Bug Bounty Recon — Tools And Resources

Thexssrat
Apr 9, 2021

General Tools

  1. SubFinder
  2. Findomain
  3. Sublist3r
  4. dnssearch
  5. Sudomy
  6. Assetfinder
  7. Vita
  8. PureDNS
  9. GetAllUrls (gau)

Frameworks

  1. Amass
  2. Sudomy
  3. ReconFTW
  4. DMitry

Dictionary attacks

  1. knockPy
  2. DNSRecon
  3. MassDNS

Datasets

  1. crt.sh
  2. WaybackURLS
  3. Google dork ‘cache:’ (unlike the Wayback Machine, the Google cache sometimes has info that can easily be overlooked, and if it’s available then it’s definitely automated) — Thank you HackerPrat

Permutation Scanning

  1. AltDNS

DNS Databases

  1. DNS Dumpster
  2. Shodan
  3. Pentest-tools
  4. Rapid7 Forward DNS (FDNS)
  5. Crobat
  6. Subdomain finder by c99.nl
  7. BufferOver
  8. Spyse

Checking SubDomain Status Code

  1. URLChecker
  2. HTTProbe

Bash Extra resources

curl -s "https://rapiddns.io/subdomain/example.com?full=1" | grep -oP '_blank">\K[^<]*' | grep -v http | sort -u
  1. curl -s "https://rapiddns.io/subdomain/example.com?full=1" >>>> Downloads the list of all the domains RapidDNS has for example.com
  2. grep -oP '_blank">\K[^<]*' >>>> Prints only the text of the links that open in a new tab (everything after _blank"> up to the next <)
  3. grep -v http >>>> Drops every line that contains http, leaving only the entries that are not full URLs
  4. sort -u >>>> Sorts the list and removes duplicates
