├── README.md ├── aws-attack.sh ├── bountyRecon.sh ├── config.conf ├── domains.txt ├── jsextractor.sh ├── key_files.list ├── keywords.txt ├── prerequisites.txt ├── providers.json ├── search.sh ├── subdomains.sh ├── takeover.sh └── vulns ├── citrix_vuln.txt └── port_8009.txt /README.md: -------------------------------------------------------------------------------- 1 | ## bountyRecon 2 | 3 | Bounty Recon is a bash script to automate the process of reconnaissance for bug bounties. It is said that the more you know about your target, the better your chances of finding a bug. Keeping this in mind, the utility was created to gather information about the target effectively and to cover the maximum scope. 4 | 5 | 6 | This repository is no longer maintained and has moved to [bountyRecon v2](https://github.com/AdmiralGaust/bountyReconv2). 7 | -------------------------------------------------------------------------------- /aws-attack.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if ! 
[[ ${1} ]];then
  # Usage error. A bare "exit" returns the status of the preceding echo (0),
  # so a caller cannot tell "no argument given" apart from a completed run.
  echo -e "\n[!]\tUsage : ./aws-attack.sh S3_Bucket_Name\n"
  exit
fi

# Every step below is a live request against the bucket named in $1, made
# through the AWS CLI. Whatever the CLI prints is shown as-is; nothing is
# parsed, so success or failure of each step is only visible in that output.

echo -e "\n[+] Trying unauthenticated listing\n"
# Unlike the write step below, this call is not given --no-sign-request, so
# it is signed with whatever default credentials the CLI finds, despite the
# banner saying "unauthenticated".
aws s3 ls s3://"${1}"

#echo -e "\n[+] Trying unauthenticated read\n"
#aws s3 --no-sign-request --recursive cp s3://"${1}"/ ${1}
#aws s3 --no-sign-request --recursive mv s3://"${1}"/ ${1}

echo -e "\n[+] Trying unauthenticated write\n"
# Uploads a marker object. This modifies the target's storage (cp and mv
# both address the same key, so at most one object results) and, where the
# owner has server access logging or CloudTrail data events enabled, is
# recorded there. cp leaves the local test.txt in place; mv removes the local
# copy only when its upload succeeds, otherwise test.txt stays in $PWD.
echo "Uploaded by bug_bunny as a PoC for bounty" > test.txt
aws s3 --no-sign-request cp test.txt s3://"${1}"/Just_A_Test.txt
echo "Uploaded by bug_bunny as a PoC for bounty" > test.txt
aws s3 --no-sign-request mv test.txt s3://"${1}"/Just_A_Test.txt

echo -e "\n[+] Trying authenticated listing\n"
# "myprofile" is hard-coded: a named CLI profile of that name has to exist in
# the local AWS configuration, otherwise the CLI reports an error here.
aws s3 --profile myprofile ls s3://"${1}"

#echo -e "\n[+] Trying authenticated read\n"
#aws s3 --profile myprofile cp s3://"${1}"/ ${1}
#aws s3 --profile myprofile mv s3://"${1}"/ ${1}


echo -e "\n[+] Trying authenticated write\n"
# Same marker upload as above, this time signed with the named profile; the
# same storage-modification and logging remarks apply.
echo "Uploaded by bug_bunny as a PoC for bounty" > test.txt
aws s3 --profile myprofile cp test.txt s3://"${1}"/Just_A_Test.txt
echo "Uploaded by bug_bunny as a PoC for bounty" > test.txt
aws s3 --profile myprofile mv test.txt s3://"${1}"/Just_A_Test.txt
--------------------------------------------------------------------------------
/bountyRecon.sh:
--------------------------------------------------------------------------------
#!/bin/bash

##Script to Automate Bug Bounty Recon
# Usage: ./bountyRecon.sh TARGET_NAME DOMAIN_LIST_FILE
#   $1 - target name; used as the per-target output directory name under the
#        Recon_Home value read from config.conf
#   $2 - path to a file of domains; its existence is checked right below
# config.conf is looked up relative to the current working directory.

if ! [[ ${1} && ${2} ]] ;then
  echo -e "\n[!] Please pass the required arguments :"
  echo -e "\tusage : ./bountyRecon.sh TARGET_NAME [list of domains]\n"
  # Bare "exit": status 0 even though this is a usage error.
  exit
fi

if ! 
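[[ -f "${2}" ]]; then
  echo -e "\n[-] File does not exist : ${2}\n"
  # Non-zero so a wrapper can detect the failed start.
  exit 1
fi


######Reading Config File

#######################################
# Print the value of a key from config.conf.
# config.conf is resolved against the current working directory, not the
# script's directory, so the script has to be started from its checkout.
# Arguments: $1 - config key
# Outputs:   the value (text after the first "=") to stdout; empty if absent
#######################################
function getValueFromConfig() {
  # Anchor on "^key=" so a key that is a prefix of another key, or one that
  # only appears in a comment, cannot match; "-f 2-" keeps values that
  # themselves contain "=".
  grep -- "^${1}=" config.conf | cut -d '=' -f 2-
}



#######Initializing variables

TARGET_NAME=${1}
domains=${2}

recon_root=$(getValueFromConfig "Recon_Home")
# Without this guard an empty lookup would make every path below start at "/".
if [[ -z "${recon_root}" ]]; then
  echo -e "\n[-] Recon_Home is not set in config.conf (looked in $(pwd))\n"
  exit 1
fi
Recon_Home="${recon_root}/${TARGET_NAME}"
# Read but not used in this file and not exported, so the child scripts
# cannot see it from here; presumably they read config.conf themselves.
amass_config_path=$(getValueFromConfig "amass_config_path")


mkdir -p "${Recon_Home}/logs"

start_time=$(date "+%d%m%y_%H%M%S")
logfile="${Recon_Home}/logs/${start_time}.log"



######Subdomain Enumeration########

mkdir -p "${Recon_Home}/subdomains"

echo -e "\n[+] Started Subdomain Enumeration at ${start_time}" | tee -a "${logfile}"

# ${domains} is the *path* of the domain list (checked with -f above); it is
# handed to subdomains.sh as one argument, not expanded into one job per domain.
printf '%s\n' "${domains}" | parallel ./subdomains.sh {} "${Recon_Home}/subdomains"

echo -e "[+] Subdomain Enumeration Finished at $(date '+%d%m%y_%H%M%S')" | tee -a "${logfile}"

# Merge both tools' output. The bracket expression drops lines beginning with
# '.', '*' (wildcard entries such as *.example.com) or a backslash.
cat "${Recon_Home}/subdomains/subfinder.txt" "${Recon_Home}/subdomains/amass.txt" | sed "/^[\.*]/d" | sort -u > "${Recon_Home}/subdomains/subdomains.txt"


##########Screenshot the target with aquatone######

mkdir -p "${Recon_Home}/aquatone"

echo -e "[+] Attempting Screenshot for the target subdomains..." | tee -a "${logfile}"

aquatone_home=$(getValueFromConfig "aquatone_home")
# aquatone takes its targets on stdin; quoting the binary path keeps a
# config value with spaces from being split into several words.
"${aquatone_home}/aquatone" -out "${Recon_Home}/aquatone" -http-timeout 30000 -scan-timeout 30000 -screenshot-timeout 60000 < "${Recon_Home}/subdomains/subdomains.txt"

echo -e "[+] Screenshot Finished for subdomains" | tee -a "${logfile}"


#######Extract javascript files and urls

echo -e "[+] Extracting javascript from html source" | tee -a "${logfile}"

./jsextractor.sh "${Recon_Home}"

echo -e "[+] javascript extracted successfully" | tee -a "${logfile}"


########Subdomain takeover

mkdir -p "${Recon_Home}/takeover"

# One job: takeover.sh receives the per-target directory as its argument.
printf '%s\n' "${Recon_Home}" | parallel ./takeover.sh {}

#Test put method on all subdomains


########Testing for Alive and Resolvable domains####

#echo "[+] Checking for alive domains..\n" | tee -a ${logfile}
#cat "${Recon_Home}/subdomains/subdomains.txt" | httprobe -p http:8080 https:8080 https:8443 http:8000 https:8000 -c 50| tee -a "${Recon_Home}/subdomains/alive.txt"
#echo "[+] Finished Checking Alive domains\n" | tee -a ${logfile}

#massdns_home=$(getValueFromConfig "massdns_home")
#echo -e "[+] Checking for Resolvable domains.." 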
| tee -a ${logfile} 92 | #${massdns_home}/bin/massdns -r ${massdns_home}/lists/resolvers.txt -o S -w "${Recon_Home}/subdomains/massdns.txt" "${Recon_Home}/subdomains/subdomains.txt" 93 | #echo -e "[+] Finished Checking Resolvable domains" | tee -a ${logfile} 94 | #cat "${Recon_Home}/subdomains/massdns.txt" |cut -d " " -f 1|sed "s/\.$//"|sort -u > "${Recon_Home}/subdomains/resolvable.txt" 95 | 96 | 97 | ###TODO list 98 | 99 | 100 | #Check hidden files and other important files like .git, .DS_Store and swagger-ui.html on all subdomains 101 | #Masscan the target 102 | #Check for cve 2019 19781 exploit - grep "citrix login" in title or "citrix" occurrences >3 103 | #pdf ssrf - html rendering to pdf 104 | 105 | #ffuf 106 | #cloud_enum - https://github.com/initstring/cloud_enum -------------------------------------------------------------------------------- /config.conf: -------------------------------------------------------------------------------- 1 | #Specify path where output is stored 2 | Recon_Home=/home/hackguru/Documents/BugBounty/reconData 3 | 4 | #Specify the Amass Home Directory and amass config file location 5 | amass_home=/home/hackguru/Documents/BugBounty/tools/amass/ 6 | amass_config_path=/home/hackguru/Documents/BugBounty/tools/amass/config.ini 7 | 8 | 9 | #Specify the location of massdns cloned directory 10 | massdns_home=/home/hackguru/Documents/BugBounty/tools/massdns 11 | 12 | 13 | #Specify the location of the aquatone cloned directory 14 | aquatone_home=/home/hackguru/Documents/BugBounty/tools/aquatone 15 | -------------------------------------------------------------------------------- /domains.txt: -------------------------------------------------------------------------------- 1 | bitpesa.co 2 | paytm.com 3 | -------------------------------------------------------------------------------- /jsextractor.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | mkdir -p "${1}"/scripts 3 | 4 | 5 | function 
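getValueFromConfig() {
  # Defined here but not called anywhere in this script.
  # Anchor on "^key=" so a key that is a prefix of another key, or one that
  # only appears in a comment, cannot match; "-f 2-" keeps values containing
  # "=". config.conf is resolved against the current directory.
  grep -- "^${1}=" config.conf | cut -d '=' -f 2-
}


# For every aquatone HTML capture under $1/aquatone/html: pull the src=
# references that look like script paths out of the page, fetch each one and
# record the URL that was fetched. Output, relative to $1:
#   scriptResponse/<capture>/<basename>   body returned for that script
#   scripts/<capture>                     one fetched URL per line
# The HTML comes from the scanned hosts, so every extracted value is treated
# as opaque, untrusted data.
html_dir="${1}/aquatone/html"
for capture in "${html_dir}"/*; do
  [[ -e "${capture}" ]] || continue   # empty directory: the glob stays literal
  page=${capture##*/}

  # A plain ' is used in the second sed: written as \' inside double quotes it
  # reaches sed as \', which GNU sed reads as an end-of-buffer anchor rather
  # than a quote, so single-quoted src values kept their leading quote.
  end_points=$(grep -Eoi "src\s*=\s*[\'\"]?[^>]+>" "${html_dir}/${page}" | grep -Eoi "[\'\"\/].*js" | sed "s/\"//g" | sed "s/'//g")
  # Deliberately unquoted: one reference per word, as before.
  # shellcheck disable=SC2086
  for end_point in $end_points; do
    URL=$end_point

    # No "//" means a relative reference: rebuild the page origin from the
    # capture filename. The sed chain assumes aquatone names captures as
    # scheme__host_parts__port.html — verify against the captures on disk.
    # Scheme-relative references (//host/x.js) are passed to curl as written.
    if [[ "${end_point}" != *//* ]]; then
      URL=$(printf '%s\n' "${page}" | sed "s/__/\:\/\//" | sed "s/_/./g" | sed "s/\.\./~/" | cut -d "~" -f 1)
      URL=$URL/$end_point
    fi

    # basename keeps a crafted src value from writing outside scriptResponse/.
    file=$(basename -- "${end_point}")
    mkdir -p "${1}/scriptResponse/${page}/"
    # --url keeps a value that starts with "-" from being read as a curl option;
    # --proto/--proto-redir restrict fetches and redirects to http(s), so a
    # crafted src or redirect cannot point curl at file:// or another scheme.
    # -k (no certificate verification) is kept as before: the saved body can
    # therefore come from anyone able to intercept the connection.
    curl -k -X GET --proto '=http,https' --proto-redir '=http,https' --url "${URL}" -L > "${1}/scriptResponse/${page}/${file}"
    printf '%s\n' "${URL}" >> "${1}/scripts/${page}"
  done
done
-------------------------------------------------------------------------------- /key_files.list: -------------------------------------------------------------------------------- 1 | .DS_STORE 2 | .git 3 | .gitignore 4 | .git/HEAD 5 | .svn 6 | .idea 7 | .idea/workspace.xml 8 | .swp 9 | .htpasswd 10 | .httpasswd 11 | coredump 12 | .winscp.ini 13 | filezilla.xml 14 | server-status 15 | api-docs 16 | swagger-ui.html 17 | swagger/swagger-ui.html 18 | api/swagger-ui.html 19 | swagger/index.html 20 | 21 | 22 | ##Needs modification 23 | v1.0/swagger-ui.html 24 | v1.1/swagger-ui.html 25 | v1.2/swagger-ui.html 26 | v1.3/swagger-ui.html 27 | 28 | assets/server.js 29 | assets/app.js 30 | -------------------------------------------------------------------------------- /keywords.txt: -------------------------------------------------------------------------------- 1 | sentry 2 | token 3 | xoxp- 4 | access_token 5 | auth 6 | aws_key 7 | Authorization 8 | citrix 9 | api_key -------------------------------------------------------------------------------- /prerequisites.txt: -------------------------------------------------------------------------------- 1 | parallel 2 | subfinder (~/.config/subfinder/config.json) 3 | amass (config.ini) 4 | massdns 5 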
| aquatone 6 | subjack 7 | subover (subover home should be where providers.json is present) -------------------------------------------------------------------------------- /providers.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "name":"github", 4 | "cname":["github.io", "github.map.fastly.net"], 5 | "response":["There isn't a GitHub Pages site here.", "For root URLs (like http://example.com/) you must provide an index.html file"] 6 | }, 7 | { 8 | "name":"heroku", 9 | "cname":["herokudns.com", "herokussl.com", "herokuapp.com"], 10 | "response":["There's nothing here, yet.", "herokucdn.com/error-pages/no-such-app.html", "No such app"] 11 | }, 12 | { 13 | "name":"unbounce", 14 | "cname":["unbouncepages.com"], 15 | "response":["The requested URL / was not found on this server.", "The requested URL was not found on this server"] 16 | }, 17 | { 18 | "name":"tumblr", 19 | "cname":["tumblr.com"], 20 | "response":["There's nothing here.", "Whatever you were looking for doesn't currently exist at this address."] 21 | }, 22 | { 23 | "name":"shopify", 24 | "cname":["myshopify.com"], 25 | "response":["Sorry, this shop is currently unavailable.", "Only one step left!"] 26 | }, 27 | { 28 | "name":"instapage", 29 | "cname":["pageserve.co", "secure.pageserve.co", "https://instapage.com/"], 30 | "response":["You've Discovered A Missing Link. 
Our Apologies!"] 31 | }, 32 | { 33 | "name":"desk", 34 | "cname":["desk.com"], 35 | "response":["Please try again or try Desk.com free for 14 days.", "Sorry, We Couldn't Find That Page"] 36 | }, 37 | { 38 | "name":"tictail", 39 | "cname":["tictail.com", "domains.tictail.com"], 40 | "response":["Building a brand of your own?", "to target URL: Trying to access your account?"] 46 | }, 47 | { 48 | "name":"cargocollective", 49 | "cname":["cargocollective.com"], 50 | "response":["404 Not Found"] 51 | }, 52 | { 53 | "name":"statuspage", 54 | "cname":["statuspage.io"], 55 | "response":["Better Status Communication", "You are being redirected"] 56 | }, 57 | { 58 | "name":"amazonaws", 59 | "cname":["amazonaws.com"], 60 | "response":["NoSuchBucket", "The specified bucket does not exist"] 61 | }, 62 | { 63 | "name":"cloudfront", 64 | "cname":["cloudfront.net"], 65 | "response":["The request could not be satisfied", "ERROR: The request could not be satisfied"] 66 | }, 67 | { 68 | "name":"bitbucket", 69 | "cname":["bitbucket.org"], 70 | "response":["The page you have requested does not exist"] 71 | }, 72 | { 73 | "name":"smartling", 74 | "cname":["smartling.com"], 75 | "response":["Domain is not configured"] 76 | }, 77 | { 78 | "name":"acquia", 79 | "cname":["acquia.com"], 80 | "response":["If you are an Acquia Cloud customer and expect to see your site at this address"] 81 | }, 82 | { 83 | "name":"fastly", 84 | "cname":["fastly.net"], 85 | "response":["Please check that this domain has been added to a service", "Fastly error: unknown domain"] 86 | }, 87 | { 88 | "name":"pantheon", 89 | "cname":["pantheonsite.io"], 90 | "response":["The gods are wise", "The gods are wise, but do not know of the site which you seek."] 91 | }, 92 | { 93 | "name":"zendesk", 94 | "cname":["zendesk.com"], 95 | "response":["Help Center Closed | Zendesk", "Help Center Closed"] 96 | }, 97 | { 98 | "name":"uservoice", 99 | "cname":["uservoice.com"], 100 | "response":["This UserVoice subdomain is 
currently available!"] 101 | }, 102 | { 103 | "name":"ghost", 104 | "cname":["ghost.io"], 105 | "response":["The thing you were looking for is no longer here", "The thing you were looking for is no longer here, or never was"] 106 | }, 107 | { 108 | "name":"pingdom", 109 | "cname":["stats.pingdom.com"], 110 | "response":["pingdom"] 111 | }, 112 | { 113 | "name":"tilda", 114 | "cname":["tilda.ws"], 115 | "response":["Domain has been assigned"] 116 | }, 117 | { 118 | "name":"wordpress", 119 | "cname":["wordpress.com"], 120 | "response":["Do you want to register"] 121 | }, 122 | { 123 | "name":"teamwork", 124 | "cname":["teamwork.com"], 125 | "response":["Oops - We didn't find your site."] 126 | }, 127 | { 128 | "name":"helpjuice", 129 | "cname":["helpjuice.com"], 130 | "response":["We could not find what you're looking for."] 131 | }, 132 | { 133 | "name":"helpscout", 134 | "cname":["helpscoutdocs.com"], 135 | "response":["No settings were found for this company:"] 136 | }, 137 | { 138 | "name":"cargo", 139 | "cname":["cargocollective.com"], 140 | "response":["If you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel."] 141 | }, 142 | { 143 | "name":"feedpress", 144 | "cname":["redirect.feedpress.me"], 145 | "response":["The feed has not been found."] 146 | }, 147 | { 148 | "name":"surge", 149 | "cname":["surge.sh"], 150 | "response":["project not found"] 151 | }, 152 | { 153 | "name":"surveygizmo", 154 | "cname":["privatedomain.sgizmo.com", "privatedomain.surveygizmo.eu", "privatedomain.sgizmoca.com"], 155 | "response":["data-html-name"] 156 | }, 157 | { 158 | "name":"mashery", 159 | "cname":["mashery.com"], 160 | "response":["Unrecognized domain "] 161 | }, 162 | { 163 | "name":"intercom", 164 | "cname":["custom.intercom.help"], 165 | "response":["This page is reserved for artistic dogs.","

Uh oh. That page doesn’t exist.

"] 166 | }, 167 | { 168 | "name":"webflow", 169 | "cname":["proxy.webflow.io"], 170 | "response":["

The page you are looking for doesn't exist or has been moved.

"] 171 | }, 172 | { 173 | "name":"kajabi", 174 | "cname":["endpoint.mykajabi.com"], 175 | "response":["

The page you were looking for doesn't exist.

"] 176 | }, 177 | { 178 | "name":"thinkific", 179 | "cname":["thinkific.com"], 180 | "response":["You may have mistyped the address or the page may have moved."] 181 | }, 182 | { 183 | "name":"tave", 184 | "cname":["clientaccess.tave.com"], 185 | "response":["

Error 404: Page Not Found

"] 186 | }, 187 | { 188 | "name":"wishpond", 189 | "cname":["wishpond.com"], 190 | "response":["https://www.wishpond.com/404?campaign=true"] 191 | }, 192 | { 193 | "name":"aftership", 194 | "cname":["aftership.com"], 195 | "response":["Oops.

The page you're looking for doesn't exist."] 196 | }, 197 | { 198 | "name":"aha", 199 | "cname":["ideas.aha.io"], 200 | "response":["There is no portal here ... sending you back to Aha!"] 201 | }, 202 | { 203 | "name":"brightcove", 204 | "cname":["brightcovegallery.com", "gallery.video", "bcvp0rtal.com"], 205 | "response":["

"] 206 | }, 207 | { 208 | "name":"bigcartel", 209 | "cname":["bigcartel.com"], 210 | "response":["

Oops! We couldn’t find that page.

"] 211 | }, 212 | { 213 | "name":"activecompaign", 214 | "cname":["activehosted.com"], 215 | "response":["alt=\"LIGHTTPD - fly light.\""] 216 | }, 217 | { 218 | "name":"compaignmonitor", 219 | "cname":["createsend.com"], 220 | "response":["Double check the URL or