Subdomains play a very important role in bug bounty programs when it comes to reconnaissance.
Hunters often want to extend their scope for the programs.
If a program has a very large scope, say *.domain, hunters usually try to find as many subdomains as possible to hunt for bugs.
To find subdomains, a hunter has to run command-line tools every time, save the output to files or somewhere else, and then filter the results with other command-line tools.
This is where prettyRecon comes in handy.
So instead of running each tool one by one, or even combined, there is an alternative: finding all the useful recon data directly with a single tool that has a very user-friendly UI.
Consider a domain fireeye.com with a scope of *.fireeye.com.
For recon using prettyRecon, simply log in to your prettyRecon account, provide the domain in the search box, and wait for the job to complete.
Once done, you will find all the subdomains linked to the domain.

Alongside subdomain names, prettyRecon provides other details that are very useful to hunters in their initial steps.
Details include:
- SubDomain Name
- Title
- IP Address
- Canonical Names
- Size
- Useful information from Headers like Webserver Version
- Is Virtual host
- Proper URI to subdomain
Apart from the details mentioned above, the UI provides very handy filters, such as search, include, and exclude, that work on any of the above details.
For example, if we want to find all subdomains running on the Nginx web server, we can easily apply a filter for it.

Pretty easy, right?
This enables hunters to find bugs directly, through vulnerable web server versions or through the title if a subdomain is running an interesting application.
If we check reports on the top bug hunting platforms, we find that more than 80% of the reported bugs were found on subdomains only.
Some shared findings using prettyRecon:
- Open URL Redirect (found using the Location filtering options)

- Account takeover (found by filtering for known development/testing servers on subdomains, such as wampp & xampp)

What next?
Along with full automation, a friendly UI, useful details, and filters, we are updating and adding more features to this section very often, and we hope you will find it useful too.