Skip to content

Instantly share code, notes, and snippets.

@ruevaughn
Last active Oct 8, 2021
Embed
What would you like to do?
Recon portion of my approach to bug bounties. It's a WIP
find . -type f -name "*.body"
find . -type f -name "*.body" | html-tool tags title | vim -
ggrep -Hrni ""
ggrep -hri ""
%! sort -u --version-sort
onaws domain.com
subfinder -d dommain.com | dnsx -req
~ ~ Bug Bounty Recon Pipeline ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
amass enum -d owasp.org
amass db -names -d owasp.org
amass db -summary -d owasp.org
amass db -show -d owasp.org
amass db -names -src -d mytarget.com
amass intel -active -whois -d owasp.org
cat wildcards | assetfinder --subs-only | anew domains
cat wildcards | findomain --stdin --output
cat domains | httprobe -c 80 --prefer-https | anew httprobe.out
cat findomain.out | anew domains | httprobe -c 50 | anew hosts
cat hosts | fff -d 1 -S -o roots
comb <(echo https://some.url) ~/recon/files/short-wordlist.txt | fff -s 200
cat final | rev | cut -d . -f 1-3 | rev | sort -u | tee root.subdomains
waybackurls domain.com
gobuster dir -u <url -w <path-to-wordlist> -x <extension> -k dirscan.txt
gobuster dir -u http://192.168.38.20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir -u https://www.domain.com -w /home/user/bounty/awesome-wordlists/wordlists/discovery/directory_only_one.small.txt --wildcard
nmap -sC -sV -p- 1.1.1.1
nmap -sV -Pn -n 1.1.1.1
nmap 192.168.1.0/24 -p 22 --open
nmap 192.168.254.13 -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt
nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst \
--script-args ssh-brute.timeout=4s <target>
" https://github.com/tijme/angularjs-csti-scanner
acstis -d "https://finnwea.com/some/page/?category=23"
" https://github.com/hahwul/XSpear
xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a
~ ~ Mobile ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
" Frida
frida-ps -U
" SSL Pinning Bypass for Android
frida -U -no-pause --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY
" Objection
https://github.com/sensepost/objection
" MobSF
mobsf.github.io
" get arch version
adb shell getprop ro.product.cpu.abi
" Call Intent / Activity
adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin
adb shell settings put global http_proxy localhost:8082
adb reverse tcp:3333 tcp:8082
adb push ./burp-android-cert.cer /sdcard/Download/
adb push /path/to/frida-server /data/local/
adb shell chmod 777 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server
# Using ADB, call the android exported activity.
adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin
apktool d InsecureBankv2
" recompile .apk
apktool b -f -d InsecureBankv2/
keytool -genkey -v -keystore ctf.keystore -alias ctfKeystore
-keyalg RSA -keysize 2048 -validity 1000
sqlmap http://35.227.24.107/e48623ef7c/login --data "username=a&password=b" --dbms=mysql --dbs
sqlmap http://35.227.24.107/e48623ef7c/login --data "username=a&password=b" --dbms=mysql --dbs -D level2 -T admins --dump
dnsrecon.py -d domain.com
./real_ip_discover.py "site.com" 0.0.0.0/24 "<title>Welcome to site.com"
" Get Ranges
https://www.cloudflare.com/ips-v4
tldr curl
tldr awk
FILE=xss.jpg;socat -v -d -d TCP-LISTEN:80,fork "SYSTEM:/bin/echo 'HTTP/1.1 200 OK';/bin/echo 'Content-Length: '`wc -c<$FILE`;/bin/echo 'Content-Type: image/png';/bin/echo 'Content-Type: text/html';/bin/echo;dd 2>/dev/null<$FILE"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment