Professional Documents
Culture Documents
Offensive Recon //for// Bug Bounty Hunters: By: Harsh Bothra
Offensive Recon //for// Bug Bounty Hunters: By: Harsh Bothra
Offensive Recon
\\for\\
Bug Bounty Hunters
BY: HARSH BOTHRA
@harshbothra_
• InfoSec Blogger
• Lifelong Learner
• Poet
@harshbothra_
Agenda
Offensive Increasing
Approach for Project BHEEM Attack Surface &
Recon Keeping Track
Hack while
Q/A & Wrap-Up
Sleeping
@harshbothra_
RECON 101
Small Scope
Specific Applications in scope.
Medium Scope
*.target.com or set of applications in scope.
Large Scope
Everything in Scope.
What to look for while Recon: • What to look for while Recon:
◦ Tracking & Tracing every possible signatures • Directory Enumeration
of the Target Application (Often there might • Service Enumeration
not be any history on Google related to a
• JS Files for Domains, Sensitive
scope target, but you can still crawl it.)
Information such as Hardcoded APIs &
◦ Subsidiary & Acquisition Enumeration (Depth Secrets
– Max)
• GitHub Recon
◦ DNS Enumeration • Parameter Discovery
◦ SSL Enumeration • Wayback History & Waybackurls
◦ ASN & IP Space Enumeration and Service • Google Dork for Increasing Attack
Identification Surface
◦ Subdomain Enumeration • Internet Search Engine Discovery
◦ Subdomain Takeovers (Shodan, Censys, Fofa, BinaryEdge,
Spyse Etc.)
◦ Misconfigured Third-Party Services
• Potential URL Extraction for
◦ Misconfigured Storage Options (S3 Buckets) Vulnerability Automation (GF Patterns +
◦ Broken Link Hijacking Automation Scripts)
• And any possible Recon Vector
(Network/Web) can be applied.
@harshbothra_
Project BHEEM
@harshbothra_
Nothing Fancy!
Adding Multi-threading
Screen keeps your commands running on the background and doesn’t terminate
jobs if SSH timeouts or force closed.
@harshbothra_
Get in Touch at
Website – https://harshbothra.tech
Twitter - @harshbothra_
Instagram - @harshbothra_
Medium - @hbothra22
LinkedIn - @harshbothra
Facebook - @hrshbothra
Email – hbothra22@gmail.com
@harshbothra_
Thank You