hacknotes

This note is written to Solve Web Application CTFs, Bug Bounty or Web App Penetration Testing.

Check my Bug Bounty Hunting Methodology to learn some bonus.

You can use my script Hackify to install tools and wordlist on your linux system.

Content

Installing Tools and Wordlists
Finding Targets
Recon
Scanning
Manual Testing
- Manual Methods

Installing Tools and Wordlists

HackiFy should be used to install important tools and wordlists.

  git clone https://github.com/ZishanAdThandar/hackify.git
  cd hackify
  chmod +x hackify.sh; bash hackify.sh # tools
  chmod +x wordlist.sh; bash wordlist.sh # wordlist

Top tools list: Remaining tools can be installed manually.

Finding Targets
h1asset by adysec, h1domains by zricethezav, Inventory by Trickest, bounty-targets-data by arkadiyt, bug-bounty-recon-dataset by inth3wild
Google dork https://github.com/sushiwushi/bug-bounty-dorks/blob/master/dorks.txt
Bug Bounty Hunting Platforms
https://github.com/projectdiscovery/public-bugbounty-programs For Downloading subdomains of all programs https://chaos.projectdiscovery.io/
Find New Acquisitions by target companies https://index.co/company/COMPANY/acquirees. Example: https://index.co/company/google/acquirees
Reverse IP to wider scope in case of red teaming Hacker Target, ViewDNS.info and SecurityTrails Account Needed.

Recon

Basic Recon
dig dig axfr @<ip_address> target.tld
nslookup, host, dnsenum, fierce, dnsrecon
whois target.tld
theHarvester, FinalRecon, Recon-ng, SpiderFoot or OSINT Framework

Subdomain Enumeration

Gobuster gobuster vhost -u http://monitorsthree.htb --append-domain -w /usr/share/seclists/Discovery/DNS/namelist.txt -r
ffuf ffuf -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt:FUZZ -fw 18 -mc all -ac -u http://domain.tld -H 'Host: FUZZ.domain.tld' [For vpn file and ctf]
ffuf ffuf -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt:FUZZ -fw 18 -mc all -ac -u http://FUZZ.domain.tld [For Real World]
subauto [Use Hackify to install subauto] subauto domain.tld [Very useful for real world subdomain enumeration.]

Cloudflare Bypass

SecurityTrails, ViewDNS.info: For DNS history and records.
dnsdumpster.com
Shodan, Censys: For Internet device searches.
Google, Bing: For cached search engine results.
crt.sh, Censys, CertDB: For certificate transparency logs.
dig: To find DNS misconfigeration ip leak.

Directory Busting

Recursive directory busting ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-big.txt -ic -recursion -recursion-depth 3 -u https://target.com/FUZZ
Directoryffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://target.com/FUZZ/
dirsearch dirsearch -e php,html,txt -t 50 -u http://domain.tld/
Files ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u https://target.com/FUZZ/
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://target.tld/

Crawling

LinkFinder by GerbenJavado
ReconSpider.py domain.tld

Parameter Fuzzing

arjun -u target.tlf=d
Burpsuite plugin parmafinder++
webarchive https://web.archive.org/cdx/search/cdx?url=*.domanin.tld&fl=original&collapse=urlkey
x8 Paramter Discovery
ffuf

Common file checks

robots.txt, secrets.txt, .well-known/security.txt, /.well-known/change-password, .well-known/openid-configuration, .well-known/assetlinks.json, .well-known/mta-sts.txt etc file could reveal sensetive informations
use dirb to find common files. dirb http://target.tld
Check source code for any sensetive information leak

Wappalyzer, Builtwith
WhatWeb, nmap, Netcraft
wafw00f domain.tld
nikto -h domain.tld -Tuning b
curl -I domain.tld

Known Vulnerablity in Software or Services

Searching on Google
Using searchsploit
shodan
censys
We can also utilize online exploit databases to search for vulnerabilities, like Exploit DB, Rapid7 DB, or Vulnerability Lab.

Scanning

CMS Test

wpscan wpscan --url https://domain.tld/wordpress-blog/ -e u,ap --api-token=<API_TOKEN> Check https://wpscan.com/profile for api token.
Search for other CMS Scanner and use them on particular CMS
Known CVE: Check outdated or vulnerable version for any service or software using exploitdb and google.

Dorking

DorkScout: Golang tool to automate google dork scan against the entiere internet or specific targets.
pagodo (Passive Google Dork)
FGDS curl https://raw.githubusercontent.com/IvanGlinkin/Fast-Google-Dorks-Scan/master/FGDS.sh -s |bash -s domain.com
sitedorks by Zarcolio
git-hound
- Install git-hound with Hackify or from repo release then which git-hound
- Login Details: nano /root/go/bin/config.yml Example: https://github.com/tillson/git-hound/blob/main/config.example.yml
- Entering OTP git-hound --otp-code 1234568
- git-hound --config-file /root/go/bin/config.yml --subdomain-file subdomains.txt

Automated Scan

Burp Suite Pro: with different extensions like HUNT by BugCrowd. Bug Bounty Pro could be used.
nuclei with nuclei-templates or external templates
- nuclei template install (as root): nuclei -ut
- nuclei command: nuclei -l httpsubdomain.txt -resume nuclei.txt -nmhe [rate-limit 10/second to avoid error of rapid request, -nmhe to skip error]
Acunetix Pro
- Creating Acunetix CSV list from https links for i in $(cat domain.comhttpssubdomain.txt); do echo \"$i\", \" \"; done > domain.comacunetix.csv
Afrog afrog -T domain.comhttpsubs.txt
Owasp NetTracker
Wapiti [Linux]

Exploitation Tools

RCE: Commix
Cross Site Scripting: XSStrike, XSSxrapy
File inclusion: LFIMap, liffy
Fileupload: fuxploider
CORS: Corsy
CRLF Injection: crlfuzz
GraphQL: batchql by assetnote, INQL Scanner Burpsuite Extension or INQL Script
403 bypass: bypass-403 by iamj0ker, 403bypasser by yunemse48, 4-ZERO-3 by Dheerajmadhukar or 403 Bypasser Burpsuite Extension
GF Pattern Commands: Gf-Patterns

One Liners

Manual Testing

Burp Extenders from BApp store or : Turbo Intruder or many others https://github.com/snoopysecurity/awesome-burp-extensions
Burp BChecks: BChecks Collection, PortSwigger BChecks, Custom BChecks etc
Manual Methods
Login Bypass
SQL Injection

This site is open source. Improve this page.