
Bug bounty self-study notes 1 (common tools)

梁丘凯定
2023-12-01

I heard that bug bounty hunting has become popular recently, so I wanted to find some videos on YouTube to teach myself and keep a few study notes.

  1. Which virtualization software to choose
  • VirtualBox: free and open source, a good place to start (the base package is GPL-licensed; only the optional Extension Pack is under a separate license that is free for personal use)
  • VMware (60-day free trial)
  2. Scanning tools
    To avoid getting your IP blocked, pick your scanning tools carefully and keep the scan rate as low as practical.
  • Nmap (Network Mapper) is a network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

  • ffuf is a fast web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing.

  • DIRB is a Web Content Scanner. It looks for existing (and/or hidden) web objects. It basically works by launching a dictionary-based attack against a web server and analyzing the responses (slow, but safe).

  • SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more

  • Shodan is a search engine that lets users search for various types of servers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.

  • Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

  • bgp.he.net: look up ASNs. An AS number is an Autonomous System Number, the identifier of an autonomous system, which lets you map an organisation to the IP ranges it announces.

  • Cherrytree - A hierarchical note taking application, featuring rich text and syntax highlighting, storing data in a single xml or sqlite file.

  • Bug bounty checklists: a quick web search turns up plenty.

  • dig: zone transfers with dig. As with nslookup, you can use dig to initiate zone transfers. Unlike nslookup, though, dig has no special command to request a zone transfer. Instead, you simply specify axfr (as the query type) and the domain name of the zone as arguments, and query each authoritative name server in turn. Properly configured servers refuse AXFR to unauthorised clients, so a server that hands over the whole zone is a finding in itself (and a complete list of its hostnames).

  • nslookup is a network administration command-line tool for querying the Domain Name System to obtain the mapping between domain name and IP address, or other DNS records.

  • whois: a WHOIS look-up shows the current registration and ownership details of any registered domain name (registrar, name servers, creation and expiry dates, and contact details where they are not redacted).

  • theHarvester – is a command-line tool included in Kali Linux that acts as a wrapper for a variety of search engines and is used to find email accounts, subdomain names, virtual hosts, open ports / banners, and employee names related to a domain from different public sources (such as search engines and PGP key servers).

  • crt.sh is a search interface over the public Certificate Transparency logs. Querying a domain lists the SSL/TLS certificates issued for it and its subdomains, which makes it one of the best sources of subdomain names and cert info.

  • The Wayback Machine is a digital archive of the World Wide Web run by the Internet Archive. It allows the user to go "back in time" and see how websites looked in the past, including old endpoints and parameters that may no longer be linked.

  • tomnomnom's tools include:

    • waybackurls:Fetch all the URLs that the Wayback Machine knows about for a domain

    • httprobe:Take a list of domains and probe for working HTTP and HTTPS servers

  • Amass : In-depth Attack Surface Mapping and Asset Discovery

  • Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask.

  • Tenet (HTB) provided a very straightforward deserialization attack to get a foothold and a race-condition attack to get root. Both are the kinds of attacks seen more commonly on hard- and insane-rated boxes, but here at medium difficulty.

  • w3techs.com: web technology usage statistics (which servers, CMSs and frameworks sites run).

  • The WPScan CLI tool is a free (for non-commercial use) black-box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites. It draws on the WPScan vulnerability database (38,440 WordPress vulnerabilities listed).
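As an added example (not code from the original post, nor from the dig, crt.sh, httprobe or nmap projects), the shell helpers below tie a few of these tools together: normalizing crt.sh output into a host list, deciding whether a dig AXFR attempt actually transferred the zone, and a rate-limited nmap invocation that follows the note above about slowing scans down. example.com, the ns*.example.com servers, 192.0.2.10 and the sample tool output are assumptions/constructed; the two parsing functions run offline on such sample text, while the network functions need a target you are authorised to test.

```shell
#!/bin/sh
# Added example for these notes, not code from the original post or from the
# dig/crt.sh/httprobe/nmap projects. example.com, ns*.example.com and
# 192.0.2.10 are placeholders (assumed); sample outputs used with these
# functions are constructed to resemble real tool output.

# Normalize certificate names (one per line, as crt.sh's JSON "name_value"
# field yields after `jq -r '.[].name_value'`) into a unique lowercase host
# list: wildcard labels are stripped and blank lines dropped.
normalize_hosts() {
    tr 'A-Z' 'a-z' \
      | sed -e 's/^\*\.//' -e '/^[[:space:]]*$/d' \
      | LC_ALL=C sort -u
}

# Decide whether the `dig axfr` output on stdin is a real zone transfer.
# A complete AXFR answer is bracketed by two SOA records; a server that
# refuses prints "; Transfer failed." and no records, and an unreachable one
# prints nothing useful. Returns 0 only for a transferred zone.
axfr_succeeded() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        return 1
    fi
    soa_count=$(printf '%s\n' "$out" | grep -c 'IN[[:space:]][[:space:]]*SOA' || true)
    [ "$soa_count" -ge 2 ]
}

# Try AXFR against every authoritative server of a zone. Most servers refuse
# this for unauthorised clients, so a success is itself a finding.
# Network access required.
try_axfr() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        if dig axfr "$zone" "@$ns" | axfr_succeeded; then
            echo "AXFR allowed by $ns for $zone"
        else
            echo "AXFR refused by $ns for $zone"
        fi
    done
}

# Polite port scan, following the note above about slowing scans down:
# -T2 is nmap's "polite" timing template, --max-rate caps packets per second,
# --scan-delay spaces out probes, -Pn skips host discovery, and -oA writes
# the normal, grepable and XML reports. Network access required.
slow_scan() {
    nmap -T2 --max-rate 10 --scan-delay 1s -Pn --top-ports 1000 -oA "scan-$1" "$1"
}

# Typical use (network):
#   curl -s 'https://crt.sh/?q=%25.example.com&output=json' \
#     | jq -r '.[].name_value' | normalize_hosts > hosts.txt
#   httprobe < hosts.txt > live.txt
#   try_axfr example.com
#   slow_scan www.example.com
```

normalize_hosts matters because crt.sh returns wildcard and mixed-case names and the same host many times; feeding the raw list to httprobe or nmap multiplies the traffic that gets your IP blocked. axfr_succeeded counts SOA records rather than just checking dig's exit status, because dig exits 0 even when the server refuses the transfer.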

  3. Where beginners can find programs
    hackerone.com: program directory

  4. Practice

Capture the Flag (CTF) in computer security is an exercise in which “flags” are secretly hidden in purposefully-vulnerable programs or websites. It can either be for competitive or educational purposes.

Hacker101
OverTheWire - Natas
