Ecosyste.ms: Awesome


https://github.com/hahwul/hack-pet

🐰 Managing command snippets for hackers/bug bounty hunters with pet.

bugbounty bugbountytips command-line-manager go golang hacking pet snippets tool

Last synced: 13 days ago

README

## hack-pet
hack-pet is a collection of command snippets that are useful to hackers and bug bounty hunters. It is similar to [recon_profile](https://github.com/nahamsec/recon_profile), but it is built on [pet](https://github.com/knqyf263/pet), which makes the command set easier to manage and extend.

### What is pet
Simple command-line snippet manager, written in Go => [pet](https://github.com/knqyf263/pet)

### How to use hack-pet
Add the snippets you like from the list below to pet's snippet TOML file (`~/.config/pet/snippet.toml`, or open it with `$ pet edit`). To add all of them at once, append the whole `hackpet.toml` to that file.

1) Append the hackpet.toml file to pet's snippet file
```text
$ cat ./hackpet.toml >> ~/.config/pet/snippet.toml
```

2) Run pet
```text
$ pet exec

or

$ pet search
```

3) hack-pet's snippets now show up in pet. Every hack-pet snippet carries the tag `#hackpet`, so if you have many snippets in use you can find these quickly by searching for that tag.

## Screenshot

## Tree
```text
.
├── hackpet.toml => all snippets
└── snippets => collection of snippets
```

## Snippets

| Description | Command |
| ----------- | ------- |
| Find All Allocated IP ranges for ASN given an IP address | `whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net \| grep origin: \| awk '{print $NF}' \| head -1) \| grep -w "route:" \| awk '{print $NF}' \| sort -n` |
| Android set proxy | `adb shell settings put global http_proxy :` |
| Android unset proxy | `adb shell settings put global http_proxy :0` |
| Brute forcing for endpoints with dirsearch | `dirsearch -e php,asp,aspx,jsp,py,txt,conf,config,bak,backup,swp,old,db,sql -u ` |
| certprobe / runs httprobe on all the hosts from certspotter | `curl -s https://crt.sh/\?q\=\%.\&output\=json \| jq -r '.[].name_value' \| sed 's/\*\.//g' \| sort -u \| httprobe \| tee -a ./all.txt` |
| Extract subdomains from IP Range | `nmap -sn \| grep "" \| awk '{print $5}'` |
| Find subdomain and takeover (with subfinder/amass/assetfinder/subjack) | `subfinder -d >> domains ; assetfinder -subs-only >> domains ; amass enum -norecursive -noalts -d >> domains ; subjack -w domains -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v \| tee takeover` |
| Find LFI with gau | `~/go/bin/gau \| ~/go/bin/gf lfi \| ~/go/bin/qsreplace "/etc/passwd" \| xargs -I % -P 25 sh -c 'curl -s "%" 2>&1 \| grep -q "root:x" && echo "VULN! %"'` |
| Find OpenRedirect with gau | `export LHOST="http://localhost"; gau \| gf redirect \| qsreplace "$LHOST" \| xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 \| grep -q "Location: $LHOST" && echo "VULN! %"'` |
| Get bugcrowd programs | `curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json \| jq -r '.[].targets.in_scope[] \| [.target, .type] \| @tsv'` |
| Get CIDR and Orgz from target lists | `for DOMAIN in $(cat );do echo $(for ip in $(dig a $DOMAIN +short); do whois $ip \| grep -e "CIDR\\|Organization" \| tr -s " " \| paste - -; done \| uniq); done` |
| Get hackerone programs | `curl -sL https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true \| jq -r '.[].targets.in_scope[] \| [.asset_identifier, .asset_type] \| @tsv'` |
| Get intigriti programs | `curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/intigriti_data.json \| jq -r '.[].targets.in_scope[] \| [.endpoint, .type] \| @tsv'` |
| Get Subdomains from Archive | `curl -s "http://web.archive.org/cdx/search/cdx?url=*./*&output=text&fl=original&collapse=urlkey" \| sed -e 's_https*://__' -e "s/\/.*//" \| sort -u` |
| Get Subdomains from BufferOverRun | `curl -s https://dns.bufferover.run/dns?q=. \|jq -r .FDNS_A[]\|cut -d',' -f2\|sort -u` |
| Get Subdomains from CertSpotter | `curl -s "https://certspotter.com/api/v0/certs?domain=" \| grep -Po "((http\|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" \| sort -u` |
| Get Subdomains from crt.sh | `curl -s "https://crt.sh/?q=%25.&output=json" \| jq -r '.[].name_value' \| sed 's/\*\.//g' \| sort -u` |
| Get Subdomains from JLDC | `curl -s "https://jldc.me/anubis/subdomains/?" \| grep -Po "((http\|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" \| sort -u` |
| Get Subdomains from RapidDNS.io | `curl -s "https://rapiddns.io/subdomain/?full=1#result" \| grep "" \| grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" \| sort -u` |
| Get Subdomains from VirusTotal | `curl -s "https://www.virustotal.com/ui/domains//subdomains?limit=40" \| grep -Po "((http\|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" \| sort -u` |
| Get url with gau, included parameter | `echo \| ~/go/bin/gau \| grep "=" \| qsreplace -a ` |
| Get all the urls out of a sitemap.xml | `curl -s \| xmllint --format - \| grep -e 'loc' \| sed -r 's\|?loc>\|\|g'` |
| Get urls from urlscanio | `gron "https://urlscan.io/api/v1/search/?q=domain:" \| grep 'url' \| gron --ungron` |
| Find XSS with gospider | `gospider -S -c 10 -d 5 --blacklist ".(jpg\|jpeg\|gif\|css\|tif\|tiff\|png\|ttf\|woff\|woff2\|ico\|pdf\|svg\|txt)" --other-source \| grep -e "code-200" \| awk '{print $5}'\| grep "=" \| qsreplace -a \| dalfox pipe -o result.txt` |
| ipinfo | `curl http://ipinfo.io/` |
| Create a wordlist using param used in the domain | `waybackurls \| grep "?" \| unfurl keys \| sort -u \| tee -a paramlist.txt` |
| Ports Scan without CloudFlare | `subfinder -silent -d \| filter-resolved \| cf-check \| sort -u \| naabu -rate 40000 -silent -verify \| httprobe` |
| Sort & Tested Domains from Recon.dev | `curl "https://recon.dev/api/search?key=&domain=" \|jq -r '.[].rawDomains[]' \| sed 's/ //g' \| sort -u \|httpx -silent` |
| Find Subdomains TakeOver | `subfinder -d >> domains ; assetfinder -subs-only >> domains ; amass enum -norecursive -noalts -d >> domains ; subjack -w domains -t 100 -timeout 30 -ssl -c ~/go/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover ;` |
| Get multiple target's Custom URLs from ParamSpider | `cat \| xargs -I % python3 ~/tool/ParamSpider/paramspider.py -l high -o ./spidering/paramspider/% -d % ;` |
| URLs Probing with cURL + Parallel | `cat \| parallel -j50 -q curl -w 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk` |

## Contribute
First, make a snippet TOML file with `hack-pet add`
```text
$ hack-pet add
add called
[command]
>>> echo | ~/go/bin/gau | grep "=" | qsreplace -a
echo | ~/go/bin/gau | grep "=" | qsreplace -a

[desc]
>>> get url with gau, included parameter
get url with gau, included parameter

[toml filename | e.g nmap_full_scan.toml]
>>> get_url_param.toml
get_url_param.toml

[[snippets]]
command = "echo | ~/go/bin/gau | grep \"=\" | qsreplace -a "
description = "get url with gau, included parameter"
output = ""
tag = ["hackpet"]
```

or

Write the TOML yourself in the `./snippets` directory
```toml
[[snippets]]
command = "echo | ~/go/bin/gau | grep \"=\" | qsreplace -a "
description = "Get url with gau, included parameter"
output = ""
tag = ["hackpet"]

```
Please include `hackpet` in the tag list. This lets you distinguish hack-pet snippets from your other snippets.

Second, move your TOML file into the `./snippets/` directory
```text
$ mv get_url_param.toml ./snippets/
```

Finally, send a pull request with your TOML file in `./snippets/`!

## Merge (for me)
```text
$ hack-pet merge
$ git add hackpet.toml README.md
$ git commit -m "merge and distribute readme"
$ git push -u origin master
```
One-liner:
```text
$ hack-pet merge
$ git add hackpet.toml README.md ; git commit -m "merge and distribute readme" ; git push -u origin master
```