> For the complete documentation index, see [llms.txt](https://davidtancredi.gitbook.io/pentesting-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://davidtancredi.gitbook.io/pentesting-notes/r3dcl1ff/bbp.md).

# BBP

```
Grab updated list of open BBPS from Project Discovery's repo

https://github.com/projectdiscovery/public-bugbounty-programs/blob/main/chaos-bugbounty-list.json

https://raw.githubusercontent.com/projectdiscovery/public-bugbounty-programs/main/chaos-bugbounty-list.json

#Parse out only domains using jq

jq -r '.programs[].domains[]?' data.json > domains.txt

#Run subfinder to acquire targets

subfinder -dL domains.txt -o subs.txt

-------------------------

#be a cheap cun7 and use the facets option on shodan to acquire ips, then

grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' ips.txt > ip

------------------------

#Grab all unique ips from an http list, useful when feeding into naabu

cat http.txt | httpx -mc 200 -ip -silent | awk '{print $2}' | sort -u | grep -o '[^][]\+' > ips.txt

Optionally follow up naabu with:

....cut -d':' -f2 | sort -u | paste -sd',' -

This will essentially provide a list of comma separated ports (80,88,..) that you can feed 
into httpx for further recon  
```
