Skip to content

Latest commit

 

History

History
433 lines (347 loc) · 11.9 KB

methodology.md

File metadata and controls

433 lines (347 loc) · 11.9 KB

Bug Bounty Methodology

Credits

  • This wouldn't be possible without our lord and saviour Jason Haddix

Table of content

Seed Domain Enumeration

Finding Acquisitions

ASN Enumeration

  • Manual enumeration via https://bgp.he.net/
  • Discover seed domains - amass intel --asn
  • Automated enumeration
    • ASNLookup (maxmind.com dataset)
    • metabigor (bgp.he.net, asnlookup.com)

Reverse WHOIS

Ad/Analytics Relationship Mapping

echo "tesla.com" | python3 getrelationship.com

Google Fu

  • "Copyright Text" inurl:tesla.com
  • "Terms of Service Text" inurl:tesla.com
  • "Privacy Policy Text" inurl:tesla.com

Subdomain Enumeration

Linked and JS Discovery

Manual Linked and JS Discovery

Demonstrated using Burp Pro

  • Set a scope item
    • Check "Use advanced scope controls"
    • Enter a term instead of an absolute domain name
    • Host or ip range: "keyword"
    • Site map
      • Filter by request type: Show only in-scope items
  • Crawl all in-scope targets
    • Scan type: Crawl
    • Scan confgiruation
      • Crawl strategy - fastest
      • Never stop crawling due to application errors
    • Resource Pool
      • Name: "name"
      • Maximum concurrent requests: 50

Linked and JS Discovery Tools

  • Hakrawler
hakrawler -url tesla.com -hs -linkfinder
  • GoSpirer
gospider -s https://tesla.com
  • Subdomainizer

Input JS files either from Burp or Hakrawler

python3 SubDomainizer.py -l jsfiles.txt -o js-subdomains.txt
python linkfinder.py -i 'scripts/*.js' -r ^/api/ -o results.html

Linked and JS Discovery Oneliners

  • Pure bash linkfinder @ntrzz
curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > jslinks.txt; while IFS= read link; do python linkfinder.py -i "$link" -o cli; done < jslinks.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf jslinks.txt
  • Finding JS files script @D0cK3rG33k
assetfinder site.com | gau|egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)'|while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" |sed -e 's, 'var','"$url"?',g' -e 's/ //g'|grep -v '.js'|sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars";done
  • Extract endpoints from JS files @renniepak
cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u

Subscraper by Cillian Collins

  • For recursive analysis

Subdomain Scraping

Sources

  • Infrastructure sources

    • Censys (requires an api key)
    • Chaos (requires an api key)
    • Robtex (requires an api key)
    • DnsDB (requires an api key)
    • Github (requires an api key)
    • Passive Total (requires an api key)
    • NetCraft
    • PTRarchive
    • Wayback Machine

  • Search sources

    • BinaryEdge
    • Shodan (requires an api key)
    • Spyse (requires an api key)
    • Zoomeye (requires an api key)
    • Intelx (requires an api key)
    • Baidu
    • DogPile

  • Security sources

    • VirusTotal
    • SecurityTrails (requires an api key)
    • F-Secure
    • Hacker Target
    • ThreatCrowd
    • ThreatMiner
    • ThreatBook (requires an api key)

  • Certificate search

Manual Subdomain Enumeration

  • Google Subdomain Enumeration
site:tesla.com -www.tesla.com
site:tesla.com -www.tesla.com -test.tesla.com
site:tesla.com -www.tesla.com -test.tesla.com -staging.teala.com
site:tesla.com -www.tesla.com -test.tesla.com -staging.example.com -prod.tesla.com

Subdomain Enumeration Tools

amass enum -d tesla.com
subfinder -d tesla.com
findomain -t tesla.com
assetfinder --subs-only tesla.com
go run main.go -d target.com -s YourAPIKEY

Subdomain Enumeration Frameworks

  • LazyRecon
./lazyrecon.sh -d tesla.com
./lazyrecon.sh -d tesla.com -e excluded.tesla.com,other.tesla.com

Subdomain Enumeration Oneliners

  • Get subdomains from rapiddns.io

@andirrahmani1

curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u
  • Get subdomains from bufferover.run

@_ayoubfathi_

curl -s https://dns.bufferover.run/dns?q=.DOMAIN.com |jq -r .FDNS_A[]|cut -d',' -f2|sort -u
  • Get subdomains from riddler.io

@pikpikcu

curl -s "https://riddler.io/search/exportcsv?q=pld:domain.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
  • Get subdomains from virustotal

@pikpikcu

curl -s "https://www.virustotal.com/ui/domains/domain.com/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
  • Get Subdomains from CertSpotter

@pikpikcu

curl -s "https://certspotter.com/api/v0/certs?domain=domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
  • Get Subdomains from Archive

@pikpikcu

curl -s "http://web.archive.org/cdx/search/cdx?url=*.domain.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u
  • Get Subdomains from JLDC

@pikpikcu

curl -s "https://jldc.me/anubis/subdomains/domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
  • Get Subdomains from securitytrails

@pikpikcu

curl -s "https://securitytrails.com/list/apex_domain/domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".domain.com" | sort -u
  • Get Subdomains from crt.sh

@vict0ni

curl -s "https://crt.sh/?q=%25.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

Subdomain Bruteforce

amass enum -brute -d tesla.com -src
amass enum -brute -d tesla.com -rf resolvers.txt -w wordlist.txt
./subbrute.py tesla.com
aiodnsbrute -w wordlist.txt -vv -t 1024 tesla.com
aiodnbrute -f - -o json tesla.com
aiodnsbrute -r resolvers.txt -f - -o json tesla.com | jq '.[] | select(.ip[] | startswith("172."))'
aiodnsbrute --gethostbyname domain.com
aiodnsbrute -r resolvers.txt domain.com
./bin/massdns -r lists/resolvers.txt -t AAAA -w results.txt domains.txt
shuffledns -d tesla.com -list wordlist.txt -r resolvers.txt
subfinder -d tesla.com | shuffledns -d tesla.com -r resolvers.txt

Content Discovery

Wordlists

Fuzzers

Scanning

Port Scanning

  • Masscan
masscan -p1-65535 192.168.0.1 --max-rate 1800 -oG output.log
masscan -p1-65535 -iL ips.txt --max-rate 1800 -oG output.log
  • DNMasscan
dnmasscan example.txt dns.log -p80,443 -oG masscan.log
  • Masscan to Service Scan to Credential Bruteforce
    1. dnmasscan - port scanning
    2. nmap - service scan -oG
    3. brutespray - credential bruteforce

Screenshotting

python3 EyeWitness.py -f /path/to/live-domains.txt -d /path/to/eyewitness/ --web
cat targets.txt | aquatone
./httpscreenshot.py -i \<gnmapFile\> -p -w 5 -a -vH

Subdomain Takeover

./subover -l /path/to/live-domains.txt -v
  • Nuclei
nuclei -l /path/to/live-domains.txt -t subdomain-takeover/*

Vulnerability Scanning

Sensitive Data Exposure

Google Dorking

Github Recon

Favicon Analysis using Shodan

  • Favfreak
cat urls.txt | python3 favfreak.py -o output
  • Shodan
shodan search org:"Target" http.favicon.hash:<hash> --fields ip str,port --separator " " | awk '{print $1":"$2}'

Shoran Dorks

@manas_hunter

"default password" org:teslamotors
"230 login successful" port:"21" org:teslamotors
vsftpd 2.3.4 port:21 org:teslamotors
230 "anonymous@" login ok org:teslamotors
guest login ok org:teslamotors
country:EU port:21 -530 +230 +teslamotors
country:IN port:80 title:protected org:teslamotors

Bucket Hunting