TL;DR

  • Know the common private, CGNAT, and link-local ranges.
  • Use IPv6 ranges explicitly during recon; they are often less protected.
  • For bug bounty, prioritize public netblocks, cloud assets, and IPv6.

Common IPv4 Ranges

Private and special-use

  • 10.0.0.0/8 - large private networks, VPCs, Kubernetes pods/services
  • 172.16.0.0/12 - medium private segments, container bridges, corp LANs
  • 192.168.0.0/16 - home routers, SMB, IoT
  • 100.64.0.0/10 - carrier-grade NAT (mobile/ISP backbones)
  • 169.254.0.0/16 - link-local/APIPA (DHCP fallback)
  • 127.0.0.0/8 - loopback
  • 224.0.0.0/4 - multicast
  • 240.0.0.0/4 - experimental

IPv6 equivalents

  • fc00::/7 - ULA (private IPv6; addresses actually assigned fall in fd00::/8)
  • fe80::/10 - link-local
  • ::1/128 - loopback

Bug Bounty Recon Priorities

  1. Public netblocks (ASN/WHOIS) for the target org.
  2. Cloud assets (AWS/GCP/Azure public IPs and hostnames).
  3. Subdomains and wildcard domains for takeover or misconfig.
  4. Storage services (S3/Blob/GCS) for public exposure.
  5. APIs (/api, /v1, /graphql) for auth and rate limit issues.
  6. Mobile and IoT backends from app traffic or firmware.
  7. Edge ports (80/8080/8443/8888) and old VPN endpoints.
  8. Legacy acquisitions and third-party infrastructure.
  9. IPv6 surface (hosts reachable via AAAA records often sit outside WAF and firewall rules written for IPv4).
  10. Metadata IPs after SSRF/RCE (169.254.169.254 etc.).
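The following classifier is an added example, not code from the original cheat sheet. It turns the range tables above into a lookup that serves two needs at once: tagging addresses pulled from DNS/ASN data as internal vs. public during recon triage, and, on the defending side, refusing outbound fetches to private, link-local or metadata targets (the SSRF pre-flight that item 10 implies). The hostnames and the `FAKE_DNS` resolver are constructed stand-ins so the block runs offline; the documentation blocks 203.0.113.0/24 and 2001:db8::/32 play the role of public address space here.

```python
"""Classify addresses against the special-use ranges from the cheat sheet.

Added example (not part of the original page). Uses only the standard-library
`ipaddress` module; the RFC numbers in the labels are the usual references.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# (cidr, label) for the ranges listed on this page.
SPECIAL_RANGES = [
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("100.64.0.0/10", "carrier-grade NAT (RFC 6598)"),
    ("169.254.0.0/16", "link-local / APIPA"),   # includes 169.254.169.254 metadata
    ("127.0.0.0/8", "loopback"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved / experimental"),
    ("fc00::/7", "ULA (private IPv6)"),
    ("fe80::/10", "IPv6 link-local"),
    ("::1/128", "IPv6 loopback"),
]
NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in SPECIAL_RANGES]


def normalize(addr: str) -> IPAddress:
    """Parse strictly and unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1 is still 10.0.0.1).

    Raises ValueError for anything that is not a plain dotted-quad or RFC 4291
    literal, e.g. '0x7f000001', '2130706433' or '127.1'; treat that as a rejection
    rather than passing the string to a lenient resolver or HTTP client."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def classify(addr: str) -> Optional[str]:
    """Return the special-use label for addr, or None for public routable space.
    `in` on an ip_network already returns False across IPv4/IPv6 versions."""
    ip = normalize(addr)
    for net, label in NETWORKS:
        if ip in net:
            return label
    return None


def is_safe_egress_target(addr: str) -> bool:
    """True only for strictly parsed addresses outside every special-use range."""
    try:
        return classify(addr) is None
    except ValueError:
        return False


def check_url(url: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """SSRF pre-flight: every address the hostname resolves to must be public.

    `resolve` is injected so this runs offline; in production wrap
    socket.getaddrinfo and connect to the address you validated instead of
    re-resolving later (a second lookup reopens the DNS-rebinding window)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit strips the brackets from IPv6 literals
    try:
        ipaddress.ip_address(host)   # literal IP in the URL: no DNS involved
        targets: List[str] = [host]
    except ValueError:
        targets = list(resolve(host))
    return bool(targets) and all(is_safe_egress_target(t) for t in targets)


# Constructed resolver for the demo; hostnames and answers are made up.
FAKE_DNS = {
    "example-app.test": ["203.0.113.10", "2001:db8::10"],   # stand-in for public space
    "internal-db.test": ["10.20.30.40"],
    "rebind.test": ["203.0.113.5", "169.254.169.254"],      # one public, one metadata
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for a in ["10.1.2.3", "100.100.0.1", "::ffff:127.0.0.1", "fd12::1", "8.8.8.8"]:
        print(f"{a:>20} -> {classify(a)}")
    for u in ["https://example-app.test/api/v1", "http://rebind.test/",
              "http://[fe80::1]/", "http://169.254.169.254/latest/meta-data/"]:
        print(f"{u:>45} -> {'allow' if check_url(u, fake_resolve) else 'deny'}")
```

The check deliberately rejects any address the strict parser will not accept instead of trying to canonicalize octal, hex or integer forms itself: the safe behaviour is to refuse, since whatever lenient client would be used for the real request may interpret those forms differently from the validator.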

Notes

  • Combine passive recon (DNS/ASN, Git leaks) with targeted port scans.
  • Prioritize assets that are new or recently exposed.