
I'm Ben Sadeghipour. I am currently working at HackerOne; prior to working at HackerOne I was actually one of the hackers on the platform, so I kind of made my way through the work for the company at one point. I have submitted something like 600 vulnerabilities on HackerOne to about a hundred programs. My favorite ones are Airbnb, which I will talk about a little bit, DoD, which I will not talk about at all, Yahoo, Snapchat, Valve and a bunch of other ones. I've also created this community called Bug Bounty Forum; if you're interested in learning about bug bounties, how to get started, reading some AMAs with some of the top hackers in the community, I was just going to say go to bugbountyforum.com, or just go on Twitter and stuff we post.

How Bug Bounty Forum got started: there were four of us originally, we were called the Alcoholics, that was our group. We would just drink beer and hack together on Skype, and it eventually got out of control, and we saw there were a hundred people on our Skype channel that we didn't know about, and yeah, it got kind of dangerous. So we made a Slack channel, which is kind of private, but if you're in the community we would love to have you on board. A lot of the content we put on it, the idea was: how do we collaborate, how do we enable hackers to collaborate together, another platform for people to talk to each other directly without it being on Twitter, and how can we help people get started in hacking? So that's how the entire idea of building a community started, and then, taking it a step further, we started doing talks. So I do this talk about recon. It's one of the things that I try to get better at on a yearly basis: I try to set a goal and get better at a topic, so a lot of this is gonna be focused on recon. But before I get started I just kind of want to see how many of you guys here don't know what a bug bounty is. Oh, I love this, okay, perfect, I don't have to worry about explaining what a bug bounty is. And I'm not here to do a sales pitch, by the way; I'm just gonna talk about hacking and some of the things that I've found.

A little overview. We'll talk about what I'm gonna be doing, we'll go and talk about asset discovery, content discovery, we're gonna do some automation, and then I like doing dumpster diving a lot, it's been one of my favorite things lately, especially when it's online, and then we'll talk about some real-life examples of how I've done all of these and got some really cool bounties, or some other people on HackerOne who have done it as well. If you guys do see a piece of code that you want to take a note of, don't worry about it, everything is on my GitHub. I'm gonna wrap up with tools that I have used or I created; everything is on my GitHub, so don't worry about taking any notes. If you wanna take pictures, go for it, but I don't want you guys to be focused on taking notes or whatever; everything is going to go on GitHub, and I think they're recording this, it will be on YouTube, so just enjoy the content.

So I personally do bug bounties for self-improvement. Four years ago I was in college not knowing what I'm gonna do with my CS degree. If you have been to a small state university you know your degree isn't really going to take you that far if you rely on it, unless you get the experience. So I roamed around the hallways of Sacramento State University not knowing what I wanted to do, and here come bug bounties; it gave me an option to do something I liked. So I pretty much stretched out college: senior year became a fifth year and a sixth year because I was focused on doing bug bounties, but at the end of the day it helped me do a lot of things. So the self-improvement aspect was the best thing; networking was the biggest one. I got my first actual job by just submitting a bug to Hulu, and then a year later, exactly, I reached out to Eric, who is the OpSec lead at Hulu, and I was like hey, I'm looking for a job, are you guys hiring? And in about a week or two I was hired by them, just because of that interaction through their bug bounty program. And back then there wasn't a bug bounty program; they just had a vulnerability disclosure page saying hey, give us your bugs, we want to see them, we won't call the cops. And I did, and it worked out for me. So yeah, I built my entire career based on doing bug bounties; I didn't do anything other than bug bounties for the past four years, so I'm pretty locked in on making my career out of this, so in ten years we'll see where I end up.

There's also a competitive part to this bug bounty thing: we have leaderboards. My buddy Yassine and I, we like to talk a lot of crap to each other, so every time he passes me or I pass him we start talking crap, and then we go as far as going on Facebook and Instagram and, you know, clowning each other. So it makes it a little fun; it's not always about, you know, hacking, it's also building those relationships. I'd never met the guy until a year ago, but we've been talking crap to each other for two years now. Also, who doesn't like to make cash, right? At the end of the day you can make a very large amount of money. I don't mean to say that I make more money hacking than at my job, but in some cases I may be able to do that, if you realize some of these companies are paying up to 15k, or maybe in the case of Intel they're paying a hundred K for a bug. So if you get a 100k bug that's about a salary, so you make an entire year's worth in one night, right? But there's a lot of time and dedication and all the work.

So recon. Recon by definition is a military term. You want to know what's going on, where is your friendly zone, right? You want to know who owns what, what do they have, how can you get into those non-friendly environments. It's the same thing with hacking: you want to understand how the application works, you want to find every entry point possible for this app. You also want to find as many files and folders and endpoints as you can. But this gets hard; some of these companies, for example Yahoo, have 2,000 subdomains or more. How do you keep up with all that, right?
How do you go out for such a large company? A lot of us, especially myself, spend a lot more time on doing recon than anything else, because it's a process that you have to actually enjoy doing: build your own process around it, build your own methodology, and it gets very fun because you find some really crazy stuff. It might not even be a bug, but you go, what did I just look at? At the end of the day this is all because we're all humans, right? We all make errors, we all leak our passwords on GitHub at some point, it happens, but this is what makes recon fun for a lot of us.

So for today's discussion, this is kind of an overview of what I'll be talking about: I'll talk about recon through asset discovery, then you can do the same thing with content discovery, then we'll talk about vendor services and how we can dumpster-dive online. So yeah, let's get started.

So the first part of it is asset discovery; we'll talk about subdomain brute force and certificate transparency. The subdomain discovery part is literally a brute force: you use one of these tools on the right-hand side, you say hey, here's a list of words I have, throw it before the domain and see how many of these come back and how many of them are alive as a subdomain. Cool, that works, but then you find other environments, like you find their corporate domain, corp.site.com, or maybe they have a staging site, UAT, whatever that domain or that environment is. You find those environments and you go after them, because those are the juicy ones: a corporate site is probably juicier than a dev site, and also the dev site is probably better than the prod site, because there's less restriction on those sites, and new functionality and other things you can find on these different sites, right? So you want to go after those. What I mean by the different environments is it can literally just be something like dashboard.dev.site.com, or in some cases it could just be dashboard-dev.site.com. So you want to find out how this company is creating all these different subdomains, find that pattern, and go after every single subdomain if they're in the scope of the program. You can also go on Google and do a little thing on Google and it could give you some of the results, but Google may not have indexed all these subdomains. But all this is really boring, because you're literally sitting behind a computer looking at scripts just running and giving you results, and in some of these cases you can't find all the subdomains that exist. So I rely on certificate transparency heavily, and the reason why I do that is because if the company cares about the subdomain they're gonna assign it a certificate, right? So why not cut the work in half and just go after all these cert transparency sites.

So there are some companies out there who created search engines where you can literally go on and search. Censys: you can go on there and search for companies, if you actually look up the syntax on how they do it. So for Censys, if you type in this giant string it looks for all the DNS names that have been parsed into their database and matches the name snapchat. So if I'm looking for, you know, payments-gateway.snapchat.com, chances are with a wordlist or brute force attack I wouldn't be able to find any of these, because I don't have these giant long names; I don't have snapchat in my wordlist, I don't have gateway-payments in my wordlist, right? So going after this cert transparency stuff kind of helps in finding these subdomains.

There's also Shodan. If you are going to school, apparently you get a free membership; I messed up, I paid 40 bucks for a lifetime subscription, but 40 bucks is probably one of the best investments I've made. We'll talk about why in a little bit when we get into the examples, but the best part about Shodan is you can do a lot of filtering: you can go based on port number, you can go based on the organization name, you can go based on certificates, you can do pretty much anything. There's also the whole hostname and org thing, because if they're hosting a subdomain at an IP address that doesn't belong to them, then the organization is gonna be, for example, amazon.com, versus the host would be example.com. So you want to make sure you look at both of those, and Shodan makes it very possible. They pretty much scanned all of the internet and indexed it on their site; you pay forty bucks and get access to it, or you can cheat the system and just get a free one if you have an .edu email.

There's also Cert Spotter. This is probably one of my favorite ones. Cert Spotter is the same thing, but they have a very nice API, and unlike Censys and Shodan they don't charge you to use any of this; they don't have a limit on their API. You just hit this URL, give it your username and give it a domain name, and it pulls all this data in JSON format, and if you're really good at doing some bash scripting you can kind of clean it up, which we'll talk about in a little bit when we get to the automation part. crt.sh is another one, same exact thing, but you can actually use a wildcard on crt.sh; that's the best part about it and what makes it different. So if I want to look for every Snapchat TLD other than .com I can put the wildcard at the end, and it gives you stuff like snapchat.pizza, didn't know that existed, and a bunch of other ones. You can move the wildcard to the other end of it and look for everything before snapchat.com; you can see, like on the right in this image, I'm just hitting the crt.sh endpoint, or the API, and it has given you a hundred thirty-six unique subdomains on Facebook. And yeah, it's pretty nice; we'll talk about how to automate this too in a little bit.

So the cert transparency thing is a part of OSINT,
but I kind of wanted to take it out; it goes more with the, you know, subdomain finding and asset discovery thing. But there are other things we can look for. For example, we can go to ARIN and look for all the IP addresses, or we can just go and find acquisitions, other companies and sites they've bought. So in the case of Google or Facebook, these companies are buying smaller ones on a regular basis, and after six months of being acquired they usually go into the scope of their program, right? You also want to make sure you check those out. The easiest one is to go to Crunchbase; you literally type in the company name. So in this one I'm looking for Yahoo, which is now Oath, I mean, and you can see all the companies that they own. So in the case of Yahoo half of those are in scope, but if this was Google, the policy for Google is: give us six months after we buy this company out, then it's fair game to hack on it. So if you go to Crunchbase and type in Google, things like Nest would come up, google.com, Alphabet, Waze, whatever else they own, it comes up, and all of that is a new attack vector, or surface, you can go after. So that makes your attack surface a lot bigger.

You can also go on ARIN, same thing: you type in the company name, it brings you this page, you click on organization, then it brings you to this page and you can just look at the networks. So the third line down it says related networks; you click on it and it gives you all the IP addresses that belong to Yahoo, and then you can start doing more things with it, which we'll also talk about in a little bit, we'll get to it. Also you can do this on Shodan, like I kind of said, you can just put an organization as whatever. So for this one I put org: Yahoo and it gave me about a thousand IP addresses; some may not belong to Yahoo, but a good majority of them do, and you can actually start looking at their WHOIS and see how many of them actually belong to Yahoo.

So content discovery is when everything starts getting fun. So imagine you found all these subdomains, you find 2,000 subdomains, and the question becomes something like, what do you do next? So you start looking at visuals. The first thing you want to do is visualize the entire process, or all the data you have found in all the subdomains: you want to see which of these subdomains are actually alive and not dead, what are they hosting at first glance, and then you want to start doing port scanning and look for interesting directories and files and take it from there. So this is the short version of how I do my content discovery. So when I do this screenshot thing I usually go for port 80 and 443; I look at both because, for some awful reason, some of these developers love to serve different content on different ports. I don't know why, believe me; I see the faces that you guys are making, I made the same face when I saw this. And I find different things: like sometimes I go to 443/some-endpoint and it's like 401, you need to log in, and I go okay, port 80, no, I don't have to log in, here's all the data you were looking for. So I keep that in mind: different ports could be showing different stuff.

So an example is, let's say you go on example.com, you do a port scan, port 8443 is open, okay, brute force, see what kind of directories and files are on there. Let's say you find an admin folder that returns a 403, which indicates it's forbidden, which is a good sign for you as a hacker: that means there is an admin folder, we just got to find the right file to open up the admin panel. It's not always an index file, it could be changed to something else, right? So you brute force files and directories on /admin, and let's say user.php returns 200, and this is when things start to get better. So you repeat this until you find more files or more folder names. Sometimes it could be developer files, it could be some .git folders that got left behind, it could be backup folders, you never know, so look for those in your process.

So for the port scanning part I just use nmap like everybody else. Those are a number of ports that I usually look for; some of them are based on bugs that I have found, also some of them are the most popular ones that I have seen services on, and I only do these ports because I want to speed up my process. Instead of scanning 65,000 ports I want to just do the ones that matter to me, but doing this also means I miss some cool things. So if you have the time and patience to make this faster and do all the ports, I would suggest doing all the ports or adding more to this list. And then for the screenshot part I use webscreenshot.py; you can give webscreenshot.py a list of domains and it just goes to all of them. You can give it a port number also, like what ports to hit, and if those ports actually respond back it will take a screenshot of whatever it's serving. So having that data kind of helps you not have to click on 2,000 subdomains one by one to see what they're serving, so just keep that in mind as well.

And for directory and file brute force there is this giant list of tools you can use; these are the best ones I've seen. I personally like to use the fourth one down, dirsearch; it's in Python, it's threaded, it allows you to do a bunch of cool stuff, and it's also very stable, so that's the one that I use personally. Also there is robots.txt; if you're not aware, robots.txt has a lot of good information. There was a time when I just went to robots.txt just to see what they had, and then there was a secret admin folder, and when you type it in it gets better: it doesn't have any authentication and I just had access to it. So robots.txt, and the custom stuff I found as well, helps. So also the other thing that I do, using any of the tools on the right: dirsearch is the best one because it also allows me to keep an archive of all my findings. So if I do a dirsearch, no matter if it finds anything, it makes a report for it, and you can archive those reports. So let's say you find a very cool endpoint by accident on a site; you can go through all your reports from other subdomains and other sites and see if that file or directory or folder name appears in other places. You can just do that by doing a grep: you cat all your reports, you read all your reports in the reports folder I have for dirsearch, and you grep for things. So I'm looking for jmx-console; that one wasn't the best, so I got a little bit more specific, so I looked at the Tomcat /manager/html endpoint and I looked for anything that was a 401. That means it's there, it just requires you to be authorized to the application for you to see it, and nine out of ten times you can enter admin:admin and that works and you get in. So those are the things that I usually look for when I run a huge scan; I just grep through it and find all the details. But all of these again take a lot of time, right? I go back to Yahoo, where you do two thousand subdomains, and if you're doing it all manually you're sitting behind a computer waiting for one scan to be done and then you type in dirsearch, all the syntax, next domain, right? That's a lot of time, so you want to automate it, which we'll talk about in a little bit.

So the biggest thing the past year was S3 buckets, all right? Anybody hear about Verizon or
any of the other companies that had S3 buckets laying around with, like, read and write? Big deal. You can automate that, you can find those. You can do it on Google: if people are hitting that site it's gonna be indexed on Google, so you can just go s3.amazonaws.com and say I want you to find anything that has the company name in its URL. That's given me a couple of them, that's been helpful. You can also look for instances, like EC2 instances; it doesn't have to be an S3 bucket. By doing the same thing, just amazonaws.com, you can take out the s3 and then look for what comes up. You can also do this on GitHub, which has been better, you find more stuff, I mean, and you can automate it. So this is what it looks like doing Uber and Trello on GitHub and on Google. On the right you can see I'm looking for anything that has uber in its URL; sometimes these may not belong to the company, because people can just make these arbitrarily, you can give them whatever name you want, but in most cases if you click around, the data that it's holding will give away whether it's owned by the company or not. The same thing on GitHub.

So there are two tools that I use. One of them is called lazys3, which is written by myself and a co-worker of mine, Yobert, where you give it a company name. So in this one I'm giving it test and it starts looking for these different environments and permutations, so it puts the company name before, in the middle and after all these keywords, and sees which ones come back. So this one is saying 403, the admin one is saying 200; it gives you all these different response headers so you know which ones are active and which ones you can exploit. There's also one that's written in bash by another co-worker of mine that's the exact same thing, but it's in bash; it's a little bit faster than the Ruby one. We actually merged both of our environments that we had, like whatever list I was using is being used on both tools, but it literally just takes the company name and puts it around these different things, dashboard, downloads, uploads, avatar, whatever, and it tells you which ones you can read from and which ones you can write to.

So Cert Spotter was the one that I talked about earlier. You can make an alias, automate it and find more subdomains. In the earlier slide I showed the JSON response was kind of ugly, but you can just literally hit the certspotter.com API, give it the domain; this is an alias that I wrote in bash where you parse it using jq, plus JSON, and you look for the dns_names values, and then you use sed to clean up the data so it doesn't have any quotes or single quotes, and then you do sort -u so it gives you all the unique data, and then you grep for it to make sure it's not giving you some random subdomain that doesn't belong to this company, and you write it all to the folder and the file name that's the same as the company. So you want to take it a step further by automatically also doing dirsearch. The same thing: you make a bash alias, I called it dirbruteforce; I go to the dirsearch folder and then I say hey, read the file from the folder above, $1, which is the user input for a company name, and while you read the file I want you to run this command on dirsearch with the extensions that I'm giving it, and then I say look for HTTPS, with the line that you're looking at right now. I do HTTPS because I'm pulling all the data from a cert transparency site, so they all have certificates and it's gonna be on HTTPS, so I don't have to worry about looking at which one is alive. Then you take it a step further and say hey, I also want you to do screenshots. So same thing: you do python webscreenshot.py, you want to output it to a screenshot folder for that company, so I always have them organized and I don't get lost in my own folders, and then you give it an input, you say hey, I want you to read this file and do the screenshots on this file, and then you give it a timeout of 10 seconds, so if it's not responding in ten seconds it wasn't alive, just move on, don't sit there for hours at a time doing nothing. And then you make it even better: you put all of them together, you call it recon, and you say recon and you give it the company name and it goes through all those three different aliases and it does it all for you as you wait. That was a game changer, which brought me to my next point, which is I created this tool called lazyrecon. It's literally the laziest code ever written; please don't read the code, I promise it doesn't shell your box, but it's really horrible. But it works; it's made me a lot of money. So it does exactly what we talked about plus a couple more things: it grabs the headers, it looks for all the subdomains, it organizes it for you, it takes screenshots, and there's an nmap, and then it gives you this ugly HTML report that actually helps visualize it.

So this is what it looks like when you type in lazyrecon. I'm doing this on nest.com, which is owned by Google, and it uses all these different tools and different sources to compile this list of subdomains, one more time, and then after it's done it starts looking at which ones are actually alive and up and which ones are dead, and it starts to create different files for each one. So it puts all the ones that are dead in a different file and all the ones that are alive in a different file, so in case you ever want to look at the differences the next month when you do the same exact scan, you have the archives for both of them. And then it says hey, take a screenshot, but I failed to do this because there were 73,000 subdomains and I really didn't want to stay behind there making a GIF of it and make it look like a mess, but yeah, it does the same thing. And then it creates this screenshot; so this is a home QA desktop host: on the top there is a screenshot on port 80 and 443, it does a dig, it also does a curl so you can look at the headers it's sending, so if you want to start fingerprinting different things, so if at one point someone drops a 0-day on JIRA, which happened a year ago, you can literally go through all your scans and look for the JIRA header and see how many of these subdomain reports that you created have that header in them, and then you start exploiting every single one of them for a bounty. And on the left side it has a dirsearch, and at the bottom, I don't have the screenshot for it, but at the bottom of it, it also does an nmap and tells you what ports are open as well.

Digital dumpster diving. This is a good way to pass time if you have a lot of it on your hands; it takes a lot of patience and a lot of beer. I am proud to say I've graduated successfully from dumpster diving. So what do you do with dumpster diving? You look for potential leaks. I said that earlier: we're all human, we make mistakes, some of us make worse mistakes than others, like getting our company in trouble by putting our passwords on GitHub. But yeah, you look for different things: you want to look for credentials, SSO logins, LDAP logins, that happens, now you want to look for internal API keys, internal headers, and so on. You can see it as a pattern and you just start looking for all these leaks on GitHub. There are all these different tools that you can use; I don't know what tool I used for this one to take a screenshot, but all these different tools look at code on GitHub and tell you if they found anything. I like to waste my time and do it manually, and there's a reason why I do that: if I'm doing these things automated and I get this snippet of, you know, code that could potentially leak credentials, if that parameter is empty I missed the top and bottom of the code, where it could have some internal subdomain, maybe it could have an email address, it could have a username, it could have an IP address. So if I don't automate this it works out better for me, because I don't want to miss out on that information,
and there's been times when I look at one instance on my okay this is useless but I take a code and I'm like oh well this endpoint looks interesting let's see what this endpoint gives us on github and then that finds me of all my ability and I'll talk about an example of that eventually at the end of the talk those are some of the patterns I look for it's literally about getting creative you want to think of like what would this company call this API points these are some of the most popular ones that I've seen happen or the ones that I've found ex PayPal is a fun one because you get access to the PayPal
account and some cases have a lot of money in it the other one is the secret key for AWS instances and there is tons of em on there yeah there's the different values that you can look forward at people using their code anyone here watch mr. robot I hope so cool you wanna remember this episode when they catch DJ Mobley and they tell how they found him so oops you're a couple years behind buddy well he didn't know he gets caught sorry you can one start me on this but so they found him on going on this thing called the wayback machine which is archived at Horry where you can find a not gonna beat this giant quibble this is the
conversation they had with them while this was happening sorry for spoiling it so you go to a craft that org for this case I'm putting Hakka Wong calm and it brings up all these different version of Hakka Montcalm from 2009 I didn't know we're around back then 2014-15 and all the way to today the best part is it's indexing all these different JavaScript files they can review in a lot of cases they may have been a JavaScript endpoint that is not getting used anymore but because of whoever developed that endpoint left the other hood that took over it's completely forgot and they left it there for someone to exploit so if you can get your hands on the old
data it helps but going through JavaScript files is very very ugly but you can find some really cool stuff right you can find some really cool endpoints I've seen people put the AWS keys inside of a JavaScript file over there SSO logins for some reason and there's a ton of more bugs but there's a tool that a buddy of mine and myself Ziya and I wrote it's called jeaious parser if you guys have a word spend a day looking at javascript on our website it looks kind of ugly very confusing but we made it easy so what this tool does is literally you give it a javascript file or you can give it no 10 of them if
you want, just make sure they're not like a hundred megs each, because then it's gonna just crash. But it highlights all the endpoints that this tool thinks the JavaScript file is using. So in this case it's going after Airbnb, and it's showing you all these different endpoints on their API that the JavaScript file relies on to make the calls. So if you do that with 20 other different files, in some cases you could find hidden functionality that's not released, and it's probably vulnerable before waiting for it to get released, which I have an example of in a little bit too.

There's also Trello. Please don't be this person. They were on Trello for some reason and they thought it was a great idea to put all of their information about the company on a Trello board. I don't think there is anything in there that's not bad, you know: they have the database info, they have their WordPress admin, and the best part is somewhere here there's GoDaddy customer info, even their PINs are on there. This was supposed to be used internally, but if you go to trello.com and you look for different keywords, it's not so internal. I think Trello took this very seriously at one point (I'm sorry if you're here), but they took it very seriously and started shutting things down. But some people are still making them public, forgetting that it's gonna get indexed on Google. Oops, I don't know who put that there.

All right, so I have about fifteen minutes, and now I'm gonna add a little bit of time on the examples. So, finding easy vulnerabilities just by relying on search transparency. These were two that I found, actually both on Shodan. The first one: I literally just queried for the hostname being the company.com and then looked for an open port. Does anyone know what port this is? The guy says it in the title, so the RabbitMQ port, and then they were using default credentials. That got me in, and this was a corporate IP address, so the actual subdomain wasn't accessible, but if you got the IP for it from Shodan and just went to the IP, it worked. Yeah.

So there's also the other thing you can do: you can audit the Jenkins instance. I went in and put in the hostname for the company.com, and then in the title I said look for "Dashboard [Jenkins]", and then this shiny little dashboard came up that has all their builds, all their API keys, all the AWS keys, and it was great. It was easy, about twenty minutes, so it wasn't that bad, but you can find these different things on there. All right, I did an entire write-up on how you can own a company, in this case Snapchat, just by getting into the Jenkins instance. They actually paid another researcher fifteen thousand dollars six months before I did this bug, for the same exact thing on a different environment. Yeah, also, if you're here from Snapchat, I'm sorry. So you can look this up, and yeah, it's on my blog. I don't want to get into it too much, but the TL;DR was I hit this Jenkins site and it asked me to authenticate with Google. Hell yeah, I'm gonna authenticate with Google. My Gmail account works; I put in my account with my shiny picture, and it didn't check. They forgot to blacklist Gmail, I guess, and that got me in without any problems, and then it gave me access to this thing
which you can actually just execute code on and do more than just echo.

So, discovering endpoints in JavaScript files. This is probably my favorite one, because this bug alone led us to find more bugs, and this is how we started making JSParser; this is the reason why we built JSParser. So this is actually public; it's not something I've done privately that I can't actually talk about. So this is actually a way we got to read other people's push notifications on Airbnb, and if you haven't used Airbnb, those push notifications have a lot of data, like where houses are, what the PIN code on the lock boxes is, what time the check-in is and what time the checkout is. All that good stuff goes through that.

So we literally ran this: I booked an Airbnb, and I got really nosy one day and I went and looked at the JavaScript file that was in that booking. So Brett and I pretty much found this thing: there were two endpoints, one was the air push notification and one was the air SMS. They each had a vulnerability in them, but they were very hard to figure out, because the SMS one requires you to have a verified phone number in your profile, which is fine, I could put my phone number in, but then it also allows you to send yourself an SMS, which is a text message. The problem with that is that it's only a hundred and sixty characters, so I only see the first part, which may not have the information that I need, and then also there's a throttle, because it costs money, so they only let you send a couple of them a minute, and if you're trying to export something fast and you're impatient like I am, the three or four a minute isn't going to cut it.

So we go to plan B: push notifications. Push notifications don't have a limit on this. Push notifications, if you don't know what they are: you know those FarmVille invites you guys get on Facebook? It says hey, you've been invited to play FarmVille, on your phone; those are the push notifications. So again it requires you to have a phone number, which is fine, I'll put my phone number on there, but instead of sending you a text message it sends you a notification on your phone using the app. So there's two things that are really great about that: one, there's no limitations anymore, I can see the whole thing, and two, there's no throttle, because it doesn't cost them a single penny.

So what can we do with it? The great thing about doing JavaScript is you can see how the request is being created. So we were supposed to send this POST request that had a bunch of different things, like your phone number, your country, your template (the template one is really funny, if I get to it in a sec), and then the user ID is obviously your user ID. But what was funny is that it also looks for an object ID, which is the notification that was sent to a user, and we wanted to see if we could get access to another user's object. So can we see someone else's push notification? But the funniest thing was, if I were to give it a wrong template, it was like, whoa, no no no no, you have to give me one of these; like, "I'm gonna tell you what I'm expecting you to give me, and only these things work." So on the left you can see the SMS one and on the right is the push notification, so we knew exactly what we wanted to get out of this. So why not just put it to good use? Well, the first thing we did was we said okay, let's just figure out how to send a push notification to ourselves, so we gave it our user ID, which I think is Brett's user ID, I hit it, and then we said okay, well, send me a title and body of "test", and at 12:50 p.m. we got a "test test" given to us on our phone. And then we go, well, what else can we do with this? Maybe we can enumerate the user ID or an object ID and see if we can find one that matches the other, but it was just way easier than that. We just ended up keeping the user ID as it was and going through all the object IDs, and then our phones started to blow up with notifications that did not belong to us. So this was fixed, and I can tell you guys, like, the time, how much it took us to figure this out: 12:50 p.m., and then 1:07 p.m., and 8:06 a.m. the next morning is when we finally figured it out. It took us a lot of time to figure it out,
but at the end of the day it gave us $9,000 for 12 hours of work, which isn't bad, to be honest. And then it gave us a tool called JSParser that we ran through Airbnb before we released the tool, and it gave us a remote command execution on their site, which is also on our blog; it gave us an SSRF which gave us access to the internal network, which is also on our blog, and then they told us hey, can you stop publishing stuff? Sorry if they watch this, I'm sorry, but yeah, they told us hey, enough, but send us bugs, so we kept going at it. But JavaScript has been the biggest moneymaker for this.
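The talk describes pulling API endpoints out of a JavaScript bundle to see what the front end calls, which is how the push-notification endpoint above was found. The script below is an added example, not JSParser or any other code from the talk: a regex pass over a bundle that lists absolute URLs and relative API paths, grouped by host, so a team can inventory what its own shipped JavaScript exposes (unreleased or internal endpoints included) before someone else does. The sample bundle, host names and paths are constructed for the example.

```python
"""Inventory the endpoints a JavaScript bundle references.

Added example (not JSParser's code). Sample bundle and hosts are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a fragment of a minified bundle that builds API calls.
SAMPLE_JS = r"""
var API="https://api.example.com";function a(u){return fetch(API+"/v2/users/"+u)}
function b(){return $.post("/api/v2/push_notifications",{user_id:id,object_id:o})}
function c(){return axios.get('/api/v2/sms/send?template=booking_confirmed')}
var img="https://cdn.example.com/assets/logo.png";var s="not/a/path";
var t="/internal/v1/admin/flags";var css="styles/main.css";
"""

# Absolute http(s) URLs, ending at a quote, whitespace or closing bracket.
ABS_URL = re.compile(r"""https?://[^\s'"`<>)]+""")
# Quoted relative paths: must start with "/" and have at least two segments,
# so lone tokens such as "/" or "/x" are not reported.
REL_PATH = re.compile(r"""['"`](/[A-Za-z0-9_./-]+/[A-Za-z0-9_./?=&%-]*)['"`]""")

# Static assets are not API surface and are skipped unless asked for.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".woff", ".woff2", ".ico")


def is_static(path: str) -> bool:
    """True when the path (query string stripped) ends in a static-asset extension."""
    return path.split("?", 1)[0].lower().endswith(STATIC_EXT)


def extract_endpoints(js: str, include_static: bool = False) -> list[str]:
    """Return sorted, de-duplicated endpoints found in js.

    Absolute URLs are normalised to scheme://host/path?query; relative paths
    are kept as written.
    """
    found = set()
    for m in ABS_URL.finditer(js):
        u = urlparse(m.group(0))
        path = u.path + (f"?{u.query}" if u.query else "")
        if not include_static and is_static(path):
            continue
        found.add(f"{u.scheme}://{u.netloc}{path}")
    for m in REL_PATH.finditer(js):
        path = m.group(1)
        if not include_static and is_static(path):
            continue
        found.add(path)
    return sorted(found)


def endpoints_by_host(js: str) -> dict[str, list[str]]:
    """Group endpoints by host; relative (same-origin) paths land under ''."""
    grouped: dict[str, list[str]] = {}
    for ep in extract_endpoints(js):
        host = urlparse(ep).netloc if ep.startswith("http") else ""
        grouped.setdefault(host, []).append(ep)
    return grouped


if __name__ == "__main__":
    for host, eps in endpoints_by_host(SAMPLE_JS).items():
        print(host or "(same origin)")
        for ep in eps:
            print("   ", ep)
```

Run against a real bundle, the `(same origin)` group is the one to read first: anything under `/internal/` or a version prefix the public app does not use yet is a candidate for "shipped before it was ready", which is exactly the case the talk says JSParser turned up.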
Okay, dumpster diving. This is what I have a lot of examples of. So yeah, this company came up and was like hey, we have a bug bounty program, can you look at our company? Oh yeah, I want to, but they were owned by another company, so I figured out what they... let's say in this case, this is not Google, I promise, but in this case let's say Google. I'm looking at Nest Labs; Nest Labs was owned by Google, which is now half of it, so Alphabet becomes an umbrella company, right? So I was like okay, well, let's see if they made any mistakes: the developers at the umbrella company that was developing this, have they made a mistake in regards to this company specifically? And then this thing came up. I put in the company name, the asset that I was testing, and then I looked for "password" in this, and this thing came up, which was an FTP that had a lot of backups, not just from that company specifically; it was all the other companies they owned. There was a lot of content on there, like terabytes of stuff. This was a little bit after Christmas, but it was a very fun one. This was on December 28th, which I got $10,000 for. It was a little too late because Christmas had already gone by, but you know, New Year's was fun. Yeah, I went to dinner with 10k in my pocket, which isn't a problem. This, to be honest, took me about 15 minutes; you know, I wasn't expecting it, so I can't complain about the ten thousand. And they were the best company ever, because they were really nice and friendly. I kind of wrote, like, oh, I don't know if this belongs to you guys, but if it doesn't, can you figure out whose it is, because that's a lot of your data on it. It turned out it was theirs, so it worked out in our favor.

Um, there's more of these that I found. I found some FTP credentials on GitHub; that was 750 dollars, again under 10 minutes. It's not ten thousand, but 750 is fine. Found some AWS keys; this company, they didn't understand what the problem was with this. They're like okay, here's 500 bucks, go away. They didn't understand how bad this was. They rotated the keys, but I couldn't convince them to understand, like, hey, this thing has a database sitting on it, it has your LDAP credentials; like, it's gonna take me forever to, you know, crack these, but if I had malicious intent, 10 hours, 10 days, 20 days isn't anything for the payout I'm gonna get from this. They didn't care, I didn't care, I just took that money, I said okay, next one. Next one was the PayPal one I talked about. This one was horrible, because this PayPal account belonged to the... I don't know what the highest accounting title is in accounting, but whoever runs the accounting team at that firm, this was their PayPal account for the company, which was great because I could see how much money they had. It was worth five hundred dollars to them. That's fine, it's still another five hundred dollars that I found easily just by sitting at a computer looking for mistakes. And then another one was an RCE. I legit just found FTP credentials, I went in there, I logged in, popped a PHP file, sent it to them, and I got it taken down in an hour. Those are the kind of things that you can find. I think I found about 50 of these this year. It adds up. Sometimes I don't find anything doing GitHub, but it gives me information on how this company operates, so it's good to see some of these come up and get paid for it.

So, to talk about the S3 thing. This was actually sent to us on HackerOne itself. Peter Yaworski, who's also the author of Web Hacking 101, an excellent book on how to get started in web hacking: he uses all of our disclosed bugs on hackerone.com, so if you go to hackerone.com/hacktivity you can see all the bugs that our hackers have disclosed, and he wrote
a book around it. So for this case alone, he found the subdomain on S3, which is redacted from this, but he was able to use the AWS CLI. He did an `ls` first, so `aws s3 ls`, to give him a list of all the files, and then, same thing, you can just copy a file to this folder, so you can overwrite files, delete files, or add extra files to it. So in case of, like, if they're serving a JavaScript file from the S3 bucket and you override it, there's a lot of things that could go wrong with that.

There's also times when people create these, like, CNAMEs or subdomains and they point them to, like, AWS or a third party, and they're like okay, I'm gonna grab it, you know, go grab lunch, come back and claim this on the other part, and they just completely forget. So it's just sitting there for someone to see where it's pointing to, and you go and claim that domain on the third-party service and you can serve whatever content you want; you can phish, you can put up a login page, whatever you want to do. There's another example: this was reported to Starbucks on December 19, 2016, and this hacker got 2K for finding it. Also, if you're here from Starbucks, hello. I know they're from Seattle, so I don't know if you're here. See, it
always works if we say someone's name randomly. This last one, yeah, this is the last one. So this last example is how you put everything that I talked about in this talk into one single vulnerability. You guys ready? So the first thing was, I did an asset discovery, so I found this stage.something.something.target.com; it has to be heavily redacted. And then I found this internal subdomain, and an internal folder that returned a login page. Cool, we'll have a login. I can't get in, but I went to GitHub and looked for the subdomain; it's like hey, here's a username and password that may work. So I tried the username and password; it didn't work,
but what was really interesting was that it gave me an idea that there's an auth token that they're expecting, somewhere redacted in here, in the current request, so it gave me the idea of this auth token header that I have to redact. I started looking for any... it is curl, a handy curl domain, I'm sorry, a handy curl syntax, that hit this internal dashboard. It hit the API, so I was bypassing the API without a login, since instead of looking for a credential it was looking to see: hey, do you have this header in your request, and does it have a valid token? If you do, you can hit our API. So I found this on GitHub and I gave it a try, and it came back with "okay", so that indicates that this token is working. If I would have given it... I changed a character in the token, I know, one character, I deleted it, and it came back and said no, no access, you're not authorized. So that was really interesting. So I went through the site, I went to the login page and I looked at a JavaScript file, and in the JavaScript file I found more endpoints, and one of them was really cool because it was something about accounts. So if I were to hit this internal API with a GET request and gave it this thing with, you know, all these two headers combined, it gave me a list of all the LDAP users and the usernames, so I could brute force and do more things with that. That was really, really fun, and that got me a five thousand dollar bounty, which I gave a portion of to somebody else, but that was also a good payout. I got to put all these different bugs together: from asset discovery to finding a directory, going on GitHub, finding more information about it, using that information to find a token that actually authorizes me to use the app without having to have a username and password, and then finding usernames and taking it from there. So this $5,000 was the max payout, which was great. I like to
collect those sometimes; it feels great. So yeah, this was all of the topics I had to talk about. Again, if you guys want to keep in touch, Twitter and GitHub would be the best way. Again, all the tools that I personally have written are on my GitHub; you can go and check out all of our programs on HackerOne at hackerone.com/directory. If you want to reach out to me, those are both my emails, one's for work and one's my personal one; you're welcome to reach out with any questions, if you want to get started, whatever that is. We're also hiring at HackerOne: hackerone.com/careers. I'm supposed to hire some folks, so if you guys need a
job and you enjoy what we do, you can check us out. I'm also doing a training next week, it's a little short notice, at Hackfest, so if you guys want to come and check out a class, it's a three-day training on how to do recon and chop up an application to find more bugs, so I'll be at Hackfest. This is the list of tools that I talked about earlier; if you want to take a screenshot, this is your chance. A lot of them, again, are on my GitHub too, so just keep that in mind.

Did everyone get a screenshot of this? Cool. Thank you, guys. Let me go on about bug bounties and how I do what I do. A big thing is all the hacker community on Twitter; if you look for bug bounty tips on Twitter you can find a lot of good stuff on there. Some of these things that I talked about are coming from the community. A big thank you to all these hackers, especially zayats, actually SEC John, who was also at the booth with me outside, Luke's migos, you're burning mcil, and I think you guys were listening. Also, I'm giving away a couple of things at our booth, two IoT devices. All you have to do
is give us your business card in the next 15 minutes and we're gonna do a drawing. If you guys want to talk to me more, I'll be all set up. [Applause]
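Several of the dumpster-diving finds above (the FTP credentials, the AWS keys, the auth token that let the last example skip the login) were sitting in public repositories. The script below is an added example, not a tool from the talk, showing the kind of pre-push check that catches those same credential shapes before they reach GitHub: it scans a set of files for AWS access key IDs, private-key blocks, credentials embedded in URLs or `lftp -u user,password` invocations, and quoted password assignments, skips obvious placeholders like `${VAR}` or `changeme`, and reports each hit with the value masked. The AKIA-plus-16-characters format is the real public shape of an AWS access key ID; the sample repository contents, file names and the detection rules are constructed for the example.

```python
"""Flag committed credentials before they are pushed.

Added example, not from the talk. Sample repo contents and rules are constructed;
the AWS access key ID format (AKIA + 16 uppercase alphanumerics) is the real one.
"""
import re
from dataclasses import dataclass

# Constructed sample repository: path -> file contents.
SAMPLE_REPO = {
    "deploy/backup.sh": "#!/bin/sh\nlftp -u backupsvc,Wint3r-Backups! ftp://ftp.backups.example.internal\n",
    "config/settings.py": (
        "DATABASE_PASSWORD = 'S3cretDbPass'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE1234567AB'\n"
        "SMTP_PASSWORD = '${SMTP_PASSWORD}'\n"   # templated: should be ignored
        "ADMIN_PASSWORD = 'changeme'\n"           # placeholder: should be ignored
    ),
    "README.md": "Set DATABASE_PASSWORD in the environment before starting.\n",
    "keys/old_deploy_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
}

# (rule name, pattern, whether the captured text is itself a secret to mask).
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), False),
    ("url-with-credentials", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@", re.I), True),
    ("ftp-inline-credentials", re.compile(r"\blftp\s+-u\s+[^,\s]+,(\S+)"), True),
    ("password-assignment",
     re.compile(r"\b[A-Z0-9_]*PASS(?:WORD|WD)?\b\s*[:=]\s*['\"]([^'\"]{4,})['\"]", re.I), True),
]

# Values that are clearly not live secrets: env-var templates, angle-bracket
# placeholders, and the usual dummy words.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|\$[A-Z_]+|<.*>|changeme|password|example|xxx+|\*+|todo)$", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    shown: str   # masked secret, or the matched marker text for non-secret rules


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so the owner can recognise the value; hide the rest."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line; return findings in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, sensitive in RULES:
            for m in pattern.finditer(line):
                hit = m.group(1) if m.lastindex else m.group(0)
                if sensitive and PLACEHOLDER.match(hit):
                    continue
                findings.append(Finding(path, line_no, rule, mask(hit) if sensitive else hit))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory tree (path -> contents), files in sorted path order."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.shown}")
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the masked output is safe to paste into a ticket. The rules are deliberately narrow, so a `README` that merely mentions `DATABASE_PASSWORD` is not reported, while a quoted literal assigned to it is.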
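The S3 and CNAME cases in the talk come down to one record-keeping failure: a subdomain is pointed at a third-party host (an S3 website endpoint, a Heroku app, a CDN distribution), the thing it points at is later deleted, and the DNS record stays. The script below is an added example, not a tool from the talk, of the audit a zone owner can run to find those records before anyone else does: it walks the zone, keeps only CNAMEs whose targets end in a third-party suffix, and reports the ones whose target is no longer provisioned. The zone records, the suffix list and the stand-in `PROVISIONED` set are constructed so it runs offline; in real use `target_exists` would be a DNS or HTTP probe against the target.

```python
"""Find dangling CNAMEs: records pointing at third-party hosting that no longer exists.

Added example, not from the talk. Zone, suffixes and the provisioned set are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed: suffixes of the third-party services this org points CNAMEs at.
# A target ending in one of these is hosting the org does not control directly.
THIRD_PARTY_SUFFIXES = (
    ".s3.amazonaws.com",
    ".s3-website-us-east-1.amazonaws.com",
    ".cloudfront.net",
    ".herokuapp.com",
    ".github.io",
)

# Constructed zone: subdomain -> CNAME target.
ZONE = {
    "www.example.com": "d111111abcdef8.cloudfront.net",
    "assets.example.com": "assets-example.s3.amazonaws.com",
    "promo.example.com": "holiday-promo-2016.s3-website-us-east-1.amazonaws.com",
    "beta.example.com": "example-beta.herokuapp.com",
    "mail.example.com": "mail.corp.example.com",   # internal target, not third-party
}

# Constructed stand-in for "does this target still exist at the provider".
# promo's bucket and beta's app were deleted; their CNAMEs were never removed.
PROVISIONED = {
    "d111111abcdef8.cloudfront.net",
    "assets-example.s3.amazonaws.com",
    "mail.corp.example.com",
}


def default_target_exists(target: str) -> bool:
    """Offline lookup; replace with a DNS/HTTP probe for a live audit."""
    return target in PROVISIONED


def third_party_service(target: str) -> Optional[str]:
    """Return the matching third-party suffix, or None if the target is ours."""
    t = target.lower().rstrip(".")
    for suffix in THIRD_PARTY_SUFFIXES:
        if t.endswith(suffix):
            return suffix
    return None


@dataclass(frozen=True)
class Dangling:
    name: str      # the subdomain in our zone
    target: str    # the CNAME target nobody owns any more
    service: str   # which third-party suffix it matched


def find_dangling(zone: dict[str, str],
                  target_exists: Callable[[str], bool] = default_target_exists) -> list[Dangling]:
    """CNAMEs to third-party hosting whose target is no longer provisioned."""
    out: list[Dangling] = []
    for name, target in sorted(zone.items()):
        service = third_party_service(target)
        if service is None:
            continue                 # points at something we run ourselves
        if target_exists(target):
            continue                 # still provisioned, nothing to claim
        out.append(Dangling(name, target, service))
    return out


if __name__ == "__main__":
    for d in find_dangling(ZONE):
        print(f"{d.name} -> {d.target}  (dangling on {d.service}; delete or re-provision)")
```

The fix for every hit is the same and is in the owner's hands: delete the record, or re-create the resource it names. Running this on a schedule, with the suffix list maintained alongside the vendors the organisation actually uses, turns the "go grab lunch and forget" case in the talk into a ticket instead of a takeover.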