awesome-bbht
A bash script that will automatically install a list of bug hunting tools I sometimes use for recon, exploitation, etc. (minus burp.) (Contributions are always welcome.)
Install
git clone https://github.com/0xApt/awesome-bbht.sh
cd awesome-bbht
chmod +x awesome-bbht.sh
sudo ./awesome-bbht.sh
The list of tools downloaded:
awscli
Subdomain-enum
- aquatone - A Tool for Domain Flyovers
- knockpy - Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
- subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains.
- assetfinder - Find domains and subdomains related to a given domain
- rsdl - Subdomain Scan with the Ping Method
- subDomainizer - A tool to find subdomains and interesting things hidden inside external JavaScript files of a page, folder, and GitHub.
- domain_analyzer - Analyze the security of any domain by finding all the information possible. Made in python.
- massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
- subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
- amass - In-depth Attack Surface Mapping and Asset Discovery
- sub.sh - Online Subdomain Detect Script
- sublist3r - Fast subdomains enumeration tool for penetration testers
- Sudomy - Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in a fast and comprehensive way. Report output in HTML or CSV format https://github.com/Screetsec/
- dnsenum - Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.
Content Discovery
API
- secretx - Extracting api keys and secrets by requesting each url in your list.
AWS S3 Bucket
- s3brute - s3 brute force tool
- s3-bucket-finder - Find AWS S3 buckets and extract data.
- bucket-stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.
- slurp - Enumerate S3 buckets via certstream, domain, or keywords.
- lazys3 - A Ruby script to bruteforce for AWS S3 buckets using different permutations.
- cred_scanner - A simple file-based scanner to look for potential AWS access and secret keys in files
- DumpsterDiver - A tool used to analyze big volumes of various file types in search of hardcoded secrets like keys (AWS Access Key, Azure Share Key or SSH keys) or passwords.
- S3Scanner - Scan for open AWS S3 buckets and dump the contents
Inspecting JS Files
- JSParser - A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files.
- relative-url-extractor - A small tool that extracts relative URLs from a file.
- sub.js - A tool to get JavaScript files from a list of URLs or subdomains
- LinkFinder - A python script that finds endpoints in JavaScript files
Code Audit
- Cobra - Source Code Security Audit
Crawlers
- Crawler - Crawl website extract links
- waybackMachine - Use Wayback Machine data to pull a list of paths.
- meg - Fetch many paths for many hosts - without killing the hosts
- hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
- igoturls - WaybackURLS + OtxURLS + CommonCrawl
Directory Bruteforcers & Fuzzers
- gobuster - Directory/File, DNS and VHost busting tool written in Go
- ffuf - Fast web fuzzer written in Go
- dirsearch - Web path scanner
Exploitation
Subdomain Takeover
- subjack - Subdomain Takeover tool written in Go
- subdomain-takeover - Subdomain Takeover Scanner | Subdomain Takeover Tool | by 0x94
- takeover - Sub-Domain TakeOver Vulnerability Scanner
- SubOver - A Powerful Subdomain Takeover Tool
Google Cloud Storage
- GCPBucketBrute - A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.
Digital Ocean
- spaces-finder - A tool to hunt for publicly accessible DigitalOcean Spaces
XXE
- XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
CSRF
- XSRFProbe - The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
Command Injection
- commix - Automated All-in-One OS command injection and exploitation tool. https://commixproject.com
SQLi
- sqlmap - Automatic SQL injection and database takeover tool http://sqlmap.org
- sqliv - massive SQL injection vulnerability scanner
- sqlmate - A friend of SQLmap which will do what you always expected from SQLmap.
XSS
- XSStrike - Most advanced XSS scanner.
- XSS-keylogger - A keystroke logger to exploit XSS vulnerabilities in a site - for my personal educational purposes only
CMS
- CMSmap - CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
- CMSeeK - CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 170 other CMSs
- wpscan - WPScan is a free, for non-commercial use, black box WordPress Vulnerability Scanner written for security professionals and blog maintainers to test the security of their WordPress websites
- Joomscan - OWASP Joomla Vulnerability Scanner Project
- Droopescan - A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
- Drupwn - Drupal enumeration & exploitation tool
CloudFlare
- CloudFail - Utilize misconfigured DNS and old database records to find hidden IPs behind the CloudFlare network
Git
- truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
- git-dumper - A tool to dump a git repository from a website
Frameworks
- Sn1per - Automated pentest framework for offensive security experts
- XRay - XRay is a tool for recon, mapping and OSINT gathering from public networks.
- datasploit - An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats.
- Osmedeus - Fully automated offensive security framework for reconnaissance and vulnerability scanning
- TIDoS-Framework - The Offensive Manual Web Application Penetration Testing Framework.
- discover - Custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit.
- lazyrecon - This script is intended to automate your reconnaissance process in an organized fashion
- 003Recon - Some tools to automate recon - 003random
- LazyRecon - An automated approach to performing recon for bug bounty hunting and penetration testing.
- Vulmap - Vulmap is a web vulnerability scanning and verification tool that can scan webapps for vulnerabilities and has a vulnerability verification function
Wordlists
- SecLists - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Other
- altdns - Generates permutations, alterations and mutations of subdomains and then resolves them
- nmap - network mapper
- Blazy - Blazy is a modern login bruteforcer which also tests for CSRF, Clickjacking, Cloudflare and WAF.
- httprobe - Take a list of domains and probe for working HTTP and HTTPS servers
- broken-link-checker - Find broken links, missing images, etc. within your HTML.
- wafw00f - WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.