Skip to content
/ Markdown-Bug-Bounty-Recon Public

A recon Framework for Bug Bounty Hunters that would convert the output of a script into Markdown syntax document, which would help them to make better notes, have everything in one document, or concentrating on one domain.md document.

10 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Markdown-Bug-Bounty-Recon/Markdown-Bug-Bounty-Recon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

149 Commits
Bug_Bounty_Lab
Bug_Bounty_Lab
 
 
Mobile
Mobile
 
 
Web
Web
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
README.md
README.md
 
 
TODO.md
TODO.md
 
 

Repository files navigation

WORK IN PROGRESS / FOR PERSONAL USE / FOR INSPIRATION TO OTHERS <3

How is this recon framework different from others?

  • Puts every specific-subdomain data to particular folder associated with that subdomain, If you get comfortable with the directory structure then using this script will be a lot easier
  • The concept of this script is to convert all findings into one Markdown report, then you can import this report to Notion, share this file with others and then collaborate easier
  • I want to make it run parallel
  • No Cloud subscription required. I want these script to run locally in the background with 0$

~/.bbrf/config.json

{
  "username": "bbrf",
  "password": "penelope",
  "couchdb": "https://bbrf-server:6984/bbrf",
  "slack_token": "<a slack token to receive notifications>",
  "discord_webhook": "<your discord webhook if you want one>",
  "ignore_ssl_errors": true
}

How to use this framework?

  1. The easiest way is to use my docker container bug-bounty-framework, create the ~/Pentesting directory on the host machine and run the container
  2. Then on the docker container change directory to this ~/Pentesting directory and execute sudo full-web.sh -d ${domain} -u ${USER-EXEC} where ${domain} is your target domain and ${USER-EXEC} is the username home directory name this is important, because otherwise findings would be put in /home/root/ which is not-intented (and I don't know how to remove the necessity of declaring this -u flag other than not executing as root)

For now though I'll present to you what each script does:

full_web.sh

  • Performs full scan, when you look at it you'll see exactly what the framework does and what in which steps it executes other scripts

get-technologies.sh

  • Gets the technologies which the site uses, for now it's only using wappalyzer cli, but there'll be more!

get-subdomains-passively.sh

  • This performs all the subdomain enumeration passively, without active scanning with amass

get-alive-subdomains.sh

  • This script checks, if the addresses from get-subdomains-passively.sh are resolvable, and also performs subdomain brute-forcing - also with amass

get-not-alive-subdomains-ip.sh

  • This script resolves every not_active subdomain to it's ip public ip address

bruting-not-alive-subdomains-ip.sh

  • This will perform brute-forcing on services that the not-alive subdomains run
  • Still in progress

extracting-javascript.sh

  • This will extract javascript from the website, and also search for other sources
  • Still in progress

bruting-alive-subdomains.sh

  • This will brute and test alive subdomains with nuclei
  • Still in progress

markdown_converter.sh

  • This converts the contents of tools-io directory to markdown
  • This breaks a lot, because with every new functionality I need to change this markdown-converter, so It doesn't cover much of the brute-forcing part.
  • The main concept is that It keeps all the findings dynamically updating (new subdomains etc.), but the notes.mdpp is static and only you will be filling its content!

On which topics and subject I'll focus for now?

  • Definetely finding more root domains and subdomain enumeration, also discovering technologies and ways to use that data
  • Also managing scope, detecting the scope of the program, put a massive distinction between passive scanning and active scanning to not make bug-bounty programs angry! D:
  • Being the most accurate, NOT FOLLOWING THE PHILOSOPHY "BRUTE SPRAY AND PRAY"
  • I don't want to focus on brute-forcing mainly, because in the end everyone does that, but someday I'll get down to it

TODO

  • Create separate docker container for this script to run and make it with set cron
  • Include get-technologies.sh output in markdown
  • Implement uploading to imgur via their API
  • Integrate nuclei scanning
  • Record reports by date and check if there're any new findings worth to check out - Can be done with executing sdiff on each file in tools-io/ but also with comparing markdown report
  • Make directory for Notes separate - after all the files in there would be filled the most frequent
  • Also make the possibility to include ignore.txt file to ignore these new findings ( If We want to prevent them from appearing )
  • Make separate shodan script with API key
  • Make basic documentation with docsify
  • Jeez, just get extracting-javascript.sh working!!! With scripthunter and jsmon
  • Redirect unneceseary output to /dev/null in favor of -o flag whenever possible
  • Define out of scope addresses with the help of regex expressions (and grex to generate them)
  • Make it so the any setting performed in docker container with docker attach is persistent when doing a reboot, or store and copy the configs between Host and Container
  • Also have a way to manage $SECRET_TOKENS in a secure and simple manner, probably with env-files while on the Host machine have a bash script/docs on how to assign them
  • Notifications via Slack channel
  • Separate things put in recon and things put on Slack - The markdown report should be source of information - not the source for 'Incident Response'(? xD) when nuclei or ZAP finds anything
  • Implement ZAP with their Automation Framework
  • Backups of the data (Mainly reports)
  • Use EyeWitness
  • After some long time, let's replace markdown with rmarkdown, add sweet charts, visualizations :)
  • Integrate bbrf
    • Make bbrf-server communicate with bug-bounty-framework-web container
    • include bbrf url add - in getting subdomains at the end of the script
    • Abandon the use of subdomain files and rely only on bbrf urls command. Make use of bbrf tags.
  • Experiment with Obsidian plugin creation, etc. :)

About

A recon Framework for Bug Bounty Hunters that would convert the output of a script into Markdown syntax document, which would help them to make better notes, have everything in one document, or concentrating on one domain.md document.

Topics

security bug-bounty bugbounty security-tools

Resources

Readme
Activity
Custom properties

Stars

10 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages