What After choosing a target ? Recon Methodology— Bug Bounty Restart Phase 3

Hello Everyone,

In the last blog we saw how to choose a good target and how to understand the application properly, in today’s blog we will see a basic methodology for recon which you can change according to you. So let’s start.

Not a medium member? Read this story for free here

What is Recon ?

It is the process of collecting information about a target in order to identify vulnerabilities, its the first and most important step in bug bounties because -

• It helps you understand your target better
• It reveals hidden assets
• Saves time

So let’s see the recon methodology -

1. Subdomain Enumeration

So the first and most important thing we are going to do is subdomain enumeration as it helps us in finding the hidden assets and target the one’s which looks more prone to vulnerabilities. There are many different tools for subdomain enumeration, here are few of them which I use the most -

1. Assetfinder

assetfinder target.com -subs-only | tee -a asset.txt

2. Crtsh

crtsh -d target.com | tee -a crtsh.txt

3. Findomain

findomain -t target.com -o

4. Github Subdomains

github-subdomains -d target.com

Now we can use this great tool by tomnomnom to filter out the unique domains from the results of all tools -

GitHub - tomnomnom/anew: A tool for adding new lines to files, skipping duplicates

cat filename.txt | anew filename2.txt

there are many other subdomain tools available online, you can use any tool of your choice, once we have found the subdomains the next step is -

2. Find the Alive Subdomains