This wrapper will automate numerous tasks and help you during your reconnaissance process. The script finds common issues and low-hanging fruit, and assists you when approaching a target. meg+ also allows you to scan all your in-scope targets on HackerOne in one go — it simply retrieves them using a GraphQL query.
Watch TomNomNom's talk to learn more about his reconnaissance methodology:
You will need Golang, Python 2 or 3, and PHP 7.0 to use all the features provided by this tool. On top of that, make sure to install meg, waybackurls, Sublist3r, and gio.
```bash
git clone https://github.com/EdOverflow/megplus.git
go get github.com/tomnomnom/meg
go get github.com/tomnomnom/waybackurls
git clone https://github.com/aboul3la/Sublist3r.git
# See https://github.com/aboul3la/Sublist3r#dependencies
```
You can either scan a list of hosts or use your HackerOne `X-Auth-Token` to scan all the bug bounty programs that you participate in. Bear in mind that the token is passed as a command-line argument, so it ends up in your shell history and is visible to other local users in the process list; treat it like a password.
```text
1) Usage - target list of domains: ./megplus.sh <list of domains>
2) Usage - target all HackerOne programs: ./megplus.sh -x <H1 X-Auth-Token>
3) Usage - run sublist3r first: ./megplus.sh -s <single host>

1) Example: ./megplus.sh domains
2) Example: ./megplus.sh -x XXXXXXXXXXXXXXXX
3) Example: ./megplus.sh -s example.com
```
Usage - Docker
If you don't feel like installing all the dependencies mentioned above, you can simply run the `abhartiya/tools_megplus` Docker container, where `test.txt` is a sample file containing the URLs to test against. In your case, this will be the file containing the URLs you want to test:

```bash
docker run -v $(pwd):/megplus abhartiya/tools_megplus test.txt
```

The command will run the `abhartiya/tools_megplus` Docker image as a container and mount `pwd` onto the container as a volume (at `/megplus`), which makes the `test.txt` file available to the container. Once megplus finishes running, the `out` directory will be created in `pwd` with all the results.
meg+ will scan for the following things:
- Subdomains using Sublist3r;
- Configuration files;
- Interesting strings;
- Open redirects;
- CRLF injection;
- CORS misconfigurations;
- Path-based XSS;
- (Sub)domain takeovers.
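To make three of the checks above concrete, here is an added example in Python that is not part of meg+ or meg: a small post-processor that walks meg-style output files and flags CORS misconfigurations, CRLF injection and open redirects. It assumes meg's file layout (first line is the requested URL, request lines prefixed with `> `, response lines with `< `, body after a blank line), a hypothetical probe header name `X-Crlf-Probe` that the scan is presumed to have sent inside the path, and constructed sample responses with placeholder hostnames.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed meg output layout (an assumption, not taken from the page): line 1 is the
# URL, request lines start with "> ", response lines with "< ", body after a blank line.
def parse_meg_file(text):
    """Split one meg output file into URL, request/response headers, status and body."""
    lines = text.splitlines()
    rec = {"url": lines[0].strip(), "request": {}, "response": {}, "status": None, "body": []}
    seen_response = in_body = False
    for line in lines[1:]:
        if in_body:
            rec["body"].append(line)
        elif line.startswith("> ") or line.startswith("< "):
            side = "request" if line[0] == ">" else "response"
            if side == "response":
                seen_response = True
            payload = line[2:]
            if payload.startswith("HTTP/"):            # status line, e.g. "HTTP/1.1 302 Found"
                rec["status"] = int(payload.split()[1])
            elif ":" in payload:
                name, value = payload.split(":", 1)
                if " " not in name.strip():           # skip request lines like "GET /a:b HTTP/1.1"
                    rec[side][name.strip().lower()] = value.strip()
        elif line == "" and seen_response:
            in_body = True
    rec["body"] = "\n".join(rec["body"])
    return rec

def check_cors(rec):
    """Reflected (or null) Origin combined with credentials lets any site read the response."""
    origin = rec["request"].get("origin")
    acao = rec["response"].get("access-control-allow-origin")
    creds = rec["response"].get("access-control-allow-credentials", "").lower() == "true"
    if origin and creds and acao in (origin, "null"):
        return f"CORS: Origin {origin} reflected in ACAO with Allow-Credentials true"
    return None

# Hypothetical probe header, sent URL-encoded in the path as /%0d%0aX-Crlf-Probe:%20injected
CRLF_RE = re.compile(r"\r\n([A-Za-z0-9-]+):[ \t]*([^\r\n]*)")

def check_crlf(rec):
    """The server echoed a header that only existed inside the URL-encoded CRLF probe."""
    m = CRLF_RE.search(unquote(rec["url"]))
    if m and rec["response"].get(m.group(1).lower()) == m.group(2).strip():
        return f"CRLF: injected header {m.group(1)} appears in the response"
    return None

def check_open_redirect(rec):
    """3xx to a foreign host that we supplied ourselves through a query parameter."""
    if rec["status"] is None or not 300 <= rec["status"] < 400:
        return None
    host = urlparse(rec["url"]).hostname
    target = urlparse(rec["response"].get("location", "")).hostname
    supplied = [v for vs in parse_qs(urlparse(rec["url"]).query).values() for v in vs]
    if target and target != host and any(target in v for v in supplied):
        return f"Open redirect: {host} -> {target} taken from the query string"
    return None

CHECKS = (check_cors, check_crlf, check_open_redirect)

def scan(files):
    """files: {path: file contents}; returns [(path, finding)] in path order."""
    findings = []
    for path, text in sorted(files.items()):
        rec = parse_meg_file(text)
        findings.extend((path, f) for f in (check(rec) for check in CHECKS) if f)
    return findings

# Constructed sample files in the assumed meg layout; hostnames are placeholders.
SAMPLES = {
    "out/example.com/1": "\n".join([
        "https://example.com/api/user", "",
        "> GET /api/user HTTP/1.1", "> Host: example.com", "> Origin: https://evil.example", "",
        "< HTTP/1.1 200 OK", "< Access-Control-Allow-Origin: https://evil.example",
        "< Access-Control-Allow-Credentials: true", "", '{"user":"alice"}']),
    "out/example.com/2": "\n".join([
        "https://example.com/%0d%0aX-Crlf-Probe:%20injected", "",
        "> GET /%0d%0aX-Crlf-Probe:%20injected HTTP/1.1", "> Host: example.com", "",
        "< HTTP/1.1 200 OK", "< Content-Type: text/html", "< X-Crlf-Probe: injected", "",
        "<html></html>"]),
    "out/example.com/3": "\n".join([
        "https://example.com/login?next=https://evil.example/", "",
        "> GET /login?next=https://evil.example/ HTTP/1.1", "> Host: example.com", "",
        "< HTTP/1.1 302 Found", "< Location: https://evil.example/", ""]),
    "out/example.com/4": "\n".join([   # benign: same-host redirect, wildcard CORS, no credentials
        "https://example.com/old?next=https://evil.example/", "",
        "> GET /old?next=https://evil.example/ HTTP/1.1", "> Host: example.com",
        "> Origin: https://evil.example", "",
        "< HTTP/1.1 301 Moved Permanently", "< Location: https://example.com/new",
        "< Access-Control-Allow-Origin: *", ""]),
}

if __name__ == "__main__":
    for path, finding in scan(SAMPLES):
        print(f"{path}: {finding}")
```

The fourth sample shows why each check keys on the request as well as the response: a wildcard `Access-Control-Allow-Origin` without credentials and a redirect back to the same host are both normal, so neither is reported. To run this over a real meg run, replace `SAMPLES` with a dict built from the files under `out/`.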