🐛 The Ultimate Bug Bounty Course: From Zero to Advanced Hacker 6 | by Dasiel Ramirez Hernandez - Freedium
Volume 2, Post 6: Passive Recon & OSINT (The Art of Invisible Intelligence)
Dasiel Ramirez Hernandez
March 26, 2026 (Updated: March 26, 2026)
Before you launch a single exploit or fire up an automated scanner, you must understand your target. In the bug bounty universe, if you only attack the main application (e.g., www.target.com), you are competing against thousands of other hackers looking at the exact same code. To find high-paying, critical vulnerabilities, you must look where others aren't: forgotten subdomains, hidden administrative panels, and legacy servers.
This process is called Reconnaissance (Recon), and it is divided into two phases: passive and active. In this post, we will master Passive Reconnaissance and OSINT (Open Source Intelligence).
Passive reconnaissance is the process of gathering publicly available information about a target without ever directly interacting with their servers. Because you rely on third-party databases, the target organization has absolutely no idea you are investigating them. Let's dive into the hacker's stealth toolkit.
1. WHOIS & ASN Lookups (Finding the Perimeter)
Your first goal is to determine exactly what the target organization owns. Every website, domain name, and IP address has a unique identifier registered in a public directory known as WHOIS.
By querying WHOIS databases, you can extract the domain's registration details, technical contacts, and physical locations. However, the real power for a hacker lies in discovering the Autonomous System Number (ASN). Large organizations often own massive blocks of IP addresses routed through a unique ASN. By finding a company's ASN using a reverse WHOIS lookup or tools like whois.cymru.com, you can identify their entire dedicated IP range. If the bug bounty program's policy states that "all corporate assets are in scope," you now have thousands of IP addresses to test rather than just one domain.
2. Certificate Transparency (Uncovering Hidden Subdomains)
Modern web traffic is encrypted using SSL/TLS certificates. Whenever a company stands up a new secure subdomain (e.g., dev-api.target.com), it must obtain a certificate for it from a Certificate Authority. To prevent rogue certificates from going unnoticed, these issuances are logged in public databases called Certificate Transparency (CT) logs.
A certificate contains a field called Subject Alternative Name (SAN), which lists all the hostnames protected by that certificate. As a hacker, you can parse these logs to find hidden subdomains without ever pinging the target's servers.
crt.sh: This website allows you to search for any domain and instantly see all the subdomains associated with its registered certificates. You can even append &output=json to the URL to download the data programmatically for your automated scripts.
Wildcard Certificates: Sometimes companies register a wildcard certificate (e.g., *.target.com). While crt.sh won't show you the exact subdomains behind a wildcard, it will give you a unique certificate hash. You can then search that hash on Censys.io, a platform that scans the internet and tracks where certificate hashes are actively deployed, revealing the exact subdomains.
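The &output=json feed is only useful once it is turned into a clean hostname inventory, and the same inventory tells a defender which names nobody has renewed a certificate for. The script below is an added example, not code from the post or from crt.sh. It assumes the shape of crt.sh's JSON (a common_name field and a name_value field with one SAN hostname per line, plus not_before/not_after timestamps); the records are constructed to match that shape so it runs offline, with target.com as the post's placeholder domain.

```python
"""Turn crt.sh JSON output into a hostname inventory.

Added example, not code from the original post. Appending &output=json to a crt.sh
query (e.g. https://crt.sh/?q=%25.target.com&output=json) returns a JSON array; the
shape assumed here is a common_name plus a name_value field with one SAN hostname
per line and not_before/not_after timestamps. The records below are CONSTRUCTED.
"""
import json
from datetime import datetime
from typing import Dict, List, Set

SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.target.com",
     "name_value": "target.com\nwww.target.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"common_name": "dev-api.target.com",                      # names only ever on an expired cert
     "name_value": "dev-api.target.com\nstaging.target.com",
     "not_before": "2024-06-01T00:00:00", "not_after": "2024-08-30T00:00:00"},
    {"common_name": "*.target.com",                            # wildcard, also expired
     "name_value": "*.target.com\ntarget.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-12-31T23:59:59"},
    {"common_name": "www.target.com",                          # mixed case plus a partner's SAN
     "name_value": "WWW.Target.com\ntarget.com\ncdn.partner-example.net",
     "not_before": "2025-03-01T00:00:00", "not_after": "2025-12-01T00:00:00"},
])


def _names_in(record: dict) -> Set[str]:
    """Every hostname a record covers (CN plus each SAN line), lowercased and stripped."""
    raw = [record.get("common_name", "")] + record.get("name_value", "").split("\n")
    return {n.strip().lower() for n in raw if n.strip()}


def _in_scope(name: str, apex: str) -> bool:
    """True when the name is the apex or sits beneath it; wildcards are judged by their base."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == apex or bare.endswith("." + apex)


def parse_crtsh(raw_json: str, apex: str) -> Dict[str, List[str]]:
    """Split crt.sh output into concrete in-scope hosts, wildcard names, and names outside the apex."""
    hosts, wildcards, unrelated = set(), set(), set()
    for record in json.loads(raw_json):
        for name in _names_in(record):
            if not _in_scope(name, apex):
                unrelated.add(name)          # e.g. a partner domain sharing the certificate
            elif name.startswith("*."):
                wildcards.add(name)          # take the cert hash to Censys for these
            else:
                hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards), "unrelated": sorted(unrelated)}


def stale_hosts(raw_json: str, apex: str, now: str) -> List[str]:
    """In-scope hosts whose every certificate (including any wildcard for their parent) had expired by `now`.

    Nobody re-issuing a certificate for a name is a hint it was forgotten: a candidate for a
    hunter, a cleanup item for the owner."""
    now_dt = datetime.fromisoformat(now)
    latest: Dict[str, datetime] = {}
    for record in json.loads(raw_json):
        expiry = datetime.fromisoformat(record["not_after"])
        for name in _names_in(record):
            if _in_scope(name, apex) and expiry > latest.get(name, datetime.min):
                latest[name] = expiry

    def covered_by_wildcard(host: str) -> bool:
        parent = host.partition(".")[2]
        return latest.get("*." + parent, datetime.min) >= now_dt

    return sorted(h for h, exp in latest.items()
                  if not h.startswith("*.") and exp < now_dt and not covered_by_wildcard(h))


if __name__ == "__main__":
    print(parse_crtsh(SAMPLE_CRTSH_JSON, "target.com"))
    print("stale:", stale_hosts(SAMPLE_CRTSH_JSON, "target.com", "2025-06-01T00:00:00"))
```

Two details matter in practice: names are lowercased before deduplication, because crt.sh echoes whatever case the CA recorded, and SANs belonging to other organizations are separated out rather than silently dropped, since a shared certificate is itself worth knowing about.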
3. Shodan (The Hacker's Search Engine)
If Google is the search engine for websites, Shodan is the search engine for internet-connected devices. While standard search engines crawl text and images, Shodan constantly scans the entire internet, mapping open ports, server banners, routers, industrial control systems, and databases.
Through Shodan, you can conduct highly targeted passive port scanning. Instead of actively scanning a target with Nmap (which is loud and triggers firewalls), you simply ask Shodan what it already knows about the target's IP addresses. You can use specialized queries to find vulnerable infrastructure:
org:"Target Company": Reveals all internet-facing devices owned by the organization.
port:22 or port:3306: Finds specific open ports, such as SSH or MySQL databases exposed to the public internet.
software:"Apache Tomcat": Identifies the exact server software and versions running, allowing you to cross-reference them with known public vulnerabilities (CVEs).
4. Google Dorking (Using Google as a Weapon)
Google Dorking, or Google Hacking, is an advanced technique that uses specific search operators to filter Google's massive index, revealing sensitive information that administrators accidentally left public.
Search engines index everything they can reach, sometimes capturing configuration files, internal documents, and forgotten login panels. Here are the essential operators every hacker must master:
site:target.com: Restricts the search exclusively to your target domain.
inurl:: Searches for specific strings inside the URL. For example, site:target.com inurl:admin can reveal hidden administrative portals.
filetype: or ext:: Filters results by file extension. Using site:target.com filetype:pdf or ext:log can instantly uncover confidential business reports or exposed server log files containing user session data.
intitle:: Searches the HTML title of the page. A classic dork like intitle:"index of" site:target.com looks for servers with directory listing enabled, allowing you to browse their file structure like a local folder.
(Pro-Tip: The Google Hacking Database (GHDB) is an open-source repository containing thousands of pre-built dorks designed to find passwords, vulnerable servers, and exposed API keys. Use it for inspiration.)
5. The Wayback Machine (Time-Travel Hacking)
Web applications change constantly. Developers update code and remove links to old functionalities. However, just because a link was removed from the homepage does not mean the vulnerable code was deleted from the backend server.
The Wayback Machine (archive.org) is a digital time machine that has been taking snapshots of the internet since 2001. By entering your target domain, you can browse what the site looked like years ago. As a hacker, you can use this tool to find deprecated API endpoints, forgotten subdomains, and old JavaScript files that are no longer linked publicly but are still actively running (and usually unpatched) on the target's servers. Tools like Waybackurls can automate the extraction of every single historical URL associated with your target.
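Pulling every historical URL is the easy part; the work is collapsing years of captures into a reviewable list of endpoints, scripts, documents and parameters, and noting which ones the archive last saw as gone. The script below is an added example, not code from the post or from the Waybackurls tool. It assumes the shape of the Wayback CDX API's JSON output (first row is the header; fields requested as original, timestamp, statuscode, mimetype); the captures are constructed in that shape so it runs offline, using the post's target.com placeholder.

```python
"""Summarise Wayback Machine CDX API output into an endpoint inventory.

Added example, not code from the original post or from Waybackurls. The shape assumed
is that of the CDX API with output=json and fl=original,timestamp,statuscode,mimetype
(a JSON array whose first row is the header). The rows below are CONSTRUCTED.
"""
import json
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

SAMPLE_CDX_JSON = json.dumps([
    ["original", "timestamp", "statuscode", "mimetype"],
    ["http://target.com/", "20150301000000", "200", "text/html"],
    ["https://www.target.com/", "20220101000000", "200", "text/html"],
    ["http://target.com/static/app.v1.js", "20160101000000", "200", "application/javascript"],
    ["https://target.com/api/v1/users?id=1", "20170101000000", "200", "application/json"],
    ["https://target.com/api/v1/users?id=2", "20170201000000", "200", "application/json"],
    ["https://target.com/old-admin/login.php", "20140101000000", "200", "text/html"],
    ["https://target.com/old-admin/login.php", "20180101000000", "404", "text/html"],
    ["https://target.com/docs/internal.pdf", "20190101000000", "200", "application/pdf"],
])

DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "csv", "log", "bak", "sql"}


def summarise_cdx(raw_json: str) -> Dict[str, dict]:
    """Collapse captures onto host+path keys, keeping first/last capture and every query parameter name."""
    rows = json.loads(raw_json)
    header, captures = rows[0], rows[1:]
    summary: Dict[str, dict] = {}
    for row in captures:
        rec = dict(zip(header, row))
        parts = urlsplit(rec["original"])
        key = parts.netloc.lower() + (parts.path or "/")       # scheme and query string dropped
        ts, status = rec["timestamp"], rec["statuscode"]
        entry = summary.setdefault(key, {"first_seen": ts, "last_seen": ts,
                                         "last_status": status, "params": set()})
        if ts < entry["first_seen"]:
            entry["first_seen"] = ts
        if ts >= entry["last_seen"]:                           # 14-digit timestamps sort lexically
            entry["last_seen"], entry["last_status"] = ts, status
        entry["params"].update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return summary


def triage(summary: Dict[str, dict]) -> Dict[str, List[str]]:
    """Bucket the inventory the way a recon pass reviews it: hosts, scripts, API paths, documents, parameters."""
    buckets: Dict[str, List[str]] = {"hosts": sorted({k.split("/", 1)[0] for k in summary}),
                                     "scripts": [], "api": [], "documents": [],
                                     "parameterised": [], "removed": []}
    for key, entry in sorted(summary.items()):
        path = "/" + key.split("/", 1)[1]
        last_segment = path.rsplit("/", 1)[-1]
        ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
        if path.endswith(".js"):
            buckets["scripts"].append(key)
        if "/api/" in path:
            buckets["api"].append(key)
        if ext in DOCUMENT_EXTENSIONS:
            buckets["documents"].append(key)
        if entry["params"]:
            buckets["parameterised"].append(key)
        if entry["last_status"] in {"404", "410"}:             # archive's last word was "gone"
            buckets["removed"].append(key)
    return buckets


if __name__ == "__main__":
    inventory = summarise_cdx(SAMPLE_CDX_JSON)
    for k, v in sorted(inventory.items()):
        print(k, v["first_seen"][:4], "->", v["last_seen"][:4], v["last_status"], sorted(v["params"]))
    print(triage(inventory))
```

The "removed" bucket is a hint, not a verdict: the archive recording a 404 on its last visit says only that the crawler got a 404 that day, which is exactly the situation the post describes where the code may still be live. Parameter names are collected across all captures of a path so that a later, active phase has the full list rather than whichever query string happened to be archived last.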
Wrapping Up
Passive reconnaissance is the foundation of a successful bug bounty hunt. By using WHOIS, Certificate Transparency logs, Shodan, Google Dorks, and the Wayback Machine, you can build a massive, detailed map of your target's infrastructure without triggering a single security alert.
In the next post, we will take the gloves off. We will transition into Active Reconnaissance, using tools like Nmap and Gobuster to interact directly with the target, brute-force hidden directories, and map the true attack surface.
#web-security #hacking #bug-bounty #security #beginner