Listen to this Post
Introduction:
The convergence of large language models (LLMs) with attack surface discovery APIs is redefining ethical hacking. By feeding Gemini CLI a single prompt, security researchers can autonomously scan FOFA and Censys for exposed instances (JIRA, Jenkins, WordPress), consolidate IPs, probe with httpx, and launch technology‑specific fuzzing—all without manual copy‑pasting. This article deconstructs that workflow, provides verified commands, and shows how to build your own AI‑driven reconnaissance pipeline.
Learning Objectives:
- Automate asset discovery using FOFA and Censys APIs with AI‑driven prompt engineering.
- Chain reconnaissance tools (httpx, ffuf, Nuclei) based on detected technology stacks.
- Integrate AI agents like Gemini into bug bounty workflows for efficient vulnerability hunting.
You Should Know:
1. Setting Up FOFA and Censys API Access
Step‑by‑step guide to obtain API credentials and test them from Linux/Windows.
Linux / macOS (using `curl` and `jq`):
FOFA export FOFA_EMAIL="your_email" export FOFA_KEY="your_fofa_key" curl -s "https://fofa.info/api/v1/search/all?email=$FOFA_EMAIL&key=$FOFA_KEY&qbase64=amlyYQ==" | jq '.results[] | .ip+":"+.port' Censys export CENSYS_API_ID="your_id" export CENSYS_API_SECRET="your_secret" curl -s -u "$CENSYS_API_ID:$CENSYS_API_SECRET" "https://search.censys.io/api/v2/hosts/search?q=services.service_name: HTTP&per_page=5" | jq '.result.hits[].ip'
Windows (PowerShell):
$env:FOFA_EMAIL="your_email" $env:FOFA_KEY="your_key" Invoke-RestMethod -Uri "https://fofa.info/api/v1/search/all?email=$env:FOFA_EMAIL&key=$env:FOFA_KEY&qbase64=amlyYQ==" | ConvertTo-Json
Use these commands to verify your API keys work before feeding them into the AI prompt.
2. Crafting the AI Prompt for Autonomous Recon
The original prompt targets “Bentley Systems” for JIRA, Jenkins, WordPress. Below is an extended version that includes Nuclei and custom wordlists.
Extended Prompt (copy‑paste):
Find all open instances of JIRA, Jenkins, WordPress in Bentley Systems using FOFA and Censys free APIs. Consolidate the IPs, probe using httpx, and start fuzzing them according to their technologies for sensitive endpoints. Then run Nuclei with tech‑specific templates. Use a custom wordlist for WordPress: /path/to/wordpress.txt.
How to use:
- Replace “Bentley Systems” with any target (e.g.,
.target.com). - Add `-o output.txt` to save results.
- Gemini will generate a bash script; review it before execution.
3. Automating IP Consolidation and Probing with httpx
After API queries return IPs, consolidate and probe live hosts.
Linux commands:
Combine IPs from both sources cat fofa_ips.txt censys_ips.txt | sort -u > all_ips.txt Probe with httpx (install: go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest) httpx -l all_ips.txt -status-code -title -tech-detect -o live_hosts.txt
Windows (using WSL or standalone httpx.exe):
Get-Content .\fofa_ips.txt, .\censys_ips.txt | Sort-Object -Unique | Out-File .\all_ips.txt .\httpx.exe -l .\all_ips.txt -status-code -title -tech-detect -o .\live_hosts.txt
This step filters dead hosts and detects technologies (e.g., WordPress, JIRA) for later fuzzing.
4. Technology‑Aware Fuzzing with ffuf and Custom Wordlists
Once technology is known, use ffuf with targeted wordlists.
Example for JIRA (sensitive endpoints):
Wordlist: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/jira-sensitive.txt ffuf -u https://target.com/FUZZ -w jira_sensitive.txt -c -t 50 -fc 404 -o jira_fuzz.json
For WordPress:
ffuf -u https://target.com/FUZZ -w wordpress.txt -e .php,.bak,.sql -c -t 100 -fc 403,404
Windows equivalent:
.\ffuf.exe -u https://target.com/FUZZ -w .\wordpress.txt -e .php,.bak -c -t 50
The AI agent can auto‑select wordlists based on `httpx` tech‑detect output, saving manual effort.
5. Adding Nuclei for Vulnerability Scanning
Integrate Nuclei to find CVEs and misconfigurations.
Linux command:
Install nuclei: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest nuclei -l live_hosts.txt -t ~/nuclei-templates/ -severity critical,high,medium -o nuclei_results.txt
Targeted by technology:
nuclei -l jira_hosts.txt -t ~/nuclei-templates/exposed-panels/jira/ -o jira_vulns.txt
Windows:
.\nuclei.exe -l .\live_hosts.txt -t .\nuclei-templates\ -severity critical,high -o .\results.txt
Add this line to the Gemini prompt to automate scanning after fuzzing.
6. Full Automation Script Example
Below is a bash script that replicates the entire Gemini workflow without the AI.
!/bin/bash Auto recon: FOFA + Censys -> httpx -> fuzzing -> nuclei TARGET="Bentley Systems" FOFA_QUERY=$(echo -n "domain=\"$TARGET\" && (app=\"JIRA\" || app=\"Jenkins\" || app=\"WordPress\")" | base64) CENSYS_QUERY="services.service_name: (http OR https) AND $TARGET" FOFA curl -s "https://fofa.info/api/v1/search/all?email=$FOFA_EMAIL&key=$FOFA_KEY&qbase64=$FOFA_QUERY&size=100" | jq -r '.results[] | .ip+":"+.port' > fofa.txt Censys curl -s -u "$CENSYS_API_ID:$CENSYS_API_SECRET" "https://search.censys.io/api/v2/hosts/search?q=$CENSYS_QUERY&per_page=100" | jq -r '.result.hits[].ip' > censys.txt Merge, probe cat fofa.txt censys.txt | sort -u | httpx -silent -status-code -tech-detect -o live.txt Fuzz per tech (simplified) grep "WordPress" live.txt | cut -d' ' -f1 > wp_hosts.txt ffuf -u https://FUZZ/ -w wordlist.txt -ac -t 50 -c -o fuzz_wp.json Add more techs (JIRA, Jenkins) similarly Nuclei nuclei -l live.txt -t ~/nuclei-templates/ -severity high,critical -o final_vulns.txt
Windows PowerShell version:
Similar logic using Invoke-RestMethod and custom functions
$target = "Bentley Systems"
$fofaResponse = Invoke-RestMethod "https://fofa.info/api/v1/search/all?email=$env:FOFA_EMAIL&key=$env:FOFA_KEY&qbase64=$fofaQuery"
$fofaResponse.results | ForEach-Object { "$($<em>.ip):$($</em>.port)" } | Out-File fofa.txt
... continue with httpx, ffuf, nuclei
This script can be scheduled or integrated into CI/CD for continuous monitoring.
7. Mitigation and Hardening for Defenders
Understanding these attacks helps defenders block them.
Key mitigations:
- Rate limiting on APIs: Restrict requests per IP to FOFA/Censys from your network.
- WAF rules: Block user‑agents like
httpx,nuclei,ffuf. Detect fuzzing patterns (many 404s). - Hide admin endpoints: Use non‑standard paths for JIRA, Jenkins, WordPress (e.g.,
/secure-admin). Implement IP whitelisting. - CDN + cloudflare: Enable “Under Attack” mode during scanning spikes.
- Monitor for API abuse: Log and alert on repeated `?qbase64=` parameters in FOFA requests.
Linux command to detect scanning from your logs:
grep "404" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
Windows (PowerShell):
Select-String -Path "C:\inetpub\logs\LogFiles.log" -Pattern " 404 " | Group-Object {($_ -split ' ')[bash]} | Sort-Object Count -Descending | Select-Object -First 10
What Undercode Say:
- Key Takeaway 1: AI agents like Gemini can autonomously execute multi‑step reconnaissance—API queries, host probing, and fuzzing—reducing hours of manual work to a single prompt. This democratizes advanced bug hunting but also lowers the barrier for malicious actors.
- Key Takeaway 2: Technology‑aware fuzzing (e.g., using JIRA‑specific wordlists after tech detection) dramatically increases hit rates. Combining Censys and FOFA compensates for each platform’s blind spots, yielding broader coverage than either alone.
The integration of LLMs with security tooling is still nascent, but this example proves that prompt engineering can replace glue code. However, relying on AI without understanding underlying commands risks missing edge cases or executing unintended scans. Always review AI‑generated scripts, respect scope, and use rate limiting to avoid being blocked by target infrastructures.
Prediction:
AI‑driven autonomous pentesting will become standard within 18 months, forcing bug bounty platforms to adopt AI‑based detection of automated scans. Defenders will respond with dynamic WAF rules and CAPTCHA‑challenged fuzzing. The ethical hacking community will split: those who master AI orchestration will outpace traditional manual testers, while regulators may impose disclosure requirements for AI‑generated vulnerability reports. Ultimately, the arms race will shift from finding low‑hanging fruits (exposed admin panels) to exploiting complex business logic flaws—areas where current AI still struggles.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Vaidikpandya Bugbounty – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
