Tools That You Will Need To Start Bug Bounty Hunting & Earn Money By Hacking
Below is a must-have list of tools which are useful for vulnerability hunting, in no particular order. While some automate the process of searching for vulnerabilities, they should not replace manual work, keen observation and intuitive thinking. Michiel Prins, Co-Founder of HackerOne, deserves a huge thanks for helping to contribute to the list and providing advice on how to effectively use the tools.
Burp Suite
https://portswigger.net/burp
Burp Suite is an integrated platform for security testing and pretty much a must when you are starting out. It has a variety of tools which are helpful, including:
• An intercepting proxy which lets you inspect and modify traffic to a site
• An application-aware Spider for crawling content and functionality (either passively or actively)
• A web scanner for automating the detection of vulnerabilities
• A repeater for manipulating and resending individual requests
• A sequencer tool for testing the randomness of tokens
• A comparer tool to compare requests and responses
Knockpy
https://github.com/guelfoweb/knock
Knockpy is a Python tool designed to iterate over a huge wordlist to identify subdomains of a company. Identifying subdomains helps to increase the testable surface of a company and increases the chances of finding a successful vulnerability. This is a GitHub repository, which means you’ll need to download the repo (the GitHub page has instructions as to how) and have Python installed (they have tested with version 2.7.6 and recommend you use Google DNS (8.8.8.8 | 8.8.4.4)).
HostileSubBruteforcer
https://github.com/nahamsec/HostileSubBruteforcer
This app, written by @nahamsec (Ben Sadeghipour - great guy!), will bruteforce for existing subdomains and provide the IP address, host and whether it has been properly set up, checking AWS, GitHub, Heroku, Shopify, Tumblr and Squarespace. This is great for finding subdomain takeovers.
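To make concrete what the two subdomain tools above automate (Knockpy's wordlist iteration and HostileSubBruteforcer's "properly set up" check), here is an added example in Python. It is not code from either project: it walks a wordlist under a base domain, records which hosts exist, and flags hosts whose CNAME points into one of the third-party providers named above but no longer resolves, which is the dangling-alias condition behind a subdomain takeover. The DNS data, the base domain, the wordlist and the provider suffix table are all constructed so the script runs offline; a real run would swap `fake_resolve` for a resolver library.

```python
"""Wordlist-driven subdomain enumeration with a dangling-CNAME check.

Added example (not Knockpy's or HostileSubBruteforcer's code). The DNS
data below is CONSTRUCTED so the script runs offline; in practice a
resolver library would supply it via the `resolve` callback.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Third-party platforms the page names. A CNAME into one of these whose target
# no longer resolves is the exposure a defender should remove or reclaim.
PROVIDER_SUFFIXES = {
    "amazonaws.com": "AWS",
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
    "myshopify.com": "Shopify",
    "tumblr.com": "Tumblr",
    "squarespace.com": "Squarespace",
}

# Constructed zone data: name -> (cname_target or None, list of A records).
# 'blog' aliases a GitHub Pages host that still resolves (fine);
# 'shop' aliases a Shopify host with no entry at all (dangling).
FAKE_DNS: Dict[str, Tuple[Optional[str], List[str]]] = {
    "www.example.com": (None, ["192.0.2.10"]),
    "api.example.com": (None, ["192.0.2.11"]),
    "blog.example.com": ("acme.github.io", []),
    "acme.github.io": (None, ["192.0.2.50"]),
    "shop.example.com": ("acme-store.myshopify.com", []),
    # acme-store.myshopify.com deliberately absent -> NXDOMAIN
}

Record = Optional[Tuple[Optional[str], List[str]]]
Resolver = Callable[[str], Record]


def fake_resolve(name: str) -> Record:
    """Stand-in for a real DNS lookup: None means NXDOMAIN."""
    return FAKE_DNS.get(name.lower().rstrip("."))


def provider_for(target: str) -> Optional[str]:
    """Return the hosting provider a CNAME target belongs to, if any."""
    target = target.lower().rstrip(".")
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None


def enumerate_subdomains(domain: str, wordlist: List[str],
                         resolve: Resolver = fake_resolve) -> List[dict]:
    """Try each wordlist label under `domain`; describe every host that exists."""
    findings = []
    for label in wordlist:
        host = f"{label}.{domain}"
        record = resolve(host)
        if record is None:
            continue  # candidate does not exist
        cname, addresses = record
        entry = {"host": host, "cname": cname, "addresses": addresses,
                 "provider": None, "dangling": False}
        if cname:
            entry["provider"] = provider_for(cname)
            # Follow the alias one hop: an NXDOMAIN target means it dangles.
            entry["dangling"] = resolve(cname) is None
        findings.append(entry)
    return findings


def takeover_candidates(findings: List[dict]) -> List[str]:
    """Hosts to fix first: dangling CNAMEs into a third-party provider."""
    return [f["host"] for f in findings if f["dangling"] and f["provider"]]


if __name__ == "__main__":
    WORDLIST = ["www", "api", "blog", "shop", "mail", "dev"]  # constructed
    results = enumerate_subdomains("example.com", WORDLIST)
    for r in results:
        status = "DANGLING" if r["dangling"] else "ok"
        print(f'{r["host"]:20} cname={r["cname"]} provider={r["provider"]} {status}')
    print("remove or reclaim:", takeover_candidates(results))
```

The check follows only one CNAME hop and only recognises the suffixes in the table; a production inventory script would resolve chains fully and keep the provider list current.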
sqlmap
http://sqlmap.org
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities. The website has a huge list of features, including support for:
• A wide range of database types (e.g., MySQL, Oracle, PostgreSQL, MS SQL Server, etc.)
• Six SQL injection techniques (e.g., boolean-based blind, time-based blind, error-based, UNION query-based, etc.)
• Enumerating users, password hashes, privileges, roles, databases, tables and columns
• And much more
According to Michiel Prins, sqlmap is helpful for automating the exploitation of SQL injection vulnerabilities to prove something is vulnerable, saving a lot of manual work. Similar to Knockpy, sqlmap relies on Python and can be run on Windows or Unix-based systems.
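To show the defect that sqlmap's boolean-based blind technique is looking for, here is an added Python example (not sqlmap's code) that puts a string-built query beside its parameterized fix on an in-memory SQLite table. The vulnerable lookup returns a different result set depending on whether the supplied value carries a true or a false condition, which is the signal an automated scanner keys on; the parameterized lookup treats the same input as plain data and gives no such signal. The table, rows and user names are constructed.

```python
"""String-built SQL beside its parameterized fix, on in-memory SQLite.

Added example, not sqlmap's code. The users table is CONSTRUCTED.
"""
import sqlite3
from typing import Callable, List


def make_db() -> sqlite3.Connection:
    """Build a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Bad: the caller-supplied value is spliced into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Good: the value is bound as a parameter, never parsed as SQL syntax."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def boolean_probe(lookup: Callable[[sqlite3.Connection, str], List[str]],
                  conn: sqlite3.Connection, name: str) -> bool:
    """True if a true vs. false appended condition changes the result set.

    That difference is the boolean-based signal a scanner relies on; a
    correctly parameterized query returns the same (empty) set for both.
    """
    true_input = f"{name}' AND '1'='1"
    false_input = f"{name}' AND '1'='2"
    return lookup(conn, true_input) != lookup(conn, false_input)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, plain input :", lookup_vulnerable(db, "bob"))
    print("vulnerable, boolean diff:", boolean_probe(lookup_vulnerable, db, "bob"))
    print("safe, plain input       :", lookup_safe(db, "bob"))
    print("safe, boolean diff      :", boolean_probe(lookup_safe, db, "bob"))
```

The fix is the bound parameter in `lookup_safe`; the probe function exists only to make the difference between the two visible in a test, which is the same observation a scanner would make from the outside.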
Nmap
https://nmap.org
Nmap is a free and open source utility for network discovery and security auditing. According to their site, Nmap uses raw IP packets in novel ways to determine:
• Which hosts are available on a network
• What services (application name and version) those hosts are offering
• What operating systems (and versions) they are running
• What type of packet filters/firewalls are in use
• And much more
The Nmap site has a robust list of installation instructions supporting Windows, Mac and Linux.
EyeWitness
https://github.com/ChrisTruncer/EyeWitness
EyeWitness is designed to take screenshots of websites, provide some server header info and identify default credentials if possible. It’s a great tool for detecting what services are running on common HTTP and HTTPS ports and can be used with other tools like Nmap to quickly enumerate hacking targets.
Shodan
https://www.shodan.io
Shodan is the internet search engine of “Things”. According to the site, you can “Use Shodan to discover which of your devices are connected to the internet, where they are located and who is using them”. This is particularly helpful when you are exploring a potential target and trying to learn as much about the target’s infrastructure as possible. Combined with this is a handy Firefox plugin for Shodan which allows you to quickly access information for a particular domain. Sometimes this reveals available ports which you can pass to Nmap.
WhatCMS
http://www.whatcms.org
WhatCMS is a simple application which allows you to enter a site URL and it’ll return the likely Content Management System the site is using. This is helpful for a couple of reasons:
• Knowing what CMS a site is using gives you insight into how the site code is structured
• If the CMS is open source, you can browse the code for vulnerabilities and test them on the site
• If you can determine the version code of the CMS, it’s possible the site may be outdated and vulnerable to disclosed security vulnerabilities
Nikto
https://cirt.net/nikto2
Nikto is an open source web server scanner which tests servers for multiple items, including:
• Potentially dangerous files/programs
• Outdated versions of servers
• Version specific problems
• Checking for server configuration items
According to Michiel, Nikto is helpful for finding files or directories that should not be available (e.g., an old SQL backup file, or the inside of a git repo).
Recon-ng
bitbucket.org/LaNMaSteR53/recon-ng
According to its page, Recon-ng is a full-featured Web Reconnaissance framework written in Python. It provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly. Unfortunately, or fortunately depending on how you want to look at it, Recon-ng provides so much functionality that I can’t adequately describe it here. It can be used for subdomain discovery, sensitive file discovery, username enumeration, scraping social media sites, etc.
idb
http://www.idbtool.com
idb is a tool to help simplify some common tasks for iOS app security assessments and research. It’s hosted on GitHub.
Wireshark
https://www.wireshark.com
Wireshark is a network protocol analyzer which lets you see what is happening on your network in fine detail. This is more useful when a site isn’t just communicating over HTTP/HTTPS. If you are starting out, it may be more beneficial to stick with Burp Suite if the site is just communicating over HTTP/HTTPS.
BucketFinder
https://digi.ninja/files/bucket_finder_1.1.tar.bz2
A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files - on these buckets, you can test out writing using the AWS CLI, as described in Example 6 of the Authentication Chapter, How I hacked HackerOne S3 Buckets.
Google Dorks
https://www.exploit-db.com/google-hacking-database
Google Dorking refers to using the advanced search syntax provided by Google to find information not readily available. This can include finding vulnerable files, opportunities for external resource loading, etc.
IPV4info.com
http://ipv4info.com
This is a great site that I just learned about thanks to Philippe Harewood (again!). Using this site, you can find domains hosted on a given server. So, for example, entering yahoo.com will give you Yahoo’s IP range and all the domains served from the same servers.
JD-GUI
https://github.com/java-decompiler/jd-gui
JD-GUI is a tool which can help when exploring Android apps. It’s a standalone graphical utility that displays Java sources from CLASS files. While I don’t have much experience with this tool (yet), it seems promising and useful.
Mobile Security Framework
https://github.com/ajinabraham/Mobile-Security-Framework-MobSF
This is another tool useful for mobile hacking. It’s an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis and web API testing.