recon-and-methodology

仓库: yaklang/hack-skills
安装量: 222
排名: #9286

安装

npx skills add https://github.com/yaklang/hack-skills --skill recon-and-methodology
SKILL: Recon and Methodology — Expert Bug Bounty Playbook
AI LOAD INSTRUCTION
Systematic recon and bug-finding methodology from top bug hunters. Covers subdomain enumeration, endpoint discovery, tech fingerprinting, and the hunter's mental model for finding bugs that others miss. Key insight: most high-severity bugs are found through systematic coverage, not just clever payloads. 1. RECON HIERARCHY Target Selection └── Scope Definition (in-scope assets) └── Asset Discovery (subdomains, IPs, domains) └── Tech Fingerprinting (what's running) └── Endpoint Discovery (attack surface) └── Vulnerability Testing (per vulnerability type) 2. SUBDOMAIN ENUMERATION (CRITICAL FIRST STEP) Passive (no DNS queries to target)

Subfinder (aggregates multiple sources):

subfinder -d target.com -o subdomains.txt

Amass passive:

amass enum -passive -d target.com

Certsh (certificate transparency):

curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u

SecurityTrails API, Shodan:

Web: https://securitytrails.com/list/apex_domain/target.com

Active (DNS brute force + resolution)

Massdns + wordlist:

massdns -r /path/to/resolvers.txt -t A -o S -w output.txt \ < ( cat wordlist.txt | sed 's/$/.target.com/' )

ffuf for subdomain brute:

ffuf -w subdomains-wordlist.txt -u https://FUZZ.target.com \ -mc 200,301 ,302,403 -H "Host: FUZZ.target.com"

DNSx for bulk resolution:

cat subdomains.txt | dnsx -a -resp -o resolved.txt

Recommended wordlist: SecLists/Discovery/DNS/

Virtual Host Discovery

ffuf vhost mode:

ffuf -w wordlist.txt -u https://target.com \ -H "Host: FUZZ.target.com" -mc 200,301 ,403

gobuster vhost:

gobuster vhost -u https://target.com -w wordlist.txt 3. SERVICE AND PORT DISCOVERY

Fast port scan (common ports):

nmap -T4 -F target.com -oN ports.txt

Comprehensive scan on resolved subdomains:

cat resolved_ips.txt | nmap -iL - --open -p 80,443 ,8080,8443,8888,3000,5000 -oG scan.txt

httpx for HTTP probing:

cat subdomains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt

masscan for speed on large IP ranges:

masscan -p 80,443 ,8080,8443 10.0 .0.0/8 --rate = 1000 4. WEB TECHNOLOGY FINGERPRINTING

Wappalyzer (browser extension) or:

whatweb https://target.com

httpx with tech detection:

httpx -u https://target.com -tech-detect

Check headers manually:

curl -sI https://target.com | grep -i "server|x-powered-by|x-generator|cf-ray"

Fingerprint from:

  • Server header: nginx/1.18, Apache/2.4, IIS/10.0
  • X-Powered-By: PHP/7.4, ASP.NET
  • Cookies: PHPSESSID ( PHP ) , JSESSIONID ( Java ) , _rails_session ( Rails )
  • HTML comments: < ! -- Drupal 9 --
  • Meta generator: < meta name = "generator" content = "WordPress 6.2"
  • JS framework files: /static/js/angular.min.js
  • ENDPOINT DISCOVERY Directory Brute Force

ffuf (fastest):

ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \ -mc 200,301 ,302,403 -t 50 -o dirs.txt

Gobuster:

gobuster dir -u https://target.com -w wordlist.txt -x php,html,js,json

feroxbuster (recursive):

feroxbuster -u https://target.com -w wordlist.txt -x php,html,txt -r Parameter Discovery

Arjun (hidden parameter finder):

arjun -u https://target.com/api/endpoint

x8:

x8 -u https://target.com/api/endpoint -w params-wordlist.txt JavaScript Source Mining

Extract endpoints from JS files:

gau target.com | grep '.js$' | httpx -mc 200 | xargs -I { } curl -s { } | \ grep -oE '"/[a-zA-Z0-9/_-]+"' | sort -u

LinkFinder:

python3 linkfinder.py -i https://target.com -d -o output.html

GetAllURLs (gau):

gau target.com | sort -u

all_urls.txt

Wayback URLs:

waybackurls target.com | sort -u

wayback_urls.txt API Endpoint Discovery

Common API paths:

ffuf -u https://target.com/FUZZ -w /SecLists/Discovery/Web-Content/api/api-endpoints.txt

Swagger/OpenAPI:

test: /swagger.json /api-docs /openapi.json /v2/api-docs /.well-known/ /docs/

GraphQL:

test: /graphql /gql /v1/graphql /api/graphql 6. SOURCE CODE RECON GitHub / GitLab Exposure

trufflehog (secret scanner in git history):

trufflehog git https://github.com/target-org/target-repo

gitleaks:

gitleaks detect --source /path/to/cloned/repo

Manual GitHub search:

site:github.com "target.com" "api_key" OR "secret" OR "password"

site:github.com "target.com" ".env" OR "config.php" OR "db_password"

GitHub dorks:

"target.com" extension:env

"target.com" filename:*.config password

org:target-org secret OR password OR apikey

Exposed Environment Files

Check common paths:

https://target.com/.env https://target.com/.git/config https://target.com/config.json https://target.com/config.yaml https://target.com/credentials.json https://target.com/secrets.json https://target.com/wp-config.php https://target.com/backup.sql https://target.com/backup.zip 7. ZSEANO'S TESTING METHODOLOGY Core Philosophy Go deep on one program rather than spread across many — learn the application thoroughly Build a profile of the company — tech stack, developers, processes Look where others don't — check error pages, admin paths, old versions, mobile API Follow the filter — if input is filtered somewhere, that functionality exists and may be bypassed Testing Sequence (One Page / Feature) For each input point: 1. Non-malicious HTML tags (

, ) → are they reflected? 2. Incomplete tags → what happens? (<iframe src=//evil.com ) 3. Encoding tests → %0d, %0a, %09, <%00 4. Observe the OUTPUT too (not just response) — where does your input appear? 5. Test same input in ALL similarly-structured pages (shared code → shared vuln) 6. Check if the same parameter exists in mobile/API endpoint (less protected) Parameter Insights - Each parameter tells a story: "what does this do server-side?" - Filename → OS interaction → Path Traversal / CMDi - URL/location → HTTP fetch → SSRF - Template/HTML parameter → render function → SSTI - XML field → parser → XXE - SQL filter → query → SQLi - User-content → storage → Stored XSS 8. BUG BOUNTY PROGRAM TRIAGE (WHERE TO SPEND TIME) High-Value Target Selection ✓ Programs with large scope (*.target.com) ✓ Programs that pay for P2/P3 (not just RCE) ✓ Programs with recent tech changes (migrations = new bugs) ✓ Programs with active development (new features = new attack surface) × Avoid: frozen/old codebases with well-known CVEs (already claimed) × Avoid: strict programs with narrow scope (less surface) High-Value Feature Focus (by bug probability) Priority 1: Authentication, password reset, 2FA → account takeover Priority 2: File upload, profile edit, API endpoints → stored XSS, IDOR Priority 3: Admin panels, user management → BFLA, privilege escalation Priority 4: Payment flows, subscription → business logic Priority 5: Import/export, template rendering → XXE, SSTI 9. NUCLEI TEMPLATES (AUTOMATED SCANNING)

Run all on target:

nuclei -u https://target.com -t /nuclei-templates/ -o nuclei-results.txt

Specific categories:

nuclei -u https://target.com -t cves/ -severity critical,high nuclei -u https://target.com -t exposures/ nuclei -u https://target.com -t misconfiguration/

On subdomain list:

cat subdomains.txt | nuclei -t exposures/ -t misconfiguration/ -o exposed.txt 10. COMMON MISCONFIGURATIONS (QUICK WINS) □ CORS: Access-Control-Allow-Origin: * with credentials → CSRF + data theft □ S3 bucket public: curl https://target.s3.amazonaws.com/ □ Directory listing: response contains "Index of /" □ .git exposed: curl https://target.com/.git/config □ .env exposed: curl https://target.com/.env □ Debug mode: stack traces in production (source code exposure) □ Default credentials: admin:admin, admin:password on admin panels □ phpinfo.php: curl https://target.com/phpinfo.php □ Backup files: config.bak, database.sql.gz, app.zip □ GraphQL introspection enabled: POST /graphql {"query":"{__schema{types{name}}}"} □ Admin panels: /admin /manager /console /phpmyadmin /wp-admin 11. QUICK REFERENCE TOOLS Category Tool Subdomain enum subfinder, amass, massdns Port scan nmap, masscan HTTP probe httpx Dir brute ffuf, feroxbuster, gobuster JS mining LinkFinder, gau, waybackurls Secret scan trufflehog, gitleaks Parameter fuzz arjun, x8 Vuln scan nuclei Proxy/intercept Burp Suite Pro JWT attacks jwt_tool SQLi sqlmap XSS dalfox, XSStrike SSRF SSRFmap, Gopherus 12. JAVA MIDDLEWARE FINGERPRINT MATRIX Middleware Detection Path Key Indicators Apache Tomcat /manager/html , /manager/status Default creds: tomcat:tomcat , admin:admin JBoss / WildFly /jmx-console/ , /web-console/ JMX MBean access, WAR deployment WebLogic /console/ , /wls-wsat/ T3 protocol on 7001/7002, IIOP Spring Boot Actuator /actuator/ , /actuator/env , /actuator/heapdump JSON endpoint listing, heap dump contains secrets Spring Boot (alt paths) /actuator/jolokia , /actuator/gateway/routes Jolokia JMX bridge, Gateway route injection Jenkins /script , /manage Groovy console, API token in cookie GlassFish /common/ , /theme/ Admin on 4848, default empty password Jetty /jolokia/ JMX access Resin /resin-admin/ Admin panel Spring Boot Actuator Exploitation Priority /actuator/env → Leak environment variables (DB creds, API keys) /actuator/heapdump → Download JVM heap → search for passwords in memory /actuator/jolokia → JMX → possible RCE via MBean manipulation /actuator/gateway/routes → Spring Cloud Gateway → SpEL injection (CVE-2022-22947) /actuator/configprops → All configuration properties /actuator/mappings → All URL mappings (hidden endpoints) /actuator/beans → All Spring beans /actuator/shutdown → POST to shutdown application (DoS) 13. INFORMATION LEAK DETECTION CHECKLIST Version Control & Backup Leaks /.git/HEAD → Git repository exposed /.svn/entries → SVN metadata /.svn/wc.db → SVN SQLite database /.hg/requires → Mercurial /.bzr/README → Bazaar /.DS_Store → macOS directory listing Backup File Patterns /backup.zip /backup.tar.gz /backup.sql /wwwroot.rar /www.zip /web.zip /db.sql /database.sql /dump.sql /config.php.bak /config.php~ /config.php.swp /.config.php.swp /wp-config.php.bak /.env /.env.bak /.env.production API Documentation & Debug /swagger-ui.html → Swagger/OpenAPI /swagger-ui/ → Swagger UI /api-docs → API documentation /graphql → GraphQL playground /graphiql → GraphQL IDE /debug/ → Debug endpoints /phpinfo.php → PHP configuration /server-status → Apache status /server-info → Apache info /nginx_status → Nginx status Cloud & Infrastructure /.aws/credentials → AWS credentials /.docker/config.json → Docker registry auth /robots.txt → Disallowed paths (hint list) /sitemap.xml → Full URL listing /crossdomain.xml → Flash cross-domain policy /.well-known/ → Various well-known URIs

返回排行榜