Skip to content
bug bounty hunters starter notes
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
_config.yml
readme.md

readme.md

Books

  1. The web application hacker's handbook
  2. owasp testing guide
  3. web hacking 101
  4. breaking into infromation security
  5. mastering mordern web peneteration testing

Recon

  • ASN's(autonomous system numbers) - (ip ranges , keyword searches)

  • ARIN & RIPE - arin ripe whoislookups all

  • Rev whois - rev

  • shodan - shodan

  • we cannot miss out on burp

  • domlink domlink

  • builtwith - they also has a browser plugin it tells about stack that site is bult on and analytics

    Subdomain scraping enumeration

    subdomain bruteforcing

    • massdns

      ex: .subbrute.py /root/work/bin/all.txt $TARGET.com | ./bin/massdns -r resolvers.txt -t A -a -o -w massdns_output.txt -

    • gobuster

      ex gobuster -m dns -u $TARGET.com -t 100 -w all.txt

    • best dictonary file : all.txt

    • scans.io

    • commonspeak

    Enumeration

    • masscan

      ex: masscan -p1-65535 -iL $TARGET_LIST --max-rate 10000 -oG $TARGET_OUTPUT

    • nmap

    • brutespray

      masscan output => map services scan -oG => brutespray credential bruteforcing.

      ex: python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

    • Eyewitness

    • waybackursls enumeration using wayback

Keeping track of all this

  Xmind organization

xmind.png

Identification and cve searching

Parsing Heavy javascript sites

  • zap Ajax spider - owasp zap
  • [Linkfinder]
  • [jsparser]

Content Discovery

  • Gobuster
  • Burp content discovery
  • Robots disallowed
  • wpscan
  • Seclists / RAFT / Digger wordlists
  • cmsmap
  • custom wordlist

XSS

SSRF

Subdomain Takeover info

Work in progress..

You can’t perform that action at this time.