![[The AI Show Episode 146]: Rise of “AI-First” Companies, AI Job Disruption, GPT-4o Update Gets Rolled Back, How Big Consulting Firms Use AI, and Meta AI App](https://www.marketingaiinstitute.com/hubfs/ep%20146%20cover.png)
![[FREE EBOOKS] Modern Generative AI with ChatGPT and OpenAI Models, Offensive Security Using Python & Four More Best Selling Titles](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![How to make Developer Friends When You Don't Live in Silicon Valley, with Iraqi Engineer Code;Life [Podcast #172]](https://cdn.hashnode.com/res/hashnode/image/upload/v1747360508340/f07040cd-3eeb-443c-b4fb-370f6a4a14da.png?#)
![[Virtual Event] Strategic Security for the Modern Enterprise](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt55e4e7e277520090/653a745a0e92cc040a3e9d7e/Dark_Reading_Logo_VirtualEvent_4C.png?width=1280&auto=webp&quality=80&disable=upscale#){kind=logo}
-xl-(1)-xl-xl.jpg)
![iPhone 17 Air Could Get a Boost From TDK's New Silicon Battery Tech [Report]](https://www.iclarified.com/images/news/97344/97344/97344-640.jpg)
![Vision Pro Owners Say They Regret $3,500 Purchase [WSJ]](https://www.iclarified.com/images/news/97347/97347/97347-640.jpg)
![Apple Showcases 'Magnifier on Mac' and 'Music Haptics' Accessibility Features [Video]](https://www.iclarified.com/images/news/97343/97343/97343-640.jpg)
![Sony WH-1000XM6 Unveiled With Smarter Noise Canceling and Studio-Tuned Sound [Video]](https://www.iclarified.com/images/news/97341/97341/97341-640.jpg)
A Comprehensive Guide to Bug Hunting
This guide provides a structured, step-by-step approach to bug hunting, focusing on reconnaissance, subdomain enumeration, live domain filtering, vulnerability scanning, and JavaScript analysis. It incorporates essential tools like SecretFinder, Katana, GetJS, Nuclei, Mantra, Subjs, Grep, and Anew to enhance efficiency and coverage. 1. Initial Reconnaissance Gather information about the target to identify IP blocks, ASNs, DNS records, and associated domains. Tools and Techniques: ARIN WHOIS: Lookup IP blocks and ownership details. BGP.HE: Retrieve IP blocks, ASNs, and routing information. ViewDNS.info: Check DNS history and reverse IP lookups. MXToolbox: Analyze MX records and DNS configurations. Whoxy: Perform WHOIS lookups for domain ownership. Who.is: Retrieve domain registration details. Whois.domaintools: Advanced WHOIS and historical data. IPAddressGuide: Convert CIDR to IP ranges. NSLookup: Identify nameservers. BuiltWith: Discover technologies used on the target website. Amass: Perform comprehensive information gathering (subdomains, IPs, etc.). Shodan: Search for exposed devices and services. Censys.io: Identify hosts and certificates. Hunter.how: Find email addresses and domain-related data. ZoomEye: Search for open ports and services. Steps: Identify the target domain and associated IP ranges. Collect WHOIS data for ownership and registration details. Map out nameservers and DNS records. Use Amass to enumerate initial subdomains and IPs. Leverage Shodan, Censys, and ZoomEye to find exposed services. 2. Subdomain Enumeration Subdomains often expose vulnerabilities. The goal is to discover as many subdomains as possible, including sub-subdomains, and filter live ones. Tools and Techniques: Subfinder: Fast subdomain enumeration. Amass: Advanced subdomain discovery. Crt.sh: Extract subdomains from certificate transparency logs. Sublist3r: Enumerate subdomains using multiple sources. FFUF: Brute-force subdomains. Chaos: Discover subdomains via ProjectDiscovery’s dataset. OneForAll: Comprehensive subdomain enumeration. ShuffleDNS: High-speed subdomain brute-forcing (VPS recommended). Katana: Crawl websites to extract subdomains and endpoints. VirusTotal: Find subdomains via passive DNS. Netcraft: Search DNS records for subdomains. Anew: Remove duplicate entries from subdomain lists. Httpx: Filter live subdomains. EyeWitness: Take screenshots of live subdomains for visual analysis. Steps: Run Subfinder, Amass, Sublist3r, and OneForAll to collect subdomains. Query Crt.sh and Chaos for additional subdomains. Use FFUF and ShuffleDNS for brute-forcing (on a VPS for speed). Crawl the target with Katana to extract subdomains from dynamic content. Combine results into a single file and use Anew to remove duplicates: cat subdomains.txt | anew > unique_subdomains.txt Filter live subdomains with Httpx: cat unique_subdomains.txt | httpx -silent > live_subdomains.txt Use EyeWitness to capture screenshots of live subdomains for manual review. 3. Subdomain Takeover Checks Identify subdomains pointing to unclaimed services (e.g., AWS S3, Azure) that can be taken over. Tools: Subzy: Check for subdomain takeover vulnerabilities. Subjack: Detect takeover opportunities (may be preinstalled in Kali). Steps: Run Subzy on the list of subdomains: subzy run --targets live_subdomains.txt Use Subjack for additional checks: subjack -w live_subdomains.txt -a Manually verify any flagged subdomains to confirm vulnerabilities. 4. Directory and File Bruteforcing Search for sensitive files and directories that may expose vulnerabilities. Tools: FFUF: High-speed directory brute-forcing. Dirsearch: Discover hidden directories and files. Katana: Crawl for endpoints and files. Steps: Use FFUF to brute-force directories on live subdomains: ffuf -w wordlist.txt -u https://subdomain.target.com/FUZZ Run Dirsearch for deeper enumeration: dirsearch -u https://subdomain.target.com -e * Crawl with Katana to identify additional endpoints: katana -u https://subdomain.target.com -o endpoints.txt 5. JavaScript Analysis Analyze JavaScript files for sensitive information like API keys, credentials, or hidden endpoints. Tools: GetJS: Extract JavaScript file URLs from a target. Subjs: Identify JavaScript files across subdomains. Katana: Crawl for JavaScript files and endpoints. SecretFinder: Search JavaScript files for secrets (API keys, tokens, etc.). Mantra: Analyze JavaScript for vulnerabilities and misconfigurations. Grep: Filter specific patterns in JavaScript files. Steps: Use Subjs and GetJS to collect JavaScript file URLs: cat live_subdomains.txt | subjs > js_files.txt getjs --url https://subdomain.target.com >> js_files.txt Crawl with Katana to find additional JavaScript files: katana -u https://subdomain.target.com -o js_endpoints.txt Download JavaScript files for analysis: wget -i js_files.txt -P js_files/ Run SecretFinder to identify sensitive
This guide provides a structured, step-by-step approach to bug hunting, focusing on reconnaissance, subdomain enumeration, live domain filtering, vulnerability scanning, and JavaScript analysis.
It incorporates essential tools like SecretFinder, Katana, GetJS, Nuclei, Mantra, Subjs, Grep, and Anew to enhance efficiency and coverage.
1. Initial Reconnaissance
Gather information about the target to identify IP blocks, ASNs, DNS records, and associated domains.
Tools and Techniques:
- ARIN WHOIS: Lookup IP blocks and ownership details.
- BGP.HE: Retrieve IP blocks, ASNs, and routing information.
- ViewDNS.info: Check DNS history and reverse IP lookups.
- MXToolbox: Analyze MX records and DNS configurations.
- Whoxy: Perform WHOIS lookups for domain ownership.
- Who.is: Retrieve domain registration details.
- Whois.domaintools: Advanced WHOIS and historical data.
- IPAddressGuide: Convert CIDR to IP ranges.
- NSLookup: Identify nameservers.
- BuiltWith: Discover technologies used on the target website.
- Amass: Perform comprehensive information gathering (subdomains, IPs, etc.).
- Shodan: Search for exposed devices and services.
- Censys.io: Identify hosts and certificates.
- Hunter.how: Find email addresses and domain-related data.
- ZoomEye: Search for open ports and services.
Steps:
- Identify the target domain and associated IP ranges.
- Collect WHOIS data for ownership and registration details.
- Map out nameservers and DNS records.
- Use Amass to enumerate initial subdomains and IPs.
- Leverage Shodan, Censys, and ZoomEye to find exposed services.
2. Subdomain Enumeration
Subdomains often expose vulnerabilities. The goal is to discover as many subdomains as possible, including sub-subdomains, and filter live ones.
Tools and Techniques:
- Subfinder: Fast subdomain enumeration.
- Amass: Advanced subdomain discovery.
- Crt.sh: Extract subdomains from certificate transparency logs.
- Sublist3r: Enumerate subdomains using multiple sources.
- FFUF: Brute-force subdomains.
- Chaos: Discover subdomains via ProjectDiscovery’s dataset.
- OneForAll: Comprehensive subdomain enumeration.
- ShuffleDNS: High-speed subdomain brute-forcing (VPS recommended).
- Katana: Crawl websites to extract subdomains and endpoints.
- VirusTotal: Find subdomains via passive DNS.
- Netcraft: Search DNS records for subdomains.
- Anew: Remove duplicate entries from subdomain lists.
- Httpx: Filter live subdomains.
- EyeWitness: Take screenshots of live subdomains for visual analysis.
Steps:
- Run Subfinder, Amass, Sublist3r, and OneForAll to collect subdomains.
- Query Crt.sh and Chaos for additional subdomains.
- Use FFUF and ShuffleDNS for brute-forcing (on a VPS for speed).
- Crawl the target with Katana to extract subdomains from dynamic content.
- Combine results into a single file and use Anew to remove duplicates: cat subdomains.txt | anew > unique_subdomains.txt
- Filter live subdomains with Httpx: cat unique_subdomains.txt | httpx -silent > live_subdomains.txt
- Use EyeWitness to capture screenshots of live subdomains for manual review.
3. Subdomain Takeover Checks
Identify subdomains pointing to unclaimed services (e.g., AWS S3, Azure) that can be taken over.
Tools:
- Subzy: Check for subdomain takeover vulnerabilities.
- Subjack: Detect takeover opportunities (may be preinstalled in Kali).
Steps:
- Run Subzy on the list of subdomains: subzy run --targets live_subdomains.txt
- Use Subjack for additional checks: subjack -w live_subdomains.txt -a
- Manually verify any flagged subdomains to confirm vulnerabilities.
4. Directory and File Bruteforcing
Search for sensitive files and directories that may expose vulnerabilities.
Tools:
- FFUF: High-speed directory brute-forcing.
- Dirsearch: Discover hidden directories and files.
- Katana: Crawl for endpoints and files.
Steps:
- Use FFUF to brute-force directories on live subdomains: ffuf -w wordlist.txt -u https://subdomain.target.com/FUZZ
- Run Dirsearch for deeper enumeration: dirsearch -u https://subdomain.target.com -e *
- Crawl with Katana to identify additional endpoints: katana -u https://subdomain.target.com -o endpoints.txt
5. JavaScript Analysis
Analyze JavaScript files for sensitive information like API keys, credentials, or hidden endpoints.
Tools:
- GetJS: Extract JavaScript file URLs from a target.
- Subjs: Identify JavaScript files across subdomains.
- Katana: Crawl for JavaScript files and endpoints.
- SecretFinder: Search JavaScript files for secrets (API keys, tokens, etc.).
- Mantra: Analyze JavaScript for vulnerabilities and misconfigurations.
- Grep: Filter specific patterns in JavaScript files.
Steps:
- Use Subjs and GetJS to collect JavaScript file URLs: cat live_subdomains.txt | subjs > js_files.txt getjs --url https://subdomain.target.com >> js_files.txt
- Crawl with Katana to find additional JavaScript files: katana -u https://subdomain.target.com -o js_endpoints.txt
- Download JavaScript files for analysis: wget -i js_files.txt -P js_files/
- Run SecretFinder to identify sensitive data: secretfinder -i js_files/ -o secrets.txt
- Use Mantra to detect vulnerabilities in JavaScript code: mantra -f js_files/ -o mantra_report.txt
- Search for specific patterns (e.g., API keys) with Grep: grep -r "api_key|token" js_files/
6. Vulnerability Scanning
Perform automated scans to identify common vulnerabilities.
Tools:
- Nuclei: Fast vulnerability scanner with customizable templates.
- Mantra: Detect misconfigurations and vulnerabilities in web assets.
Steps:
Run Nuclei with a comprehensive template set: nuclei -l live_subdomains.txt -t cves/ -t exposures/ -o nuclei_results.txt
Use Mantra to scan for misconfigurations: mantra -u https://subdomain.target.com -o mantra_scan.txt
7. GitHub Reconnaissance
Search for leaked sensitive information in public repositories.
Tools:
- GitHub Search: Manually search for target-related repositories.
- Grep: Filter repository content for sensitive data.
Steps:
Search GitHub for the target domain or subdomains (e.g., from:target.com).
Clone relevant repositories and use Grep to find secrets: grep -r "api_key|password|secret" repo_folder/
Analyze code for hardcoded credentials or misconfigurations.
8. Next Steps and Analysis
Review EyeWitness screenshots for login pages, outdated software, or misconfigurations.
Analyze Nuclei and Mantra reports for actionable vulnerabilities.
Perform manual testing on promising subdomains (e.g., XSS, SQLi, SSRF).
Document findings and prioritize vulnerabilities based on severity.
Additional Notes
Learning Resources: Complete TryHackMe’s pre-security learning path for foundational knowledge.
Tool Installation:
- Install Anew: go install github.com/tomnomnom/anew@latest
- Install Subzy: go install github.com/PentestPad/subzy@latest
- Install Nuclei: go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
Install Katana: go install github.com/projectdiscovery/katana/cmd/katana@latest
Optimization: Use a VPS for resource-intensive tools like ShuffleDNS and FFUF.
File Management: Organize outputs into separate files (e.g., subdomains.txt, js_files.txt) for clarity.
