Categories
bugbountytip hacking-tools tutorials

Introducing Haktrails: A Small CLI Tool Harnessing the Power of SecurityTrails

Yes, I made a logo for my tool. It’s a wolf with a moon on its head. It has nothing to do with the tool, but if you like wolves then you will probably enjoy it. I am quite talented at graphic design: I changed the text to “haktrails” all by myself. The wolf bit was a free Canva template.

Quick Ad Break

Full disclosure – SecurityTrails has sponsored me to write this tool and create some content because they’re running Bug Bounty Hunting Month. As part of that, they’ve released a plan that is catered directly to bug bounty hunters. If you’re a bug bounty hunter, you should buy this. I know it doesn’t quite mean as much when I’m being sponsored, but I would legitimately recommend this product even if I wasn’t. They’re offering the plan for $50 per month. If you sign up after April 15th you’ll be paying double that. I’ve used the features included in this plan for ages, but I paid a lot more for them! If you actively use it, even at $99 per month, the ROI is insanely good, and now you’ll have the perfect companion tool to make full use of it! Click here to check out the details.

Okay I’ll stop harassing you now.

Why Haktrails

Building a huge distributed recon system is great and all but at some point it becomes more cost/time effective to just pay for access to recon data that someone else has gathered. Working with APIs can be a bit awkward though. Wouldn’t it be lovely if there was a nifty little tool that did all of the API calls for you, and integrated nicely with your existing tools? 🤔

Yes. Yes it would! That’s exactly what haktrails does.

Features

  • Stdin input for easy tool chaining
  • “JSON” or “list” output options for easy tool chaining
  • Subdomain discovery
  • Associated root domain discovery
  • Associated IP discovery
  • Historical DNS data
  • Historical whois data
  • Company discovery (discover the owner of a domain)
  • Whois (returns json whois data for a given domain)
  • Ping (check that your current SecurityTrails configuration/key is working)
  • Usage (check your current SecurityTrails usage)

How to Use It

Setting Up the Config File

Before you do anything, you need to create a config file. The default location for the config file is:

~/.config/haktools/haktrails-config.yml 

The config file should look like this:

securitytrails:
  key: <your api key>

You are all hackers so I know I don’t need to say this, but make sure you replace “<your api key>” with your actual SecurityTrails API key.

Installing the Tool

First, install golang on your computer, then run the following command:

go get github.com/hakluke/haktrails

You should now have the haktrails binary at ~/go/bin/haktrails. If you haven’t already, I’d recommend adding ~/go/bin/ to your $PATH so that you can just type haktrails instead of ~/go/bin/haktrails.

Using the Tool

Note

In these examples, domains.txt is a list of root domains that you wish to gather data on. For example:

hakluke.com
bugcrowd.com
tesla.com
yahoo.com

Flags

  • The output type can be specified with -o json or -o list. List is the default. List is only compatible with subdomains, associated domains and associated IPs. All the other endpoints will return JSON regardless.
  • The number of threads can be set using -t <number>. This will determine how many domains can be processed at the same time. It’s worth noting that the API has rate-limiting, so setting a really high thread count here will actually slow you down.
  • The config file location can be set with -c <file path>. The default location is ~/.config/haktools/haktrails-config.yml. A sample config file can be seen below.
  • The lookup type for historical DNS lookups can be set with -type <type>, available options are a,aaaa,mx,txt,ns,soa.

Warning

With this tool, it’s very easy to burn through a lot of API credits. For example, if you have 10,000 domains in domains.txt, running cat domains.txt | haktrails subdomains will use 10,000 credits. It’s also worth noting that some functions (such as associated domains) will use multiple API requests. For example, echo "yahoo.com" | haktrails associateddomains would use about 20 API requests, because the data is paginated and yahoo.com has a lot of associated domains.
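Since every unique domain piped into haktrails costs at least one credit, a couple of pre-flight checks are worth running before the pipe. The script below is an added example, not part of haktrails: it verifies the config file actually contains a key (not the “<your api key>” placeholder from the sample config), de-duplicates and normalises the domain list, and estimates how many credits a subdomains run would spend, all without touching the API. The HAKTRAILS_CONFIG variable and the function names are my own, not tool options.

```shell
#!/bin/sh
# Added example (not part of haktrails): pre-flight checks before piping a
# domain list into haktrails, so a bad config or duplicate input does not
# waste SecurityTrails API credits.

# Default config path matches the location the tool uses; the environment
# variable override is an assumption of this script, not a haktrails feature.
CONFIG="${HAKTRAILS_CONFIG:-$HOME/.config/haktools/haktrails-config.yml}"

# Return 0 if the config file exists and its "key:" line is filled in,
# i.e. present and not the literal "<your api key>" placeholder.
check_config() {
  file="$1"
  [ -f "$file" ] || { echo "config not found: $file" >&2; return 1; }
  key=$(sed -n 's/^[[:space:]]*key:[[:space:]]*//p' "$file" | head -n 1)
  case "$key" in
    ""|"<your api key>") echo "API key not set in $file" >&2; return 1 ;;
  esac
  return 0
}

# Normalise a domain list read from stdin: lowercase, strip surrounding
# whitespace, drop blank lines and "#" comments, and remove duplicates.
# Each unique line costs one credit with "haktrails subdomains", so
# duplicates (and "Yahoo.com" vs "yahoo.com") are pure waste.
normalise_domains() {
  tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' | grep -v '^#' | sort -u
}

# Estimate the credits a "subdomains" run over stdin would spend
# (one per unique domain) without calling the API.
estimate_credits() {
  normalise_domains | wc -l | tr -d ' '
}

# Typical use (assumes haktrails is on PATH); the thread count is kept
# low because the API rate-limits and a high -t only slows you down:
#   check_config "$CONFIG" && normalise_domains < domains.txt | haktrails subdomains -t 5
```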

Gathering subdomains

This will gather all subdomains of all the domains listed within domains.txt.

cat domains.txt | haktrails subdomains

Of course, a single domain can also be specified like this:

echo "yahoo.com" | haktrails subdomains

Gathering associated domains

“Associated domains” is a loose term, but it generally just means domains that are owned by the same company. This will gather all associated domains for every domain in domains.txt.

cat domains.txt | haktrails associateddomains

Gathering associated IPs

Again, associated IPs is a loose term, but it generally refers to IP addresses that are owned by the same organisation.

cat domains.txt | haktrails associatedips

Getting historical DNS data

Returns historical DNS data for a domain.

cat domains.txt | haktrails historicaldns

Getting historical whois data

Returns historical whois data for a domain.

cat domains.txt | haktrails historicalwhois

Getting company details

Returns the company that is associated with the provided domain(s).

cat domains.txt | haktrails company

Getting domain details

Returns all details of a domain including DNS records, alexa ranking and last seen time.

cat domains.txt | haktrails details

Getting whois data

Returns whois data in JSON format.

cat domains.txt | haktrails whois

Getting domain tags

Returns “tags” of a specific domain.

cat domains.txt | haktrails tags

Getting API Usage Data

Returns data about API usage on your SecurityTrails account.

haktrails usage

Checking Your API Key

Pings SecurityTrails to check if your API key is working properly.

haktrails ping

Showing Some Average ASCII Art

~$ haktrails banner

	 _       _   _           _ _
	| |_ ___| |_| |_ ___ ___|_| |___
	|   | .'| '_|  _|  _| .'| | |_ -|
	|_|_|__,|_,_|_| |_| |__,|_|_|___|

	    Made with <3 by hakluke
	  Sponsored by SecurityTrails
	         hakluke.com

Getting More Info

For more information and up-to-date usage instructions, check out the Haktrails GitHub repository.

You Made it This Far…

I lovingly craft artisanal hacking tools with my bare hands, and I also write blogs about infosec, bug bounties and life. If that sounds good to you, follow me on socials and pop your email in here:

Categories
bugbountytip entrepreneurship inspiration videos

An Interview With STÖK: Bug Bounties, Hacking, Content Creation, Veganism and Entrepreneurship

@stokfredrik (STÖK) is an inspirational, motivational hacker, bug bounty hunter, entrepreneur, vegan and content creator. In this interview we chat about mental health, hacking, content creation, sunglasses, haircare, COVID19, veganism and entrepreneurship!

Book Recommendation: Untethered Soul https://www.amazon.com.au/Untethered-…

Hair maintenance: Razul Clay

STÖK’s manifesto:

Hackers gonna hack.

Creators gonna create.

Good vibes only.

Categories
bugbountytip videos

10 Tips For Crushing Bug Bounties in the First 12 Months

10 actionable tips for bug bounty beginners to boost their success in the first 12 months of hacking. Don’t forget to subscribe for more!

Categories
bugbountytip tutorials

How to use Surge.sh: The perfect host for XSS payloads

Surge.sh flies under the radar of many, but it’s pretty common among static-site developers. Personally, I find it to be the best place for hosting my XSS payloads. It’s free, easy, they provide SSL, and you can deploy scripts in (literally) seconds.

Earlier today I made a Tweet about how good Surge is for hosting XSS payloads, and a lot of people seemed to like it.

There were some comments that were asking about how to set it up, so I thought I’d write a blog about it.

Let’s say that you have found a nice little XSS, and you’ve managed to write a nice JavaScript payload to perform a full account takeover (as outlined in my blog, How to Upgrade Your XSS Bugs From Medium to Critical). The problem is, you need somewhere to host the payload. It can’t be over plain HTTP, because otherwise you will face mixed-content errors. You can use Ngrok, but that means you need to keep your home computer on until your bug gets triaged, which is not ideal. If you post it to GitHub Pages then everyone can see notifications when you add the script, which gives away your PoC and tells the world which host is vulnerable.

I have been searching for the perfect way to do this for a long time, and I’ve finally found it. Surge.sh! This blog post will show you how to set up surge.sh to deploy your JavaScript payloads in seconds.

Installation

  • First you will need to install NodeJS, which you can download here: https://nodejs.org/en/
  • Run the following command to install the surge CLI tool:

npm install --global surge

That’s it, you’ve installed surge.

Deploying Your Payload

Create an empty directory and navigate to it.

mkdir mypayload
cd mypayload

Create your JavaScript payload (or any static website).

echo "alert(1)" > payload.js

Run “surge” to deploy all files in the current directory, which should just be payload.js if you have been following along.

surge

The first time you run surge, it will ask for your email and a password. Once you’ve set that up it won’t ask you again.

The screenshot below shows the whole deployment process.

The surge command usually takes a few seconds. Once it’s done, your payload will be accessible at the subdomain that you specified. In this case, I just used the automatically chosen one, which happened to be kind-wrench.surge.sh. So now my JavaScript file is accessible at https://kind-wrench.surge.sh/payload.js

I should say that Surge isn’t just for XSS payloads; it is very good at hosting full static sites.

If you enjoyed this, follow me on my socials!