Hello everyone, hope you're doing great. Since last month I have been facing an issue with my YouTube account, so that's why I am writing this post for total beginners who are really curious about bug hunting.
As everyone knows, bug hunting is a very popular topic nowadays, and there is only one reason for it: "BOUNTY". Everyone loves paisa. As of now I personally don't care much about bug hunting (not that I don't want the money; I have some other stuff to do, so I ignored it). But in the past few days I started to dig into it, and the common sense of hacking is: "if you know the target better, you can hunt for its weaknesses more easily".
First pick a target, no matter whether you get it from Bugcrowd, HackerOne or some vulnerability disclosure program. After selecting a target you need to stick with it for at least 10-15 days if you are really looking for some good bugs. Check the scope: if it includes *.example.com (you can see this in the scope of most programs on Bugcrowd as well as HackerOne), that means all of its subdomains are included.
Included subdomains mean a huge scope, and obviously that increases the chances of finding vulnerabilities. The first simple step is subdomain enumeration.
What is subdomain enumeration? Subdomain enumeration is collecting the subdomains of the main domain.
For subdomain enumeration there is lots of stuff available: Google dorks, websites that provide subdomain lookup services (free or paid), as well as different tools like Sublist3r, amass, subbrute, knockpy, etc. I am going to use amass.
To install amass run the command "apt install amass"; you can also check out its documentation: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md
$ amass enum -d example.com -o subdomain.txt
The above command creates a subdomain.txt file containing the discovered subdomains. Now the question is what to do next, and the answer is very simple: we can use a tool that takes a screenshot of every subdomain in the list. For screenshots people use tools like EyeWitness or webscreenshot, but I recently found a very cool alternative to both of these, named ScreenShooter.
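Before handing subdomain.txt to a screenshot tool it is worth checking every host against the program's scope, since a wildcard like *.example.com usually comes with explicit exclusions. This is an added example, not code from the original post or from amass: the scope lists and the sample amass output are constructed, and it assumes a wildcard entry covers the apex domain as well as its subdomains.

```python
"""Filter an amass subdomain list against a bug bounty program's scope.

Assumption (constructed for this example): "*.example.com" covers example.com
itself and every subdomain; explicit out-of-scope entries win over in-scope ones.
"""

# Constructed scope lists in the style of a Bugcrowd/HackerOne scope table.
SCOPE_IN = ["*.example.com", "api.example.net"]
SCOPE_OUT = ["staging.example.com", "*.internal.example.com"]


def _matches(host, pattern):
    """True if host matches one scope entry (exact host or "*." wildcard)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        # Require a real label boundary so evil-example.com never matches.
        return host == base or host.endswith("." + base)
    return host == pattern


def in_scope(host, scope_in=SCOPE_IN, scope_out=SCOPE_OUT):
    """Out-of-scope entries are checked first so exclusions always win."""
    if any(_matches(host, p) for p in scope_out):
        return False
    return any(_matches(host, p) for p in scope_in)


def filter_subdomains(lines, scope_in=SCOPE_IN, scope_out=SCOPE_OUT):
    """Split raw lines from `amass enum -o` into (kept, dropped) sorted, deduplicated hosts."""
    kept, dropped = set(), set()
    for line in lines:
        host = line.strip().lower()
        if not host or host.startswith("#"):
            continue
        (kept if in_scope(host, scope_in, scope_out) else dropped).add(host)
    return sorted(kept), sorted(dropped)


# Constructed sample of what subdomain.txt might contain; not real amass output.
SAMPLE_AMASS_OUTPUT = """\
www.example.com
api.example.com
staging.example.com
dev.internal.example.com
cdn.example.org
api.example.net
example.com
"""

if __name__ == "__main__":
    kept, dropped = filter_subdomains(SAMPLE_AMASS_OUTPUT.splitlines())
    print("in scope:", kept)
    print("dropped:", dropped)
```

Feed the kept list to the screenshot step; the dropped list is what you should not touch.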
Download ScreenShooter from GitHub and make sure you install all of its requirements: https://github.com/si9int/ScreenShooter
$ apt install python3-pip
$ pip3 install selenium
$ apt install chromium
$ git clone https://github.com/si9int/ScreenShooter.git
$ cd ScreenShooter
$ python3 exe.py -s subdomain.txt
Now you can simply go through each screenshot, but don't stop here: try reverse WHOIS, IP history and many more things. Here I suggest you go and check directory fuzzing; for that you can use wfuzz, gobuster or dirsearch.
Download dirsearch from GitHub and try it on each and every subdomain: https://github.com/maurosoria/dirsearch
$ git clone https://github.com/maurosoria/dirsearch.git
$ cd dirsearch
$ python3 dirsearch.py -u example.com -e '*'
It may help you find some sensitive data. You can also go with Nmap and run a port scan to check whether interesting services (like Elasticsearch on port 9200) are running on it or not.
That's all for today, I hope you really enjoyed the stuff. If you want me to add something to this post please let me know, and I will also make sure to update it from time to time. 😀