#find subdomains
@Identify IPs and main TLDs
ASNs (http://bgp.he.net)
Reverse Whois (https://whois.arin.net (Target IP Range) , https://reverse.report/ , http://domainbigdata.com/ , http://viewdns.info/ ,https://apps.db.ripe.net/db-web-ui/#/fulltextsearch)
Acquisitions (https://www.crunchbase.com/search/acquisitions)
Trademarks
Shodan (shodan.io)
https://censys.io
https://developers.facebook.com/tools/ct
https://www.zoomeye.org/
crt.sh (%.site.com)
https://transparencyreport.google.com/https/certificates?hl=en
https://github.com/anshumanbh/brutesubs
https://github.com/mandatoryprogrammer/cloudflare_enum
https://github.com/TheRook/subbrute
https://github.com/blechschmidt/massdns
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 (wordlist DNS)
https://github.com/jfrancois/SDBF
sublister
gobuster
https://github.com/vysecurity/DomLink
https://builtwith.com
https://github.com/blechschmidt/massdns
https://github.com/sa7mon/S3Scanner
#####Mobile
https://apkscan.nviso.be
######## other side on same domain
www.yougetsignal.com
##########################################
https://github.com/nahamsec/bbht
https://github.com/nahamsec/lazyrecon
##########################################
github amazonaws.com uber
############## Find Subdomains of Subdomain ##################
./subbrute.py target.com > subdomains.txt
./subbrute.py -t subdomains.txt
###########Leak ##############################################
gitrob
git-all-secrets
truffleHog
git-secrets
repo-supervisor
#AWS S3
site:s3.amazonaws.com inurl:site
sandcastle (https://github.com/0xSearches/sandcastle)
https://github.com/nahamsec/lazys3
###################Dork:
site.com +inurl:dev -cdn
site:apkscan.nviso.be site
site:site.com -www.site.com -www.sanbox
- site:target.com filetype:php
- site:target.com filetype:aspx
- site:target.com filetype:swf (Shockwave Flash)
- site:target.com filetype:wsdl
- site:target.com inurl:.php?id=
- site:target.com inurl:.php?user=
- site:target.com inurl:.php?book=
- site:target.com inurl:login.php
- site:target.com intext:"login"
- site:target.com inurl:portal.php
- site:target.com inurl:register.php
- site:target.com intext:"index of /"
- site:target.com filetype:txt
- site:target.com inurl:.php.txt
- site:target.com ext:txt
CSP Headers
fofa.so
@Permutation scanning & Portscan
nmap -sS -A -PN -p- --script=http-title site.com
Altdns
Sdbf
nmap
masscan
@Visual Identification
eyewitness
@AUXiliary
spider
Github
@Platform Identification
Builtwith
Wappalyzer
Vulners Burp Plugin
@Content Discovery
#Mapping
https://github.com/zseano/InputScanner.git
https://github.com/zseano/JS-Scan.git
retire.js
SVN
git (https://github.com/arthaud/git-dumper.git , https://github.com/michenriksen/gitrob )
RAFT lists
Wappalyzer
Xssed.com
intrigue (https://github.com/intrigueio/intrigue-core)
https://github.com/cure53/Flashbang
Gobuster
Wordlists
Burp
@Parameter discovery
https://github.com/s0md3v/Arjun
Parameth
Burp analyze target
https://github.com/epinna/tplmap.git
https://github.com/jhaddix/domain
#Port scanner:
#Testing
#WAF
tip
ww1,ww2,ww3, ... site.com
x.sub.y.com
x-sub.y.com
#SQL
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
#SSL
https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
#IOS
idb tool (https://github.com/dmayer/idb)
######################################### SCRIPTS ####################################
#!/bin/bash
# Iterates over 98.136.0.0-98.139.255.255, one fetch attempt per host with a 5 s timeout; the whole loop runs in the background.
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
    wget -t 1 -T 5 "http://${ipa}/phpinfo.php"
done &