Reconnaissance: the art of finding targets
OSINT, subdomain enumeration, port scanning, fingerprinting and content discovery: the phase that determines 70% of success in bug bounty.
Reconnaissance (recon) is the most important phase of any security engagement. Hunters who do deep recon find vulnerabilities that others miss, because they test targets nobody else has tested.
"Recon is not just about finding subdomains. It's about understanding the attack surface better than the developers who built it."
OSINT (Open Source Intelligence)
OSINT collects public information about the target before touching its infrastructure.
Primary sources
| Source | What it finds | Tool |
|---|---|---|
| Google Dorks | Indexed pages, files, configs | site:target.com filetype:env |
| GitHub/GitLab | Source code, secrets, tokens | truffleHog, gitLeaks |
| Certificate Transparency | Historical subdomains | crt.sh, certspotter |
| DNS Records | Subdomains, MX, TXT, CNAME | dnsx, dig |
| Wayback Machine | Historical URLs, removed parameters | waybackurls, gau |
| Shodan/Censys | Exposed services, banners | shodan CLI, censys |
| Social media | Technologies, employees, processes | LinkedIn, Twitter |
Essential Google Dorks
```text
# Sensitive files
site:target.com filetype:env
site:target.com filetype:json "api_key"
site:target.com filetype:sql
site:target.com filetype:log
# Admin panels
site:target.com inurl:admin
site:target.com inurl:login
site:target.com intitle:"Dashboard"
# Errors and debug output
site:target.com "fatal error" OR "stack trace"
site:target.com "SQL syntax"
site:target.com intitle:"Index of"
# Subdomains
site:*.target.com -www
```
GitHub Dorks
```text
# Tokens and secrets
org:target "api_key"
org:target "password"
org:target "secret_key" OR "access_token"
org:target filename:.env
org:target filename:.npmrc
# Configuration files
org:target filename:docker-compose.yml
org:target filename:config.json "database"
```
Subdomain Enumeration
Subdomain enumeration is the foundation of recon. Every subdomain is a potential target.
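As an added example (not code from the original page), a small Python consolidation step for the output of the passive sources listed below: it parses crt.sh's JSON (where one name_value can hold several newline-separated names and wildcard entries), normalises each name, drops anything outside the target domain, and merges a second one-name-per-line source. All sample data is constructed, and target.com stands in for the program's domain.

```python
import json
import re

# Constructed sample of crt.sh JSON output (same shape the crt.sh query on this
# page returns); name_value may hold several names separated by newlines.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "*.target.com\nmail.target.com"},
    {"name_value": "API.Target.com"},
    {"name_value": "dev.target.com."},
    {"name_value": "target.com.evil-lookalike.net"},  # out of scope: not under target.com
    {"name_value": "staging.target.com"},
])
# Constructed output of a second source (subfinder style), one name per line.
SUBFINDER_SAMPLE = "api.target.com\nvpn.target.com\n*.internal.target.com\n"

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")

def normalize(name, domain):
    """Lowercase, drop wildcard prefix and trailing dot; None if malformed or outside domain."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # "*.target.com" contributes the apex itself
    if not HOSTNAME_RE.match(name):
        return None
    if name != domain and not name.endswith("." + domain):
        return None  # "target.com.evil-lookalike.net" fails here
    return name

def names_from_crtsh(json_text, domain):
    """Equivalent of `jq -r '.[].name_value'`, plus normalisation and a scope check."""
    names = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").split("\n"):
            host = normalize(raw, domain)
            if host:
                names.add(host)
    return names

def names_from_lines(text, domain):
    """For tools that write one hostname per line (subfinder, amass, sublist3r)."""
    return {h for h in (normalize(line, domain) for line in text.splitlines()) if h}

def consolidate(*sources):
    """Union of all sources, sorted: the `cat ... | sort -u` step, minus junk."""
    return sorted(set().union(*sources))

if __name__ == "__main__":
    crt = names_from_crtsh(CRTSH_SAMPLE, "target.com")
    sub = names_from_lines(SUBFINDER_SAMPLE, "target.com")
    print("\n".join(consolidate(crt, sub)))
```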
Passive recon (without touching the target)
```bash
# 1. Certificate Transparency (crt.sh)
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u
# 2. subfinder (multiple sources)
subfinder -d target.com -all -o subfinder_subs.txt
# 3. Amass (passive)
amass enum -passive -d target.com -o amass_subs.txt
# 4. Sublist3r
sublist3r -d target.com -o sublist3r_subs.txt
# 5. Certspotter
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq -r '.[].dns_names[]' | sort -u
# 6. Shodan
shodan domain target.com
# 7. Consolidate
cat subfinder_subs.txt amass_subs.txt sublist3r_subs.txt | sort -u > all_passive_subs.txt
```
Active recon (interacts with DNS/servers)
```bash
# 1. DNS bruteforce (puredns writes its results with -w)
puredns bruteforce /wordlists/subdomains.txt target.com --resolvers resolvers.txt -w bruteforce_subs.txt
# 2. DNS permutations (subdomain pattern matching)
gotator -sub all_passive_subs.txt -perm /wordlists/permutations.txt -depth 1 -mindup -adv -md -silent | sort -u > perm_subs.txt
# 3. Consolidate everything
cat all_passive_subs.txt bruteforce_subs.txt perm_subs.txt | sort -u > final_subs.txt
# 4. Subdomain takeover check (runs on the consolidated list, which now exists)
subjack -w final_subs.txt -t 100 -timeout 30 -ssl -c fingerprint.json -o takeovers.txt
```
Verify live hosts
```bash
# DNS resolution (plain hostnames out, so the next step can read them; -resp would add the records to each line)
cat final_subs.txt | dnsx -silent -o resolved_subs.txt
# HTTP probing
cat resolved_subs.txt | httpx -silent -status-code -title -tech-detect -o alive_hosts.txt
# Split by HTTP status code; httpx prints it in brackets, so match "[200]" rather than a bare "200" that could also appear in a title
grep -F "[200]" alive_hosts.txt > hosts_200.txt
grep -F "[403]" alive_hosts.txt > hosts_403.txt # may have a bypass
grep -E "\[30[12]\]" alive_hosts.txt > hosts_redirects.txt
```
Port Scanning
Nmap strategies
```bash
# Quick scan (top 1000 ports)
nmap -T4 -iL alive_ips.txt -oN quick_scan.txt
# Full port scan
nmap -p- -T4 -iL alive_ips.txt -oN full_scan.txt
# Service detection + default scripts on the interesting ports (paste avoids the trailing comma tr would leave)
nmap -sV -sC -p "$(paste -sd, interesting_ports.txt)" -iL alive_ips.txt -oN detailed_scan.txt
# UDP scan (slow, but useful)
nmap -sU --top-ports 100 -iL alive_ips.txt -oN udp_scan.txt
# Masscan for speed (1M+ hosts)
masscan -p1-65535 -iL alive_ips.txt --rate 10000 -oG masscan_results.txt
```
Interesting ports for bug bounty
| Port | Service | What to test |
|---|---|---|
| 80/443 | HTTP/HTTPS | Web app, API, subdomain takeover |
| 8080/8443 | Alt HTTP | Admin panels, dev environments |
| 3000 | Grafana/Node | Default creds, API exposure |
| 5432 | PostgreSQL | Default creds, exposed |
| 27017 | MongoDB | No auth, exposed admin |
| 6379 | Redis | No auth, RCE via crontab |
| 8080 | Jenkins | Default creds, script console |
| 9200 | Elasticsearch | No auth, data exposure |
| 22 | SSH | Weak creds, old versions |
| 21 | FTP | Anonymous login, file listing |
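Added example, not code from the original page: a Python parser for nmap -oN output that keeps only open ports from the table above and tags the rows the table marks "No auth" as high priority, so a large scan can be triaged back into those rows. The scan text is constructed and uses the 192.0.2.0/24 documentation range.

```python
import re

# Ports from the table above; the "No auth" rows get the highest priority when open.
INTERESTING_PORTS = {
    21: "FTP", 22: "SSH", 80: "HTTP", 443: "HTTPS", 3000: "Grafana/Node",
    5432: "PostgreSQL", 6379: "Redis", 8080: "Alt HTTP / Jenkins", 8443: "Alt HTTPS",
    9200: "Elasticsearch", 27017: "MongoDB",
}
NO_AUTH_BY_DEFAULT = {6379, 9200, 27017}

# Constructed sample in nmap -oN format (not a real scan).
NMAP_SAMPLE = """\
Nmap scan report for api.target.com (192.0.2.10)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
443/tcp   open     https
6379/tcp  open     redis
8080/tcp  filtered http-proxy
Nmap scan report for db.target.com (192.0.2.20)
PORT      STATE SERVICE
5432/tcp  open  postgresql
27017/tcp open  mongodb
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return {host: [(port, proto, state, service), ...]} from -oN output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts

def triage(hosts):
    """Open ports from the table only, tagged 'high' for the no-auth services; filtered ports are skipped."""
    findings = []
    for host, ports in hosts.items():
        for port, _proto, state, _svc in ports:
            if state == "open" and port in INTERESTING_PORTS:
                prio = "high" if port in NO_AUTH_BY_DEFAULT else "normal"
                findings.append((host, port, INTERESTING_PORTS[port], prio))
    return findings
```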
Fingerprinting
Identifying the technologies in use helps you choose the right payloads.
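Added example (not part of the original page): a Python check for the security headers covered in the HTTP Headers section below, applied to a constructed response in the shape curl -sI prints. It reports which of the page's "missing header = weakness" cases apply and which headers disclose the stack; a CSP with frame-ancestors is treated as covering the clickjacking case.

```python
# Security headers from the HTTP Headers section, each mapped to the weakness
# the page associates with its absence.
REQUIRED_HEADERS = {
    "x-frame-options": "clickjacking (no X-Frame-Options)",
    "content-security-policy": "XSS (no CSP)",
    "strict-transport-security": "SSL stripping (no HSTS)",
    "x-content-type-options": "MIME sniffing (no X-Content-Type-Options)",
}
# Headers that disclose the stack; useful for fingerprinting, so report them too.
DISCLOSURE_HEADERS = ("server", "x-powered-by")

# Constructed raw response in the shape `curl -sI` prints; not from a real host.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""

def parse_headers(raw):
    """Map lowercased header names to values; the status line is skipped and
    repeated headers are joined with ', ' as HTTP allows."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return headers

def audit(headers):
    """Return (missing weaknesses, disclosure headers found). A CSP frame-ancestors
    directive covers clickjacking without X-Frame-Options; HSTS is only meaningful
    on an HTTPS response, which is assumed here."""
    missing = []
    for name, weakness in REQUIRED_HEADERS.items():
        if name in headers:
            continue
        if name == "x-frame-options" and "frame-ancestors" in headers.get("content-security-policy", ""):
            continue
        missing.append(weakness)
    disclosed = {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}
    return missing, disclosed

if __name__ == "__main__":
    missing, disclosed = audit(parse_headers(SAMPLE_RESPONSE))
    print("missing:", missing or "none", "| disclosed:", disclosed)
```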
HTTP Headers
```bash
# Check security headers
curl -sI https://target.com | grep -iE "(x-frame|x-xss|content-security|strict-transport|x-content-type|server|x-powered)"
# Missing headers = potential vulnerability
# X-Frame-Options → Clickjacking
# CSP → XSS
# HSTS → SSL stripping
# X-Content-Type-Options → MIME sniffing
```
Technology Detection
```bash
# WhatWeb
whatweb https://target.com -a 3
# httpx tech detect
echo "https://target.com" | httpx -silent -tech-detect -status-code -title
# Wappalyzer CLI
wappalyzer https://target.com
# BuiltWith (web)
# https://builtwith.com/target.com
```
JavaScript Analysis
```bash
# Extract endpoints from JS files (js_files.txt holds one JS URL per line; passing the URL as "$1" keeps sh from re-parsing it)
cat js_files.txt | xargs -I {} sh -c 'curl -s "$1" | grep -oE "https?://[^\"'"'"'[:space:]]+"' _ {} | sort -u > js_endpoints.txt
# Find API keys and secrets
cat js_files.txt | xargs -I {} sh -c 'curl -s "$1" | grep -oE "(api[_-]?key|token|secret|password|auth)[\"'"'"']?\s*[:=]\s*[\"'"'"'][^\"'"'"']+"' _ {}
# LinkFinder
python linkfinder.py -i https://target.com -o cli
# SecretFinder
python secretfinder.py -i https://target.com/app.js -o cli
```
Content Discovery
Directory Fuzzing
```bash
# ffuf (fastest)
ffuf -u https://target.com/FUZZ -w /wordlists/seclists/Discovery/Web-Content/common.txt \
  -mc 200,204,301,302,307,401,403 \
  -o ffuf_results.json -of json
# Feroxbuster (recursive, depth 2)
feroxbuster -u https://target.com -w /wordlists/seclists/Discovery/Web-Content/common.txt -d 2
# Gobuster
gobuster dir -u https://target.com -w /wordlists/seclists/Discovery/Web-Content/common.txt -o gobuster_results.txt
# API path fuzzing
ffuf -u https://target.com/api/FUZZ -w /wordlists/api-endpoints.txt -mc 200,201,400,401,403,405
# Extension fuzzing
ffuf -u https://target.com/indexFUZZ -w /wordlists/extensions.txt -mc 200,403
# extensions.txt: .bak, .old, .zip, .tar.gz, .sql, .json, .yaml, .env
```
Parameter Discovery
```bash
# Arjun (hidden parameter discovery; -m takes a single method, so run it once per method)
arjun -u https://target.com/endpoint -m GET
arjun -u https://target.com/endpoint -m POST
# Parameth
python parameth.py -u https://target.com/endpoint
# x8 (hidden parameters)
x8 -u "https://target.com/endpoint" -w /wordlists/params.txt
```
Archive Analysis
```bash
# Wayback Machine (alive_hosts.txt lines look like "https://host [200] [title]", so keep only the URL and reduce it to a domain)
awk '{print $1}' alive_hosts.txt | unfurl -u domains | waybackurls | sort -u > wayback_urls.txt
# gau (getallurls)
awk '{print $1}' alive_hosts.txt | unfurl -u domains | gau --threads 5 --o gau_urls.txt
# Filter unique parameter names
cat wayback_urls.txt gau_urls.txt | sort -u | grep "?" | unfurl keys | sort -u > all_params.txt
# Look for sensitive files among the archived URLs
cat wayback_urls.txt | grep -E "\.(json|xml|yml|yaml|env|config|bak|old|sql|log)$"
```
Automated Recon Pipeline
```bash
#!/bin/bash
# recon.sh: full pipeline
set -u
DOMAIN="$1"
OUTDIR="recon_${DOMAIN}"
mkdir -p "$OUTDIR"
echo "[1/6] Subdomain enumeration..."
subfinder -d "$DOMAIN" -all -o "$OUTDIR/subfinder.txt"
amass enum -passive -d "$DOMAIN" -o "$OUTDIR/amass.txt"
cat "$OUTDIR/subfinder.txt" "$OUTDIR/amass.txt" | sort -u > "$OUTDIR/all_subs.txt"
echo "[2/6] Resolving..."
cat "$OUTDIR/all_subs.txt" | dnsx -silent -o "$OUTDIR/resolved.txt"
echo "[3/6] HTTP probing..."
cat "$OUTDIR/resolved.txt" | httpx -silent -status-code -title -tech-detect -o "$OUTDIR/alive.txt"
echo "[4/6] Port scanning..."
nmap -T4 -iL "$OUTDIR/resolved.txt" -oN "$OUTDIR/nmap.txt"
echo "[5/6] URL gathering..."
# alive.txt lines are "https://host [code] [title]"; gau wants domains
awk '{print $1}' "$OUTDIR/alive.txt" | unfurl -u domains | gau --threads 5 | sort -u > "$OUTDIR/urls.txt"
echo "[6/6] Fuzzing..."
awk '{print $1}' "$OUTDIR/alive.txt" | while read -r url; do
    # one result file per host, named by a hash of the URL (md5sum is the portable choice; macOS ships md5 instead)
    ffuf -u "${url}/FUZZ" -w /wordlists/common.txt -mc 200,301,302,403 -of csv \
        -o "$OUTDIR/ffuf_$(printf '%s' "$url" | md5sum | cut -d' ' -f1).csv"
done
echo "Recon complete. Results in $OUTDIR/"
```
References
Bug Bounty: the complete hunter's guide
Bug bounty platforms, scope, bounty economics, the hunter mindset, hunting workflow and how to pick profitable programs.
Web Vulnerabilities: OWASP Top 10 and beyond
XSS, SQLi, SSRF, IDOR, broken authentication, CSRF, deserialization: technical coverage of each vulnerability class with payloads and detection.