.‬
‭

Step 1: Selecting a Bug Bounty Hunting‬

‭
Platform‬
‭
1.‬‭
‭ Choose a bug bounty platform‬‭
such as‬‭
HackerOne, Bugcrowd,‬‭
Synack,‬
or Cobalt‬
‭ .‬
‭
2.‬‭
‭ Select a target‬‭
from the platform that fits your expertise‬‭
and‬
allows passive reconnaissance within its scope.‬
‭

Step 2: Identifying Website Technology‬

‭
Understanding the website’s technology stack is crucial to pinpoint‬
‭
potential vulnerabilities. Various tools can help identify these‬
‭
technologies:‬
‭

‭●‬ ‭
Wappalyzer‬
: A browser extension to identify frameworks,‬‭
‭ CMSs,‬
JavaScript libraries, and server software.‬
‭
‭●‬ ‭
BuiltWith‬
: An online tool for analyzing the technology‬‭
‭ stack,‬
including CMS, eCommerce platform, JavaScript libraries, and‬
‭
more.‬
‭
‭●‬ ‭
Netcraft‬
: Provides hosting details, server software,‬‭
‭ SSL‬
certificate information, and other insights into the technology‬
‭
used.‬
‭

WafW00f‬
‭ : A specialized tool to detect the presence‬‭
‭ of a Web‬
Application Firewall (WAF). This is useful for understanding the‬
‭
target’s defensive layers and may indicate specific technologies.‬
‭
bash‬
‭
Copy code‬
‭
wafw00f -a [target-domain]‬
‭

‭●‬

Example:‬
‭

plaintext‬
‭
Copy code‬
‭
https://builtwith.com/[target-domain]‬
‭

Step 3: Gathering Email Addresses‬

‭
Finding email addresses can provide insights into personnel roles and‬
‭
can assist in social engineering tactics or compromised credential‬
‭
checks.‬
‭

‭●‬ ‭
Hunter.io‬
: Enter the domain name to gather a list‬‭
‭ of publicly‬
available email addresses and associated personnel. Target‬
‭
specific roles, such as “Security,” “IT,” or “Admin” for‬
‭
higher-value contacts.‬
‭
‭●‬ ‭
Email Permutator‬
: Use permutations to create potential‬‭
‭ email‬
addresses based on known employee names, which can then be‬
‭
validated in other tools.‬
‭

Example:‬
‭

plaintext‬
‭
Copy code‬
‭
https://hunter.io‬
‭

Step 4: Organizational Search with Netcraft‬

‭
Netcraft‬‭
‭ offers extensive information on a website’s‬‭
infrastructure,‬
including hosting environment and web server technologies:‬
‭
 ‭●‬ ‭
Details from Netcraft include:‬
‭○‬ ‭
Server technologies‬
‭○‬ ‭
SSL certificates‬
‭○‬ ‭
Domain history‬
‭○‬ ‭
Subdomains‬

Example:‬
‭

plaintext‬
‭
Copy code‬
‭
https://netcraft.com‬
‭

Step 5: Searching for Breached Credentials‬

‭
Breached credentials are often accessible through various tools, which‬
‭
may reveal exposed usernames and passwords that can be tested against‬
‭
other accounts within scope.‬
‭

‭●‬ ‭
Breached Parse‬
: Aggregates information from known‬‭
‭ data breaches‬
to identify leaked usernames and passwords related to the target.‬
‭
‭●‬ ‭
Have I Been Pwned?‬
: Checks if the domain has any compromised‬
‭
accounts, making it a quick way to verify if company emails were‬
‭
part of known breaches.‬
‭

Note‬
‭ : Use breached credential information responsibly‬‭
‭ and‬
only for authorized activities.‬
‭

Example:‬
‭

plaintext‬
‭
Copy code‬
‭
https://breachedparse.com‬
‭

Step 6: Subdomain Enumeration‬

‭
Discovering subdomains is essential as they may reveal staging sites,‬
‭
admin portals, or other resources that could contain vulnerabilities.‬
‭
Amass‬
‭ : A powerful OSINT tool for comprehensive domain enumeration.‬
‭
bash‬
‭
Copy code‬
‭
amass enum -d [target-domain]‬
‭

‭●‬

Sublist3r‬
‭ : A Python-based tool that enumerates subdomains‬‭
‭ from sources‬
like Google, Yahoo, Bing, and others.‬
‭
bash‬
‭
Copy code‬
‭
python sublist3r.py -d [target-domain]‬
‭

‭●‬

This step often reveals non-public areas and sensitive data that may‬
‭
lead to valuable reconnaissance.‬
‭

Step 7: DNS Recon and nslookup‬

‭
DNS reconnaissance is fundamental for discovering alternate IPs, MX‬
‭
records, and CNAME records, which can reveal additional infrastructure‬
‭
or misconfigurations.‬
‭

DNSRecon‬
‭ : A tool that enumerates DNS records (A, AAAA,‬‭
‭ MX, etc.) and‬
provides valuable insights.‬
‭
bash‬
‭
Copy code‬
‭
dnsrecon -d [target-domain]‬
‭

‭●‬

nslookup‬
‭ : A basic command-line tool for resolving‬‭
‭ DNS queries.‬
bash‬
‭
Copy code‬
‭
nslookup [target-domain]‬
‭

‭●‬

This can reveal additional servers or services hosted on the target‬

‭
domain.‬
‭
Step 8: Shodan‬
‭
Shodan‬‭
‭ is an internet search engine that indexes information‬‭
about‬
exposed devices and services. This can be instrumental in identifying‬
‭
open ports, public-facing servers, and potential misconfigurations.‬
‭

‭●‬ ‭
Shodan search‬‭
for the target’s IP address or domain‬‭
name to‬
discover open ports, services, SSL certificates, and device‬
‭
types.‬
‭
‭●‬ ‭
Useful for finding vulnerable devices, IoT assets, and publicly‬
exposed web interfaces.‬
‭

Example:‬
‭

plaintext‬
‭
Copy code‬
‭
https://www.shodan.io/search?query=[target-domain]‬
‭

Step 9: GitHub Recon‬

‭
Public GitHub repositories can be a goldmine for sensitive‬
‭
information. Developers often accidentally commit configuration files,‬
‭
credentials, or API keys.‬
‭

Use‬‭
‭ GitHub Dorking‬‭
to search for exposed data in public‬‭
repositories.‬
Example GitHub dorks:‬
‭
plaintext‬
‭
Copy code‬
‭
[target-domain] filename:.env‬
‭
[target-domain] filename:config OR filename:credentials‬
‭

‭●‬
‭●‬ ‭
GitHub Advanced Search‬‭
allows filtering by organization,‬
filename, and other parameters.‬
‭

Example:‬
‭

plaintext‬
‭
Copy code‬
‭
https://github.com/search?q=[target-domain]‬
‭

Step 10: Google Dorking‬

‭
Google Dorking is an effective technique to uncover exposed files,‬
‭
directories, and sensitive data indexed on the internet. Custom dorks‬
‭
can reveal login pages, config files, and even databases.‬
‭

Common Google Dorks for bug bounty reconnaissance:‬

‭
plaintext‬
‭
Copy code‬
‭
site:[target-domain] intitle:"index of"‬
‭
site:[target-domain] inurl:login‬
‭
site:[target-domain] filetype:pdf OR filetype:xls‬
‭

‭●‬
‭●‬ ‭
Combine keywords to locate sensitive directories or files, such‬
as backup files, admin panels, and credentials.‬
‭

Example:‬
‭

plaintext‬
‭
Copy code‬
‭
https://www.google.com/search?q=site:[target-domain]+intitle:%22index+‬
‭
of%22‬
‭

Step 11: Social Media OSINT‬

‭
Social media can reveal valuable details about the company, its‬
‭
employees, and internal structure. Here are some tools and techniques:‬
‭

‭●‬ ‭
LinkedIn‬
: Use LinkedIn to identify current employees,‬‭
‭ their‬
roles, and departments. This can help narrow down targets for‬
‭
social engineering or provide insights into the organization's‬
‭
structure.‬
‭
 ‭●‬ ‭
Twitter, Facebook, Instagram‬
: Employees may post company‬
‭
information on these platforms, which can inadvertently disclose‬
‭
internal systems or projects.‬
‭
‭●‬ ‭
Social Mapper‬
: This OSINT tool can link employees'‬‭
‭ profiles‬
across various social media platforms, useful for building‬
‭
comprehensive social profiles.‬
‭

Example searches:‬
‭

plaintext‬
‭
Copy code‬
‭
"CompanyName" site:linkedin.com‬
‭
"CompanyName" "security team" site:twitter.com‬
‭

Incorporating these advanced passive recon techniques will greatly‬

‭
enhance your intelligence-gathering phase:‬
‭

‭●‬ ‭
Domain Intelligence‬
: Reverse WHOIS, historical DNS,‬‭
‭ Certificate‬
Transparency logs.‬
‭
‭●‬ ‭
Infrastructure Recon‬
: Reverse IP lookups, ASN and‬‭
‭ IP range‬
analysis, Passive DNS.‬
‭
‭●‬ ‭
Metadata and File Analysis‬
: Extracting metadata from‬‭
‭ public‬
documents, GitHub leaks.‬
‭
‭●‬ ‭
Social Media and Employee Profiling‬
: LinkedIn, job‬‭
‭ listing‬
analysis, employee social media profiling.‬
‭
‭●‬ ‭
Internet-wide Scanning‬
: Censys, BinaryEdge, ZoomEye‬‭
‭ for exposed‬
services.‬
‭
‭●‬ ‭
Archived Content and Cloud Bucket Checks‬
: Wayback‬‭
‭ Machine,‬
CommonCrawl, cloud storage enumeration.‬
‭
‭●‬ ‭
Automation and Frameworks‬
: Recon-ng, SpiderFoot, OSINT‬‭
‭ Framework.‬