├── README.md
└── install.sh

/README.md:
--------------------------------------------------------------------------------

# Tools of The Bug Hunters Methodology V2
*NOTE:* The following list has been created based on the PPT "The Bug Hunters Methodology V2 by @jhaddix".

## Discovery
* Sublist3r (Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT).
* Brutesubs (An automation framework for running multiple open-source subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose).
* Cloudflare_enum (Cloudflare DNS Enumeration Tool for Pentesters).
* Censys.py (Quick and Dirty script to use the Censys API to query subdomains of a target domain).
* massdns (A high-performance DNS stub resolver).
* ListSubs.txt (A list with a lot of subs).
* EyeWitness (EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible).
* GoBuster (Directory/file & DNS busting tool written in Go).
* RobotsDisallowed (The RobotsDisallowed project is a harvest of the Disallowed directories from the robots.txt).
* Parameth (This tool can be used to brute-force discover GET and POST parameters).

## Web Content
* GroundControl (A collection of scripts that run on my web server).
* Sleepy-Puppy (Sleepy Puppy XSS Payload Management Framework).
* XSSHunter (The XSS Hunter service - a portable version of XSSHunter.com).
* TPLMap (Code and Server-Side Template Injection Detection and Exploitation Tool).
* PsychoPATH (Hunting file uploads & LFI in the dark).
* Commix (Automated All-in-One OS command injection and exploitation tool).

## Miscellaneous
* AutoSubTakeover (A tool used to check if a CNAME resolves to the scope address).
* HostileSubBruteforcer (This app will bruteforce for existing subdomains).
* Tko-Subs (A tool that can help detect and takeover subdomains with dead DNS records).
* SandCastle (Python script for AWS S3 bucket enumeration).
* GitRob (Reconnaissance tool for GitHub organizations).
* TruffleHog (Searches through git repositories for high entropy strings, digging deep into commit history).

## Plugins BurpSuite
* VulnersCom: https://github.com/vulnersCom/burp-vulners-scanner
* BackSlash-powered-scanner: https://github.com/PortSwigger/backslash-powered-scanner
* Header Checks: https://github.com/eonlight/BurpExtenderHeaderChecks
* psychoPATH: https://github.com/ewilded/psychopath
* HUNT Burp Suite Extension: https://github.com/bugcrowd/HUNT

## Credits
* GitHub Jhaddix https://github.com/jhaddix/tbhm
* Bug Bounty Forum https://bugbountyforum.com/tools/
* "The Bug Hunter Methodology V2 by @jhaddix" https://docs.google.com/presentation/d/1p8QiqbGndcEx1gm4_d3ne2fqeTqCTurTC77Lxe82zLY

--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Clone the tools listed in README.md into discovery/, web/ and misc/.

# Clone a repository into a target directory. Unlike a bare
# "git clone ... 2>/dev/null", this skips repositories that are already
# present (so the script can be re-run) and reports failures instead of
# silently hiding them.
clone() {
    if [ -d "$2/.git" ]; then
        printf "[=] %s already present, skipping\n\n" "$2"
    elif ! git clone --quiet "$1" "$2"; then
        printf "[-] Failed to clone %s\n\n" "$1"
    fi
}

printf "TOOLS OF 'THE BUG HUNTERS METHODOLOGY V2'\n\n"
printf "[*] DISCOVERY TOOLS\n\n"
mkdir -p discovery

printf "[+] Cloning Sublist3r\n"
printf "[!] Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT\n\n"
clone https://github.com/aboul3la/Sublist3r.git discovery/sublist3r

printf "[+] Cloning brutesubs\n"
printf "[!] An automation framework for running multiple open-source subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose\n\n"
clone https://github.com/anshumanbh/brutesubs.git discovery/brutesubs

printf "[+] Cloning cloudflare_enum\n"
printf "[!] Cloudflare DNS Enumeration Tool for Pentesters\n\n"
clone https://github.com/mandatoryprogrammer/cloudflare_enum discovery/cloudflare_enum

printf "[+] Cloning censys.py\n"
printf "[!] Quick and Dirty script to use the Censys API to query subdomains of a target domain\n\n"
clone https://gist.github.com/anshumanbh/96a0b81dfe318e9e956013209e178fa9 discovery/censys

printf "[+] Cloning massdns\n"
printf "[!] A high-performance DNS stub resolver\n\n"
clone https://github.com/blechschmidt/massdns discovery/massdns

printf "[+] Downloading list subdomains\n"
printf "[!] A list with a lot of subs\n\n"
clone https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 discovery/list_subs

printf "[+] Cloning EyeWitness\n"
printf "[!] EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible\n\n"
clone https://github.com/ChrisTruncer/EyeWitness discovery/eyewitness

printf "[+] Cloning GoBuster\n"
printf "[!] Directory/file & DNS busting tool written in Go\n\n"
clone https://github.com/OJ/gobuster discovery/gobuster

printf "[+] Cloning RobotsDisallowed\n"
printf "[!] The RobotsDisallowed project is a harvest of the Disallowed directories from the robots.txt\n\n"
clone https://github.com/danielmiessler/RobotsDisallowed discovery/robotsdisallowed

printf "[+] Cloning Parameth\n"
printf "[!] This tool can be used to brute-force discover GET and POST parameters\n\n"
clone https://github.com/maK-/parameth discovery/parameth

printf "[*] WEB CONTENT\n\n"
mkdir -p web

printf "[+] Cloning Ground-Control\n"
printf "[!] A collection of scripts that run on my web server\n\n"
clone https://github.com/jobertabma/ground-control web/ground_control

printf "[+] Cloning Sleepy-Puppy\n"
printf "[!] Sleepy Puppy XSS Payload Management Framework\n\n"
clone https://github.com/Netflix/sleepy-puppy web/sleepy_puppy

printf "[+] Cloning XSSHunter\n"
printf "[!] The XSS Hunter service - a portable version of XSSHunter.com\n\n"
clone https://github.com/mandatoryprogrammer/xsshunter web/xsshunter

printf "[+] Cloning tplmap\n"
printf "[!] Code and Server-Side Template Injection Detection and Exploitation Tool\n\n"
clone https://github.com/epinna/tplmap web/tplmap

printf "[+] Cloning psychoPATH\n"
printf "[!] Hunting file uploads & LFI in the dark\n\n"
clone https://github.com/ewilded/psychopath web/psychopath

printf "[+] SSRF Common Parameters\n"
printf "[!] Common Parameters for Injection\n\n"
# Write the parameter-name wordlist, one name per line.
printf "file=\nlocation=\nlocale=\npath=\ndisplay=\nload=\nread=\nretrieve=\nfolder=\nstyle=\ntemplate=\ndoc=\nsource=\npdf=\ndest=\ncontinue=\nurl=\n" > web/ssrf_parameters.txt

printf "[+] Cloning Commix\n"
printf "[!] Automated All-in-One OS command injection and exploitation tool\n\n"
clone https://github.com/commixproject/commix web/commix

printf "[*] MISCELLANEOUS\n\n"
mkdir -p misc

printf "[+] Cloning autoSubTakeover\n"
printf "[!] A tool used to check if a CNAME resolves to the scope address\n\n"
clone https://github.com/JordyZomer/autoSubTakeover misc/autosubtakeover

printf "[+] Cloning HostileSubBruteforcer\n"
printf "[!] This app will bruteforce for existing subdomains\n\n"
clone https://github.com/nahamsec/HostileSubBruteforcer misc/hostilesubbruteforcer

printf "[+] Cloning tko-subs\n"
printf "[!] A tool that can help detect and takeover subdomains with dead DNS records\n\n"
clone https://github.com/anshumanbh/tko-subs misc/tko-subs

printf "[+] Cloning SandCastle\n"
printf "[!] Python script for AWS S3 bucket enumeration\n\n"
clone https://github.com/yasinS/sandcastle misc/sandcastle_aws

printf "[+] Cloning gitrob\n"
printf "[!] Reconnaissance tool for GitHub organizations\n\n"
clone https://github.com/michenriksen/gitrob misc/gitrob

printf "[+] Cloning truffleHog\n"
printf "[!] Searches through git repositories for high entropy strings, digging deep into commit history\n\n"
clone https://github.com/dxa4481/truffleHog misc/trufflehog

# Burp Suite extensions are installed through Burp's Extender, so only their URLs are listed.
printf "[*] Plugins for Burp Suite\n"
printf "[+] VulnersCom: https://github.com/vulnersCom/burp-vulners-scanner\n"
printf "[+] BackSlash-powered-scanner: https://github.com/PortSwigger/backslash-powered-scanner\n"
printf "[+] Header Checks: https://github.com/eonlight/BurpExtenderHeaderChecks\n"
printf "[+] psychoPATH: https://github.com/ewilded/psychopath\n"
printf "[+] HUNT Burp Suite Extension: https://github.com/bugcrowd/HUNT\n"
--------------------------------------------------------------------------------