SlideShare a Scribd company logo

Bug bounty recon.pdf

E
EusebiuDanielBlindu

Bug bounty methodology

Technology
1 of 16
Download to read offline
Bug bounty recon @blindu_ch https://www.blindu.ch Eusebiu Daniel Blindu
Context is everything ● Recon is an iterative process ● Recon depends on the bug bounty program ● Recon depends of the scope (limitation)
Finding domains in scope ● Whois lookup ● Google search site:whois.* inurl:domain.com “org: Domain” ● Hurricane Electric (bgp.he.net) ● Shodan/Censys.io ● Acquisitions (crunchbase.com) ● Current and historic databases, documents, leaks and investigations (aleph.occrp.org) ● Website profiler, lead generation, competitive analysis and business intelligence tools (builtwith.com) ● IP ranges -> reverse dns -> domains/subdomains ● Domain search engines ( whoxy.com ) ● Online scanning tools kaeferjaeger.gay ● SSL Certificate info ● Crawling the known domains/subdomains (Acunetix Discovery) ● https://dns.coffee/ ● Amass (https://github.com/owasp-amass/amass ) `amass intel -org 'Netflix'` ● Github
Finding subdomains ● Existing tools: subfinder/sublist3r/amass ● Brute force subdomain scanner ● Crawling the known domains/subdomains that belong to same organization ● https://crt.sh/?q=domain.com ● https://securitytrails.com/list/apex_domain/domain.com ● https://www.shodan.io/search?query=ssl.cert.subject.CN%3Adomain.com ● Censys.io ● https://lab.dynamite.ai/ (search in public pcap files) ● Github ● Google/Bing search ‘site:domain.com’ ● IP ranges -> reverse DNS ● https://github.com/iamthefrogy/frogy ● https://github.com/Cyber-Guy1/domainCollector
Cleaning ● Clean subdomains by same IP (keep max 1 to 3 subdomains that have same IP - with exceptions) ● Check the wildcard subdomains if it makes sense to continue with some of them ● Sort|uniq ● Grab screenshots or other techniques to group similar subdomains together to remove duplicate content ● Subdomains that don’t resolve to (a public) IP - separate from the main list, but keep it
Optional but userful: Continuous asset monitoring Advantages: Some assets(domains, subdomains, ports) might be open at certain times (batch jobs, deploys, test/UAT/staging/QA environments) - and might have lower security, exposing sensitive data Disadvantages: could be a costly implementation
Port scanning Nmap - main tool cat subdomains.txt | httpx -o subdomains_live.txt naabu -list subdomains.txt -top-ports 1000 -exclude-port 80,443,21,22,25 -o ports.txt Some public/paid online websites have ports up to datte
Collecting URL endpoints ● Tools: waybackurls, gau ● Websites: urlscan.io, web.archive.org ● Google/Bing dorking site:domain.com ● Crawling: Scanners (Burp Suite crawl, Acunetix) hakrawler, Xenu ● Brute force: ffuf,dirbuster ● Javascript .js file source code ● Github ● Android/iOS mobile app ● Desktop app ● Public pcap files (lab.dynamite.ai)
Search backup/source code files For https://subdomain.domain.com/ search for: ● https://subdomain.domain.com/subdomain.zip , https://subdomain.domain.com/subdomain.tar.gz, ● https://subdomain.domain.com/domain.zip, https://subdomain.domain.com/domain.tar.gz ● https://subdomain.domain.com/subdomain/subdomain.zip, https://subdomain.domain.com/subdomain/subdomain.tar.gz ● https://subdomain.domain.com/domain/domain.zip, https://subdomain.domain.com/domain/domain.tar.gz
Parameter mining ● Arjun ● ParamSpider ● Param-Miner (Burp) ● Also ffuf can be used too for param discovery
Leaks finding ● gist.github.com ● Gitlab.com ● site: docs.google.com/spreadsheets “company name” ● Site: groups.google.com/ “company name” ● Javascript files .js ● android/iOS source code ● Pcap uploaded by mistake publicly https://lab.dynamite.ai/
One bug found -> scan all your BB subdomains ● Keep a large list of subdomains/urls for multiple BB (preferable a database) ● Once you find a bug, scan all the urls for the same bug ● This can work out to find your favourite next bounty program
HTTP headers - manipulation ● Burp Proxy match/replace functionality ● Blind XSS/Log4Shell - UserAgent/Referal headers ● Modify response code ● Check for reverse proxy `GET https://burpcollab HTTP/1.1`
Scanner tips ● Feed previous gathered endpoints for a target to the scanner, not only the base url ● Combine tools: Use Acunetix/nuclei/ZAP via Burp Proxy/Fiddler with match/replace ● Intercept mobile app traffic , feed the scanner those requests ● Parse pcap public files for requests, feed the scanner ● Intercept SmartTV network traffic feed the scanner
Thank you! @blindu_ch https://www.blindu.ch Eusebiu Daniel Blindu

Recommended

Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsHackerOne
 
BugBounty Tips.pdf
BugBounty Tips.pdfBugBounty Tips.pdf
BugBounty Tips.pdfKhaledMohamed767546
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For MoneyShubham Gupta
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 

Recommended

Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsHackerOne
 
BugBounty Tips.pdf
BugBounty Tips.pdfBugBounty Tips.pdf
BugBounty Tips.pdfKhaledMohamed767546
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For MoneyShubham Gupta
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers JobArbin Godar
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Ben Hayak
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets n|u - The Open Security Community
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
Information Gathering With Google
Information Gathering With GoogleInformation Gathering With Google
Information Gathering With GoogleZero Science Lab
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101Shahee Mirza
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]RootedCON
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
Software Development
Software DevelopmentSoftware Development
Software DevelopmentMark Jhon Oxillo
 
Developing High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxDeveloping High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxElvin Gentiles
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装FIDO Alliance
 
Osint {open source intelligence }
Osint {open source intelligence }Osint {open source intelligence }
Osint {open source intelligence }AkshayJha40
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
Recon like a pro
Recon like a proRecon like a pro
Recon like a proNirmalthapa24
 

More Related Content

What's hot

Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers JobArbin Godar
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Ben Hayak
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
Information Gathering With Google
Information Gathering With GoogleInformation Gathering With Google
Information Gathering With GoogleZero Science Lab
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]RootedCON
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
Developing High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxDeveloping High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxElvin Gentiles
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装FIDO Alliance
 
Osint {open source intelligence }
Osint {open source intelligence }Osint {open source intelligence }
Osint {open source intelligence }AkshayJha40
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 

What's hot (20)

Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers Job
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
 
Information Gathering With Google
Information Gathering With GoogleInformation Gathering With Google
Information Gathering With Google
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]
Jesús Alcalde & Daniel Gonzalez- - OSINT: La verdad está ahí fuera [rooted2018]
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
Software Development
Software DevelopmentSoftware Development
Software Development
 
Developing High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxDeveloping High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptx
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
 
Osint {open source intelligence }
Osint {open source intelligence }Osint {open source intelligence }
Osint {open source intelligence }
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 

Similar to Bug bounty recon.pdf

Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringChris Gates
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with pythonJose Manuel Ortega Candel
 
Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)Radek Simko
 
Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)
Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)
Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)Pierre Mavro
 
Fast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNSFast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNSOpenDNS
 
Arcomem training Specifying Crawls Advanced
Arcomem training Specifying Crawls AdvancedArcomem training Specifying Crawls Advanced
Arcomem training Specifying Crawls Advancedarcomem
 
Taming botnets
Taming botnetsTaming botnets
Taming botnetsf00d
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisPositive Hack Days
 
Arcomem training Specifying Crawls Beginners
Arcomem training Specifying Crawls BeginnersArcomem training Specifying Crawls Beginners
Arcomem training Specifying Crawls Beginnersarcomem
 
Arcomem training specifying-crawls
Arcomem training specifying-crawlsArcomem training specifying-crawls
Arcomem training specifying-crawlsarcomem
 
Automating Research Data Flows and Introduction to the Globus Platform
Automating Research Data Flows and Introduction to the Globus PlatformAutomating Research Data Flows and Introduction to the Globus Platform
Automating Research Data Flows and Introduction to the Globus PlatformGlobus
 
Automating Research Data Flows and an Introduction to the Globus Platform
Automating Research Data Flows and an Introduction to the Globus PlatformAutomating Research Data Flows and an Introduction to the Globus Platform
Automating Research Data Flows and an Introduction to the Globus PlatformGlobus
 
How to automate all your SEO projects
How to automate all your SEO projectsHow to automate all your SEO projects
How to automate all your SEO projectsVincent Terrasi
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Fluent 2018: Tracking Performance of the Web with HTTP Archive
Fluent 2018: Tracking Performance of the Web with HTTP ArchiveFluent 2018: Tracking Performance of the Web with HTTP Archive
Fluent 2018: Tracking Performance of the Web with HTTP ArchivePaul Calvano
 

Similar to Bug bounty recon.pdf (20)

Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
 
Recon like a pro
Recon like a proRecon like a pro
Recon like a pro
 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with python
 
Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)Building infrastructure with Terraform (Google)
Building infrastructure with Terraform (Google)
 
Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)
Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)
Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)
 
Fast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNSFast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNS
 
Arcomem training Specifying Crawls Advanced
Arcomem training Specifying Crawls AdvancedArcomem training Specifying Crawls Advanced
Arcomem training Specifying Crawls Advanced
 
Taming botnets
Taming botnetsTaming botnets
Taming botnets
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
 
Arcomem training Specifying Crawls Beginners
Arcomem training Specifying Crawls BeginnersArcomem training Specifying Crawls Beginners
Arcomem training Specifying Crawls Beginners
 
Arcomem training specifying-crawls
Arcomem training specifying-crawlsArcomem training specifying-crawls
Arcomem training specifying-crawls
 
Automating Research Data Flows and Introduction to the Globus Platform
Automating Research Data Flows and Introduction to the Globus PlatformAutomating Research Data Flows and Introduction to the Globus Platform
Automating Research Data Flows and Introduction to the Globus Platform
 
Automating Research Data Flows and an Introduction to the Globus Platform
Automating Research Data Flows and an Introduction to the Globus PlatformAutomating Research Data Flows and an Introduction to the Globus Platform
Automating Research Data Flows and an Introduction to the Globus Platform
 
How to automate all your SEO projects
How to automate all your SEO projectsHow to automate all your SEO projects
How to automate all your SEO projects
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Fluent 2018: Tracking Performance of the Web with HTTP Archive
Fluent 2018: Tracking Performance of the Web with HTTP ArchiveFluent 2018: Tracking Performance of the Web with HTTP Archive
Fluent 2018: Tracking Performance of the Web with HTTP Archive
 
Recon in Pentesting
Recon in PentestingRecon in Pentesting
Recon in Pentesting
 

Recently uploaded

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 

Recently uploaded (20)

Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 

Bug bounty recon.pdf

  • 2. Context is everything ● Recon is an iterative process ● Recon depends on the bug bounty program ● Recon depends of the scope (limitation)
  • 3. Finding domains in scope ● Whois lookup ● Google search site:whois.* inurl:domain.com “org: Domain” ● Hurricane Electric (bgp.he.net) ● Shodan/Censys.io ● Acquisitions (crunchbase.com) ● Current and historic databases, documents, leaks and investigations (aleph.occrp.org) ● Website profiler, lead generation, competitive analysis and business intelligence tools (builtwith.com) ● IP ranges -> reverse dns -> domains/subdomains ● Domain search engines ( whoxy.com ) ● Online scanning tools kaeferjaeger.gay ● SSL Certificate info ● Crawling the known domains/subdomains (Acunetix Discovery) ● https://dns.coffee/ ● Amass (https://github.com/owasp-amass/amass ) `amass intel -org 'Netflix'` ● Github
  • 4. Finding subdomains ● Existing tools: subfinder/sublist3r/amass ● Brute force subdomain scanner ● Crawling the known domains/subdomains that belong to same organization ● https://crt.sh/?q=domain.com ● https://securitytrails.com/list/apex_domain/domain.com ● https://www.shodan.io/search?query=ssl.cert.subject.CN%3Adomain.com ● Censys.io ● https://lab.dynamite.ai/ (search in public pcap files) ● Github ● Google/Bing search ‘site:domain.com’ ● IP ranges -> reverse DNS ● https://github.com/iamthefrogy/frogy ● https://github.com/Cyber-Guy1/domainCollector
  • 5. Cleaning ● Clean subdomains by same IP (keep max 1 to 3 subdomains that have same IP - with exceptions) ● Check the wildcard subdomains if it makes sense to continue with some of them ● Sort|uniq ● Grab screenshots or other techniques to group similar subdomains together to remove duplicate content ● Subdomains that don’t resolve to (a public) IP - separate from the main list, but keep it
  • 6. Optional but userful: Continuous asset monitoring Advantages: Some assets(domains, subdomains, ports) might be open at certain times (batch jobs, deploys, test/UAT/staging/QA environments) - and might have lower security, exposing sensitive data Disadvantages: could be a costly implementation
  • 7. Port scanning Nmap - main tool cat subdomains.txt | httpx -o subdomains_live.txt naabu -list subdomains.txt -top-ports 1000 -exclude-port 80,443,21,22,25 -o ports.txt Some public/paid online websites have ports up to datte
  • 8. Collecting URL endpoints ● Tools: waybackurls, gau ● Websites: urlscan.io, web.archive.org ● Google/Bing dorking site:domain.com ● Crawling: Scanners (Burp Suite crawl, Acunetix) hakrawler, Xenu ● Brute force: ffuf,dirbuster ● Javascript .js file source code ● Github ● Android/iOS mobile app ● Desktop app ● Public pcap files (lab.dynamite.ai)
  • 9. Search backup/source code files For https://subdomain.domain.com/ search for: ● https://subdomain.domain.com/subdomain.zip , https://subdomain.domain.com/subdomain.tar.gz, ● https://subdomain.domain.com/domain.zip, https://subdomain.domain.com/domain.tar.gz ● https://subdomain.domain.com/subdomain/subdomain.zip, https://subdomain.domain.com/subdomain/subdomain.tar.gz ● https://subdomain.domain.com/domain/domain.zip, https://subdomain.domain.com/domain/domain.tar.gz
  • 10. Parameter mining ● Arjun ● ParamSpider ● Param-Miner (Burp) ● Also ffuf can be used too for param discovery
  • 11.
  • 12. Leaks finding ● gist.github.com ● Gitlab.com ● site: docs.google.com/spreadsheets “company name” ● Site: groups.google.com/ “company name” ● Javascript files .js ● android/iOS source code ● Pcap uploaded by mistake publicly https://lab.dynamite.ai/
  • 13. One bug found -> scan all your BB subdomains ● Keep a large list of subdomains/urls for multiple BB (preferable a database) ● Once you find a bug, scan all the urls for the same bug ● This can work out to find your favourite next bounty program
  • 14. HTTP headers - manipulation ● Burp Proxy match/replace functionality ● Blind XSS/Log4Shell - UserAgent/Referal headers ● Modify response code ● Check for reverse proxy `GET https://burpcollab HTTP/1.1`
  • 15. Scanner tips ● Feed previous gathered endpoints for a target to the scanner, not only the base url ● Combine tools: Use Acunetix/nuclei/ZAP via Burp Proxy/Fiddler with match/replace ● Intercept mobile app traffic , feed the scanner those requests ● Parse pcap public files for requests, feed the scanner ● Intercept SmartTV network traffic feed the scanner