Hi there, today I want to talk about Domain discovery in wide recon for bug hunters.
Summary
As a matter of fact, there are many different kinds of domain discovery methodology, but I want to write down my own methodology for this wide recon part. So, let's do it.
Acquisition Discovery
In some bug bounty program scopes, you can work on all assets of a company and also on its acquisitions, for instance Ford, Google, Walmart and so on. You can find a company's acquisitions with websites such as Crunchbase and others, and also with Google dorks, certificate search, and reading other hunters' write-ups.
Google Dorks:
"acquired by company"
"company. All Rights Reserved"
"company. All Rights Reserved" -inurl:company
Certificate search:
There are some fields in a certificate that are important, such as:
Subject: CN=
Issuer: C=, O=, CN=
Subject Alternative Name (SAN)
Reverse whois on domain name:
For reverse whois, I suggest two websites:
Reading other hunters' write-ups
By reading other hunters' write-ups, you may find new domains and acquisitions of a company.
Tip:
This shell function helps you get the certificate of a domain or subdomain.
certx(){
  # Fetch the certificate served for $1 on port 443 (SNI set to $1)
  # and print it in readable form: Subject, Issuer, SAN and so on.
  echo | openssl s_client -showcerts -servername "$1" -connect "$1":443 2>/dev/null \
    | openssl x509 -inform pem -noout -text
}
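The certx function above prints the certificate as text, and the fields listed under "Certificate search" (Subject CN, Issuer, Subject Alternative Name) are what you read out of it. The following is an added example, not code from the original post: a small Python parser for that `openssl x509 -noout -text` output that pulls out those three fields and turns the CN and SAN entries into a list of hostnames to add to your inventory. The certificate text inside it is constructed with placeholder names (example.com, acquired-brand.test), not a real certificate, and the function names `parse_dn`, `extract_cert_fields` and `candidate_domains` are my own.

```python
import re

# Constructed sample of what `openssl x509 -noout -text` prints.
# All names here are placeholders; this is not a real certificate.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:a1:b2:c3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Example CA, CN = Example Issuing CA 1
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 23:59:59 2024 GMT
        Subject: C = US, O = Example Corp, CN = www.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:*.shop.example.com, DNS:acquired-brand.test, IP Address:203.0.113.10
            X509v3 Basic Constraints:
                CA:FALSE
"""


def parse_dn(dn: str) -> dict:
    """Parse a distinguished name as openssl prints it into {attr: value}.

    Accepts both 'C = US, O = Example' (openssl 1.1+) and 'C=US, O=Example'
    (older releases). Attribute values that themselves contain a comma are
    not handled, which is fine for the CN/O/C fields this recon step uses.
    """
    fields = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def extract_cert_fields(text: str) -> dict:
    """Pull Subject, Issuer and SAN entries out of `openssl x509 -text` output."""
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.MULTILINE)
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.MULTILINE)
    # The SAN values are printed on the line following the extension header.
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    san_dns, san_ip = [], []
    if san:
        for entry in san.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                san_dns.append(value)
            elif kind == "IP Address":
                san_ip.append(value)
    return {
        "subject": parse_dn(subject.group(1)) if subject else {},
        "issuer": parse_dn(issuer.group(1)) if issuer else {},
        "san_dns": san_dns,
        "san_ip": san_ip,
    }


def candidate_domains(fields: dict) -> list:
    """Hostnames worth adding to the asset inventory: Subject CN plus SAN DNS names.

    A wildcard entry (*.zone) names the parent zone rather than a host, so the
    '*.' prefix is dropped and the zone itself is kept.
    """
    names = set()
    cn = fields["subject"].get("CN")
    if cn:
        names.add(cn)
    names.update(fields["san_dns"])
    return sorted(n[2:] if n.startswith("*.") else n for n in names)


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; pipe certx output in instead
    # with: certx example.com | python3 this_script.py  (read sys.stdin).
    parsed = extract_cert_fields(SAMPLE_CERT_TEXT)
    print("Issuer:", parsed["issuer"])
    print("Subject CN:", parsed["subject"].get("CN"))
    print("Candidate domains:", candidate_domains(parsed))
```

The unrelated name in the SAN list (acquired-brand.test in the sample) is exactly the kind of signal the "Acquisition Discovery" section describes: a brand sharing a certificate with the main site is usually owned or operated by the same company, so it is worth checking against the program scope before going further.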
The End
Thank you for reading my note about domain discovery in bug bounty.
I hope you find this article useful.