Running Nuclei On All My Bug Bounty Programs

NahamSec

29 Jul 202410:44

Summary

TLDRThe video script details a 24-hour bug bounty program scanning marathon, where the presenter utilized SubFinder and Nuclei to scan 250,000 unique subdomains for vulnerabilities. Despite the extensive scan, few vulnerabilities were found, highlighting the saturation of the automated vulnerability market. The presenter shares insights on using Nuclei for lead generation and finding exposed panels, recommending a cautious approach to avoid overwhelming targets and the subsequent legal complications. The script concludes with a suggestion to focus on manual testing for more fruitful results.

Takeaways

🕵️‍♂️ The speaker spent 24 hours scanning bug bounty programs using SubFinder and Nuclei, identifying approximately 250,000 unique subdomains.
🔍 SubFinder was used for reconnaissance to list all subdomains, which were then used with Nuclei for further scanning.
📚 The Nuclei repository, which was used for scanning, has been turned private for personal reasons, but there are forks available.
⚠️ The speaker received a notice from AWS to stop scanning, highlighting the potential for scanning activities to attract unwanted attention.
💡 For new bug bounty hunters, the speaker advises that automated scanning with Nuclei templates did not yield many vulnerabilities, indicating a saturated market for automated vulnerabilities.
📈 The speaker suggests that while automated scanning may not be profitable, it can be useful for research purposes or to find niche areas of interest.
🗂️ The process involved four phases: data collection, creating a stable environment with batch files, information gathering on exposures, and looking for misconfigurations.
🛠️ The speaker used terminal commands to split the large list of subdomains into manageable batches to avoid timeouts and ensure a smoother scanning process.
🔑 The speaker emphasized the importance of using headers in requests to signify benign intent during the scanning process.
📊 The results of the scans were categorized into different phases, with the speaker finding more value in the lead generation and information gathering phases than in the actual vulnerability scanning.
🚫 The speaker does not recommend large-scale vulnerability scanning due to the headache, scaling issues, and limited monetary returns.

Q & A

What did the speaker do for the last 24 hours?
-The speaker spent the last 24 hours scanning various bug bounty programs using SubFinder to identify subdomains and then scanning them with Nuclei using publicly available templates.
What is SubFinder and how was it used in this context?
-SubFinder is a tool used for finding subdomains of a domain. The speaker used it to identify all the subdomains within the domains they had access to and compiled them into a text file for further scanning with Nuclei.
What is Nuclei and how does it relate to the speaker's scanning process?
-Nuclei is a tool for automated vulnerability scanning using templates. The speaker used Nuclei with publicly available templates to scan the subdomains they found with SubFinder.
Why did the speaker's scanning activity cause issues with AWS?
-The speaker's scanning activity involved sending a large number of requests, which led to AWS sending an abuse case, likely due to the high volume of traffic generated by the scans.
What was the outcome of the speaker's large-scale scanning across bug bounty programs?
-The speaker found that despite scanning a large number of subdomains with Nuclei, there were no vulnerabilities discovered, indicating a saturated market for automated vulnerabilities.
What advice does the speaker give to new bug bounty hunters regarding the use of automated tools like Nuclei?
-The speaker advises new bug bounty hunters not to rely solely on automated tools like Nuclei for making money, as the market for automated vulnerabilities is saturated and not as profitable as one might think.
What was the purpose of the speaker's research and what were the phases involved?
-The speaker's research aimed to understand the effectiveness of automated scanning tools in bug bounty hunting. The phases involved data collection, creating a stable environment for scanning, information gathering, and vulnerability scanning.
What is the significance of the disclaimer header used by the speaker in their requests?
-The disclaimer header was used to signify that the requests were for bug bounty hunting purposes, indicating non-malicious intent and helping to avoid any misunderstandings about the nature of the scans.
What did the speaker find during the phase focused on finding exposed panels and misconfigurations?
-During this phase, the speaker found various exposed panels such as GlobalProtect, Pulse Secure, Django, and WordPress, as well as potential misconfigurations that could turn into leads for further research.
What is the speaker's recommendation for using Nuclei in the context of bug bounty hunting?
-The speaker recommends using Nuclei for generating leads by finding interesting assets and exposed panels, rather than solely relying on it for discovering vulnerabilities.
What was the final takeaway from the speaker's research on automated scanning in bug bounty programs?
-The final takeaway was that while automated scanning can generate leads and identify exposed panels and misconfigurations, it is not as effective for finding vulnerabilities, and the speaker does not recommend it for that purpose.