APT Recon - Bug Hunter’s Guide
Author ~ Elite Hacker 1337 (3L173 H4CK3R 1337)
~6 min read · March 22, 2026 (Updated: March 22, 2026)
APT (Advanced Persistent Threat) operations are long-term, stealthy, highly targeted attacks, usually run by nation-states or highly skilled criminal groups.
Unlike noisy attacks, APT recon and enumeration are slow, silent, and intelligence-driven.
Recon comes before enumeration and long before exploitation.
Bad recon → noisy enum → detected → attack fails
Good recon → minimal enum → clean access → long persistence
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —-
RECONNAISSANCE
Reconnaissance is the art of learning everything about a target
while letting the target learn nothing about you.
Recon is not scanning, not hacking, and not exploitation.
It is intelligence collection and analysis.
Reconnaissance is the intelligence gathering phase. You are learning about a target without necessarily touching it. The goal is to build a mental model of the target's attack surface — its assets, technologies, people, relationships, and exposure. Think of it as studying a building's blueprints before entering.
Attacker Mindset
Real attackers don't scan randomly. They build a target dossier — a structured intelligence document that answers:
What does this org think its perimeter is?
What does its perimeter actually look like from outside?
Where are the gaps between those two things?
The gap between perceived and actual attack surface is where breaches happen. Your job in recon is to find that gap before the client's security team knows it exists.
Strategic patience : APT operators spend the majority of an operation, on the order of 60–80%, in recon. If recon is thorough, exploitation is the easy part: the entry point has already been chosen and the defender's visibility is already understood.
Professional recon operates on the OODA Loop (Observe → Orient → Decide → Act). You're constantly updating your model of the target as new data arrives.
The intelligence community's collection disciplines map onto recon sources roughly as follows:
HUMINT (Human Intelligence) → LinkedIn, org charts, social engineering research
SIGINT (Signals Intelligence) → network traffic metadata, where you are in a position to observe it
OSINT (Open Source Intelligence) → everything publicly accessible, including certificate transparency logs, WHOIS and search engines
TECHINT (Technical Intelligence) → Shodan, Censys, infrastructure analysis
The Recon Lifecycle
PLANNING
└─ Define scope, objectives, rules of engagement
└─ Identify what "success" looks like
└─ Choose passive vs active techniques
COLLECTION
└─ OSINT: DNS, WHOIS, certs, search engines
└─ Active: port scanning, web crawling (authorized)
└─ Human: LinkedIn, job postings, conference talks
PROCESSING
└─ Deduplication, normalization
└─ Resolving domains → IPs
└─ Correlating data across sources
ANALYSIS
└─ Prioritizing assets by risk/value
└─ Identifying technology patterns
└─ Spotting anomalies (forgotten assets, dev envs)
REPORTING
└─ Attack surface map
└─ Risk-prioritized findings
└─ Recommended entry points
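The PROCESSING and ANALYSIS steps above are where most recon data is lost to sloppy handling: the same host appears five ways (mixed case, trailing dot, wildcard label) and a "new" finding is really a duplicate. The script below is an added example, not code from this guide; it normalises and de-duplicates hostnames from several sources, records which source saw each one, groups hosts by address and flags names that look like non-production assets. All of the input is constructed: the hostnames, the source labels and the name-to-IP table (`RESOLUTIONS`) are made up so the script runs offline; in a real engagement the table would come from a resolver.

```python
"""Recon lifecycle, processing + analysis: normalise, de-duplicate, correlate, triage.

Added example, not from the original guide. Every hostname, source label and IP
below is constructed; RESOLUTIONS stands in for DNS so this runs offline."""
import re
from collections import defaultdict

# Constructed raw findings, keyed by the collection source that produced them.
RAW_FINDINGS = {
    "crt.sh": ["*.example.com", "www.example.com.", "API.Example.COM", "dev-old.example.com"],
    "dns-brute": ["www.example.com", "staging.example.com", "vpn.example.com"],
    "search-engine": ["Www.Example.com", "docs.example.com", "notadomain"],
}

# Constructed resolution table (hypothetical addresses) standing in for DNS lookups.
RESOLUTIONS = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.20",
    "dev-old.example.com": "198.51.100.5",
    "staging.example.com": "198.51.100.5",
    "vpn.example.com": "203.0.113.30",
    "docs.example.com": "203.0.113.10",  # same address as www: shared vhost
}

# Labels that usually mark forgotten or lower-assurance environments.
ANOMALY_RE = re.compile(r"(^|[-.])(dev|staging|stage|test|uat|qa|old|legacy|beta)([-.]|$)")
# RFC 1123-style hostname with at least one dot.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")


def normalise(name):
    """Lowercase, drop trailing dot and a leading wildcard label; None if not a hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name if HOSTNAME_RE.match(name) else None


def process(raw, resolutions):
    """De-duplicate across sources; keep which sources saw each host and its address."""
    seen = defaultdict(set)
    for source, names in raw.items():
        for n in names:
            host = normalise(n)
            if host:
                seen[host].add(source)
    return {h: {"sources": sorted(s), "ip": resolutions.get(h)} for h, s in seen.items()}


def analyse(processed):
    """Correlate hosts sharing an IP and flag names that look like non-production assets."""
    by_ip = defaultdict(list)
    for host, info in processed.items():
        if info["ip"]:
            by_ip[info["ip"]].append(host)
    return {
        "anomalies": sorted(h for h in processed if ANOMALY_RE.search(h)),
        "shared_ips": {ip: sorted(hs) for ip, hs in by_ip.items() if len(hs) > 1},
        "unresolved": sorted(h for h, i in processed.items() if i["ip"] is None),
    }


if __name__ == "__main__":
    hosts = process(RAW_FINDINGS, RESOLUTIONS)
    for host, info in sorted(hosts.items()):
        print(f"{host:24} {info['ip'] or '-':14} seen by {', '.join(info['sources'])}")
    print(analyse(hosts))
```

The "shared_ips" grouping is the cheap version of correlation: two names on one address often means one web server with several virtual hosts, so a finding on one of them usually applies to the other. The anomaly list is a starting point for the "forgotten assets, dev envs" line of the lifecycle, not a verdict.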
Types of Recon
Passive Recon — No packets touch the target. Zero interaction.
Certificate transparency logs
WHOIS/RDAP
Search engine caching
GitHub searches
Shodan/Censys (they scan, you query)
Active Recon — You interact with target infrastructure directly.
DNS queries to target's nameservers
Port scanning
HTTP requests to discovered hosts
Banner grabbing
Anything active leaves log entries. Even a DNS query can be logged: if you query the target's authoritative nameserver directly, the request arrives at infrastructure the target controls. Going through a public recursive resolver hides your address and, for cached records, never reaches the target at all, but the resolver operator sees the query instead.
Hybrid — OSINT to narrow scope, then targeted active probing. This is what professional red teamers do: passive to build the map, active to confirm and detail.
OPSEC During Recon
This is where professionals separate from amateurs. Your recon footprint can alert defenders or burn your infrastructure.
Tiered infrastructure model: Your Machine → VPN/Proxy → Recon VPS → Target
Never query from your home/office IP. Use:
Dedicated cloud VPS (Vultr, DigitalOcean, Hetzner)
Rotating residential proxies for web scraping
Tor for extremely sensitive passive queries
Separate VPS per engagement (burn after use)
Tool fingerprinting : Tools have signatures. amass identifies itself with a known User-Agent; nmap's default probes have recognisable packet characteristics, and its NSE HTTP scripts send a default User-Agent that literally names the Nmap Scripting Engine. Defenders with good SIEM coverage can identify your tooling from these alone, so change the defaults (User-Agent, timing) wherever the tool allows it.
Rate limiting : Aggressive scanning triggers WAF blocks and IDS alerts. APT operators scan slowly — sometimes one port per minute across thousands of hosts.
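To see what "defenders with good SIEM coverage" actually match on, here is the detection side of the two OPSEC points above, as an added example (not code from this guide): a small parser for web-server access logs that flags request User-Agents carrying tool signatures and source addresses that burst past a request-rate threshold. The log lines are constructed. The Nmap Scripting Engine User-Agent is the real default string; the other signatures are plain substring patterns chosen for the example, and a production rule set would be far broader.

```python
"""Defender's view of recon OPSEC: tool User-Agents and request bursts in access logs.

Added example, not from the original guide. SAMPLE_LOG is constructed; the
signature list is an illustrative shortlist, not a complete rule set."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log lines (three sources, one browser, two tools).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
198.51.100.9 - - [22/Mar/2026:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.9 - - [22/Mar/2026:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.44 - - [22/Mar/2026:10:00:03 +0000] "GET /admin HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
192.0.2.44 - - [22/Mar/2026:10:00:03 +0000] "GET /api HTTP/1.1" 200 120 "-" "python-requests/2.31.0"
192.0.2.44 - - [22/Mar/2026:10:00:04 +0000] "GET /login HTTP/1.1" 200 880 "-" "python-requests/2.31.0"
192.0.2.44 - - [22/Mar/2026:10:00:04 +0000] "GET /backup HTTP/1.1" 404 0 "-" "python-requests/2.31.0"
192.0.2.44 - - [22/Mar/2026:10:00:05 +0000] "GET /old HTTP/1.1" 404 0 "-" "python-requests/2.31.0"
203.0.113.7 - - [22/Mar/2026:10:01:30 +0000] "GET /about HTTP/1.1" 200 700 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that identify common tooling. Illustrative shortlist for this example.
TOOL_SIGNATURES = {
    "nmap-nse": "Nmap Scripting Engine",
    "sqlmap": "sqlmap/",
    "nikto": "Nikto",
    "python-requests": "python-requests/",
    "go-http-client": "Go-http-client/",
}


def parse_log(text):
    """Return (ip, datetime, user_agent) for each well-formed line; skip the rest."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        out.append((m.group("ip"), ts, m.group("ua")))
    return out


def tool_hits(entries):
    """Map source IP -> set of tool names whose signature appears in its User-Agent."""
    hits = defaultdict(set)
    for ip, _, ua in entries:
        for name, sig in TOOL_SIGNATURES.items():
            if sig in ua:
                hits[ip].add(name)
    return dict(hits)


def burst_sources(entries, window_s=10, threshold=5):
    """IPs that issued >= threshold requests inside any window_s-second sliding window."""
    per_ip = defaultdict(list)
    for ip, ts, _ in entries:
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("tool user-agents:", tool_hits(entries))
    print("bursting sources:", burst_sources(entries))
```

Note what each check catches: the slow "one request a minute" posture defeats `burst_sources` entirely but does nothing against `tool_hits`, and a rotated User-Agent defeats `tool_hits` but not the rate check. That is why the OPSEC section treats tool fingerprints and rate as two separate problems.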
Target Profiling & Intelligence Gathering
1. Concept: Organization Profiling
Before touching DNS, you need to understand what you're profiling. A target isn't just a domain — it's a corporate entity with subsidiaries, acquisitions, contractors, and technology vendors. Each of these represents potential attack surface.
Corporate intelligence hierarchy: Parent Company
├── Subsidiary A (separate domain, separate infra)
├── Subsidiary B (recently acquired, old security posture)
├── Joint Ventures
└── Technology Partners (SaaS, outsourced IT)
Subsidiaries from acquisitions are goldmines. The acquiring company inherits the acquired company's entire security debt. Old, forgotten domains, legacy infrastructure, and misconfigured systems become in-scope.
2. Intelligence Sources
SEC EDGAR (US) — For public companies: https://www.sec.gov/cgi-bin/browse-edgar?company=TARGET&CIK=&type=10-K&dateb=&owner=include&count=40&search_text=&action=getcompany
# 10-K filings list the registrant's subsidiaries (Exhibit 21).
# 8-K filings announce material events, including acquisitions.
# This is legal, public, and ignored by most pentesters.
Companies House (UK) / MCA (India) / Orbis (Global) — Similar corporate registries.
LinkedIn Intelligence: Search operators:
"company:TARGET" employees → map org structure
Filter by: Security, IT, DevOps → identify tech stack from job titles
Job postings → "We use AWS, Kubernetes, Terraform" = technology disclosure
Certifications on profiles → "AWS Certified" = cloud-heavy org
Job postings are intelligence gold. A posting for "Senior Engineer — Palo Alto Networks NGFW" tells you their firewall vendor. "Experience with Splunk required" tells you their SIEM.
crunchbase.com - Funding rounds reveal acquisitions. pitchbook.com — More detailed M&A history.
3. Tools
Recon-ng - Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. The modules used below query third parties (search engines, WHOIS), so nothing touches the target's own infrastructure.
# Install (Kali ships it; otherwise install from the GitHub repository)
sudo apt install recon-ng
# or:
git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng && pip3 install -r REQUIREMENTS
# Launch and create a workspace (one per engagement keeps data separated)
recon-ng
> workspaces create TARGET_NAME
# Install modules from the marketplace (some need API keys: keys add <name> <value>)
> marketplace install all
# Add seed domain and enumerate hosts from search-engine results
> modules load recon/domains-hosts/google_site_web
> options set SOURCE target.com
> run
# Harvest points of contact from WHOIS
> modules load recon/domains-contacts/whois_pocs
> options set SOURCE target.com
> run
# Export everything (recon-ng 5.x loads reporting modules with "modules load")
> modules load reporting/html
> run
Target Domain - https://www.dsci.in/
Crawling ~
Katana - A next-generation crawling and spidering framework (ProjectDiscovery). Crawling is active recon: every request below lands in the target's logs.
Commands -
1. Max depth
katana -u https://www.dsci.in/ -d 10 -jc -jsl -kf all -pc -xhr -td -c 20 -rl 100 -timeout 15 -o katana_deep.txt -v
This one-liner breakdown -
-u https://target.com → target website
-d 10 → deep crawl (max depth 10)
-jc → crawl endpoints found inside JavaScript files
-jsl → jsluice parsing of JavaScript (finds URLs, routes and secrets; memory-intensive)
-kf all → crawl robots.txt , sitemap.xml and other known files (needs a depth of at least 3)
-pc → path climbing ( /admin/login → /admin/ → / )
-xhr → extract XHR/fetch API endpoints
-td → technology detection
-c 20 → concurrency (speed up crawling)
-rl 100 → rate limit of 100 requests per second. This is a throughput cap, not a stealth setting; for the slow-and-quiet posture described in the OPSEC section use a far lower value (for example -rl 1, or -rlm for a per-minute limit)
-timeout 15 → better for slow pages
-o katana_deep.txt → save output
-v → verbose output
2. Aggressive scan
katana -u https://www.dsci.in/ -d 15 -jc -jsl -kf all -pc -xhr -hl -aff -fx -td -c 30 -rl 150 -timeout 20 -j -o katana_deep.jsonl
This one-liner breakdown (flags not already covered) -
-hl → headless browser for JS-heavy apps (needs Chrome/Chromium available locally)
-aff → automatic form filling (experimental). It submits forms, so it can create records on the target; use only inside an authorised scope
-fx → extract forms & inputs into the output
-j → JSONL output (for jq, nuclei, custom parsers)
3. Crawl only endpoints (deep), collapsing repeats that differ only by query parameters
katana -u https://www.dsci.in/ -d 10 -jc -jsl -kf all -pc -td -iqp -c 20 -rl 200
-iqp → ignore query params: the same path with different query-string values is crawled once
4. Simple scan
katana -u https://www.dsci.in/ -d 10
Flags change between katana releases; confirm each one against katana -h for the version installed before pasting a one-liner into an engagement.
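The JSONL from the aggressive scan (-j with -fx and -td) is only useful once it is triaged, and the raw file repeats the same path under every query-string variant. The following is an added example, not part of this guide or of katana itself: it loads JSONL records, collapses endpoints that differ only by query parameters (the post-processing equivalent of -iqp), flags paths worth a closer look, pulls out discovered forms with their parameters, and summarises detected technologies per host. The records are constructed and follow the general shape of katana's output (request.endpoint, request.source, response.status_code, response.technologies, response.forms); field names vary between versions, so check them against real output before relying on the parser.

```python
"""Triage katana JSONL output: unique endpoints, interesting paths, forms, tech per host.

Added example, not from the original guide or from katana. SAMPLE_JSONL is
constructed and only approximates katana's record layout; verify field names
against the installed version's output."""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed records in the general shape of katana -j -fx -td output.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"request": {"method": "GET", "endpoint": "https://www.example.com/", "source": ""},
     "response": {"status_code": 200, "technologies": ["Nginx", "jQuery"], "forms": []}},
    {"request": {"method": "GET", "endpoint": "https://www.example.com/login?next=/",
                 "source": "https://www.example.com/"},
     "response": {"status_code": 200, "technologies": ["Nginx"],
                  "forms": [{"method": "POST", "action": "https://www.example.com/login",
                             "parameters": ["username", "password", "csrf"]}]}},
    {"request": {"method": "GET", "endpoint": "https://www.example.com/login?next=/account",
                 "source": "https://www.example.com/account"},
     "response": {"status_code": 200, "technologies": ["Nginx"], "forms": []}},
    {"request": {"method": "GET", "endpoint": "https://www.example.com/static/app.js",
                 "source": "https://www.example.com/"},
     "response": {"status_code": 200, "technologies": [], "forms": []}},
    {"request": {"method": "GET", "endpoint": "https://api.example.com/v1/users",
                 "source": "https://www.example.com/static/app.js"},
     "response": {"status_code": 401, "technologies": ["Express"], "forms": []}},
    {"request": {"method": "GET", "endpoint": "https://www.example.com/admin/",
                 "source": "https://www.example.com/robots.txt"},
     "response": {"status_code": 403, "technologies": ["Nginx"], "forms": []}},
])

# Paths and extensions that usually deserve manual follow-up. Illustrative list.
INTERESTING_RE = re.compile(
    r"/(admin|api|v\d+|internal|debug|backup|config)(/|$)|\.(js|json|env|bak|sql)$", re.I
)


def load(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def strip_query(url):
    """Drop query string and fragment so /login?next=/ and /login?next=/account collapse."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def inventory(records):
    """Unique endpoints (query ignored) with status, where they were found, interest flag."""
    seen = {}
    for r in records:
        url = strip_query(r["request"]["endpoint"])
        if url in seen:
            continue
        seen[url] = {
            "status": r["response"].get("status_code"),
            "found_in": r["request"].get("source") or "(seed)",
            "interesting": bool(INTERESTING_RE.search(urlsplit(url).path)),
        }
    return seen


def forms(records):
    """Discovered forms keyed by action URL, with method and parameter names."""
    out = {}
    for r in records:
        for f in r["response"].get("forms", []):
            out[f["action"]] = {"method": f.get("method", "GET"),
                                "parameters": f.get("parameters", [])}
    return out


def tech_by_host(records):
    """Union of detected technologies per hostname."""
    tech = defaultdict(set)
    for r in records:
        tech[urlsplit(r["request"]["endpoint"]).netloc].update(
            r["response"].get("technologies", []))
    return {h: sorted(v) for h, v in tech.items()}


if __name__ == "__main__":
    recs = load(SAMPLE_JSONL)
    for url, info in inventory(recs).items():
        flag = "*" if info["interesting"] else " "
        print(f"{flag} {info['status']} {url}  <- {info['found_in']}")
    print(forms(recs))
    print(tech_by_host(recs))
```

The "found_in" field is the part worth keeping: an API endpoint that only surfaces from inside a JavaScript bundle, or an admin path that only appears because robots.txt disallowed it, tells you how the asset was exposed and therefore how likely the owner is to know about it.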
#bug-bounty #penetration-testing #bug-bounty-tips #hacking #bug-hunting