Information Gathering

The goal of information gathering is to discover as many of the target's assets as possible: domains, subdomains, IP addresses, open ports and so on.

Subfinder

Configure subfinder by adding free API keys to its provider config file; this yields more subdomains and better-quality data.

vim ~/.config/subfinder/provider-config.yaml
subfinder -d <domain>

Shuffledns

Next we use shuffledns to brute-force and resolve valid subdomains.

Word Lists:

Resolvers:

We use bruteforce mode together with our wordlist and resolver list:

shuffledns -d <domain> -w wordlist.txt -r resolvers.txt -mode bruteforce

Alterx

Using the domains discovered in the previous step, we generate a new wordlist of permutations:

cat domains-from-shuffle.txt | alterx | tee -a subdomains-alterx.txt

Dnsx

We can now pass the permuted list into dnsx to identify which of these candidate names actually resolve:

cat subdomains-alterx.txt | dnsx | tee -a subdomains-dnsx.txt

Naabu

Now we identify open ports on the resolved subdomains:

cat subdomains-dnsx.txt | naabu -top-ports 100 | tee -a open-ports.txt

Httpx

cat open-ports.txt | httpx -title -sc -cl

Katana

Crawl the live web services to find assets:

cat open-ports.txt | katana -jsl

Run katana while authenticated by passing a session cookie as a header:

katana -u <domain> -H 'cookie: <COOKIE-VALUE>' -xhr -jsl -aff

Check the response headers for an HTML content type; those endpoints are worth reviewing for possible XSS.

Chaos client

chaos-client -d <domain> -silent | grep api | alterx -silent | dnsx -silent | naabu -top-ports 100 -silent

Grep the Chaos output for api, pass it to alterx to generate all permutations, run dnsx to keep only names with a valid record, then send those to naabu so it port scans only resolving hosts.

We can then send the result to katana and crawl it.
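The chain from subfinder through httpx above, and the Chaos variant of it, are both the same shape: each tool's output is fed as the next tool's input. The script below is an added example that is not part of the original post; it wraps that chain in a function, checks that each tool is installed before starting, and inserts a small `normalize_hosts` helper between stages. The helper exists because `tee -a` appends to its output file, so re-running the workflow otherwise feeds each stage an ever-growing, duplicated list. Output file names and the helper itself are assumptions of this example; the tool flags are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the ProjectDiscovery
# tools (subfinder, shuffledns, alterx, dnsx, naabu, httpx) are on PATH.

# normalize_hosts: read host names or host:port lines on stdin, lowercase
# them, strip a trailing dot from the host part, drop blank lines and
# de-duplicate. Keeps each stage's input list clean across repeated runs.
normalize_hosts() {
    tr 'A-Z' 'a-z' | sed 's/\.$//; s/\.:/:/' | grep -v '^[[:space:]]*$' | sort -u
}

# require_tool: fail early with a clear message instead of half-way through
# the pipeline when one binary is missing.
require_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# run_recon DOMAIN WORDLIST RESOLVERS
# Runs the workflow from the post, writing one file per stage so any stage
# can be re-run or inspected on its own.
run_recon() {
    domain=$1; wordlist=$2; resolvers=$3
    for t in subfinder shuffledns alterx dnsx naabu httpx; do
        require_tool "$t" || return 1
    done

    # Passive discovery (benefits from API keys in provider-config.yaml)
    subfinder -d "$domain" -silent | normalize_hosts > subs-subfinder.txt

    # Brute-force with wordlist + trusted resolvers
    shuffledns -d "$domain" -w "$wordlist" -r "$resolvers" -mode bruteforce -silent \
        | normalize_hosts > subs-shuffle.txt

    # Permute everything found so far, then keep only names that resolve
    cat subs-subfinder.txt subs-shuffle.txt | normalize_hosts \
        | alterx -silent | normalize_hosts > subs-alterx.txt
    dnsx -silent < subs-alterx.txt | normalize_hosts > subs-dnsx.txt

    # Port scan only resolving hosts, then probe for live HTTP services
    naabu -top-ports 100 -silent < subs-dnsx.txt | normalize_hosts > open-ports.txt
    httpx -silent -title -sc -cl < open-ports.txt > live-http.txt
}

# Usage: sh recon.sh example.com wordlist.txt resolvers.txt
if [ $# -eq 3 ]; then
    run_recon "$@"
fi
```

The `normalize_hosts` helper is deliberately plain POSIX text processing so it works anywhere the tools do; `live-http.txt` is the list you would then hand to katana for crawling.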

Conclusion

This blog post served as an introduction to the fundamentals of bug bounty hunting. In my next blog post I will go into more detail on how this workflow works against a live target.

This tutorial was inspired by Nahamsec and his Recon Course and Methodology video