These notes are written for solving web application CTFs, bug bounty hunting and web application penetration testing.
Check my Bug Bounty Hunting Methodology for additional material.
- You can use my script Hackify to install the important tools and wordlists on your Linux system:

```bash
git clone https://github.com/ZishanAdThandar/hackify.git
cd hackify
chmod +x hackify.sh; bash hackify.sh    # tools
chmod +x wordlist.sh; bash wordlist.sh  # wordlists
```
- Top tools list: the remaining tools can be installed manually.
- Bug bounty scope datasets: h1asset by adysec, h1domains by zricethezav, Inventory by Trickest, bounty-targets-data by arkadiyt, bug-bounty-recon-dataset by inth3wild
- Google dork https://github.com/sushiwushi/bug-bounty-dorks/blob/master/dorks.txt
- Bug Bounty Hunting Platforms
- https://github.com/projectdiscovery/public-bugbounty-programs; to download the subdomains of all programs see https://chaos.projectdiscovery.io/
- Find new acquisitions by target companies: https://index.co/company/COMPANY/acquirees (example: https://index.co/company/google/acquirees)
- Reverse IP lookup to widen the scope in a red-team engagement: Hacker Target, ViewDNS.info and SecurityTrails (account needed).
- dig (zone transfer)

```bash
dig axfr @<ip_address> target.tld
```
  A zone transfer only succeeds against a misconfigured authoritative server, so list the nameservers first (`dig ns target.tld`) and try the AXFR against each of them.
- nslookup, host, dnsenum, fierce, dnsrecon
- whois

```bash
whois target.tld
```
- theHarvester, FinalRecon, Recon-ng, SpiderFoot or OSINT Framework
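The zone-transfer check above, automated across every authoritative nameserver and with the answer parsed into a host-to-address map. This is an added example for these notes, not code from the original page; it shells out to the `dig` binary used above, and the sample `dig axfr` output and the `target.tld` hostnames are constructed for the offline demonstration.

```python
"""Try AXFR against every authoritative nameserver and parse what leaks.

Added example: not part of the original notes. Uses the `dig` binary; the
sample outputs below are constructed for the offline demo."""
import subprocess
from typing import Dict, List, Set

# Record types whose data names a host or alias worth adding to scope.
_INTERESTING = {"A", "AAAA", "CNAME"}


def parse_axfr(dig_output: str) -> Dict[str, Set[str]]:
    """Parse `dig axfr` text output into {hostname: {rdata, ...}}.

    dig prints one record per line as: name  ttl  class  type  rdata...
    Comment lines start with ';'. A refused transfer yields no record lines.
    """
    records: Dict[str, Set[str]] = {}
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, rtype = fields[0].rstrip("."), fields[3]
        rdata = " ".join(fields[4:]).rstrip(".")
        if rtype in _INTERESTING:
            records.setdefault(name, set()).add(rdata)
    return records


def transfer_succeeded(dig_output: str) -> bool:
    """A server that refuses AXFR prints '; Transfer failed.' and no records."""
    return "Transfer failed" not in dig_output and bool(parse_axfr(dig_output))


def authoritative_nameservers(domain: str) -> List[str]:
    """Live helper: the NS set via `dig +short`. Each NS must be tried on its
    own, because a single misconfigured secondary leaks the whole zone."""
    out = subprocess.run(["dig", "+short", "ns", domain],
                         capture_output=True, text=True, check=False).stdout
    return sorted({ns.rstrip(".") for ns in out.split() if ns})


def try_zone_transfer(domain: str) -> Dict[str, Dict[str, Set[str]]]:
    """Live helper: {nameserver: parsed_records} for every NS allowing AXFR."""
    leaked = {}
    for ns in authoritative_nameservers(domain):
        out = subprocess.run(
            ["dig", "axfr", f"@{ns}", domain, "+time=5", "+tries=1"],
            capture_output=True, text=True, check=False).stdout
        if transfer_succeeded(out):
            leaked[ns] = parse_axfr(out)
    return leaked


# Constructed sample of a successful transfer (hostnames/addresses are made up).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr @ns1.target.tld target.tld
target.tld.      3600  IN  SOA    ns1.target.tld. hostmaster.target.tld. 2024010101 7200 3600 1209600 3600
target.tld.      3600  IN  NS     ns1.target.tld.
www.target.tld.  300   IN  A      203.0.113.10
dev.target.tld.  300   IN  A      203.0.113.11
vpn.target.tld.  300   IN  CNAME  gw.target.tld.
gw.target.tld.   300   IN  A      198.51.100.5
target.tld.      3600  IN  SOA    ns1.target.tld. hostmaster.target.tld. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# Constructed sample of the usual (hardened) answer.
REFUSED_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr @ns2.target.tld target.tld
; Transfer failed.
"""

if __name__ == "__main__":
    for host, data in sorted(parse_axfr(SAMPLE_AXFR).items()):
        print(host, sorted(data))
```

Run `try_zone_transfer("target.tld")` against a real scope; the parsed map of A/AAAA/CNAME records is the seed list for the virtual-host and directory brute forcing that follows.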
- Gobuster (virtual host enumeration)

```bash
gobuster vhost -u http://monitorsthree.htb --append-domain -w /usr/share/seclists/Discovery/DNS/namelist.txt -r
```
- ffuf, virtual hosts via the Host header (for VPN/CTF boxes where the names do not resolve in DNS):

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt:FUZZ -fw 18 -mc all -ac -u http://domain.tld -H 'Host: FUZZ.domain.tld'
```
- ffuf, subdomains via DNS (real world):

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt:FUZZ -fw 18 -mc all -ac -u http://FUZZ.domain.tld
```
  `-ac` auto-calibrates the filters against the server's default response; the `-fw 18` word-count filter belongs to the example target and has to be re-derived for each new one.
- subauto (install it with Hackify), very useful for real-world subdomain enumeration:

```bash
subauto domain.tld
```
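The logic behind the `-ac`/`-fw` filtering in the ffuf vhost command above, written out: a request with a random, non-existent Host header gives the server's default response, and a candidate is a real virtual host only if its status, word count or length leaves that pattern. This is an added example for these notes, not code from the page or from ffuf; the hostnames and the sample responses are constructed, and the live helpers assume plain HTTP on port 80.

```python
"""Virtual-host discovery by comparing responses against a baseline.

Added example, not part of the original notes. Implements the idea behind
ffuf's `-H 'Host: FUZZ.domain.tld'` mode with `-ac` auto-calibration.
Sample responses below are constructed."""
import http.client
import secrets
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Fingerprint(NamedTuple):
    status: int
    words: int
    length: int


def fingerprint(status: int, body: bytes) -> Fingerprint:
    """Reduce a response to the three values ffuf filters on (-mc, -fw, -fs)."""
    return Fingerprint(status, len(body.split()), len(body))


def differs(candidate: Fingerprint, baseline: Fingerprint, tolerance: int = 0) -> bool:
    """A vhost is interesting if it leaves the default status/word-count pattern.
    `tolerance` absorbs small length jitter, e.g. the Host value echoed back."""
    if candidate.status != baseline.status or candidate.words != baseline.words:
        return True
    return abs(candidate.length - baseline.length) > tolerance


def find_vhosts(responses: Dict[str, Tuple[int, bytes]],
                baseline_key: str, tolerance: int = 0) -> List[str]:
    """Return the Host values whose response differs from the baseline.
    `responses` maps each tried Host header to (status, body)."""
    base = fingerprint(*responses[baseline_key])
    return sorted(host for host, (status, body) in responses.items()
                  if host != baseline_key
                  and differs(fingerprint(status, body), base, tolerance))


def fetch(ip: str, host: str, port: int = 80, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Live helper: GET / from `ip` with an arbitrary Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def enumerate_vhosts(ip: str, domain: str, names: Iterable[str]) -> List[str]:
    """Live helper: baseline with a random label, then try each wordlist entry.
    The 32-byte tolerance covers a default page that echoes the Host value."""
    junk = f"{secrets.token_hex(6)}.{domain}"
    responses = {junk: fetch(ip, junk)}
    for name in names:
        host = f"{name}.{domain}"
        responses[host] = fetch(ip, host)
    return find_vhosts(responses, junk, tolerance=32)


def _default_page(host: str) -> bytes:
    """Constructed default vhost page that echoes the requested Host."""
    return f"<html><body><h1>Not Found</h1><p>No site for {host}</p></body></html>".encode()


# Constructed responses: same status and word count for unknown hosts, but the
# body length changes with the Host value, so a raw length filter would fail.
SAMPLE_RESPONSES = {
    "x7q9z.domain.tld": (404, _default_page("x7q9z.domain.tld")),  # random baseline
    "www.domain.tld": (404, _default_page("www.domain.tld")),
    "mail.domain.tld": (404, _default_page("mail.domain.tld")),
    "dev.domain.tld": (200, b"<html><body>Jenkins login</body></html>"),
    "admin.domain.tld": (401, b"Unauthorized"),
}

if __name__ == "__main__":
    print(find_vhosts(SAMPLE_RESPONSES, "x7q9z.domain.tld", tolerance=32))
```

With `tolerance=0` the two echoing 404s are flagged as well, which is exactly the noise `-ac` and a target-specific `-fw`/`-fs` are there to remove.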
- SecurityTrails, ViewDNS.info: For DNS history and records.
- dnsdumpster.com
- Shodan, Censys: For Internet device searches.
- Google, Bing: For cached search engine results.
- crt.sh, Censys, CertDB: For certificate transparency logs.
- dig: to find DNS misconfigurations and leaked IP addresses.
- FeroxBuster

```bash
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://target.tld/
```
- Recursive directory busting

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-big.txt -ic -recursion -recursion-depth 3 -u https://target.com/FUZZ
```
- Directories

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://target.com/FUZZ/
```
- dirsearch

```bash
dirsearch -e php,html,txt -t 50 -u http://domain.tld/
```
- Files (no trailing slash after FUZZ, otherwise file names never match)

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u https://target.com/FUZZ
```
- LinkFinder by GerbenJavado
- ReconSpider

```bash
ReconSpider.py domain.tld
```
- arjun

```bash
arjun -u target.tld
```
- Burp Suite plugin: parmafinder++
- webarchive (Wayback Machine CDX API): https://web.archive.org/cdx/search/cdx?url=*.domain.tld&fl=original&collapse=urlkey
- x8 parameter discovery
- ffuf
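Turning the CDX query above into input for the parameter-discovery tools: the archived URLs are reduced to the query-parameter names seen on each path, ranked by frequency, so arjun/x8 or ffuf can replay the right names against the right endpoint. This is an added example for these notes, not code from the page or from any of those tools; the sample CDX output and the `domain.tld` URLs are constructed.

```python
"""Mine Wayback CDX output for parameter names and paths.

Added example, not part of the original notes. Builds the same CDX query the
notes use (fl=original, collapse=urlkey); SAMPLE_CDX is constructed."""
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import urlopen

CDX = "https://web.archive.org/cdx/search/cdx"


def cdx_url(domain: str) -> str:
    """One original URL per line, de-duplicated by urlkey, for *.domain."""
    return CDX + "?" + urlencode(
        {"url": f"*.{domain}", "fl": "original", "collapse": "urlkey"})


def param_names(urls: Iterable[str]) -> Counter:
    """Count how often each query-parameter name appears across the URL set."""
    counts: Counter = Counter()
    for url in urls:
        url = url.strip()
        if not url:
            continue
        for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            counts[name] += 1
    return counts


def param_wordlist(counts: Counter) -> List[str]:
    """Names ordered by frequency (ties alphabetical): a target-specific
    wordlist to put in front of the generic ones arjun/x8 ship with."""
    return [n for n, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def paths_with_params(urls: Iterable[str]) -> Dict[str, List[str]]:
    """Map each path to every parameter name ever seen on it, so parameters
    are replayed against the endpoint that actually consumed them."""
    by_path: Dict[str, set] = {}
    for url in urls:
        parts = urlsplit(url.strip())
        names = {n for n, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if names:
            by_path.setdefault(parts.path, set()).update(names)
    return {path: sorted(names) for path, names in by_path.items()}


def fetch_cdx(domain: str, timeout: float = 30.0) -> List[str]:
    """Live helper: the CDX answer as a list of URLs."""
    with urlopen(cdx_url(domain), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace").splitlines()


# Constructed sample of what `fl=original` returns (one URL per line).
SAMPLE_CDX = """\
http://domain.tld/
http://domain.tld/search?q=test&page=2
https://domain.tld/search?q=shoes&sort=price
https://shop.domain.tld/item?id=1001&ref=mail
https://shop.domain.tld/item?id=1002
https://domain.tld/account/export?format=csv&debug=1
"""

if __name__ == "__main__":
    lines = SAMPLE_CDX.splitlines()
    print(param_wordlist(param_names(lines)))
    print(paths_with_params(lines))
```

Write `param_wordlist(...)` to a file and pass it as the wordlist to `x8`/`arjun -w`, or as `FUZZ` in `ffuf -u 'https://domain.tld/search?FUZZ=1'` with auto-calibration enabled.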
- robots.txt, secrets.txt, .well-known/security.txt, .well-known/change-password, .well-known/openid-configuration, .well-known/assetlinks.json, .well-known/mta-sts.txt etc. could reveal sensitive information.
- Use dirb to find common files:

```bash
dirb http://target.tld
```
- Check the source code for any sensitive information leak.
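What the well-known files above actually give you, in code: robots.txt Disallow entries and the endpoints advertised in .well-known/openid-configuration are collected into a target-specific seed list for the dirb/ffuf runs. This is an added example for these notes, not code from the page; the `target.tld` file bodies are constructed, and the fetch helper assumes the files are served at the site root.

```python
"""Harvest seed paths from well-known files.

Added example, not part of the original notes. SAMPLE_FILES are constructed
bodies of the kind of files the list above refers to."""
import json
from typing import Dict, List, Set
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

WELL_KNOWN = [
    "robots.txt", "secrets.txt", ".well-known/security.txt",
    ".well-known/change-password", ".well-known/openid-configuration",
    ".well-known/assetlinks.json", ".well-known/mta-sts.txt",
]


def robots_paths(body: str) -> Set[str]:
    """Disallow/Allow/Sitemap lines name paths the owner did not want indexed,
    which is exactly what a directory brute force should try first."""
    paths: Set[str] = set()
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() in ("disallow", "allow") and value not in ("", "/"):
            paths.add(value.rstrip("*$"))           # strip wildcard suffixes
        elif key.lower() == "sitemap" and value:
            paths.add(urlsplit(value).path)
    return paths


def openid_endpoints(body: str) -> Dict[str, str]:
    """{claim: path} for every *_endpoint / jwks_uri in the discovery document.
    A `registration_endpoint` means dynamic client registration is exposed
    and deserves a dedicated look."""
    doc = json.loads(body)
    return {k: urlsplit(v).path for k, v in doc.items()
            if isinstance(v, str) and (k.endswith("_endpoint") or k == "jwks_uri")}


def seed_wordlist(files: Dict[str, str]) -> List[str]:
    """Merge paths from the fetched files into a sorted, de-duplicated wordlist
    (leading slash stripped so it can feed ffuf/dirb directly)."""
    seeds: Set[str] = set()
    if "robots.txt" in files:
        seeds |= robots_paths(files["robots.txt"])
    if ".well-known/openid-configuration" in files:
        seeds |= set(openid_endpoints(files[".well-known/openid-configuration"]).values())
    return sorted(p.lstrip("/") for p in seeds if p.strip("/"))


def fetch_well_known(base: str, timeout: float = 5.0) -> Dict[str, str]:
    """Live helper: fetch each well-known path, keeping bodies of 200 responses.
    Non-200 answers raise HTTPError (an OSError) and are skipped."""
    found: Dict[str, str] = {}
    for path in WELL_KNOWN:
        req = Request(f"{base.rstrip('/')}/{path}", headers={"User-Agent": "Mozilla/5.0"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    found[path] = resp.read().decode("utf-8", "replace")
        except OSError:
            continue
    return found


# Constructed file bodies for the offline demo.
SAMPLE_FILES = {
    "robots.txt": (
        "User-agent: *\n"
        "Disallow: /admin/\n"
        "Disallow: /old-site/*\n"
        "Disallow: /\n"
        "Allow: /public/\n"
        "Sitemap: https://target.tld/sitemap.xml\n"
    ),
    ".well-known/openid-configuration": json.dumps({
        "issuer": "https://target.tld",
        "authorization_endpoint": "https://target.tld/oauth2/authorize",
        "token_endpoint": "https://target.tld/oauth2/token",
        "registration_endpoint": "https://target.tld/oauth2/register",
        "jwks_uri": "https://target.tld/oauth2/keys",
        "response_types_supported": ["code"],
    }),
}

if __name__ == "__main__":
    print("\n".join(seed_wordlist(SAMPLE_FILES)))
```

`seed_wordlist(fetch_well_known("https://target.tld"))` gives a list worth running before the generic SecLists wordlists, since every entry is a path the application itself admitted to.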
- Wappalyzer, Builtwith
- WhatWeb, nmap, Netcraft
- wafw00f, nikto and curl:

```bash
wafw00f domain.tld
nikto -h domain.tld -Tuning b   # Tuning b: software identification
curl -I domain.tld
```
- Searching on Google
- Using searchsploit
- shodan
- censys
- Online exploit databases such as Exploit DB, Rapid7 DB or Vulnerability Lab can also be used to search for vulnerabilities.
- wpscan

```bash
wpscan --url https://domain.tld/wordpress-blog/ -e u,ap --api-token=<API_TOKEN>
```
  Get an API token from https://wpscan.com/profile (`-e u,ap` enumerates users and all plugins).
- Search for a dedicated scanner for other CMSs and use it on that particular CMS.
- Known CVEs: check for outdated or vulnerable versions of any service or software using exploitdb and Google.
- DorkScout: Golang tool to automate Google dork scans against the entire internet or specific targets.
- pagodo (Passive Google Dork)
- FGDS
```bash
curl https://raw.githubusercontent.com/IvanGlinkin/Fast-Google-Dorks-Scan/master/FGDS.sh -s | bash -s domain.com
```
  This pipes a remote script straight into bash; download and read it first if you do not trust the source blindly.
- sitedorks by Zarcolio
- git-hound
- Install git-hound with Hackify or from the repo release, then:

```bash
which git-hound
```
- Login details:

```bash
nano /root/go/bin/config.yml
```
  Example: https://github.com/tillson/git-hound/blob/main/config.example.yml
- Entering the OTP and running a scan:

```bash
git-hound --otp-code 1234568
git-hound --config-file /root/go/bin/config.yml --subdomain-file subdomains.txt
```
- Burp Suite Pro: with different extensions like HUNT by BugCrowd. Bug Bounty Pro could be used.
- nuclei with nuclei-templates or external templates
- nuclei template install (as root):

```bash
nuclei -ut
```
- nuclei command:

```bash
nuclei -l httpsubdomain.txt -resume nuclei.txt -nmhe
```
  Add `-rl 10` to cap the scan at 10 requests/second and avoid errors from too-rapid requests; `-nmhe` stops nuclei from dropping a host after it hits the error threshold.
- Acunetix Pro
- Creating an Acunetix CSV target list from https links:

```bash
# each output line becomes: "https://host", " "
for i in $(cat domain.com_https_subdomain.txt); do echo \"$i\", \" \"; done > domain.com_acunetix.csv
```
- Afrog

```bash
afrog -T domain.com_httpsubs.txt
```
- OWASP Nettacker
- Wapiti [Linux]
- RCE: Commix
- Cross-Site Scripting: XSStrike, XSScrapy
- File inclusion: LFIMap, liffy
- Fileupload: fuxploider
- CORS: Corsy
- CRLF Injection: crlfuzz
- GraphQL: batchql by assetnote, INQL Scanner Burpsuite Extension or INQL Script
- 403 bypass: bypass-403 by iamj0ker, 403bypasser by yunemse48, 4-ZERO-3 by Dheerajmadhukar or 403 Bypasser Burpsuite Extension
- GF Pattern Commands: Gf-Patterns
- Burp extensions from the BApp store or elsewhere: Turbo Intruder and many others, see https://github.com/snoopysecurity/awesome-burp-extensions
- Burp BChecks: BChecks Collection, PortSwigger BChecks, Custom BChecks etc