Researcher Resources - Tools


#1

This is a list of tools that can be helpful to researchers for various things they will need to do. Please let us know if you have any suggestions for resources that we should add to this post!

Tools

Web Application:

Mobile:

Other:


Researcher Resources - How to become a Bug Bounty Hunter
#3

man ascii on most unices gives you the ASCII table with decimal, octal and hex codes for each character.

It changed my life when Joe McCray (IIRC) dropped that in a talk.


#4

I haven’t heard about OWASP SKANDA before, I will be trying it. Thanks


#5

my best partner in testing is live http header and knock. this time i want to try OWASP SKANDA


#6

This will help a lot …:slight_smile:


Curious about some the bug bounty rules and what tools I can be used
#7

You can also add the ironwasp suite to the tools list under the web application category.


#8

Any suggestions on a really good brute-force tool for passwords? We’ve been looking and while burpsuite intruder seems good, but are their better ones? We never have an interest in brute-force, but it has come up as a requirement in a pen-test.


#9

WebSlayer is one of the best free tools available, and Wfuzz for command-line tests.


#10

+1 for man ascii, that thing basically lives on a subsection of my desktop the whole time.

For the exploit devs out there metasm_shell.rb (a sister of nasm_shell.rb) is a real help. You can find them both in the tools folder in Metasploit.

mona.py should be in every Windows exploiter’s toolkit.

Shout out to gobuster as a replacement for other dirbusting software. Early days of its life, but suits me down to the ground for the directory bruteforcing I need to do.


#11

subbrute (https://github.com/TheRook/subbrute) a bit faster than Knock and fierce.pl, and the included list is sorted by frequency of use vs just a dump of names … The SecList project ( https://github.com/danielmiessler/SecLists ) … recon-ng is awesome for osint… netcat…


#12

Hey all!

I’ll be posting tips an tricks from my bug hunting methodology here on the forums over the next few weeks =)

Subdomains and Finding fresh in-scope Targets:

For the subdomain tools, its not really the script I care about, more the list. I usually cat > unique all of the major ones (fierce, subbrute,subdomainer, knock, etc, etc) into a list and use a tool that can take custom lists. Dont miss out on recon-ng either, using its Baidu, Google, Netcraft, and Shodan search modules to find subdomains. I wrote a wrapper script for this here:

http://www.securityaegis.com/recon-ng-creating-a-dynamic-resource-script-for-subdomain-discovery/

Another Tip, don’t forget port scanning on your targets. I see web hunters get to caught up in the application and forget some of these subdomains are redirects to entirely different boxes, and then miss very cool network level vulns. Keep your eye and ear to the Metasplolit community and what modules are new and exciting there, especially ones pertaining to internet facing services.

Keep checking back at targets who do not have a mobile version of the site, and when they add one (and if it is covered in the scope) test it thoroughly. In my experience mobile sites designed around phone viewing are rife with XSS, CSRF, etc, etc. A lot of the time they even lack security controls that the main site might use in favor of speed.

Now, for bug hunting in general, not just Bugcrowd or 3rd party hosted bounties, you want to watch Twitter and Wikipedia for acquisitions. Every acquisition brings in a plethora of new targets that could be covered under the bounty program. Make sure to check the bounty program though, some have a restriction to how soon these sites can be tested.


#13

For bruteforcing web fields Burp will prob be your best best, combined with a good pass list.

For net level stuff, ncrack and hydra/medusa password bruting tools still remain the best imo. They support a variety of protocols with decent speed.


#14

Thanks everyone! Just updated the OP with all of your suggestions :smile:


#15

I actually run/co-created the seclists project. If anyone has any feedback or contributions we would welcome them!


#16

@jhaddix awesome wrapper…I’ve written a few too…recon is a fun tool…


#17

Hey @SamHouston, can you add apktool? http://ibotpeaches.github.io/Apktool/


#18

@planetzuda Done! :smile:


#19

@SamHouston you can throw up NinjaDroid https://github.com/rovellipaolo/NinjaDroid it takes all the fun of Apktool, Dex2jar and a few other tools and rolls them up into a nice python script and runs strings over everyting in the end…Fun way to start with a mobile app before you even install it…


#20

@geekspeed - Updated. Thanks!!!


#21

Pretty rad tool:
From its readme:
This tool exploits XXE to retrieve files from a target server. It obtains directory listings and recursively downloads file contents.