Red Team Tools and Methodology
Purpose
Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
Inputs/Prerequisites
- Target scope definition (domains, IP ranges, applications)
- Linux-based attack machine (Kali, Ubuntu)
- Bug bounty program rules and scope
- Tool dependencies installed (Go, Python, Ruby)
- API keys for various services (Shodan, Censys, etc.)
Outputs/Deliverables
- Comprehensive subdomain enumeration
- Live host discovery and technology fingerprinting
- Identified vulnerabilities and attack vectors
- Automated recon pipeline outputs
- Documented findings for reporting
Core Workflow
1. Project Tracking and Acquisitions
Set up reconnaissance tracking:
# Create project structure
mkdir -p target/{recon,vulns,reports}
cd target
# Find acquisitions using Crunchbase
# Search manually for subsidiary companies
# Get ASN for targets
amass intel -org "Target Company" -src
# Alternative ASN lookup
curl -s "https://bgp.he.net/search?search=targetcompany&commit=Search"2. Subdomain Enumeration
Comprehensive subdomain discovery:
# Create wildcards file
echo "target.com" > wildcards
# Run Amass passively
amass enum -passive -d target.com -src -o amass_passive.txt
# Run Amass actively
amass enum -active -d target.com -src -o amass_active.txt
# Use Subfinder
subfinder -d target.com -silent -o subfinder.txt
# Asset discovery
cat wildcards | assetfinder --subs-only | anew domains.txt
# Alternative subdomain tools
findomain -t target.com -o
# Generate permutations with dnsgen
cat domains.txt | dnsgen - | httprobe > permuted.txt
# Combine all sources
cat amass_*.txt subfinder.txt | sort -u > all_subs.txt3. Live Host Discovery
Identify responding hosts:
# Check which hosts are live with httprobe
cat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt
# Use httpx for more details
cat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt
# Alternative with massdns
massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt4. Technology Fingerprinting
Identify technologies for targeted attacks:
# Whatweb scanning
whatweb -i hosts.txt -a 3 -v > tech_stack.txt
# Nuclei technology detection
nuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt
# Wappalyzer (if available)
# Browser extension for manual review5. Content Discovery
Find hidden endpoints and files:
# Directory bruteforce with ffuf
ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
# Historical URLs from Wayback
waybackurls target.com | tee wayback.txt
# Find all URLs with gau
gau target.com | tee all_urls.txt
# Parameter discovery
cat all_urls.txt | grep "=" | sort -u > params.txt
# Generate custom wordlist from historical data
cat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt6. Application Analysis (Jason Haddix Method)
**Heat Map Priority Areas:**
- **File Uploads** - Test for injection, XXE, SSRF, shell upload
- **Content Types** - Filter Burp for multipart forms
- **APIs** - Look for hidden methods, lack of auth
- **Profile Sections** - Stored XSS, custom fields
- **Integrations** - SSRF through third parties
- **Error Pages** - Exotic injection points
**Analysis Questions:**
- How does the app pass data? (Params, API, Hybrid)
- Where does the app talk about use
<!-- truncated -->