https://www.criticalthinkingpodcast.io/
https://book.hacktricks.wiki/
https://www.thehacker.recipes/
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master
# reverse shell generator
https://www.revshells.com/
# ssrf payload generator
https://shelltrail.com/tools/ssrf-payload-generator
# Keep a CLAUDE.md file in the root directory for context
Example - https://aituglo.com/guide/bug-bounty/#setup-and-recon:~:text=The%20program%27s%20CLAUDE.md
Ask Claude to download all JS files, beautify and output a list with endpoints, routes, secrets and suspicious behaviors
Delegate recon to Claude (use known tools as usual)
Use several agents in parallel with different skills (guided + one free roaming)
Keep the context small (instruct them to take notes, summarize and reset)
Ask for leads instead of bugs
If the free roaming agent finds something different, add it to the guided skilled agent
For long, autonomous hacking sessions use prompts like "I'm going to bed. Don't ask me any questions. Don't stop hacking."
Sometimes asserting the vulnerability exists improves performance ("this function is definitely vulnerable and has at least 2 to 3 security issues")
# Keep skills in a SKILL.md file - https://platform.claude.com/docs/en/agents-and-tools/agent-skills/overview?ref=aituglo.com
Claude will load specialized skills when necessary, e.g. idor-hunt, auth-bypass, js-recon, ...
Advanced: write an orchestrator agent that launches agents/tools on its own
# burp suite extensions
Active Scan++
Autorize
AutoRepeater
Collaborator Everywhere
Copy As Python-Requests
HTTP Request Smuggler
JS Miner
MCP Server (+ Claude Desktop)
Param Miner
Retire.js
# simple and fast (no UDP, max speed), also works with domains
nmap -p- -T5 <ip>
nmap -A -p<ports> <ip>
# port discovery only but ultra speed
masscan --max-rate 100000 --ports 0-65535 <ip>
masscan --max-rate 100000 --ports 0-65535 -iL <ip_file>
# ASN/ip space enumeration, careful with cloud ranges
https://bgp.he.net/
https://dnschecker.org/all-dns-records-of-domain.php
# find acquired/related companies
https://asrank.caida.org/
Google "<company_name> acquisitions"
# reverse whois
https://www.whoxy.com/
# ad/analytics relationships
https://builtwith.com/
# well... shodan
https://www.shodan.io/
# subdomain scraping
subfinder -v -d <domain> # setup api keys for better results
subfinder -d <domain> -silent | httpx -title -status-code -fc 404,403,401 -location # check if website is alive, filters dead and shows redirect location
github-subdomains -d <domain> -t "<github_token>"
# really good, can do a lot more with the right options but takes a long time
bbot -t <domain> -p subdomain-enum
# brute force
amass enum -brute -d <domain>
ffuf -H "Host: FUZZ.<domain>" -ac -w "/usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-20000.txt" -u <url>
# spidering, finds more than just subdomains
Burp Suite (set a keyword in the scope) --> Target --> Right click target --> Scan --> Crawl
# manual permutation guessing
sub.domain.com --> origin.sub.domain.com
sub.domain.com --> origin-sub.domain.com
www.target.com --> ww2.target.com
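The three manual permutation patterns above can be generated mechanically from a list of already-known hosts. The script below is an added example (not part of the original notes): it only builds candidate names and never resolves anything, so the output is fed to whatever DNS check or asset-inventory comparison you already use. The prefix list is a constructed sample and the apex/host inputs are placeholders.

```python
"""Subdomain permutation candidates from known hosts (added example).

Patterns mirror the manual examples in the notes:
  sub.domain.com  -> origin.sub.domain.com   (prefix label)
  sub.domain.com  -> origin-sub.domain.com   (hyphenated prefix)
  www.target.com  -> ww2.target.com          (digit substitution)
"""
import re
from typing import Iterable, List, Optional

# Constructed sample of prefixes; extend with whatever fits the naming scheme you observe.
PREFIXES = ("origin", "dev", "staging", "api", "internal")


def labels_below_apex(host: str, apex: str) -> Optional[str]:
    """Return the part of host under apex ('sub' for sub.domain.com), or None
    when host is the apex itself or not inside the apex at all."""
    host, apex = host.lower().rstrip("."), apex.lower().rstrip(".")
    if host == apex or not host.endswith("." + apex):
        return None
    return host[: -(len(apex) + 1)]


def digit_variants(label: str, digits: Iterable[int] = (1, 2, 3)) -> List[str]:
    """www -> ww2 style: strip trailing digits, then append a digit to the stem
    and to the stem minus its last character (www -> www2 and ww2)."""
    stem = re.sub(r"\d+$", "", label)
    if not stem:
        return []
    out = []
    for n in digits:
        out.append(f"{stem}{n}")
        if len(stem) > 2:
            out.append(f"{stem[:-1]}{n}")
    return out


def permutations(host: str, apex: str, prefixes: Iterable[str] = PREFIXES) -> List[str]:
    """Candidate hostnames derived from one known host. Sorted, deduplicated,
    never includes the input itself, and performs no DNS lookups."""
    sub = labels_below_apex(host, apex)
    if sub is None:
        return []
    first, _, rest = sub.partition(".")
    tail = f".{rest}" if rest else ""
    cands = set()
    for p in prefixes:
        cands.add(f"{p}.{sub}.{apex}")   # origin.sub.domain.com
        cands.add(f"{p}-{sub}.{apex}")   # origin-sub.domain.com
    for v in digit_variants(first):
        cands.add(f"{v}{tail}.{apex}")   # ww2.target.com (digit swap on the first label)
    cands.discard(host.lower().rstrip("."))
    return sorted(cands)


if __name__ == "__main__":
    # usage: subfinder -d <domain> -silent | python3 permute.py <domain> > candidates.txt
    import sys
    apex = sys.argv[1]
    for line in sys.stdin:
        for cand in permutations(line.strip(), apex):
            print(cand)
```

Hosts outside the apex are skipped rather than mangled, so one mixed list from several sources can be piped through unchanged; run the resulting candidates through the same liveness check as the scraped subdomains.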
# max speed with previously merged rafts wordlist and many extensions
# adapt wordlist and extensions to website stack
# don't ignore javascript files, they're good for recon
feroxbuster -u <url> -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt -x asp,aspx,bak,txt,html,php,rar,zip,git,env,py,json,conf,yaml,js,xml -t 50
# to add a cookie, ignore TLS checks, add a custom header and a custom user agent
(...) -b 'session=cookie' -k -H "X-Forwarded-For: 127.0.0.1" -a pentester_brunocaseiro
# searches for endpoints, including inline js
xnLinkFinder -i <input> -v -d 3 -sf <scope>
# unminify or deobfuscate js
https://beautifier.io/
# good starting points
https://taksec.github.io/google-dorks-bug-bounty/
https://dorks.faisalahmed.me/
# fixed vulnerabilities might be bypassable
"<company/domain>" vulnerabilities
# Jason Haddix google dorks (https://gist.github.com/jhaddix/1fb7ab2409ab579178d2a79959909b33)
./gdorklinks.sh <company>
# some other starting points
"<company/domain>" <service> # e.g. "google" ftp
"<company/domain>" <keyword> # e.g. password, key, secret, pass, credentials, login, token, ftp, config, pwd, security_credentials, connectionstring, JDBC, ssh2_auth_password, send_keys, ...
"<company/domain>" NOT keyword # ignores results with "keyword"
user:<username> keyword # keyword can be the company name, helps find hidden domains. Previous employees do not show under the github organization but can be found through their old code
"<company/domain>" language:bash # bash is good to find scripts, but works for other languages
# finds secrets, optionally add --results=verified
trufflehog git <.git_repo_link>
trufflehog github --org=<github_org_name>
# list of services and how to take them over
https://github.com/EdOverflow/can-i-take-over-xyz
# grep for company name in cloud provider's IP ranges
https://kaeferjaeger.gay/?dir=sni-ip-ranges
# s3 bucket search engine
https://grayhatwarfare.com/
# Spoof another user within intercom widgets, paste in console
Intercom('boot', {email:'test@test.com'});