Skip to main content

Bug Bounty Path

This is a start on documenting my process. The goal is automation....maybe.

Mitre ATT&CK: Recon

Reconnaissance consists of techniques that involve adversaries actively or passively gathering in...

Active Scanning

Consists of

Active Scanning Scanning IP Blocks Vulnerability Scanning Wordlist Scanning Gather ...

Gathering Host Information

Gather Identity Information

Gather Network Information

Gather Org Information

Open Technical Infomation

References

https://attack.mitre.org/ https://attack.mitre.org/tactics/TA0043/    

Technical OSINT Tools

Open-source intelligence (OSINT) is the collection and analysis of data gathered from open source...

What is OSINT?

  OSINT stands for open source intelligence. The “open source” part refers to publicly available...

Tools

OSINT Shodan Maltego Google Dorks Recon-ng Ahmia.fi Wayback Machine theHarvester TinEye...

Shodan

Shodan is a search engine of publically accessible(/discoverable) network devices on the internet...

Huntr

https://huntr.dev/ We fund open source security. We pay security researchers for finding vulner...

HackerOne

https://hackerone.com/bug-bounty-programs Bug Bounty Programs Bug bounty programs offer monetar...

Maltego

https://www.maltego.com/ Maltego is an open source intelligence and graphical link analysis tool...

Recon-ng Framework

https://github.com/lanmaster53/recon-ng Recon-ng is a full-featured reconnaissance framework des...

Ahmia.fi

Tor search engine out of scope for this round

Wayback Machine

theHarvester

https://github.com/laramies/theHarvester theHarvester is a simple to use, yet powerful tool desi...

TinEye

https://tineye.com/ for researching images online. If you have an image on your local device, yo...

OSINT Framework

https://osintframework.com/ OSINT framework focused on gathering information from free tools or ...

Find Subdomains

DNS, HackerOne, Fuzzing, and the like....

FFUF Tool

  https://github.com/ffuf/ffuf ffuf - Fuzz Faster U Fool A fast web fuzzer written in Go. I...

Lepus Tool

Lepus is a tool for enumerating subdomains, checking for subdomain takeovers and perform port sca...

tomnomnom tools in Rengine

https://github.com/tomnomnom/gf The examples are GREAT!!!!!! gf A wrapper around grep to avo...

theFuzz (formerly known as fuzzywuzzy)

https://github.com/seatgeek/thefuzz TheFuzz Fuzzy string matching like a boss. It uses Levensht...

Name Service Takeover

Look for takeover

Lepus

Subdomain Takeover Lepus has a list of signatures in order to identify if a domain can be taken ...

CNAME Records

Wayback for URLS

End Point Discovery

Port Scanning

nmap, MassScan

NMAP

Nmap is short for “Network Mapper” and was originally released in September 1997 by Gordon Lyon...

MASSCAN: Mass IP port scanner

Git hub project  https://github.com/robertdavidgraham/masscan Overview This is an Internet-scal...

Naabu (in Rengine)

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in...

GitHub Recon

What is it and how do you do it?

Rengine

reNgine is a web application reconnaissance suite with focus on a highly configurable streamlined...

WebApps Opportunities

Focus on Web Applications Vulnerabilities

Cross-origin resource sharing (CORS)

Cross-origin resource sharing (CORS)  Cross-origin resource sharing (CORS) is a browser mechan...

Password Reset Vulnerability

Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into...

SNMP and HOST Header Injection

    How to Test Initial testing is as simple as supplying another domain (i.e. attacker.com) i...

Clickjacking via IFRAME

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible o...

Access Controls and Parameter Tampering

Burp Proxy Histroy for endpoint discovery

Arjun for hidden end point discovery

CSRF Discovery/Detection

SSRF Parameter Detection/Discovery

XSS and SSTI Discovery/Detection

Rate Limits

Directory Brute-Force

HTTP Request Smuggling

Open Redirect via WaybackURLs

Social-SignOn Bypass

Possible DOS vial multiple Cookies injection

File Upload via CSRF, XSS, SSRF, RCE, LFI, XXE

    HTB https://whitehatlab.eu/en/blog/writeup/hackthebox/machine/linux/doctor/

Buffer Overflow

WebApp Tools

AMASS (in Rengine?)

https://github.com/owasp-amass/amass The OWASP Amass Project performs network mapping of attack ...

Nuclei (in Regine)

https://github.com/projectdiscovery/nuclei Nuclei is used to send requests across targets based ...

GoSpider

https://github.com/jaeles-project/gospider GoSpider GoSpider - Fast web spider written in Go    

gau (get all urls)

https://github.com/lc/gau which replaces Rengine's  https://github.com/bp0lr/gauplus   getallu...

Nikto

https://github.com/sullo/nikto Nikto is an Open Source (GPL) web server scanner which performs c...
Back to top