When doing bug bounties you need some URLs or endpoints to focus on. Say you get an opportunity from a bug bounty provider, what's next? Well, first you need some targets. The bug bounty description may give a scope something like *.example.com. It's extremely unlikely that you will find a bug in "www.example.com", so we have to find more interesting targets within that domain. In bug bounty hunting it's necessary to break this down into sub-domains where we can focus our bug hunting. So how do we do that, how do we find some interesting subdomains? Well, today I will cover some bug bounty recon with Axiom. This will give you a list of sub-domains that should give you somewhere to focus.
What is Axiom?
From the github page, “Axiom is a dynamic infrastructure framework to efficiently work with multi-cloud environments, build and deploy repeatable infrastructure focused on offensive and defensive security.”
Simply put, Axiom is a framework that allows you to spin up lots of virtual machines for a short time to run bug bounty recon en masse. There are many advantages to this approach.
- Spread the workload over multiple servers.
- Use many different IP addresses so as not to trigger any rate limiting.
Unfortunately there is a dollar cost to all this, but it's very cheap and I will cover it later.
How does Axiom work?
In just a few short commands, Axiom allows for the distribution of workloads over multiple servers. You create the input list and Axiom does the work: it splits the load for you and returns the output to the local system.
There are many tools for bug bounty recon and, likewise, there are many bad tools for bug bounty hunting. Hackers who do bug bounties for a living have created their own workflows and identified the best tools for the job. The developer of Axiom created a tool to help us with bug bounties. They selected the best tools for reconnaissance and went so far as to make it easy to add more tools (modules) to it. They also made this tool open source and free to everyone who wants to use it or contribute.
All the best opensource bug bounty tools are installed by Axiom by default. For example.
These tools are used by the command called "axiom-scan", where each tool is referenced as a module. For example, if you wanted to scan a list of domains for sub-domains with the tool "subfinder", you would reference the "subfinder" module. Some examples are coming soon, I promise. Axiom also makes it very easy to add your own tools as modules.
Getting Started with Axiom
Before we can start anything, Axiom needs to be installed. There are various ways to do this (git clone, Docker, direct install) and you can find them documented on the Axiom GitHub wiki page.
The first thing you need is access to a cloud provider that is compatible with Axiom. For now I recommend Digital Ocean, as the Droplet pricing works really well to keep the costs down. You can create an account with Digital Ocean using the below link with $100 credit for 60 days, which gives you loads of room for learning and testing Axiom.
After you have created an account with Digital Ocean you can run the installer as outlined in the installation guide on GitHub. The installer runs a configuration script which asks for your DigitalOcean API token and a few other questions.
You can create an application API token in DigitalOcean by going to the following link after creating your DigitalOcean account.
Answering the default to the questions is good enough for most of them. One thing to be aware of is that once the questions are answered the installer will connect to DigitalOcean and create a virtual machine (a Droplet in Digital Ocean terms). It will install and configure this image with all the tools required, then shut it down and create a snapshot. The original Droplet will be deleted. This new snapshot will be used as a template to spin up all the systems required when running Axiom scans.
A Droplet in Digital Ocean has a cost, and for this setup we will only use the second smallest and cheapest, which comes with 1GB of RAM and 1 vCPU. This costs about $0.01 per hour or $6 per month.
The image that is created as part of the installation is approx 12GB in size, and Digital Ocean has a charge for keeping custom snapshots in storage. At the time of writing it's $0.06 per GB per month, so for a 12GB snapshot it's around $0.80 per month.
Creating a fleet with Axiom
Once you have your $100 credit let's create some hosts. By default Digital Ocean only lets new users spin up 10 machines at a time, so let's keep below that. If you want more than 10 you have to contact Digital Ocean.
In Axiom, groups of servers are called fleets and the command to create them is called "axiom-fleet":
axiom-fleet worker -i 4
This creates a fleet of 4 Droplets with the prefix "worker". This whole process of creating 4 worker nodes can take about 5 minutes to spin them all up.
Now that we have a fleet we can do some work.
Find Subdomains for Bug Bounty Recon
So I am going to pick one of the bug bounties publicly available out there. For this example I will pick the one from "ford.com". If you sign up with hackerone.com, you can add this to your bug bounty programs. Be sure you have signed up and understand the RoE (rules of engagement) before doing anything. So let's create a text file called "domains.txt" and inside it add the below domains, which are part of Ford's empire that's open for bug bounties. Then we can do some passive bug bounty recon with Axiom.
ford.com
lincoln.com
quicklane.com
motorcraft.com
omnicraftautoparts.com
We can use the fantastic subfinder tool from Project Discovery for this. Subfinder is a passive tool for finding subdomains and will not hit the target with traffic.
The command looks like:
axiom-scan domains.txt -m subfinder -o subfr.txt
This results in nearly 5000 subdomains.
Most of these won't be real HTTP sites and we need to find out which ones are. Luckily Axiom has a module for that too.
Verify HTTP Servers
Another tool provided by Project Discovery, httpx, can quickly find real HTTP servers in all that mess:
axiom-scan ./subfr.txt -m httpx -o http.txt
This command will take about 2 minutes to run. Using a fleet of just 4 servers can scan nearly 5000 URLs in less than 2 minutes. Let's take a look at the results.
So httpx found 577 valid URLs in nearly 5000 subdomains. Now that's a great starting point for bug bounties.
But maybe we can automate a bit more. Looking at 577 URLs manually would be a painful chore.
Grabbing Screenshots of the Web Pages
webscreenshot is another module that is built into Axiom's default set of tools. It grabs an image of each web page so you can take a quick look and see if it's something you would like to explore in more depth:
axiom-scan ./http.txt -m webscreenshot ./screenshots
This command takes all the URLs in the http.txt file, splits them up, sends a part to each of our fleet members and grabs a screenshot of each web page. It then dumps all the pictures into the output folder ./screenshots/.
After a few minutes you will have a folder full of screenshots.
So we managed to get nearly 500 screenshots of web pages. You can use whatever image browser you like to take a quick glance at these to determine if they are of value. Much faster than browsing each one by one.
Delete your Droplets
It's important at this stage to delete your Droplets. You can do so by running the below command, assuming you called your hosts "worker":
axiom-rm "worker*" -f
Not only will you keep the costs down, but you will reduce the energy used by the datacenter they are housed in. Every little helps.
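As an added example (this is not code from the original post or from the Axiom project), here is a small POSIX sh wrapper that ties the steps above together: it writes the domains.txt from this post, keeps only the subfinder results that actually fall under one of the in-scope root domains (so a look-alike host such as "ford.com.example.net", a constructed example, never reaches httpx), runs the subfinder, httpx and webscreenshot modules, and sets a trap so the fleet is deleted with axiom-rm even when a step fails part way through. It assumes axiom-fleet, axiom-scan and axiom-rm are installed and configured as described above; the file names and the FLEET and FLEET_SIZE variables are hypothetical choices of mine.

```shell
#!/bin/sh
# Added example, not part of the original post or of Axiom itself.
# Assumes axiom-fleet / axiom-scan / axiom-rm are on PATH and configured.
# The scope roots are the five domains from the post's domains.txt.

SCOPE_ROOTS="ford.com lincoln.com quicklane.com motorcraft.com omnicraftautoparts.com"

# in_scope HOST ROOT... : succeed if HOST equals a root or is a subdomain of it.
# Matching on the label boundary rejects look-alikes such as notford.com
# and ford.com.example.net, which a plain substring match would accept.
in_scope() {
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  shift
  for root in "$@"; do
    case "$host" in
      "$root"|*."$root") return 0 ;;
    esac
  done
  return 1
}

# filter_scope : read hostnames on stdin, print only in-scope ones, deduplicated.
filter_scope() {
  while IFS= read -r line; do
    # subfinder prints bare hostnames; strip a scheme or path if one sneaks in
    h=${line#*://}
    h=${h%%/*}
    [ -n "$h" ] || continue
    if in_scope "$h" $SCOPE_ROOTS; then
      printf '%s\n' "$h"
    fi
  done | sort -u
}

# run_recon : the full chain from the post, with guaranteed fleet teardown.
run_recon() {
  fleet=${FLEET:-worker}            # hypothetical variable, defaults to the post's name
  # Whatever happens from here on, delete the droplets on exit (cost and hygiene).
  trap 'axiom-rm "${fleet}*" -f' EXIT INT TERM
  printf '%s\n' $SCOPE_ROOTS > domains.txt
  axiom-fleet "$fleet" -i "${FLEET_SIZE:-4}"
  axiom-scan domains.txt -m subfinder -o subfr_raw.txt
  filter_scope < subfr_raw.txt > subfr.txt
  echo "subfinder: $(wc -l < subfr_raw.txt) found, $(wc -l < subfr.txt) in scope"
  axiom-scan ./subfr.txt -m httpx -o http.txt
  axiom-scan ./http.txt -m webscreenshot ./screenshots
}

# Only run the chain when invoked as:  sh recon.sh run
if [ "${1:-}" = "run" ]; then
  run_recon
fi
```

Save it as recon.sh and run `sh recon.sh run`; sourcing the file without the run argument only defines the functions, which is handy for filtering an existing subfinder output with `filter_scope < subfr.txt`. The trap is the part worth copying even if you keep typing the axiom commands by hand: a failed httpx run should not leave four Droplets billing for the night.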
Most of the steps described on this page are passive recon using Axiom and cause very little load on the bug bounty targets. It's very important to note this, as we do not want to cause any problems for the service we are testing.
So what can you do next?
- You could automate the entire workflow and trigger an alarm if something new pops up. New pages mean new bugs.
- You could use a tool such as nuclei to dig deeper into the pages to identify more bugs.
- When using subfinder, if you add the API tokens for various online services such as Shodan, BinaryEdge, github.com, etc., it dramatically increases your list of subdomains. Check out the documentation for subfinder.
- Most importantly: use that big brain of yours to figure out a workflow that will get you some bug bounties.
Big Thanks and Support Open Source
I want to take a minute to thank all the people involved in open source. They do such a fantastic job and spend so much of their time creating such cool projects. Please support open source when you can.
I hope you found this blog post on Bug Bounty Recon with Axiom interesting. Any feedback or comments, you can reach me on Twitter.