incredincomp / the_hunting

a vuln finding robot
GNU General Public License v3.0

Just a cheap vuln finding robot. Currently in heavy dev, so please be careful with it. It's a violent script if I've ever written one: nothing is rate limited, so you'll probably get IP blocked over it, specifically during aquatone, if you're not already banned before getting there. Cheers!

< Huge shoutout to my dude @1efty for his help bringing this script into the 21st century! && @1efty's github />

Already changing the world around us to fit our needs :muscle:


:heart: ~@incredincomp

Requirements

Caution

Slack integration is included. You need to add some data to the aptly named files and you should be off to the races. Mind you, if you set up file upload by filling in the proper data in ./bot_user_oauth_at.txt and ./slack_channel.txt, you also need a bot set up with the proper permissions to post files to the channel in question, and then invite the bot to that channel.

Your data is in Slack's hands at that point, so if you are working within specific privacy constraints or private program scopes, you may need to adjust course accordingly and do some research before you start dumping possibly important data about your targets onto Slack's servers, and therefore into the world. Be smart about it.

Commands

Set up the_hunting.sh

download the hunting

git clone https://github.com/incredincomp/the_hunting.git && cd the_hunting/

install the prerequisites make and packer, and configure aws for secure cold storage

sudo ./reqs.sh

export your digital ocean api key to env

export DIGITALOCEAN_ACCESS_TOKEN="1234546789abcdefghijkl"

export your digital ocean ssh key fingerprint to env

export hunting_fingerprint="11:22:33:44:55:66:77:88:99:AA"

Building box snapshot for use with --create

From inside ./the_hunting/, run

make build

Should complete in roughly 10 minutes.
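Before kicking off a build that takes ten minutes to fail, it is worth checking that the two environment variables above are actually set and well formed, and that the Slack token files from the Caution section are not world-readable or committable. The pre-flight script below is an added example, not part of the_hunting: the variable and file names come from this README (DIGITALOCEAN_ACCESS_TOKEN, hunting_fingerprint, bot_user_oauth_at.txt, slack_channel.txt), while the function names and the checks themselves are this example's own. The fingerprint check only verifies the colon-separated hex-pair shape, not the number of pairs, and the .gitignore check is an exact-line match rather than full gitignore glob semantics.

```shell
#!/usr/bin/env bash
# Added example, not part of the_hunting: pre-flight checks to run before
# `make build` / `./the_hunting.sh --create`. Names of variables and files
# are taken from the README; the functions are this example's own.

# A DigitalOcean-style SSH key fingerprint: colon-separated hex byte pairs.
# Only the shape is checked, not the number of pairs.
valid_fingerprint() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}$'
}

# A usable API token: non-empty and free of whitespace (a pasted trailing
# newline is the usual failure). The value itself is never printed.
valid_token() {
  [ -n "$1" ] && ! printf '%s' "$1" | grep -q '[[:space:]]'
}

# Environment check: returns 0 when both variables look usable.
check_env() {
  local rc=0
  valid_token "${DIGITALOCEAN_ACCESS_TOKEN-}" \
    || { echo "FAIL: DIGITALOCEAN_ACCESS_TOKEN is unset or malformed" >&2; rc=1; }
  valid_fingerprint "${hunting_fingerprint-}" \
    || { echo "FAIL: hunting_fingerprint is unset or not aa:bb:... hex pairs" >&2; rc=1; }
  return $rc
}

# Secret files must be absent (integration off) or owner-only (mode 600/400).
check_secret_file_modes() {
  local f mode rc=0
  for f in "$@"; do
    [ -e "$f" ] || continue
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
      600|400) ;;
      *) echo "WARN: $f is mode $mode; run: chmod 600 $f" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Each file name must appear as an exact line in the given .gitignore so a
# token cannot be committed by accident. (Exact-line match only; this does
# not implement gitignore glob semantics.)
check_gitignored() {
  local ignore="$1" f rc=0
  shift
  for f in "$@"; do
    grep -qxF -- "$f" "$ignore" 2>/dev/null \
      || { echo "WARN: $f is not listed in $ignore" >&2; rc=1; }
  done
  return $rc
}

# Run everything from inside the repository checkout.
preflight() {
  local rc=0
  check_env || rc=1
  check_secret_file_modes bot_user_oauth_at.txt slack_channel.txt || rc=1
  check_gitignored .gitignore bot_user_oauth_at.txt slack_channel.txt || rc=1
  return $rc
}
```

Source the file and call `preflight` from inside the_hunting/; a non-zero exit means one of the messages above was printed to stderr and the build is not worth starting yet.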

Usage

To build a remote box on DO

Use this command to generate a new droplet based on the snapshot produced by make build

./the_hunting.sh --create

Connect to your box via ssh. Useful for little on its own; I would recommend using the --tmux option instead

./the_hunting.sh --connect

Start the first tmux session on your box and connect to it. To leave the_hunting running when you disconnect, press ctrl + b, then d

./the_hunting.sh --tmux

Reconnect to your last tmux session

./the_hunting.sh --rmux

Delete your box

./the_hunting.sh --remove

To install and run locally (not needed with a droplet)

Install the prerequisites the script needs to run; from inside ./the_hunting/ call

./the_hunting.sh --install-all

Script's usage anywhere

Recon a root domain name for responsive subdomains

./the_hunting.sh --target hackerone.com

Exclude out-of-scope domains before recon runs, leaving you with a clean in-scope subdomain list in responsive-domains...txt

./the_hunting.sh --target hackerone.com --exclude support.hackerone.com,go.hacker.one,www.hackeronestatus.com,info.hacker.one,ma.hacker.one
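To see exactly which hosts the exclusion list removes before a scan ever starts, the script below reproduces that scope filtering in isolation. It is an added example, not the_hunting's own code: it takes a newline-separated host list on stdin (the shape of the recon output) and the same comma-separated list given to --exclude. The README does not state whether the script matches excluded names exactly or by suffix, so this example matches exactly, after lower-casing and trimming whitespace and a trailing dot; the function names and the sample host list are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not the_hunting's own code: reproduce --exclude scope
# filtering so the dropped hosts can be reviewed before scanning.

# Normalise a stream of host names: lower-case, strip surrounding whitespace
# and a trailing dot, drop blank lines.
normalize_hosts() {
  tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d'
}

# filter_scope "a.example,b.example" < hosts.txt
# Prints the unique in-scope hosts (sorted) on stdout and a summary on stderr.
filter_scope() {
  local excl_file hosts_file total kept
  excl_file=$(mktemp)
  hosts_file=$(mktemp)
  # the --exclude CSV becomes one normalised name per line
  printf '%s\n' "$1" | tr ',' '\n' | normalize_hosts | sort -u > "$excl_file"
  normalize_hosts | sort -u > "$hosts_file"
  total=$(wc -l < "$hosts_file" | tr -d ' ')
  if [ -s "$excl_file" ]; then
    # -x: whole-line match only, -F: literal strings (dots are not wildcards)
    grep -vxF -f "$excl_file" "$hosts_file" || true
    kept=$(grep -vxF -c -f "$excl_file" "$hosts_file" || true)
  else
    cat "$hosts_file"
    kept=$total
  fi
  echo "in scope: $kept of $total unique hosts" >&2
  rm -f "$excl_file" "$hosts_file"
}

# Constructed sample input for the demo below; not real recon output.
sample_hosts='www.hackerone.com
API.hackerone.com
support.hackerone.com.
  docs.hackerone.com
www.hackerone.com
go.hacker.one'

printf '%s\n' "$sample_hosts" \
  | filter_scope "support.hackerone.com,go.hacker.one,www.hackeronestatus.com"
```

Because the match is exact, excluding support.hackerone.com does not remove hosts beneath it such as api.support.hackerone.com; if a whole subtree is out of scope, list each host or extend the filter to suffix matching deliberately rather than by accident.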

Scan a file of subdomains, one per line

./the_hunting.sh --file subdomains.txt

This runs all nuclei templates against the targets listed in subdomains.txt

./the_hunting.sh --file-all subdomains.txt

Spider a list of URLs with OWASP ZAP

./the_hunting.sh --spider important-subdomains.txt

Configuration

Config Files

All your user config files are to be stored inside ./backup-files/. I have placed default configs for subfinder and amass in there for you, as well as the other files needed for a fully configured instance. The token files are aptly named; all of them are optional and only enhance the script to some degree. custom-header.txt can be used to set your header for scans; otherwise, run the scan option and it will ask you for one every time it starts.

Configure AWS for backups.

You are going to need to run sudo ./reqs.sh and configure the AWS CLI through that prompt, or have done so previously.

To-Do/Upcoming

  1. Switching to AWS: probably cheaper and easier to manage. Able to store data and probably just send some encrypted emails, though that may need a domain. #34
  2. Fixing the directory structure / house cleaning. #30

Methodology

Anything crossed out is implemented to some degree but turned off in the production version. To use those tools, manually uncomment them in the script, on lines 377-414.

Recon

Subdomains

Subdomain Enum

~~gobuster - vhost & dns https://github.com/OJ/gobuster~~

Amass https://github.com/OWASP/Amass

~~Subfinder https://github.com/projectdiscovery/subfinder~~

Subdomain TakeOver

Subjack https://github.com/haccer/subjack

Target Validation

Webserver Status Checks

Httprobe https://github.com/tomnomnom/httprobe

Webpage Validation

aquatone https://github.com/michenriksen/aquatone

Scanning

Fuzzing

#### Directory and file Fuzzing

To-do: Dirb https://tools.kali.org/web-applications/dirb

~~Gobuster - dir https://github.com/OJ/gobuster~~

### Port Scanning

#### To-do: nmap

##### nse scripts

https://nmap.org/book/nse.html

Webpage and Server Scanning

nuclei

Templates

Community templates - https://github.com/projectdiscovery/nuclei-templates

To-Do: User made templates - https://nuclei.projectdiscovery.io/templating-guide/

Owasp ZAProxy

https://github.com/zaproxy/zaproxy