Recon utilities for bug hunting

This article was written for educational purposes only. It does not call on anyone to do anything and is provided for information only. The author is not responsible for your actions.
Any hack begins with collecting information about the target. The faster and more thoroughly you collect it, the greater the chance of finding an interesting bug, reporting it first and getting a reward. Unlike pentesting, bug bounty involves hundreds of thousands of people at the same time; services that are in plain sight have been researched far and wide, and it is extremely difficult to find anything there. In this article I will tell you about the tools that help you conduct reconnaissance and gather as much information about the target as possible.

SEARCH FOR SUBDOMAINS
Each subdomain is a potential target, so finding them is one of the first steps of recon. Large companies like IBM or Microsoft use tens of thousands of subdomains, and all of them need to be kept up to date, with software updates and bug fixes applied in a timely manner. As practice shows, some subdomains are simply forgotten or replaced with a stub page, while all the content remains accessible. Critical vulnerabilities like RCE, SSTI, SSRF or XXE are most often found on subdomains: the more of them you find, the wider the attack surface will be. There are a lot of tools for finding them, so I will only consider those that have been battle-tested and have proven effective in various bug bounty programs.

Chaos
Project site

Let's start with the option for the lazy. The Chaos utility collects information about all public programs hosted on well-known bug bounty platforms such as Bugcrowd, HackerOne and Intigriti.

[Screenshot: Chaos]

At the time of this writing, there are 513 programs on the site. The information is constantly updated, so you will always see the latest information.

Searching and sorting by program is very convenient. For example, you can view only those programs that pay rewards for found vulnerabilities or that have many subdomains, or track new programs in order to be the first in and skim the cream. Unlike most recon services, it is free.

Code:
chaos -d uber.com -silent

restaurants.uber.com
testcdn.uber.com
approvalservice.uber.com
zoom-logs.uber.com
eastwood.uber.com
meh.uber.com
webview.uber.com
kiosk-api.uber.com

...

recon.dev
Project site

Another site that will help you collect a lot of useful information about subdomains. Unlike Chaos, recon.dev for free only shows the first 20 search results. You will have to pay for the rest, but the price for the resulting dataset is small.

[Screenshot: recon.dev]

subfinder
Download from GitHub

Subfinder is considered a descendant of sublist3r: the utility also collects subdomain information from many passive online sources such as Baidu, Bing and Censys. For some sources you will need to add API keys to the configuration file ($HOME/.config/subfinder/config.yaml).

Subfinder has a convenient modular architecture and is written in Go, so it is very fast.

[Screenshot: Subfinder]
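Whichever of these sources you use, the output ends up merged into one host list, and that is where sloppy results creep in: the same host in different case or with a trailing dot, wildcard entries from certificates, and lookalike names that contain the target string but belong to someone else's domain. The following script is an added example (not part of the original post, and not code from Chaos or subfinder) that normalises tool output, drops duplicates and keeps only hosts that are genuinely under an in-scope apex. The sample input mixes a few lines from the chaos output above with constructed subfinder lines.

```python
"""Merge subdomain lists from several recon tools and keep only in-scope hosts.

Added example; not part of the original post or of Chaos/subfinder.
"""
import re
from typing import Iterable

# One DNS hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(host: str) -> str:
    """Lower-case, strip whitespace, a trailing dot and a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def is_valid_hostname(host: str) -> bool:
    """Reject empty, over-long or syntactically invalid hostnames."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def in_scope(host: str, scope: Iterable[str]) -> bool:
    """True if host equals an in-scope apex or is a subdomain of it.

    The comparison is on whole DNS labels, so 'uber.com.evil.example' and
    'notuber.com' are rejected even though both contain the string 'uber.com'.
    """
    for apex in scope:
        apex = normalize(apex)
        if host == apex or host.endswith("." + apex):
            return True
    return False


def merge_subdomains(sources: dict, scope: Iterable[str]) -> list:
    """Combine tool outputs ({tool name: raw lines}) into sorted unique in-scope hosts."""
    seen = set()
    for lines in sources.values():
        for raw in lines:
            host = normalize(raw)
            if not host or host.startswith("#"):
                continue
            if is_valid_hostname(host) and in_scope(host, scope):
                seen.add(host)
    return sorted(seen)


# Constructed sample: three lines from the post's chaos output plus made-up
# subfinder lines, including out-of-scope lookalikes that must be dropped.
SAMPLE = {
    "chaos": ["restaurants.uber.com", "testcdn.uber.com", "kiosk-api.uber.com"],
    "subfinder": [
        "TestCDN.uber.com.",      # duplicate differing only in case / trailing dot
        "*.eastwood.uber.com",    # wildcard entry from a certificate
        "uber.com.evil.example",  # out of scope: the apex is evil.example
        "notuber.com",            # out of scope: different apex
        "bad_host.uber.com",      # invalid label (underscore)
    ],
}

if __name__ == "__main__":
    for host in merge_subdomains(SAMPLE, ["uber.com"]):
        print(host)
```

Feed it the raw files from `chaos -d ... -silent` and `subfinder -d ...` and you get one clean list to hand to the later stages; the scope check is the part worth keeping even if you change everything else, because scanning an out-of-scope lookalike is the quickest way to get a report rejected.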

DICTIONARIES
Before starting recon, it is worth stocking up on a pack of good-quality dictionaries. A lot depends on choosing a good one: the more hidden parameters, subdomains, directories and files you collect, the higher the chance of finding a security hole.

You can find a huge number of dictionaries on the Internet, but not all of them are effective. Having done bug bounties for some time and tried different dictionaries along the way, I singled out several very interesting options that have helped me out more than once and let me find places that other bug hunters had not yet reached.

fuzz.txt
Download from GitHub

I always start with fuzz.txt, which contains a list of potentially dangerous files and directories. The dictionary is supplemented with new words almost every month. It runs through quickly, so you can start checking the finds right away while running other, larger lists in parallel. The dictionary contains only 4,842 words, but experience has shown that it is perfect for the initial exploration of a web application.

SecLists
Download from GitHub

SecLists is a whole collection of dictionaries that will be very useful not only for bugbounties, but also for penetration testing. Dictionaries include usernames, passwords, URL parameters, subdomains, web shells, and more. I highly recommend spending a little time exploring the contents of the collection in detail.


Assetnote Wordlists
Project site

Another cool collection of dictionaries for discovering all sorts of content and subdomains. The dictionaries are regenerated on the 28th of every month using commonspeak2 and GitHub Actions.

[Screenshot: Assetnote]

In addition to auto-generated collections, the site also has hand-created dictionaries using Google BigQuery.

Self-generated
Often you have to generate your own dictionaries. Writing a script, of course, will not be difficult, but why reinvent the wheel?

There are many tools for generating dictionaries, but of all of them I use Pydictor. The tool offers a wide range of features to help you create the perfect dictionary for almost any situation. In addition, Pydictor can compare files, count word frequency and combine multiple dictionaries into one.

Let's take an example. Suppose we know that the password is a modified version of the word Password and can contain:
  • @ instead of a;
  • 0 instead of o;
  • one to three digits at the end.

Such a dictionary is generated with the following command:
Code:
./pydictor.py --conf '[P[a,@]{1,1}<none>ssw[o,0]{1,1}<none>rd[0-9]{1,3}<none>' --output /home/kali/Desktop/pydict

Here <none> means that the utility does not need to apply any additional transformation to the generated combination.
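To make the rule above concrete, here is an added example (not part of the original post and not Pydictor's code) that expands the same pattern in plain Python. The mini pattern grammar it parses, literal characters, [x,y] for alternatives, [x-y] for a range and {m,n} for a repeat count, is my own and is only a stand-in for Pydictor's --conf syntax; the useful part is that it also counts the candidates before materialising them, so you can see how quickly such rules grow.

```python
"""Expand a password pattern into every candidate it describes, the job the
Pydictor --conf rule in the post does for 'Password' with a/@, o/0 and one to
three trailing digits. Added example, not Pydictor's code; the pattern grammar
below is this example's own, not Pydictor's --conf syntax."""
import itertools
import re

# A pattern is a sequence of: a literal character, '[x,y]' (one of the listed
# alternatives) or '[x-y]' (a character range), optionally followed by {m,n}
# to repeat the bracketed class between m and n times.
_TOKEN = re.compile(r"\[([^\]]*)\](?:\{(\d+),(\d+)\})?|([^\[\]{}])")


def parse_pattern(pattern: str) -> list:
    """Return one list of alternatives per position of the pattern."""
    segments = []
    pos = 0
    for m in _TOKEN.finditer(pattern):
        if m.start() != pos:
            raise ValueError(f"unparsable pattern near offset {pos}: {pattern!r}")
        pos = m.end()
        body, lo, hi, literal = m.groups()
        if literal is not None:
            segments.append([literal])
            continue
        rng = re.fullmatch(r"(.)-(.)", body)
        if rng:
            chars = [chr(c) for c in range(ord(rng.group(1)), ord(rng.group(2)) + 1)]
        else:
            chars = body.split(",")
        lo_n, hi_n = (int(lo), int(hi)) if lo else (1, 1)
        segments.append(
            ["".join(p) for n in range(lo_n, hi_n + 1)
             for p in itertools.product(chars, repeat=n)]
        )
    if pos != len(pattern):
        raise ValueError(f"unparsable pattern near offset {pos}: {pattern!r}")
    return segments


def count_candidates(pattern: str) -> int:
    """Size of the wordlist without materialising it (product of segment sizes)."""
    total = 1
    for seg in parse_pattern(pattern):
        total *= len(seg)
    return total


def generate(pattern: str) -> list:
    """Materialise the full wordlist in a stable order."""
    return ["".join(parts) for parts in itertools.product(*parse_pattern(pattern))]


# The post's rule (P, a/@, ssw, o/0, rd, 1-3 digits) written in this grammar.
PASSWORD_RULE = "P[a,@]ssw[o,0]rd[0-9]{1,3}"

if __name__ == "__main__":
    words = generate(PASSWORD_RULE)
    print(f"{len(words)} candidates, from {words[0]} to {words[-1]}")
```

For this rule the count is 2 x 2 x (10 + 100 + 1000) = 4,440 words, which is small; adding one more substitution class or one more digit position multiplies it, so check count_candidates() before writing a list to disk.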

[Screenshot: Pydictor]

At the end, Pydictor displays a short summary of the generation process. Not critical information, but it shows the developer's attention to detail.

PORT SCANNERS
Going through all the ports in search of something interesting is a good habit in bug bounty work. If you can find an application that no one has explored before, even better! At the same time, do not forget that even seemingly harmless ports can hide something unexpected. For example, I found an HTTP service on port 22: you can't even open it in a browser, only with curl or wget!

If the scope is not particularly large, Nmap, which needs no introduction, is fine for scanning. But what if there are a lot of hosts? Although Nmap is a powerful tool, it has a significant drawback: it is slow. An alternative, though not a competitor, is masscan: it is fast, but not as functional as Nmap. To make port scanning really fast and efficient, you can use both scanners together. How? I will show you now!

MassMap
Download from GitHub

MassMap allows you to scan a large number of IP addresses with the speed of masscan and the thoroughness of Nmap. MassMap is written in Bash, so you don't have to compile anything to use it.

Before starting the scan, the script will check the availability of everything necessary for work, and if something is missing, it will automatically install it.

The algorithm is simple: first, masscan scans all 65,535 TCP ports on the supplied list of IP addresses. After that, Nmap goes through the open ports that were found (including running NSE scripts) and produces extended information for each one. The result can be saved in a readable format.
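The glue between the two stages is the part people usually get wrong: collapsing masscan's duplicate lines and handing Nmap only the ports that were actually found open for each host. The script below is an added example (not MassMap's own script, which is Bash) that parses masscan's list output into a host-to-ports map and builds one Nmap command per host; the masscan lines are constructed, and the Nmap commands are returned as strings rather than executed so it runs offline.

```python
"""Turn masscan's list output into per-host Nmap jobs, the two-stage flow the
post describes for MassMap: masscan sweeps all ports fast, Nmap then looks
closely at only the ports that were found open. Added example, not MassMap's
own script; the masscan lines below are constructed and the Nmap commands are
built as strings rather than executed."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample in masscan's -oL ("list") format:
#   open <proto> <port> <ip> <timestamp>
SAMPLE_MASSCAN_LIST = """\
#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 22 203.0.113.10 1700000001
open tcp 8080 203.0.113.11 1700000002
open tcp 443 203.0.113.10 1700000003
open udp 53 203.0.113.12 1700000004
# end
"""


def parse_masscan_list(text: str) -> dict:
    """Return {ip: sorted open TCP ports}.

    Repeated lines are collapsed (masscan can report the same port more than
    once) and non-TCP entries are skipped because the Nmap stage below is a
    TCP scan. Comment lines never have four fields, so they fall through.
    """
    ports = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "open" or fields[1] != "tcp":
            continue
        ipaddress.ip_address(fields[3])  # raises ValueError on a malformed address
        ports[fields[3]].add(int(fields[2]))
    return {ip: sorted(p) for ip, p in ports.items()}


def build_nmap_jobs(open_ports: dict, out_dir: str = "scan") -> list:
    """One Nmap command line per host, limited to the ports masscan found.

    -Pn skips host discovery (masscan already showed the host answers),
    -sV/-sC add service versions and the default NSE scripts, and -oA writes
    normal, greppable and XML output with the host address as the base name.
    """
    jobs = []
    for ip in sorted(open_ports, key=ipaddress.ip_address):
        port_list = ",".join(str(p) for p in open_ports[ip])
        cmd = ["nmap", "-Pn", "-sV", "-sC", "-p", port_list,
               "-oA", f"{out_dir}/{ip}", ip]
        jobs.append(shlex.join(cmd))
    return jobs


if __name__ == "__main__":
    for job in build_nmap_jobs(parse_masscan_list(SAMPLE_MASSCAN_LIST)):
        print(job)
```

Run masscan with -oL, feed the file to parse_masscan_list(), and pass each job to a process pool or GNU parallel; because every Nmap invocation only touches a handful of ports, the slow stage stays short no matter how large the address list was.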

[Screenshot: MassMap]

[Screenshot: Results page]

Since the script is really just a wrapper around the two scanners, you can change any parameters or add tools of your own; in short, build on it and improve it however you like!