Shriyans Sudhi

[Moltbook](http://moltbook.com) is a social media platform for [OpenClaw](https://openclaw.ai) bots, which are fully-autonomous AI agents. This opens doors for various attacks, most of which could be achieved through prompt injection attacks. In the presentation I gave at RITSEC, I tried to demonstrate the exploit chain for Prompt Injection to [Remote Code Execution](https://owasp.org/www-community/attacks/Code_Injection) through Moltbook.

<YouTubeEmbed url="https://youtu.be/3tXPbAVA_Fg?si=eALoGeukHLHIQBRg" title="Moltbook Research Presentation" />

This presentation was recorded at [ESL Global Cybersecurity Institute](https://www.rit.edu/cybersecurity/) at [Rochester Institute of Technology](https://www.rit.edu/) during [RITSEC](https://ritsec.com/)'s general meeting session.

Upon completion of this research, I plan to work with Moltbook's developers to improve the security of the platform.


Upon conducting a research, I found that it is possible to achieve Arbitrary Remote Code Execution on openclaw bots on Moltbook through indirect prompt injection attacks. This research was demonstrated in a presentation at RITSEC.

Asking AI agents to do (not so) malicious stuff - Presentation

I've been working on a tool called JS Recon, which is a tool built to extract and analyze JavaScript from a website. After 2 months of development, I gave my first presentation at [RITSEC](https://ritsec.club/), which is the cybersecurity club at [Rochester Institute of Technology](https://rit.edu/).

This is more of a demo of the tool, and just slides about the tool.

While the tool has improved a lot since then, the fundamentals of the tool discussed in the presentation are still valid.

<YouTubeEmbed url="https://youtu.be/jQGeq4TNWDM" title="JS Recon Presentation" />


JS Recon Presentation

Hi there,

I hope you are well. In this article, I will describe how you can plot all the WiFi networks in your area on map. This article will contain the following:-

- Backstory

- Hardware requirements

- Installing the app on your mobile phone

- The code

You can read about what wardriving is on [Wikipedia](http://bit.ly/3GXwJAt)

So, let’s get started

## Backstory

I was very fascinated when I heard about hacking WiFi, in fact, I started hacking to get free WiFi 😅, but then after I jumped into it, I started web hacking. So, keeping my wish for WiFi hacking, I somehow wrote a script for NodeMCU (it is a micro-controller with an onboard WiFi chip, which costs about ₹400 — approx $5. Read on Wikipedia here). It just collected the names of WiFi and not the GPS data. You can access the script I used for this at my GitHub page at [https://github.com/shriyanss/NodeMCU_WiFi_Logger](http://bit.ly/3wny6DO)

![](/images/blog/gh_repo_wardrive.webp)

Getting on the main point, in this attempt, I collected WiFi information which contains the following things:-

- SSID

- ESSID

- Channel

- Quality

- Signal level

- Encryption info

It also contains a timestamp, but it is not a part of WiFi.

The same thing can also be done with the help of just a mobile phone, but in this case, I wanted raw data, that is according to me, so I continued with this method

## Hardware required

I used the following things for this wardrive:-

- A Raspberry Pi to collect WiFi information

- A mobile phone to collect GPS data

- A power bank for power supply

Installing application on your mobile phone

For tracking GPS, we also need an app installed on our phone, which will output the results to a file.

In my case, I am using an app named *GPS Logger*. This is a quite simple app and is according to our needs. You can download the app from Google Play [here](https://bit.ly/3WwIy6C)

If you are an iOS user, you can use an equivalent app for this task.

After you are done installing, just follow the steps below:-

- Open the app

- Go to the settings of the app (from three dots on the top right corner)

- Switch on the following: \*Keep screen on \*in interface, *Export Tracks in TXT*and \*Export Tracks in GPX \*in the exportation menu.

- Also, make sure that you export the timestamp in the same timezone, else you may use GMT

- Set *GPS Update interval* in tracking to *1 second*

<iframe title="Configuring GPS logger for wardrive" width="960" height="540" src="https://www.youtube.com/embed/00bpU2jNhXo?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen=""></iframe>

## The algorithm

Before diving into the code, let’s discuss the algorithm of the software.

### Mobile Phone

Our mobile phones have an inbuilt GPS sensor. To get the data from that GPS sensor, we are using an app from the Google Play store/App Store. The data we will export will be in CSV format, which means it is easy to read and process

### Raspberry Pi

This will run the script, which will contain the WiFi information described above, as well as a timestamp

### Synchronizing the data

In the output from both devices, we have the timestamp as common. So, we can use timestamps to get the GPS coordinated at a particular time.

## The Code — #1

First, let’s go wardriving and collect some data. The first script we will need is to collect WiFi networks in CSV format. Also we need the timestamp as described above. So, the code is:-

> Check out the script at https://gist.github.com/shriyanss/914cbcd27428c668be03406b38c76de0

Make it executable using `chmod +x scan.sh`. Now, we need another script that will keep running it. For this I can a simple python script:-

```
from os import system
while True:
    system("./scan.sh")
```

So the command we need to run is: `sudo python3 main.py > wifi.csv`

This will pipe the output, i.e. CSV to a file called `wifi.csv` .

No, the only task is to go out, and collect data. Just switch on the GPS Logger app and an SSH app and keep in the split screen view.

## Points to remember

- Switch on the *GPS Logger* app first, and then SSH scanning so that we won’t get an entry for which we don’t have GPS coordinates. The same goes for switching off.

- Keep the speed slow (\~20 km/hr) when there is more possibility of getting WiFi, or you may do it according to the length of the wardrive route

- Try to stay near buildings, e.g. on the left/right side of the road where there are buildings.

- Prefer a bicycle/motorbike with a backpack to keep accessories.

## Getting GPS data from the phone

To export data from the app, just go to \*GPS Logger app -> Tracklist -> Click on the route (e.g. the on top *😅*) -> Click on the ‘up arrow’ \*and the file will be exported to the specified location

Now, copy the `.txt`, `.gpx` file to your computer, and edit the file extension for `.txt` file to `.csv`

## Plot the route on the map

Now, you can use any map to view your route. But in my case, I used [_Google My Maps_](http://bit.ly/3XHF5n4). Just click on *“CREATE A NEW MAP”*, and you will see a screen like this:-

![](/images/blog/wardrive_maps.webp)

Just click on *“Import”* under *“Untitled layer”*, and upload the `.gpx` file you got from the GPS logger app. It will plot the route on the map.

## The Code — #2

Now, we need a code to plot all WiFi APs on the map. For this, you can use the following script:-

> Check out the script at https://gist.github.com/shriyanss/1c0007c1822bec471e1d1c5c771f9bc9

Before you run the script, make sure to use the right files on lines 4 and 5.

Now, just run the script, and it will give the `kml` file to be plotted on Google My Maps

**IMPORTANT: Don’t forget edit the file names in line 4 and 5, otherwise the script will end up with an error**

Just run the following command to write data to a file:

```
python3 data_sorter.py > wifi-ap.kml
```

Now, go to Google my maps, click on *“New Layer”*, and it will plot all WiFi AP on the map

**_Please note that it is being sorted on the basis of AP name. To sort on the basis of SSID, please refer lines 143 to 146_**

![](/images/blog/wardrive_map_plotted.webp)

In the above image, you can see all WiFi APs plotted on the map. Please note that I’ve changed the view to \*“Dark landmass” \*through the base map and redacted all WiFi AP names for privacy.

## Final notes

This is a demonstration of how one can do wardrive with given equipment. In the next article, we will discuss how we can \*\*crack these WiFi networks, without the help of a WiFi adapter that supports monitor mode. \*\*Also, there are more chances of errors if the device is not configured properly. Feel free to drop your query in the responses.

I hope that you liked this article 😄. Feel free to follow me for more. Also, **if you want the next part, feel free to subscribe to my mailings list**.


I did wardrive, without a proper wardrive gear, but with a raspberry pi, and my centuries old mobile phone.

Wardrive without a GPS module and WiFi adapter that supports monitor mode, but a Raspberry Pi

A while back, I had to attend a family function, for which I had to travel \~1000 KM (\~620 mi). I came up with the plan of doing a drive along the way.

If you don't know, I particularly like wardrive. There's no reason for it. I just like it. Previously, I've managed to build a technique of incorporating a Raspberry Pi and a Phone for Wardrive. I agree that apps like [Wigle](https://wigle.net) allow users to drive just with their phones, but having control over the code gives you flexibility in what you want to do with data.

## Backstory

I had to attend a family function that was to be held in the national capital of India, [New Delhi](https://en.wikipedia.org/wiki/New_Delhi), and I live in the state of [Muzaffarpur, Bihar (India)](https://en.wikipedia.org/wiki/Muzaffarpur). It was planned that I would go from Muzaffarpur to Patna by car and then from there to New Delhi by train (yeah, we have trains here more than flights). The overall route was expected to be \~1000 KM (perhaps more; \~620+ mi).

The idea of doing wardrive appeared in my mind randomly a few days before travel. Previously, I had written a blog on doing a wardrive with a Raspberry Pi and a mobile phone, so I was sure that I would be doing that again. But this time, I wanted to do something different.

The idea was to incorporate NodeMCUs (ESP8266) as WiFi login workers. Basically, it meant that these NodeMCUs would try to log into WiFi networks with common a password, i.e. 12345678. (the handshake capture attack could also be done, but it would require me to stop and let the handshake be captured). I had read about some similar stuff in the past, so I wanted to recreate it. Perhaps this is the article I read: [Cracking WiFi at Scale with One Simple Trick](https://www.cyberark.com/resources/threat-research-blog/cracking-wifi-at-scale-with-one-simple-trick)

This meant that I had to get several NodeMCUs. At that time, I had two. So, I ordered one more from Amazon.

Now, came the task to design an algorithm for this.

## The new algorithm

Since I already had the software to map all WiFi APs to the map, I needed the software that would attempt to log into those networks. I decided not to use the Raspberry Pi to attempt to log into those networks because I also wanted to monitor the status of what was going on. Using RPi as a login worker would mean that I could lose wireless access to RPi if it always kept switching between WiFi networks (I could connect to it through ethernet, but I wouldn't have that during travel).

Now, it was time to find a way to integrate the RPi and NodeMCUs. Here also, I had two options

- With NodeMCU, try to log in to a network and get the status (true or false if the password was successful). If true, **connect to the Raspberry Pi's WiFi network** and then **send the status through HTTP/Plain TCP/some other protocol**

- With NodeMCU, try to log in to a network and get the status (true or false if the password was successful). If true, transmit the data over a serial connection (i.e., through a wire)

Out of the two, the second one seems more logical as I could save a few seconds on the transmission of data, which is crucial when in a fast-moving vehicle.

I also added a function to blink the onboard LED of NodeMCU whenever it tried to log into a network. This allowed me to know that it's working without SSHing into the RPi.

In total, I had 2 NodeMCUs then. When I did some simple calculations, I found that this was very slow. So, I ordered another NodeMCU. Though the calculations suggested these weren't enough, I still decided to go for it. I also wrote a [LinkedIn post](https://www.linkedin.com/posts/activity-7205920862879830016-S-Jt?utm_source=share&utm_medium=member_desktop) for it.

![](/images/blog/wardrive_linkedin_post.png)

## The Failed Attempt

Now, it was time to go for the trip. I did some basic testing from inside my home to check if it cracked the networks or not, and it worked fine. I packed everything in my bag and went on wardrive.

Over 100 KM passed, and everything seemed fine. When I SSHed into the RPi to see what data had been logged, I found that it did log WiFi networks, but there was no run log for the login worker. This was the major failure in my wardrive. The major change in this attempt was this component, and it failed.

I wasn't able to do a proper investigation as I had to reset the RPi for some other project, but the issue I assume is that the NodeMCUs went out of range of the network in a fast-moving vehicle, and it didn't get enough time to capture the response.

## Plotting the available data

Though the login worker component failed, I did have the GPS and WiFi data available. So, I followed the steps that were mentioned in one of my [previous articles](https://ss0x00.com/blog/wardrive-without-gps-module-but-rpi/).

I failed another issue in this dataset. When I ran the code to merge the GPS and WiFi data, I found that I didn't have GPS coordinates for a few WiFi networks. The reason for this is that I didn't start the GPS tracker when I started the wardrive code. Unfortunately, I had to remove them completely from the final dataset. After fixing this issue, the KML file was finally generated.

When I generated the KML file to upload to Google My Maps, it showed me that the file was either too large or incorrectly formatted. I tried to fix the 'file too large error'. To do so, I used the split command to split the main file into several chunks

```
split -b 700k wifi-ap.kml chunk_
```

After running this command, I manually adjusted the XML format by including the header and footer and adjusting the block for each network. I got the same error again, so I repeated the process again to make it even smaller.

After it didn't work, I decided to check out the XML format. I ran the following command to check the formatting of XML

```
xmllint --recover wifi-ap.kml -o fixed_wifi-ap.kml
```

This time, I got a few errors in the file. I found that the ampersand (`&`) caused issues. So, I replaced it with (`&`) to make sure that it is parsed correctly.

I uploaded the file to Google My Maps, and I successfully completed my longest wardrive.

![](/images/blog/250_km_wardrive_results.png)

I hope that you would've enjoyed reading about this experience. You can now read about how to build this setup on this article 👇


I travelled for more than 1000 KMs and started my wardrive gear on 1/4th of it, leading to a wardrive of 250 KM

Wardrive of 250 KM with Raspberry Pi and a Phone

This post was published on SecureMyOrg’s website. Please check it out [here](https://securemyorg.com/the-security-puzzle-of-graphql-1/)


GraphQL is getting widely adopted for APIs, but with features, it also brings home vulnerabilities.

The Security Puzzle of GraphQL – 1

Hi there 👋,
I hope you are doing well. On May 17th, 2024, I signed my first internship even before I graduated my high school. This was a way too thrilling experience for me.

So first of all, I’ll share the general story (non-technical) part of this, and then, I’ll move to technical things, like what I knew, my experience, and the kind of résumé thing I sent (it wasn’t a PDF file, but all things written in email)

## Thought of internship

I was doing bug bounties for a while, and I wanted to learn more skills, so what could’ve been better than taking an internship? So here started the journey of finding an internship, but before the rocket was even built, I had some doubts about myself.

The biggest question I had, was “Will someone give an internship to a high school guy?”. I saw a video of Ishan Sharma, in which he said: “They rejected me because of my childish voice”. (over telephonic call; for hiring him for marketing,,, as I remember). Yes, it was his first rejection, but fortunately (or maybe unfortunately) not for me. Even though he was rejected at that time, now (at the time of writing this blog), he has 1.3 Million+ subscribers on YouTube, and he also started a marketing company.

This thought was also fueled by another person, [Ankur Warikoo](https://www.youtube.com/@warikoo). I read his first book [_Do Epic Shit_](https://amzn.in/d/5zNtzbM) and in that, a quote was written: “If you never ask, the answer is always *No!*“. Another topic was there in that book, and it was related to cold emailing. It described the power of cold-emailing, and also from YouTube videos of other people as well, I learned that people landed at jobs with the help of this.

So, it was time to write the email

## Sending out emails

The first thing was, to whom will I reach out for an internship? A thought randomly came to my mind, that I had seen an internship opportunity a few months before, though, at that time, I had my exams, so I didn’t apply for it.

It was the time for writing an email, but what will I mention in it? The first thing that came to my mind was the bug bounty experience. This was the only real-life experience I had and for very obvious reasons. Apart from this, I have done some projects on my GitHub, so that’s a great idea to highlight in my email.

So, I quickly drafted an email, mentioning all my previous work in bug bounty, building hacking tools, blogs, etc. Now, it’s time to create a title. From all the videos and other resources I had consumed related to cold emails, I noticed that they all said that the email must have a catchy title. It was important to note that I wrote most of the things in points, and not in long paragraphs (just like this blog) because people generally don’t want to read a long boring, and too formal paragraph from a heap of emails. I made sure that it was easy for me to know maybe \~50% about me within the first few moments of opening the email. To make the person open the email, I needed a good email subject line. So, I started thinking about it, and instantly, got a title: “Can a high school guy get an internship” (maybe I am quick at thinking such things). Now my email draft was looking kinda good.

Also, to maintain professionalism, I decided not to shoot it with my email with the “@gmail.com” domain, but instead shoot it with my work email “<shriyanss@ss0x00.com>” (yes, you can contact me here) and also to look kinda *‘cool’*.

But I didn’t just shoot the email immediately, instead, scheduled it for Monday morning (I drafted the email on the weekend). The reason for this is very straightforward: most people don’t like to open their work email on weekends (maybe a bug bounty hunter dropped a critical 🤪), and they also to make sure, that when they open their email on Monday, my email will appear fairly on the top of their inbox (as most of the email providers show latest emails first).

I combined all these tricks with perfect timing, my email was sent out to the founder

Also, if you are thinking why I didn’t message him regarding this on LinkedIn or X, the reason is that, on those platforms, it is very easy for a message to get lost in messages from other people. Also, there’s nothing to distinguish (other than the user who sent the email) like the subject in the email. If I sent a message on that platform, he would see “Hi there, I hope you are doing well. I am ….” and it’s not at all interesting.


I got my first cybersecurity internship at a high-school, without a degree. Here is how!

How did I land my first cybersecurity internship while being a high-school student?

Hi there!

I hope you are doing well

Recently, I created a new GitHub repository, for the subdomain wordlist. The repo can be found at <https://github.com/shriyanss/subdomains_wordlist>

This repository contains multiple wordlists, but they are generated from the same dataset. So first of all, I’ll tell you how this dataset is obtained

## How the dataset is obtained?

The tool first of all gets the subdomains for different domains. The list of domains is obtained from [@arkadiyt/bounty-targets-data/data/domains.txt](https://github.com/arkadiyt/bounty-targets-data/blob/main/data/domains.txt) (thanks to [@arkadiyt](https://github.com/arkadiyt) for this repo 😉 )

Since this is too raw to undergo further process, I first of all, get all the domains with the help of a custom Python script that extracts domains from it. By me telling this is raw, I mean that there are programs that add app.target.com to the scope. So from that, I am not interested in `app` or the something else, but I am interested in the domain.

Once I’ve got the domains, the next step is subdomain enumeration. A bash script does this thing. But before I passed everything to it, I made another Python script, that divides X the number of domains into a file, for which it has to do subdomain enumeration. This is because I don’t want my machine to just blast up doing subdomain enumeration for the whole week, which might saturate the system for other processes. The script I am talking about simply reads a file called last.txt, and gives the next X number of domains from the domains file. Also, if it reaches the end of the file, it starts from the top to complete that `X` \*\*criteria\*\*.

At this point, our dataset to be processed is ready.

> At the time of writing this blog, I had nearly 1 million subdomains. This count can easily increase later

## Generating wordlist

Once it has got the subdomain list, it simply runs my tools [`subgen`](https://github.com/shriyanss/subdomain_wordlist_gen), and hence, a raw [`wordlist.txt`](https://github.com/shriyanss/subdomains_wordlist/blob/main/wordlist.txt) is complete. But the thing is that it’s not a wordlist. It’s just a raw dump of subdomains from different companies.

The next that is to be done is to remove some prominent noise from the wordlist. Currently, I manually scroll through the list and identify any pattern of noise. For example, the subdomains containing just numbers  – are less useful and are also prominent in the wordlist. So I simply remove them. There are more similar noise patterns that are removed from the wordlist and then piped into [`no_number.txt`](https://github.com/shriyanss/subdomains_wordlist/blob/main/no_number.txt), [`no_uuid.txt`](https://github.com/shriyanss/subdomains_wordlist/blob/main/no_uuid.txt) and others.

The file [`filtered_subdomain_wordlist.txt`](https://github.com/shriyanss/subdomains_wordlist/blob/main/filtered_subdomain_wordlist.txt) is a combination of the above two (no UUID and numbers) file and multiple other patterns I’ve identified.

The next comes [`frequent.txt`](https://github.com/shriyanss/subdomains_wordlist/blob/main/frequent.txt). First of all, the generation of this file takes the longest. What it does is it iterates through the [`filtered_subdomain_wordlist.txt`](https://github.com/shriyanss/subdomains_wordlist/blob/main/filtered_subdomain_wordlist.txt), and then checks the occurrence of the current line. It first goes to the first line, and it contains www (suppose), next it iterates through the whole file and gets a count of it. I know this process is less efficient, but it can be improved later on when it gets really slow. The number of times is currently set to 5. Meaning, that if any subdomain has a frequency of 5 in the `subdomains.txt`, then it will be included in the frequent wordlist. I might change this later, on the basis of the noise I get, or maybe seperate them into different files.

I hope this was informative. See you next time 🙂

Also, feel free to star the wordlist repo. Link: <https://github.com/shriyanss/subdomains_wordlist>

> Pull requests related to grammar or missing content or anything is always welcome (but not spam) 🙂
>
> _Update README.md_


Wordlists are the thing you require for subdomain bruteforcing. In this article, I discussed how I generated one

Subdomains Wordlist. How it is made?

Hi there,

In this article, I will discuss how my automation machine found a bug in one of the HackerOne programs. Since the program is public and the report is also disclosed, I will here are basic info:-

```
Program name: 8x8 (and yes, they have VDP + BBP as well)
Scope: *.8x8.com
```

## Backstory

If you don’t know, I am a high school student (when the bug was found + at the time of writing this article), so it becomes difficult to manage hacking and my school. So the only option I had was to set up an automation machine that would do some basic things. So the basic concept was to gather subdomains as much as possible and run nuclei on them. This was done on a regular basis, on a Raspberry Pi.

The simple algorithm is to collect as many subdomains/hosts as possible, and then run nuclei on them.

Note that since this is an automation, I don’t have to wait for it to finish so it can take as much time as it will. This means you can run subdomain enumeration, generate a permutations list, and then brute-force them. A port scan is also a thing.

I’ve built it in whatever time I got, and now it has more than 5000 URLs to scan and more are being added daily with the help of subdomain enumeration.

Also, all these are interdependent, which means the output of one can be the input of the other.

## The Bug

One day, when I saw the updates of the bot in the morning, I noticed that my bot had detected a directory listing bug from the custom nuclei template I made. The template was very simple, it will simply detect “Index of /” in the response. Also, it had multiple URL paths, which I gathered by manually visiting disclosed reports, write-ups, etc.

If you want to read the disclosed report, you can read it at <https://hackerone.com/reports/1825472>

I simply verified it, all with the help of my smartphone, and even reported it with the help of a mobile.

After a few days, the bug was simply resolved and disclosed 🙂

## Some takeaways

- Getting bugs from default templates is also possible if there’s a good list of URLs (though mine is a custom template, but I guess many people must be using the same)

- Enumerating tools daily on a large scale helps.

- Time matters. The longer you’ll run the automation, the higher the chances of getting a bug.

But still after all, remaining dependent is not good. I saw one of the videos of Nahamsec (I quit recon), and got a few bugs.

Though automation can make lengthy tasks easier, it can’t 100% replace manual testing

I hope that you found this one informative. See you next time 😉


In this blog, I discussed how I found a bug in HackerOne target through automated monitoring

Automated Monitoring + Time = Bug, the bug on HackerOne Target (8×8)

Hi there,

This is gonna be one of my favorite articles I’ve ever written. Automation, that’s a pretty familiar word. Maybe you’ve heard people saying that they got some bounties by just using some simple automation. So in this article, I will be discussing bug bounty automation.

Requirements

1.  A VPS server or a Raspberry Pi (I use Raspberry Pi as one can also use it for other purposes)

2.  Knowledge of some programming language (of course, python preferred)

3.  LINUX as its powerful

4.  And *CRON* (crontab), the backbone

So starting with the backbone, the CRON. So if you don’t know about crontab, here’s a brief description:-

Cron is a command line utility, which schedules the tasks and runs them automatically as specified.

The way you can access it on your Linux machine is by using sudo crontab -e. If you’re running it for the first time, it will ask you for the text editor of your choice. You could use anyone according to your needs.

![](/images/blog/crontab-monitoring-bb-targets.webp)

So I’ve selected nano and if you see my scheduled jobs, you will find multiple things (I know you might be wondering about *CRYPTO MINING*, but that’s not the part of this article but still I will talk about this at the end.

So you can see that I’ve deployed many scripts from the ‘bots’ folder in the user directory. You could specify multiple commands to be run at a particular time. So let’s start with the syntax of CRON

## Crontab

So, if you open crontab for the first time, you’ll find the basic syntax, PLEASE, DON’T REMOVE THE PART DISCUSSING THE SYNTAX, IT WILL HELP YOU IN THE FUTURE, and I’ve dropped it below for your reference

```
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
```

So the basic syntax is

```
m h dom mon dow command
```

Where ‘m’ is minute

‘h’ is the hour

‘dom’ is the day of the week

‘mon’ is month and

‘dow’ is a day of the week

So now let’s do some practicals:-

> Run nuclei scan in /home/user/nuclei-scans/directory for target <https://www.example.com> with ‘-as’ (automatic scan flag) and output the results to ‘nuclei-scan.txt’ everyday at 12:00 AM

So, let’s do it step by step. First of all, you have to go to the directory specified, so the command would be cd /home/user/nuclei-scans/ . So now, once we’ve switched to the directory, we need to build the command for nuclei. Assuming that the nuclei binary is set to path (or in /usr/bin directory), the command will be nuclei -t <https://www.example.com> -as -o nuclei-scan.txt. Now once we’ve built two commands, let’s combine them, so the final command will be:-

cd /home/user/nuclei-scans/ && nuclei -t <https://www.example.com> -as -o nuclei-scan.txt
So now, once we’ve build the command, let’s add it to crontab.

So the first thing in crontab syntax is minute. So the minute here is ‘00′ (12:00 AM) the next thing is the hour, so since here it is 12:00 AM, we will convert it to 24-hour format, so it will become ‘00’. The next thing is dom, mon, and dow, so since we are running it everyday, it will be ‘\*’ (asterisk, for wildcard). So finally, the line we would add to crontab would be:-

00 00 \* \* \* cd /home/user/nuclei-scans/ && nuclei -t <https://www.example.com> -as -o nuclei-scan.txt
Adding this line to crontab would run nuclei scan automatically at 12 AM every day

## Channel to send messages to

For this, simply head over to Slack (sending message to email is easier but not that suitable for this task, as you could end up messing up your inbox), and create a workspace and channels for different tasks. You could use the guide here for setting up an app and how to use it to send messages to Slack channels.

## The python/bash script

So, you could use any script of your choice, but I use Python for this because it is powerful and easy (bash is also easy, but I feel more comfortable while scripting in Python, so we’ll talk about Python).

So assuming that you’ve a bit of experience in Python programming and you’ve created a Slack webhook

You could use the following code for sending messages to Slack (sorry for using this poor method 😅)

```
import os
slack_webhook = "<slack_webhook_URL>"
def sendMsg(msg):
    if slack_send_msg == True:
        os.system("curl -X POST -H 'Content-type: application/json' --data '{\"text\":\"" + msg + "\"}' " + slack_webhook)
    else:
        print(msg)
```

So, I’ve deployed three bots, The first is to look for new subdomains, next to check subdomain takeover, and one to run nuclei.

So since I am on a metered connection, I scan only a few targets (5–7 domains)

You can see the algorithm in the file below:-

![](/images/blog/algorithm-monitoring-bb-targets.webp)

What if I don’t want to buy/rent a raspberry-pi/VPS server?

You could do the same with your laptop/PC. Just at the place of time, you could use @reboot , so it would run the scan every time your machine is rebooted/started. The example command below will run nuclei every time the laptop is rebooted:-

@reboot cd /home/user/nuclei-scans/ && nuclei -t https\://www\.example.com -as -o nuclei-scan.txt

And the crypto mining (not related to this topic but for fun)

Since the task won’t be running all the time, we should utilize it for something. So, I do crypto mining. There are multiple coins available but the coin best suitable for raspberry-pi/VPS is Duino-Coin. You could explore its website and start mining (you won’t get rich by this mining, but it will give you some experience with crypto mining, which could be a good investment).

Important: Make sure you don’t mine with the machine you do your work on as it consumes a lot of processing power of your machine.

I hope that this article will help you set up your monitoring machine. Feel free to comment on this article your thoughts 🙂


Writing scripts to monitor bug bounty targets, for fun and profit

Monitoring your targets for bug bounties

Yet another Hello World post on the internet


My first blog post on the internet: Hello, World!

Hello, World!

Read the latest security research, bug bounty writeups, and tutorials by Shriyanss.

Blog