Home Upgrade Search Memberlist Extras Hacker Tools Award Goals Help Wiki Follow Contact

HF Rulez the UniverseHF Rulez the Universe
Sekhmet
[user@HF:]
Bug Bounty Enumeration Recon Methodology Whois Osint

[Series Bug Bounty Hunting] Vol.1 Information gathering | Methods | Tools [ Bug Bounty Hunting]

Posted 11-22-2022, 06:38 PM
[Image: CNRcDxL.gif]
Hello Hackforums Members And Followers
This will be full series on web apps bounty hunting
[Image: 4d84Uk2.png]
Vol.1 Information Gathering
Introduction :
Information gathering considered the most important part at our journey of bug hunting , it means  we should collect as much as you can of information's about your target in order to be able to hack it.
and to get results from multiple places at once , more information's equal to more opportunity to get what you want from your target it's considered the Black Magic art that every hacker should master

my plan is to dive with you into this big topic and cover as much as i can from it and teach you the technics and tricks and show you example of methodology of information gathering art so you can preform it in understandable manners.

[Image: 4d84Uk2.png]

Methodology :

this is changeable by the target you work on this means not all targets should be treated the same way some websites you will start with enumeration the subdomains as your first step and other targets you may start with brute-forcing directory's and hidden files so don't take this as typical just use your intellect but in general we will do :
  • Discover target subdomains
  • Determine the target ip
  • [b]Discover the open ports and running services[/b]
  • Fingerprint the OS
  • Discover folders and Hidden content
  • Collect staff e-mails

Tools :
  • Dnsdumpster ( Subdomain enumeration tool )
  • Nmap ( Network Mapper)
  • DirBuster ( Multi-threaded Directory/Files Brute-forcing Tool )
  • The Harvester ( scrap website e-mails )
[Image: 4d84Uk2.png]
Discover Target Subdomains and Real IP
[Image: 4d84Uk2.png]
Most of the time when you enumerate the subdomains also be able to define the real ip of the target and sometimes not so don't take it as promise.

Dnsdumpster :

Quote:i like to use this tool because it give much information's more than you can imagine in just one press actually it's the most high quality dns recon & search i have seen , you can use the website or download it from github and start using it on your machine

Ex :

[Image: 6BeI0O8.png]
[Image: 91dYAQo.png]

Features :

  • DNS Server
  • MX Records
  • Host Records
  • Subdomains
  • Site Technology
  • Reverse IP Lookup
[Image: 4d84Uk2.png]
Nmap :


Quote:Nmap is High quality network mapper tool that can scan/enumerate/brute-force not just one ip but a full network at once it's the best choice for any penetration tester , Nmap is used to discover hosts and services on a network by sending packets and analyzing the responses

Ex :

[Image: b8QCUuQ.png]
Features :

  • Discover Hosts
  • Scanning Open Ports
  • Version Detection
  • TCP/IP Stack Fingerprinting
  • Script system that interact with the targeted device


Basic Nmap Cheat Sheet :

Code
nmap -p 1-65535 -sV -sS -T4 target |  Full TCP port scan using with service version detection

Code
nmap -v -sS -A -T4 target | Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + trace route and scripts against target services.

Code
nmap -v -sV -O -sS -T5 target | Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection.

Code
nmap -v -p 1-65535 -sV -O -sS -T4 target | Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan.

[Image: 4d84Uk2.png]
DirBuster :


Quote:DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers
--->>> Kali.org

Ex :

[Image: dirbuster.png]

it's very self explanatory so nothing to dive into it here

[Image: 4d84Uk2.png]

The Harvester :

Quote:it's very powerfull tool designed to preform open source intelligence (OSINT) and it's used by all professional penetration testers

Ex :

[Image: 1*-hPh74OGmurbhduZNGcMLg.png]

Features :
  • Collect Names
  • Collect E-mails
  • Collect IP's
  • Collect Subdomains
  • Collect External URLS

[Image: HAVz5sS.png]

I have mentioned the most common tools used in bug bounty hunting and some of it's usage i hope this thread can benefit you in a way or another , the next Blog i will walk more inside bug bounty hunting Live


Please Leave Comment with any suggestion or edit you think i should do
12-03-2022, 10:41 PM
Good blog. It's good to read stuff like this in this forum. Keep writing!