A Conceptual Introduction to Automating Bug Bounties
- Run git clone https://github.com/ARPSyndicate/kenzer /root/kenzer && cd /root/kenzer (preferred)
- Create an account on Zulip
- Navigate to Settings > Your Bots > Add a new bot
- Create a new generic bot named kenzer
- Add all the configurations in configs/kenzer.conf
- Install/Run using -
  - ./install.sh -b [if you need kenzer-compatible binaries to be installed] (preferred)
  - ./install.sh [if you do not need kenzer-compatible binaries to be installed]
  - ./run.sh [if you do not need installation at all]
  - ./service.sh [initialize it as a service post-installation] (preferred)
  - bash swap.sh [in case you are facing memory issues]
- Interact with kenzer using Zulip client, by adding bot to a stream or via DM.
- Test @**kenzer** man as Zulip input to display available commands.
- All the commands can be used by mentioning the chatbot using the prefix @**kenzer** (name of your chatbot).
- blacklist <target>,<regex> - initializes & removes blacklisted targets
- whitelist <target>,<regex> - initializes & keeps only whitelisted targets
- program <target>,<link> - initializes the program to which target belongs
- subenum[-<mode>[active/passive]] <target> - enumerates subdomains
- repenum <target> - enumerates reputation of subdomains
- repoenum <target> - enumerates github repositories
- portenum[-<mode>[100/1000/full/fast]] <target> - enumerates open ports
- servenum <target> - enumerates services
- webenum <target> - enumerates webservers
- headenum <target> - enumerates additional info from webservers
- urlheadenum <target> - enumerates additional info from urls
- asnenum <target> - enumerates asn records
- dnsenum <target> - enumerates dns records
- conenum <target> - enumerates hidden files & directories
- urlenum[-<mode>[active/passive]] <target> - enumerates urls
- socenum <target> - enumerates social media accounts
- subscan <target> - hunts for subdomain takeovers
- reposcan <target> - scans github repositories for api key leaks
- cscan[-<severity>[critical/high/medium/low/info]] <target> - scan with customized templates
- cvescan[-<severity>[critical/high/medium/low/info]] <target> - hunts for CVEs
- vulnscan[-<severity>[critical/high/medium/low/info]] <target> - hunts for other common vulnerabilities
- endscan[-<severity>[critical/high/medium/low/info]] <target> - hunts for vulnerabilities in custom endpoints
- idscan[-<severity>[critical/high/medium/low/info]] <target> - identifies applications running on webservers
- portscan <target> - scans open ports (nmap)(slow)
- shodscan <target> - scans open ports (shodan)(fast)
- buckscan <target> - hunts for unreferenced aws s3 buckets
- favscan <target> - fingerprints webservers using favicon
- vizscan <target> - screenshots applications running on webservers
- enum <target> - runs all enumerator modules
- scan <target> - runs all scanner modules
- recon <target> - runs all modules
- hunt <target> - runs your custom workflow
- upload - switches upload functionality
- upgrade - upgrades kenzer to latest version
- monitor <target> - monitors ct logs for new subdomains
- monitor normalize - normalizes the enumerations from ct logs
- monitor db - monitors ct logs for domains in summary/domain.txt
- monitor autohunt <frequency(default=5)> - starts automated hunt while monitoring
- sync - synchronizes the local kenzerdb with github
- freaker <module> [<target>] - runs freaker module
- kenzer <module> - runs a specific module
- kenzer man - shows this manual
A few more modules are available, and many more will be released over time to advance this workflow, but this set is enough to get started with. Listed below are a few of its successful hunts.
COMPATIBILITY TESTED ON DEBIAN(x64) ONLY
RIGGED WITH LOGIC ISSUES
FEEL FREE TO SUBMIT PULL REQUESTS