Bug Bounty Automation Toolkit

April 11, 2020 By ghostlulz

Introduction

A bug bounty is a reward offered to a person who identifies an error or vulnerability in a computer program or system. Some bug bounty hunters like to go deep on a single target while others mass scan everything for vulnerabilities. In both cases, having some sort of automation in place can greatly increase the chances of you finding a bug and getting paid. Most hackers spend 90% of their time manually performing the recon and fingerprinting phase. However, most of that can be completely automated, saving you time and resources. You should be spending 90% of your time hacking, not performing recon. This blog post will cover an automation framework I created to help you save time and get you more bugs, ultimately making you more money. You can check out the tool below:

https://bounty.offensiveai.com/

Dashboard

After you have purchased a membership you should be presented with the home page. This page holds all of the target companies which have bug bounty programs. I tend to only stick with companies that have very large scopes, something like (*.example.com). The larger the scope, the more targets you can go after. If you have more targets you have a better chance of finding a vulnerability; it's a numbers game.

Bug Bounty Targets

Now that you have your targets you just have to click “start hunting”, which will bring you to the company's dashboard.

Company Dashboard

The dashboard holds a bunch of analytics about the company. It tells you how many subdomains were found and how many live assets the tool is currently tracking. Note that assets are based on the host and port number, so example.com:443 and example.com:22 are two different assets.

The fingerprints bar graph is extremely useful when hunting. I always end up going through the fingerprints looking for something interesting like WordPress, Apache Tomcat, or Jira. Once I find something interesting I'll go find all the domains that have that fingerprint and attempt to mass exploit them all; this typically yields very good results. For example, when the Citrix RCE came out a while back I was able to easily search for all Citrix devices and exploit them all within hours of the POC coming out.

Assets

The assets section is where you can find all of the live assets that the system is currently tracking.

As you can see above, each asset is listed along with its fingerprints and the service it is running. You can also search based on fingerprints. Earlier I mentioned I like to look at the fingerprints bar graph and search for interesting technologies; well, this is where you do that.

Searching for the fingerprint “wordpress” will bring up all assets running WordPress. This is extremely powerful, as now I can take all those domains and run them through a vulnerability scanner like “wpscan” and search for vulnerabilities.

Fingerprint search for wordpress

As you can see above, we searched for the fingerprint “wordpress” and got a bunch of results back. Now, not everyone knows what to do when they see a WordPress site, and that's why I created the attack tree generator.
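To make the asset model and the fingerprint search described above concrete, here is an added example (my own code, not the tool's code or its data format). It assumes scan records are dictionaries with `host`, `port`, `service` and `fingerprints` keys; the records themselves are constructed. Assets are keyed on host and port, as the dashboard section explains, so repeated observations of the same host:port merge into one asset, fingerprint matching is case-insensitive, and the last function turns the matches into the URL list you would hand to a scanner such as wpscan.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample scan records (hypothetical data, not the tool's output).
# The second record repeats blog.example.com:443 to show merging.
SAMPLE_RECORDS = [
    {"host": "blog.example.com", "port": 443, "service": "https",
     "fingerprints": ["WordPress", "nginx", "PHP"]},
    {"host": "blog.example.com", "port": 443, "service": "https",
     "fingerprints": ["wordpress"]},
    {"host": "blog.example.com", "port": 22, "service": "ssh",
     "fingerprints": ["OpenSSH"]},
    {"host": "shop.example.com", "port": 80, "service": "http",
     "fingerprints": ["Apache", "WordPress"]},
    {"host": "issues.example.com", "port": 443, "service": "https",
     "fingerprints": ["Jira"]},
]

AssetKey = Tuple[str, int]


@dataclass
class Asset:
    host: str
    port: int
    service: str
    fingerprints: set = field(default_factory=set)

    @property
    def key(self) -> AssetKey:
        # An asset is identified by host AND port, so :443 and :22 differ.
        return (self.host, self.port)


def build_assets(records) -> Dict[AssetKey, Asset]:
    """Merge raw scan records into one Asset per (host, port)."""
    assets: Dict[AssetKey, Asset] = {}
    for rec in records:
        key = (rec["host"].lower(), int(rec["port"]))
        asset = assets.get(key)
        if asset is None:
            asset = Asset(key[0], key[1], rec["service"].lower())
            assets[key] = asset
        # Fingerprints are normalised to lowercase so "WordPress" == "wordpress".
        asset.fingerprints.update(fp.lower() for fp in rec["fingerprints"])
    return assets


def search_fingerprint(assets: Dict[AssetKey, Asset], needle: str) -> List[Asset]:
    """Return assets whose fingerprints contain the (case-insensitive) needle."""
    needle = needle.lower()
    hits = [a for a in assets.values() if any(needle in fp for fp in a.fingerprints)]
    return sorted(hits, key=lambda a: a.key)


def scanner_targets(assets: Dict[AssetKey, Asset], needle: str) -> List[str]:
    """Build the URL list for a web scanner from the matching web assets only."""
    urls = []
    for a in search_fingerprint(assets, needle):
        if a.service not in ("http", "https"):
            continue  # e.g. an SSH asset is never a web-scanner target
        default_port = 443 if a.service == "https" else 80
        if a.port == default_port:
            urls.append(f"{a.service}://{a.host}")
        else:
            urls.append(f"{a.service}://{a.host}:{a.port}")
    return urls


if __name__ == "__main__":
    inventory = build_assets(SAMPLE_RECORDS)
    print(f"{len(inventory)} assets tracked")
    for url in scanner_targets(inventory, "wordpress"):
        print(url)
```

The list printed at the end is what you would save to a file and pass to wpscan; keeping the filter separate from the URL builder means the same search can feed a different scanner for a different fingerprint.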

An attack tree is a conceptual diagram showing how an asset, or target, might be attacked. I am able to dynamically generate these attack trees based on a target's fingerprints. This will give you a road map of how to attack a particular target.

Dynamically generated attack tree

As you can see, it generated an attack tree based on the fingerprints of that host. This will show you exactly how an attacker would go about attacking this host; all you have to do is follow the attack tree. If you are unsure about a particular node in the tree you can click it to get additional resources.

Attack tree resources

As you can see above, you are provided with some links to help you perform the attack. In this example it links you to a tool called “wpscan”. Other nodes will have different resources. You can find resources such as tools, tutorials, and other helpful links. If you're ever unsure how to attack a target, generate an attack map and see what it says.
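The attack tree generation and the per-node resources described above can be modelled as a small tree-building routine. The following is an added example written for this post, not the tool's own generator: it assumes a knowledge base that maps a lowercase fingerprint to a subtree of nodes, each carrying optional resource links. Only the WordPress-to-wpscan pairing is taken from the post; the knowledge base layout, the node labels and the handling of a fingerprint that has no entry yet (a fallback "manual review" node rather than silently dropping it) are assumptions.

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Node:
    label: str
    resources: List[str] = field(default_factory=list)  # links shown when clicked
    children: List["Node"] = field(default_factory=list)


# Hypothetical knowledge base: fingerprint -> subtree. The only entry here is
# the WordPress/wpscan link the post mentions; everything else is assumed.
KNOWLEDGE_BASE: Dict[str, Node] = {
    "wordpress": Node(
        "WordPress",
        children=[
            Node("Scan with wpscan",
                 resources=["https://github.com/wpscanteam/wpscan"]),
        ],
    ),
}


def generate_attack_tree(host: str, fingerprints: Iterable[str]) -> Node:
    """Build a tree rooted at the host with one branch per distinct fingerprint."""
    root = Node(host)
    seen = set()
    for fp in fingerprints:
        fp = fp.lower()
        if fp in seen:
            continue  # "WordPress" and "wordpress" are the same branch
        seen.add(fp)
        template = KNOWLEDGE_BASE.get(fp)
        if template is None:
            # Edge case: unknown technology. Keep it visible so the hunter
            # knows the generator has no playbook rather than hiding it.
            branch = Node(f"{fp}: no playbook yet",
                          children=[Node("Manual review")])
        else:
            # Deep copy so trees for different hosts never share node objects.
            branch = copy.deepcopy(template)
        root.children.append(branch)
    return root


def render(node: Node, depth: int = 0) -> List[str]:
    """Flatten the tree into indented text lines, resources in brackets."""
    suffix = f" [{', '.join(node.resources)}]" if node.resources else ""
    lines = [("  " * depth) + "- " + node.label + suffix]
    for child in node.children:
        lines.extend(render(child, depth + 1))
    return lines


def node_count(node: Node) -> int:
    return 1 + sum(node_count(c) for c in node.children)


if __name__ == "__main__":
    tree = generate_attack_tree("blog.example.com", ["WordPress", "nginx", "wordpress"])
    print("\n".join(render(tree)))
```

Extending the generator is a matter of adding entries to the knowledge base; the tree shape and rendering stay the same, which is what lets the same routine cover every fingerprint the asset page reports.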

In addition to dynamically generating attack maps, I also generate possible exploits which can be used to target a particular technology.

Exploit suggester

As you can see above, we have our target's fingerprints, and each fingerprint has a list of exploits which impact that technology. From there you can click an exploit, which will redirect you to ExploitDB. Once you find an exploit you like, the next step is to try it and see if it works.

The assets page is nice because everything is in one spot. You have your hosts, ports, fingerprints, exploits, and attack map all in a single location. 90% of the work is already done for you; all you need to do is take it the rest of the 10%.

Screenshots

You would be surprised at the amount of vulnerabilities you can find by just looking at screenshots. I find all kinds of things like API documentation, VPN logins, VMware logins, APIs, information disclosure, subdomain takeover, and literally everything else. You could legit spend all your time looking at screenshots alone and still come up with a bunch of vulnerabilities.

Don't underestimate the power of looking through screenshots; I find stuff ALL THE TIME.

Notes & Reporting

If you're not staying organized throughout your engagement you may end up forgetting stuff and repeating work you did in the past. I have included a simple note-taking feature which uses markdown. You can use this to take all of your notes throughout an engagement.

In addition to notes, I have also included a bunch of reporting templates. One of the biggest issues I see in the bug bounty community is poor reports.

I often see awesome finds with horrible reports, which cause the bug to get no payout at all or something very small. Being able to clearly communicate your finding to a company will increase your odds of getting a good payday.

Future

This is just the beginning; I plan on adding a bunch more to this tool as time goes on. Some things I plan on adding include:

  • Kanban Board
  • Ability to mass run tools on targets (wpscan, ffuf, droopscan, s3 brute force, much more)
  • Ability to define your own targets
  • URL crawling/bruteforcing
  • Machine learning algorithms to analyze the data (vuln prediction, asset clustering, more)
  • Generate/export reports and notes as a PDF
  • Much more

Conclusion

This tool was designed for one purpose: to help bug bounty hunters make more money. This framework will automate the recon and fingerprinting phase so you don't have to. This will save you tons of man hours and resources. Most people spend 90% of their time in the recon and fingerprinting phase, but you should be spending 90% of your time hacking. Let me help you make more money.