Automated reconnaissance wrapper — TomNomNom's meg on steroids.
Built by TomNomNom and EdOverflow.
This wrapper will automate numerous tasks and help you during your reconnaissance process. The script finds common issues, low hanging fruit, and assists you when approaching a target. meg+ also allows you to scan all your in-scope targets on HackerOne in one go — it simply retrieves them using a GraphQL query.
Watch TomNomNom's talk to learn more about his reconnaissance methodology:
You will need Golang and PHP to use all the features provided by this tool. On top of that, make sure to install meg, waybackurls, Sublist3r, and gio.
git clone https://github.com/EdOverflow/megplus.git
cd megplus
go get github.com/tomnomnom/meg
go get github.com/tomnomnom/waybackurls
git clone https://github.com/aboul3la/Sublist3r.git
# See https://github.com/aboul3la/Sublist3r#dependencies
You can either scan a list of hosts or use your HackerOne X-Auth-Token token to scan all the bug bounty programs that you participate in.
$ ./megplus.sh
1) Usage - target list of domains: ./megplus.sh <list of domains>
2) Usage - target all HackerOne programs: ./megplus.sh -x <H1 X-Auth-Token>
3) Usage - run sublist3r first: ./megplus.sh -s <single host>
1) Example: ./megplus.sh domains
2) Example: ./megplus.sh -x XXXXXXXXXXXXXXXX
3) Example: ./megplus.sh -s example.com
meg+ will scan for the following things:
- Sudomains using Sublist3r;
- Configuration files;
- Interesting strings;
- Open redirects;
- CRLF injection;
- CORS misconfigurations;
- Path-based XSS;
- (Sub)domain takeovers.
I welcome contributions from the public.
The issue tracker is the preferred channel for bug reports and features requests.
The bug tracker utilizes several labels to help organize and identify issues.
Use the GitHub issue search — check if the issue has already been reported.