Create Your Ultimate Bug Bounty Automation Without Nerdy Bash Skills (Part 1)

Tarun Koyalwar
Published in InfoSec Write-ups · 4 min read · May 15, 2022


Hey everyone, I hope you are all doing well. I have been programming in multiple languages for some time now, so I thought writing bash automation scripts would be fairly simple. It turned out that bash sucks!

So I created a new tool, talosplus, which makes it possible to write and run even the most complex bash scripts in the easiest way possible. This article is all about understanding and using talosplus.

TalosPlus

About Me —

I’m Tarun, a security researcher and bug hunter from India. I hunt for bugs or build new bug bounty tools daily. This is my first blog post and I hope it conveys what I intend to describe.


Why Automate Content Discovery?

If you have already watched the Content Discovery episode of Bounty Thursdays, you already know the answer.

Content discovery is the most crucial step: the chance of finding a bug depends heavily on your content discovery methodology. On a single domain this matters less, but on wildcard scopes like Grammarly, Tesla, etc., automation is crucial and saves a lot of time and exhaustion.

Intelligent Automation —

Simply saving all the commands you use in a text file and running it is easy, but it is counterproductive. If you want an idea of how complex a bash script that is actually productive can get, check out reconftw.

reconftw is just the baseline. If that is all you use, you are missing a lot of interesting stuff like bash one-liners, gf-patterns and much more. If you want to improve your chance of finding bugs you must have your own personal automation, and an intelligent one at that.


Executing Commands in Parallel & Race Conditions—

Executing commands in parallel is the best way to speed up a bash script, but it creates its own problems, and the worst of them are passing data into each command and extracting and saving its output. When several commands run at the same time and all append to the same output file, their writes interleave and you lose or corrupt results; to avoid that race condition, bash scripts typically serialise every write behind a .lock file.

talosplus manages all of these problems, abstracts them away, and runs every command in parallel whenever possible.
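To make the problem concrete, here is what the abstraction is hiding, written out by hand in plain POSIX sh. This is an added example, not talosplus code: the probe command is a constructed stand-in for a real tool such as httpx or dnsx, and the host list is made up. It shows the two bash-native answers to the race: give every job its own output file and merge once all jobs are done (no lock needed at all), and, where a shared file really must be updated in place, take a lock first, using mkdir as the lock because it is atomic and portable.

```sh
#!/bin/sh
# Added example: parallel fan-out without output races. Not talosplus code.

# Stand-in for a real probe (httpx, dnsx, ...). Constructed for this example:
# it echoes a result after a variable delay so that jobs finish out of order.
probe() {
    delay=$(( ${#1} % 3 ))
    sleep "0.0$delay"
    printf '%s resolved\n' "$1"
}

# run_parallel INPUT MAXJOBS OUTPUT
# Runs probe once per line of INPUT with up to MAXJOBS jobs in flight.
run_parallel() {
    input=$1; maxjobs=$2; out=$3
    work=$(mktemp -d) || return 1
    n=0
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        n=$((n + 1))
        # one private output file per job: never a shared ">> $out" here
        probe "$host" > "$work/$n.out" </dev/null &
        # throttle with a batch barrier (POSIX sh has no `wait -n`)
        [ $((n % maxjobs)) -ne 0 ] || wait
    done < "$input"
    wait
    # merge, then publish atomically: a reader sees either the old file or
    # the complete new one, never a half-written merge
    cat "$work"/*.out | sort > "$out.tmp"
    mv "$out.tmp" "$out"
    rm -rf "$work"
}

# with_lock LOCKDIR CMD ARGS...
# mkdir(2) is atomic, so exactly one process wins the lock; others spin.
with_lock() {
    lockdir=$1; shift
    until mkdir "$lockdir" 2>/dev/null; do sleep 0.01; done
    "$@"
    rc=$?
    rmdir "$lockdir"
    return $rc
}

# A read-modify-write on a shared file: unlocked, concurrent bumps lose updates.
bump_counter() {
    cur=$(cat "$1" 2>/dev/null || echo 0)
    sleep 0.01   # widen the window between read and write
    echo $((cur + 1)) > "$1"
}

# parallel_bump FILE N  -> bumps FILE N times concurrently, each under the lock
parallel_bump() {
    file=$1; i=0
    while [ "$i" -lt "$2" ]; do
        with_lock "$file.lock" bump_counter "$file" &
        i=$((i + 1))
    done
    wait
    cat "$file"
}

# Demo on a constructed host list.
demo=$(mktemp -d)
printf 'a.example.com\nbb.example.com\nccc.example.com\ndddd.example.com\n' > "$demo/hosts"
run_parallel "$demo/hosts" 2 "$demo/resolved.txt"
cat "$demo/resolved.txt"            # four "... resolved" lines, sorted
parallel_bump "$demo/counter" 20    # 20, not something smaller
rm -rf "$demo"
```

Per-job files are the cheaper design: the lock only exists for state that genuinely has to be shared mid-run, such as a counter or a notification queue. Note also the `mv` at the end: renaming a fully written temp file into place is what keeps a concurrent reader (or a crashed run) from ever seeing a partial result.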

talosplus includes the features that make running bash scripts effective; they are inspired by or taken from popular tools like xargs, parallel, interlace, bbrf and notify.

Subdomain Enum Automation Script

Sample bash script file for talosplus (image)

This is a sample subdomain enumeration bash script I use in my recon process. If you take a closer look you will find that the file has no for loops, pipes, environment variables, local variables or functions; it is just plain old commands and comments. Another interesting thing is that there is no directory structure at all: talosplus provides a filesystem abstraction.

This looks nothing like reconftw or any other automation script, yet it is the fastest and simplest of them all. Let’s dig deeper into the features of talosplus and write your own automation script.

Syntax —

Apart from commands and comments, two different things you can find are

@variables = these are the variables of the script. Instead of bash variables, which start with $, these start with @. They are handled by talosplus and replaced at runtime.

#directives = I call these directives. They handle the most complex parts and are also managed by talosplus. The directives supported by talosplus are #from, #as, #for, #notify, #notifylen and #dir.

Data Storage —

I was heavily inspired by honoki’s bbrf. The original version of Talos just parsed and executed commands with the features above and saved the output to a file. After using bbrf I integrated all of its goodies plus additional features, and the project became talosplus.

talosplus uses MongoDB as the backend to store data, unlike bbrf, which uses CouchDB. It is mostly similar to bbrf but with more features.

All variables declared or present in the bash script can be set and retrieved even after execution has completed, using the get and set subcommands. There are three ways to supply a value to set: pass it as an argument, pipe it in on stdin, or take it from the clipboard. The syntax to get/set any variable in the script is

talosplus get @resolvedsubs // the variable is retrieved from MongoDB

talosplus set --var @resolvers 1.1.1.1 // value passed as an argument; it could also come from a pipe/stdin or the clipboard

Read Next Part to Learn More About Writing Syntax.
