BugBountyScanner - A Bash Script And Docker Image For Bug Bounty Reconnaissance

BugBountyScanner - A Bash Script And Docker Image For Bug Bounty Reconnaissance
2021-02-24 20:30:00 Author: www.blogger.com(查看原文) 阅读量:151 收藏

tag:blogger.com,1999:blog-8317222231133660547.post-90220760053402846482021-02-24T08:30:00.004-03:002021-02-24T08:30:01.863-03:00BugBountyScanner - A Bash Script And Docker Image For Bug Bounty Reconnaissance<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Z7Oajr5emhc/YDSQE8Y416I/AAAAAAAAVao/IJ62j0upOFUAJE0D0WEp-hC8LWs--5jMwCNcBGAsYHQ/s868/BugBountyScanner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="555" data-original-width="868" height="410" src="https://1.bp.blogspot.com/-Z7Oajr5emhc/YDSQE8Y416I/AAAAAAAAVao/IJ62j0upOFUAJE0D0WEp-hC8LWs--5jMwCNcBGAsYHQ/w640-h410/BugBountyScanner.png" width="640" /></a></div> A Bash script and Docker image for Bug Bounty reconnaissance, intended for headless use. Low on resources, high on information output. Helpful? BugBountyScanner helped you net a bounty? <a name='more'></a><div> </div>Description <blockquote> <div>Note: Using the script over a VPN is highly recommended.</div></blockquote> It's recommended to run BugBountyScanner from a server (VPS or home server), and not from your terminal. It is programmed to be low on resources, with potentially multiple days of scanning in mind for bigger scopes. The script functions on a stand-alone basis. You can run the script either as a docker image or from your preferred Debian/Ubuntu system (see below). All that is required is kicking off the script and forgetting all about it! Running the script takes anywhere in between several minutes (for very small scopes < 10 subdomains) and several days (for very large scopes > 20000 subdomains). A 'quick mode' flag is present, which drops some time-consuming tasks such as <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="vulnerability">vulnerability</a> identification, port scanning, and web endpoint crawling. Installation Docker Docker Hub Link: <a href="https://hub.docker.com/r/chvancooten/bugbountyscanner" rel="nofollow" target="_blank" title="https://hub.docker.com/r/chvancooten/bugbountyscanner">https://hub.docker.com/r/chvancooten/bugbountyscanner</a>. Images are generated automatically for both the Dev branch (<code>:dev</code> tag) and the Master branch (<code>:latest</code> tag). You can pull the Docker image from Docker Hub as below. <pre><code>docker pull chvancooten/bugbountyscanner docker run -it chvancooten/bugbountyscanner /bin/bash </code></pre> Docker-Compose can also be used. <pre><code>version: "3" services: bugbountybox: container_name: BugBountyBox stdin_open: true tty: true image: chvancooten/bugbountyscanner:latest environment: - telegram_api_key=X - telegram_chat_id=X volumes: - ${USERDIR}/docker/bugbountybox:/root/bugbounty # VPN recommended :) network_mode: service:your_vpn_container depends_on: - your_vpn_container </code></pre> Alternatively, you can build the image from source. <pre><code>git clone https://github.com/chvancooten/BugBountyScanner.git cd BugBountyScanner docker build . </code></pre> Manual If you prefer running the script manually, you can do so. <blockquote> <div>Note: The script has been built on -and tested for- Ubuntu 20.04. Your mileage may vary with other distro's, but it should work on most Debian-based installs (such as Kali Linux).</div></blockquote> <pre><code>git clone https://github.com/chvancooten/BugBountyScanner.git cd BugBountyScanner cp .env.example .env # Edit accordingly chmod +x BugBountyScanner.sh setup.sh ./setup.sh -t /custom/tools/dir # Setup is automatically triggered, but can be manually run ./BugBountyScanner.sh --help ./BugBountyScanner.sh -d target1.com -d target2.net -t /custom/tools/dir --quick </code></pre> Usage Use <code>--help</code> or <code>-h</code> for a brief help menu. <pre><code>root@dockerhost:~# ./BugBountyScanner.sh -h BugBountyHunter - Automated Bug Bounty <a href="https://www.kitploit.com/search/label/Reconnaissance" target="_blank" title="reconnaissance">reconnaissance</a> script ./BugBountyScanner.sh [options] options: -h, --help show brief help -t, --toolsdir tools directory (no trailing /), defaults to '/opt' -q, --quick perform quick recon only (default: false) -d, --domain <domain> top domain to scan, can take multiple -o, --outputdirectory parent output directory, defaults to current directory (subfolders will be created per domain) -w, --overwrite overwrite existing files. Skip steps with existing files if not provided (default: false) -c, --collaborator-id pass a BurpSuite Collaborator BIID to Nuclei to detect blind vulns (default: not enabled) Note: 'ToolsDir', 'telegram_api_key' and 'telegram_chat_id' ca n be defined in .env or through Docker environment variables. example: ./BugBountyScanner.sh --quick -d google.com -d uber.com -t /opt </code></pre> <blockquote> A note on using Burp Collaborator: Nuclei requires your Burp Collaborator's "BIID". If you are using Burp's hosted Collaborator servers, you can acquire this ID by setting 'Project Options -> Misc -> Poll over unencrypted HTTP' for the server. Then poll the server once from your client, and intercept the <code>?biid=</code> parameter from the HTTP request using a second Burp client or Wireshark. This is the ID you need (make sure to URL-decode). </blockquote> Features <ul> <li>Resource-efficient, suitable for running in the background for a prolonged period of time on a low-resource VPS, home server, or Raspberry Pi</li> <li>Telegram status notifications with per-command results</li> <li>Extensive CVE and <a href="https://www.kitploit.com/search/label/Misconfiguration" target="_blank" title="misconfiguration">misconfiguration</a> detection with Nuclei (optionally with detection of blind <a href="https://www.kitploit.com/search/label/vulnerabilities" target="_blank" title="vulnerabilities">vulnerabilities</a> via Burp Collaborator)</li> <li>Subdomain enumeration and live webserver detection</li> <li>Web screenshotting and crawling, HTML screenshot report generation</li> <li>Retrieving (hopefully sensitive) endpoints from the Wayback Machine</li> <li>Identification of interesting parameterized URLs with Gf</li> <li>Enumeration of common "temporary" and forgotten files with GoBuster</li> <li>Automatic detection of LFI, SSTI, and Open Redirects in URL parameters</li> <li>Subdomain takeover detection</li> <li>Port scanning (Top 1000 TCP + SNMP)</li> <li>'Quick Mode' for opsec-safe (ish) <a href="https://www.kitploit.com/search/label/Infrastructure" target="_blank" title="infrastructure">infrastructure</a> reconnaissance</li> </ul> Tools <ul> <li><code>amass</code></li> <li><code>dnsutils</code></li> <li><code>Go</code></li> <li><code>gau</code></li> <li><code>Gf</code> (with <code>Gf-Patterns</code>)</li> <li><code>GoBuster</code></li> <li><code>gospider</code></li> <li><code>httpx</code></li> <li><code>nmap</code></li> <li><code>Nuclei</code> (with <code>Nuclei-Templates</code>)</li> <li><code>qsreplace</code></li> <li><code>subjack</code></li> <li><code>webscreenshot</code></li> </ul> <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/chvancooten/BugBountyScanner" rel="nofollow" target="_blank" title="Download BugBountyScanner">Download BugBountyScanner</a></div>Zion3R[email protected]

文章来源: http://www.blogger.com/feeds/8317222231133660547/posts/default/9022076005340284648
如有侵权请联系:admin#unsafe.sh