- This wouldn't be possible without our lord and saviour Jason Haddix
- Huge thanks to Cristi Zot for giving me a head start at recon
- Responsible Disclosure Programs
- Seed Domain Enumeration
- Subdomain enumeration
- Content Discovery
- Scanning
- Sensitive Data Exposure
- Recon Frameworks
- Github Security
- OpenBugBounty
- HackerOne
- Bugcrowd
- Intigriti
- Cobalt
- Synack
- ZeroCopter
- HackenProof
- Public bug bounty list
- Awesome bug bounty
- Google VRP
inurl:"responsible disclosure policy"
"powered by bugcrowd" -site:bugcrowd.com
"powered by hackerone"
"submit vulnerability report"
site:responsibledisclosure.com
inurl /bug bounty
inurl : / security
inurl:security.txt
inurl:security "reward"
inurl : /responsible disclosure
inurl : /responsible-disclosure/ reward
inurl : / responsible-disclosure/ swag
inurl : / responsible-disclosure/ bounty
inurl:'/responsible disclosure' hoodie
responsible disclosure swag r=h:com
responsible disclosure hall of fame
responsible disclosure europe
responsible disclosure white hat
white hat program
insite:"responsible disclosure" -inurl:nl
intext responsible disclosure
site eu responsible disclosure
site .nl responsible disclosure
site responsible disclosure
responsible disclosure:sites
responsible disclosure r=h:nl
responsible disclosure r=h:uk
responsible disclosure r=h:eu
responsible disclosure bounty r=h:nl
responsible disclosure bounty r=h:uk
responsible disclosure bounty r=h:eu
responsible disclosure swag r=h:nl
responsible disclosure swag r=h:uk
responsible disclosure swag r=h:eu
responsible disclosure reward r=h:nl
responsible disclosure reward r=h:uk
responsible disclosure reward r=h:eu
"powered by hackerone" "submit vulnerability report"
inurl:'vulnerability-disclosure-policy' reward
intext:Vulnerability Disclosure site:nl
intext:Vulnerability Disclosure site:eu
site:*.*.nl intext:security report reward
site:*.*.nl intext:responsible disclosure reward
"security vulnerability" "report"
inurl:"security report"
"responsible disclosure" university
inurl:/responsible-disclosure/ university
buy bitcoins "bug bounty"
inurl:/security ext:txt "contact"
"powered by synack"
intext:responsible disclosure bounty
inurl: private bugbountyprogram
inurl:/.well-known/security ext:txt
inurl:/.well-known/security ext:txt intext:hackerone
inurl:/.well-known/security ext:txt -hackerone -bugcrowd -synack -openbugbounty
inurl:reporting-security-issues
inurl:security-policy.txt ext:txt
site:*.*.* inurl:bug inurl:bounty
site:help.*.* inurl:bounty
site:support.*.* intext:security report reward
intext:security report monetary inurl:security
intext:security report reward inurl:report
site:security.*.* inurl: bounty
site:*.*.de inurl:bug inurl:bounty
site:*.*.uk intext:security report reward
site:*.*.cn intext:security report reward
"vulnerability reporting policy"
"van de melding met een minimum van een" -site:responsibledisclosure.nl
"Submission Form powered by Bugcrowd" -bugcrowd.com
"If you believe you've found a security vulnerability"
intitle:"responsible disclosure policy"
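Several of the dorks above hunt for /.well-known/security.txt, the RFC 9116 file that tells researchers where to report. The flip side for a defender is publishing one that actually validates: Contact and Expires are required, Expires must appear once and must not be in the past, and web contacts must be https. The checker below is an added example, not part of the original list; the two security.txt bodies are constructed samples, not any real organisation's file.

```python
from datetime import datetime, timezone

# Constructed sample of a well-formed /.well-known/security.txt (RFC 9116 syntax).
SAMPLE_SECURITY_TXT = """\
# Constructed sample, not a real organisation's file
Contact: mailto:security@example.com
Contact: https://example.com/vulnerability-disclosure-policy
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/vulnerability-disclosure-policy
"""

# Constructed sample with the mistakes seen most often in the wild.
BAD_SECURITY_TXT = """\
Expires: 2020-01-01T00:00:00Z
Policy: https://example.com/policy
Foo: bar
"""

REQUIRED = ("Contact", "Expires")
# Field names defined by RFC 9116 itself.
KNOWN = {"Acknowledgments", "Canonical", "Contact", "Encryption",
         "Expires", "Hiring", "Policy", "Preferred-Languages"}


def parse_security_txt(text: str) -> dict:
    """Parse field lines into {name: [values]}; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now=None) -> list:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for value in fields.get("Expires", []):
        try:
            # RFC 3339 timestamp; map the trailing Z so older Pythons parse it too.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires <= now:
            problems.append(f"file expired on {value}")
    for value in fields.get("Contact", []):
        if not value.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {value}")
    for name in fields:
        if name not in KNOWN:
            problems.append(f"non-standard field {name} (RFC 9116 says ignore it)")
    return problems


if __name__ == "__main__":
    for label, body in (("good", SAMPLE_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(body) or "ok")
```

Run it against the file you serve (for example by piping `curl -s https://yourdomain/.well-known/security.txt` into it) before relying on dorks like `inurl:/.well-known/security ext:txt` to make your program findable; an expired file is the single most common reason reports end up in the wrong inbox.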
- Manual enumeration via https://bgp.he.net/
- Discover seed domains
amass intel -asn <ASN>
- Automated enumeration
- ASNLookup (maxmind.com dataset)
- metabigor (bgp.he.net, asnlookup.com)
- https://whoxy.com/
- DOMLink (CLI of whoxy.com)
- https://builtwith.com/
- getrelationship.py (CLI by M4ll0k)
echo "tesla.com" | python3 getrelationship.py
- "Copyright Text" inurl:tesla.com
- "Terms of Service Text" inurl:tesla.com
- "Privacy Policy Text" inurl:tesla.com
Demonstrated using Burp Pro
- Set a scope item
- Check "Use advanced scope controls"
- Enter a term instead of an absolute domain name
- Host or ip range: "keyword"
- Site map
- Filter by request type: Show only in-scope items
- Crawl all in-scope targets
- Scan type: Crawl
- Scan configuration
- Crawl strategy - fastest
- Never stop crawling due to application errors
- Resource Pool
- Name: "name"
- Maximum concurrent requests: 50
- Hakrawler
hakrawler -url tesla.com -hs -linkfinder
- GoSpider
gospider -s https://tesla.com
- Subdomainizer
Input JS files either from Burp or Hakrawler
python3 SubDomainizer.py -l jsfiles.txt -o js-subdomains.txt
python linkfinder.py -i 'scripts/*.js' -r ^/api/ -o results.html
- Pure bash linkfinder @ntrzz
curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > jslinks.txt; while IFS= read link; do python linkfinder.py -i "$link" -o cli; done < jslinks.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf jslinks.txt
- Finding JS files script @D0cK3rG33k
assetfinder site.com | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s "$url" | grep -Eo "var [a-zA-Z0-9_]+" | sed -e "s,var,$url?,g" -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n" "\e[1;32m$vars"; done
- Extract endpoints from JS files @renniepak
cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u
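The grep one-liner above only catches double-quoted paths made of a narrow character set. The function below is an added example (not from the original page or from the tool authors it credits) that does the same job over single-, double- and backtick-quoted strings, keeps template placeholders like `${id}` visible so you can see parameterised routes, and drops static assets by default. The JavaScript it runs over is a constructed stand-in for a downloaded main.js.

```python
import re

# Constructed JavaScript snippet standing in for a downloaded main.js (not a real site).
SAMPLE_JS = """
const API = "https://api.example.com/v2";
fetch('/api/users?page=1').then(r => r.json());
axios.post("/api/login", {u, p});
const img = '/static/logo.png';
var t = `/api/teams/${id}/members`;
window.location = "/admin/dashboard";
"""

# A quoted string that is either an absolute http(s) URL or a path starting with "/".
# "$", "{" and "}" are allowed so template-literal routes survive intact.
_QUOTED = re.compile(r"""["'`]((?:https?://[^"'`\s]+)|(?:/[A-Za-z0-9_./?=&${}-]*))["'`]""")

STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".woff", ".woff2", ".ico")


def extract_endpoints(js: str, include_static: bool = False) -> list:
    """Return the sorted, de-duplicated endpoints and URLs quoted in JS source."""
    found = set()
    for match in _QUOTED.finditer(js):
        path = match.group(1)
        if not include_static and path.lower().endswith(STATIC_EXT):
            continue
        found.add(path)
    return sorted(found)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JS
    print("\n".join(extract_endpoints(source)))
```

Routes such as `/admin/dashboard` turning up in a public bundle are worth a second look from the application owner's side: the client code is documenting surface that the server must still protect with its own authorisation checks.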
- For recursive analysis
- Infrastructure sources
- Censys (requires an api key)
- Chaos (requires an api key)
- Robtex (requires an api key)
- DnsDB (requires an api key)
- Github (requires an api key)
- Passive Total (requires an api key)
- NetCraft
- PTRarchive
- Wayback Machine
- Search sources
- BinaryEdge
- Shodan (requires an api key)
- Spyse (requires an api key)
- Zoomeye (requires an api key)
- Intelx (requires an api key)
- Baidu
- DogPile
- Security sources
- VirusTotal
- SecurityTrails (requires an api key)
- F-Secure
- Hacker Target
- ThreatCrowd
- ThreatMiner
- ThreatBook (requires an api key)
- Certificate search
- crt.sh
- CertSpotter
- certDB
- Google Subdomain Enumeration
site:tesla.com -www.tesla.com
site:tesla.com -www.tesla.com -test.tesla.com
site:tesla.com -www.tesla.com -test.tesla.com -staging.tesla.com
site:tesla.com -www.tesla.com -test.tesla.com -staging.example.com -prod.tesla.com
amass enum -d tesla.com
subfinder -d tesla.com
findomain -t tesla.com
assetfinder --subs-only tesla.com
go run main.go -d target.com -s YourAPIKEY
- Get subdomains from rapiddns.io
@andirrahmani1
curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u
- Get subdomains from bufferover.run
@_ayoubfathi_
curl -s https://dns.bufferover.run/dns?q=.DOMAIN.com |jq -r .FDNS_A[]|cut -d',' -f2|sort -u
- Get subdomains from riddler.io
@pikpikcu
curl -s "https://riddler.io/search/exportcsv?q=pld:domain.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
- Get subdomains from virustotal
@pikpikcu
curl -s "https://www.virustotal.com/ui/domains/domain.com/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
- Get Subdomains from CertSpotter
@pikpikcu
curl -s "https://certspotter.com/api/v0/certs?domain=domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
- Get Subdomains from Archive
@pikpikcu
curl -s "http://web.archive.org/cdx/search/cdx?url=*.domain.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u
- Get Subdomains from JLDC
@pikpikcu
curl -s "https://jldc.me/anubis/subdomains/domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
- Get Subdomains from securitytrails
@pikpikcu
curl -s "https://securitytrails.com/list/apex_domain/domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".domain.com" | sort -u
- Get Subdomains from crt.sh
@vict0ni
curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
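Two things the crt.sh one-liner above glosses over: a single `name_value` can hold several SANs separated by newlines, and a loose grep on the apex will happily accept `example.com.evil.test`. The function below is an added example, not code from the page or from crt.sh, that parses the JSON the way the one-liner does but matches the apex on a label boundary and normalises case and wildcards. The JSON it consumes is a constructed sample shaped like a crt.sh response; `fetch_crtsh` is a convenience wrapper around the same URL the one-liner uses.

```python
import json
import urllib.request

# Constructed sample of crt.sh JSON (real responses carry more fields; only
# name_value matters here). Not real certificate data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.api.example.com\napi.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "WWW.Example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com.evil.test"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "mail.example.com"},
])


def subdomains_from_crtsh(raw_json: str, apex: str) -> list:
    """Return sorted, de-duplicated hostnames under apex found in crt.sh JSON."""
    apex = apex.lower().strip(".")
    found = set()
    for record in json.loads(raw_json):
        # One certificate may list several names, newline-separated.
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):      # wildcard cert: keep the base name
                name = name[2:]
            if not name:
                continue
            # Suffix match on a label boundary rejects example.com.evil.test.
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)


def fetch_crtsh(apex: str, timeout: int = 30) -> str:
    """Download the JSON for %.apex from crt.sh (same URL the shell one-liner hits)."""
    url = f"https://crt.sh/?q=%25.{apex}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import sys
    raw = fetch_crtsh(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CRTSH_JSON
    print("\n".join(subdomains_from_crtsh(raw, sys.argv[1] if len(sys.argv) > 1 else "example.com")))
```

Feed the output straight into a resolver such as shuffledns or massdns (see the brute-force section further down); CT logs record names that were once issued, not names that still resolve, so the list is an upper bound on live hosts.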
- LazyRecon
./lazyrecon.sh -d tesla.com
./lazyrecon.sh -d tesla.com -e excluded.tesla.com,other.tesla.com
amass enum -brute -d tesla.com -src
amass enum -brute -d tesla.com -rf resolvers.txt -w wordlist.txt
./subbrute.py tesla.com
aiodnsbrute -w wordlist.txt -vv -t 1024 tesla.com
aiodnsbrute -f - -o json tesla.com
aiodnsbrute -r resolvers.txt -f - -o json tesla.com | jq '.[] | select(.ip[] | startswith("172."))'
aiodnsbrute --gethostbyname domain.com
aiodnsbrute -r resolvers.txt domain.com
./bin/massdns -r lists/resolvers.txt -t AAAA -w results.txt domains.txt
shuffledns -d tesla.com -list wordlist.txt -r resolvers.txt
subfinder -d tesla.com | shuffledns -d tesla.com -r resolvers.txt
- Subdomain Wordlist by Jason Haddix https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
- fuzzdb
- minimaxir
- PayloadsAllTheThings
- SecLists
- IntruderPayloads
- bruteforce-lists
- PassList
- jeanphorn
- lavalamp
- assetnote
- Masscan
masscan -p1-65535 192.168.0.1 --max-rate 1800 -oG output.log
masscan -p1-65535 -iL ips.txt --max-rate 1800 -oG output.log
- DNMasscan
dnmasscan example.txt dns.log -p80,443 -oG masscan.log
- Masscan to Service Scan to Credential Bruteforce
- dnmasscan - port scanning
- nmap - service scan -oG
- brutespray - credential bruteforce
python3 EyeWitness.py -f /path/to/live-domains.txt -d /path/to/eyewitness/ --web
cat targets.txt | aquatone
./httpscreenshot.py -i <gnmapFile> -p -w 5 -a -vH
- SubOver
./subover -l /path/to/live-domains.txt -v
- Nuclei
nuclei -l /path/to/live-domains.txt -t subdomain-takeover/*
- Google Hacking Database
- Dorks by Faisal Ahmed
- Weaponizing favicon.ico for BugBounties, OSINT and what not
- Favicon analysis / Favfreak
cat urls.txt | python3 favfreak.py -o output
- Favicon analysis / Shodan
shodan search org:"Target" http.favicon.hash:<hash> --fields ip str,port --separator " " | awk '{print $1":"$2}'
- Shodan Dorks / from @manas_hunter
"default password" org:teslamotors
"230 login successful" port:"21" org:teslamotors
vsftpd 2.3.4 port:21 org:teslamotors
230 "anonymous@" login ok org:teslamotors
guest login ok org:teslamotors
country:EU port:21 -530 +230 +teslamotors
country:IN port:80 title:protected org:teslamotors
- SecretFinder
- ScriptHunter
- LinkFinder
- JS Beautifier
- Keywords
api
key
http
https
api_key
apikey
token
secret
config
conf
cfg
ENV
env
echo "twitter.com" | waybackurls > wayback-results
cat wayback-results | grep "\.conf"
cat wayback-results | grep "\.xml"
cat wayback-results | grep "\.db"
cat wayback-results | grep "\.log"
cat wayback-results | grep "config"
cat wayback-results | grep "env"
cat wayback-results | grep "key"
cat wayback-results | grep "token"
cat wayback-results | grep "panel"
cat wayback-results | grep "dashboard"
Automation built around scripting up other tools in bash or python. Step based, no workflow. Few techniques. Little extensibility.
- https://github.com/AdmiralGaust/bountyRecon
- https://github.com/offhourscoding/recon
- https://github.com/Sambal0x/Recon-tools
- https://github.com/JoshuaMart/AutoRecon
- https://github.com/yourbuddy25/Hunter
- https://github.com/venom26/recon/blob/master/ultimate_recon.sh
- https://gist.github.com/dwisiswant0/5f647e3d406b5e984e6d69d3538968cd
Automation writing a few of their own modules. Some GUI or advanced workflow. Medium techniques. Runs point-in-time. Flat files.
- https://github.com/capt-meelo/LazyRecon
- https://github.com/Screetsec/Sudomy
- https://github.com/phspade/Automated-Scanner
- https://github.com/shmilylty/OneForAll
- https://github.com/LordNeoStark/tugarecon
- https://github.com/SolomonSklash/chomp-scan
- https://github.com/TypeError/domained
- https://github.com/phspade/Automated-Scanner
Automation writing all their own modules. Has GUI. Runs iteratively. Manages data via db.
- https://github.com/Edu4rdSHL/findomain
- https://github.com/SilverPoision/Rock-ON
- https://github.com/epi052/recon-pipeline
Automation writing their own modules. Has GUI. Runs iteratively. Manages data via db. Scales across multiple boxes. Sends alerts to user. Uses novel techniques and iterates quickly. ML + AI.