From 62b0ae8a6106c6204ea10f58604e3e25428de167 Mon Sep 17 00:00:00 2001 From: MD15 Date: Wed, 3 Feb 2021 21:16:07 +0700 Subject: [PATCH] Added recon checklist --- Misc/Recon.MD | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 Misc/Recon.MD diff --git a/Misc/Recon.MD b/Misc/Recon.MD new file mode 100644 index 0000000..3bbc6a8 --- /dev/null +++ b/Misc/Recon.MD 
@@ -0,0 +1,66 @@ +# Bug-Bounty-Recon + +## Small Scope +### Only Specific URLs are part of Scope. This usually includes staging/dev/testing or single URLs. like: app.harshbothra.tech +- [x] Directory Enumeration +- [x] Technology Fingerprinting +- [x] Port Scanning +- [x] Parameter Fuzzing +- [x] Wayback History +- [x] Known Vulnerabilities +- [x] Hardcoded Information in JavaScript +- [x] Domain Specific GitHub & Google Dorking +- [x] Broken Link Hijacking +- [x] Data Breach Analysis +- [x] Misconfigured Cloud Storage +## Medium Scope +### Usually the scope is wild card scope where all the subdomains are part of scope. like: Scope: *.harshbothra.tech +- [x] Subdomain Enumeration +- [x] Subdomain Takeover +- [x] Probing & Technology Fingerprinting +- [x] Port Scanning +- [x] Known Vulnerabilities +- [x] Template Based Scanning (Nuclei/Jeales) +- [x] Misconfigured Cloud Storage +- [x] Broken Link Hijacking +- [x] Directory Enumeration +- [x] Hardcoded Information in JavaScript +- [x] GitHub Reconnaissance +- [x] Google Dorking +- [x] Data Breach Analysis +- [x] Parameter Fuzzing +- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.) +- [x] IP Range Enumeration (If in Scope) +- [x] Wayback History +- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc. +- [x] Heartbleed Scanning +- [x] General Security Misconfiguration Scanning +## Large Scope +### Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization. +- [x] Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.) 
​ +- [x] Subsidiary & Acquisition Enumeration (Depth – Max)​ +- [x] Reverse Lookup +- [x] ASN & IP Space Enumeration and Service Identification​ +- [x] Subdomain Enumeration +- [x] Subdomain Takeover +- [x] Probing & Technology Fingerprinting +- [x] Port Scanning +- [x] Known Vulnerabilities +- [x] Template Based Scanning (Nuclei/Jeales) +- [x] Misconfigured Cloud Storage +- [x] Broken Link Hijacking +- [x] Directory Enumeration +- [x] Hardcoded Information in JavaScript +- [x] GitHub Reconnaissance +- [x] Google Dorking +- [x] Data Breach Analysis +- [x] Parameter Fuzzing +- [x] Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.) +- [x] IP Range Enumeration (If in Scope) +- [x] Wayback History +- [x] Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc. +- [x] Heartbleed Scanning +- [x] General Security Misconfiguration Scanning +- [x] And any possible Recon Vector (Network/Web) can be applied.​ + +Source: [Link](https://www.xmind.net/m/hKKexj/) \ No newline at end of file
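Review bot: "Jeales" in the two "Template Based Scanning (Nuclei/Jeales)" items (Medium Scope and Large Scope) looks like a misspelling of the Jaeles scanner; please correct it so readers can find the tool. Related style points in the same hunk: every item is pre-checked with `- [x]`, which defeats the purpose of a checklist, so `- [ ]` would let users tick items as they go; the Large Scope list contains several invisible zero-width characters (after the "Tracking & Tracing" item, and inside the "Subsidiary & Acquisition", "ASN & IP Space" and final "And any possible Recon Vector" items) that should be stripped; the `###` lines are full sentences used as scope descriptions rather than headings, so plain paragraphs under each `##` would render better; and the file ends without a trailing newline. Since the Medium Scope list is repeated verbatim inside Large Scope, consider stating that Large Scope is "everything in Medium Scope plus the following" and listing only the additional items, which keeps the three tiers in sync when one is edited. Finally, given that this is a scope-driven checklist, the "(If in Scope)" qualifier on "IP Range Enumeration" would be worth stating once at the top for the whole document, since items like Port Scanning and Subdomain Takeover are equally dependent on the program's authorized scope.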