Created
March 25, 2019 20:28
-
-
Save duraki/f23b0db02a733b20a4a3734bd5bb60c3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Go the road less travelled, find programs that are not on hackerone or bugcrowd: | |
| https://www.bugcrowd.com/bug-bounty-list/ | |
| google: "Responsible Disclosure" or "Vulnerability Disclosure" or "responsible disclosure website list" | |
| google: responsible disclosure "bounty" | |
| Responsible Disclosure seems to give best results. | |
| intext:”Responsible Disclosure Policy” | |
| "responsible disclosure" "private program" | |
| "responsible disclosure" "private" "program" | |
| Google Dork: | |
| vulnerability disclosure program "bounty" -bugcrowd -hackerone | |
| responsible disclosure "private program" <--- find private hackerone/bugcrowd programs | |
| ========================================================================= | |
| Google Dorker: | |
| https://github.com/random-robbie/bugbountydork/blob/master/main.py | |
| Subdomain Enumeration: | |
| ./amass -active -v -d test.com OR /root/go/bin/amass -active -v -d test.com | |
| ./subfinder -d test.com OR /root/go/bin/subfinder -d test.com | |
| ./subfinder -b -w /root/Desktop/jhaddixALL/subdomainsALL.txt -d upwork.com -v | |
| python sublist3r.py -b -d example.com -v -t 40 -o example.txt | |
| python sublist3r.py -p 21,22,3389,8080,8181,8000,9443,8443,6900 | |
| aquatone-discover -d test.com Enumeration with aquatone: https://blog.it-securityguard.com/visual-recon-a-beginners-guide/ | |
| ======================================================================== | |
| Subdomain Analysis: | |
| Subdomain bruteforcing: | |
| ./subfinder -d example.com -b -dL jasonhaddixall.txt OR /root/go/bin/subfinder -d test.com -b -dL jasonhaddixall.txt | |
| Subdomain Analysis: | |
| ./EyeWitness.py --prepend-https -f /root/vanillasublister.txt --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -d targetvanilla | |
| Port Scanning: | |
| nmap -p 21,22,3389,8080,8181,8000,9443,8443,6900 -iL targets.txt | |
| aquatone-scan -d uber.com -t 30 -p medium | |
| aquatone-scan -d test.com -t 30 -p small (small is port 443 and 80) | |
| webscreenshot -i /tmp/adobeurls.txt -o /targets/adobe.com -v | |
| webscreenshot -i /tmp/adobeurls.txt -o /targets/adobe.com -v -m (HTTP & HTTPS) | |
| epg-prep /root/adobe.com | |
| node yourname.js | |
| http://yourserverip:3000/photos | |
| site:site.com ext:php,asp,aspx,jsp,jspa,txt,swf | |
| http://archive.org/web/ (if subdomain name indicates critical data config.test.com or admin.test.com, try looking at it from wayback machine. may show critical data (API keys, user/pass) | |
| site:admin.target.com (if website returns 403, try google dorking the website to see if there is any endpoints you can access) | |
| -can also try searching wayback machine for endpoints via curl(https://github.com/internetarchive/wayback/blob/master/wayback-cdx-server/README.md) | |
| -curl 'http://web.archive.org/cdx/search/cdx?url=games.sidefx.com/*&output=text&fl=original&collapse=urlkey' | |
| ^^^ more info https://www.shawarkhan.com/2018/06/getting-php-code-execution-and-leverage.html | |
| You can query commoncrawl.org to discover endpoints as well: | |
| python3 cc.py github.com -y 18 -o github_2018.txt | |
| Subdomain Takeover: | |
| aquatone-takeover -d adobe.com | |
| CORS Testing: | |
| ========================================================== | |
| Directory Bruteforcing: | |
| ./dirsearch.py -u http://target.com -e * -r | |
| ./dirsearch.py -u http://target.com -e * -r -w /root/Desktop/jhaddixALL/directoriesjhaddix.txt --plain-text-report=/root/Desktop/report | |
| Finding directories: | |
| ./dirsearch.py -u http://target.com -L /root/jhaddix/jhaddixdirectories.txt | |
| https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10 <---- jason haddix directory bruteforce list | |
| ./dirsearch.py -u http://target.com -e * -r -w /opt/tools/directorywordlists/raft-medium-directories.txt --plain-text-report=/root/Desktop/report <---- bruteforce directory | |
| LOOK FOR GOBUSTER | |
| dirb 10 threads, jason haddix wordlist | |
| ============================================================ | |
| Once new directories are found, find files in those directories: | |
| ./dirsearch.py -u http://target.com -r -w /opt/tools/directorywordlists/raft-medium-files.txt --plain-text-report=/root/Desktop/report <---- bruteforce files | |
| ./dirsearch.py -u http://target.com -e * -r | |
| =========================================================== | |
| Find scripts: | |
| site:test.com ext:php | |
| site:test.com ext:asp | |
| github recon: | |
| site:github.com inurl:looker "api" "key" | |
| site:github.com inurl:looker "password" | |
| Endpoint Discovery: | |
| Linkfinder | |
| Target Tab > Right Click Target.com > Save Selected Items | |
| python linkfinder.py -o cli -i burpfile | |
| Link Finder | |
| Target Tab > Right Click Target.com > Engagement Tools > Find Scripts | |
| Ctrl A > Copy Selected URLs (Paste to textfile linkfinder.txt) | |
| cat linkfinder.txt | grep .js > linkfinder2.txt | |
| python linkfinder.py -o cli -i http://target.com/everylink.js | |
| OR copy and paste into JSParser: | |
| python handler.py (visit localhost:8008) | |
| =============================================== | |
| https://whatcms.org/ discover type of CMS running on website | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment