Domain discovery in bug bounty.


Hi there, today I want to talk about domain discovery as part of wide recon for bug hunters.


Summary

As a matter of fact, there are many different domain discovery methodologies, but I want to write down my own methodology for this wide recon part. So, let's do it.


Acquisition Discovery

In some bug bounty program scopes, you can work on all assets of a company and also on its acquired companies, for instance Ford, Google, Walmart and so on. You can find a company's acquisitions with websites such as Crunchbase and others, and also with Google dorks, certificate search and reading other hunters' write-ups.


Google Dorks:

"acquired by company"
"company. All Rights Reserved"
"company. All Rights Reserved" -inurl:company

Some fields in a certificate are important for this, such as:

  • Subject: CN=

  • Issuer: C=, O=, CN=

  • Subject Alternative name

💡
You can use crt.sh and Censys to search certificates by these fields.

Reverse whois on domain name:

For reverse whois, I suggest two websites:

💡
Also, a reverse whois on an e-mail address of the company can find more domains than a normal reverse whois on the domain name.

Reading other hunters' write-ups

By reading other hunters' write-ups, you may find new domains and acquisitions of the company.


Tip:

This shell function helps you fetch the certificate of a domain or subdomain and print its fields (subject, issuer, subject alternative names):

# Usage: certx example.com
# Opens a TLS connection with SNI set to the host and prints the leaf
# certificate in readable form. openssl x509 only decodes the first
# certificate it reads, so the chain from -showcerts is not printed.
certx(){
    echo | openssl s_client -showcerts -servername "$1" -connect "$1:443" 2>/dev/null | openssl x509 -inform pem -noout -text
}
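As an added example (not part of the original post), here is a companion script that pulls every hostname a certificate claims, the subject CN plus all subjectAltName DNS entries, out of a PEM file such as the one the certx function above fetches; it assumes the openssl CLI is installed and builds a constructed self-signed certificate so it can be tried offline. Remember that these names are claims made by whoever requested the certificate, so confirm they belong to the program's scope before reporting on them.

```shell
#!/bin/sh
# Added example, not from the original post. Lists every hostname a
# certificate claims: the subject CN plus all subjectAltName DNS entries.
# Requires the openssl CLI (1.1.1 or newer for the demo cert's -addext).

# Usage: cert_names FILE.pem   (pass /dev/stdin to read a piped PEM,
# e.g. the output of the certx function above)
cert_names() {
  pem="$1"
  {
    # Subject CN. RFC2253 formatting gives "CN=host" on both old and
    # new OpenSSL versions, so one sed pattern covers both.
    openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    # SAN DNS entries: the line after "Subject Alternative Name:" in
    # -text output looks like "DNS:a.example, DNS:b.example".
    openssl x509 -in "$pem" -noout -text \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
  } | sort -u   # dedupe: the CN is usually repeated in the SAN list
}

# Builds a throwaway self-signed certificate (constructed sample data, the
# names are placeholders) so the parser can be exercised offline; prints the
# PEM file path.
make_demo_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:shop.example.com,DNS:*.acquired-brand.example" \
    >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# With a PEM path as argument, parse that file; otherwise run the offline demo.
if [ $# -eq 0 ]; then
  cert_names "$(make_demo_cert)"
else
  cert_names "$1"
fi
```

Wildcard entries such as *.acquired-brand.example are kept as-is, because they point at a whole zone worth checking rather than a single host.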

The End

Thank you for reading my note about domain discovery in bug bounty.

I hope you find this article useful.
