
Recon Slides by Anon_Y0gi

The slides for the Recon for BugBounty webinar held on 5th March 2023 on hacklido.

Anon_Y0gi

March 06, 2023

Transcript

  1. Recon For Bug Bounty
    HACKLIDO.COM

  2. WHOAMI?
    Agnibha Dutta (Anon_Y0gi)
    Security Analyst
    Pursuing MBBS
    Part-time Bug bounty hunter
    eJPT Certified
    Successfully Hacked and Secured: Sony, Acronis, NASA + 20 other companies
    https://twitter.com/AnonY0gi
    https://www.youtube.com/@y0gisec

  3. WHAT IS RECONNAISSANCE?
    Reconnaissance, also known as Recon, is one of the most important aspects of
    penetration testing.
    Recon helps you increase the attack surface and may allow you to find more
    vulnerabilities, but the ultimate goal is to dig deep into the target.
    Recon = Increase in attack surface = More vulnerabilities
    Recon = Finding untouched endpoints = Fewer duplicates
    Recon = Sharpening your axe before the attack

  4. SUBDOMAIN ENUMERATION
    Subdomain enumeration is the process of finding subdomains
    for one or more domains.
    Tools used:
    Visual Recon: VirusTotal, subdomainfinder.c99.nl
    https://crt.sh/?q=%25.target.com
    https://securitytrails.com/list/apex_domain/target.com
    https://www.shodan.io/search?query=ssl.cert.subject.CN%3A%22target.com%22
    Amass
    Dnsx
    Subfinder
    Chaos
    AssetFinder

  5. SUBDOMAIN ENUMERATION
    amass enum -passive -norecursive -noalts -df domains.txt -o subs-list.txt
    dnsx -silent -d $domain -w ~/wordlist.txt -o ~/dnsbrute.txt
    cat domain.txt | dnsgen - | massdns -r ~/resolvers.txt -o S -w alive.txt

  6. FILTERING THE SUBDOMAINS WITH HTTPX
    httpx -l domain.txt -timeout 13 -o domain-probe.txt
    PORT SCANNING
    naabu -list sub-list.txt -top-ports 1000 -exclude-ports 80,443,21,22,25 -o ports.txt
    naabu -list sub-list.txt -p - -exclude-ports 80,443,21,22,25 -o ports.txt
    cat domain-subs.txt | aquatone -ports xlarge -scan-timeout 300 -out aquatone.txt

  7. SUBDOMAIN OF SUBDOMAIN ENUMERATION
    One of the things people rarely search for.
    Tools used:
    Subbrute: https://github.com/TheRook/subbrute
    altdns: https://github.com/infosec-au/altdns
    Usage: ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt

  8. SCREENSHOT TOOLS
    Capable of taking screenshots of websites to view offline anytime.
    Tools used:
    Eyewitness: https://github.com/FortyNorthSecurity/EyeWitness
    httpscreenshot: https://github.com/breenmachine/httpscreenshot

  9. BROADENING YOUR SCOPE
    More targets lead to more options, which ultimately lead to more opportunities.
    Crunchbase
    bgp.he.net
    tools.whoisxmlapi.com
    https://whois.arin.net

  10. WHAT TO DO AFTER ENUMERATION? | Collecting URLs
    Waybackurls: https://github.com/tomnomnom/waybackurls
    Gau: https://github.com/lc/gau
    for i in $(cat domain-subs.txt); do gau "$i" | egrep -v "\.(woff|woff2|ttf|otf|eot|webp|gif|tiff|bmp|wav|png|jpg|jpeg|svg|ico|css|mp4|m4v)" | httpx -silent -fc 404 | tee -a domain-archive.txt; done
    https://web.archive.org/cdx/search/cdx?url=*.target.com&fl=original&collapse=urlkey

  11. TIPS AND TRICKS
    By Aditya_Shende
    After collecting URLs, curl out the responses of the URLs and grep
    for the following URLs:
    drive.google
    docs.google
    /spreadsheets/d/
    /document/d/
    cat domains.txt | katana -silent | while read url; do cu=$(curl -s "$url" | grep -E '(drive\.google|docs\.google|/spreadsheets/d/|/document/d/)'); echo -e "==> $url\n$cu"; done
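
The URL-collection stage of slides 10 and 11 as an added example (not the deck's own code): the static-asset filter anchors the extension to the end of the path so API routes that merely contain "png" or "jpg" are not discarded, and the document-link grep escapes its dots. It assumes bash and grep -E; the sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the deck's own code: two stdin filters for the
# URL-collection stage. Assumes bash and GNU or BSD grep; input is
# gau/katana output (or a curl response body) on stdin.

# Drop static-asset URLs. The extension is anchored to the end of the path
# (an optional ?query may follow), so /api/png.php or a host such as
# cdn.jpg.example.com is kept, unlike a bare "\.(png|...)" match.
filter_static_urls() {
  grep -viE '\.(woff2?|ttf|otf|eot|webp|gif|tiff?|bmp|wav|png|jpe?g|svg|ico|css|mp4|m4v)(\?[^/]*)?$'
}

# Extract Google Drive/Docs links from a fetched body, with the dots escaped
# so look-alike hosts (drive-google.example) are not matched.
extract_shared_docs() {
  grep -oE "https?://(drive|docs)\.google\.com/[^\"' <>]+" | sort -u
}

# Demo on constructed input; in a real pipeline the functions sit between
# the collector and httpx:  gau "$host" | filter_static_urls | httpx -silent -fc 404
printf '%s\n' 'https://example.com/app.js' 'https://example.com/logo.png' | filter_static_urls
```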

  12. TIPS AND TRICKS
    Using SQLiDetector to search for SQLi
    Tool Link: https://github.com/eslam3kl/SQLiDetector

  13. SHODAN FOR RECON
    Shodan: https://www.shodan.io/
    Shodan Dorks:
    ssl:"target[.]com" 200 http.title:"dashboard" --- unauthenticated dashboard
    org:"target.com" x-jenkins 200 --- unauthenticated Jenkins server
    ssl:"target.com" 200 proftpd port:21 --- proftpd on port 21
    org:"target.com" http.html:zabbix --- CVE-2022-24255 Main & Admin Portals: Authentication Bypass
    org:"target.com" http.title:"phpmyadmin" --- phpMyAdmin
    ssl:"target.com" http.title:"BIG-IP" --- F5 BIG-IP using CVE-2020-5902
    How I found XSS by searching in Shodan - Writeup

  14. CENSYS FOR RECON
    Censys: https://www.censys.io/
    Let’s fuck waf using Origin IP: My approach on censys By Deepak Dhiman

  15. FUZZING FOR SENSITIVE FILES & DIRECTORIES
    ffuf: https://github.com/ffuf/ffuf
    FFUF-ing RECON: Writeup on ffuf
    for i in $(cat host.txt); do ffuf -u "$i/FUZZ" -w wordlist.txt -mc 200,302,401 -se; done
    Tip: Fuzz for "/wp-content/debug.log" || Sometimes they contain SQL errors, which can be chained.

  16. FINDING SOURCE/BACKUP FILES
    Example for y0gi.hacklido.com:
    y0gi.hacklido.com/y0gi.zip - hacklido.zip - admin.zip - backup.zip
    y0gi.hacklido.com/y0gi/y0gi.zip - hacklido.zip - admin.zip - backup.zip
    y0gi.hacklido.com/hacklido/y0gi.zip - hacklido.zip - admin.zip - backup.zip
    y0gi.hacklido.com/admin/y0gi.zip - hacklido.zip - admin.zip - backup.zip
    Tool: https://github.com/musana/fuzzuli
    Credit: GodfatherOrwa
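
The naming pattern on this slide as an added example (not the deck's or fuzzuli's code): it expands a hostname into the candidate archive URLs so a defender can check those exact paths on their own hosts. It assumes bash and awk; the name set is the host labels plus the fixed words admin and backup, and the extension defaults to zip as on the slide.

```shell
#!/usr/bin/env bash
# Added example, not the deck's or fuzzuli's code: expand a hostname into the
# candidate archive URLs slide 16 lists for y0gi.hacklido.com. Assumes bash
# and awk; names are the host labels (TLD dropped) plus admin and backup,
# and the extension list defaults to zip (pass "zip bak" etc. to widen it).
backup_candidates() {
  host=$1
  exts=${2:-zip}
  # host labels without the TLD, e.g. y0gi.hacklido.com -> y0gi hacklido
  labels=$(printf '%s' "$host" | awk -F. '{for (i = 1; i < NF; i++) print $i}')
  words="$labels admin backup"
  # one candidate per (directory, name, extension); "" is the web root
  for dir in "" $words; do
    for name in $words; do
      for ext in $exts; do
        printf 'https://%s/%s%s.%s\n' "$host" "${dir:+$dir/}" "$name" "$ext"
      done
    done
  done
}

# Stand-alone run prints the 20 .zip candidates for the slide's example host.
backup_candidates y0gi.hacklido.com
```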

  17. GOOGLE & GITHUB DORKING
    Trivial Tricks:
    Find Sensitive Data in Cloud storage:
    site:http://s3.amazonaws.com "target[.]com"
    site:http://blob.core.windows.net "target[.]com"
    site:http://googleapis.com "target[.]com"
    site:http://drive.google.com "target[.]com"
    Github Leaks for AWS, Jira, Okta, etc:
    org:"target" pwd/pass/passwd/password
    "target.atlassian" pwd/pass/passwd/password
    "target.okta" pwd/pass/passwd/password
    "jira.target" pwd/pass/passwd/password
    Also search in Google Groups and GitLab.
    Credit: GodfatherOrwa

  18. JAVASCRIPT [JS] FILES RECON
    Js Recon Tip:
    Collect all JS files (".js").
    Filter JS files: httpx -content-type | grep 'application/javascript'
    Perform a Nuclei scan: nuclei -t /root/nuclei-templates/exposures/
    Grep all URLs from wayback or gau.
    Collect all endpoints from JS files and create a wordlist from those.
    Craft a POST request with any parameter.
    Use that request to fuzz for sensitive directories.
    Tools:
    JSFSCAN, JSMiner (Burp Extension), TruffleHog
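
The "collect all endpoints from JS files and create a wordlist" step as an added example (not the deck's code): it pulls quoted path literals out of JavaScript and emits a deduplicated wordlist. It assumes bash, grep -E and sed; sample_js is a constructed snippet standing in for a downloaded file.

```shell
#!/usr/bin/env bash
# Added example, not the deck's code: extract quoted path literals from
# JavaScript into a deduplicated wordlist. Assumes bash, grep -E and sed.
# sample_js is a constructed stand-in for a file fetched with httpx/curl.
sample_js() {
  cat <<'EOF'
fetch("/api/v1/users").then(r=>r.json());const e='/admin/export?format=csv';
var img="/static/logo.png";if(!ok){window.location="/login"}
EOF
}

# Paths are "/..." or '/...' literals: a leading slash followed by URL-safe
# characters (query strings included) up to the closing quote.
extract_js_endpoints() {
  grep -oE "[\"'](/[A-Za-z0-9_./?=&-]+)[\"']" | sed "s/^[\"']//; s/[\"']\$//" | sort -u
}

# Wordlist entries are the bare paths, ready for ffuf -w with FUZZ in the URL.
sample_js | extract_js_endpoints
```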

  19. SOME AUTOMATION FRAMEWORKS
    Sudomy: https://github.com/Screetsec/Sudomy
    Reconftw: https://github.com/six2dez/reconftw

  20. Some data is intended; there is no bug there.
    Verify the data.
    Don't get angry; you may lose bonds with a good program.
    Reported > Invalid
    Your crafting and exploits are gold. Make the impact as high as you can.
    Yes, they do accept third party.
    The money isn't going anywhere. Don't message the team constantly.
    Be humble with the program.

  21. QNA SESSION
    https://twitter.com/AnonY0gi
    https://www.youtube.com/@y0gisec

  22. THANK YOU
    WWW.HACKLIDO.COM