├── README.md
└── install.sh


/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # Tools of The Bug Hunters Methodology V2
 3 | *NOTE:* The following list has been created based on the PPT "The Bug Hunters Methodology V2 by @jhaddix"
 4 | 
 5 | ## Discovery
 6 | * Sublist3r (Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT).
 7 | * Brutesubs (An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose).
 8 | * Cloudflare_enum (Cloudflare DNS Enumeration Tool for Pentesters).
 9 | * Censys.py (Quick and Dirty script to use the Censys API to query subdomains of a target domain).
10 | * massdns (A high-performance DNS stub resolver).
11 | * ListSubs.txt (A list with a lot of subs).
12 | * EyeWitness (EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible).
13 | * GoBuster (Directory/file & DNS busting tool written in Go).
14 | * RobotsDisallowed (The RobotsDisallowed project is a harvest of the Disallowed directories from the robots.txt).
15 | * Parameth (This tool can be used to brute discover GET and POST parameters).
16 | 
17 | ## Web Content
18 | * GroundControl (A collection of scripts that run on my web server).
19 | * Sleepy-Puppy (Sleepy Puppy XSS Payload Management Framework).
20 | * XSSHunter (The XSS Hunter service - a portable version of XSSHunter.com).
21 | * TPLMap (Code and Server-Side Template Injection Detection and Exploitation Tool).
22 | * PsychoPATH (Hunting file uploads & LFI in the dark).
23 | * Commix (Automated All-in-One OS command injection and exploitation tool)
24 | 
25 | ## Miscellaneous
26 | * AutoSubTakeover (A tool used to check if a CNAME resolves to the scope adress).
27 | * HostileSubBruteforcer (This app will bruteforce for exisiting subdomains)
28 | * Tko-Subs (A tool that can help detect and takeover subdomains with dead DNS records).
29 | * SandCastle (Python script for AWS S3 bucket enumeration).
30 | * GitRob (Reconnaissance tool for GitHub organizations).
31 | * TruffleHog (Searches through git repositories for high entropy strings, digging deep into commit history)
32 | 
33 | ## Plugins BurpSuite
34 | * VulnersCom: https://github.com/vulnersCom/burp-vulners-scanner
35 | * BackSlash-powered-scanner: https://github.com/PortSwigger/backslash-powered-scanner
36 | * Header Checks: https://github.com/eonlight/BurpExtenderHeaderChecks
37 | * pyschPATH: https://github.com/ewilded/psychopath
38 | * HUNT Burp Suite Extension: https://github.com/bugcrowd/HUNT
39 | 
40 | ## Credits
41 | * GitHub Jhaddix https://github.com/jhaddix/tbhm
42 | * Bug Bounty Forum https://bugbountyforum.com/tools/
43 | * "The Bug Hunter Methodology V2 by @jhaddix" https://docs.google.com/presentation/d/1p8QiqbGndcEx1gm4_d3ne2fqeTqCTurTC77Lxe82zLY
44 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
  1 | printf "TOOLS OF'THE BUG HUNTERS METHODOLOGY V2'\n\n"
  2 | printf "[*] DISCOVERY TOOLS\n\n"
  3 | mkdir discovery 2>/dev/null
  4 | 
  5 | printf "[+] Cloning Sublist3r\n"
  6 | printf "[!] Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT\n\n"
  7 | git clone https://github.com/aboul3la/Sublist3r.git discovery/sublist3r 2>/dev/null
  8 | 
  9 | printf "[+] Cloning brutesubs\n"
 10 | printf "[!] An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose\n\n"
 11 | git clone https://github.com/anshumanbh/brutesubs.git discovery/brutesubs 2>/dev/null
 12 | 
 13 | printf "[+] Cloning cloudflare_enum\n"
 14 | printf "[!] Cloudflare DNS Enumeration Tool for Pentesters\n\n"
 15 | git clone https://github.com/mandatoryprogrammer/cloudflare_enum discovery/cloudflare_enum 2>/dev/null
 16 | 
 17 | printf "[+] Cloning censys.py\n"
 18 | printf "[!] Quick and Dirty script to use the Censys API to query subdomains of a target domain\n\n"
 19 | git clone https://gist.github.com/anshumanbh/96a0b81dfe318e9e956013209e178fa9 discovery/censys 2>/dev/null
 20 | 
 21 | printf "[+] Cloning massdns\n"
 22 | printf "[!] A high-performance DNS stub resolver\n\n"
 23 | git clone https://github.com/blechschmidt/massdns discovery/massdns 2>/dev/null
 24 | 
 25 | printf "[+] Downloading list subdomains\n"
 26 | printf "[!] A list with a lot of subs\n\n"
 27 | git clone https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 discovery/list_subs 2>/dev/null
 28 | 
 29 | printf "[+] Cloning EyeWitness\n"
 30 | printf "[!] EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible\n\n"
 31 | git clone https://github.com/ChrisTruncer/EyeWitness discovery/eyewitness 2>/dev/null
 32 | 
 33 | printf "[+] Cloning GoBuster\n"
 34 | printf "[!] Directory/file & DNS busting tool written in Go\n\n"
 35 | git clone https://github.com/OJ/gobuster discovery/gobuster 2>/dev/null
 36 | 
 37 | printf "[+] Cloning RobotsDisallowed\n"
 38 | printf "[!] The RobotsDisallowed project is a harvest of the Disallowed directories from the robots.txt\n\n"
 39 | git clone https://github.com/danielmiessler/RobotsDisallowed discovery/robotsdisallowed 2>/dev/null
 40 | 
 41 | printf "[+] Cloning Parameth\n"
 42 | printf "[!] This tool can be used to brute discover GET and POST parameters\n\n"
 43 | git clone https://github.com/maK-/parameth discovery/parameth 2>/dev/null
 44 | 
 45 | printf "[*] WEB CONTENT\n\n"
 46 | mkdir web 2>/dev/null
 47 | 
 48 | printf "[+] Cloning Ground-Control\n"
 49 | printf "[!] A collection of scripts that run on my web server\n\n"
 50 | git clone https://github.com/jobertabma/ground-control web/ground_control 2>/dev/null
 51 | 
 52 | printf "[+] Cloning Sleepy-Puppy\n"
 53 | printf "[!] Sleepy Puppy XSS Payload Management Framework\n\n"
 54 | git clone https://github.com/Netflix/sleepy-puppy web/sleepy_puppy 2>/dev/null
 55 | 
 56 | printf "[+] Cloning XSSHunter\n"
 57 | printf "[!] The XSS Hunter service - a portable version of XSSHunter.com\n\n"
 58 | git clone https://github.com/mandatoryprogrammer/xsshunter web/xsshunter 2>/dev/null
 59 | 
 60 | printf "[+] Cloning tplmap\n"
 61 | printf "[!] Code and Server-Side Template Injection Detection and Exploitation Tool\n\n"
 62 | git clone https://github.com/epinna/tplmap web/tplmap 2>/dev/null
 63 | 
 64 | printf "[+] Cloning psychoPATH\n"
 65 | printf "[!] Hunting file uploads & LFI in the dark\n\n"
 66 | git clone https://github.com/ewilded/psychopath web/psychopath 2>/dev/null
 67 | 
 68 | printf "[+] SSRF CommonsParamaters\n"
 69 | printf "[!] Common Parameters or Injection\n\n"
 70 | printf "file=\nlocation=\nlocale=\npath=\ndisplay=\nload=\nread=\nretrieve=\nfolder=\nstyle=\ntemplate=\ndoc=\nsource=\npdf=\ndest=\ncontiue=\nurl=\n" > web/ssrf_parameters.txt
 71 | 
 72 | printf "[+] Cloning Commix\n"
 73 | printf "[!] Automated All-in-One OS command injection and exploitation tool\n\n"
 74 | git clone https://github.com/commixproject/commix web/commix 2>/dev/null 2>/dev/null
 75 | 
 76 | printf "[*] MISCELLANEOUS\n\n"
 77 | mkdir misc 2>/dev/null
 78 | 
 79 | printf "[+] Cloning autoSubTakeover\n"
 80 | printf "[!] A tool used to check if a CNAME resolves to the scope adress\n\n"
 81 | git clone https://github.com/JordyZomer/autoSubTakeover misc/autosubtakeover 2>/dev/null
 82 | 
 83 | printf "[+] Cloning HostileSubBruteforcer\n"
 84 | printf "[!] This app will bruteforce for exisiting subdomains\n\n"
 85 | git clone  https://github.com/nahamsec/HostileSubBruteforcer misc/hostilesubbruteforcer 2>/dev/null
 86 | 
 87 | printf "[+] Cloning tko-subs\n"
 88 | printf "[!] A tool that can help detect and takeover subdomains with dead DNS records\n\n"
 89 | git clone https://github.com/anshumanbh/tko-subs misc/tko-subs 2>/dev/null
 90 | 
 91 | printf "[+] Cloning SandCastle\n"
 92 | printf "[!] Python script for AWS S3 bucket enumeration\n\n"
 93 | git clone https://github.com/yasinS/sandcastle misc/sandcastle_aws 2>/dev/null
 94 | 
 95 | printf "[+] Cloning gitrob\n"
 96 | printf "[!] Reconnaissance tool for GitHub organizations\n\n"
 97 | git clone https://github.com/michenriksen/gitrob misc/gitrob 2>/dev/null
 98 | 
 99 | printf "[+] Cloning truffleHog\n"
100 | printf "[!] Searches through git repositories for high entropy strings, digging deep into commit history\n\n"
101 | git clone https://github.com/dxa4481/truffleHog misc/trufflehog 2>/dev/null
102 | 
103 | printf "[*] Plugins for Burp Suite\n"
104 | printf "[+] VulnersCom: https://github.com/vulnersCom/burp-vulners-scanner\n"
105 | printf "[+] BackSlash-powered-scanner: https://github.com/PortSwigger/backslash-powered-scanner\n"
106 | printf "[+] Header Checks: https://github.com/eonlight/BurpExtenderHeaderChecks\n"
107 | printf "[+] pyschPATH: https://github.com/ewilded/psychopath\n"
108 | 


--------------------------------------------------------------------------------