hG(+*%+*/GG A%J+*"G A%J+*T+

!"#$%&'()*%+ ,'(*-./0*1.(/

L5"*'/8(*!*F.((*2(2#(.Q5+$0*&@5.0*$(F@*@'%&
25+@'K
A%J+*"G*F5.*a()%"2*/+)*J(@*/+*(^@./*5+(

-./'/2*3(2($ 45$$56

758*9:;*<:<< = >*2%+*.(/) = =
?%&@(+

A/8(

!"#$%&'()#*'+
*,'&(%)-.#/0123#4%(5
6,,+7)#8,9:%&+;
<)&-=-;#>&?#05,?>&
TL;DR- One of the simplest and
surprisingly paid bounties out there.
This post is great for any bug-hunter
who’s just starting out, or developing a
real interest in the industry.

1&(9,?'@(%,&
OSINT. Open Source Intelligence. This is
a pretty popular term in cybersecurity,
and if you’re gathering any sort of
information on a potential target or
attack vector, that’s an important term to
know. If you’re just starting out, take a
look at this post on the best resources
I’ve found for cybersecurity beginners →

35)#A,>?#(,
B9,C)--%,&>7#A)?DE
3)>F#G>@:)9
,?BCDE*1$$*5F*@'(
G'0&%H/$*@55$&;I
.(G5&%@5.%(&;
2()%"2KH52
6(#&%@(&;*/+)
5G(./@%+J*&0&@(2&
05"*H5"$)*G5&&%#$0
+(()*@5*#(H52(*/I
I’ll be using Shodan, Censys and a few
other popular methods to search for
subdomains today, similar to my last
article that I wrote about subdomain
enumeration.

That article includes a great write-up

about how exposing the wrong
subdomain can lead to pretty significant
consequences. This post is going to go
into a larger variety of ways to search for
domain related vulnerabilities.

Disclaimer: any information learned in this

article or posted is to be used strictly for
legal, ‘white-hat’ hacking uses only. I am
not responsible for any malicious action
taken by readers of this post.

Plain and simple, your goal is to find

information or websites that aren’t
supposed to be available to the general
public (aka, you). Things like admin
pages are great because they might
occasionally pose a sign up feature
giving you elevated access to a service.
Or, they might pose a potential vector for
otherwise hacking an often less secure
login page.

Regardless, there’s plenty of methods out

there to find these kinds of pages. Here’s
a couple of my favorites →

HI#6,,+7)#8,9:%&+
Probably the oldest method on this list,
but it still works like a charm if you’re in
a pinch. A few great dorks to try and find
admin login pages include the following:

site:target.com inurl:admin
intitle:login site:website.com
intitle:/admin site:website.com
inurl:admin

intitle:admin
intext:admin

Feel free to swap ‘admin’ with any of the

following for best results:

administrator | debug | login |

root | wp-login | master |
superuser

These dorks are just generally good to

know, but they don’t provide the most
functionality with the sites we’re trying
to pen-test. This next method takes it a
step further.

JI#K-%&+#/L)&#0,'9@)#3,,7-
These do what we just did with Google
dorking, but fast and far more
efficiently. These tools automate the
process to let us sit back and have them
do the hard work while they run their
scripts. Here are three great resources I
found on Github that I’ve tested:

6%(G'M#D
N)5>?O7P'9>-5%QE
(KAR.#G%(#S>7%?#KAR
L5"*H/+M@*G(.F5.2
@'/@*/H@%5+*/@*@'%&I
@%2(K*L5"*&%J+()*%+
J%@'"#KH52
6%@'*/+5@'(.*@/#*5.
6%+)56K*L5"*&%J+()
5"@*%+*/+5@'(.*@/#
5.I
6%(G'M#D
F1@G=OFA>2)Q,E
>?F%&C%&?)9J.#T
1)2%+*G/+($*F%+)(.
O?F%&#L>&)7#C%&?)9
N*1)2%+*?5J%+*!/JI
Q#O?F%&#R,+%&
4%+)(.*O*¢σ∂є∂*ву
B>+)#U%&?)9#V
J%@'"#KH52
*P Q R* *Q
¢σ∂є∂#ву# E
-%@S"#*Q
2THS012D/7(N5U/
)2%+F%+)(.VE*W
1)2%+I
6%(G'M#D#(5)D
@"?J9Q>?F%&DE
C%&?)9.#*7>W%&+#C>-(
X$/Y%+J*F/&@*/)2%+
>?F%&#L>&)7#C%&?)9
G/+($*F%+)(.*6%@'I
X%(5#>-=&@%,#>&?
/&0+H%5*/+)*/%5'@@G
>%,5((L
J%@'"#KH52
Q*-%@S"#*Q*@'(Q
H:)V.N/)2%+Q
F%+)(.E*X$/Y%+J*F/&@
/)2%+*G/+($I
These repositories have been tested and
work as of 11/9/22. As a bonus, I’ve
included my personal automation tool
that I use for subdomain enumeration
bugs and all sorts of other bounties →

6%(G'M#D
+9>5>FW)F)7Q4E
G)@:0@>&&)9.#O
Z.%@@(+*#0*-./'/2
5>@:%&+#(,,7#C,9
3(2($;*"&%+J*7%U@5I
M'+#M,'&(%)-I
7"H$(%;*A[$2/G;
05>9%&+#>&?
J%@'"#KH52
1+(6;*-/";*/+)
F,?%C=%&+#%-E
25.(\*A[$2/G;*/
@55$*F5.*@(&@%+J*&[$
%+](H@%5+I
YI#K-%&+#5((LZ#[,&)#,C#F=#C>S,9%()#F)(5,?-\
Httpx is a great tool that’s a lot like the
one’s listed above but requires a bit of
technical know-how and command line
knowledge to get started with. If you’d
rather just have a complete graphical
interface and not worry about command
prompts, skip to the #1 tool that I’ve
found works best for website
information gathering.

Nearing 4K stars on Github, it’s a super

popular tool because of it’s simple
concept but incredible implementations.
Here’s a few commands to best utilize it
in bug hunting:

httpx -l hosts.txt -paths

/root/login.txt -threads 50 -
random-agent -x GET, POST -
tech-detect -status-code -
follow-redirects -title -
content-length
httpx -l hosts.txt -ports
80,443,8009,8080,8081,8090,8180
,8443 -paths /root/login.txt -
threads 50 -random-agent -x
GET, POST -tech-detect -status-
code -follow-redirects -title -
content-length

It runs through all the website hosts

inside ‘hosts.txt’, checks if their
responses match your bug criteria, and
and hands you bugs and potential
vulnerabilities on a silver platter if they
do.

Here’s the source code from Github →

6%(G'M#D
L9,])@(?%-@,S)9=QE
((LZ.#5((LZ#%-#>#C>-(
'@@G^*%&*/*F/&@*/+)
>&?#F'7(%DL'9L,-)
2"$@%QG".G5&(I
G33B#(,,7:%(#(5>(
S,,!*@55$U%@*@'/@
>77,X-#9'&&%&+E
J%@'"#KH52
/$$56&*."++%+J
2"$@%G$(*G.5#(&
"&%+J*@'(
.(@.0/#$('@@G
!I#0)>9@5#)&+%&)-I#2,;#&,(#(5)#5'F>&#,&)-I
$%#./.0K*T@I
Search engines are a phenomenal
resource for bug hunting, and they
usually provide the best data, and best
formatted data so that you’re not wasting
any time sifting through terminal
outputs or that sort of thing.

These are the best internet search

engines I’ve found that look for
machines instead of at user queries like
Google does →

Shodan

ssl.cert.subject.cn:"website.co
m" http.title:"admin"
ssl: "website.com" http.title:
"admin"
ssl.cert.subject.cn:"website.co
m" admin
ssl: "website.com" admin

Fofa

cert = "website.com" && title =

"admin"
cert.subject = "website.com" &&
title = "admin"
cert = "website.com" && body =
"admin"

Censys

(services.tls.certificates.leaf
_data.issuer.common_name:
website.com) AND
services.http.response.html_tit
le: admin
(services.tls.certificates.leaf
_data.issuer.common_name:
website.com) AND
services.http.response.body:
admin

In my opinion, these get the best results

for things like bug hunting. I highly
suggest checking out that other article
on Censys if you’re interested in some
quick and easy bugs that require
virtually no work →

0)>9@5%&+#C,9
0'M?,F>%&E
^'7&)9>M%7%(%)-
,?BCDQ*1*_'56Q@5`
'-%&+#<)&-=-
5+*"@%$%Y%+J*/*J.(/@I
@55$*@'/@*@/U(&*@'(
2()%"2KH52
H5+H(G@*5F*_-55J$(
)5.U%+J`*@5*/*6'5$(
+(6*$(8($K*,'%&I
If you end up finding a good bug that you
can submit to a bug bounty program like
HackerOne, make sure to review this
post for creating the perfect report →

G,X#3,#<9>C(#O
B9,C)--%,&>7#*'+E
*,'&(=#A)L,9(
,?BCDQ
[_Z(9>#``\
C5H"2(+@%+J*@'(I
#"J&*5.
2()%"2KH52
8"$+(./#%$%@%(&
05"`8(*F5"+)*%&*@'(
$/&@*&@(G*%+*#"J
'"+@%+J;*2/U(*&".(
@5*F%+%&'*&@.5+JI

Thanks for reading! If you enjoyed this

post, hold down the clap button for a few
seconds to show your support. To read
similar posts, check out more from The
Gray Area. To help me create more
content, sign up for a Medium
membership with my referral link →

N,%&#$)?%'F#X%(5
F=#9)C)99>7#7%&:#DE
69>5>F#a)F)7
D(/)*/$$*5F*-./'/2
3(2($M&*G5&@&;*/+)I
/+0*5@'(.*G5&@*F.52
J./'/2Y(2($K2()%"2KH
@'5"&/+)&*5F
52
a()%"2*6.%@(.&\
L5"M$$*J(@*F"$$*/HH(&&
@5*(8(.0I
Thanks!

S/HU%+J g0#(.&(H".%@0 h&%+@

!(+@(&@%+J X"J*X5"+@0

9:<

9:<

!"#$%&'()&*)+,-&.)/+*,&'()&/*0')*1X(@/
L5".*@%G*6%$$*J5*@5*-./'/2*3(2($*@'.5"J'*/*@'%.)QG/.@0
G$/@F5.2*5F*@'(%.*H'5%H(;*$(@@%+J*@'(2*U+56*05"
/GG.(H%/@(*@'(%.*&@5.0K

-%8(*/*@%G

203"&45&6$*&7),048&9&:()&;*+%&<*)+
X0*,'(*-./0*1.(/

1*'/+)QG%HU()*&($(H@%5+*5F*@'(*#(&@*G5&@&*F.52*@'/@
6((U;*G$"&*"G)/@(&*%+*@'(*H52G"@(.*&H%(+H(*F%($)Kb,/U(*/
$55UK

X0*&%J+%+J*"G;*05"*6%$$*H.(/@(*/*a()%"2*/HH5"+@*%F*05"*)5+`@*/$.(/)0
'/8(*5+(K*D(8%(6*5".*!.%8/H0*!5$%H0*F5.*25.(*%+F5.2/@%5+*/#5"@*5".
G.%8/H0*G./H@%H(&K

-(@*@'%&*+(6&$(@@(.

7$*)&6*$8&:()&;*+%&<*)+ 45$$56

45.*/$$*U%+)&*5F*)(8($5G(.& ;*'/HU(.& ;*/+)*@(H'Q

&/880*.(/)(.& *c*4.((*+(6&$(@@(.&*(/H'*Z()+(&)/0
5+*@'(*+(6(&@*@(H'*'/.)6/.(*/+)*&5F@6/.(\*c*756
6($H52%+J*+(6*6.%@(.&\

a%U(*,/U/'/&'% = d/+*e

b#6,,+7)#8,9:-#_S)9=#G>@:)9
05,'7?#c&,X

X"J*X5"+@0 V*2%+*.(/)

A'/.(*05".*%)(/&*6%@'*2%$$%5+&*5F*.(/)(.&K

Z.%@(*5+*a()%"2

?"H9FV. = d/+*<

<5>(6B3#d#*'+#*,'&(=
A)@,&#O'(,F>(%,&

D(H5+ i*2%+*.(/)

S/&/+*1#5"$S/&/+ = 758*V;*<:<<

G,X#(,#*'%7?#>&#1&@,F)
0(9)>F#X%(5#OB1-#

D/G%)/G% i*2%+*.(/)

-./'/2*3(2($ = d/+*9f

*'+#G'&(%&+#!"!.#$'7(%DU>@(,9
O'(5)&(%@>(%,&#/3B#*=L>--

S/HU%+J >*2%+*.(/)

-./'/2*3(2($ = 758*<>;*<:<<

B!#*'+#G'&(%&+#d#_ZL7,%(%&+
<,FF,&#4,9?L9)--E
^'7&)9>M%7%(%)-

X"J*X5"+@0 >*2%+*.(/)

D(/)*25.(*F.52*,'(*-./0*1.(/

1#5"@ S($G ,(.2& !.%8/H0

;)'&'()&7),048&+55