
Comprehensive Reconnaissance Methodology and Tools for Bug Bounty Hunters

In the ever-evolving landscape of cybersecurity, reconnaissance is the cornerstone of every successful bug bounty hunt. Whether you’re dissecting a sprawling enterprise network or probing a nimble startup’s web app, the quality of your recon determines whether you’ll uncover a goldmine of vulnerabilities or walk away empty-handed.
This guide isn’t just another tool dump—it’s a battle-tested methodology refined through years of crawling subdomains, fuzzing endpoints, and outsmarting firewalls. We’ll walk through a Linux-centric recon workflow that blends automation with manual ingenuity, ensuring no stone goes unturned. From subdomain takeover checks to secrets lurking in JavaScript files, you’ll learn how to transform raw data into actionable leads. Grab your terminal, fire up your favorite tools, and let’s turn recon into your superpower.
1. Subdomain Enumeration
Subdomains are the gateway to overlooked attack surfaces.
Tools & Techniques
Knockpy
- A Python-based tool that enumerates subdomains and identifies associated IPs/CDNs.
```bash
knockpy domain.com -o subdomains.txt
```
Assetfinder + HTTPX Pipeline
- Combine passive subdomain discovery with live host verification:
```bash
assetfinder --subs-only target.com | httpx -title -tech-detect -status-code -o live_subs.txt
```
Amass
- For deeper enumeration (passive/active DNS, scraping):
```bash
amass enum -d target.com -config ~/amass-config.ini -o amass_results.txt
```
Subzy
- Automatically check for subdomain takeovers:
```bash
subzy run -targets live_subs.txt
```
Pro Tip: Even 404/403 responses may host misconfigured assets—always investigate manually.
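The check Subzy automates is just as useful from the asset owner's side: a CNAME record whose target no longer resolves is the condition that makes a takeover possible, and it is found by auditing your own zone export. The following is an added example, not code from the original post or from Subzy; the zone lines, the list of third-party hosting suffixes and the resolver results are all constructed, and `resolves()` is a stand-in for a real DNS lookup.

```python
"""Audit a DNS zone export for CNAME records whose target no longer resolves.

Added example (not from the original post). The zone export, the suffix list
and the resolver results are constructed; on a real zone, replace resolves()
with a DNS query of the CNAME target and the suffix list with the third-party
services the organisation actually uses.
"""
import re
from dataclasses import dataclass

# Constructed zone export in BIND-style "name TTL IN TYPE target" format.
ZONE_EXPORT = """\
www.example.com.      300 IN CNAME example.com.
shop.example.com.     300 IN CNAME shop-prod.myshopify.com.
old-blog.example.com. 300 IN CNAME old-blog-12345.ghost.io.
docs.example.com.     300 IN A     203.0.113.10
assets.example.com.   300 IN CNAME d111111abcdef8.cloudfront.net.
"""

# Constructed, non-exhaustive list of third-party hosting suffixes; a dangling
# CNAME into one of these deserves a manual check before the record is removed.
THIRD_PARTY_SUFFIXES = (".myshopify.com", ".ghost.io", ".cloudfront.net",
                        ".herokuapp.com", ".github.io")

# Constructed resolver results: the CNAME targets that currently resolve.
RESOLVABLE = {"example.com", "shop-prod.myshopify.com", "d111111abcdef8.cloudfront.net"}

CNAME_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+CNAME\s+(?P<target>\S+)$")


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    reason: str


def parse_cnames(zone_text):
    """Yield (name, target) for each CNAME record, trailing dots stripped."""
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            yield m["name"].rstrip("."), m["target"].rstrip(".")


def resolves(target):
    """Stand-in for a DNS lookup of the CNAME target (assumption: constructed data)."""
    return target in RESOLVABLE


def audit_zone(zone_text):
    """Return a Finding for every CNAME whose target does not resolve."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if resolves(target):
            continue
        external = target.endswith(THIRD_PARTY_SUFFIXES)
        reason = "dangling CNAME to third-party service" if external else "dangling CNAME"
        findings.append(Finding(name, target, reason))
    return findings


if __name__ == "__main__":
    for f in audit_zone(ZONE_EXPORT):
        print(f"[!] {f.name} -> {f.target}: {f.reason}")
```

Running the script over the constructed zone reports only old-blog.example.com, whose CNAME target is gone; A records and resolving CNAMEs are ignored. The fix on the owner's side is to delete the record or re-claim the target, which is why this audit belongs in a periodic DNS hygiene job rather than a one-off hunt.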
2. Directory/Path Discovery
Unearth hidden endpoints, APIs, and sensitive files.
Tools & Workflows
Dirsearch
- Fast directory brute-forcing with customizable wordlists:
```bash
dirsearch -u https://target.com -e php,asp,js -w /path/to/wordlist.txt
```
Pro Tip: Prioritize 3xx/5xx responses—redirects often leak internal paths.
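Seen from the server side, a directory brute-force is a burst of 404/403 responses across many distinct paths from one client in a short window, which makes it one of the easier recon activities to detect in access logs. The following is an added example for defenders, not code from the original post: the log lines are constructed in Combined Log Format, and the window and threshold values are assumptions to tune per site.

```python
"""Flag clients that hit many distinct missing/forbidden paths within a short window.

Added example (not from the original post). SAMPLE_LOG is constructed; the
WINDOW and MIN_DISTINCT_MISSES values are assumptions, not a published rule.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.5 probes unknown paths, 198.51.100.7 browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /test HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /config HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /old/ HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v1/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

MISS_STATUSES = {403, 404}
WINDOW = timedelta(seconds=60)   # assumption: tune per site
MIN_DISTINCT_MISSES = 5          # assumption: tune per site


def parse_log(text):
    """Yield (ip, timestamp, path, status) for every line in the expected format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], int(m["status"])


def find_bruteforcers(text, window=WINDOW, min_misses=MIN_DISTINCT_MISSES):
    """Return {ip: max distinct 403/404 paths seen inside any sliding window}
    for clients that reach the threshold."""
    misses = defaultdict(list)
    for ip, ts, path, status in parse_log(text):
        if status in MISS_STATUSES:
            misses[ip].append((ts, path))

    flagged = {}
    for ip, events in misses.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_misses:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG).items():
        print(f"[!] {ip}: {count} distinct 403/404 paths within {WINDOW}")
```

Counting distinct paths rather than raw 404s is what separates a scanner from a user reloading one broken link, and the 301 and 200 lines are deliberately ignored so that the redirect-heavy traffic the Pro Tip above describes does not inflate the count.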
Waybackurls + Gau
- Extract historical URLs from the Wayback Machine and Common Crawl, then filter for parameters:
```bash
echo target.com | waybackurls | tee urls.txt
gau target.com | tee -a urls.txt

cat urls.txt | grep '?.*=' | qsreplace -a
```
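The `grep '?.*='` filter above keeps every parameterised URL, which for a large site means the same endpoint repeated thousands of times with different values. Collapsing the list to one URL per (host, path, parameter-name set) gives a much smaller set to review without losing any parameter surface. This is an added example, not code from the original post or from any of the tools it names; the URL list is constructed.

```python
"""Reduce a harvested URL list to one representative per parameter signature.

Added example (not from the original post). SAMPLE_URLS is constructed.
"""
from urllib.parse import parse_qsl, urlsplit

SAMPLE_URLS = """\
https://target.com/search?q=shoes&page=1
https://target.com/search?q=hats&page=2
https://target.com/search?page=3&q=socks
https://target.com/search?q=boots
https://target.com/product?id=100
https://target.com/product?id=200
https://target.com/static/app.js
https://api.target.com/product?id=1
"""

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2")


def signature(url):
    """Key a URL by host, path and the sorted set of query parameter names."""
    parts = urlsplit(url)
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return parts.netloc.lower(), parts.path, names


def dedupe_urls(urls, drop_static=True):
    """Return the first URL seen for each signature, preserving input order.
    Parameterless URLs that look like static assets are dropped."""
    seen, kept = set(), []
    for url in urls:
        url = url.strip()
        if not url:
            continue
        host, path, names = signature(url)
        if drop_static and not names and path.lower().endswith(STATIC_EXT):
            continue
        if (host, path, names) in seen:
            continue
        seen.add((host, path, names))
        kept.append(url)
    return kept


if __name__ == "__main__":
    for url in dedupe_urls(SAMPLE_URLS.splitlines()):
        print(url)
```

Parameter order is normalised by sorting the names, so `?page=3&q=socks` and `?q=hats&page=2` collapse together, while `?q=boots` survives as a distinct signature because its parameter set differs. The same host check keeps api.target.com separate from target.com.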
ParamSpider + Arjun
- ParamSpider: Crawl for parameters in URLs:
```bash
python3 paramspider.py -d target.com --level high
```
- Arjun: Detect hidden parameters for injection testing:
```bash
arjun -u https://target.com/api/v1?param=1
```
3. Vulnerability Scanning
Automate detection of low-hanging fruit.
Toolkit
Nuclei
- Mass-scan subdomains with 2,000+ community templates:
```bash
cat live_subs.txt | nuclei -t ~/nuclei-templates/ -severity critical,high -o nuclei_results.txt
```
Customization Tip: Write YAML templates for proprietary tech stacks.
Nikto
- Legacy but reliable for server misconfigurations:
```bash
nikto -h https://target.com -Tuning 1,2,3 -output nikto_scan.html
```
Nmap Vulners
- CVE detection for open ports:
```bash
nmap -sV --script=vulners -p 80,443,8080 target.com
```
Alternative: Use cve-bin-tool for software-based CVE checks.
4. Advanced Recon Tactics
A. Favicon Hash Hunting with Shodan
Generate favicon hashes:
```bash
# -favicon prints the mmh3 favicon hash per host; -o writes the results to a file
httpx -l live_subs.txt -favicon -o favicon_hash.txt
```
Query Shodan for matching infrastructure:
```bash
shodan search http.favicon.hash:<HASH> --fields ip_str,port
```
B. Secrets Detection
- TruffleHog: Scan Git/S3 for API keys:
```bash
trufflehog git https://github.com/target/repo.git --json
```
- GitHound: Find exposed secrets in GitHub:
```bash
githound --target target.com --dig-files --dig-commits
```
C. JavaScript Analysis
LinkFinder: Extract endpoints from JS files:
```bash
python3 linkfinder.py -i https://target.com/app.js -o cli
```
Subjs: Crawl subdomains for JS files:
```bash
subjs -l live_subs.txt -o all_js.txt
```
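Sections B and C both come down to pattern matching over fetched text: LinkFinder looks for endpoint-shaped strings, TruffleHog for credential-shaped or high-entropy ones. The example below does both over a single JavaScript bundle so the two techniques can be compared side by side; it is an added example, not code from the original post or from either tool. The JS snippet is constructed, the key in it is a fake value in the AWS access key ID format (the `AKIA` prefix plus 16 uppercase alphanumerics), and the pattern list and entropy threshold are assumptions meant as a starting point for reviewing your own bundles before they ship.

```python
"""Extract endpoint strings and likely hard-coded secrets from a JS bundle.

Added example (not from the original post, LinkFinder or TruffleHog). SAMPLE_JS
is constructed; the AWS-style key is fake; SECRET_PATTERNS and the entropy
threshold are assumptions to extend for real use.
"""
import math
import re
from collections import Counter

SAMPLE_JS = r"""
const API = "https://api.target.com/v2";
fetch(API + "/users/me").then(r => r.json());
axios.post("/api/v1/orders", body);
const img = "/static/img/logo.png";
const cfg = { awsKeyId: "AKIAEXAMPLEKEY000001", token: "Zk9pQ2xhc3NpYzNMb25nVG9rZW5WYWx1ZTEyMzQ=" };
"""

# Quoted absolute URLs or root-relative paths.
ENDPOINT_RE = re.compile(r'["\']((?:https?://[^"\'\s]+)|(?:/[A-Za-z0-9_./-]+))["\']')
STATIC_EXT = (".png", ".jpg", ".gif", ".svg", ".css", ".woff", ".woff2")

# Fixed-format detectors: (label, regex). Only the AWS key ID format is included here.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]
# Fallback for tokens with no fixed format: long quoted strings with high entropy.
TOKEN_RE = re.compile(r'["\']([A-Za-z0-9+/=_-]{32,})["\']')
ENTROPY_THRESHOLD = 4.0  # assumption: bits per character, tune to taste


def shannon_entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def extract_endpoints(js):
    """Return unique endpoint-looking strings in order of appearance, skipping static assets."""
    found = []
    for m in ENDPOINT_RE.finditer(js):
        ep = m.group(1)
        if ep.lower().endswith(STATIC_EXT) or ep in found:
            continue
        found.append(ep)
    return found


def find_secrets(js, entropy_threshold=ENTROPY_THRESHOLD):
    """Return (label, value) pairs: fixed-format matches first, then high-entropy strings."""
    hits = []
    for label, rx in SECRET_PATTERNS:
        hits.extend((label, m.group(0)) for m in rx.finditer(js))
    for m in TOKEN_RE.finditer(js):
        value = m.group(1)
        if shannon_entropy(value) >= entropy_threshold and all(value != v for _, v in hits):
            hits.append(("high_entropy_string", value))
    return hits


if __name__ == "__main__":
    for ep in extract_endpoints(SAMPLE_JS):
        print(f"[endpoint] {ep}")
    for label, value in find_secrets(SAMPLE_JS):
        print(f"[secret:{label}] {value}")
```

The two detectors fail in opposite ways: the fixed-format regex has almost no false positives but only knows the formats you listed, while the entropy check catches unknown token formats at the cost of flagging hashes and base64-encoded assets, which is why real scanners combine both and why the threshold is worth tuning against your own codebase.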
5. Automation with Bash
Streamline your workflow with this enhanced script:
```bash
#!/bin/bash
# Usage: ./recon.sh target.com
set -u

TARGET="${1:?usage: $0 target.com}"
OUT_DIR="recon-$TARGET"
mkdir -p "$OUT_DIR"

echo "[+] Starting subdomain enumeration..."
assetfinder --subs-only "$TARGET" | anew "$OUT_DIR/subs.txt"
amass enum -d "$TARGET" -o "$OUT_DIR/amass_subs.txt"
# Merge both sources, deduplicate, and keep only hosts that answer over HTTP(S)
cat "$OUT_DIR/subs.txt" "$OUT_DIR/amass_subs.txt" | sort -u | httpx -silent -o "$OUT_DIR/live_subs.txt"

echo "[+] Scanning for vulnerabilities..."
cat "$OUT_DIR/live_subs.txt" | nuclei -t ~/nuclei-templates/ -o "$OUT_DIR/nuclei_results.txt"

echo "[+] Hunting for secrets..."
trufflehog filesystem "$OUT_DIR" --json | jq . > "$OUT_DIR/secrets.json"

echo "[+] Done! Results saved to $OUT_DIR/"
```
Dependencies: Install anew, jq, and the tools listed above.
Pro Tips & Ethics
- Rate Limiting: Add -rate-limit 100 in HTTPX/Nuclei to avoid overwhelming targets.
- Legality: Always stay within program scope—use -proxy http://localhost:8080 to route traffic through Burp.
- Continuous Learning: Follow @Bugcrowd and HackerOne Hacktivity for new techniques.
🚀 Final Thoughts
Recon is an art—combine automation with manual ingenuity. Bookmark these resources:
Disclaimer: Use these tools ethically and only on authorized targets.
Revision Notes: Added Amass, LinkFinder, automation script, and Shodan workflows; streamlined tool explanations; emphasized ethical hacking practices.