- Everybody has problems
- Bugs are created over time
- Reputation and the number of reports mean less than you think
- Create an account on the target, be patient, check everything, try harder
- choose a few targets (3 ~ 4)
- After 20 submissions, start to invest in yourself
  - paid tools (shodan, censys, whoxy, securitytrails, changedetection.io)
  - automation (receive notifications when a new vulnerability is found)
- understand the target
  - crunchbase (financials > acquisitions)
  - wikipedia
- find ASN (be careful with false positives when automating)
  - bgp.he.net
  - asnlookup.com
  - metabigor
  - ASN enumeration: `amass intel -asn $ASN_NUMBER`
- analytics relationships
  - builtwith.com/relationships/example.com
  - googling copyright text, terms of service, privacy policy
  - shodan.io/search?query=example.com
- linked discovery
  - using burp > visit the domains, add a filter and check the sitemap > run the spider and repeat until fatigue
  - gospider
  - hakrawler
- subdomain enumeration
  - SubDomainizer
  - subdomain scraping
    - robtex
    - dnsdumpster
    - dnsdb search
    - googling `example.com -www.example.com -blog.example.com`
    - `amass enum -d example.com`
    - github search (https://github.com/gwen001/github-subdomains)
    - shodan (shosubgo)
    - https://tls.bufferover.run/
  - subdomain bruting
    - check wildcards: try to resolve an invalid subdomain and check whether it returns a record
    - `amass enum -brute -d example.com -src`
    - `amass enum -brute -d example.com -w wordlist.txt`
    - `shuffledns -d example.com -w wordlist.txt -r resolvers.txt`
    - wordlist: https://wordlists.assetnote.io/
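The wildcard check above, as an added example that is not part of the original notes: resolve a few random labels under the zone, treat whatever comes back as the wildcard answer set, and drop brute-force candidates that only resolve to that set. The resolver is a constructed in-memory stand-in for a live lookup (the zone data is made up), and `fake_resolve`, `detect_wildcard` and `filter_wildcard_hits` are names assumed here. The same check tells a zone owner whether their own `*` record will flood anyone's subdomain inventory with false positives.

```python
import random
import string
from typing import Callable, Dict, FrozenSet, Iterable, List

Resolver = Callable[[str], FrozenSet[str]]

# Constructed zone data (assumption, not a real zone): three real hosts plus a
# wildcard record *.example.com that answers for every unknown label.
FAKE_ZONE: Dict[str, FrozenSet[str]] = {
    "www.example.com": frozenset({"203.0.113.10"}),                 # same IP as the wildcard
    "api.example.com": frozenset({"203.0.113.20"}),
    "mail.example.com": frozenset({"203.0.113.10", "203.0.113.30"}),
}
WILDCARD_ANSWER: FrozenSet[str] = frozenset({"203.0.113.10"})


def fake_resolve(name: str) -> FrozenSet[str]:
    """Stand-in for a real A lookup: exact match first, then the wildcard, else NXDOMAIN."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.com"):
        return WILDCARD_ANSWER
    return frozenset()


def random_label(length: int = 16) -> str:
    """A label no wordlist contains, so any answer for it must come from a wildcard."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve several random labels; the union of answers is the wildcard set (empty = none)."""
    answers: set = set()
    for _ in range(probes):
        answers |= resolve(f"{random_label()}.{domain}")
    return frozenset(answers)


def filter_wildcard_hits(candidates: Iterable[str], resolve: Resolver,
                         wildcard_ips: FrozenSet[str]) -> List[str]:
    """Keep names that resolve to at least one address outside the wildcard set.

    Caveat: a real host that shares the wildcard's address (www above) is
    indistinguishable from a wildcard hit by A record alone and is dropped too;
    confirm such hosts with another signal (CNAME, HTTP response) before discarding.
    """
    kept = []
    for name in candidates:
        ips = resolve(name)
        if ips and not ips <= wildcard_ips:
            kept.append(name)
    return kept
```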
- threading a command
  - `interlace -tL targets.txt -threads 5 -c "nikto --host _target_ > _target_.nikto.txt" -v`
  - `cat paths.txt | parallel -j 100 --results curl_output/{} curl -si target.com/{}` (`--results` is a parallel option and must come before the command)
- frameworks
- fast port scanning
  - web services on other ports
  - low-hanging fruit services
    - default creds
    - misconfigurations
  - `rustscan example.com --ulimit 100000 -r 1-65000`
  - `naabu -host example.com`
  - `masscan -p- -iL targets.txt --max-rate 1800 -oG output.txt`
- service scanning
  - default creds (brutespray)
- screenshotting
  - gowitness
- subdomain takeover
  - better for a fresh target coming from a good recon
- nuclei
- jaeles scanner
- intrigue core
- sn1per
- https://github.com/RetireJS/retire.js
- create your own nuclei templates
  - new exploits without an official template yet
  - tweetdeck can be used to monitor for new exploits
  - the MAIN WAY to achieve a bounty
- web fuzzing
  - feroxbuster:
    - `cat subdomains.txt | feroxbuster --stdin -r -k --json -o feroxbuster.results.json -A --smart -w wordlist.txt # --parallel 1 --resume-from`
    - `cat feroxbuster.results.json | jq 'select(.status == 200) | select(.path | test("\\.(js|css|png|ico)$") | not)' | jq -s 'sort_by(.content_length) | sort_by(.original_url) | .[] | {url, path, status, content_length, word_count}' -C | less -R`
  - turbo intruder
  - getallurls (https://github.com/lc/gau): `cat domains.txt | getallurls -subs -random-agent -o gau.results.txt`
  - waymore (https://github.com/xnl-h4ck3r/waymore): `waymore -i domains.txt -mode U -oU waymore.results.txt`
  - get api endpoints from an apk: https://github.com/dwisiswant0/apkleaks
- javascript parsing
  - xnLinkFinder (https://github.com/xnl-h4ck3r/xnLinkFinder)
    - `xnLinkFinder.py -i example.com -v -d2 -sp https://example.com`
    - `xnLinkFinder -i waymore.results.txt -sf /tmp/domains.txt -o xnlinkfinder.results.txt`
  - GAP BApp (https://github.com/xnl-h4ck3r/GAP-Burp-Extension)
- spider (looking for interesting links, parameters)
  - burp
  - `gospider -s example.com --depth 1`
  - katana
- how is the session managed? (cookies, header, id)
- does the app have different user levels?
- what does the app try to protect?
- retest past vulnerabilities again
- functions
  - upload functions (injection, xss, ssrf, idor)
  - api (hidden methods, lack of auth)
  - account section (xss, ssti, integrations with ssrf)
- look for dns variations that resolve to the same target (origin.sub -> origin-sub, www -> www2)