2017-03-26 18:00:23 +02:00
# Bug Hunting Methodology and Enumeration
2018-04-23 21:22:11 +02:00
2018-08-12 23:30:22 +02:00
## Summary
* [Passive Recon ](#passive-recon )
* Shodan
* Wayback Machine
* The Harvester
2022-10-02 13:13:16 +02:00
* Github OSINT
2018-08-12 23:30:22 +02:00
* [Active Recon ](#active-recon )
2022-10-02 13:13:16 +02:00
* [Network discovery ](#network-discovery )
* [Web discovery ](#web-discovery )
2018-08-12 23:30:22 +02:00
* [Web Vulnerabilities ](#looking-for-web-vulnerabilities )
2018-04-23 21:22:11 +02:00
2017-03-26 18:00:23 +02:00
## Passive recon
2018-08-12 23:30:22 +02:00
2022-10-02 13:13:16 +02:00
* Using [Shodan ](https://www.shodan.io/ ) to detect similar app
2018-08-12 23:30:22 +02:00
```bash
2018-03-23 13:53:53 +01:00
can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
nmap --script shodan-hq.nse --script-args 'apikey=< yourShodanAPIKey > ,target=< hackme > '
```
2017-05-01 22:40:36 +02:00
2022-10-02 13:13:16 +02:00
* Using [The Wayback Machine ](https://archive.org/web/ ) to detect forgotten endpoints
2018-08-12 23:30:22 +02:00
```bash
2017-05-17 20:40:45 +02:00
look for JS files, old links
2020-10-02 17:26:57 +02:00
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=< targetDomain.com > & output=text& fl=original& collapse=urlkey& matchType=prefix"
2017-05-17 20:40:45 +02:00
```
2017-05-01 22:40:36 +02:00
2022-10-02 13:13:16 +02:00
* Using [The Harvester ](https://github.com/laramies/theHarvester )
2018-08-12 23:30:22 +02:00
```python
2017-05-17 20:40:45 +02:00
python theHarvester.py -b all -d domain.com
```
2017-01-07 20:51:47 +01:00
2022-10-02 13:13:16 +02:00
* Look for private information in [GitHub]() repos with [GitRob ](https://github.com/michenriksen/gitrob.git )
```bash
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
```
2022-10-24 12:05:39 +02:00
* Perform Google Dorks search
2022-10-02 13:13:16 +02:00
2017-03-26 18:00:23 +02:00
## Active recon
2018-08-12 23:30:22 +02:00
2022-10-02 13:13:16 +02:00
### Network discovery
2019-05-12 21:34:09 +02:00
2022-10-02 13:13:16 +02:00
* Subdomains enumeration
2022-10-16 00:27:47 +02:00
* Enumerate already found subdomains: [projectdiscovery/subfinder ](https://github.com/projectdiscovery/subfinder ): `subfinder -d hackerone.com`
* Permutate subdomains: [infosec-au/altdns ](https://github.com/infosec-au/altdns )
* Bruteforce subdomains: [Josue87/gotator ](https://github.com/Josue87/gotator )
* Subdomain takeovers: [EdOverflow/can-i-take-over-xyz ](https://github.com/EdOverflow/can-i-take-over-xyz )
2018-08-12 23:30:22 +02:00
2022-10-02 13:13:16 +02:00
* Network discovery
* Scan IP ranges with `nmap` , [robertdavidgraham/masscan ](https://github.com/robertdavidgraham/masscan ) and [projectdiscovery/naabu ](https://github.com/projectdiscovery/naabu )
* Discover services, version and banners
2018-08-12 23:30:22 +02:00
2022-10-16 00:27:47 +02:00
* Review latest acquisitions
2022-10-02 13:13:16 +02:00
* ASN enumeration
* [projectdiscovery/asnmap ](https://github.com/projectdiscovery/asnmap ): `asnmap -a AS45596 -silent`
2018-08-12 23:30:22 +02:00
2022-10-02 13:13:16 +02:00
* DNS Zone Transfer
```ps1
2019-06-09 20:53:41 +02:00
host -t ns domain.local
domain.local name server master.domain.local.
host master.domain.local
master.domain.local has address 192.168.1.1
dig axfr domain.local @192 .168.1.1
```
2022-10-02 13:13:16 +02:00
### Web discovery
2017-05-01 22:40:36 +02:00
2022-10-24 12:05:39 +02:00
* Locate `robots.txt` , `security.txt` , `sitemap.xml` files
2022-10-16 00:27:47 +02:00
* Retrieve comments in source code
* Discover URL: [tomnomnom/waybackurls ](github.com/tomnomnom/waybackurls )
* Search for `hidden` parameters: [PortSwigger/param-miner ](https://github.com/PortSwigger/param-miner )
2022-10-02 13:13:16 +02:00
* List all the subdirectories and files with `gobuster` or `ffuf`
```ps1
# gobuster -w wordlist -u URL -t threads
./gobuster -u http://example.com/ -w words.txt -t 10
```
2017-05-01 22:40:36 +02:00
2022-10-02 13:13:16 +02:00
* Find backup files with [mazen160/bfac ](https://github.com/mazen160/bfac )
2018-08-12 23:30:22 +02:00
```bash
bfac --url http://example.com/test.php --level 4
bfac --list testing_list.txt
```
2017-05-01 22:40:36 +02:00
2022-10-02 13:13:16 +02:00
* Map technologies: Web service enumeration using [projectdiscovery/httpx ](https://github.com/projectdiscovery/httpx ) or Wappalyzer
* Gather favicon hash, JARM fingerprint, ASN, status code, services and technologies (Github Pages, Cloudflare, Ruby, Nginx,...)
2016-11-06 06:42:50 +01:00
2022-10-02 13:13:16 +02:00
* Take screenshots for every websites using [sensepost/gowitness ](https://github.com/sensepost/gowitness )
2018-08-12 23:30:22 +02:00
2022-10-02 13:13:16 +02:00
* Automated vulnerability scanners
* [projectdiscovery/nuclei ](https://github.com/projectdiscovery/nuclei ): `nuclei -u https://example.com`
* [Burp Suite's web vulnerability scanner ](https://portswigger.net/burp/vulnerability-scanner )
* [sullo/nikto ](https://github.com/sullo/nikto ): `./nikto.pl -h http://www.example.com`
2016-11-06 06:42:50 +01:00
2022-10-02 13:13:16 +02:00
* Manual Testing: Explore the website with a proxy:
* [Caido - A lightweight web security auditing toolkit ](https://caido.io/ )
* [ZAP - OWASP Zed Attack Proxy ](https://www.zaproxy.org/ )
* [Burp Suite - Community Edition ](https://portswigger.net/burp/communitydownload )
2018-08-12 23:30:22 +02:00
2016-11-06 06:42:50 +01:00
2017-03-26 18:00:23 +02:00
## Looking for Web vulnerabilities
2022-10-24 12:05:39 +02:00
* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
* Test for Business Logic weaknesses
* High or negative numerical values
* Try all the features and click all the buttons
2022-10-02 13:13:16 +02:00
* [The Web Application Hacker's Handbook Checklist ](https://gist.github.com/gbedoya/10935137 ) copied from http://mdsec.net/wahh/tasks.html
2017-03-26 20:51:40 +02:00
2016-12-20 19:46:06 +01:00
* Subscribe to the site and pay for the additional functionality to test
2022-10-02 13:13:16 +02:00
* Inspect Payment functionality - [@gwendallecoguic ](https://twitter.com/gwendallecoguic/status/988138794686779392 )
2018-04-23 18:41:59 +02:00
> if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free
2018-04-23 18:44:49 +02:00
2018-04-23 18:41:59 +02:00
From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. "
e.g :
2018-04-23 20:45:54 +02:00
2022-10-02 13:13:16 +02:00
Test card numbers and tokens
2018-04-23 21:22:11 +02:00
2022-10-02 13:13:16 +02:00
| NUMBER | BRAND | TOKEN |
| :------------- | :------------- | :------------- |
| 4242424242424242 | Visa | tok_visa |
| 4000056655665556 | Visa (debit) | tok_visa_debit |
| 5555555555554444 | Mastercard | tok_mastercard |
2018-04-23 20:45:54 +02:00
2022-10-02 13:13:16 +02:00
International test card numbers and tokens
2018-04-23 20:55:26 +02:00
2022-10-02 13:13:16 +02:00
| NUMBER | TOKEN | COUNTRY | BRAND |
| :------------- | :------------- | :------------- | :------------- |
| 4000000400000008 | tok_at | Austria (AT) | Visa |
| 4000000560000004 | tok_be | Belgium (BE) | Visa |
| 4000002080000001 | tok_dk | Denmark (DK) | Visa |
| 4000002460000001 | tok_fi | Finland (FI) | Visa |
| 4000002500000003 | tok_fr | France (FR) | Visa |
2018-04-23 20:45:54 +02:00
2018-12-24 15:02:50 +01:00
## References
2018-08-12 23:30:22 +02:00
* [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/)
* [Nmap CheatSheet - HackerTarget ](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/ )
