BugBountyScanner: Bash script/Docker image for Bug Bounty reconnaissance
A Bash script and Docker image for Bug Bounty reconnaissance, intended for headless use. Low on resources, high on information output.
It’s recommended to run BugBountyScanner from a server (VPS or home server), and not from your terminal. It is programmed to be low on resources, with potentially multiple days of scanning in mind for bigger scopes. The script functions on a stand-alone basis.
You can run the script either as a docker image or from your preferred Debian/Ubuntu system (see below). All that is required is kicking off the script and forgetting all about it! Running the script takes anywhere in between several minutes (for very small scopes < 10 subdomains) and several days (for very large scopes > 20000 subdomains). A ‘quick mode’ flag is present, which drops some time-consuming tasks such as vulnerability identification, port scanning, and web endpoint crawling.
- Resource-efficient, suitable for running in the background for a prolonged period of time on a low-resource VPS, home server, or Raspberry Pi
- Telegram status notifications with per-command results
- Extensive CVE and misconfiguration detection with Nuclei (optionally with detection of blind vulnerabilities via Burp Collaborator)
- Subdomain enumeration and live web server detection
- Web screenshotting and crawling, HTML screenshot report generation
- Retrieving (hopefully sensitive) endpoints from the Wayback Machine
- Identification of interesting parameterized URLs with Gf
- Enumeration of common “temporary” and forgotten files with GoBuster
- Automatic detection of LFI, SSTI, and Open Redirects in URL parameters
- Subdomain takeover detection
- Port scanning (Top 1000 TCP + SNMP)
- ‘Quick Mode’ for opsec-safe (ish) infrastructure reconnaissance
- Gf (with Gf-Patterns)
- Nuclei (with Nuclei-Templates)
Copyright (c) 2020 Cas van Cooten