SecurityTrails Blog · Mar 25 · by Esteban Borges

IP Reconnaissance for Bug Bounty Hunters with SurfaceBrowser™

IP reconnaissance is often the base and a starting point of any security research or bug hunt. This is simply because scanning any IP address can lead you to an individual host in question—and once you’ve found the host, the possibilities are limitless. From there you may find running services, open ports, databases, unsecured files and much more. Everything begins with finding and scanning the IP address.

Doing this is relatively easy for smaller organizations; looking up the ASN of an organization often nets you almost all of its IP addresses. When looking at larger organizations, however, you can get multiple departments running on different network spaces, ASNs and locations, with tens of thousands of IPs.

Some larger organizations, like IBM, Amazon and Ford Motor Company, have /8s of their own, each of which is 16,777,216 individual IPv4 addresses. Scanning and finding open ports and services on half a million IPs, or even, say, 10,000 IPs (which is commonly seen at many larger organizations), is quite a time-consuming and difficult task.

But not all hope is lost! Some tools, like our own SecurityTrails SurfaceBrowser™, actively scan and gather information for you, empowering your security research and IP reconnaissance in literally seconds.

How to perform IP reconnaissance for Bug Bounty Hunting

Let’s see how anyone can perform a complete IP reconnaissance using SurfaceBrowser™, our all-in-one surface analysis tool:

To begin your IP reconnaissance, first head over to your user area and log into your account. Once logged in, click on “Access SurfaceBrowser™” on the left-hand side or load this URL: https://securitytrails.com/app/sb/.

In our example, we’ll be scanning the company domain “ge.com”.

From the left-hand sidebar, select “IP Blocks” under the “IP Addresses” heading:

Give it a few seconds for SurfaceBrowser™ to generate your report, after which you’ll see all the IP addresses associated with the company GE:

As you can see, each IP block is listed along with its IP count, RIR, open ports, hostnames and the apex domains hosted on those IP addresses.

Looking further into per-IP information with SurfaceBrowser™

Scanning the IP 1.1.1.1 as an example, SurfaceBrowser™ now shows you a summary of all the available information, and allows you to jump from one tab to another to discover even more details:

Domains

The Domains tab lists the number of domains associated with this IP address, the current (active) domains hosted on it, and the past domains that make up its domain history.

Ports History

The Ports History tab lists ports that were open in the past (and might still be open) or are closed now, along with when each was last seen open.

P2P

The P2P tab lists any peer-to-peer activity which may have occurred on or via this IP address, including data such as date, torrent, category and source.

Open Ports and Software

The Open Ports and Software section lists the services and applications running on the IP address, together with each open port found. Examples include web servers such as Nginx, DNS servers such as Unbound, HTTP proxies and more.

DNS

This section lists all forward DNS and reverse DNS records and related information associated with the IP address.

ASN

This section indicates which autonomous system number (ASN) the IP address belongs to, helping to further trace out associated IP ranges and network uplinks/providers.

Latest Seen Certificates

This area shows the most recently seen certificates on this IP address, along with the port each was served on, its location and its validity period.

Combined, the above information gives you a great head start in gathering information about the IP address in question.

What about IP neighbors?

Sometimes an IP address might not have much to offer, simply because it could be well secured or running nothing of value to the investigation. On the other hand, its neighbors might be running services of interest—and finding these IP neighbors is super easy with the SurfaceBrowser™ tool as well:

This view shows the IPs neighboring the one being searched for, the organization they belong to, and the related hostnames and ports seen open on them.
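As an added example (not code from the original post or from the SurfaceBrowser™ product), the following Python puts numbers on two points made above: that the prefixes you collect from an organization's ASN lookup need to be consolidated and counted before any scan is planned (and why a /8 is impractical for one person to sweep), and that an address's IP neighbors are simply the adjacent addresses within its block. The ASNs, prefixes and probe rate are constructed assumptions using documentation ranges.

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed sample: prefixes an analyst might collect for one organization by
# looking up its ASNs. These are RFC 5737 documentation ranges and the ASNs are
# from the documentation range; they belong to no real company.
SAMPLE_PREFIXES = {
    "AS64496": ["192.0.2.0/24", "192.0.2.128/25", "198.51.100.0/25", "198.51.100.128/25"],
    "AS64497": ["203.0.113.0/24"],
}

def consolidate(prefixes_by_asn):
    """Merge overlapping and adjacent prefixes so no address is counted twice."""
    nets = [ip_network(p, strict=False) for ps in prefixes_by_asn.values() for p in ps]
    return sorted(collapse_addresses(nets))

def address_count(networks):
    """Total number of individual addresses across the consolidated blocks."""
    return sum(n.num_addresses for n in networks)

def sweep_hours(num_addresses, ports=1000, probes_per_second=10_000):
    """Rough wall-clock cost of probing `ports` ports on every address at a fixed
    probe rate (assumed figures); this is what makes a /8 impractical by hand."""
    return num_addresses * ports / probes_per_second / 3600

def neighbors(ip, block, radius=2):
    """Addresses up to `radius` positions either side of `ip`, clamped to `block`
    so the list never runs past the block's first or last address."""
    net = ip_network(block, strict=False)
    centre = int(ip_address(ip))
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return [ip_address(centre + d) for d in range(-radius, radius + 1)
            if d != 0 and lo <= centre + d <= hi]

if __name__ == "__main__":
    blocks = consolidate(SAMPLE_PREFIXES)
    total = address_count(blocks)
    print(f"{len(blocks)} consolidated blocks, {total} addresses")
    print(f"sweep of this footprint: {sweep_hours(total):.2f} h")
    print(f"sweep of a /8 ({2**24} addresses): {sweep_hours(2**24):.0f} h")
    for n in neighbors("192.0.2.77", "192.0.2.0/24"):
        print("neighbor:", n)
```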

Summary

As we’ve shown you, large organizations can have many thousands of IP allocations actively in use across their departments. In such cases, scanning each IP block for live hosts and then scanning each individual IP for open ports is time-consuming and often impossible for an individual dealing with larger organizations like IBM, Amazon and Ford Motor Company, all of whom have their own /8 IPv4 allocations (~16 million individual IP addresses).

Using SecurityTrails SurfaceBrowser™ helps by automatically scanning IP ranges and listing open ports and services running on them, which can speed up your IP reconnaissance tasks significantly.

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.