
bounty-recon

Use at the start of a bug bounty engagement. Provides scope-aware recon methodology — passive enumeration, subdomain discovery, asset attribution, tech stack fingerprinting, content discovery. Respects scope and program rules. Triggers on "bounty recon", "subdomain enum", "attack surface map", "h1 recon", "bug bounty start".
26zl/cybersec-toolkit · ★ 6 · AI & Automation · score 73
Install: claude install-skill 26zl/cybersec-toolkit
# Bug bounty recon methodology

## 0. Read the scope, twice

Before running any tool:

- In-scope domains, IPs, mobile apps?
- Out-of-scope (often: blogs, marketing sites, third-party SaaS, login portals with rate limits)?
- Allowed test types (active scanning? brute force? social engineering?)?
- Reporting requirements (PoC format, CVSS, screenshots)?

If on HackerOne / Bugcrowd, parse the scope CSV. Out-of-scope hits cost reputation.

## 1. Passive (no traffic to target)

```bash
# Subdomain via cert transparency
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

# Subdomain via passive sources
amass enum -passive -d target.com
subfinder -d target.com -all -silent
assetfinder --subs-only target.com
findomain -t target.com

# Combined
echo target.com | tlsx -san -cn -silent | sort -u
```

GitHub / GitLab / Postman dorking:

```bash
# tools in registry
gitleaks detect --source=. --no-git
trufflehog github --org=target-org

# Manual:
# site:github.com "target.com" password
# site:postman.com "target.com"
```

OSINT layer:

- `whois target.com`
- ASN: `whois -h whois.cymru.com " -v target.com"`
- Reverse DNS / reverse whois — `domainmonster`, `viewdns.info`
- Wayback: `waybackurls target.com | sort -u > wayback.txt`
- Common Crawl: `gau target.com`

## 2. Active (only after passive sweep)

Subdomain bruteforcing — only if scope allows:

```bash
# DNS bruteforce
shuffledns -d target.com -w wordlists/dns.txt -r resolvers.txt

# Permutation
```
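The "parse the scope CSV" step and the crt.sh output above, as an added example that is not part of the skill or the cybersec-toolkit project: a Python scope gate that flattens crt.sh-style JSON into bare hostnames and sorts each one into in-scope, out-of-scope or unknown before any active stage runs. The scope column names (loosely modelled on a HackerOne export), the sample certificate entries and the hostnames are all constructed assumptions; map your own program's columns accordingly.

```python
"""Scope gate for passive recon output (added example, not the skill's own code).

Reads a program scope table plus crt.sh-style JSON and partitions every
discovered hostname into in / out / unknown. All data below is constructed.
"""
import csv
import io
import json

# Constructed scope table. Column names are an assumption loosely following a
# HackerOne scope export (identifier, asset_type, eligible_for_submission, ...).
SCOPE_CSV = """\
identifier,asset_type,eligible_for_submission,eligible_for_bounty
*.target.com,URL,true,true
api.target.com,URL,true,true
blog.target.com,URL,false,false
*.marketing-target.com,URL,false,false
"""

# Constructed crt.sh-style output: name_value may hold several newline-separated
# names, and wildcard certificates appear as "*.domain".
CRTSH_JSON = json.dumps([
    {"name_value": "api.target.com\nwww.target.com"},
    {"name_value": "*.target.com"},
    {"name_value": "blog.target.com"},
    {"name_value": "staging.api.target.com"},
    {"name_value": "target.com.attacker-lookalike.net"},
    {"name_value": "cdn.marketing-target.com"},
])


def load_scope(csv_text):
    """Return (in_scope, out_of_scope) identifier lists from the scope table."""
    in_scope, out_of_scope = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ident = row["identifier"].strip().lower()
        if row["eligible_for_submission"].strip().lower() == "true":
            in_scope.append(ident)
        else:
            out_of_scope.append(ident)
    return in_scope, out_of_scope


def hostnames_from_crtsh(json_text):
    """Flatten crt.sh JSON into a set of bare, lower-cased hostnames."""
    hosts = set()
    for entry in json.loads(json_text):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):      # wildcard cert -> keep the base name
                name = name[2:]
            if name:
                hosts.add(name)
    return hosts


def matches(host, identifier):
    """True if host is covered by a scope identifier.

    "*.example.com" covers any host ending in ".example.com" but deliberately
    not the apex itself: a wildcard says nothing about the apex, so it stays
    "unknown" until the program lists it explicitly.
    """
    if identifier.startswith("*."):
        return host.endswith(identifier[1:])
    return host == identifier


def classify(host, in_scope, out_of_scope):
    """Exclusions win: an out-of-scope host under an in-scope wildcard is out."""
    if any(matches(host, i) for i in out_of_scope):
        return "out"
    if any(matches(host, i) for i in in_scope):
        return "in"
    return "unknown"


def partition(hosts, in_scope, out_of_scope):
    """Bucket hostnames; only the "in" bucket may feed active tooling."""
    buckets = {"in": [], "out": [], "unknown": []}
    for host in sorted(hosts):
        buckets[classify(host, in_scope, out_of_scope)].append(host)
    return buckets


def gate_recon_output(csv_text=SCOPE_CSV, json_text=CRTSH_JSON):
    in_scope, out_of_scope = load_scope(csv_text)
    return partition(hostnames_from_crtsh(json_text), in_scope, out_of_scope)


if __name__ == "__main__":
    for bucket, hosts in gate_recon_output().items():
        print(f"{bucket:8}", *hosts)
```

Two deliberate choices: an explicit exclusion beats a broad wildcard, so `blog.target.com` stays out even though `*.target.com` is in scope, and a wildcard does not cover its own apex, so `target.com` lands in "unknown" rather than being assumed testable. Anything in "unknown" (including look-alike names that merely contain the target string) goes back to the scope page, not to the active stage.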