BugBounty

Useful commands

SQLmap batch URL checker

Grab a list of URLs from any source with parameters and paste into a file called sqllst.tmp.

Then run the following:

cat sqllst.tmp | sort -R | head -n 100 > sqllst
rm sqllst.tmp

Don't run this as it is very aggressive and will likely get you blocked by the website, but it works as follows:

for i in $(cat sqllst); do echo $i; sqlmap -u $i --batch --ignore-redirects; done | tee -a sqlmaplogs

Gobuster batch scanner

for i in $(cat httpservices);do gobuster -k -w /root/Tools/directory-list-medium.lst -u $i -q -e -t 10; done | tee -a directories

Nikto batch scanner

for i in $(cat httpservices); do nikto -host $i -ask no; done | tee -a nikto

Bug Bounty Scanning Bot

First, buy a Raspberry Pi and install Raspbian; there are plenty of guides online on how to do this.

Change the hostname to something of your choosing

hostname scanbot
# the line above only lasts until the next reboot; make it permanent too
hostnamectl set-hostname scanbot

Once installed, enable SSH and log in to the Pi remotely as root.

systemctl enable ssh
systemctl start ssh
nano /etc/ssh/sshd_config
# change the following
PermitRootLogin yes
# once the SSH keys set up later in this guide are in place, "PermitRootLogin prohibit-password"
# (key-only root login) is the safer setting for a box that will be reachable over a reverse tunnel
# restart sshd so the change takes effect
systemctl restart ssh

Create folders

cd /root
mkdir BugBounty
cd BugBounty
mkdir Tools
mkdir Scans
mkdir Completed

Install tools

Download payloads

cd /root/BugBounty/Tools/
git clone https://github.com/jdksec/Payloads.git

Install keys for Kali tools

gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
# --recv-key only imports the key into root's own gpg keyring; apt does not trust it
# until it is exported into apt's keyring (if the keyserver is unreachable,
# https://archive.kali.org/archive-key.asc carries the same key)
gpg -a --export 7D8D0BF6 | apt-key add -
echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
apt-key update
apt-get update
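Added here as an example (not part of the original page): an apt preferences file that keeps the Kali repository from replacing Raspbian packages while it is enabled. With priority 100, a package is taken from Kali only when Raspbian does not ship it at all, and no already-installed Raspbian package is upgraded to a Kali build. It assumes Kali's Release file carries Origin: Kali, which is the case for kali-rolling.

```text
Explanation: /etc/apt/preferences.d/kali  (added example, not from the original page)
Explanation: Raspbian's own repositories keep the default priority of 500, so they win
Explanation: whenever both sources carry a package; Kali is only used as a fallback.
Package: *
Pin: release o=Kali
Pin-Priority: 100
```

Verify with apt-cache policy nmap: the Raspbian candidate should be listed at 500 and the Kali one at 100. To pull a specific package from Kali on purpose, use apt-get -t kali-rolling install <package>.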

Install the tools required for scanning

Remove the ones you do not want, and do not simply install all of these: many of them open ports or start services on your machine.

# REQUIRED
apt -y install masscan
apt -y install nmap
apt -y install gobuster
apt -y install nikto
# dig is provided by the dnsutils package below; there is no package called dig
apt -y install googler
apt -y install wfuzz
apt -y install sslscan
apt -y install tmux
apt -y install dnsutils
apt -y install autossh
# OPTIONAL
apt-get -y install 6tunnel
apt-get -y install aircrack-ng
apt-get -y install amap
apt-get -y install apache2
apt-get -y install apt-file
apt-get -y install apt-show-versions
apt-get -y install arp-scan
apt-get -y install autoconf
apt-get -y install backdoor-factory
apt-get -y install bdfproxy
apt-get -y install bfbtester
apt-get -y install bing-ip2hosts
apt-get -y install bison
apt-get -y install bridge-utils
apt-get -y install bsqlbf
apt-get -y install btscanner
apt-get -y install build-essential
apt-get -y install bundler
apt-get -y install ca-certificates
apt-get -y install chaosreader
apt-get -y install chkrootkit
apt-get -y install chromium
apt-get -y install clusterd
apt-get -y install cryptcat
apt-get -y install curl
apt-get -y install cutycapt
apt-get -y install daemonfs
apt-get -y install darkstat
apt-get -y install dhcpdump
apt-get -y install dissy
apt-get -y install dmitry
apt-get -y install dns2tcp
apt-get -y install dnswalk
apt-get -y install dsniff
apt-get -y install dtrx
apt-get -y install enum4linux
apt-get -y install etherape
apt-get -y install exe2hexbat
apt-get -y install exploit-db
apt-get -y install fcrackzip
apt-get -y install file-roller
apt-get -y install fimap
apt-get -y install flasm
apt-get -y install foremost
apt-get -y install fping
apt-get -y install freerdp-x11
apt-get -y install ftp
apt-get -y install ftp-proxy
apt-get -y install galleta
apt-get -y install geany
apt-get -y install gedit
apt-get -y install gem
apt-get -y install ghettotooth
apt-get -y install git
apt-get -y install git-core
apt-get -y install gobuster
apt-get -y install golang
apt-get -y install googler
apt-get -y install hexedit
apt-get -y install hostmap
apt-get -y install hping3
apt-get -y install html2text
apt-get -y install htop
apt-get -y install htshells
apt-get -y install http-tunnel
apt-get -y install httptunnel
apt-get -y install httrack
apt-get -y install hydra
apt-get -y install hyperion
apt-get -y install ike-scan
apt-get -y install inguma
apt-get -y install iodine
apt-get -y install iotop
apt-get -y install ipcalc
apt-get -y install ipgrab
apt-get -y install ipv6calc
apt-get -y install isr-evilgrade
apt-get -y install john
apt-get -y install kismet
apt-get -y install knocker
apt-get -y install lcrack
apt-get -y install libapr1
apt-get -y install libaprutil1
apt-get -y install libcurl4-openssl-dev
apt-get -y install libpcap-dev
apt-get -y install libpq-dev
apt-get -y install libreadline6-dev
apt-get -y install libsqlite3-dev
apt-get -y install libssl-dev
apt-get -y install libsvn1
apt-get -y install libtool
apt-get -y install libxml2
apt-get -y install libxml2-dev
apt-get -y install libxslt-dev
apt-get -y install libyaml-dev
apt-get -y install locate
apt-get -y install lynis
apt-get -y install lynx
apt-get -y install macchanger
apt-get -y install mboxgrep
apt-get -y install mdk3
apt-get -y install medusa
apt-get -y install metagoofil
apt-get -y install msfpc
apt-get -y install mysqloit
apt-get -y install mz
apt-get -y install nbtscan
apt-get -y install ncftp
apt-get -y install ncurses-dev
apt-get -y install netcat-traditional
apt-get -y install netdiscover
apt-get -y install netrw
apt-get -y install netsed
apt-get -y install netwag
apt-get -y install netwox
apt-get -y install nikto
apt-get -y install nmap
apt-get -y install nmapsi4
apt-get -y install nstreams
apt-get -y install obexftp
apt-get -y install onesixtyone
apt-get -y install openssl
apt-get -y install openvpn
apt-get -y install ophcrack
apt-get -y install ophcrack-cli
apt-get -y install otp
apt-get -y install p0f
apt-get -y install p7zip-full
apt-get -y install packeth
apt-get -y install packit
apt-get -y install pbnj
apt-get -y install pdfcrack
apt-get -y install pentbox
apt-get -y install php
apt-get -y install pnscan
apt-get -y install postgresql
apt-get -y install postgresql-contrib
apt-get -y install powertop
apt-get -y install proxychains
apt-get -y install pscan
apt-get -y install psmisc
apt-get -y install ptunnel
apt-get -y install pure-ftpd
apt-get -y install pv
apt-get -y install pwgen
apt-get -y install python-m2crypto
apt-get -y install python-pip
apt-get -y install ranger
apt-get -y install rar
apt-get -y install ratproxy
apt-get -y install reaver
apt-get -y install remmina
apt-get -y install remmina-plugin-rdp
apt-get -y install remmina-plugin-vnc
apt-get -y install responder
apt-get -y install rsh-client
apt-get -y install ruby
apt-get -y install screen
apt-get -y install scrub
apt-get -y install seclists
apt-get -y install secure-delete
apt-get -y install sendemail
apt-get -y install s.e.t
apt-get -y install shellter
apt-get -y install shutter
apt-get -y install siege
apt-get -y install silversearcher-ag
apt-get -y install sipcrack
apt-get -y install sipvicious
apt-get -y install skipfish
apt-get -y install smbmap
apt-get -y install socat
apt-get -y install spectacle
apt-get -y install splint
apt-get -y install sqlbrute
apt-get -y install sqlite3
apt-get -y install sqlmap
apt-get -y install sqlninja
apt-get -y install sshuttle
apt-get -y install ssldump
apt-get -y install sslscan
apt-get -y install sslsniff
apt-get -y install sslstrip
apt-get -y install stunnel
apt-get -y install stunnel4
apt-get -y install subnetcalc
apt-get -y install swaks
apt-get -y install tcpdump
apt-get -y install tcpflow
apt-get -y install tcpick
apt-get -y install tcpreplay
apt-get -y install tcpslice
apt-get -y install tcpspy
apt-get -y install tcptrace
apt-get -y install tcpxtract
apt-get -y install testssl.sh
apt-get -y install tftpd
apt-get -y install theHarvester
apt-get -y install tinyproxy
apt-get -y install tmux
apt-get -y install tor
apt-get -y install torbrowser-launcher
apt-get -y install u3-tool
apt-get -y install udptunnel
apt-get -y install unace
apt-get -y install unicornscan
apt-get -y install unrar
apt-get -y install unzip
apt-get -y install upx-ucl
apt-get -y install ussp-push
apt-get -y install veil-evasion
apt-get -y install vidalia
apt-get -y install vinetto
apt-get -y install vlc
apt-get -y install vncviewer
apt-get -y install voiphopper
apt-get -y install voipong
apt-get -y install vsftpd
apt-get -y install w3af
apt-get -y install w3af-console
apt-get -y install w3m
apt-get -y install wapiti
apt-get -y install wash
apt-get -y install wavemon
apt-get -y install wbox
apt-get -y install webacoo
apt-get -y install webhttrack
apt-get -y install webshells
apt-get -y install weplab
apt-get -y install wfuzz
apt-get -y install wget
apt-get -y install wifite
apt-get -y install windows-binaries
apt-get -y install wine
apt-get -y install wine32
apt-get -y install wipe
apt-get -y install wireshark
apt-get -y install wordlists
apt-get -y install xinetd
apt-get -y install xprobe
apt-get -y install yersinia
apt-get -y install zenmap
apt-get -y install zerofree
apt-get -y install zip
apt-get -y install zlib1g
apt-get -y install zlib1g-dev
apt-get -y install zzuf

Once you have finished installing the tools, remove the Kali repo from your sources.list and refresh the package lists

nano /etc/apt/sources.list
apt-get update

Install VPN

Download the Express VPN Raspbian installer

cd /root/BugBounty/Tools
wget https://download.expressvpn.xyz/clients/linux/expressvpn_2.0.0-1_armhf.deb
dpkg -i expressvpn_2.0.0-1_armhf.deb

Activate with your Express VPN activation code from the portal

expressvpn activate

Connect to the VPN and check your current IP address

expressvpn connect
curl ifconfig.co

Once connected, perform a speed test

curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python -

Switch servers until you get one with a decent speed.

expressvpn connect "Germany"

Create script for scanning

cd /root/BugBounty
touch AutoScan
chmod +x AutoScan

Then open AutoScan in your editor and paste in the script below.

#!/bin/bash
# Banner: a quoted heredoc passes the backslashes and quotes in the ASCII art
# through literally (the original used echo with a multi-line double-quoted string)
cat <<'EOF'
_ _
(_) | |
_ _ __ ___ ___ ___| |
| | '_ \/ __|/ _ \/ __| __|
| | | | \__ \ __/ (__| |
|_|_| |_|___/\___|\___|\__|v1.0
Bug Bounty Scanner - jdksec 2019
EOF
echo "---------------------------------------------------------------"
echo "[+] Enter Targets name: "
echo "---------------------------------------------------------------"
read -p "" file
# refuse empty names and names that would escape the Scans directory
case "$file" in ""|*/*|*..*) echo "[-] Invalid target name"; exit 1;; esac
mkdir -p "/root/BugBounty/Scans/$file"
cd "/root/BugBounty/Scans/$file" || exit 1
read -p "[+] Press enter to add your targets:" null
nano ./Targets.txt
cat Targets.txt > Whois.txt
echo "[+] Ensure you are in a tmux session and have configured your scans!"
sleep 10
echo "[+] VPN Connection status:" | tee -a Scanner.log
expressvpn status | tee -a Scanner.log
echo "[+] Your current IP address is: " | tee -a Scanner.log
curl ifconfig.co | tee -a Scanner.log
echo "[+] Performing speedtest: " | tee -a Scanner.log
curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python - | tee -a Scanner.log
echo "[+] Continuing with current connection in 10 seconds: "
sleep 10
echo "[+] Subdomain Bruteforce started $(date)" | tee -a Scanner.log
for Target in $(cat Targets.txt)
do
#Uncomment the scan you want
gobuster -m dns -w /root/BugBounty/Tools/Payloads/Subdomains-Small.lst -u $Target -i | tee -a Scanner.log | tee -a Subdomains.lst
#gobuster -m dns -w /root/BugBounty/Tools/Payloads/Subdomains-Medium.lst -u $Target -i | tee -a Scanner.log | tee -a Subdomains.lst
#gobuster -m dns -w /root/BugBounty/Tools/Payloads/Subdomains-Large.lst -u $Target -i | tee -a Scanner.log | tee -a Subdomains.lst
done
cat Targets.txt >> Targets.tmp
cat Subdomains.lst | grep Found | cut -d " " -f 2 >> Targets.tmp
cat Targets.tmp | sort -u > Targets.txt
rm Targets.tmp
echo "[+] The following Targets will be scanned:" | tee -a Scanner.log
cat Targets.txt | tee -a Scanner.log
echo "[+] Checking ownership: " | tee -a Scanner.log
sleep 10
for Target in $(cat Whois.txt)
do
echo "$Target" | tee -a Ownership.txt | tee -a Scanner.log
whois "$Target" | grep -E "Registrant Organization:|Admin Organization:|Registrant Email:|Admin Email:" | tee -a Ownership.txt | tee -a Scanner.log
sleep 1
done
echo "[+] Resolving IP addresses for Masscan" | tee -a Scanner.log
for i in $(cat Targets.txt)
do host $i| awk '/has address/ {print $4}' | tee -a IPs.tmp
done
cat IPs.tmp | sort -u > IPs.txt
rm IPs.tmp
echo "[+] Scanning with Masscan:" | tee -a Scanner.log
masscan -iL IPs.txt -p10000,10243,1025,1026,1029,1030,1033,1034,1036,1038,110,1100,111,1111,113,119,123,135,137,139,143,1433,1434,1521,15567,161,1748,1754,1808,1809,199,20048,2030,2049,21,2100,22,22000,2222,23,25,25565,27900,2869,3128,3268,3269,32768,32843,32844,32846,3306,3339,3366,3372,3389,3573,35826,3632,36581,389,4190,43862,43871,44048,443,4443,4445,445,45295,4555,4559,464,47001,49152,49153,49154,49155,49156,49157,49158,49159,49160,49165,49171,49182,49327,49664,49665,49666,49667,49668,49669,49670,5000,5038,53,5353,5357,54987,55030,55035,55066,55067,55097,55104,55114,55116,55121,55138,55146,55167,55184,5722,5800,58633,587,5900,59010,59195,593,5985,6001,6002,6003,6004,6005,6006,6007,6008,6010,6011,6019,6144,631,636,64327,64337,6532,7411,745,7778,80,82,83,84,85,86,87,8000,8014,808,8080,81,8192,8228,88,8443,8008,8888,9389,9505,993,995 | tee -a MasscanList.txt
#masscan -iL IPs.txt -p0-1024 | tee -a MasscanList.txt
#masscan -iL IPs.txt -p0-10000 | tee -a MasscanList.txt
#masscan -iL IPs.txt -p0-65535 | tee -a MasscanList.txt
echo "[+] Services found:" | tee -a Scanner.log
cat MasscanList.txt | grep Discovered | awk '{print $6":"$4}' | cut -d "/" -f 1 | tee -a Scanner.log
echo "[+] Starting scans" | tee -a Scanner.log
for Target in $(cat Targets.txt)
do
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "[+] $Target - Scanned: $(date)" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "[+] TCP Scan Started: $(date)" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
#Uncomment the scan you want
#Super fast scan
nmap -Pn -sSVC -p 10000,10243,1025,1026,1029,1030,1033,1034,1036,1038,110,1100,111,1111,113,119,123,135,137,139,143,1433,1434,1521,15567,161,1748,1754,1808,1809,199,20048,2030,2049,21,2100,22,22000,2222,23,25,25565,27900,2869,3128,3268,3269,32768,32843,32844,32846,3306,3339,3366,3372,3389,3573,35826,3632,36581,389,4190,43862,43871,44048,443,4443,4445,445,45295,4555,4559,464,47001,49152,49153,49154,49155,49156,49157,49158,49159,49160,49165,49171,49182,49327,49664,49665,49666,49667,49668,49669,49670,5000,5038,53,5353,5357,54987,55030,55035,55066,55067,55097,55104,55114,55116,55121,55138,55146,55167,55184,5722,5800,58633,587,5900,59010,59195,593,5985,6001,6002,6003,6004,6005,6006,6007,6008,6010,6011,6019,6144,631,636,64327,64337,6532,7411,745,7778,80,82,83,84,85,86,87,8000,8014,808,8080,81,8192,8228,88,8443,8008,8888,9389,9505,993,995 -oN $Target-01-NmapTCP.txt $Target | tee -a Scanner.log
#Fast scan
#nmap -Pn -sSVC --top-ports 1000 -oN $Target-01-NmapTCP.txt $Target | tee -a Scanner.log
#Full scan
#nmap -Pn -sSVC -p- -oN $Target-01-NmapTCP.txt $Target | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "[+] UDP Scan Started: $(date)" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
#Uncomment the scan you want
#Fast scan
nmap -sUV -sC --top-ports 10 -oN $Target-02-NmapUDP.txt $Target | tee -a Scanner.log
#Deep scan
#nmap -sUV -sC --top-ports 200 -oN $Target-02-NmapUDP.txt $Target | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "[+] Nikto Scan Started: $(date)" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
nikto -maxtime 10m -ask no -p 80,443 -h $Target | tee $Target-03-Nikto.txt | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "[+] SSL Scan Started: $(date)" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
# the original pipeline ended in grep -v " ", which discarded every line the preceding grep had just selected
sslscan --no-colour --show-certificate "$Target" | grep -E "Signature Algorithm:|Altnames: |Heartbleed" | tee "$Target-04-SSLScan.txt" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "[+] Directory Scan Started: $(date)" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
#Uncomment the size of the dictionary you want
#Small wordlist
gobuster -u http://$Target/ -w /root/BugBounty/Tools/Payloads/DirectoryList-Small.lst -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
gobuster -k -u https://$Target/ -w /root/BugBounty/Tools/Payloads/DirectoryList-Small.lst -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
#Medium Wordlist
#gobuster -u http://$Target/ -w /root/BugBounty/Tools/Payloads/DirectoryList-Medium.lst -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
#gobuster -k -u https://$Target/ -w /root/BugBounty/Tools/Payloads/DirectoryList-Medium.lst -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
#Large Wordlist
#gobuster -u http://$Target/ -w /root/BugBounty/Tools/Payloads/DirectoryList-Large.lst -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
#gobuster -k -u https://$Target/ -w /root/BugBounty/Tools/Payloads/DirectoryList-Large.lst -q -e -t 10 | tee -a $Target-05-Directories.txt | tee -a Scanner.log
done
for Target in $(cat Targets.txt)
do
cat $Target-01-NmapTCP.txt | grep /tcp | grep open >> "$Target"_Ports.txt 2> /dev/null
cat $Target-02-NmapUDP.txt | grep /udp | grep open | grep -v filtered >> "$Target"_Ports.txt 2> /dev/null
# each line of the port file is one nmap result line ("80/tcp open http ...")
while IFS= read -r port
do
echo "$Target:$port" >> ServicesList.txt
done < "$Target"_Ports.txt
rm "$Target"_Ports.txt
done
echo
echo "---------------------------------------------------------------" | tee -a Scanner.log
echo "[+] The following services were found:" | tee -a Scanner.log
echo "---------------------------------------------------------------" | tee -a Scanner.log
cat ServicesList.txt | tee -a Scanner.log
echo "[+] Generating post scan script"
cat ServicesList.txt | grep open | grep http | grep -v ssl | cut -d "/" -f 1 >> HTTPServices.txt
cat ServicesList.txt | grep open | grep https | grep -v ":80/" | cut -d "/" -f 1 >> HTTPSServices.txt
touch PostScan.sh
echo "#!/bin/bash" >> PostScan.sh
echo "read -p 'Open burpsuite & firefox and turn off intercept'" >> PostScan.sh
chmod +x PostScan.sh
for i in $(cat HTTPServices.txt)
do
echo "firefox http://$i" >> PostScan.sh
echo "sleep 2" >> PostScan.sh
done
for i in $(cat HTTPSServices.txt)
do
echo "firefox https://$i" >> PostScan.sh
echo "sleep 2" >> PostScan.sh
done
# archive the finished scan into /root/BugBounty/Completed (the script is still inside Scans/$file here)
cd /root/BugBounty/Scans || exit 1
zip -r "../Completed/$file.zip" "$file"

Link

https://raw.githubusercontent.com/jdksec/Tools/master/AutoScan
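The AutoScan script above builds its ServicesList, HTTPServices and HTTPSServices files by chaining grep and cut over the nmap output files. The following is an added example, not part of the original page or the AutoScan script, that does the same conversion with two small functions and handles the two cases the grep chain mishandles: "open|filtered" UDP ports (nmap reports these when no reply came back, so they are not confirmed open) and HTTPS services that nmap -sV labels "ssl/http" rather than "https". The host scanme.example, the address 192.0.2.10 and the nmap lines are constructed sample data.

```shell
#!/bin/bash
# Added example (not from the original AutoScan script): parse nmap -oN output
# into "host:port/proto service" lines and split out plain-HTTP and HTTPS targets.

# Constructed sample output in nmap -oN format for a hypothetical host.
SAMPLE_TCP='# Nmap 7.80 scan initiated
Nmap scan report for scanme.example (192.0.2.10)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open     http       nginx 1.14.2
443/tcp  open     ssl/http   nginx 1.14.2
8080/tcp filtered http-proxy
8443/tcp open     https-alt'
SAMPLE_UDP='PORT    STATE         SERVICE
53/udp  open          domain
123/udp open|filtered ntp'

# services_from_nmap HOST < nmap-output
# Prints "HOST:PORT/PROTO SERVICE" only for ports whose STATE is exactly "open",
# so "filtered" and "open|filtered" rows are dropped.
services_from_nmap() {
  awk -v host="$1" '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print host ":" $1 " " $3 }'
}

# classify_http < service-lines
# Emits "http HOST:PORT" or "https HOST:PORT" for web services; anything else is dropped.
# "ssl/http", "https" and "https-alt" all count as HTTPS; the page's grep for "https"
# would miss the "ssl/http" form.
classify_http() {
  awk '{
    split($1, hp, "/"); target = hp[1]; svc = $2
    if (svc ~ /^ssl\// || svc ~ /^https/) print "https " target
    else if (svc ~ /^http/) print "http " target
  }'
}

# all_services HOST: feed both sample files (TCP then UDP) through the parser.
all_services() {
  { printf "%s\n" "$SAMPLE_TCP"; printf "%s\n" "$SAMPLE_UDP"; } | services_from_nmap "$1"
}

all_services scanme.example
all_services scanme.example | classify_http
```

For the real scanner, replace the two sample strings with the contents of $Target-01-NmapTCP.txt and $Target-02-NmapUDP.txt and append the classify_http output to the HTTPServices and HTTPSServices files.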

Test out the scanner against a host on HackerOne or BugCrowd

Map the bot to a remote server so you can use it remotely

Create the following service on the Pi

nano /etc/systemd/system/autossh.service

Enter the following, replacing DIGITALOCEANIP with your server's address

[Unit]
Description=AutoSSH Tunnel
After=network.target
[Service]
User=root
# tell autossh it is supervised, so a failed first connection attempt is retried instead of being treated as fatal
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 root@DIGITALOCEANIP -p 22 -o "ExitOnForwardFailure=yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -N -R 2491:localhost:22
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target

Generate ssh keys and copy to remote server

ssh-keygen
ssh-copy-id root@DIGITALOCEANIP

Start the autossh service and check it works

systemctl daemon-reload
systemctl start autossh.service
systemctl status autossh.service

Now log in to your DigitalOcean server and check that the Pi's SSH port is mapped locally (the reverse tunnel binds port 2491 on the server's loopback interface by default, so it is reachable only from the server itself)

Check you can login via the digital ocean server to your scan bot

ssh root@127.0.0.1 -p 2491

Enter your password and you should now be connected to the Raspberry Pi remotely

Now enable the service so it is persistent

systemctl enable autossh.service

Happy scanning!