
How to use BugBountyScanner for bug bounty network reconnaissance

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to use BugBountyScanner for bug bounty network reconnaissance. I think it is very practical, so I am sharing it with you, and I hope you get something out of it. Let's take a look.

BugBountyScanner

BugBountyScanner is a Bash script and Docker image for network reconnaissance in bug bounty programs. The tool is light on resources, yet its output is very rich.

Yes, BugBountyScanner can help you earn your first bug bounty!

We strongly recommend running BugBountyScanner from a server, which can be a VPS or a home server, rather than directly from the terminal of your own machine. By design, BugBountyScanner consumes very few resources, but a scan may take several days to cover a larger scope. The script also works on a stand-alone basis.

You can use it as a Docker image or run the script directly on a Debian/Ubuntu system (see below). All you have to do is start the script and forget about it. A run takes anywhere from a few minutes (for a very small scope of fewer than 10 subdomains) to a few days (for a very large scope of more than 20000 subdomains). BugBountyScanner also provides a "quick mode" option, which skips some very time-consuming tasks such as vulnerability identification, port scanning and web endpoint crawling, so researchers can configure a run according to their own needs.

Note that we strongly recommend connecting through a VPN before using this script.

Tools used by BugBountyScanner

Amass

Dnsutils

Go

Gau

Gf (with Gf-Patterns)

GoBuster

Gospider

Httpx

Nmap

Nuclei (with Nuclei-Templates)

Qsreplace

Subjack

Webscreenshot

Features

Resource-efficient, suitable for running in the background for long periods on a low-resource VPS, home server or Raspberry Pi

Telegram notifications with the result of each command

Extensive CVE and misconfiguration detection with Nuclei (optionally detecting blind vulnerabilities through Burp Collaborator)

Subdomain enumeration and live web server detection

Web screenshots and web resource crawling, with HTML screenshot report generation

Retrieval of sensitive endpoints from the Wayback Machine

Identification of interesting parameterized URLs with Gf

Enumeration of common temporary and legacy files with GoBuster

Automatic detection of LFI, SSTI and open redirects in URL parameters

Subdomain takeover detection

Port scanning (top 1000 TCP + SNMP)

"Quick mode" for fast network reconnaissance

Tool installation

Docker installation

Docker Hub: [portal]

Images are generated automatically for both the dev branch (:dev tag) and the main branch (:latest tag).

We can pull the BugBountyScanner Docker image from Docker Hub and start a shell in it with the following commands:

    docker pull chvancooten/bugbountyscanner
    docker run -it chvancooten/bugbountyscanner /bin/bash

Alternatively, you can use Docker Compose:

    version: "3"
    services:
      bugbountybox:
        container_name: BugBountyBox
        stdin_open: true
        tty: true
        image: chvancooten/bugbountyscanner:latest
        environment:
          - telegram_api_key=X
          - telegram_chat_id=X
        volumes:
          - ${USERDIR}/docker/bugbountybox:/root/bugbounty
        # VPN recommended :)
        network_mode: service:your_vpn_container
        depends_on:
          - your_vpn_container

Alternatively, we can build our own image from source:

    git clone https://github.com/chvancooten/BugBountyScanner.git
    cd BugBountyScanner
    docker build .

Manual installation

Note: this script has been tested on Ubuntu 20.04. The exact installation and configuration steps may differ on other distributions, but it should work on most Debian-based operating systems, such as Kali Linux.

To run the script manually, use the following commands:

    git clone https://github.com/chvancooten/BugBountyScanner.git
    cd BugBountyScanner
    cp .env.example .env # Edit accordingly
    chmod +x BugBountyScanner.sh setup.sh
    ./setup.sh -t /custom/tools/dir # Setup is automatically triggered, but can be manually run
    ./BugBountyScanner.sh --help
    ./BugBountyScanner.sh -d target1.com -d target2.net -t /custom/tools/dir --quick

Tool usage

We can use the --help or -h option to view BugBountyScanner's brief help menu:

    root@dockerhost:~# ./BugBountyScanner.sh -h
    BugBountyHunter - Automated BugBounty reconnaissance script

    ./BugBountyScanner.sh [options]

    options:
    -h, --help                show brief help
    -t, --toolsdir            tools directory (no trailing /), defaults to '/opt'
    -q, --quick               perform quick recon only (default: false)
    -d, --domain              top domain to scan, can take multiple
    -o, --outputdirectory     parent output directory, defaults to current directory (subfolders will be created per domain)
    -w, --overwrite           overwrite existing files. Skip steps with existing files if not provided (default: false)
    -c, --collaborator-id     pass a BurpSuite Collaborator BIID to Nuclei to detect blind vulns (default: not enabled)

    Note: 'ToolsDir', 'telegram_api_key' and 'telegram_chat_id' can be defined in .env or through Docker environment variables.

    example:
    ./BugBountyScanner.sh --quick -d google.com -d uber.com -t /opt

Notes on using Burp Collaborator: Nuclei needs the "BIID" of your Burp Collaborator. If you are using Burp's Collaborator server, you can get this ID by setting "Project Options -> Misc -> Poll over unencrypted HTTP" for the server. Next, poll the server from the client and use a second Burp client or Wireshark to intercept the "?biid=" parameter from the HTTP request. This is the ID we need. Don't forget to URL-encode it.
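As an added example (not part of the original article or of BugBountyScanner itself), the shell helper below takes either the captured polling request or a copied BIID and returns a value that is URL-encoded exactly once, ready to pass to -c. The function names, the sample request line and the assumption that the BIID is ASCII and may contain characters such as +, / and = are illustrative.

```shell
#!/bin/sh
# Added example: prepare a Collaborator BIID for BugBountyScanner's -c option.
# Function names and the sample request line are constructed; input is assumed ASCII.

# Decode %XX escapes; "+" is left as-is because it is data here, not a space.
urldecode() {
    s=$1 out=
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}
                out=$out$(printf '%b' "\\0$(printf '%03o' "0x$hex")")
                s=${s#???} ;;
            *)
                rest=${s#?}; out=$out${s%"$rest"}; s=$rest ;;
        esac
    done
    printf '%s' "$out"
}

# Percent-encode everything outside the RFC 3986 unreserved set.
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# Extract the biid value from a captured request line or URL.
biid_from_request() {
    case $1 in
        *"?biid="*) v=${1#*"?biid="} ;;
        *"&biid="*) v=${1#*"&biid="} ;;
        *) return 1 ;;
    esac
    v=${v%%"&"*}; v=${v%%" "*}; v=${v%%"#"*}
    [ -n "$v" ] && printf '%s' "$v"
}

# Accept a request line, an encoded value or a raw value; encode exactly once.
biid_for_cli() {
    raw=$(biid_from_request "$1") || raw=$1
    urlencode "$(urldecode "$raw")"
}

sample='GET /burpresults?biid=ab%2Bc%2Fd%3D%3D HTTP/1.1'   # constructed capture
echo "./BugBountyScanner.sh -d target1.com -c '$(biid_for_cli "$sample")'"
```

Decoding before encoding keeps a value copied from the wire from being encoded twice, while a value copied from a decoded view still gets its reserved characters escaped.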

The above is how to use BugBountyScanner for bug bounty network reconnaissance. The editor believes it covers points that we may come across or use in our daily work. I hope you can learn more from this article.
