Recon is an essential element of any penetration test: the more data you have about the target, the larger the attack surface you have to work with.
Bug bounty hunting is very competitive these days, so staying ahead of fellow hunters is essential. You are competing not only with the target's security but also with everyone else taking part in the same program. Automating recon and spending more of your time on actual testing is therefore very important.
That is where PrettyRecon comes in: an easy-to-use tool that gathers as much information as possible about a target.
Gather target information:
Basic information about the site: IP address, DNS name, organization, and the TLS certificate issuer's common name and organization. A simple search in the dashboard returns all of this. It also fetches the robots.txt file, which often lists valuable endpoints that well-behaved search engines do not crawl.
There are many tools for finding subdomains, but no single one is complete, so it is better to combine the results of all known tools and deduplicate them (sort -u). PrettyRecon gives you the list of resolved subdomains with their status code, title, IP address, CNAME and redirect location.
Using fast filters you can search subdomains by title. Suppose you want every subdomain running a Jira instance so you can try known attacks and exploits against them: filter on the title "Jira".
You can filter on web server or CNAME as well, for example to find subdomains returning 404 and check their CNAMEs for subdomain takeover. (PrettyRecon also has an automated subdomain takeover tool.)
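The two filters just described, applied to a resolved-subdomain inventory, as an added example (this is not PrettyRecon's code). The inventory, the hostnames under example.com and the list of takeover-prone CNAME suffixes are all constructed for the example; the suffix list is a starting point you would maintain from a current source, not a complete one.

```python
# Added example (not PrettyRecon's code): filter a resolved-subdomain inventory
# by page title, and by "404 + third-party CNAME" for subdomain takeover
# candidates. Inventory, hostnames and suffix list are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Host:
    name: str
    status: Optional[int]      # None when the name gives no HTTP answer
    title: str
    ip: Optional[str]
    cname: Optional[str]
    redirect: Optional[str] = None


# Constructed sample inventory (hypothetical hosts under example.com).
INVENTORY: List[Host] = [
    Host("jira.example.com", 200, "Log in - Jira", "203.0.113.10", None),
    Host("tasks.example.com", 302, "", "203.0.113.11", None, "https://jira.example.com/login"),
    Host("old-blog.example.com", 404, "There isn't a GitHub Pages site here.", "185.199.108.153", "examplecorp.github.io"),
    Host("api.example.com", 404, "Not Found", "203.0.113.12", None),
    Host("shop.example.com", 404, "No such app", None, "example-shop.herokuapp.com"),
    Host("www.example.com", 200, "Example Corp", "203.0.113.13", "www.example.com.cdn.example-cdn.net"),
]

# CNAME suffixes of services where an unregistered name can be claimed by
# anyone (assumption: keep this current from a maintained takeover list).
TAKEOVER_PRONE_SUFFIXES = {
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
    "s3.amazonaws.com": "AWS S3",
    "azurewebsites.net": "Azure App Service",
}


def find_by_title(hosts: Iterable[Host], keyword: str) -> List[str]:
    """Host names whose page title contains keyword (case-insensitive)."""
    kw = keyword.lower()
    return [h.name for h in hosts if kw in h.title.lower()]


def takeover_candidates(hosts: Iterable[Host]) -> List[Tuple[str, str, str]]:
    """Hosts that answer 404 (or nothing) and point via CNAME at a third-party
    service that can be claimed. Every hit still needs manual verification:
    a 404 from the target's own origin (no CNAME) is not a takeover."""
    hits = []
    for h in hosts:
        if not h.cname or h.status not in (None, 404):
            continue
        for suffix, service in TAKEOVER_PRONE_SUFFIXES.items():
            if h.cname == suffix or h.cname.endswith("." + suffix):
                hits.append((h.name, h.cname, service))
                break
    return hits


if __name__ == "__main__":
    print("Jira instances:", find_by_title(INVENTORY, "jira"))
    for name, cname, service in takeover_candidates(INVENTORY):
        print(f"possible takeover: {name} -> {cname} ({service})")
```

Note that api.example.com also returns 404 but has no CNAME, so it is correctly left out: a dangling CNAME to a claimable service is the signal, not the 404 on its own.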
Finding open ports
PrettyRecon scans the target's IPs for the most common ports and lists the open ones. You can also search for specific ports such as 3000, 8000, 9001, 7001, 4443 and 8080; hitting any of these may reveal juicy information or an exposed development environment.
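A TCP connect scan of that kind of port list, as an added example (not PrettyRecon's scanner). The port list is constructed from the ports named above plus a few common dev/admin ports; the loopback listener helper exists only so the scan has something to find offline.

```python
# Added example (not PrettyRecon's code): TCP connect scan of a list of
# "interesting" ports, run in parallel so filtered ports do not serialize
# the whole scan on their timeouts. Port list is constructed.
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

# Ports the page singles out plus a few more that often expose dev/admin
# services (constructed list; extend to taste).
COMMON_PORTS: List[int] = [80, 443, 3000, 4443, 5000, 7001, 8000, 8080, 8443, 8888, 9000, 9001]


def is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check. A refused port answers immediately; a filtered
    port eats the whole timeout, which is why scan_ports runs in parallel."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host: str, ports: Iterable[int] = COMMON_PORTS,
               timeout: float = 1.0, workers: int = 64) -> Dict[int, bool]:
    """Map each port to True (open) or False (closed or filtered)."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=min(workers, max(1, len(ports)))) as pool:
        results = list(pool.map(lambda p: is_open(host, p, timeout), ports))
    return dict(zip(ports, results))


def start_local_listener() -> Tuple[socket.socket, int]:
    """Demo helper: loopback listener on an ephemeral port so the scan has
    something to find offline. Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    try:
        result = scan_ports("127.0.0.1", COMMON_PORTS + [port], timeout=0.5)
        print("open:", sorted(p for p, ok in result.items() if ok))
    finally:
        srv.close()
```

A connect scan completes the TCP handshake, so it is logged like any other client connection; on a real engagement keep the port list and rate within the program's rules.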
Finding endpoints related to the target
PrettyRecon's Wayback Machine tool grabs endpoints from various sources on the internet: the web archive, search engines, GitHub, GitLab and so on. You can then search for specific keywords such as "=/", "=%2f" or "=htt" to find candidate open redirect, SSRF or XSS endpoints, or simply "=" to grab every GET endpoint with parameters. These are candidates only; you still need to test them manually.
Gather hidden endpoints from JS files
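The page gives no detail for this heading, so here is an added example (not PrettyRecon's code) covering both this step and the keyword search described above: a LinkFinder-style regex pulls URLs and root-relative paths out of a JS bundle, and the query parameters of harvested URLs are labelled by the "=/", "=%2f" and "=htt" patterns. The JS fragment and URL list are constructed samples for a hypothetical example.com.

```python
# Added example (not PrettyRecon's code): extract endpoints from JS and flag
# query parameters whose values look like paths or URLs. Samples constructed.
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed JS fragment of the kind a crawler pulls from a bundle.
SAMPLE_JS = r"""
const API = "https://api.example.com/v2";
fetch(API + "/users/me");
axios.get('/internal/admin/export?format=csv');
var legacy = "/legacy/redirect.php?next=/account";
const img = "logo.png";
"""

# Constructed URLs of the kind the Wayback Machine / search engines return.
SAMPLE_URLS = [
    "https://www.example.com/login?next=/dashboard",
    "https://www.example.com/go?url=http://partner.example.org/offer",
    "https://www.example.com/proxy?img=%2F%2Fcdn.example.net%2Fa.png",
    "https://www.example.com/search?q=shoes&page=2",
    "https://www.example.com/static/app.js",
]

# Quoted strings that are absolute URLs or root-relative paths (a trimmed-down
# LinkFinder-style pattern); bare filenames like "logo.png" are ignored.
_JS_ENDPOINT = re.compile(r"""["'`]((?:https?://|/)[A-Za-z0-9_./?=&%:\-]+)["'`]""")


def extract_js_endpoints(js: str) -> List[str]:
    """Unique URLs/paths quoted in JS, in order of first appearance."""
    seen, out = set(), []
    for m in _JS_ENDPOINT.finditer(js):
        ep = m.group(1)
        if ep not in seen:
            seen.add(ep)
            out.append(ep)
    return out


def classify_param(value: str) -> str:
    """'url'  : value is an absolute or protocol-relative URL ("=htt", "=//")
       'path' : value is a root-relative path ("=/", "=%2f" after decoding)
       'plain': any other GET parameter (still worth testing for reflection)"""
    v = value.lower()
    if v.startswith(("http://", "https://", "//")):
        return "url"
    if v.startswith("/"):
        return "path"
    return "plain"


def flag_params(urls: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """For each URL with a query string, list (name, label) per parameter.
    parse_qsl percent-decodes, so '=%2F' is caught by the same check as '=/'."""
    flagged: Dict[str, List[Tuple[str, str]]] = {}
    for u in urls:
        params = parse_qsl(urlsplit(u).query, keep_blank_values=True)
        if params:
            flagged[u] = [(k, classify_param(v)) for k, v in params]
    return flagged


if __name__ == "__main__":
    for ep in extract_js_endpoints(SAMPLE_JS):
        print("js endpoint:", ep)
    for u, labels in flag_params(SAMPLE_URLS).items():
        print(u)
        for name, label in labels:
            print("   ", name, "->", label)
```

The labels only say where to look first: "url" and "path" parameters are the open redirect / SSRF candidates, "plain" ones are the GET parameters to check for reflection. Nothing here confirms a vulnerability; that is the manual step the page describes.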
Some useful results related to the target
We embedded some commonly used open-source tools and scanners to produce useful results about the target. We will cover each scanner in a dedicated article in the future.
1. CRLF scan: scans all subdomains for CRLF injection, which usually results in open redirect or XSS.
2. Favicon hashes & fingerprinting: useful for identifying the services the target uses; you can also find more target infrastructure by searching the hash on search engines such as Shodan and Censys.
3. Domain endpoint results: the Wayback Machine and other search engines sometimes miss newly created endpoints, so it is always better to crawl the subdomains as well; this tool crawls each site to a small depth and shows the endpoints it finds.
4. DNS scan results
5. Automated subdomain takeover tool
6. Detection of common web panels and admin panels.
7. CVE scanner: finds domains vulnerable to the latest CVEs.
8. Directory scanner: scans all subdomains with a daily updated wordlist.
9. Basic server misconfiguration: finds common server misconfigurations such as missing security headers, and low-severity issues such as clickjacking.
Some other useful features:
[*] Note-taking app: we integrated a note-taking app so you can take notes about the target from any page on the website.
[*] Some commonly used tools:
- IP calculator (CIDR/subnet)
- Directory scanner
- Hidden link finder
- CSRF PoC generator
- CORS tester tool
More tools are in development and will be added in upcoming updates.
[*] List of public bug-bounty programs:
We provide a daily updated list of public bug-bounty programs, so you can always start with fresh targets.
We have some more features which we will cover in the next article.
Until then, signing off! Happy hunting 🙂