通过 bash 脚本将各种工具集成到一起是一种简单的概念,它可以让漏洞赏金挖掘者自动执行重复性任务,实现无需自己实现相关功能也能自动化漏洞发现,将更多时间花在高级漏洞上,提高效率和收入。
自动化是当今漏洞赏金挖掘的新趋势,网络上每天都有新的框架发布。这包括从具有用户界面和后端数据库的成熟解决方案到自定义构建 Bash 脚本集合。所有这些都有其用途,具体采用哪种取决于用户偏好和测试深度。
漏洞赏金自动化的一些明显的好处包括:
-
更快识别低危漏洞。
-
持续侦察以捕捉不断变化的环境。
-
通过自动化重复性任务来最大化时间和利润。
由于其灵活性,Bash 脚本可以很好地适用在自动化领域。用户可以使用他们现有的工具和方法立即开始。而无需构建框架的每个组件,只需添加最适合每个流程的开源工具即可。这就是为什么这种方法也有利于那些不精通使用任何特定语言,但对整个挖掘步骤有一些基本认知和了解的脚本小子们。
Bash 的另一个好处是语言独立。这使得挖掘者可以为工作选择最好的工具,而不必去管这个工具底层编程语言是什么。像许多漏洞赏金工具都是用 Python 或 Go 编写的。Bash 把它们的执行、解析合并到进一步的自动化过程中
例如,以下脚本将使用SubScraper执行子域枚举,并将结果传递给httprobe以探查可正常访问的http和https服务器
#用法: ./enum.sh domain(dot)comTARGET=$1python3 subscraper.py $TARGET -o subdomains.txtcat subdomains.txt |grep -v "$(cat out_of_scope.txt)"|httprobe
非常简单?对不对。但是一个完美自动化方案的Bash可没这么简单,像下面这样:
## Execute as wget -O - https://gist.github.com/LuD1161/66f30da6d8b6c1c05b9f6708525ea885/raw | bash# # Thanks JeffreyShran for the gist url thing### It's debian based, so for centos and likewise you have to change apt to yum and similarly#InstallationStartTime=$(date +%s)#### COLORS #### ( Taken from : https://misc.flogisoft.com/bash/tip_colors_and_formatting )NORMAL='e[0m'RED='e[31m'LIGHT_GREEN='e[92m'LIGHT_YELLOW='e[93m'BLINK='e[5m'BOLD='e[1m'UNDERLINE='e[4m'###############mkdir ~/toolsapt update -yq && apt upgrade -yq # Do it manually, cause there are some whiptail menus that aren't automated yet and# thus cause problems# change python3 to python and set priority of 10 - https://stackoverflow.com/a/50331137update-alternatives --install /usr/bin/python python /usr/bin/python3 10apt install -yq wget unzip curl screen git gcc make libpcap-dev python3-pip clang nmap python3-dev build-essential libssl-dev libffi-dev python3-venv p7zip-full p7zip-rar tree software-properties-commonapt-add-repository -y ppa:rael-gc/rvmpip3 install rdpy==1.3.2timedatectl set-timezone Asia/Kolkataapt install -y golang-gocd ~/toolsgit clone https://github.com/jordanpotti/CloudScraper.git && echo -e "n${LIGHT_YELLOW}Installing CloudScraper's requirements.txt ${NORMAL}n"pip3 install -r CloudScraper/requirements.txtecho -e "n${LIGHT_YELLOW}Installing SubFinder${NORMAL}n"GO111MODULE=on go get -v -u github.com/projectdiscovery/subfinder/v2/cmd/subfindercd ~/toolsgit clone https://github.com/blechschmidt/massdns.git && echo -e "n${LIGHT_YELLOW}Making and copying massdns to /usr/bin/ ${NORMAL}n"cd massdnsmakeif [ $? -eq 0 ]; thenmv /root/tools/massdns/bin/massdns /usr/bin/ && cd - # go back to main directorymkdir /root/tools/massdns_listsmv /root/tools/massdns/lists/* /root/tools/massdns_lists/rm -rf massdnsecho -e "n${LIGHT_YELLOW}Installed massdns ${NORMAL}n"elseecho -e "n${LIGHT_YELLOW}Try reinstalling massdns manually ${NORMAL}n"echo -e "n${LIGHT_YELLOW}RUN : git clone https://github.com/blechschmidt/massdns.git ${NORMAL}n"echo -e "n${LIGHT_YELLOW}And then cd into the directory and issue make command ${NORMAL}n"fiecho -e "n${LIGHT_YELLOW}Proceeding with installation of masscan ${NORMAL}n"git clone https://github.com/robertdavidgraham/masscan.git && echo -e "n${LIGHT_YELLOW}Making masscan ${NORMAL}n"cd masscanmake -jif [ $? -eq 0 ]; thenmv ./bin/masscan /usr/bin/ && cd - # go back to main directoryrm -rf masscan && echo -e "n${LIGHT_YELLOW}Deleted masscan github local clone ${NORMAL}n"echo -e "n${LIGHT_YELLOW}Installed masscan ${NORMAL}n"elseecho -e "n${LIGHT_YELLOW}Try reinstalling masscan manually ${NORMAL}n"echo -e "n${LIGHT_YELLOW}RUN : git clone https://github.com/robertdavidgraham/masscan.git ${NORMAL}n"echo -e "n${LIGHT_YELLOW}And then cd into the directory and issue make command ${NORMAL}n"fiecho -e "n${LIGHT_YELLOW}Installing of ffuf${NORMAL}n"go get -v -u github.com/ffuf/ffufecho -e "n${LIGHT_YELLOW}Installing subjack${NORMAL}n"go get -v -u github.com/haccer/subjackgo get -v -u github.com/tomnomnom/waybackurls && echo -e "n${LIGHT_YELLOW}Got waybackurls ;) ${NORMAL}n"mv ~/go/bin/waybackurls /usr/bin/if [ $? -eq 0 ]; thenecho -e "n${LIGHT_YELLOW}Installed waybackurls ${NORMAL}n"elseecho -e "n${LIGHT_YELLOW}Try reinstalling waybackurls manually ${NORMAL}n"echo -e "n${LIGHT_YELLOW}RUN : go get github.com/tomnomnom/waybackurls && echo "Got waybackurls ;)" ${NORMAL}n"echo -e "n${LIGHT_YELLOW}Then move the binary from ~/go/bin/ to /usr/bin/ ${NORMAL}n"figit clone https://github.com/x90skysn3k/brutespray.git && echo -e "n${LIGHT_YELLOW}Cloned Brutespray ${NORMAL}n"apt install amass -yif [ $? -eq 0 ]; thenecho -e "n${LIGHT_YELLOW}Installed amass ${NORMAL}n"rm amass.zipelseecho -e "n${LIGHT_YELLOW}Try redownloading amass ${NORMAL}n"fiapt-get install -yq bc locate dnsutils apache2cd ~/tools & echo -e "n${LIGHT_YELLOW}Cloning JS-scan ${NORMAL}n"git clone https://github.com/zseano/JS-Scan.gitchmod o+x JS-Scanln -s "/root/tools/JS-Scan" /var/www/html/JS-Scancd ~/tools && echo -e "n${LIGHT_YELLOW}Cloning bucketkicker ${NORMAL}n"git clone https://github.com/craighays/bucketkicker.gitpip3 install -r ~/tools/bucketkicker/requirements.txtecho -e "n${LIGHT_YELLOW}Installing trufflehog ${NORMAL}n"pip3 install truffleHogecho -e "n${LIGHT_YELLOW}Installing wafw00f ${NORMAL}n"pip3 install wafw00fecho -e "n${LIGHT_YELLOW}Installing whatweb ${NORMAL}n"apt-get install -yq whatwebecho -e "n${LIGHT_YELLOW}Installing snallygaster ${NORMAL}n"pip3 install snallygastercd ~/tools && echo -e "n${LIGHT_YELLOW}Cloning CloudFlare-Enum ${NORMAL}n"git clone https://github.com/mandatoryprogrammer/cloudflare_enum.gitcd ~/tools && echo -e "n${LIGHT_YELLOW}Cloning AWS-Bruteforcer ${NORMAL}n"git clone https://github.com/Ucnt/aws-s3-data-finder.gitcd aws-s3-data-finder && pip3 install -r requirements.txtcd ~/tools# Although cloning Goohak and GoogD0rker but need to make a workaround for google's IP restriction on advanced search# Cause these are not working for meecho -e "n${LIGHT_YELLOW}For Goohak and GoogD0rker pip3 install google ${NORMAL}n"pip3 install googlecd ~/tools && echo -e "n${LIGHT_YELLOW}Cloning Goohak ${NORMAL}n"git clone https://github.com/1N3/Goohak.gitchmod +x Goohak/goohakcd ~/tools && echo -e "n${LIGHT_YELLOW}Cloning GoogD0rker${NORMAL}n"# Do not use currently it's a WIPgit clone https://github.com/ZephrFish/GoogD0rker.gitcd ~/tools && echo -e "n${LIGHT_YELLOW}Installing brakeman : For RoR applications ${NORMAL}n"# Alternative : gem install brakeman# Using git method so as to install the latest brakemangit clone https://github.com/presidentbeef/brakeman.gitcd brakemangem build brakeman.gemspecyes | gem install brakeman-*.gemmv ~/tools/brakeman/bin/brakeman /usr/local/bin/mv ~/tools/brakeman/bin/codeclimate-brakeman /usr/local/bin/rm -rf ~/tools/brakemancd ~/tools && echo -e "n${LIGHT_YELLOW}Installing gitleaks${NORMAL}n"go get -v -u github.com/zricethezav/gitleakscd ~/tools && echo -e "n${LIGHT_YELLOW}Downloading aquatone binary${NORMAL}n"echo -e "n${LIGHT_YELLOW}Check the latest binaries at : https://github.com/michenriksen/aquatone/releases${NORMAL}n"curl -s https://api.github.com/repos/michenriksen/aquatone/releases/latest | grep "browser_download_url.*linux_amd" | cut -d : -f 3- | tr -d " | wget -qi -unzip aquatone_linux_amd64*.ziprm aquatone_linux_amd64*.zipcd ~/tools && echo -e "n${LIGHT_YELLOW}Installing chromium for aquatone${NORMAL}n"apt-get install -y chromiumcd ~/tools && echo -e "n${LIGHT_YELLOW}Getting all wordlists from gdrive, wordlists contain jhaddix's all.txt and massdns as well as subrute's names.txt ${NORMAL}n"mkdir wordlistswget "https://drive.google.com/uc?export=download&id=1X1TTZhxfiLyqrI1Vrw0_DdhFfl3LzsbX" -O all_resolvers.zipunzip -o all_resolvers.zip -d wordlistsrm all_resolvers.zipcd ~/tools && echo -e "n${LIGHT_YELLOW}Downloading dirbuster wordlists ${NORMAL}n"wget "https://drive.google.com/uc?export=download&id=1KbxiE_RFZCDpBDKAJbWeG6NXe7YNtCIc" -O all_wordlists.zipunzip -o all_wordlists.zip -d wordlistsrm all_wordlists.zip# Finally when all is set and folder's deleted# Get the scripts, it's in a gistecho -e "n${LIGHT_YELLOW}Getting the scripts ;) ${NORMAL}n"wget "https://codeload.github.com/gist/8182f825bd91344ce4c2bf5e2acdf2b3/zip/9bd795e4824794d0a61f8805d48572b833b10353" -O scripts.zipunzip -j scripts.zip -d scriptschmod +x ~/tools/scripts/*rm scripts.zipcd ~/toolswget -O master_script.sh "https://gist.github.com/LuD1161/0a85aef8e27e4a7644fd4b69efb62caa/raw"chmod +x master_script.shwget -O nmap-input-file-creator.py "https://gist.github.com/LuD1161/dbc44c6c028de2f0cbae9e737af5aa1e/raw"chmod +x nmap-input-file-creator.pyapt autoremove -yecho -e "n${LIGHT_YELLOW}Building nmap from git ${NORMAL}n"cd ~/toolsgit clone https://github.com/nmap/nmap.gitcd nmap && sh ./configuremakemake installecho -e "n${LIGHT_YELLOW}Installing wpscan requirements ${NORMAL}n"apt-get -yq install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev libgmp-dev zlib1g-dev gcc git ruby make software-properties-commonapt-add-repository -y ppa:rael-gc/rvmapt-get -yq updateapt-get -yq install rvmcd ~source /etc/profile.d/rvm.shrvm install 2.5.1rvm use 2.5.1 --defaultecho -e "gem: --no-ri --no-rdoc" > ~/.gemrc#echo -e "source /usr/local/rvm/scripts/rvm" >> ~/.bashrccd ~/toolsecho -e "${LIGHT_YELLOW}Cloning wpscan ${NORMAL}"git clone https://github.com/wpscanteam/wpscan.gitcd wpscanyes | gem install bundlerbundle install --without testecho -e "${LIGHT_YELLOW}Setting ulimit to 100000 ${LIGHT_GREEN}( so as to make ffuf work fine with higher number of threads ) ${NORMAL}"echo "ulimit -n 100000" >> ~/.bashrc### Install searchsploit ####echo -e "n${LIGHT_YELLOW}Installing searchsploit${NORMAL}n"mkdir /optgit clone https://github.com/offensive-security/exploitdb.git /opt/exploitdbsed 's|path_array+=(.*)|path_array+=("/opt/exploitdb")|g' /opt/exploitdb/.searchsploit_rc > ~/.searchsploit_rcln -sf /opt/exploitdb/searchsploit /usr/local/bin/searchsploit### Downloading SecLists ####echo -e "n${LIGHT_YELLOW}Downloading SecLists${NORMAL}n"cd ~/toolsgit clone https://github.com/danielmiessler/SecLists.gitInstallationCompletionTime=$(date +%s)echo -e "n${LIGHT_YELLOW}Setting up GOPATH and GO bin in path ${NORMAL}n"echo "export GOPATH=$HOME/go" >> $HOME/.profileecho "PATH=$PATH:/root/tools:$GOPATH/bin" >> $HOME/.profilesource $HOME/.profilesource $HOME/.bashrcecho -e "${LIGHT_GREEN}Setup Complete Bug Bounty tools :) :) ${NORMAL}n"echo -e "${BOLD}Usage : ./master_script.sh domain basic|advanced${NORMAL}n"echo -e "Total Time taken : ${LIGHT_GREEN}$(( $InstallationCompletionTime-$InstallationStartTime )) ${NORMAL}seconds"echo -e "n${LIGHT_YELLOW}e.g. ./master_script.sh example.com basic|advanced ${NORMAL}n"echo -e "n"echo -e "${RED}Don't forget to add subfinder's config.json at ~/.config/subfinder/config.json${NORMAL}n"echo -e "n${LIGHT_YELLOW}Also check for aquatone's latest binaries at : https://github.com/michenriksen/aquatone/releases${NORMAL}n"echo -e "n${LIGHT_YELLOW}Enjoy :) ${NORMAL}n"
此外,自动化的应用是提高精度。范围内的每个 IP 地址和子域都是发现更多漏洞的机会。因此,我们希望确保我们的工具能够提供最准确和最全面的结果。
但是在实践中,子域枚举工具的结果却各不相同,即使是使用那些技术实现差不多的工具。下图展示了针对同一域的三个枚举工具其识别的子域数量的比较:
如图所见,结果的数量并不一致,并且因工具而异。因此,为了确保收到最准确的结果,同时也保持只运行一个命令的简单性。我们可以写个bash把这三种工具给链起来,让它们同时执行的,减少时间并解析结果,提供一个没有重复的输出文件。类似下面这样:
TARGET=$1if ! [ $TARGET ]; thenecho "[!] No target provided."echo ">> $0 <example.com>"exit 1fiOUT_DIR=$(pwd)TOOLS_DIR=$(pwd)/toolsecho [*] Executing SubWalker against: ${TARGET}# Modify the individual commands as needed, add API keys and other resources to# get the best results. Happy Hunting!cd $TOOLS_DIR/subscraperecho "[*] Launching SubScraper"python3 subscraper.py $TARGET -o $OUT_DIR/subscraper.txt &> /dev/null &cd $TOOLS_DIR/Sublist3recho "[*] Launching Sublist3r"python3 sublist3r.py -d $TARGET -o $OUT_DIR/sublist3r.txt &> /dev/null &cd $TOOLS_DIR/assetfinderecho "[*] Launching assetfinder"./assetfinder --subs-only $TARGET > $OUT_DIR/assetfinder.txt &echo "[*] Waiting until all scripts complete..."waitcd $OUT_DIR(cat subscraper.txt sublist3r.txt assetfinder.txt | sort -u) > subwalker.txtrm subscraper.txt sublist3r.txt assetfinder.txtRES=$(cat subwalker.txt | wc -l)echo -e "n[+] SubWalker complete with ${RES} results"echo "[+] Output saved to: $OUT_DIR/subwalker.txt"exit 0
需要注意的是,自动化不应该完全取代手工测试。有些潜在的东西通常只能通过手工分析和用户交互才能发现。但是,Bash脚本是自动化重复任务的好方法,可以节省时间用于更高级的发现,这些发现通常会带来更高的回报
最后,想要打造全自动漏洞赏金扫描工具,参考:https://labs.detectify.com/2021/11/30/hakluke-creating-the-perfect-bug-bounty-automation/
原文始发于微信公众号(老鑫安全):漏洞赏金自动化简介:使用 Bash 进行工具链
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论