Bash scripting is an easy concept that can allow bug bounty hunters to automate repetitive tasks and spend more time on advanced vulnerabilities, often resulting in higher payouts.
Tool chaining is just that: using Bash scripting to integrate multiple tools executed in a predefined pattern. This post discusses the use of tool chaining in bug bounty automation and introduces a new enumeration tool to add to your recon process!
Automation is the latest trend in bug bounty hunting, with new frameworks being released every day. These range from full-fledged solutions with user interfaces and back-end databases to collections of custom-built Bash scripts. All of them have their uses, depending on the level of control and depth of testing the user prefers.
Some obvious benefits to bug bounty automation include:
Bash scripting can be a great introduction to the automation space because of its flexibility. Users are able to get started right away using their existing tools and methodologies. There is no need to build every component of a framework; simply add the open-source tools that best fit your process. That is why this approach also benefits hunters who are not fluent in any specific language but are knowledgeable about the underlying techniques being tested.
Another benefit of Bash is language independence. This allows hunters to choose the best tool for the job, regardless of the underlying programming language. Many of the bug bounty tools I see and use are written in either Python or Go. Bash allows both to be executed, parsed, and incorporated into further automation procedures, assuming all tools and dependencies are preinstalled.
As an example, the following script will perform subdomain enumeration with SubScraper and pass the results to Tomnomnom’s httprobe to check for live hosts. Any addresses or DNS names added to out_of_scope.txt will be removed prior to active enumeration, to abide by program guidelines:
#!/usr/bin/env bash
# Usage: ./enum.sh domain.com
TARGET=$1
python3 subscraper.py "$TARGET" -o subdomains.txt
# -F: treat each line of out_of_scope.txt as a literal string, -f: read the patterns from
# the file (an empty file then removes nothing, whereas grep -v "" would remove every host)
grep -vFf out_of_scope.txt subdomains.txt | httprobe
A more complex implementation comes from Nahamsec’s lazyrecon. This uses Bash scripting to chain a variety of tools and techniques automating multiple steps in the traditional recon process. A user-friendly HTML report is then generated to display the resulting data.
Another unexpected application for automation is improving accuracy. Every IP address and subdomain in scope is an opportunity to find more vulnerabilities. Therefore, we want to ensure our tools provide the most accurate and thorough results possible.
In recent hunts, I’ve found varying results across subdomain enumeration tools, even those using similar sources. The following demonstrates three enumeration tools targeting the same domain-wide program and a comparison of the number of subdomains identified:
As you can see, the number of results is not consistent and varies by tool. Therefore, to ensure I receive the most accurate results while keeping the simplicity of running a single command, I created SubWalker!
SubWalker - https://github.com/m8r0wn/SubWalker
SubWalker is a simple Bash script that chains three common subdomain enumeration tools: SubScraper, AssetFinder, and Sublist3r. All three are executed simultaneously to reduce run time, and the script parses their results into a single output file free of duplicates. Each tool's distinct enumeration technique contributes findings the others miss, while the overlapping results corroborate one another, improving accuracy and validation. Since each tool uses passive methods for information gathering, this approach does not create any additional noise or overhead against the target domain.
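The pattern behind both the enum.sh script above and SubWalker, as an added example that is neither the post's nor SubWalker's own code: the three tools are launched in parallel and their raw output is normalised, restricted to the target's scope, and de-duplicated. It assumes subscraper.py, assetfinder and sublist3r are installed and on PATH; the offline demo at the end runs on constructed sample output, not real results.

```shell
#!/usr/bin/env bash
# Added example (not SubWalker's code): run passive enumeration tools in parallel,
# then merge their output into one de-duplicated, in-scope list.
# Assumes subscraper.py, assetfinder and sublist3r are installed and on PATH.
set -eu

# Launch all three tools against $1 in the background, each writing to $2/<tool>.txt,
# and wait for every job before returning (the parallel step in the SubWalker approach).
run_tools_parallel() {
  local target=$1 outdir=$2
  mkdir -p "$outdir"
  python3 subscraper.py "$target" -o "$outdir/subscraper.txt" >/dev/null 2>&1 &
  assetfinder --subs-only "$target" > "$outdir/assetfinder.txt" 2>/dev/null &
  sublist3r -d "$target" -o "$outdir/sublist3r.txt" >/dev/null 2>&1 &
  wait
}

# merge_results TARGET OUT_OF_SCOPE_FILE FILE... : lower-case every line, strip URL
# prefixes, wildcards and trailing dots, keep only hosts under TARGET, drop exact
# matches listed in the out-of-scope file, and print a sorted list without duplicates.
merge_results() {
  local target=$1 oos=$2 host; shift 2
  cat "$@" | tr '[:upper:]' '[:lower:]' \
    | sed -e 's|^https*://||' -e 's/^\*\.//' -e 's/\.$//' \
    | while IFS= read -r host; do
        case "$host" in
          "$target"|*".$target") printf '%s\n' "$host" ;;   # in scope; anything else is dropped
        esac
      done \
    | if [ -s "$oos" ]; then grep -vxFf "$oos"; else cat; fi \
    | sort -u
}

# Offline demo on constructed sample output (not real tool results): mixed case,
# a wildcard, a trailing dot, a URL prefix, a look-alike domain and an out-of-scope host.
demo() {
  local tmp; tmp=$(mktemp -d)
  printf 'www.example.com\nAPI.example.com\nmail.example.com.\n' > "$tmp/subscraper.txt"
  printf '*.dev.example.com\nwww.example.com\nexample.com\n' > "$tmp/assetfinder.txt"
  printf 'https://api.example.com\nnotexample.com\nexample.com.evil.net\n' > "$tmp/sublist3r.txt"
  printf 'mail.example.com\n' > "$tmp/out_of_scope"
  merge_results example.com "$tmp/out_of_scope" \
    "$tmp/subscraper.txt" "$tmp/assetfinder.txt" "$tmp/sublist3r.txt"
  rm -rf "$tmp"
}

demo
```

For a live run, call run_tools_parallel followed by merge_results on the files it produced instead of demo.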
Wrapping it up
It’s important to note that automation should not replace manual testing altogether. There are often findings that are only discovered through manual analysis and user interaction. However, Bash scripting is a great way to automate repetitive tasks and free up time to spend on more advanced findings, which often result in higher payouts.