hacknotes

This note is written to Solve Web Application CTFs, Bug Bounty or Web App Penetration Testing.

Check my Bug Bounty Hunting Methodology to learn some bonus.

You can use my script Hackify to install tools and wordlist on your linux system.

Content

• Installing Tools and Wordlists
• Finding Targets
• Recon
  • Basic Recon
  • Subdomain Enumeration
  • Cloudflare Bypass
  • Directory Busting
  • Crawling
  • Parameter Fuzzing
  • Common File Checks
  • Banner Grabbing
  • Known Vulnerablity in Software or Services
• Scanning
  • CMS Test
  • Dorking
  • Automated Scan
  • One Liners
• Manual Testing
  • Manual Methods

Installing Tools and Wordlists

• HackiFy should be used to install important tools and wordlists.

    git clone https://github.com/ZishanAdThandar/hackify.git
    cd hackify
    chmod +x hackify.sh; bash hackify.sh # tools
    chmod +x wordlist.sh; bash wordlist.sh # wordlist
  

• Top tools list: Remaining tools can be installed manually.

  Finding Targets

• h1asset by adysec, h1domains by zricethezav, Inventory by Trickest, bounty-targets-data by arkadiyt, bug-bounty-recon-dataset by inth3wild
• Google dork https://github.com/sushiwushi/bug-bounty-dorks/blob/master/dorks.txt
• Bug Bounty Hunting Platforms
• https://github.com/projectdiscovery/public-bugbounty-programs For Downloading subdomains of all programs https://chaos.projectdiscovery.io/
• Find New Acquisitions by target companies https://index.co/company/COMPANY/acquirees. Example: https://index.co/company/google/acquirees

• Reverse IP to wider scope in case of red teaming Hacker Target, ViewDNS.info and SecurityTrails Account Needed.

  Recon

  Basic Recon

• dig dig axfr @<ip_address> target.tld
• nslookup, host, dnsenum, fierce, dnsrecon
• whois target.tld
• theHarvester, FinalRecon, Recon-ng, SpiderFoot or OSINT Framework

Subdomain Enumeration

• Gobuster gobuster vhost -u http://monitorsthree.htb --append-domain -w /opt/wordlists/SecLists/Discovery/DNS/namelist.txt -r
• ffuf ffuf -w /opt/wordlists/SecLists/Discovery/DNS/dns-Jhaddix.txt:FUZZ -fw 18 -mc all -ac -u http://domain.tld -H 'Host: FUZZ.domain.tld' [For vpn file and ctf]
• ffuf ffuf -w /opt/wordlists/SecLists/Discovery/DNS/dns-Jhaddix.txt:FUZZ -fw 18 -mc all -ac -u http://FUZZ.domain.tld [For Real World]
• subauto [Use Hackify to install subauto] subauto domain.tld [Very useful for real world subdomain enumeration.]

Cloudflare Bypass

• SecurityTrails, ViewDNS.info: For DNS history and records.
• dnsdumpster.com
• Shodan, Censys: For Internet device searches.
• Google, Bing: For cached search engine results.
• crt.sh, Censys, CertDB: For certificate transparency logs.
• dig: To find DNS misconfigeration ip leak.

Directory Busting

• Recursive directory busting ffuf -w /opt/wordlists/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -ic -recursion -recursion-depth 3 -u https://target.com/FUZZ
• Directoryffuf -w /opt/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -u https://target.com/FUZZ/
• dirsearch dirsearch -e php,html,txt -t 50 -u http://domain.tld/
• Files ffuf -w /opt/wordlists/SecLists/Discovery/Web-Content/raft-large-files.txt -u https://target.com/FUZZ/
• feroxbuster -w /opt/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -u http://target.tld/

Crawling

• LinkFinder by GerbenJavado
• ReconSpider.py domain.tld

Parameter Fuzzing

• arjun -u target.tlf=d
• Burpsuite plugin parmafinder++
• webarchive https://web.archive.org/cdx/search/cdx?url=*.domanin.tld&fl=original&collapse=urlkey
• x8 Paramter Discovery
• ffuf

Common file checks

• robots.txt, secrets.txt, .well-known/security.txt, /.well-known/change-password, .well-known/openid-configuration, .well-known/assetlinks.json, .well-known/mta-sts.txt etc file could reveal sensetive informations
• use dirb to find common files. dirb http://target.tld
• Check source code for any sensetive information leak

Banner Grabbing

• Wappalyzer, Builtwith
• WhatWeb, nmap, Netcraft
• wafw00f domain.tld
• nikto -h domain.tld -Tuning b
• curl -I domain.tld

Known Vulnerablity in Software or Services

• Searching on Google
• Using searchsploit
• shodan
• censys
• We can also utilize online exploit databases to search for vulnerabilities, like Exploit DB, Rapid7 DB, or Vulnerability Lab.

---

Scanning

CMS Test

• wpscan wpscan --url https://domain.tld/wordpress-blog/ -e u,ap --api-token=<API_TOKEN> Check https://wpscan.com/profile for api token.
• Search for other CMS Scanner and use them on particular CMS
• Known CVE: Check outdated or vulnerable version for any service or software using exploitdb and google.

Dorking

• DorkScout: Golang tool to automate google dork scan against the entiere internet or specific targets.
• pagodo (Passive Google Dork)
• FGDS curl https://raw.githubusercontent.com/IvanGlinkin/Fast-Google-Dorks-Scan/master/FGDS.sh -s |bash -s domain.com
• sitedorks by Zarcolio
• git-hound
  • Install git-hound with Hackify or from repo release then which git-hound
  • Login Details: nano /root/go/bin/config.yml Example: https://github.com/tillson/git-hound/blob/main/config.example.yml
  • Entering OTP git-hound --otp-code 1234568
  • git-hound --config-file /root/go/bin/config.yml --subdomain-file subdomains.txt

Automated Scan

• Burp Suite Pro: with different extensions like HUNT by BugCrowd. Bug Bounty Pro could be used.
• nuclei with nuclei-templates or external templates
  • nuclei template install (as root): nuclei -ut
  • nuclei command: nuclei -l httpsubdomain.txt -resume nuclei.txt -nmhe [rate-limit 10/second to avoid error of rapid request, -nmhe to skip error]
• Acunetix Pro
  • Creating Acunetix CSV list from https links for i in $(cat domain.comhttpssubdomain.txt); do echo \"$i\", \" \"; done > domain.comacunetix.csv
• Afrog afrog -T domain.comhttpsubs.txt
• Owasp NetTracker
• Wapiti [Linux]

Exploitation Tools

• RCE: Commix
• Cross Site Scripting: XSStrike, XSSxrapy
• File inclusion: LFIMap, liffy
• Fileupload: fuxploider
• CORS: Corsy
• CRLF Injection: crlfuzz
• GraphQL: batchql by assetnote, INQL Scanner Burpsuite Extension or INQL Script
• 403 bypass: bypass-403 by iamj0ker, 403bypasser by yunemse48, 4-ZERO-3 by Dheerajmadhukar or 403 Bypasser Burpsuite Extension
• GF Pattern Commands: Gf-Patterns

One Liners

• Bug Bounty oneliners by thevillagehacker
• Bug Bounty Hunters oneliners by codelively

---

Manual Testing

• Burp Extenders from BApp store or : Turbo Intruder or many others https://github.com/snoopysecurity/awesome-burp-extensions
• Burp BChecks: BChecks Collection, PortSwigger BChecks, Custom BChecks etc

  Manual Methods

• Login Bypass
• SQL Injection

This site is open source. Improve this page.