├── README.md
└── Tests
    └── tests.py


/README.md:
--------------------------------------------------------------------------------

# Awesome Bughunting Oneliners

### A list of bughunting one-liners

## Content Discovery/Recon

### 1. Using dns.bufferover.run

```
curl -s "https://dns.bufferover.run/dns?q=.example.com" | jq -r '.FDNS_A[]' | cut -d',' -f2 | sort -u
```

### 2. Using Crt.sh

```
curl -s "https://dns.bufferover.run/dns?q=.hackerone.com" | jq -r '.FDNS_A[]' | cut -d',' -f2 | sort -u
```

### 3. Using Certspotter

```
curl "https://certspotter.com/api/v0/certs?domain=example.com" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u
```

### 4. Using Certspotter (with port scanning)

```
curl "https://certspotter.com/api/v0/certs?domain=example.com" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | dig +short -f - | sort -u | nmap -T5 -Pn -sS -iL - -p 80,443,21,22,8080,8081,8443 --open -n -oG -
```

### 5. Sublist3r One-Liner

```
cat domains | xargs -I{} python sublist3r.py -d {} -o {}.txt
```

### 6. Grab Titles of Webpages

```
for i in $(cat Webservers.txt); do echo "$i | $(curl --connect-timeout 0.5 "$i" -so - | grep -iPo '(?<=<title>)(.*)(?=</title>)')"; done
```

### 7. Enumerate Hosts from SSL Certificate

```
echo | openssl s_client -connect targetdomain.com:443 2>/dev/null | openssl x509 -noout -text | grep DNS
```

### 8. Google DNS via HTTPS

```
echo "targetdomain.com" | xargs -I domain proxychains curl -s "https://dns.google.com/resolve?name=domain&type=A" | jq .
```

### 9. CommonCrawl to Find Endpoints on a Site

```
echo "targetdomain.com" | xargs -I domain curl -s "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.domain&output=json" | jq -r '.url' | sort -u
```

### 10. Using WebArchive

```
curl -s "http://web.archive.org/cdx/search/cdx?url=*.hackerone.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" -e 's/:.*//' -e 's/^www\.//' | sort -u
```

### 11. Using ThreatCrowd

```
curl "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=hackerone.com" | jq .subdomains | grep -o '\w.*hackerone.com'
```

### 12. Using Hackertarget

```
curl "https://api.hackertarget.com/hostsearch/?q=hackerone.com" | grep -o '\w.*hackerone.com'
```

### 13. Bruteforce Subdomains

```
while read -r sub; do if host "$sub.example.com" &> /dev/null; then echo "$sub.example.com"; fi; done < wordslist.txt
```

### 14. Assetfinder

```
assetfinder http://hackerone.com > recon.txt; for d in $(