Many websites, organizations, and software developers provide bug bounty
programs as a way for people to be recognized and paid for reporting bugs,
particularly those that relate to security exploits and vulnerabilities.
Burp Suite
For many researchers, Burp Suite is the gold standard proxy. It lets you
intercept, modify, and replay requests on the fly, and install extensions
(BApps) to automate the tedious parts. The Professional Edition mainly makes
the process easier: more extensions are available, and you get the Burp
Collaborator client, which detects out-of-band interactions (DNS or HTTP
callbacks) that the target makes as a result of your payloads.
Discovering Subdomains & Content - AMASS (https://github.com/OWASP/Amass)
It is overall the most thorough tool for discovering subdomains: it draws on
the largest set of data sources, mixes passive and active techniques, and
will even generate alterations of the subdomains it discovers. Note that
-active and -brute send traffic to the target's name servers, so only use
them against domains that are in scope. Command:
amass enum -brute -active -d domain.com -o amass-output.txt
HTTPROBE
To find which of the discovered hosts actually answer on HTTP or HTTPS, use
httprobe by TomNomNom (https://github.com/tomnomnom/httprobe). By default it
probes ports 80 and 443; extra ports are added with the -p flag and -c sets
the number of concurrent probes:
cat amass-output.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 50 | tee online-domains.txt
ANEW
To find new domains. If you already have a list of domains from an earlier
run and want to know which ones are new, anew by TomNomNom
(https://github.com/tomnomnom/anew) fits the pipeline nicely: it appends the
lines that are not already in the old file and prints only those new lines
to stdout, so they can go straight into httprobe, for example:
cat new-output.txt | anew old-output.txt | httprobe
DNSGEN - Low-hanging fruits
To find some easy wins, dnsgen by Patrik Hudak
(https://github.com/ProjectAnte/dnsgen) works brilliantly: it generates
permutations of the names you have already found (word insertions, number
changes and similar alterations), and httprobe then checks which of them
resolve and answer:
cat amass-output.txt | dnsgen - | httprobe
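The two ideas in the anew and dnsgen steps above, as an added example that is not part of the original post and not the code of either tool: a simplified alteration generator (prefix, suffix, new label and number bump on the left-most label, a much smaller set than dnsgen produces) and an anew-style filter that keeps only candidates absent from an earlier run's output. The discovered-subdomain list, word list and "previous run" lines are constructed for the demonstration, and the code assumes a two-label apex such as example.com.

```python
"""Alteration generator plus "only the new ones" filter, written to show how
the dnsgen -> httprobe and anew -> httprobe steps work. Added example, not
dnsgen's or anew's own code; all inputs are constructed."""
import re

# Constructed sample: what a first amass run might have found for a target.
DISCOVERED = [
    "www.example.com",
    "api.example.com",
    "dev-api.example.com",
    "staging1.example.com",
]

# Constructed: a tiny alteration word list (dnsgen ships a much larger one).
WORDS = ["dev", "staging", "test", "admin"]

# Constructed: contents of an online-domains.txt saved from an earlier run.
PREVIOUS_RUN = [
    "www.example.com",
    "api.example.com",
    "dev-www.example.com",
]

_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def permutations(subdomains, words):
    """Generate altered candidates from known subdomains.

    Only the left-most label is altered (assumption: that is where
    environment or role words usually live). For every word w and label lbl
    the function emits 'w-lbl', 'lbl-w' and a new level 'w.lbl'; if lbl ends
    in a number it also emits that number incremented by one
    (staging1 -> staging2). Names already in the input are not returned.
    """
    known = set(subdomains)
    out = set()
    for name in subdomains:
        # Skip the registered domain itself (assumes a two-label apex).
        if name.count(".") < 2:
            continue
        lbl, _, rest = name.partition(".")
        for w in words:
            out.add(f"{w}-{lbl}.{rest}")
            out.add(f"{lbl}-{w}.{rest}")
            out.add(f"{w}.{lbl}.{rest}")
        m = _TRAILING_NUMBER.match(lbl)
        if m:
            stem, num = m.groups()
            out.add(f"{stem}{int(num) + 1}.{rest}")
    return sorted(out - known)


def new_only(candidates, previous_lines):
    """anew-style diff: keep only candidates absent from an earlier run's
    output, so a re-run probes just what changed."""
    seen = {line.strip() for line in previous_lines if line.strip()}
    return [c for c in candidates if c not in seen]


if __name__ == "__main__":
    cands = permutations(DISCOVERED, WORDS)
    fresh = new_only(cands, PREVIOUS_RUN)
    print(f"{len(cands)} candidates, {len(fresh)} not seen before")
    for host in fresh:
        print(host)  # this is the list you would pipe into httprobe
```

Nothing here resolves or probes anything; the output is a candidate list, and it is httprobe (or a resolver such as massdns) that tells you which names are real. That is also why the anew-style filter is worth keeping in the pipeline: alteration output grows multiplicatively with the word list, and re-probing everything on every run wastes both your time and the target's goodwill.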
AQUATONE
It is a good idea to do a visual inspection of everything that is online.
Aquatone (https://github.com/michenriksen/aquatone) is a great tool for this,
but most people don't realise that it accepts URLs to endpoints and files as
well as bare domains, so it can be worth gathering everything first and then
feeding it all to aquatone to screenshot.
FFUF
To discover files and directories, FFuF (https://github.com/ffuf/ffuf) is by
far the fastest and most customizable tool. It is worth reading all of the
documentation, but for basic usage:
ffuf -ac -v -u https://domain/FUZZ -w wordlist.txt
The -ac flag auto-calibrates the response filters, so "soft 404" pages that
return 200 for everything are dropped instead of flooding the results.
Wordlist
Daniel Miessler's "SecLists" (https://github.com/danielmiessler/SecLists/)
contains wordlists for every type of scanning you want to do: directories,
files, parameters, subdomains, usernames and more. Grab a list that matches
the technology you have identified and start scanning to see what you can
find.
JS endpoint discovery
ParamScanner – A custom tool that scrapes each discovered endpoint and
searches for input names, IDs, and JavaScript parameters. The script looks
for <input> elements, scrapes their name and id attributes, and then tries
each one as a parameter. It also searches for var {name} = "" declarations
to identify parameters that are referenced in JavaScript.
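The approach described for ParamScanner, as an added example that is not the author's tool (which is not published on the page) and is written from the description alone: parse the HTML for <input> name and id attributes, pull variable declarations out of inline JavaScript, and turn the union into candidate query parameters carrying a marker value. It goes slightly beyond the post's var {name} = "" pattern by also accepting let/const and any initializer. The sample page, the base URL and the "canary" marker are constructed for the demonstration.

```python
"""Candidate-parameter discovery from a fetched page. Added example written
from the post's description of ParamScanner, not the author's code; the
sample HTML and URL below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample page: a search form plus some inline JavaScript.
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get">
  <input type="text" name="q" id="searchBox">
  <input type="hidden" name="redirect" value="/home">
  <input type="submit" value="Go">
</form>
<script>
  var debug = "";
  var userId = "";
  let  token = '';
  var count = 0;   // not an empty-string assignment, still a useful hint
  function f(cb) { return cb; }
</script>
</body></html>
"""

# var/let/const followed by an identifier and '=' (broader than var x = "").
_JS_VAR = re.compile(r"\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=")


class _InputCollector(HTMLParser):
    """Collect <input> name/id values and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.names = set()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attr = dict(attrs)
            for key in ("name", "id"):
                if attr.get(key):  # skip inputs without name/id (submit button)
                    self.names.add(attr[key])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def extract_parameters(html):
    """Return the sorted set of candidate parameter names found in the page."""
    parser = _InputCollector()
    parser.feed(html)
    parser.close()
    names = set(parser.names)
    names.update(_JS_VAR.findall("\n".join(parser.scripts)))
    return sorted(names)


def probe_urls(base_url, params, marker="canary"):
    """Build one URL per candidate, each carrying a recognisable marker value
    so a reflection or a change in behaviour can be spotted in the response."""
    sep = "&" if "?" in base_url else "?"
    return [f"{base_url}{sep}{urlencode({p: marker})}" for p in params]


if __name__ == "__main__":
    params = extract_parameters(SAMPLE_HTML)
    print("candidate parameters:", params)
    for url in probe_urls("https://example.com/search", params):
        print(url)  # feed these to Burp Repeater, ffuf or a diffing script
```

In practice the fetch step goes in front of extract_parameters (for example requests.get on each host from online-domains.txt), and the interesting follow-up is comparing each probe response against a baseline request: a reflected marker, a different status code or a different body length is what makes a candidate worth a closer look in Burp.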
Waybackurls
Waybackurls (https://github.com/tomnomnom/waybackurls) gives the same kind
of output as a web crawler without touching the target: the tool accepts
line-delimited domains on stdin, fetches the URLs the Wayback Machine has
archived for *.domain, and outputs them on stdout. Many of those URLs will
be stale, but they often expose old endpoints and parameter names that no
current crawl would find.
Dirsearch
Dirsearch is a widely used free and open-source tool for brute-forcing
directories and files on websites. It is multithreaded, uses keep-alive
connections, supports many extensions, exports reports as plain text or
JSON, works through an HTTP proxy, randomizes the User-Agent, and has many
other features. You can also brute-force with a custom wordlist such as one
from SecLists. It is user-friendly, simple to operate, and runs on the three
major operating systems (Windows, macOS, and GNU/Linux). Command (the -e
flag lists the extensions to append to each wordlist entry):
python dirsearch.py -u https://example.com -e html,php,jpeg
Gitrob
Gitrob is a widely used tool for finding sensitive files in public GitHub
repositories. It clones a user's or organization's public repositories,
walks the entire commit history, and flags files that match signatures for
potentially sensitive content such as api_key, access_token, password,
database_name, etc. Searching history matters because a secret that was
committed and later deleted is still present in earlier commits. The tool
is written in Go, so you need a Go toolchain set up on your local machine
to install it. GitHub repo:
https://github.com/michenriksen/gitrob
Google Dork
Google Dorking (see the Google Hacking Database at
https://www.exploit-db.com/google-hacking-database), also known as "Google
Hacking", is the technique of using advanced Google search operators to
uncover security weaknesses in a website. It is quite useful for security
researchers: operators such as site:, inurl:, filetype: and intitle: can
surface usernames, passwords, and other sensitive information that Google's
crawler has already indexed, without sending a single request to the
target.
Shodan
Shodan is a search engine that hackers and security researchers use to
locate Internet-connected devices, including insecure Internet of Things
devices. By querying the engine, you can obtain a host's IP address, web
server details, service banners, ISP, and exposed services such as SSH, FTP,
Telnet, and more, again without scanning the target yourself.
We hope this helps. If you have any suggestions or doubts, add a comment and
we will reply as soon as possible.