daily pastebin goal

Bugbounty scope expanding

a guest Mar 27th, 2019 416 in 1 day
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Hi, this is @emi0x00
  3. I wanted to share one method/advice to expand bug bounty/penetration attack surface and automate it to save some time via certificate transparency live feed and well known tools most of the things are scripted within 1 file. I use this with some other recon scripts that automate all process for me - this is only for new certs being issued in CT logs:
  5. 1. Pick a target let's go with xyz123123ccc.com
  7. 2. Scrape certificate transparency logs with any free tool from github or curl/wget that stuff
  9. 3. place all results in a file (I like to sort them out and remove wildcards (*) other junk that is not necessary leaving only subdomains
  11. 4. split up all found subdomains with all possible subdomain combinations:
  13. example:
  14. xyz123123ccc.com
  15. test.dev.xyz123123ccc.com
  16. cc.prod.xyz123123ccc.com
  18. will be as:
  19. xyz123123ccc.com
  20. dev.xyz123123ccc.com
  21. prod.xyz123123ccc.com
  22. test.dev.xyz123123ccc.com
  23. cc.prod.xyz123123ccc.com
  25. ^ see where this is going ? - No way Im going to do that stuff by hand if I get more than 5 results back :) so to automate this all process and expand scope this step is very important.  
  27. 5. run subbrute + massdns (with combined lists - shoutout to @Jhaddix for making good list(s) @ github) on all split up subdomains that we made in step 4. (after that You should sort results and drop duplicates and remove junk data that may come out)
  29. 6. Next I do nmap scan, first I resolve all dns names that I generated to get back live host IP's
  31. 7. IPs being sorted and more extensive scans are made with nmap on different CIDR's this depends on reversed IPs - this allows to scan some additional IPs and maybe get some other targets (just double check if they are in the scope, this can be very tricky)
  33. 8. Next I run nmap scan with well known (34~ web based ports)  - this is quick list made for step 9
  35. 9. Feed nmap results (from step 8.) to a tool/script to get print-screens this is for low hanging fruits and just to sort out things rather than visit each site on separated port(s).
  37. 10. While I check screens and work on some obvious targets, nmap full port scan + sV is running behind the scenes - this is for later to check if there are some hidden gems that are not caught up by simple scans maybe some application is not using default port and it's changed maybe some other juicy service is up etc.
  39. 11. All 10 steps goes in to one bash script that is being run by crontab every X hours.
  41. 12. + each round when cron runs a script it makes .log/.txt files with findings  and combined findings to get overall picture.
  44. - I can help with some parts of this script but not giving away copy & paste setup / script. Don't be lazy most of these points are doable within couple of minutes.
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand