Bug Bounty Recon

Reconnaissance: The First Step in Understanding Your Web App Target

When it comes to hacking, or even ethical security testing, reconnaissance is the fundamental phase you should never skip. It is like gathering intelligence before launching an operation. Whether you are targeting a company, a specific web application, or a Hack The Box machine, having the right information can make or break your success.

In this post, we will walk through the basic steps of reconnaissance and the essential tools for gathering the data you need about your target.

  • Understanding the Target:

    Start by diving deep into how the company and the web application you are interested in work. The better you understand their structure, the technologies they use, and their potential vulnerabilities, the better prepared you will be to find weaknesses.

  • Web App Interaction:
    Before you start scanning for vulnerabilities, navigate the web app just like a regular user. Pay close attention to any unusual behavior or errors you encounter during this exploration phase, and make sure to take notes of anything that seems out of place.
  • Organize your results:
    Before going further, create a dedicated directory for each source so that your findings stay organized and easy to find.
    • for example: mkdir Crunchbase_Acquisitions

  • Crunchbase.com – Understanding Company’s Acquisitions:

    Crunchbase.com is a valuable resource for gathering information about a company’s acquisitions and mergers. Acquisitions can provide essential insights into a company’s expansion strategy, the technologies it integrates, and the potential security implications of combining different systems.

  • By researching a company’s acquisitions on Crunchbase, you can uncover details about the acquired companies’ web applications, technologies they were using, and any potential vulnerabilities that might have been inherited during the acquisition process. This information helps you better understand the expanded attack surface and potential weak points in the web app’s ecosystem.

  • BGP.he.net – Exploring ASN Numbers:

    BGP.he.net is a useful tool for exploring Autonomous System Numbers (ASNs). ASNs are unique identifiers assigned to companies, internet service providers, and organizations that manage IP address blocks. By obtaining the ASN associated with the target company, you can gain valuable knowledge about its network infrastructure.

  • Understanding the company’s ASNs allows you to perform more accurate network reconnaissance, including IP range identification and network topology mapping. This information can help you identify external-facing systems, subdomains, and other network-related assets, all of which contribute to a comprehensive picture of the web app’s attack surface.
    • Enhanced Reconnaissance with Metabigor and asnlookup:

      To streamline your web app reconnaissance, consider using command-line tools such as Metabigor and asnlookup.

    • Metabigor: Developed by j3ssie, Metabigor discovers ASN data for a target from keywords, drawing on sources such as BGP (bgp.he.net) and asnlookup. This streamlines the process of gathering ASN-related information and enriches your reconnaissance with network insight. Metabigor is available on GitHub (j3ssie/metabigor).
    • asnlookup: Another essential command-line tool, asnlookup, complements your toolkit by providing a straightforward way to look up ASNs directly from the command line. This simplifies obtaining ASN details and makes network analysis faster. asnlookup is also available on GitHub.

  • Amass – ASN Enumeration:

    Given an ASN, Amass performs ASN enumeration to find seed domains linked to that Autonomous System Number. For instance, running “amass intel -asn 12345” searches for domains associated with ASN 12345, uncovering domains like “example.com,” “subdomain.example.com,” and others that belong to the target organization’s network.

  • Each additional seed/root domain you uncover widens the set of subdomains you can explore, which leads to a more thorough vulnerability assessment and therefore better protection against potential threats.
    • Here is the command for conducting ASN enumeration with Amass:

amass intel -asn <ASN_Number>
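As an added example that is not part of the original post, the following Python does the IP range identification step described above: given the prefixes an ASN announces (as read off BGP.he.net or asnlookup) and the IPs your hostnames resolve to, it reports which hosts sit inside the organization’s own address space and which are hosted elsewhere. The prefixes and host-to-IP mappings are constructed sample data for a hypothetical ASN, not a real organization.

```python
import ipaddress

# Constructed sample data (no real organisation): prefixes a hypothetical ASN
# announces, as read off BGP.he.net or asnlookup, and the IPs hostnames resolve to.
ASN_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"]
RESOLVED = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "198.51.100.200",   # above .127, so outside the /25
    "cdn.example.com": "192.0.2.77",       # hosted elsewhere (CDN or cloud provider)
    "mail.example.com": "2001:db8:1::25",
    "legacy.example.com": "203.0.113.250",
}

def build_networks(prefixes):
    """Parse CIDR strings once; strict=False tolerates host bits set in a listing."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]

def attribute_hosts(resolved, prefixes):
    """Split hosts into those inside the ASN's prefixes and those outside.
    Returns ({host: matching_prefix}, [hosts_outside]) with hosts in sorted order.
    Hosts outside are typically third-party hosting, where the organisation's own
    network controls and monitoring do not apply."""
    nets = build_networks(prefixes)
    inside, outside = {}, []
    for host, ip_str in sorted(resolved.items()):
        ip = ipaddress.ip_address(ip_str)
        # 'ip in net' is False across IP versions, so v4/v6 mixing is safe here
        match = next((str(n) for n in nets if ip in n), None)
        if match:
            inside[host] = match
        else:
            outside.append(host)
    return inside, outside

def unaccounted_prefixes(inside, prefixes):
    """Announced prefixes that none of the known hostnames map into: address space
    to inventory separately, since it may host systems with no DNS name at all."""
    used = set(inside.values())
    return [p for p in prefixes if str(ipaddress.ip_network(p, strict=False)) not in used]

if __name__ == "__main__":
    inside, outside = attribute_hosts(RESOLVED, ASN_PREFIXES)
    for host, prefix in inside.items():
        print(f"{host:20} in {prefix}")
    for host in outside:
        print(f"{host:20} outside all announced prefixes")
    print("prefixes with no known hostnames:", unaccounted_prefixes(inside, ASN_PREFIXES))
```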

  • crt.sh (SSL/TLS certificate search)
    • Go to crt.sh: Visit crt.sh, a website that lets you search Certificate Transparency logs for SSL/TLS certificates issued for specific domains.

    • Perform Wildcard Searches: Use the % wildcard to expand your search. For example:

      • Search for all subdomains under yahoo.com with “%.yahoo.com”.
      • Find names with “yahoo” as the second-level domain and any top-level domain with “www.yahoo.%”.
      • Discover subdomains containing “api” with “%25api%25.yahoo.com” (%25 is the URL-encoded form of %, as it appears in the crt.sh query URL).
      • Look for subdomains like “stg.yahoo.com” with “%25stg%25.yahoo.com”.
      • Explore deep subdomains like “xyz.abc.def.yahoo.com” using “%25%25%25%25.yahoo.com”.
    • Identify Important Subdomains: Pay attention to subdomains whose names hint at their role, as they may reveal potential vulnerabilities. Some key subdomains to note are:

      • stage.yahoo.com: Often used for testing new features or changes before deployment.
      • repo.yahoo.com: Might indicate a repository used for version control.
      • jenkins.yahoo.com: Could be a Jenkins server used for continuous integration and deployment.
      • dev.yahoo.com: May represent a development environment.
      • qa.yahoo.com: Likely used for quality assurance and testing.
    • Other Potentially Sensitive Subdomains: Keep an eye out for subdomains that might expose sensitive information or access points, such as “private,” “devops,” “git,” “test,” “db,” “staff,” and more.

  • Certspotter
    • Certspotter is another useful tool for discovering subdomains and the SSL/TLS certificates associated with a domain.
    • Run Certspotter for yahoo.com: To search for subdomains and SSL/TLS certificates associated with yahoo.com, use the following command:

certspotter yahoo.com

  • Collecting all Subdomains

After obtaining all the subdomains from sources such as crt.sh, Certspotter, and AMASS, you can further enhance your collection by leveraging different automated tools like Subfinder. Here are a few more examples of such tools:

    1. Subfinder: A versatile tool that efficiently identifies subdomains associated with a target domain.
    2. Amass: Apart from ASN Enumeration, Amass also provides robust subdomain discovery capabilities.
    3. Assetnote: Offers comprehensive subdomain enumeration and monitoring services.
    4. Findomain: Utilizes various techniques to extract subdomains and is particularly effective with large domains.

Once you have gathered all the subdomains using these tools, you can consolidate them into a single file using the following command:

cat *.txt > all_subs.txt
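As an added example that is not from the original post, the following Python consolidates crt.sh results and other tools’ output into one in-scope list, doing the normalization that a plain cat *.txt skips (case, wildcard entries, trailing dots, duplicates, out-of-scope names), and then flags the sensitive-looking names called out in the crt.sh section above. The crt.sh JSON and the tool output are constructed samples, and the label list is the one from that section.

```python
import json
import re

# Constructed crt.sh-style JSON: one name_value may hold several newline-separated names, wildcards included.
CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.stage.example.com"},
    {"name_value": "Jenkins.Example.com."},
    {"name_value": "repo.example.com\nwww.example.com"},
    {"name_value": "example.com.evil-lookalike.net"},  # not under the root: out of scope
])
# Constructed one-name-per-line output of other tools (what `cat *.txt` would merge blindly).
TOOL_OUTPUTS = ["api.example.com\nDEV.example.com\n",
                "qa.example.com\n*.example.com\nrepo.example.com\n"]
SENSITIVE_LABELS = {"stage", "repo", "jenkins", "dev", "qa", "private", "devops", "git", "test", "db", "staff"}
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def normalize(name):
    """Lowercase, drop a leading '*.' and a trailing '.', and reject anything that is not a hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name if HOSTNAME_RE.match(name) else None

def consolidate(root, crtsh_json, tool_outputs):
    """Merge crt.sh entries and tool output into one sorted, deduplicated, in-scope list."""
    candidates = []
    for entry in json.loads(crtsh_json):
        candidates += entry["name_value"].split("\n")
    for text in tool_outputs:
        candidates += text.splitlines()
    in_scope = set()
    for raw in candidates:
        host = normalize(raw)
        if host and (host == root or host.endswith("." + root)):
            in_scope.add(host)
    return sorted(in_scope)

def flag_sensitive(hosts, root):
    """Map each in-scope host to the labels below the root that suggest a non-production or admin role."""
    flagged = {}
    for host in hosts:
        labels = host[: -len(root)].rstrip(".").split(".") if host != root else []
        hits = sorted(set(labels) & SENSITIVE_LABELS)
        if hits:
            flagged[host] = hits
    return flagged

if __name__ == "__main__":
    hosts = consolidate("example.com", CRTSH_JSON, TOOL_OUTPUTS)
    print(hosts, flag_sensitive(hosts, "example.com"))
```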

  • Collecting alive subdomains

Once you have collected all the subdomains, the next step is to determine which of these subdomains are “alive.” In this context, “alive” refers to subdomains that are currently active and responsive on the internet, meaning they are reachable and return valid responses to web requests.

To identify the alive subdomains, you can employ tools like httprobe and httpx. These tools send HTTP requests to the list of subdomains and record the ones that successfully respond with valid HTTP statuses.

Here’s a command that utilizes httpx to check the alive status of the subdomains and gather additional information:

cat all_subs.txt | httpx -title -wc -sc -cl -ct -web-server -asn -o httpx.txt -p 8000,80,8443,443,8008,3000,5000,9090,900,7070,9200,15672,9000 -t 75 -location

  • Collecting Screenshots

Once you have a list of live hosts, capture a screenshot of each site to record how it looks at the time of your assessment. Three tools that help with this:

    1. WebScreenshots: Captures screenshots of web pages so you can review how each one appears later.

    2. Aquatone: Captures screenshots and also helps you identify the technology each site is using, giving you more information from the same pass.

    3. EyeWitness: Captures screenshots and additionally produces a report about the hosts it visited, combining the images with notes about what was found.

Screenshots are important because:

    • Seeing is Believing: A screenshot is evidence of exactly how a host appeared.
    • Complete Picture: Reviewing the screenshots helps you understand how the applications are designed and where potential problems lie.
    • Spotting Issues: Screenshots may reveal exposed credentials, error messages, or other risky details.
    • Knowing the Tools: Screenshots often reveal the frameworks and systems a site is built on.
    • Easy Sharing: Screenshots make it easy to show others what you found and discuss any issues.

  • Continuing the Hunt

After analyzing the screenshots and conducting initial assessments of the alive subdomains, you can proceed with the following steps to ensure a thorough and effective web application security assessment:

  1. Vulnerability Scanning: Utilize automated vulnerability scanning tools to systematically scan the web applications for known security vulnerabilities. These tools can help identify common issues such as outdated software, misconfigurations, and potential entry points for attackers.

  2. Manual Testing: Perform manual security testing to uncover more complex vulnerabilities that automated tools might miss. This could involve techniques like input validation testing, authentication testing, authorization testing, and more.

  3. Web Application Firewall (WAF) Testing: If applicable, test the effectiveness of any web application firewalls in place. Try to bypass or evade the WAF’s protections to identify potential weaknesses.

  4. Authentication and Authorization Testing: Focus on testing the authentication and authorization mechanisms of the web applications. Look for flaws that could allow unauthorized access to sensitive areas or functions.

  5. Data Sensitivity Review: Identify and review any sensitive data being handled by the web applications. Ensure that proper encryption, storage, and access controls are in place to protect sensitive information.

  6. Secure Configuration Review: Check the configuration of the web servers, databases, and other components to ensure they adhere to best security practices. Look for any unnecessary services or features that could be potential entry points.

  7. Code Review: If you have access to the source code, perform a code review to identify coding vulnerabilities such as SQL injection, cross-site scripting (XSS), and other security flaws.

  8. API Testing: If the web applications have APIs, thoroughly test them for vulnerabilities, including authentication bypass, data exposure, and injection attacks.

  9. Business Logic Testing: Test the business logic of the web applications to ensure that they behave as expected and cannot be manipulated to perform unauthorized actions.

  10. Reporting and Remediation: Document all findings, including vulnerabilities, risks, and recommended mitigation steps.

This is just a brief overview of how you should approach your target. In future, I will be bringing more specific blogs, so stay tuned. Keep learning, Keep Hacking!
