Step-by-Step Guide with Commands for Effective Reconnaissance
This guide provides a comprehensive reconnaissance workflow (reconnaissance: gathering information about a target system before testing it) for bug bounty hunters and penetration testers. Follow these steps to systematically map the attack surface of a web application and surface candidate vulnerabilities.
At masaudsec.com, we specialize in cybersecurity, ethical hacking, and penetration testing services. Contact us for professional security assessments.
subfinder -d crunch.co.uk -o subfinder.txt
assetfinder --subs-only crunch.co.uk | tee assetfinder.txt
findomain -t crunch.co.uk -q | tee find-domain.txt
🔍 What it does: These tools collect subdomains passively by querying different sources such as certificate transparency logs (crt.sh), DNS datasets, threat-intel feeds and third-party APIs. Each tool covers a different set of sources, which is why running all three and merging the results finds more than any one of them alone.
🎯 Output: Multiple text files containing discovered subdomains.
cat subfinder.txt assetfinder.txt find-domain.txt | sort -u > all.txt
🔍 Why? Eliminates duplicate entries from different tools for cleaner results. Name the input files explicitly rather than using *.txt: on a second run the glob would pick up all.txt itself as an input while it is being truncated as the output.
🎯 Output: all.txt with unique subdomains.
httpx -l all.txt -o live_domains.txt
🔍 Why? Only hosts that actually answer over HTTP(S) are worth testing further. Pass the list once, with -l; piping the file into httpx and also giving it with -l is redundant.
🎯 Output: live_domains.txt containing active subdomains.
💡 Pro Tip: httpx can also grab page titles, technologies and status codes with additional flags such as -title -tech-detect -status-code, which makes interesting hosts stand out at a glance.
waymore -i "crunch.co.uk" -mode U -oU waymore.txt
cat live_domains.txt | katana -f qurl -silent -kf all -jc -aff -d 5 -o katana-param.txt
🔍 How it works: Waymore pulls historical URLs from web archives (-mode U fetches URL lists only, without downloading responses; -oU names the output file), while Katana crawls the live hosts: -kf all also parses robots.txt and sitemap.xml, -jc extracts endpoints from JavaScript, -aff auto-fills forms, -d 5 sets the crawl depth, and -f qurl is Katana's output field filter that keeps only URLs carrying a query string. qurl is a built-in Katana field, not a separate package, so nothing needs to be pip-installed for it.
🎯 Output: Two files with discovered URLs and endpoints.
Note: Katana requires the live domains list, while Waymore only needs the apex domain.
grep -E -i -o '\S+\.(bak|bkp|backup|old|swp|db|sql|sql\.gz|sql\.zip|sql\.tar\.gz|tar|tar\.gz|tar\.bz2|zip|rar|jar|war|class|apk|ipa|dex|asp|aspx|php|jsp|py|rb|pyc|cgi|inc|html|js|json|xml|csv|txt|wadl|log|access\.log|error\.log|conf|cnf|cfg|config|ini|properties|yml|env|secret|cache|lock|tmp|temp|dump|passwd|shadow|htaccess|htpasswd|pem|key|crt|cer|pfx|p12|ppk|id_rsa|id_dsa|git|svn|DS_Store|idea|vscode|bash_history|zsh_history|ssh|aws|boto|credentials|token|session|plist)(~|\b)' waymore.txt katana-param.txt | sort -u > finding.txt
🔍 Why? These files often contain sensitive information like credentials, database dumps, private keys or source code. Every entry in the alternation must be a bare extension: the pattern already supplies the leading \. and the \S+ before it, so writing an entry as \.env$ or \.git$ would require a double dot and never match. The (~|\b) tail also catches editor backup copies such as config.php~. Expect html, js, json, xml and txt to dominate the output; grep the result again for the extensions you actually care about.
🎯 Output: finding.txt containing potentially sensitive file URLs.
cat waymore.txt katana-param.txt | sort -u | grep -E -i -v '\.(css|png|jpe?g|gif|svg|tiff?|ttf|woff2?|ico|pdf|txt)(\?.*)?$' > waymore-katana-unfilter-urls.txt
🔍 Why? Focus on dynamic pages that are more likely to contain vulnerabilities. grep -E -v replaces the deprecated egrep, the list only contains real file extensions (UTM parameter names do not belong in an extension regex, and woff was misspelt wolf), and the optional (\?.*) means a cache-busted asset such as logo.png?v=2 is filtered as well, which a bare $ anchor lets through.
🎯 Output: waymore-katana-unfilter-urls.txt with useful endpoints only.
httpx -l waymore-katana-unfilter-urls.txt -t 150 -rl 150 -o waymore-katana-filter-urls.txt
🔍 Why? Ensure you're only testing URLs that are still accessible; archived URLs in particular are often long dead. -t sets the number of threads and -rl caps requests per second; lower both if the program publishes a rate limit.
🎯 Output: waymore-katana-filter-urls.txt with alive and useful links for testing.
Extract URLs that contain a query parameter (=) – useful for injection testing.
grep -a '=' waymore-katana-filter-urls.txt | sort -u > parameters_with_equal.txt
🔍 Why? Parameterized URLs are ideal for testing SQLi, XSS, LFI, and other input-handling vulnerabilities. Write the file with > rather than >> so repeated runs do not keep appending duplicates.
🎯 Output: parameters_with_equal.txt containing URLs with parameters.
nuclei -l live_domains.txt -o nuclei-result.txt
nuclei -u example.com -o result.txt
🔍 How it works: Nuclei uses community templates to check for known vulnerabilities and misconfigurations. -l scans every host in a list, -u scans a single target. Run nuclei -update-templates first so the template set is current, and treat every hit as a lead to confirm manually rather than a finished finding.
🎯 Output: nuclei-result.txt containing vulnerability findings.
cat waymore-katana-unfilter-urls.txt | parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' > /dev/null
cat waymore-katana-filter-urls.txt | parallel -j 10 'curl --proxy http://127.0.0.1:8080 -sk {}' > /dev/null
🔍 Why? Every request is routed through Burp Suite's proxy listener (127.0.0.1:8080 by default, so Burp must be running), and the URLs appear in Burp's HTTP history and site map for manual analysis. -k lets curl accept Burp's self-signed certificate and -s suppresses progress output; the responses themselves are discarded locally. The filtered list is a subset of the unfiltered one, so a single pass over the unfiltered list is enough if you want to avoid sending the same requests twice.
🎯 Result: All URLs loaded into Burp Suite for in-depth testing.
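The workflow above chains several one-off grep pipelines whose regexes are easy to get subtly wrong. The script below is an added example, not the post's own script: it packages the offline stages (merging subdomain lists, flagging sensitive files, dropping static assets, keeping parameterised URLs) as shell functions and runs them on a constructed sample that stands in for waymore.txt and katana-param.txt. The function names, the sample URLs and the tuned regexes are this example's own assumptions; the enumeration and crawling tools are not invoked. Two deliberate changes from the post's patterns: the sensitive-file regex uses plain POSIX ERE and whole-line matching (so query strings survive) and leaves out html/js/json/xml/csv/txt, and the static-asset filter is query-string aware.

```bash
#!/usr/bin/env bash
# Added example (not the post's own code): offline recon filtering stages as
# reusable functions, exercised on a constructed sample. Names and sample
# URLs are assumptions made for this example.
export LC_ALL=C   # byte-order sort so results are stable across machines

# Merge per-tool subdomain lists (files as arguments, or stdin when none):
# strip CR and trailing dots, lower-case, drop blank lines, dedupe.
merge_subdomains() {
  cat -- "$@" | tr -d '\r' | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# URLs pointing at backups, dumps, configs, keys and VCS metadata.
# Plain POSIX ERE (no \S or \b): the extension must be followed by end of
# line or a non-word character, so ".js" cannot fire on ".json" and "~"
# backup copies are covered. Whole lines are kept (no -o). html/js/json/
# xml/csv/txt are left out on purpose: they match nearly everything.
SENSITIVE_RE='\.(bak|bkp|backup|old|swp|db|sql|sql\.gz|sql\.zip|sql\.tar\.gz|tar|tar\.gz|tar\.bz2|zip|rar|jar|war|class|apk|ipa|dex|asp|aspx|php|jsp|py|rb|pyc|cgi|inc|wadl|log|access\.log|error\.log|conf|cnf|cfg|config|ini|properties|yml|env|secret|cache|lock|tmp|temp|dump|passwd|shadow|htaccess|htpasswd|pem|key|crt|cer|pfx|p12|ppk|id_rsa|id_dsa|git|svn|DS_Store|idea|vscode|bash_history|zsh_history|ssh|aws|boto|credentials|token|session|plist)($|[^[:alnum:]_])'
find_sensitive_urls() {   # usage: cat waymore.txt katana-param.txt | find_sensitive_urls
  grep -E -i "$SENSITIVE_RE" | sort -u
}

# Drop static assets. Anchoring only on $ lets "logo.png?v=2" through, so
# the optional (\?.*) covers query strings; fragments are removed first so
# "style.css#top" is caught as well.
STATIC_RE='\.(css|png|jpe?g|gif|svg|tiff?|ttf|woff2?|ico|pdf|txt)(\?.*)?$'
filter_static_urls() {    # usage: cat waymore.txt katana-param.txt | filter_static_urls
  sed 's/#.*$//' | grep -E -i -v "$STATIC_RE" | sort -u
}

# Keep URLs carrying a query parameter: an "=" after the "?", which is
# stricter than grepping for any "=" anywhere in the line.
extract_param_urls() {    # usage: filter_static_urls < urls.txt | extract_param_urls
  grep -a -E '\?[^#]*=' | sort -u
}

# Constructed sample standing in for waymore.txt + katana-param.txt.
demo_sample() {
  printf '%s\n' \
    'https://app.example.com/backup/db.sql.gz' \
    'https://app.example.com/.env' \
    'https://app.example.com/static/app.js' \
    'https://app.example.com/config.php~' \
    'https://app.example.com/index.php?id=1' \
    'https://app.example.com/images/logo.png?v=2' \
    'https://app.example.com/.git/config'
}

# Run the stages on the sample when executed directly.
echo '## sensitive files';   demo_sample | find_sensitive_urls
echo '## dynamic endpoints'; demo_sample | filter_static_urls
echo '## parameterised';     demo_sample | filter_static_urls | extract_param_urls
```

Order matters: run extract_param_urls on the output of filter_static_urls, not on the raw crawl files, otherwise cache-busted assets like logo.png?v=2 end up in the parameter list. To use the functions on real output, source the file and pipe waymore.txt and katana-param.txt into them in place of demo_sample.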
Automation is crucial in bug bounty hunting for several reasons:
Bug bounty hunting is the process of finding and reporting vulnerabilities in software, websites, or applications in exchange for rewards. Companies run bug bounty programs to crowdsource security testing from ethical hackers.
Reconnaissance is the foundation of successful bug hunting. It helps you:
The learning curve varies, but typically:
Start with these essential tools: