
Title: Create a fully automatic vulnerability bounty scanning tool


0x01 Description

The platform used this time is https://chaos.projectdiscovery.io/, which aggregates the major foreign bug bounty platforms. The asset scale is currently about 16,000,000 to 18,000,000 domains, a staggering number, and it grows or shrinks every hour. It also connects to many third-party self-hosted bounty platforms, so it covers more than we could collect on our own, and the chance of finding something is correspondingly greater.


0x02 Automation Solution Process

Use a script to obtain all assets from the projectdiscovery platform; asset reconnaissance and collection are left to projectdiscovery. Compare the downloaded assets with the last master domain data to determine whether any new assets have appeared. If not, the run ends and waits for the next cycle. If there are, extract the new assets into a temporary file and append them to the master domain list. Use naabu to scan ports, use httpx to verify the open ports and extract the live HTTP assets, then send the live HTTP assets to nuclei for vulnerability scanning and also to Xray. By default Xray's basic crawler is used to scan for common vulnerabilities, and its results are saved as xray-new-$(date +%F-%T).html; a webhook can also be added to push them. nuclei's vulnerability scan results are pushed in real time with notify. After nuclei and Xray finish, wait for the next loop. All of this runs automatically.


0x03 Preparation

Install these tools first and set up soft links so they can be used globally. Installation is simple and is not covered here; each tool has an installation guide on GitHub.

Centos7+ 64-bit, configuration starting from 4H 4G [one server]
chaospy [asset detection, asset download] https://github.com/PhotonBolt/chaospy
unzip [decompression]
anew [deduplication] https://github.com/tomnomnom/anew
naabu [port scan] https://github.com/projectdiscovery/naabu
httpx [liveness detection] https://github.com/projectdiscovery/httpx
nuclei [vulnerability scan] https://nuclei.projectdiscovery.io/
Xray [vulnerability scan] https://download.xray.cool/
python [WeChat notification]
notify [vulnerability notification], a relatively mature push solution

For the server, vultr is recommended. You can use my referral link: https://www.vultr.com/?ref=9059107-8H

0x04 About notify notification related configuration

notify installation and configuration: https://github.com/projectdiscovery/notify

Configuration file (create it if it does not exist): /root/.config/notify/provider-config.yaml

Only the notification section needs to be modified. For example, the notifications I use are telegram and email (you can configure any one of them).


Test results

subfinder -d hackerone.com | notify -provider telegram

I'm setting up a telegram notification. After the command completes, if the result is received, the notification works and you can proceed to the next step.


0x05 Deployment Process

Please make sure the tools mentioned above are installed. Now let's build a sh script file that carries out the whole process described above.

Name it wadong.sh and add execution permissions: chmod +x wadong.sh

The wadong.sh script covers asset reconnaissance and collection, port scanning, deduplication, liveness detection, vulnerability scanning, and result notification.

Script:

#!/bin/bash

# Use chaospy to download only bounty asset data (exactly one download must be active)
./chaospy.py --download-rewards        # Download all bounty assets (the active download here)
#./chaospy.py --download-bugcrowd      # Download BugCrowd assets
#./chaospy.py --download-hackerone     # Download Hackerone assets
#./chaospy.py --download-intigriti     # Download Intigriti assets
#./chaospy.py --download-external      # Download self-hosted assets
#./chaospy.py --download-swags         # Download swag-only assets
#./chaospy.py --download-norewards     # Download assets without rewards

# Decompress the downloaded archives, use awk to compare the result with the last run, and check whether there are any new domains
if ls | grep -q '\.zip$'; then
    unzip -o '*.zip' > /dev/null
    cat *.txt > newdomains.md
    rm -f *.txt
    # Keep only the domains that are not already in the historical cache alltargets.txtls
    awk 'NR==FNR{lines[$0];next} !($0 in lines)' alltargets.txtls newdomains.md > domains.txtls
    rm -f newdomains.md
    ################################################################################
    echo "Asset Scout End $(date +%F-%T)" | notify -silent -provider telegram
    echo "Find the new domain $(wc -l < domains.txtls)" | notify -silent -provider telegram
    ################################################################################
    nuclei -silent -update
    nuclei -silent -ut
    rm -f *.zip
else
    echo 'No new program found' | notify -silent -provider telegram
fi

# Port scan, liveness check, cache update and vulnerability scan for one chunk of domains (domaint.txtls)
scan_chunk() {
    naabu -stats -l domaint.txtls -p 80,443,8080,2053,2087,2096,8443,2083,2086,2095,8880,2052,2082,3443,8791,8887,8888,444,9443,2443,10000,10001,8082,8444,20000,8081,8445,8446,8447 -silent -o open-domain.txtls > /dev/null
    echo 'Port scan ends, start using httpx to detect survival' | notify -silent -provider telegram
    httpx -silent -stats -l open-domain.txtls -fl 0 -mc 200,302,403,404,204,303,400,401 -o newurls.txtls > /dev/null
    echo "httpx found a total of surviving assets $(wc -l < newurls.txtls)" | notify -silent -provider telegram
    cat newurls.txtls > "new-active-$(date +%F-%T).txt"   # Save new asset record
    cat domaint.txtls >> alltargets.txtls                  # Add the scanned domains to the historical cache
    echo "The existence of a surviving asset has been added to the historical cache $(date +%F-%T)" | notify -silent -provider telegram
    echo 'Start using nuclei to scan new assets' | notify -silent -provider telegram
    cat newurls.txtls | nuclei -rl 300 -bs 35 -c 30 -mhe 10 -ni -o res-all-vulnerability-results.txt -stats -silent -severity critical,medium,high,low | notify -silent -provider telegram
    echo 'nuclei vulnerability scan ended' | notify -silent -provider telegram
    # Use xray scan, remember to configure the webhook; delete this item if you don't use it, the results are saved into a file
    #echo 'Start using xray to scan new assets' | notify -silent -provider telegram
    #xray_linux_amd64 webscan --url-file newurls.txtls --webhook-output http://www.qq.com/webhook --html-output "xray-new-$(date +%F-%T).html"
    #echo 'xray vulnerability scan has ended. Please go to the server to view the xray vulnerability report' | notify -silent -provider telegram
    rm -f open-domain.txtls
    rm -f domaint.txtls
    rm -f newurls.txtls
}

if [ -s domains.txtls ]; then
    echo 'Start scan new asset ports using naabu' | notify -silent -provider telegram
    fine_line=$(wc -l < domains.txtls)   # number of new domains
    num=1                                # first line of the current chunk
    K=10000                              # chunk size
    # Work through domains.txtls K lines at a time; the last chunk may be shorter
    while [ "$num" -le "$fine_line" ]; do
        m=$((num + K - 1))
        if [ "$m" -gt "$fine_line" ]; then m=$fine_line; fi
        echo "scanning lines $num-$m of $fine_line"
        sed -n "${num},${m}p" domains.txtls > domaint.txtls
        scan_chunk
        num=$((m + 1))
    done
    rm -f domains.txtls
else
    ################################ Send result to notify if no new domains found
    echo "No new domain $(date +%F-%T)" | notify -silent -provider telegram
fi
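The two steps of wadong.sh that decide how much gets scanned each hour, the new-domain comparison against the master cache and the chunked scan loop, as standalone, testable shell functions. This is an added example, not code from the original post; the file names are placeholders and the per-chunk scanner is passed in as a command, so it runs without naabu or httpx. It also normalises the lists (CRLF, case, blanks, duplicates), which the bare awk comparison does not do, so an unchanged host is not re-scanned and re-notified on every cycle.

```shell
#!/bin/bash
# Added example, not from the original post. File names are placeholders
# and the scanner run per chunk is passed in as a command.

# Normalise a domain list: strip CRLF, lowercase, drop blank lines, dedupe.
# Without this "Example.COM\r" and "example.com" count as two assets and the
# same host is scanned and notified about again on every cycle.
normalize_domains() {            # $1 = list file; normalised list on stdout
    tr -d '\r' < "$1" | tr 'A-Z' 'a-z' | sed '/^[[:space:]]*$/d' | sort -u
}

# Print the domains in the fresh download ($2) that are not in the master
# cache ($1): the "new asset" check that wadong.sh does with awk.
new_domains() {
    local cache fresh
    cache=$(mktemp); fresh=$(mktemp)
    normalize_domains "$1" > "$cache"
    normalize_domains "$2" > "$fresh"
    awk 'NR==FNR { seen[$0]; next } !($0 in seen)' "$cache" "$fresh"
    rm -f "$cache" "$fresh"
}

# Run a scanner over a list in chunks of $2 lines. Every line is handed out
# exactly once, including the final partial chunk. $3... is the command run
# per chunk; the chunk file is appended as its last argument.
scan_in_chunks() {
    local list=$1 size=$2 total start stop chunk
    shift 2
    total=$(wc -l < "$list" | tr -d ' ')
    start=1
    while [ "$start" -le "$total" ]; do
        stop=$((start + size - 1))
        if [ "$stop" -gt "$total" ]; then stop=$total; fi
        chunk=$(mktemp)
        sed -n "${start},${stop}p" "$list" > "$chunk"
        "$@" "$chunk"
        rm -f "$chunk"
        start=$((stop + 1))
    done
}
```

In the pipeline this would be called as `scan_in_chunks domains.txtls 10000 naabu -silent -o open-domain.txtls -l`, the chunk file landing after `-l`; the lists are assumed to be newline-terminated.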

Build a first.sh file. This script is executed only once and is not used afterwards; it generates the historical cache of domains for the first time and marks them as old assets.

Add execution permissions: chmod +x first.sh

#!/bin/bash

# Use chaospy to download only bounty asset data
./chaospy.py --download-new
./chaospy.py --download-rewards

# Decompress the downloaded archives and build the historical cache
if ls | grep -q '\.zip$'; then
    unzip -o '*.zip' > /dev/null
    rm -f alltargets.txtls
    cat *.txt > alltargets.txtls
    rm -f *.txt
    rm -f *.zip
    echo "Find domain $(wc -l < alltargets.txtls) and saved as cache file alltargets.txtls"
fi

0x06 Start bounty automation

Once all the above tools are installed:

1. Execute the first.sh script to generate enough cached domain names locally and mark them as old assets:

./first.sh

2. Run the bbautomation.sh script in a loop, sleeping 3600 seconds between runs, i.e. once an hour. That is the script xunhuan.sh:

#!/bin/bash
while true; do ./wadong.sh; sleep 3600; done

3. The chaospy script has been lightly modified to optimise the scan delay and error reporting:

#!/usr/bin/python3
import requests
import time,os,argparse

#Colors
Black='\033[30m'
Red='\033[31m'
Green='\033[32m'
Yellow='\033[33m'
Blue='\033[34m'
Magenta='\033[35m'
Cyan='\033[36m'
LightGray='\033[37m'
DarkGray='\033[90m'
LightRed='\033[91m'
LightGreen='\033[92m'
LightYellow='\033[93m'
LightBlue='\033[94m'
LightMagenta='\033[95m'
LightCyan='\033[96m'
White='\033[97m'
Default='\033[0m'

# Start-up banner (the ASCII-art layout was not preserved)
banner=''' %s ___________ ____/____ _____///__ \/__ `/__ \/___////////////////////////////////////////////_/(__ ) _____//_//_//\___,////___,///____/%s Small Tool written based on chaos from projectdiscovery.io %s https://chaos.projectdiscovery.io/%s *Author - Moaaz (https://twitter.com/photonbo1t)* %s \n '''%(LightGreen,Yellow,DarkGray,DarkGray,Default)

parser=argparse.ArgumentParser(description='ChaosPY Tool')
parser.add_argument('-list',dest='list',help='List all programs',action='store_true')
parser.add_argument('-list-bugcrowd',dest='list_bugcrowd',help='List BugCrowd programs',action='store_true')
parser.add_argument('-list-hackerone',dest='list_hackerone',help='List Hackerone programs',action='store_true')
parser.add_argument('--list-intigriti',dest='list_intigriti',help='List Intigriti programs',action='store_true')
parser.add_argument('--list-external',dest='list_external',help='List Self Hosted programs',action='store_true')
parser.add_argument('--list-swags',dest='list_swags',help='List programs Swags Offers',action='store_true')
parser.add_argument('--list-rewards',dest='list_rewards',help='List programs with rewards',action='store_true')
parser.add_argument('--list-norewards',dest='list_norewards',help='List programs with no rewards',action='store_true')
parser.add_argument('--list-new',dest='list_new',help='List new programs',action='store_true')
parser.add_argument('--list-updated',dest
