  • Stars: 1,188
  • Rank: 39,371 (Top 0.8 %)
  • Language: C#
  • License: MIT License
  • Created almost 4 years ago
  • Updated almost 4 years ago


BigBountyRecon

BigBountyRecon tool utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation. Reconnaissance is the most important step in any penetration test or bug hunting process. It provides an attacker with some preliminary knowledge of the target organisation. Furthermore, it is useful for gaining insight into what controls are in place, as well as a rough estimate of the security maturity level of the target organisation.

This tool can be used in addition to your usual approach to bug hunting. The idea is to quickly check and gather information about your target organisation without investing time in remembering these syntaxes. In addition, it can help you define an approach towards finding some quick wins on the target.

Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral


Techniques

  1. Directory Listing: Finding open directories on your target organisation with Google dorks helps you understand the directory structure of the web server. Listings may reveal sensitive files or lead to information disclosure.

  2. Configuration Files: Often, configuration files contain sensitive information such as hardcoded passwords, sensitive drive locations or API tokens, which can help you gain privileged access to internal resources.

  3. Database Files: Database files store the contents of a database in a structured format, as separate tables and fields, in a file. Depending on the nature of the web application, these files could provide access to sensitive information.

  4. WordPress: WordPress is an open-source CMS written in PHP. WordPress has thousands of plugins to build, customise and enhance websites, and there are numerous vulnerabilities in these plugins. Finding WordPress related

  5. Log Files: Log files sometimes provide detailed information about users' activities in a particular application. These files are a good place to look for session cookies or other types of tokens.

  6. Backup and Old Files: Backup files are original copies of critical systems. These can provide access to PII or to sensitive records.

  7. Login Pages: It is extremely important to identify the login pages of your target organisation in order to perform brute-force attempts or try default credentials to gain further access to organisation resources.

  8. SQL Errors: SQL errors leak sensitive information about the backend systems. This can help one to enumerate the database type and see if the application is vulnerable to input validation related attacks such as SQL injection.

  9. Apache Config Files: Apache HTTP Server is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. In addition, other configuration files may be added using the Include directive, and wildcards can be used to include many configuration files. Any directive may be placed in any of these configuration files. Depending on the entries in these config files, they may reveal database connection strings, usernames and passwords, the internal workings, used and referenced libraries and the business logic of the application.

  10. Robots.txt File: The robots.txt file instructs web robots how to crawl pages on a website. Depending on the content of the file, an attacker might discover hidden directories and files.

  11. DomainEye: DomainEye is a domain/host investigation tool that has the largest domain databases. It provides services such as reverse Whois and reverse IP lookup, as well as reverse NS and MX.

  12. Publicly Exposed Documents: Such documents can be used to extract metadata information.

  13. phpinfo(): Exposing phpinfo() on its own isn't necessarily a risk, but in combination with other vulnerabilities it could lead to your site being compromised. Additionally, module versions could make attackers' lives easier when targeting an application using newly discovered exploits.

  14. Finding Backdoors: This can help one identify website defacements or server hijacking related issues. By exploiting an open redirect vulnerability on a trusted web application, an attacker can redirect victims to a phishing page.

  15. Install/Setup Files: Such files allow an attacker to perform enumeration on the target organisation. Information gathered from these files can help discover version details, which can then be used to perform a targeted exploit.

  16. Open Redirects: With these, we look at various known parameters vulnerable to open redirect related issues.

  17. Apache Struts RCE: Successfully exploiting an RCE vulnerability could allow the attacker to run arbitrary programs. Here, we are looking for files with the extensions ".action" or ".do".

  18. 3rd Party Exposure: Here we are looking for exposure of information on third party sites such as Codebeautify, Codeshare and Codepen.

  19. Check Security Headers: Identify quickly if the target site is using security related headers in the server response.

  20. GitLab: Quickly look for sensitive information on GitLab.

  21. Find Pastebin Entries: Shows you the results related to the target organisation on the Pastebin site. This could be passwords or any other sensitive information related to the target organisation.

  22. Employees on LinkedIn: Identifying employee names on LinkedIn can help you build a username list when it comes to a password spraying attack.

  23. .HTACCESS / Sensitive Files: Look for sensitive file exposure. This may indicate a server misconfiguration.

  24. Find Subdomains: Subdomains help you expand the attack surface of the target organisation. There are numerous tools available to automate the process of subdomain enumeration.

  25. Find Sub-Subdomains: Identify sub-subdomains of the target organisation using Google dorks.

  26. Find WordPress related exposure: WordPress related exposure helps you gain access to sensitive files and folders.

  27. BitBucket & Atlassian: Source code leakage, hardcoded credentials and access to cloud infrastructure.

  28. PassiveTotal: PassiveTotal is a great tool for performing threat investigation. Using BigBountyRecon, we will use PassiveTotal to identify subdomains of the target organisation.

  29. Stack Overflow: Source code exposure or any technology-specific questions mentioned on Stack Overflow.

  30. Find WordPress related exposure using Wayback Machine: Look for archived WordPress files using the Wayback Machine.

  31. GitHub: Quickly look for sensitive information on GitHub.

  32. OpenBugBounty: Look for publicly exposed security issues on the OpenBugBounty website.

  33. Reddit: Information about the particular organisation on the Reddit platform.

  34. Crossdomain.xml: Look for misconfigured crossdomain.xml files on the target organisation.

  35. ThreatCrowd: Search engine for threats; however, we are going to use this to identify additional sub-domains.

  36. .git Folder: Source code exposure. It's possible to download the entire repository content if the folder is accessible.

  37. YouTube: Look for any recent news on YouTube.

  38. Digitalocean Spaces: Spaces is an S3-compatible object storage service that lets you store and serve large amounts of data. We will look for any data exposures.

  39. .SWF File (Google): Flash is dead. We are going to use Google dorks to look for older versions of Flash .swf files that contain vulnerabilities.

  40. .SWF File (Yandex): Flash is dead. We are going to use Yandex to look for older versions of Flash .swf files that contain vulnerabilities.

  41. .SWF File (Wayback Machine): Flash is dead. We are going to use the Wayback Machine to look for older versions of Flash .swf files that contain vulnerabilities.

  42. Wayback Machine: Look for archived copies in order to access old files.

  43. Reverse IP Lookup: Reverse IP Lookup lets you discover all the domain names hosted on any given IP address. This will help you to explore the attack surface for a target organisation.

  44. Traefik: Traefik is an open-source edge router; look for an unauthenticated interface that exposes internal services.

  45. Cloud Storage and Buckets: Google CSE for various cloud storages - aws, digitalocean, backblaze, wasabi, rackspace, dropbox, ibm, azure, dreamhost, linode, gcp, box, mailru

  46. s3 Buckets: Open s3 buckets.

  47. PublicWWW: Source code search engine that indexes the content of over 200 million web sites and provides a query interface that lets the caller find any alphanumeric snippet, signature or keyword in the web pages' 'HTML', 'JavaScript' and 'CSS' style sheet code.

  48. Censys (IPv4, Domains & Certs): Search engine for finding internet devices. We will use this to look for additional sub-domains using various endpoints on Censys.

  49. Shodan: Search engine for Internet-connected devices.

  50. SharePoint RCE: Look for CVE-2020-0646 SharePoint RCE related endpoint.

  51. API Endpoints: Find WSDL files.

  52. Gist Searches: Quickly look for sensitive information on the Gist pastes.

  53. CT Logs: Certificate Transparency (CT) is an Internet security standard and open-source framework for monitoring and auditing digital certificates. We will use it to look for additional sub-domains of a targeted organisation.

  54. Password Leak: Look for plaintext passwords of internal employees exposed in various leaks.

  55. What CMS: Identify the version and type of CMS used by a target organisation for targeted enumeration and exploit research.
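The techniques above describe what the tool looks for from the outside; a defender can run the same checks against their own responses before a search engine indexes them. The following is an added example, not BigBountyRecon code: inspect_response and its rule names are my own, and the sample responses are constructed so the script runs offline.

```python
"""Self-check of a web asset for exposures from the technique list: directory
listing (1), robots.txt disclosure (10), phpinfo() (13), Struts-style
endpoints (17), missing security headers (19) and a readable .git folder (36).
Added example, not BigBountyRecon code; responses below are constructed."""
import re

SECURITY_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security",
                    "X-Content-Type-Options", "X-Frame-Options")

def inspect_response(path, status, headers, body):
    """Return a list of findings for one (path, HTTP status, headers, body)."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status != 200:
        return findings                     # only served content is an exposure
    if re.search(r"<title>\s*Index of", body, re.I):           # technique 1
        findings.append(f"directory listing enabled at {path}")
    if path.endswith("/.git/HEAD") and body.startswith("ref:"):  # technique 36
        findings.append("git repository exposed (.git/HEAD readable)")
    if path == "/robots.txt":                                   # technique 10
        for p in re.findall(r"^Disallow:\s*(\S+)", body, re.M):
            findings.append(f"robots.txt discloses {p}")
    if "phpinfo()" in body and "PHP Version" in body:           # technique 13
        findings.append(f"phpinfo() output served at {path}")
    if re.search(r"\.(action|do)$", path):                      # technique 17
        findings.append(f"Struts-style endpoint {path}: verify framework patch level")
    if hdrs.get("content-type", "").startswith("text/html"):    # technique 19
        for h in SECURITY_HEADERS:
            if h.lower() not in hdrs:
                findings.append(f"{path} missing {h}")
    return findings

# Constructed sample responses (not captured from any real host).
SAMPLE = [
    ("/backup/", 200, {"Content-Type": "text/html"},
     "<html><head><title>Index of /backup</title></head>..."),
    ("/.git/HEAD", 200, {"Content-Type": "text/plain"}, "ref: refs/heads/main\n"),
    ("/robots.txt", 200, {"Content-Type": "text/plain"},
     "User-agent: *\nDisallow: /admin/\nDisallow: /old-site/\n"),
    ("/login.do", 200, {"Content-Type": "text/html",
                        "Content-Security-Policy": "default-src 'self'",
                        "Strict-Transport-Security": "max-age=31536000",
                        "X-Content-Type-Options": "nosniff",
                        "X-Frame-Options": "DENY"}, "<html>login</html>"),
    ("/secret/", 404, {"Content-Type": "text/html"}, "<title>Index of /secret</title>"),
]

def audit(responses=SAMPLE):
    """Run inspect_response over every response and flatten the findings."""
    return [f for r in responses for f in inspect_response(*r)]

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Feed it the responses of your own crawl (path, status, headers, body) and anything it returns is something a dork-driven scan could also find.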

Screenshots

Screenshot: searching for plaintext passwords for a target organisation.

Screenshot: looking for subdomains and other interesting information on the target organisation.

Screenshot: finding Apache Struts related assets.

Screenshot: verifying whether the URL contains the extension ".do".

How to use this tool?

Step 1: Download the file from the Release section: https://github.com/Viralmaniar/BigBountyRecon/releases/download/v0.1/BigBountyRecon.exe

Step 2: Run the EXE file.

Step 3: Enter the target domain.

Step 4: Click the different buttons in the tool to find information.

Step 5: In case of a Google CAPTCHA, simply click on the puzzle and move ahead.

Questions?

Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Dorking operators across Google, DuckDuckGo, Yahoo and Bing

Table obtained from: https://exposingtheinvisible.org/guides/google-dorking/

Here is a table with possible dorks for various search engines.

Dork Description Google DuckDuckGo Yahoo Bing
cache:[url] Shows the version of the web page from the search engine's cache. ✓
related:[url] Finds web pages that are similar to the specified web page. ✓
info:[url] Presents some information that Google has about a web page, including similar pages, the cached version of the page, and sites linking to the page. ✓
site:[url] Finds pages only within a particular domain and all its subdomains. ✓ ✓ ✓ ✓
intitle:[text] or allintitle:[text] Finds pages that include a specific keyword as part of the indexed title tag. You must include a space between the colon and the query for the operator to work in Bing. ✓ ✓ ✓ ✓
allinurl:[text] Finds pages that include a specific keyword as part of their indexed URLs. ✓
meta:[text] Finds pages that contain the specific keyword in the meta tags.
filetype:[file extension] Searches for specific file types. ✓ ✓ ✓
intext:[text], allintext:[text], inbody:[text] Searches the text of the page. For Bing and Yahoo the query is inbody:[text]. For DuckDuckGo the query is intext:[text]. For Google either intext:[text] or allintext:[text] can be used. ✓ ✓ ✓
inanchor:[text] Searches link anchor text. ✓
location:[iso code] or loc:[iso code], region:[region code] Searches for a specific region. For Bing use location:[iso code] or loc:[iso code] and for DuckDuckGo use region:[iso code]. An ISO location code is a short code for a country; for example, Egypt is eg and the USA is us. https://en.wikipedia.org/wiki/ISO_3166-1 ✓ ✓
contains:[text] Identifies sites that contain links to the filetypes specified (e.g. contains:pdf). ✓
altloc:[iso code] Searches for a location in addition to the one specified by the language of the site (e.g. pt-us or en-us). ✓
feed:[feed type, i.e. rss] Finds RSS feeds related to the search term. ✓ ✓ ✓
hasfeed:[url] Finds web pages that contain both the term or terms for which you are querying and one or more RSS or Atom feeds. ✓ ✓ ✓
ip:[ip address] Finds sites hosted by a specific IP address. ✓ ✓
language:[language code] Returns websites that match the search term in a specified language. ✓ ✓
book:[title] Searches for book titles related to keywords. ✓
maps:[location] Searches for maps related to keywords. ✓
linkfromdomain:[url] Shows websites whose links are mentioned in the specified URL (with errors). ✓
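When the same exposure check for your own domain is run against several engines, the operator spelling has to change per engine as the table states: intext:/allintext: on Google, intext: on DuckDuckGo, inbody: on Bing and Yahoo, a space after intitle: on Bing, and loc: versus region: for the location filter. The following query renderer is an added example, not part of BigBountyRecon or the source guide; the Dork class and render function are my own names, and since the table marks filetype: for three of the four engines without naming which, the code emits it for all four (an assumption).

```python
"""Render one dork in the syntax each engine accepts, per the operator table.
Added example, not BigBountyRecon code; names below are my own."""
from dataclasses import dataclass
from typing import Optional

ENGINES = ("google", "duckduckgo", "yahoo", "bing")

@dataclass
class Dork:
    site: Optional[str] = None       # site:[url], supported by all four engines
    title: Optional[str] = None      # intitle:[text]
    text: Optional[str] = None       # intext:/allintext:/inbody:[text]
    filetype: Optional[str] = None   # filetype:[ext] (assumed on all four, see lead-in)
    location: Optional[str] = None   # ISO country code; Bing and DuckDuckGo only

# Per-engine spelling of the "keyword in page body" operator, from the table.
BODY_OPERATOR = {"google": "intext", "duckduckgo": "intext",
                 "yahoo": "inbody", "bing": "inbody"}

def _quote(value: str) -> str:
    """Quote multi-word values so the operator binds to the whole phrase."""
    return f'"{value}"' if " " in value else value

def render(dork: Dork, engine: str) -> str:
    """Return the query string for one engine, dropping unsupported operators."""
    if engine not in ENGINES:
        raise ValueError(f"unknown engine: {engine}")
    parts = []
    if dork.site:
        parts.append(f"site:{dork.site}")
    if dork.title:
        # The table notes Bing needs a space between the colon and the value.
        sep = " " if engine == "bing" else ""
        parts.append(f"intitle:{sep}{_quote(dork.title)}")
    if dork.text:
        parts.append(f"{BODY_OPERATOR[engine]}:{_quote(dork.text)}")
    if dork.filetype:
        parts.append(f"filetype:{dork.filetype}")
    if dork.location:
        if engine == "bing":
            parts.append(f"loc:{dork.location}")
        elif engine == "duckduckgo":
            parts.append(f"region:{dork.location}")
        # Google and Yahoo have no location operator in the table: omitted.
    return " ".join(parts)

def render_all(dork: Dork) -> dict:
    """Map each engine name to its rendering of the same dork."""
    return {engine: render(dork, engine) for engine in ENGINES}

if __name__ == "__main__":
    for engine, query in render_all(Dork(site="example.com", title="about us",
                                         text="contact", location="us")).items():
        print(f"{engine:10s} {query}")
```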

Contribution & License

This work is licensed under a Creative Commons Attribution 4.0 International License.
Want to contribute? Please fork it and open a pull request.
