fa
Feedback
Bug Bounty Diary

Bug Bounty Diary

رفتن به کانال در Telegram

A diary documenting the journey of finding bugs, with daily notes and useful tricks. Follow for real experiences, discoveries, and practical tips in bug bounty hunting. Group: @BugBounty_Forum

نمایش بیشتر
الهند55 130فناوری و برنامه‌ها16 410
6 482
مشترکین
+224 ساعت
+327 روز
+13130 روز

در حال بارگیری داده...

کانال‌های مشابه
The Bug Bounty Hunter
47.5K
The Bug Bounty Hunter
University Resources!
15.5K
University Resources!
BugCod3
7.3K
BugCod3
PwnSystem
5.8K
PwnSystem
Technical Navigator
2.3K
Technical Navigator
avatar
1
کانال‌های بیشتر
ابر برچسب‌ها
هیچ داده‌ای
مشکلی وجود دارد؟ لطفاً صفحه را تازه کنید یا با مدیر پشتیبانی ما تماس بگیرید.
اشارات ورودی و خروجی
---
---
---
---
---
---
جذب مشترکین
ژوئن '26
ژوئن '26
+60
در 0 کانال‌ها
مه '26
+231
در 2 کانال‌ها
Get PRO
آوریل '26
+129
در 0 کانال‌ها
Get PRO
مارس '26
+90
در 0 کانال‌ها
Get PRO
فوریه '26
+174
در 1 کانال‌ها
Get PRO
ژانویه '26
+189
در 1 کانال‌ها
Get PRO
دسامبر '25
+482
در 6 کانال‌ها
Get PRO
نوامبر '25
+1 348
در 3 کانال‌ها
Get PRO
اکتبر '250
در 0 کانال‌ها
Get PRO
سپتامبر '250
در 0 کانال‌ها
Get PRO
اوت '250
در 0 کانال‌ها
Get PRO
ژوئیه '250
در 1 کانال‌ها
Get PRO
ژوئن '250
در 0 کانال‌ها
Get PRO
مه '25
+73
در 0 کانال‌ها
Get PRO
آوریل '25
+219
در 0 کانال‌ها
Get PRO
مارس '25
+161
در 0 کانال‌ها
Get PRO
فوریه '25
+209
در 3 کانال‌ها
Get PRO
ژانویه '25
+301
در 3 کانال‌ها
Get PRO
دسامبر '24
+446
در 1 کانال‌ها
Get PRO
نوامبر '24
+716
در 1 کانال‌ها
Get PRO
اکتبر '24
+765
در 2 کانال‌ها
Get PRO
سپتامبر '24
+365
در 1 کانال‌ها
Get PRO
اوت '24
+280
در 1 کانال‌ها
Get PRO
ژوئیه '24
+191
در 1 کانال‌ها
Get PRO
ژوئن '24
+133
در 1 کانال‌ها
Get PRO
مه '24
+211
در 1 کانال‌ها
Get PRO
آوریل '24
+457
در 3 کانال‌ها
تاریخ
رشد مشترکین
اشارات
کانال‌ها
10 ژوئن+2
09 ژوئن+3
08 ژوئن+8
07 ژوئن+8
06 ژوئن+9
05 ژوئن+9
04 ژوئن+2
03 ژوئن+6
02 ژوئن+7
01 ژوئن+6
پست‌های کانال
Bug Bounty Diary
-----‐------------------------------- ✎ Discovering Domains via NS Correlation -----‐------------------------------- ● What is a Nameserver? A nameserver (NS) is a specialised server within the Domain Name System (DNS) which translates human-readable domain names into IP addresses. Essentially, nameservers tell the internet where to find your web server. In this post I will describe a simple technique which can be used to correlate one or more websites using NS data.Finding Nameservers To find the nameservers for a domain name, the simplest way is to use the dig tool: 
$ dig +noall +answer ns deliveroo.com
deliveroo.com.          86400   IN      NS      mona.ns.cloudflare.com.
deliveroo.com.          86400   IN      NS      phil.ns.cloudflare.com.
Finding Related Domains Some DNS providers like Cloudflare will assign you a NS pair at the account level. This means that all domain names you add to your account will share the same NS pair. In the example above, deliveroo.com uses the Cloudflare nameserver pair mona.ns.cloudflare.com and phil.ns.cloudflare.com. Domains added under the same Cloudflare account are often assigned the same NS pair. Since the number of possible Cloudflare NS pair combinations is limited, many domains share them, making it relatively easy to identify other domains that may be managed by the same operator. ● Downloading The Dataset Merklemap provides a DNS record database containing 4 billion+ records. You can download it here. The dataset is provided in JSONL format and is compressed using xz. The uncompressed raw data is around ~500GB in size. If you just want to extract domain/NS pairs in the format domain,ns1,ns2,ns... you can use xzcat with jq like so: 
xzcat dns_records_database.jsonl.xz | jq -r '
  select([.results[] | .success?.records?.NS? // empty] | length > 0) |
  [.hostname] + [.results[].success?.records?.NS? // empty | .[]] |
  join(",")
' > domains.csv
Querying the Dataset One way to query the parsed data is using DuckDB. grep will also work but will probably be a bit slower. 
NS1="phil.ns.cloudflare.com."
NS2="mona.ns.cloudflare.com."
duckdb -csv -noheader -c "
  SELECT column0 AS domain, column1 AS ns
  FROM read_csv('domains.csv', header=false)
  WHERE list_sort(str_split(column1, ',')) = list_sort(['${NS1}','${NS2}'])
" > results.csv
Looking at results.csv we have ~300 entries. A lot are false positives, but there are some new domains which definitely belong to the same operator: 
$ grep -i deliveroo results.csv | cut -d, -f1
deliveroo.de
deliveroo.blog
deliveroo.xn--9dbq2a
... 32 more
In a lot of cases you might not be able to correlate one website to another based on just a keyword in the domain name. In those cases you can do things like: • Fingerprint HTTP responses • Compare WHOIS information • Compare technologies used • DNS similarities #bugbounty #recon #DNS © T.me/BugBounty_Diary

2
-----‐------------------------------- ✎ Discovering Domains via NS Correlation -----‐------------------------------- ● What is a Nameserver? A nameserver (NS) is a specialised server within the Domain Name System (DNS) which translates human-readable domain names into IP addresses. Essentially, nameservers tell the internet where to find your web server. In this post I will describe a simple technique which can be used to correlate one or more websites using NS data. ● Finding Nameservers To find the nameservers for a domain name, the simplest way is to use the dig tool: $ dig +noall +answer ns deliveroo.com deliveroo.com. 86400 IN NS mona.ns.cloudflare.com. deliveroo.com. 86400 IN NS phil.ns.cloudflare.com. ● Finding Related Domains Some DNS providers like Cloudflare will assign you a NS pair at the account level. This means that all domain names you add to your account will share the same NS pair. In the example above, deliveroo.com uses the Cloudflare nameserver pair mona.ns.cloudflare.com and phil.ns.cloudflare.com. Domains added under the same Cloudflare account are often assigned the same NS pair. Since the number of possible Cloudflare NS pair combinations is limited, many domains share them, making it relatively easy to identify other domains that may be managed by the same operator. ● Downloading The Dataset Merklemap provides a DNS record database containing 4 billion+ records. You can download it here. The dataset is provided in JSONL format and is compressed using xz. The uncompressed raw data is around ~500GB in size. If you just want to extract domain/NS pairs in the format domain,ns1,ns2,ns... you can use xzcat with jq like so: xzcat dns_records_database.jsonl.xz | jq -r ' select([.results[] | .success?.records?.NS? // empty] | length > 0) | [.hostname] + [.results[].success?.records?.NS? // empty | .[]] | join(",") ' > domains.csv ● Querying the Dataset One way to query the parsed data is using DuckDB. grep will also work but will probably be a bit slower. NS1="phil.ns.cloudflare.com." NS2="mona.ns.cloudflare.com." duckdb -csv -noheader -c " SELECT column0 AS domain, column1 AS ns FROM read_csv('domains.csv', header=false) WHERE list_sort(str_split(column1, ',')) = list_sort(['${NS1}','${NS2}']) " > results.csv Looking at results.csv we have ~300 entries. A lot are false positives, but there are some new domains which definitely belong to the same operator: $ grep -i deliveroo results.csv | cut -d, -f1 deliveroo.de deliveroo.blog deliveroo.xn--9dbq2a ... 32 more In a lot of cases you might not be able to correlate one website to another based on just a keyword in the domain name. In those cases you can do things like: • Fingerprint HTTP responses • Compare WHOIS information • Compare technologies used • DNS similarities #bugbounty #recon #DNS © T.me/BugBounty_Diary
1
3
-----‐------------------------------- ✎ Linux Security → SUID & Privilege Boundaries -----‐------------------------------- In Linux, security heavily depends on permission architecture. One critical mechanism is SUID (Set User ID). ● What is SUID? When SUID is applied to an executable, it runs with the file owner’s permissions instead of the executing user’s. If the file is owned by root, it grants elevated privileges. [me@linux ~]$ ls -l /usr/bin/passwd -rwsr-xr-x 1 root root ... • The s indicates SUID. This allows normal users to run passwd, which needs root access to update /etc/shadow. SUID itself is legitimate, misconfigured SUID binaries are dangerous. If powerful binaries like: • bash • vim • find are improperly assigned SUID, they may be abused for privilege escalation. ● Enumerating SUID Binaries find / -perm -4000 -type f 2>/dev/null This way we can find the files with SUID. ● A Usage example: Let's say find has SUID find . -exec /bin/sh -p \; -quit With this you can open a shell as the root. ● To Audit You need find the files with SUID the way I said before and delete the tag : chmod u-s /path/to/binary #bugbounty #Linux © T.me/BugBounty_Diary
2 369
4
✎ CompTIA Network+ Summary - Module 3 Module 3 is now live on my Hashnode series. --Interfaces & Switches-- As always strippe
✎ CompTIA Network+ Summary - Module 3 Module 3 is now live on my Hashnode series. --Interfaces & Switches-- As always stripped down to the essentials with no fluff. • Blog: Network+ Summary - Module 3
2 235
5
✎ ASN → IP Recon Workflow (BGPView alternative) I used to rely on bgpview.io for extracting IP ranges from ASNs it was free a
✎ ASN → IP Recon Workflow (BGPView alternative) I used to rely on bgpview.io for extracting IP ranges from ASNs it was free and useful for recon workflows. But after it went down, I looked for an alternative and found this awesome repo: • as-ip-blocks: Github It lets you pull IPv4/IPv6 prefixes per ASN directly from raw GitHub data, which is ideal for automation. </> Bash Function for ASN → IP Enumeration You can plug this directly into your recon pipeline or customize it for your tools asn2ip() { local base="https://raw.githubusercontent.com/ipverse/as-ip-blocks/master/as" fetch_asn() { curl -fsSL "$base/$1/aggregated.json" \ | jq -r '.prefixes.ipv4[]?' 2>/dev/null \ | sort -u } if [ ! -t 0 ]; then while IFS= read -r asn; do fetch_asn "$asn" done else fetch_asn "$1" fi } • Single ASN → IP Ranges asn2ip 1234 • List of ASNs → IP Ranges cat asnList | asn2ip #bugbounty #recon #automation © T.me/BugBounty_Diary
0
6
✎ ASN → IP Recon Workflow (BGPView alternative) I used to rely on bgpview.io for extracting IP ranges from ASNs it was free a
✎ ASN → IP Recon Workflow (BGPView alternative) I used to rely on bgpview.io for extracting IP ranges from ASNs it was free and useful for recon workflows. But after it went down, I looked for an alternative and found this awesome repo: • as-ip-blocks: Github It lets you pull IPv4/IPv6 prefixes per ASN directly from raw GitHub data, which is ideal for automation. </> Bash Function for ASN → IP Enumeration You can plug this directly into your recon pipeline or customize it for your tools asn2ip() { local base="https://raw.githubusercontent.com/ipverse/as-ip-blocks/master/as" fetch_asn() { curl -fsSL "$base/$1/aggregated.json" \ | jq -r '.prefixes.ipv4[]?' 2>/dev/null \ | sort -u } if [ ! -t 0 ]; then while IFS= read -r asn; do fetch_asn "$asn" done else fetch_asn "$1" fi } • Single ASN → IP Ranges asn2ip 1234 • List of ASNs → IP Ranges cat asnList | asn2ip #bugbounty #recon #automation © T.me/BugBounty_Diary
0
7
✎ CompTIA Network+ Summary - Module 2 Module 2 is now live on my Hashnode series. Stripped down to the essentials, focusing o
✎ CompTIA Network+ Summary - Module 2 Module 2 is now live on my Hashnode series. Stripped down to the essentials, focusing only on what actually matters for understanding networks from a cybersecurity perspective. • Blog: Network+ Summary - Module 2 #bugbounty #network © T.me/BugBounty_Diary
0
مشاهده همه پست‌ها