Bug bounty recon

Steps

Often, when you have the Shodan browser extension installed, it tells you which vulnerabilities a site might have.

Links: https://security.snyk.io/ https://www.cve.org/

Step 1

subfinder -d example.com >> subdominios.txt
sublist3r -d example.com  >> subdominios.txt
amass enum -d example.com -max-dns-queries 120 >> subdominios.txt
amass enum -passive -d example.com >> subdominios.txt
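
The four commands above append to the same file, so the merged list can contain duplicates in different casing, wildcard entries, status lines and hosts outside the program's scope. The following is an added example (not part of the original notes) that normalises, scope-filters and deduplicates such a list before anything is probed; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: clean the merged Step 1 output and keep only in-scope hosts.

# clean_subdomains SCOPE_DOMAIN < raw_list
# Prints unique, lower-cased hostnames equal to SCOPE_DOMAIN or ending in
# ".SCOPE_DOMAIN". Anything that is not a bare hostname is dropped.
clean_subdomains() {
    scope=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr '[:upper:]' '[:lower:]' | tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |
    LC_ALL=C awk -v scope="$scope" '
        BEGIN { suffix = "." scope }
        # Skip banners, status lines and anything else that is not a hostname.
        $0 !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/ { next }
        # The apex domain itself is in scope.
        $0 == scope { print; next }
        # A true subdomain must end in ".scope"; "notexample.com" must not pass.
        length($0) > length(suffix) &&
            substr($0, length($0) - length(suffix) + 1) == suffix { print }
    ' | LC_ALL=C sort -u
}

# Constructed sample input imitating a merged, unclean subdominios.txt.
sample_raw() {
    cat <<'EOF'
WWW.example.com
www.example.com
*.api.example.com
api.example.com.
  api.example.com
example.com
notexample.com
example.com.evil.net
[-] Enumerating subdomains now for example.com
cdn.partner.net
www.example.com
EOF
}

# Demo run: prints api.example.com, example.com and www.example.com.
sample_raw | clean_subdomains example.com
```

To use it on the real list, pipe the file through the function, for example `clean_subdomains example.com < subdominios.txt`, and feed the result to Step 2.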

Step 2

cat subdominios.txt | httprobe -c 100 >> subdominios2.txt
sort -u subdominios2.txt > subdominios3.txt
httpx -l subdominios3.txt -mc 200 -silent > subdominios4.txt
httpx -l subdominios4.txt -sc -td

Option 2

cat subdominios.txt | httprobe -c 100 >> subdominios2.txt
sort -u subdominios2.txt > subdominios3.txt
cat subdominios3.txt | httprobe -c 100  > hosts_validos.txt
httpx -l hosts_validos.txt -mc 200 -silent > hosts_validos1.txt
httpx -l hosts_validos1.txt -sc -td > hosts_validos2.txt
httpx -l hosts_validos.txt -ports 80,443 -title -status-code -web-server > hosts_abiertos.txt

Step 3

ffuf -w /usr/share/sectlist -u http://example.com/login.php/FUZZ -p 1
ffuf -w /usr/share/sectlist -u http://example.com/FUZZ -fc 403,301,302 -c -t 200 -e .html,.php,.txt,.zip,.jsp -p 2 -r -rate 50
ffuf -w /usr/share/sectlist -u http://example.com/FUZZ -t 200 -e .html,.php,.txt,.zip,.jsp -p 2 -r -rate 50 -maxtime-job 60 -recursion -recursion-depth 2
# <N> = number of most common ports to scan
nmap -sS -T1 -v --top-ports <N> 10.10.23.51
nmap -A -F -T1 -v 10.10.23.51

Step 4

Shodan

Censys

Wayback

crt.sh

ICANN

Hunter

ONYPHE

Netify

grep.app

Intelligence X

Netlas.io

./waybackurls yahoo.com
Google Hacking
