├── LICENSE
├── README.md
├── Recon.sh
└── bug_bounty_script.sh


/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 Shubham Rooter - Shubham Tiwari

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Bug Bounty Script

Bug Bounty Script is a powerful and versatile Bash script designed to automate security testing tasks for bug bounty hunting. This script streamlines the process of reconnaissance, port scanning, vulnerability scanning, and more, helping security researchers and bug bounty hunters efficiently identify potential security vulnerabilities in target domains.

## Prerequisites

Before running the script, ensure that you have the following tools installed on your system:

- Nmap
- Dirb
- DNSenum
- Whois
- WhatWeb
- Wappalyzer
- Nikto
- Sublist3r
- Xsser
- SQLMap
- Nuclei
- Amass

Refer to the respective tool documentation for installation instructions.

## Features

- Automates various security testing tasks, including DNS enumeration, whois lookup, HTTP fingerprinting, and technology stack detection.
- Performs comprehensive port scanning using Nmap to identify open ports and gather information about the target system.
- Conducts thorough web server scanning with Nikto, uncovering potential vulnerabilities in the target's web applications.
- Scans for subdomains using Sublist3r, enabling the discovery of additional attack vectors.
- Performs directory enumeration with Dirb to identify hidden directories and files on the target's web server.
- Checks for XSS vulnerabilities using Xsser, a powerful cross-site scripting (XSS) scanner.
- Detects SQL injection vulnerabilities using SQLMap, a popular tool for automated SQL injection detection and exploitation.
- Conducts vulnerability scanning with Nuclei, a highly extensible and fast scanner for detecting potential vulnerabilities.
- Performs automated reconnaissance with Amass, a versatile and comprehensive tool for discovering subdomains, domain names, and associated IP addresses.

## Options

- `-h` or `--help`: Display the usage instructions.
- `-l` or `--list`: Specify a file containing target domain(s) to scan.
- `-d` or `--domain`: Specify a single target domain to scan.
- `-o` or `--output`: Specify the output directory path.
- `-nt` or `--nmap-threads`: Specify the number of threads for Nmap (default: 100).
- `-dt` or `--dirb-threads`: Specify the number of threads for Dirb (default: 10).

## Usage

Clone the repository and make the script executable:

```shell
git clone https://github.com/your-username/bug-bounty-script.git
cd bug-bounty-script
chmod +x bug_bounty_script.sh
```

To scan multiple target domains listed in a file:
```shell
./bug_bounty_script.sh -l domains.txt
```
To scan a single target domain and specify the output directory:
```shell
./bug_bounty_script.sh -d example.com -o output_directory
```
To adjust the number of threads for Nmap and Dirb:
```shell
./bug_bounty_script.sh -d example.com -nt 50 -dt 5
```

## Contribution

Contributions are welcome! If you have any suggestions, bug reports, or feature requests, please open an issue or submit a pull request.

## Maintainers

This repo is maintained by:

- [Shubham Rooter](https://github.com/shubham-rooter)

### Author

**Shubham Rooter**

* [Github](https://www.github.com/shubham-rooter)
* [Twitter](https://www.twitter.com/shubhamtiwari_r)
* [Instagram](https://www.instagram.com/shubham_rooter)
* [LinkedIn](https://www.linkedin.com/in/shubham-tiwari09/)

### License

Copyright © 2023, [Shubham Rooter](https://github.com/Shubham-Rooter).
Released under the [MIT License](LICENSE).

***Thank you.***
***Happy Hunting..***

--------------------------------------------------------------------------------
/Recon.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Set the target URL
url="https://example.com"

# Bare hostname, for the tools that take a domain rather than a URL
domain="${url#*://}"

# Set the output file
output_file="recon_results.txt"

# Perform subdomain enumeration
# (results are joined with newlines so entries from different tools do not run together)
echo "Performing subdomain enumeration..."
subdomains=$(subfinder -d "$domain")
subdomains+=$'\n'$(sublist3r -d "$domain")
subdomains+=$'\n'$(massdns -d "$domain")
printf '%s\n' "$subdomains" >> "$output_file"

# Perform directory and file discovery
# (the extension wildcard is quoted so the shell does not expand it to local file names)
echo "Performing directory and file discovery..."
dirsearch -u "$url" -e '*' >> "$output_file"

# Check for open ports and running services
echo "Performing port scan..."
nmap -sC -sV "$domain" >> "$output_file"

# Check for known vulnerabilities
echo "Checking for known vulnerabilities..."
vulners -s "$url" >> "$output_file"

# Retrieve JavaScript files
echo "Retrieving JavaScript files..."
GetJS -u "$url" >> "$output_file"

# Find links
echo "Finding links..."
GoLinkFinder -u "$url" >> "$output_file"

# Get all URLs
echo "Retrieving all URLs..."
getallurls -u "$url" >> "$output_file"

# Check for URLs in Wayback Machine
echo "Checking for URLs in Wayback Machine..."
WayBackUrls -u "$url" >> "$output_file"

# Check for robots.txt in Wayback Machine
echo "Checking for robots.txt in Wayback Machine..."
WayBackRobots -u "$url" >> "$output_file"

# Check for Forced Browsing vulnerabilities
echo "Checking for Forced Browsing vulnerabilities..."
FFuF -u "$url" >> "$output_file"

# Check for XSS vulnerabilities
echo "Checking for XSS vulnerabilities..."
XSSHunter -u "$url" >> "$output_file"

# Check for SQL injection vulnerabilities
echo "Checking for SQL injection vulnerabilities..."
sqlmap -u "$url" >> "$output_file"

# Check for XXE vulnerabilities
echo "Checking for XXE vulnerabilities..."
XXEInjector -u "$url" >> "$output_file"

# Check for SSRF vulnerabilities
echo "Checking for SSRF vulnerabilities..."
SSRFDetector -u "$url" >> "$output_file"

# Check for secrets in Git repository
echo "Checking for secrets in Git repository..."
GitTools -u "$url" >> "$output_file"
gitallsecrets -u "$url" >> "$output_file"

# Check for race condition vulnerabilities
echo "Checking for race condition vulnerabilities..."
RaceTheWeb -u "$url" >> "$output_file"

# Check for CORS misconfigurations
echo "Checking for CORS misconfigurations..."
CORStest -u "$url" >> "$output_file"

# Take screenshots
echo "Taking screenshots..."
EyeWitness -u "$url" >> "$output_file"

# Check for parameter tampering vulnerabilities
echo "Checking for parameter tampering vulnerabilities..."
parameth -u "$url" >> "$output_file"

echo "Recon complete!"

--------------------------------------------------------------------------------
/bug_bounty_script.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Bug Bounty Script

# Configuration
target_urls=()
output_directory="."   # default to the current directory so output paths never resolve under /
nmap_threads=100
dirb_threads=10

# Colors for formatting
GREEN='\033[0;32m'
CYAN='\033[0;36m'
RED='\033[0;31m'
NC='\033[0m' # No Color

# Display banner
display_banner() {
    echo -e "${CYAN}"
    echo -e "██████╗░██╗░░░██╗░██████╗░  ██████╗░░█████╗░██╗░░░██╗███╗░░██╗████████╗██╗░░░██╗"
    echo -e "██╔══██╗██║░░░██║██╔════╝░  ██╔══██╗██╔══██╗██║░░░██║████╗░██║╚══██╔══╝╚██╗░██╔╝"
    echo -e "██████╦╝██║░░░██║██║░░██╗░  ██████╦╝██║░░██║██║░░░██║██╔██╗██║░░░██║░░░░╚████╔╝░"
    echo -e "██╔══██╗██║░░░██║██║░░╚██╗  ██╔══██╗██║░░██║██║░░░██║██║╚████║░░░██║░░░░░╚██╔╝░░"
    echo -e "██████╦╝╚██████╔╝╚██████╔╝  ██████╦╝╚█████╔╝╚██████╔╝██║░╚███║░░░██║░░░░░░██║░░░"
    echo -e "╚═════╝░░╚═════╝░░╚═════╝░  ╚═════╝░░╚════╝░░╚═════╝░╚═╝░░╚══╝░░░╚═╝░░░░░░╚═╝░░░"

    echo -e "${NC}"
}

# Function to display usage instructions
display_help() {
    echo -e "Bug Bounty Script By Shubham Tiwari"
    echo -e "Usage: ./bug_bounty_script.sh [OPTIONS]"
    echo -e "Options:"
    echo -e " -h, --help\t\tDisplay usage instructions"
    echo -e " -l, --list\t\tSpecify a file containing target domain(s)"
    echo -e " -d, --domain\t\tSpecify a single target domain"
    echo -e " -o, --output\t\tSpecify the output directory path"
    echo -e " -nt, --nmap-threads\tSpecify the number of threads for Nmap (default: 100)"
    echo -e " -dt, --dirb-threads\tSpecify the number of threads for Dirb (default: 10)"
    echo
    echo -e "Social Media:"
    echo -e " Twitter: https://twitter.com/shubhamtiwari_r"
    echo -e " LinkedIn: https://www.linkedin.com/in/shubham-tiwari09"
    echo -e " GitHub: https://github.com/shubham-rooter"
}

# Parse command line arguments
while [[ $# -gt 0 ]]; do
    case "$1" in
        -h|--help)
            display_help
            exit 0
            ;;
        -l|--list)
            if [[ -n "$2" ]]; then
                # Fail early with a clear message if the list cannot be read
                if [[ ! -r "$2" ]]; then
                    echo -e "${RED}Error: Cannot read file: $2${NC}"
                    exit 1
                fi
                while IFS= read -r domain || [[ -n "$domain" ]]; do
                    # Skip blank lines so no tool is run with an empty target
                    [[ -n "$domain" ]] && target_urls+=("$domain")
                done < "$2"
                shift 2
            else
                echo -e "${RED}Error: File not specified.${NC}"
                exit 1
            fi
            ;;
        -d|--domain)
            if [[ -n "$2" ]]; then
                target_urls+=("$2")
                shift 2
            else
                echo -e "${RED}Error: Domain not specified.${NC}"
                exit 1
            fi
            ;;
        -o|--output)
            if [[ -n "$2" ]]; then
                output_directory="$2"
                shift 2
            else
                echo -e "${RED}Error: Output directory not specified.${NC}"
                exit 1
            fi
            ;;
        -nt|--nmap-threads)
            if [[ -n "$2" ]]; then
                nmap_threads="$2"
                shift 2
            else
                echo -e "${RED}Error: Number of threads for Nmap not specified.${NC}"
                exit 1
            fi
            ;;
        -dt|--dirb-threads)
            if [[ -n "$2" ]]; then
                dirb_threads="$2"
                shift 2
            else
                echo -e "${RED}Error: Number of threads for Dirb not specified.${NC}"
                exit 1
            fi
            ;;
        *)
            echo -e "${RED}Error: Invalid option: $1${NC}"
            exit 1
            ;;
    esac
done

# Nothing to do without at least one target
if [[ ${#target_urls[@]} -eq 0 ]]; then
    echo -e "${RED}Error: No target specified.${NC}"
    display_help
    exit 1
fi

# Make sure the output directory exists before any tool writes to it
mkdir -p "$output_directory" || exit 1

# Display banner
display_banner

# Perform bug bounty scanning for each target URL
# (every expansion is quoted so a target is always passed as a single argument)
for target_url in "${target_urls[@]}"; do
    # Additional reconnaissance tools
    echo -e "${GREEN}Running additional reconnaissance tools${NC}"

    # Perform DNS enumeration with DNSenum
    echo -e "${GREEN}Performing DNS enumeration with DNSenum${NC}"
    dnsenum "$target_url"

    # Perform whois lookup with Whois
    echo -e "${GREEN}Performing whois lookup with Whois${NC}"
    whois "$target_url"

    # Perform HTTP fingerprinting with WhatWeb
    echo -e "${GREEN}Performing HTTP fingerprinting with WhatWeb${NC}"
    whatweb "$target_url"

    # Perform technology stack detection with Wappalyzer
    echo -e "${GREEN}Performing technology stack detection with Wappalyzer${NC}"
    wappalyzer "$target_url"

    echo -e "${GREEN}Scanning target: $target_url${NC}"
    nmap -p 80,443 -T4 -A -Pn --max-parallelism "$nmap_threads" "$target_url"

    echo -e "${GREEN}Checking for open ports${NC}"
    nmap -p- -T4 -Pn --max-parallelism "$nmap_threads" "$target_url"

    echo -e "${GREEN}Running Nikto web server scanner${NC}"
    nikto -h "$target_url"

    echo -e "${GREEN}Scanning for subdomains using Sublist3r${NC}"
    sublist3r -d "$target_url" -o "$output_directory/$target_url-subdomains.txt"

    echo -e "${GREEN}Performing directory enumeration with Dirb${NC}"
    dirb "http://$target_url" -r -o "$output_directory/$target_url-dirb.txt" -t "$dirb_threads"

    echo -e "${GREEN}Scanning for XSS vulnerabilities with Xsser${NC}"
    xsser -u "$target_url"

    echo -e "${GREEN}Checking for SQL injection with SQLMap${NC}"
    sqlmap -u "$target_url" --batch

    echo -e "${GREEN}Running Nuclei for vulnerability scanning${NC}"
    nuclei -l "$output_directory/$target_url-subdomains.txt" -t vulnerabilities/ -o "$output_directory/$target_url-nuclei.txt"

    echo -e "${GREEN}Performing automated reconnaissance with Amass${NC}"
    amass enum -d "$target_url" -o "$output_directory/$target_url-amass.txt"

    echo -e "${GREEN}Completed bug bounty scan for $target_url${NC}"
    echo
done

--------------------------------------------------------------------------------
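
Added example, not part of the repository: `bug_bounty_script.sh` passes every `-d` value and every line of the `-l` file to each scanner and into output file names, so an entry that is not a plain hostname can be parsed as an option or send scans outside the authorised scope. The helpers `is_valid_domain`, `in_scope` and `filter_targets`, the scope `example.com` and the sample list are hypothetical and show one way to vet targets before the scan loop runs.

```bash
#!/bin/bash
# Added example: vet targets before any scanner sees them.
# Function names and sample data are hypothetical, not from the repository.

# Accept only plain DNS hostnames (at least two labels, no scheme, path,
# whitespace or leading "-"), so a target can never be parsed as an option.
is_valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    case "$1" in *[!A-Za-z0-9.-]*) return 1 ;; esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$'
}

# in_scope TARGET SCOPE...: true if TARGET equals a scope domain or is a
# subdomain of one ("evilexample.com" does not match scope "example.com").
in_scope() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    for s in "$@"; do
        s=$(printf '%s' "$s" | tr 'A-Z' 'a-z')
        case "$d" in "$s" | *."$s") return 0 ;; esac
    done
    return 1
}

# filter_targets SCOPE...: read candidate targets on stdin, print the ones
# that pass both checks on stdout and report the rest on stderr.
filter_targets() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF lists
        case "$line" in '' | '#'*) continue ;; esac
        if ! is_valid_domain "$line"; then
            printf 'rejected (not a hostname): %s\n' "$line" >&2
        elif ! in_scope "$line" "$@"; then
            printf 'rejected (out of scope): %s\n' "$line" >&2
        else
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample list; the scope "example.com" is an assumption.
sample_targets='app.example.com
-v example.com
https://example.com/login
evilexample.com
EXAMPLE.com'

accepted=$(printf '%s\n' "$sample_targets" | filter_targets example.com 2>/dev/null)
printf 'accepted targets:\n%s\n' "$accepted"
```

In the script, the `-l` and `-d` branches would append to `target_urls` only the entries that `filter_targets` prints.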