Recon Reckoning
Bug Bounty Reconnaissance Tools

On July 15, 2017 the bug bounty platform Bugcrowd hosted the virtual hacking conference LevelUp, which included talks on a wide range of application security and bug bounty hunting topics from members of the bug bounty community. I was honored to be able to participate and presented a talk entitled “How to Fail at Bug Bounty Hunting” (YouTube and Slides), a personal story of failures, lessons learned, and bug bounty hunting tips for busy professionals, part-time and beginning bug bounty hunters. This post is a companion to that presentation, expanding on and clarifying my personal resources, mobile setup and bug bounty recon script.

Resources:

Books
Payload Lists
Criticality
Bounty Reports / Write-ups / Blogs
Test Applications / Capture the Flags
Online Recon
Tools
Miscellaneous

Mobile Set Up:

  1. iPhone with Blink Shell – mosh and ssh terminal emulator (does not require jailbreak!)
  2. DietPi - lightweight Debian OS for Raspberry Pi
  3. Enable SSH
  4. Install Mosh - remote terminal application that allows roaming and supports intermittent connectivity
    • apt-get install mosh on Debian
  5. Port forwarding from your public IP address to your internal DietPi IP address
    • Public TCP port 22 to private TCP port 22
    • Public UDP ports 60000-60010 to private UDP ports 60000-60010
  6. Use a Dynamic DNS service or your own domain names to point to your public IP address
  7. Use the DietPi jumpbox to SSH into boxes on my internal network as needed
  8. Use tmux to multiplex and keep track of virtual consoles
  9. Pure pwnage on the go!

PyBrute (Later renamed to domained) [Updated]

The following script can be found at github.com/nilvalues/domained [Updated]

Gist: Some terrible continually updated python code leveraging some awesome tools that I use for bug bounty reconnaissance.

PyBrute uses several subdomain enumeration tools and wordlists to build a unique list of subdomains, which is passed to EyeWitness for reporting with categorized screenshots, server response headers and signature-based default credential checking (resources are saved to ./bin and output is saved to ./Output/PyBrute).

NOTE: This is active recon – only perform it against applications that you have permission to test.

Tools leveraged:
Subdomain Enumeration Tools:
  1. Sublist3r by Ahmed Aboul-Ela
  2. enumall by Jason Haddix
  3. Knock by Gianni Amato
  4. Subbrute by TheRook
  5. massdns by B. Blechschmidt
Reporting + Wordlists:
Usage

Example 1: python PyBrute.py -d example.com
Uses domain example.com with no bruteforce (Sublist3r, enumall, Knock)

Example 2: python PyBrute.py -d example.com -b -p --vpn
Uses domain example.com with SecLists subdomain list bruteforcing (massdns, subbrute, Sublist3r and enumall), adds ports 8443/8080 and checks if on VPN

Example 3: python PyBrute.py -d example.com -b --bruteall
Uses domain example.com with large-all.txt bruteforcing (massdns, subbrute, Sublist3r and enumall)

Example 4: python PyBrute.py -d example.com --quick
Uses domain example.com and only Sublist3r (+subbrute)

Note: --bruteall must be used with the -b flag
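The core of the script described above is merging the output of several enumeration tools into one unique, in-scope list and expanding it with the extra ports that -p adds. The following is an added example of that merge step, not code from domained/PyBrute; the sample tool output lines are constructed and do not claim to be the real format of any named tool, and the scope filter drops look-alike hosts that fall outside the domain you have permission to test.

```python
import re
from urllib.parse import urlsplit

# RFC 1035-style hostname: labels of 1-63 chars, whole name up to 253 chars.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$")

# Constructed sample tool output (not the real format of any named tool):
# bare hosts, "host,ip" pairs, a wildcard, a URL and an out-of-scope look-alike.
SAMPLE_A = "www.example.com\napi.example.com\nWWW.EXAMPLE.COM\n"
SAMPLE_B = "api.example.com,192.0.2.10\ndev.example.com,192.0.2.11\n"
SAMPLE_C = "*.staging.example.com\nexample.com.evil.net\nhttps://mail.example.com/\n"


def normalize_host(entry):
    """Reduce one raw output line to a bare lowercase hostname, or None."""
    entry = entry.strip().lower()
    if not entry or entry.startswith("#"):
        return None
    if "://" in entry:                      # URL-style line
        entry = urlsplit(entry).hostname or ""
    entry = re.split(r"[,\s]", entry, maxsplit=1)[0].rstrip(".")
    if entry.startswith("*."):              # wildcard record
        entry = entry[2:]
    return entry if HOSTNAME_RE.match(entry) else None


def in_scope(host, domain):
    """True only for the target domain or one of its subdomains, so look-alikes
    such as example.com.evil.net or notexample.com are dropped."""
    return host == domain or host.endswith("." + domain)


def merge_subdomains(domain, *tool_outputs):
    """Union of every tool's results, filtered to scope, deduplicated, sorted."""
    domain = domain.lower()
    found = set()
    for output in tool_outputs:
        for line in output.splitlines():
            host = normalize_host(line)
            if host and in_scope(host, domain):
                found.add(host)
    return sorted(found)


def to_targets(hosts, extra_ports=()):
    """One target line per host plus host:port lines for the extra ports
    (the -p flag adds 8443 and 8080) for the screenshot/reporting stage."""
    targets = []
    for host in hosts:
        targets.append(host)
        targets.extend("%s:%d" % (host, port) for port in extra_ports)
    return targets
```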
Options
Updates
*****
Written by C. A. Kinney on 25 July 2017