Bug Bounty Methodology
Go the road less travelled: find programs that are not on HackerOne or Bugcrowd. Bugcrowd's public list: https://www.bugcrowd.com/bug-bounty-list/
Google dorks: "Responsible Disclosure" or "Vulnerability Disclosure" or "responsible disclosure website list"
Hackerone In Scope Domains: https://github.com/zricethezav/h1domains/blob/master/domains.txt
responsible disclosure "bounty"
intext:"Responsible Disclosure Policy"
"responsible disclosure" "private program"
"responsible disclosure" "private" "program"
vulnerability disclosure program "bounty" -bugcrowd -hackerone
responsible disclosure "private program" <--- find private hackerone/bugcrowd programs
https://github.com/random-robbie/bugbountydork/blob/master/main.py
If you find a vulnerable JavaScript file and want to find other websites that include the same script, NerdyData lets you search for sites running it: https://nerdydata.com/search?query=ga.js
./amass -active -d test.com -o /opt/output/company.com/amassCompany.txt
./subfinder -d test.com -v -o /opt/output/company.com/subfinderNoBrute.txt <--- simple scan
./subfinder -b -w /opt/wordlists/all.txt -d upwork.com -v -o /opt/output/company.com/subfinder.txt <--- indepth scan
python sublist3r.py -b -d example.com -v -t 40 -o /opt/output/company.com/example.txt
python sublist3r.py -d example.com -p 21,22,3389,8080,8181,8000,9443,8443,6900,9200,81 <--- sublist3r requires -d; -p port-scans the discovered subdomains
aquatone-discover -d test.com
curl -s 'https://crt.sh/?q=%.example.com&output=json' | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u <--- crt.sh returns a JSON array, so index it with .[]; -r drops the quotes
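As an added example (not part of the original notes), a Python version of the crt.sh pipeline above that parses the JSON response directly instead of chaining jq and sed; the sample response is constructed and the hostnames in it are placeholders:

```python
import json

# Constructed sample of a crt.sh "?output=json" response (not real certificate
# data). A name_value field may hold several SANs separated by newlines and may
# include wildcard names; the same name usually appears across many certs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "mail.example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "example.com.lookalike-placeholder.net"},
])


def hostnames_from_crtsh(raw_json, apex):
    """Return the sorted, deduplicated in-scope hostnames from a crt.sh JSON
    response for the query %.<apex>.

    Does what the curl | jq | sed | sort -u one-liner does, and additionally
    splits multi-name fields, strips wildcard labels, and keeps only the apex
    and its true subdomains so stray names do not end up in the inventory.
    """
    apex = apex.lower().rstrip(".")
    hosts = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # same effect as sed 's/\*\.//g'
            # Substring matches like "example.com.something.net" are excluded.
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
    return sorted(hosts)


if __name__ == "__main__":
    for host in hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```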
Enumeration with aquatone: https://blog.it-securityguard.com/visual-recon-a-beginners-guide/
cd /opt/massdns
./scripts/subbrute.py /opt/wordlists/all.txt canva.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w canvaMassdns.txt
gobuster -m dns -u canva.com -t 100 -w /opt/wordlists/all.txt -o /opt/output/company.com/GoBusterCanvasubdomains.txt -q
Don't forget to permutation scan: e.g. if you find helpdesk.company.com, try admin.helpdesk.company.com and help.helpdesk.company.com, then bruteforce helpdesk.company.com itself!
Use Jason Haddix's all.txt wordlist for subdomain bruteforcing: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
cat aquatoneSublist.txt | httprobe -c 50 > livehosts.txt
./EyeWitness.py --prepend-https -f /root/vanillasublister.txt --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -d targetvanilla
Multithreaded Eyewitness:
./EyeWitness.py --prepend-https -f /root/vanillasublister.txt --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" --threads 35 -d targetvanilla
webscreenshot -i /tmp/adobeurls.txt -o /targets/adobe.com -v -w 10
webscreenshot -i /tmp/adobeurls.txt -o /targets/adobe.com -v -m -w 10 <--- -m: try both HTTP and HTTPS
epg-prep /root/adobe.com
node yourname.js
http://yourserverip:3000/photos
Ports to Find: 21,22,3389,8080,8181,8000,9443,8443,6900,9200,81
masscan -p- --banners -iL targets.txt <--- -iL reads targets from a file; a bare filename is parsed as an IP range
nmap -p 21,22,3389,8080,8181,8000,9443,8443,6900,9200,81 -iL targets.txt
aquatone-scan -d uber.com -t 30 -p medium
aquatone-scan -d test.com -t 30 -p small (small is port 443 and 80)
port:80,443,2376,8000,8080,8443,9443 http.title:Company
aquatone-takeover -d adobe.com
https://github.com/EdOverflow/can-i-take-over-xyz
https://takeover.cyberint.com/
https://hackerone.com/reports/380158
http://archive.org/web/ (if a subdomain name suggests sensitive content, e.g. config.test.com or admin.test.com, look it up in the Wayback Machine; archived copies may expose critical data such as API keys or usernames/passwords)
site:admin.target.com (if the website returns 403, Google-dork it to see whether any indexed endpoints are still accessible)
Burp Discover Content Engagement Tool
./dirsearch.py -u http://target.com -e '*' -r <--- quote the * so the shell does not glob-expand it
dirb http://target.com
gobuster -w /opt/wordlists/content_discovery_all.txt -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -t 50 -u http://canva.com/ -o canvagobuster.txt -fw -r
https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10 <---- Jason Haddix's directory bruteforce list
site:site.com ext:php,asp,aspx,jsp,jspa,txt,swf
site:test.com ext:php
site:test.com ext:asp
curl against the Wayback CDX server (API docs: https://github.com/internetarchive/wayback/blob/master/wayback-cdx-server/README.md):
curl 'http://web.archive.org/cdx/search/cdx?url=games.sidefx.com/*&output=text&fl=original&collapse=urlkey'
^^^ more info https://www.shawarkhan.com/2018/06/getting-php-code-execution-and-leverage.html
You can query commoncrawl.org to discover endpoints as well
python3 cc.py github.com -y 18 -o github_2018.txt
site:github.com inurl:looker "api" "key"
site:github.com inurl:looker "password"
https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724?gi=3cf919a0784b
Look for invite links: Slack, Discord, etc.
Target Tab > Right Click Target.com > Engagement Tools > Find Scripts
Ctrl A > Copy Selected URLs (Paste to textfile linkfinder.txt)
grep '\.js' linkfinder.txt > linkfinder2.txt <--- escape the dot, otherwise ".js" matches any character followed by js
python linkfinder.py -o cli -i http://target.com/everylink.js
OR copy and paste into JSParser:
python handler.py (visit localhost:8008)
https://whatcms.org/ <--- identify which CMS the website is running