Successfully reported this slideshow.

Recon and Bug Bounties - What a great love story!

2

Share

Aug. 04, 2017
2 likes 1,423 views
Upcoming SlideShare
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2
Loading in …3
×
1 of 32
1 of 32

Recon and Bug Bounties - What a great love story!

Aug. 04, 2017
2 likes 1,423 views

2

Share

Download to read offline

Internet

n this talk, the speaker will demonstrate few effective techniques using which researchers/pen testers can do better information gathering. The speaker would also share many stories which allowed him to earn some bounties using these recon techniques. This techniques might also be useful to red teams/incident response teams to identify rogue devices in their organisation which are often missed out during normal penetration testing. These might not be “best practices” but are definitely “good practices” and “nice to know” things while doing Penetration Testing.

n this talk, the speaker will demonstrate few effective techniques using which researchers/pen testers can do better information gathering. The speaker would also share many stories which allowed him to earn some bounties using these recon techniques. This techniques might also be useful to red teams/incident response teams to identify rogue devices in their organisation which are often missed out during normal penetration testing. These might not be “best practices” but are definitely “good practices” and “nice to know” things while doing Penetration Testing.

Internet

Recommended

More Related Content

Similar to Recon and Bug Bounties - What a great love story!

GoHachi - trial run of the app
Rebecca Caroe
Threatcrowd
Christopher Doman
Trends in Web Attacks
IWMW
Better watch your apps - MJ Keith
m j
Roelof Temmingh FIRST07 slides
Leon Kuunders
Webapp security-tut-2017
Solita Oy
Understanding Application Threat Modelling & Architecture
Priyanka Aash
Hacker tooltalk: Social Engineering Toolkit (SET)
Chris Hammond-Thrasher
WhiteHat SEO for Blog Owner
Delaserna Bonarte
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
CiNPA Security SIG
The Web Application Hackers Toolchain
jasonhaddix
The moment my site got hacked - WordCamp Sofia
Marko Heijnen
Modern Malware and Threats
MarketingArrowECS_CZ
curl - a hobby project that conquered the world
Daniel Stenberg
Ransomware - what is it, how to protect against it
Zoltan Balazs
Breaking out of restricted RDP
Security BSides London
Introduction to the open rights group censorship monitoring project
Richard King
Memaksimalkan Non-Blocking IO pada Node.js
CodePolitan
Whitehat seo tips for bloggers
imarketingtrends
Hackito Ergo Sum 2011: Capture me if you can!
stricaud

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Bit by Bit: Social Research in the Digital Age Matthew J. Salganik
(4/5)
Free
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State Glenn Greenwald
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Kill All Normies: Online Culture Wars From 4Chan And Tumblr To Trump And The Alt-Right Angela Nagle
(4/5)
Free
Cryptography: The Key to Digital Security, How It Works, and Why It Matters Keith Martin
(4/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
This Machine Kills Secrets: How Wikileakers, Cypherpunks, and Hacktivists Aim to Free the World's Information Andy Greenberg
(4/5)
Free
Stop Checking Your Likes: Shake Off the Need for Approval and Live an Incredible Life Susie Moore
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community that Will Listen Findaway
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
Platform: Get Noticed in a Noisy World Michael Hyatt
(4.5/5)
Free
The Secret Life: Three True Stories of the Digital Age Andrew O'Hagan
(4/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
Internet Riches: The Simple Money-Making Secrets of Online Millionaires Scott Fox
(4/5)
Free
Exploding Data: Reclaiming Our Cyber Security in the Digital Age Michael Chertoff
(4.5/5)
Free
Cyberwar: How Russian Hackers and Trolls Helped Elect a President—What We Don't, Can't, and Do Know Kathleen Hall Jamieson
(3/5)
Free
Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous Gabriella Coleman
(4/5)
Free
The Art of Social Media: Power Tips for Power Users Guy Kawasaki
(4/5)
Free

Recon and Bug Bounties - What a great love story!

  1. 1. --Abhijeth Dugginapeddi RECON AND BUG BOUNTIES WHAT A GREAT <3 STORY
  2. 2. PPT 101– INTRODUCE THE SPEAKER • I think I’m still a script kiddie maybe? • 9:00-17:00 work at a large organization • 17:00-9:00 work on the internet • Got lucky in finding bugs with Google, Facebook, Microsoft, Ebay etc • One among top 5 bug bounty researchers on Synack • Stop bragging and start the preso man
  3. 3. AGENDA
  4. 4. DO YOU DO PEN TESTING?
  5. 5. WEB SECURITY
  6. 6. AN UNINFORMED THREAT MODEL... www.website.com shop.website.com blog.website.com stage.website.com db.website.com api.website.com dev.website.com backup-syd.website.com archive.website.com s3 Buckets github pastebin third party providers mobile applications analytics etc etc…
  7. 7. BUT WHY?
  8. 8. ATTACK DIFFERENTLY
  9. 9. OK COOL BUT HOW?
  10. 10. DO YOU STILL REVERSE IP
  11. 11. SUB DOMAIN-ING
  12. 12. SUB DOMAINS • Sublist3r • Masscan • Shodan • censys
  13. 13. Yo!! Does this work?
  14. 14. OH YEA TEST DATABASES MADE PUBLIC? SURE THANKS
  15. 15. SNAPSHOT-ING YOUR SUB DOMAIN LIST
  16. 16. SOMETHING TO HELP YOU ALONG... snapple.py
  17. 17. DIVING IN: HACKING WITH GOOGLE(DEMO)
  18. 18. DO YOU GITHUB? • Site.com API_key • Password @site.com • Site.com secret_key • Site.com FTP password • Site.com ssh • Will leave combinations to your imagination
  19. 19. EVER TRIED LINK FINDER?
  20. 20. #RANDOM TARGET
  21. 21. #RANDOM TARGET
  22. 22. OOPSY
  23. 23. MORAL OF THE STORY
  24. 24. FEW PEOPLE YOU SHOULD FOLLOW FOR SOME COOL STUFF IN THIS SPACE • Jason Haddix • Nahamsec • Naffy • Shubs_shah • Bharath kumar • Edoverflow • And me ;)
  25. 25. CREDITS https://imgflip.com/memegenerator for memes/gifs All the authors of these tools  Great job guys and Thank you!!
  26. 26. Thanks to these guys for making internet secure again  @Bugcrowd @synack @Hacker0x01
  27. 27. Cheers to @Reconvillage questions? @abhijeth

×