Md Saikat 0xh7ml

0xh7ml / token_spray_automation.sh
Created November 11, 2021 06:12 — forked from aufzayed/token_spray_automation.sh
search for leaked data (tokens, secrets) in JavaScript files and validate them with nuclei token spray
# requirements:
# gf -> https://github.com/tomnomnom/gf
# gf patterns to find leaked tokens and secrets -> https://github.com/emadshanab/Gf-Patterns-Collection
# subjs -> https://github.com/lc/subjs
# gau -> https://github.com/lc/gau
# nuclei -> https://github.com/projectdiscovery/nuclei
# hakcheckurl -> https://github.com/hakluke/hakcheckurl
# note: before you run the script, edit your gf patterns and remove all grep 'H' and 'n' flag and add the 'h' flag
0xh7ml / JavascriptRecon.md
Created November 4, 2021 18:43
My Javascript Recon Process - BugBounty

Description

This is a simple guide to performing JavaScript recon in bug bounty.

Steps

  • The first step is to collect as many JavaScript files as possible (more files = more paths, parameters -> more vulns)
0xh7ml / all.txt
Created September 18, 2021 18:07 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
.
..
........
@
*
*.*
*.*.*
🐎
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs
from urllib.parse import urljoin


def js(domain):
    # Reuse one session with a browser-like User-Agent
    session = requests.Session()
    session.headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
    # Fetch the page and parse its HTML
    html = session.get(domain).content
    soup = bs(html, "html.parser")

Keybase proof

I hereby claim:

  • I am 0xh7ml on github.
  • I am 0xsasuke (https://keybase.io/0xsasuke) on keybase.
  • I have a public key ASCn_XJwTD3ILHr_j5XvOWzpyj4Wmt2LLtn2FkfmhdxElAo

To claim this, I am signing this object:

0xh7ml / GoldDigger
Created September 15, 2020 12:00 — forked from j3rrykh4n/GoldDigger
Look for Hole and dig everything ~_~
Technology
Subdomain Enumeration:
# Basic usage
subfinder -d example.com > example.com.subs
# Recursive
subfinder -d example.com -recursive -silent -t 200 -v -o example.com.subs
scan target for pentest
nmap -PN -n -A -sS -p- -oN output.nmap <IP>
-Pn : no ping check (host is up)
-n : no DNS resolution
-A : detect system info
-sT : TCP connect [leaves traces in server logs] (less impactful than -sS SYN, which leaves no trace in the logs by default)
-p- : ports 0-65535
-oN output.nmap : write output to file
add a UDP scan in parallel with -sU (DNS, IPsec ...)