prosecurity/bugbounty-starter-notes

bug bounty hunters starter notes

Books

The web application hacker's handbook
owasp testing guide
web hacking 101
breaking into infromation security
mastering mordern web peneteration testing

Recon

ASN's(autonomous system numbers) - (ip ranges , keyword searches)
ARIN & RIPE - arin ripe whoislookups all
Rev whois - rev
shodan - shodan
we cannot miss out on burp
domlink domlink
builtwith - they also has a browser plugin it tells about stack that site is bult on and analytics

Subdomain scraping enumeration
- google dorks
- robtex
- waybackmachine
- sublist3r
- Amass
- subfinder
- Cloudflare Enumeration Tool
subdomain bruteforcing
- massdns
  
  ex: .subbrute.py /root/work/bin/all.txt $TARGET.com | ./bin/massdns -r resolvers.txt -t A -a -o -w massdns_output.txt -
- gobuster
  
  ex gobuster -m dns -u $TARGET.com -t 100 -w all.txt
- best dictonary file : all.txt
- scans.io
- commonspeak
Enumeration
- masscan
  
  ex: masscan -p1-65535 -iL $TARGET_LIST --max-rate 10000 -oG $TARGET_OUTPUT
- nmap
- brutespray
  
  masscan output => map services scan -oG => brutespray credential bruteforcing.
  
  ex: python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5
- Eyewitness
- waybackursls enumeration using wayback

Keeping track of all this

  Xmind organization

Identification and cve searching

buldwith
retire.js
burp-vulners-scanner
wappanalyzer

Parsing Heavy javascript sites

zap Ajax spider - owasp zap
[Linkfinder]
[jsparser]

Content Discovery

Gobuster
Burp content discovery
Robots disallowed
wpscan
Seclists / RAFT / Digger wordlists
cmsmap
custom wordlist

XSS

blind xss frameworks
- bXSS
- ezXSS
- XSS hunter
- KnoXSS
- Sleepy Puppy
XSS polyglot *
XSS Mindmap

SSRF

for testing in cloud https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
SSRFmap
Gopherus

Subdomain Takeover info

Work in progress..