Resources-for-Beginner-Bug-.../assets/tools.md
Ben Sadeghipoour 89af61c6ef 2023 Updates
2023-03-07 15:26:20 -08:00

14 KiB

Resources-for-Beginner-Bug-Bounty-Hunters

Tools 🧰

Here you can find links to a bunch of useful tools for Bug Bounty Hunting.

Table of Contents

  1. Proxy & Network Sniffer
  2. Burp Extensions
  3. Recon, OSINT & Discovery
  4. Exploitation
  5. Scanners
  6. Mobile Hacking
  7. Notes & Organization
  8. Others

Proxy & Network Sniffer

Name Description Written in Created by
Burp Suite A Proxy to intercept and manipulate Web Traffic (free & paid version). Here you can find Tips & Tricks to get started with Burp. Java Port Swigger
OWASP Zap Proxy A Proxy to intercept and manipulate Web Traffic (free). Java OWASP
Caido A lightweight web security auditing toolkit. Web Caido
Wireshark Wireshark is a network protocol analyzer that lets you capture and read network packets. C, C++ The Wireshark team

Burp Extension

Name Description Written in
Logger++ "This extension can be used to log the requests and responses made by all Burp tools, and display them in a sortable table. It can also save the logged data in CSV format." Java
AuthMatrix "AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modeling methodologies." Python (Needs Jython version 2.7.0 or later)
Autorize "Autorize is an extension aimed at helping the penetration tester to detect authorization vulnerabilities..." Python (Needs Jython)
Autorize "Autorize is an extension aimed at helping the penetration tester to detect authorization vulnerabilities..." Python (Needs Jython)
Burp Bounty "Burp Bounty helps Burp Suite Professional users to quickly and easily build their own scan checks for use with Burp Scanner"
Param Miner "Built to identify hidden, unlinked parameters, Param Miner is very useful when hunting for web cache poisoning vulnerabilities"

Asset Discovery

Name Description
Amass Uses a variety of different techniques to gather subdomains and can build a network map of the target. Very good export options.
BuiltWith A very handy Browser Extension (for Chrome, Firefox) that checks for more than 18,000 types of internet technologies. Gives you a very quick glance on what a Web Application is built.
subfinder subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.
dnsgen generates a combination of domain names from the provided input.

Fuzzing

Name Description
FFuF A very fast Fuzzing Tool to brute force directories or other parameters. Highly configurable.
dirsearch dirsearch is a simple command-line tool designed to brute force directories and files in websites
FeroxBuster A simple, fast, recursive content discovery tool written in Rust

Content Discovery

Name Description
meg meg is a tool for fetching lots of URLs but still being 'nice' to servers. It can be used to fetch many paths for many hosts; fetching one path for all hosts before moving on to the next path and repeating.
httpx A fast and multi-purpose HTTP toolkit that allows running multiple probes.
hakrawler hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files
nuclei "Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use."
waybackurls Fetch all the URLs that the Wayback Machine knows about for a domain

Recon Framework

Name Description
meg Automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.
sn1per Discover hidden assets and vulnerabilities in your environment.
Spiderfoot An open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.
reNgine reNgine is a web application reconnaissance suite with a focus on a highly configurable streamlined recon process.
AutoRecon AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP).
Osmedeus A Workflow Engine for Offensive Security. It was designed to build a foundation with the capability and flexibility that allows you to build your own reconnaissance system and run it on a large number of targets.

OSINT Search Engines

Name Description Created by
hunter.io Email Enumeration for big corps Hunter Team
intelx.io Swiss army Knife of OSINT Intelligence X
Shodan Search engine that lets you find systems connected to the internet with a variety of filters John Matherly
Censys "Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet." Censys
crt.sh SSL certificate search tool Sectigo
Virus Total WHOIS, DNS, and subdomain recon Virus Total Team
ZoomEye Search engine for specific network components Team from Knownsec
NerdyData Search Engine for Source Code NerdyData
Crunchbase For finding Information about Businesses and their acquisitions TechCrunch
Searchcode Helping you find real world examples of functions, API's and libraries over 90 languages across multiple sources searchcode

Exploitation

Name Description Written in Created by
sqlmap sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. Python sqlmapproject

Scanners

Name Description Written in Created by
Nmap A well known and powerful Tool for port scanning. Nmap provides the possibility to use scripts to further customize its functionality. C, C++, Python, Lua Gordon Lyon
Masscan This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine. C Robert David Graham
KeyHacks Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. / streaak
Nmap command helper A tool that helps you with nmap commands. Has a build in training feature to help memorizing them. 0x0n0x

Mobile Hacking

Name Description Written in Created by
Frida
jadx Dex to Java decompiler Java skylot
Ghidra "A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission" Java NSA
dex2jar Useful to convert dex files into jar to decompile the application. Java, Smali Bob Pan
andriller Andriller - is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. andriller.com Python Denis Sazonov
Mobile Security Framework (MobSF) Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing. Python MobSF Team
objection "objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak." Python & TypeScript sensepost
RMS - Runtime Mobile Security Runtime Mobile Security (RMS) is a powerful web interface that helps you to manipulate Android Java Classes and Methods at Runtime Python @mobilesecurity_

Notes & Organization

Name Description Written in Created by
Reconness "ReconNess helps you to run and keep all your #recon in the same place allowing you to focus only on the potentially vulnerable targets without distraction and without required a lot of bash skill or programing skill in general." C# Reconness
Updog "Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth." Python sc0tfree
Notion "Write, plan, collaborate, and get organized — all in one tool." Notion Labs
Joplin "Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. The notes are searchable, can be copied, tagged and modified either from the applications directly or from your own text editor. The notes are in Markdown format." JavaScript Laurent Cozic
Xmind XMind, a full-featured mind mapping and brainstorming tool, designed to generate ideas, inspire creativity, brings productivity in a remote WFH team. / XMind Ltd.
Axiom Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty and pentesting. Bash @pry0cc
PenTest.ws PenTest.WS is a penetration testing web application for organizing hosts, services, vulnerabilities and credentials during a penetration test. A reporting module is available for documenting and delivering a full penetration test. PenTest.ws

Others

Name Description Written in Created by
SecLists A huge collection of word lists for hacking. Daniel Miessler
AssetNote's Wordlists Collection of wordlists created by AssetNote. AssetNote.io
Recon Pi A lightweight recon tool that performs extensive reconnaissance with the latest tools using a Raspberry Pi. @x1m_martijn
CyberChef Awesome Tool for de-/encoding stuff. Try it out! JavaScript gchq
webhook.site Webhook.site allows you to easily test, inspect, forward and create Custom Actions for any incoming HTTP request or e-mail. fredsted
requestcatcher Request Catcher will create a subdomain on which you can test an application. All requests sent to any path on the subdomain are forwarded to your browser in real time.
canarytokens Description Thinkst Canary

back to Intro Page