LevelUp 0x02 — Bug Bounty Hunter Methodology v3 — Notes

Nick Park

·

Follow

4 min read

·

Jul 4, 2018

--

Share

Overview of Entire Methodology

1. Identify IPs and Main TLDs
2. Domain Scraping for Discovered TLDs
3. Domain Bruteforcing, Resolve && Add new IP Ranges
4. Portscan
5. Visual Identification
6. Platform Identification
7. Content Discovery
8. Parameter Discovery

Discovering IP Space

• Autonomous System Number — http://bgp.he.net
• Arin & Ripe — https://whois.arin.net/ui/query.do
  https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
• Reverse Whois
  https://reverse.report/
• Shodan Organization -
  https://www.shodan.io/search?query=org%3A%22Tesla+Motors%22

Discovering New Targets (Brands & TLDs)

• Linked Discovery
  1) Turn off passive scanning
  2) Set forms auto to submit
  3) Set scope to advanced control and use string of target name
  4) Walk + Browse, Then Spider all hosts recursively
  5) Profit
• Be careful with email generating forms
• Setup Keyword search in host/ip Range
• Right Click all hosts found and click spider — Regex based on keyword

Domlink (Tool)

• Take an assigned domain and lookup on whois…