Information Gathering

Passive reconnaissance

➡️ Physical engagement / Social engineering

Location information like
- satellite images
- drone recon
- building layout (badge readers, security, fencing, etc)
Job information
- employees (name, job title, phone number, etc)
- pictures (badge photos, desk photos, computer photos, etc)

➡️ Web / Host Assessment

target validation
- whois, nslookup, dnsrecon
finding subdomains
- Google, dig, nmap, crt.sh, etc
fingerprinting
- nmap, wappalyzer, netcat, etc
data breaches
- HaveIBeenPwned, Breach-Parse, WeLeakInfo

Target

❗ Always refer to a Bug Bounty program to find valid targets that can be legally tested
🔗 Bugcrowd
🧪 e.g. - Tesla

Read the program details, follow the terms and stay in scope
Following test will be made on the *.tesla.com target

Discovering email addresses

The goal is discovering public email addresses and check if they really exist

➡️ Hunter.io (free registration) - Find email addresses from any company name or website

➡️ Phonebook.cz (free registration) - Phonebook lists all domains, email addresses, or URLs for the given input domain

➡️ VoilaNorbert

➡️ Clearbit Connect (Chrome extension)

➡️ EmailHippo Email address verifiy - Free email address verification tool

➡️ Email-checker

Breached credentials

➡️ HaveIBeenPwned - Check if your email address is in a data breach

➡️ breach-parse - A tool for parsing breached passwords

BreachCompilation password list (44GB) file comes from breached password dumps

breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data"

Credential stuffing and Password spraying can be done using the results.

➡️ DeHashed.com (subscription) - public data search-engine

Hashed passwords or other data can be found
Collect all the data (email, username, IP, address, etc) with the goal to find patterns, that could be related to personal accounts too
Investigation to tie the data to other accounts, etc
Use tools to try to decrypt the hashed password, like Hashes.com, Google, etc

Hunting subdomains

Identify subdomains

➡️ Sublist3r (outdated) - enumerate subdomains of websites using OSINT

sudo apt install sublist3r

sublist3r -d tesla.com

sublist3r -d tesla.com -t 100 -v

➡️ crt.sh - look for registered certificates and find subdomains or sub-subdomains

➡️ amass - in-depth attack surface mapping and asset discovery

sudo apt install amass

amass enum -d tesla.com

amass enum -d syselement.com

➡️ httprobe - take a list of domains and probe for working (alive) http and https servers

# Go is necessary (installed via pimpmykali.sh)
go install github.com/tomnomnom/httprobe@latest

# or on Kali
sudo apt install httprobe

cat tesla.com/recon/final.txt | httprobe

# Skip default probes, and use only https:443 probe
cat tesla.com/recon/final.txt | httprobe -s -p https:443

# Strip only subdomains from the list
cat tesla.com/recon/final.txt | sort -u | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443'

➡️ assetfinder - find domains and subdomains related to a given domain

# Go is necessary (installed via pimpmykali.sh)
go get -u github.com/tomnomnom/assetfinder

# or on Kali
sudo apt install assetfinder

assetfinder syselement.com

assetfinder --subs-only tesla.com

Screenshotting websites

➡️ gowitness - A golang, web screenshot utility using Chrome Headless

# Go is necessary (installed via pimpmykali.sh)
go install github.com/sensepost/gowitness@latest

# or on Kali
sudo apt install gowitness

gowitness scan single --url "https://tesla.com" --write-db

gowitness scan single --url "https://blog.syselement.com"

Website technologies

➡️ BuiltWith.com - find out what websites are built with

➡️ Wappalyzer.com - via browser extension

by visiting the webpage, interact with the browser extension to check the website technologies

➡️ WhatWeb

whatweb https://blog.syselement.com/

Automated recon script

Little bash script for sub-domains hunting

#!/bin/bash

url=$1

if [ ! -d "$url" ]; then
	mkdir $url
fi

if [ ! -d "$url/recon" ]; then
	mkdir $url/recon
fi

# Assetfinder #
echo "[+] Harvesting subdomains with assetfinder..."
assetfinder $url >> $url/recon/assets.txt
# get only subdomains containing $url
cat $url/recon/assets.txt | grep $1 >> $url/recon/final.txt
rm $url/recon/assets.txt

# Amass #
# echo "[+] Harvesting subdomains with amass..."
# amass enum -d $url >> $url/recon/f.txt
# sort -u $url/recon/f.txt >> $url/recon/final.txt
# rm $url/recon/f.txt

# httprobe #
echo "[+] Probing for alive domains..."
cat $url/recon/final.txt | sort -u | httprobe -s -p https:443 | sed 's/https\?:\/\///' | tr -d ':443' >> $url/recon/alive.txt

###

➡️ sumrecon - web recon script

wget https://raw.githubusercontent.com/Gr1mmie/sumrecon/refs/heads/master/sumrecon.sh

TCM's modified final script
- Creates a directory structure for reconnaissance under a given URL
- Harvests subdomains using assetfinder
- Filters valid subdomains and saves them to final.txt
- Checks for live domains using httprobe
- Identifies potential subdomain takeovers using subjack
- Scans for open ports using nmap
- Scrapes archived URLs from waybackurls
- Extracts parameters from Wayback Machine data
- Categorizes JavaScript, PHP, JSON, JSP, and ASPX files from Wayback Machine data
- Removes temporary files to keep the structure clean
- (Commented out) Could run amass for subdomain discovery and use EyeWitness for screenshots

# 0. Requirements
sudo apt install amass assetfinder httprobe gowitness nmap subjack
go install github.com/tomnomnom/waybackurls@latest

# 1. Copy the code here https://pastebin.com/raw/MhE6zXVt to a new file

# 2. Fix last 2 lines with gowitness and uncomment them
# echo "[+] Running eyewitness against all compiled domains..."
# gowitness scan file -f $url/recon/httprobe/alive.txt

chmod +x finalrecon.sh
./finalrecon.sh syselement.com

Check those additional resources
The Bug Hunter's Methodology - The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix
Nahamsec Recon Playlist