awesome-bbht
A bash script that automatically installs a list of bug hunting tools I sometimes use for recon, exploitation, etc. (minus Burp). Contributions are always welcome.
Install
```bash
git clone https://github.com/0xApt/awesome-bbht
cd awesome-bbht
chmod +x awesome-bbht.sh
sudo ./awesome-bbht.sh
```

The script runs as root and fetches every tool below from its own upstream repository, so read through it before running it on a machine you care about.
The tools installed:
- awscli
Subdomain-enum
- aquatone – A Tool for Domain Flyovers
- knockpy – Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
- subbrute – A DNS meta-query spider that enumerates DNS records, and subdomains.
- assetfinder – Find domains and subdomains related to a given domain
- domain-finder
- rsdl – Subdomain Scan with the Ping Method
- subDomainizer – A tool to find subdomains and interesting things hidden inside, external Javascript files of page, folder, and Github.
- domain_analyzer – Analyze the security of any domain by finding all the information possible. Made in python.
- massdns – A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
- subfinder – Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
- amass – In-depth Attack Surface Mapping and Asset Discovery
- sub.sh – Online Subdomain Detect Script
- sublist3r – Fast subdomains enumeration tool for penetration testers
- Sudomy – Sudomy is a subdomain enumeration tool, written as a bash script, that analyzes domains and collects subdomains in a fast and comprehensive way. Report output in HTML or CSV format. https://github.com/Screetsec/
- dnsenum – Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.
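The enumerators above each return a slightly different shape of output (mixed case, wildcard entries, trailing dots, sometimes full URLs), so the useful part of a recon script is the merge step. The following is an added example, not code from awesome-bbht or any of the listed tools: it runs whichever of subfinder, assetfinder and amass is installed (using those tools' own documented flags), then normalises and merges the results into one in-scope list. The scope-filter regex and the sample lines in `demo_merge` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of awesome-bbht: merge subdomain-enumerator output.
set -eu

# normalize_subdomains SCOPE_DOMAIN  (reads raw tool output on stdin)
# Lower-cases, strips URL schemes/paths, wildcard prefixes and trailing dots,
# keeps only names that are the scope domain or a subdomain of it, dedupes.
normalize_subdomains() {
  scope="$1"
  esc=$(printf '%s' "$scope" | sed 's/\./\\./g')   # escape dots for the regex
  tr 'A-Z' 'a-z' \
    | sed -E 's#^[a-z]+://##; s#/.*$##; s/^\*\.//; s/\.$//' \
    | grep -E "^([a-z0-9-]+\.)*${esc}$" \
    | LC_ALL=C sort -u
}

# enumerate_subdomains SCOPE_DOMAIN OUTFILE
# Runs each passive enumerator that is installed (flags are the tools' own)
# and writes the merged, normalised list to OUTFILE. Needs network access.
enumerate_subdomains() {
  scope="$1"; out="$2"
  tmp=$(mktemp)
  if command -v subfinder >/dev/null 2>&1; then
    subfinder -d "$scope" -silent >>"$tmp" || true
  fi
  if command -v assetfinder >/dev/null 2>&1; then
    assetfinder --subs-only "$scope" >>"$tmp" || true
  fi
  if command -v amass >/dev/null 2>&1; then
    amass enum -passive -d "$scope" >>"$tmp" || true
  fi
  normalize_subdomains "$scope" <"$tmp" >"$out"
  rm -f "$tmp"
  wc -l <"$out" | tr -d ' '    # number of unique in-scope names
}

# demo_merge: offline run of the normaliser on constructed tool output
# (the sample lines below are made up for this example).
demo_merge() {
  printf '%s\n' \
    'WWW.Example.com' \
    '*.dev.example.com' \
    'api.example.com.' \
    'https://api.example.com/v1' \
    'example.com' \
    'notexample.com' \
    'evil-example.com' \
    'cdn.example.org' \
    | normalize_subdomains example.com
}
```

The scope filter is anchored on a dot before the target domain, which is what keeps look-alike names such as `notexample.com` or `evil-example.com` out of the list; those turn up regularly in passive sources and are out of scope for most programs.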
Content Discovery
API
- secretx – Extracting api keys and secrets by requesting each url in your list.
AWS S3 Bucket
- s3brute – s3 brute force tool
- s3-bucket-finder – Find AWS S3 buckets and extract data.
- bucket-stream – Find interesting Amazon S3 Buckets by watching certificate transparency logs.
- slurp – Enumerate S3 buckets via certstream, domain, or keywords.
- lazys3 – A Ruby script to bruteforce for AWS s3 buckets using different permutations.
- cred_scanner – A simple file-based scanner to look for potential AWS access and secret keys in files
- DumpsterDiver – A tool used to analyze big volumes of various file types in search of hardcoded secrets like keys (AWS Access Key, Azure Share Key or SSH keys) or passwords.
- S3Scanner – Scan for open AWS S3 buckets and dump the contents
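The bucket tools above all do some variant of the same two things: generate candidate bucket names from a keyword, then interpret what S3 answers for an unauthenticated request. The following is an added example, not code from awesome-bbht, lazys3 or S3Scanner: a permutation generator and a status-code classifier, plus a `probe_buckets` function that wires them to curl. The suffix list is an assumption; the status meanings (200 listable, 403 exists but listing denied, 404 no such bucket, 301/307 redirect to a regional endpoint) are S3's documented behaviour.

```shell
#!/bin/sh
# Added example, not part of awesome-bbht or lazys3: bucket-name permutations
# and an unauthenticated S3 probe. The suffix list is an assumption.
set -eu

BUCKET_SUFFIXES="dev prod staging backup backups assets static uploads logs data"

# gen_bucket_names KEYWORD
# Emits the keyword itself plus keyword-suffix, suffix-keyword,
# keyword.suffix and keywordsuffix for every suffix, deduplicated.
gen_bucket_names() {
  kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # bucket names are lower-case
  {
    printf '%s\n' "$kw"
    for s in $BUCKET_SUFFIXES; do
      printf '%s\n' "$kw-$s" "$s-$kw" "$kw.$s" "$kw$s"
    done
  } | LC_ALL=C sort -u
}

# classify_s3_status CODE
# What the HTTP status of an unauthenticated GET on the bucket root means.
classify_s3_status() {
  case "$1" in
    200) echo "exists and is publicly listable" ;;
    403) echo "exists, listing denied (individual objects may still be readable)" ;;
    404) echo "no such bucket" ;;
    301|307) echo "exists, redirected to a regional endpoint" ;;
    *)   echo "unknown ($1)" ;;
  esac
}

# probe_buckets KEYWORD   (network; requires curl)
# Path-style URLs are used on purpose: names containing a dot would fail TLS
# validation against the *.s3.amazonaws.com certificate in virtual-host style.
probe_buckets() {
  gen_bucket_names "$1" | while IFS= read -r b; do
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
      "https://s3.amazonaws.com/$b/") || code=000
    printf '%-45s %s\n' "$b" "$(classify_s3_status "$code")"
  done
}
```

A 403 is the result worth following up: the bucket exists, and a denied listing says nothing about whether individual object keys (which a JS-file or wayback crawl may already have given you) are readable.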
Inspecting JS Files
- JSParser – A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files.
- relative-url-extractor – A small tool that extracts relative URLs from a file.
- github-search
- sub.js – A tool to get javascript files from a list of URLS or subdomains
- LinkFinder – A python script that finds endpoints in JavaScript files
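What these JS tools do under the hood is pattern-match for URL-shaped strings. The following is an added example, not code from awesome-bbht, LinkFinder or relative-url-extractor: a grep-based extractor that pulls absolute http(s) URLs and quoted paths starting with `/` out of JavaScript files. Bare relative paths such as `"api/users"` are deliberately not matched, because that pattern produces far more noise than endpoints; the JS snippet in `demo_extract` is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of awesome-bbht or LinkFinder: a grep-based
# endpoint extractor for JavaScript files.
set -eu

# extract_js_endpoints FILE...
# Prints the unique absolute URLs and quoted "/..." paths found in the files.
extract_js_endpoints() {
  q=$(printf '"\047\140')   # the three JS string delimiters: " ' `
  cat "$@" \
    | grep -oE "https?://[^[:space:]$q]+|[$q]/[A-Za-z0-9._~/?#@!&()*+,;=%-]*[$q]" \
    | sed "s/^[$q]//; s/[$q]\$//" \
    | LC_ALL=C sort -u
}

# demo_extract: runs the extractor on a constructed JS snippet (made up for
# this example, not a real bundle).
demo_extract() {
  tmp=$(mktemp)
  cat >"$tmp" <<'EOF'
// constructed sample bundle
const API = "https://api.example.com/v2";
fetch(API + "/users?limit=50&sort=name");
fetch('/internal/admin/export', {method: "POST"});
const logo = `/static/img/logo.png`;
xhr.open("GET", "https://api.example.com/v2/health");
EOF
  extract_js_endpoints "$tmp"
  rm -f "$tmp"
}
```

Run it over a directory of downloaded bundles with `extract_js_endpoints js/*.js`; the output is what you feed into a fuzzer or a manual review, and the `/internal/...` style hits are the ones that usually repay attention.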
Code Audit
- Cobra – Source Code Security Audit
Crawlers
- Crawler – Crawl website extract links
- waybackMachine – Use wayback Machine data to pull a list of paths.
- meg – Fetch many paths for many hosts – without killing the hosts
- hakrawler – Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
- igoturls – WaybackURLS + OtxURLS + CommonCrawl
Directory Bruteforcers & Fuzzers
- gobuster – Directory/File, DNS and VHost busting tool written in Go
- ffuf – Fast web fuzzer written in Go
- dirsearch – Web path scanner
Exploitation
Subdomain Takeover
- subjack – Subdomain Takeover tool written in Go
- subdomain-takeover – Subdomain Takeover Scanner | Subdomain Takeover Tool | by 0x94
- takeover – Sub-Domain TakeOver Vulnerability Scanner
- SubOver – A Powerful Subdomain Takeover Tool
Google Cloud Storage
- GCPBucketBrute – A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.
Digital Ocean
- spaces-finder – A tool to hunt for publicly accessible DigitalOcean Spaces
XXE
- XXEinjector – Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
CSRF
- XSRFProbe – The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
Command Injection
- commix – Automated All-in-One OS command injection and exploitation tool. https://commixproject.com
SQLi
- sqlmap – Automatic SQL injection and database takeover tool http://sqlmap.org
- sqliv – massive SQL injection vulnerability scanner
- sqlmate – A friend of SQLmap which will do what you always expected from SQLmap.
XSS
- XSStrike – Most advanced XSS scanner.
- XSS-keylogger – A keystroke logger to exploit XSS vulnerabilities in a site – for my personal Educational purposes only
CMS
- CMSmap – CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
- CMSeeK – CMS Detection and Exploitation suite – Scan WordPress, Joomla, Drupal and over 170 other CMSs
- wpscan – WPScan is a free, for non-commercial use, black box WordPress Vulnerability Scanner written for security professionals and blog maintainers to test the security of their WordPress websites
- Joomscan – OWASP Joomla Vulnerability Scanner Project
- Droopescan – A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
- Drupwn – Drupal enumeration & exploitation tool
CloudFlare
- CloudFail – Utilize misconfigured DNS and old database records to find hidden IPs behind the CloudFlare network
Git
- truffleHog – Searches through git repositories for high entropy strings and secrets, digging deep into commit history
- git-dumper – A tool to dump a git repository from a website
Frameworks
- Sn1per – Automated pentest framework for offensive security experts
- XRay – XRay is a tool for recon, mapping and OSINT gathering from public networks.
- datasploit – An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats.
- Osmedeus – Fully automated offensive security framework for reconnaissance and vulnerability scanning
- TIDoS-Framework – The Offensive Manual Web Application Penetration Testing Framework.
- discover – Custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit.
- lazyrecon – This script is intended to automate your reconnaissance process in an organized fashion
- 003Recon – Some tools to automate recon – 003random
- LazyRecon – An automated approach to performing recon for bug bounty hunting and penetration testing.
- Vulmap – Vulmap is a web vulnerability scanning and verification tool that can scan webapps for vulnerabilities and has a vulnerability verification function
Wordlists
- SecLists – SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
- Jhaddix Wordlist
- Nahamsec list
Other
- altdns – Generates permutations, alterations and mutations of subdomains and then resolves them
- nmap – network mapper
- Blazy – Blazy is a modern login bruteforcer which also tests for CSRF, Clickjacking, Cloudflare and WAF.
- httprobe – Take a list of domains and probe for working HTTP and HTTPS servers
- broken-link-checker – Find broken links, missing images, etc. within your HTML.
- wafw00f – WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.