A Conceptual Introduction to Automating Bug Bounties
- Create an account on Zulip
- Navigate to
Settings > Your Bots > Add a new bot
- Create a new generic bot named
kenzer
- Add all the configurations in
configs/kenzer.conf
- Install/Run using -
./install.sh -b
[if you needkenzer-compatible
binaries to be installed]./install.sh
[if you do not needkenzer-compatible
binaries to be installed]./run.sh
[if you do not need installation at all]./service.sh
[initialize it as a service post-installation] (preferred)bash swap.sh
[in case you are facing memory issues]
- Interact with
kenzer
using Zulip client, by adding bot to a stream or via DM. - Test
@**kenzer** man
as Zulip input to display available commands. - All the commands can be used by mentioning the chatbot using the prefix
@**kenzer**
.
blacklist <target>,<regex>
- initializes & removes blacklisted targetswhitelist <target>,<regex>
- initializes & keeps only whitelisted targetsprogram <target>,<link>
- initializes the program to which target belongssubenum <target>
- enumerates subdomainsrepenum <target>
- enumerates reputation of subdomainsportenum <target>
- enumerates open portsservenum <target>
- enumerates serviceswebenum <target>
- enumerates webserversheadenum <target>
- enumerates additional info from webserversurlheadenum <target>
- enumerates additional info from urlsasnenum <target>
- enumerates asn recordsdnsenum <target>
- enumerates dns recordsconenum <target>
- enumerates hidden files & directoriesurlenum <target>
- enumerates urlssocenum <target>
- enumerates social media accountssubscan <target>
- hunts for subdomain takeoverscscan[-<severity>] <target>
- scan with customized templatescvescan[-<severity>] <target>
- hunts for CVEsvulnscan[-<severity>] <target>
- hunts for other common vulnerabilitesurlcvescan[-<severity>] <target>
- hunts for CVEs in URLsurlvulnscan[-<severity>] <target>
- hunts for other common vulnerabilites in URLsendscan[-<severity>] <target>
- hunts for vulnerablities in custom endpointsidscan[-<severity>] <target>
- identifies applications running on webserversportscan <target>
- scans open portsbuckscan <target>
- hunts for unreferenced aws s3 bucketsfavscan <target>
- fingerprints webservers using faviconvizscan <target>
- screenshots applications running on webserversenum <target>
- runs all enumerator modulesscan <target>
- runs all scanner modulesrecon <target>
- runs all moduleshunt <target>
- runs your custom workflowupload
- switches upload functionalityupgrade
- upgrades kenzer to latest versionmonitor <target>
- monitors ct logs for new subdomainsmonitor normalize
- normalizes the enumerations from ct logsmonitor db
- monitors ct logs for domains in summary/domain.txtmonitor autohunt <frequency(default=5)>
- starts automated hunt while monitoringsync
- synchronizes the local kenzerdb with githubkenzer <module>
- runs a specific moduleskenzer man
- shows this manual
Although few more modules are available & much more is going to be released in the course of time which can advance this workflow, yet this one is enough to get started with & listed below are few of its successful hunts.
COMPATIBILITY TESTED ON DEBIAN(x64) ONLY
RIGGED WITH LOGIC ISSUES
FEEL FREE TO SUBMIT PULL REQUESTS