Who am i ? hey guys my name is sn0x. i am cyber security researcher |Bug hunter |machine learning |RHCSA|AWS |CEH |eWPTXv2 certified.
CONTENT :
1. Introduction
2. why do we need automation in bug bounty’s?
3. python for bug bounty
4. python basics you need to know
5. Subdomain enumeration using automation script
6. Directory fuzzing with domain availability check
7. fuzzing
8. OSINT Automation using shodan
9. find Misconfigured jenkins
10. Automate finding login endpoint and parameters.
Introduction
hello guys !! today i will demonstrates the hands-on automation using python this might be help you in bug bounty’s for each topic mentioned in table of content.Also this blog gives you basic idea of how to automate something to reduce the repetitive tasks and perform automate in many ways.
why do we need automation in bug bounty’s?
Repetitive work may exhaust you away from doing whats really worth your time !! Automation can help test a theory quickly.Keep n eye out of changes or new assets.So we need to automate these repetitive tasks to save our time and energy to focus on other areas.Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren’t doing what only they can do — solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil.
python
Python is very easy to learn for newcomers and beginners.
It has simplified syntax so anybody can easily read and understand the code. There are lots of tools and modules available for python to do our tasks by writing a few lines of code.
Python is an Interpreter language which means we don’t need to compile the entire program into machine code for running the program. Python interpreters translate the code line by line at runtime so we can run the python program directly without compilation. Python is already included with linux based operating systems. If you are a windows user you can download and install it from python official website — https://www.python.org/downloads/ . Support for python2 is no longer so we are going to use python3 only.
python basics
Before entering into bug bounty automation, We should learn the basics of python programming. We are not going to deep dive into the python but We will learn the basic fundamentals of python and necessary topics in the python programming.
Topics :
VARIABLES AND DATA TYPES
variables and data types
STRINGS
strings
List-Tuple-Set-Dictionary
list in python
Tuples in python
Sets in python
Dictionary in python
Basic Operators
Basic operators
Conditions and loops
if-else-while conditions in python
For Loop in python
Functions
Functions in python
Arbitrary arguments
Arbitrary arguments in python
Arbitrary keyword arguments
Arbitrary keyword arguments
Default parameter value
Default parameter value in python
File operations
File operators in python
Exception handling & Regular expression
Exception handling & Regular expression in python
Subdomain enumeration
We can write a subdomain enumeration tool but Reinventing the wheel does not make sense, already there are many numbers of the tools available in the open source community for subdomain enumeration.
Personally I am using the sublist3r tool written in python, github = https://github.com/aboul3la/Sublist3r.git
after installation is complete you can come back to directory where you have domain files list files.
lets do subdomain enumeration !!
Subdomain enumeration automation script
Subdomain enumeration is done, what we have to do next?.
Directory Fuzzing with domain availability check
Let’s fuzz the directory of the subdomain, You may have found something like an admin panel or backup files or anything sensitive. Let’s say if you got .git directory during directory fuzzing, You can download source code of the application using git dumper tool — https://github.com/arthaud/git-dumper
Before going to the fuzzing directory we need to check if the domain is alive or not, Because large number of requests to the dead domain is a waste of time and bandwidth.
script :
DOMAIN AVAILABILITY CHECK
note : Save this code as checkdomains.py. Here what we did is sent a request to both port 80 and 443 for checking availability of the domain. Here we hit robots.txt endpoint because other than this endpoints are large in size. pass key word does nothing in python it is used to just fill up except block.
Fuzzing
we have to write a script to import the necessary modules and download the directory wordlist from dirsearch repository. We have to check whether the domain is live or not. If the domain is live then fuzzing starts otherwise go to next subdomain. The whole process takes a while because the number of domains and subdomains.
here we go lets code !
script :
Fuzzing
OSINT Automation using shodan
Let’s install the shodan module by executing the following command.
“pip install shodan”
let’s automate !!
Django debug mode shodan automation
Now let’s check the IP address manually or you can automate that process also. Okay Let’s automate
checking IP address manually
here I passed a parameter verify=False that
means I tell the program to don’t verify the SSL certificate of the server. You
can use your own regex to match something else other than mongodb/redis URI.
“ what if we automate finding the spring boot server using shodan ? yes let automate that too!! “
script:
script for finding of spring boot server
“lets Fuzz its IP” tool i am using here wfuzz tool
script :
Misconfigured jenkins
Jenkins is also the battlefield that every hacker would like to control. If someone takes control of the Jenkins server, he can gain amounts of source code and credential, or even control the Jenkins node!
If you get admin access, You can access repositories of the softwares they developed which may contain credentials, You can perform remote code execution via script console.
so let’s Automate the login with gitHub scenario ,
We have set headless mode false because sometimes github ask you to OTP that time you need browser to enter github OTP after that you can set headless to True this prevents opening browser.
We have created a webdriver object and passed the url to fetch the page.
we have set wait time 20 seconds because findelementbyid throws an exception because it executes before the page load. So that we have set waiting time 20. You can reduce the time if your internet connection is fast. Once the page gets loaded it will find the username field id named loginfield and password field to fill the credentials and automatically click the login button and then again page load one more button called authorize button it also clicked automatically once it is done it will redirect to jenkins instance.
Automate finding login endpoint and parameters
Let’s see how I found login endpoint and parameters that is very simple,open the url in browser and fill the username and password click login button and just intercept the request with burp suite you can see the request header and the request body as follows
You can see here the post requests body is the json that’s why we have used json=data in code.
follow me on
Twitter = sn0x
Instagram = sn0x
GitHub = sn0x-sharma
and if really you like this blog you can support me,
To support me {https://www.buymeacoffee.com/sn0xsharma}