Bug Bounty Recon The Right Way

BSides Budapest · 2022 · 25:00 · 16K views · Published 2023-06 · Watch on YouTube

Speaker: Khalil A. Lemtaffah
Category: Technical
Difficulty: Intermediate
Team: Red
Style: Talk
About this talk
This presentation was held at the #BSidesBUD2022 IT security conference on 26th May 2022.

Khalil A. Lemtaffah - Bug Bounty Recon The Right Way

When it comes to web application security testing and looking for bugs, reconnaissance plays a crucial role in identifying the right path to spotting vulnerabilities. The power of deep manual recon has led to some serious bugs being discovered in a short amount of time. On the other hand, some people use automation in this process with the intention of speeding it up and not spending too much time understanding the organization and the technologies it uses. In this talk we are going to cover the (unique) ways and methods to perform a healthy recon process on a bug bounty program. We will also cover some real world examples of bugs found using different recon techniques, as well as some tips to enhance your searching methodologies.

https://bsidesbud.com
Transcript [en]

Okay, ladies and gentlemen, we have the final presentation of BSides 2022: Khalil Lemtaffah, on a subject that Mark mentioned, bug bounty. Khalil, thank you.

So hello everyone, and welcome to the last talk of today, which is titled "Bug Bounty Recon The Right Way". As you may have noticed, the word "right" is between two double quotes, so we will discover together in this small discussion, or just small talk, whether it is really right or not.

So who am I? I'm a full-time student. I have a bachelor's in network security and computer systems from Cadi Ayyad University in my home country, Morocco, and currently I'm following a cyber security master's degree at ELTE. I am a student software developer at Ericsson. Also, during this year I created the cyber security club at my university, which is called ECSC, and in my free time I love to do bug bounty hunting on HackerOne and Synack.

So the first slide of this talk starts with three words: understand the organization. And when I say this I really mean it, because you have to understand everything about the organization: who is this organization you are going to deal with, when was it created, and so on. I have some questions here that you should ask yourself, like who is this company, whom is it working with, where is it located (this is a very important question that you should remember, because we will cover it later in the slides), have I used these applications before, and so on.

For recon you have a lot of tools to play with: there's Wikipedia, there's Crunchbase, Censys, Google, ZoomEye, GitHub, Bing, DuckDuckGo; literally anything that has a search bar on the internet can help you in this process. And more assets equals a bigger recon surface; this is a very simple equation that you should put in your mind while doing recon.

The scope is divided into two types in bug bounties in general: there are wide scope targets and small scope targets, or programs. The small scope programs generally have one to five assets, maybe more by two or three assets, but not too much. On the other hand you will find the wide scope targets, so they may have a lot of things that you can play with, and since this talk is focusing on recon we will talk only about wide scope targets. The components of the wide scope are a lot of things: you can find subdomains like *.target.tld, you may also find CIDR notations for IP addresses, or mobile applications like Android and iOS; you can even find cars that are included in scope, or hardware. A good practical example of a wide scope target is Tesla, which has its own program on the Bugcrowd platform, which is a bug bounty platform. By the way, for each slide where I referenced something, you will find the link down below, where you can just go and it will take you to the same page.

So why does Tesla have a big scope, or wide scope? Because as you can see here it has a lot of things to look for bugs in, and they mentioned in the first line "a hardware product that you own or are authorized to test against, like a vehicle, Powerwall, etc." So if you have a Tesla vehicle you can definitely hack it; if you found a bug, a critical bug for example, you may get fifteen thousand dollars for it. The web section of the scope is this: there is tesla.com, tesla.cn, Tesla services, and they even explicitly mentioned down below that any host verified to be owned by Tesla Motors Inc. is included in scope: domains, IP space, and anything that is explicitly mentioned as owned by Tesla is definitely in scope. And this is the mobile section of the scope: they included the official Tesla Android apps and the official Tesla iOS apps. For the small scope it's the same story, except that they have a limited attack surface and they definitely need a different approach, so automation might not be useful here.

Now comes the tips and mindset part of the talk, where I'm going to give you some tips that you should put in your mind. The first one is an answer to the question that I told you to remember, "where is it located", about the company, and this tip I called country based subdomain brute forcing. Why? You should always check out the origin of the company, because for example if you have a company which is based in the Netherlands, you can do subdomain brute forcing based on a Dutch word list, or Dutch words. So you have the target and you can brute force its subdomains using Dutch words, since it's located in the Netherlands, and it is always recommended to use this method after gathering subdomains with other tools and general word lists. I did an experiment for this, and I used Knockpy, which is a subdomain brute forcing tool that works through dictionary attack, and it's available on GitHub, and I combined it with a Dutch word list from SecLists. This was the first run of the tool using normal subdomain brute forcing, using the default word list of the Knockpy tool, and as you can see here it gave me some results, but they are not really good because there's a lot of things that you can find. So I added the word list using the -w option, custom word list, which is in this case the Dutch based word list, and as you may notice here I got some different results, like active.worksgrant.nl. Yeah, I forgot to mention that Worksgrant is a target which is available on Intigriti, and this is the link for the program; Intigriti is another European bug bounty platform. And these were the subdomains that the tool found using the other word list, like verger.volksgrand.nl and so on. So yeah, you just have to be creative and look for the right things in the right place; don't do what everyone else does, because you will not find something.

An extra tip: it is always recommended to run subdomain enumeration on a big list that you already gathered. For example, if you gathered subdomains using assetfinder, subfinder, Sublist3r, all the tools that you know, it is recommended to run subdomain brute forcing on that big list, like this command right there: subfinder with -dL subdomains, and httpx for resolving them. And don't be like this cat right here; don't wait for the results to come out. You can automate this part and go take a coffee or go sleep, then return and you will get your fresh new word list of subdomains.

The next tip is about copyright recon, which is from the big man of recon himself, Jason Haddix. By the way, make sure to follow him on Twitter; he posts some great tips about recon and bug bounty in general. So this tip is specific to wide scope targets including the acquisitions, and the tip is: every website has its own copyright in the footer, so he just grabs that copyright text, puts it between two double quotes, minus the main domain, as a Google dork, or on Bing or anywhere, and he finds some other interesting domains and subdomains that are controlled by the same company. He even mentioned that he found old market insights, outdated installs of software, build tools and more. And yeah, I did again an experiment on AT&T, which has another program on HackerOne, and AT&T is another wide scope program. So I went to their official website, att.com, and I went to the footer of the website; as you can see here it has the copyright text. So I copied this sentence right here, which is the copyright of AT&T, and I put it as a Google dork: intext, the copyright between two double quotes, minus att.com, and I got some interesting results that you can't even tell are owned by AT&T. I'm sorry if it's not visible; for example turn up the love.com, yeah, it is owned by AT&T, and if you found a bug there you can get paid for it. You can also search using older copyright text: just replace 2022 by 2016 and you will get 2016 websites, and old copyright equals old websites equals more vulnerabilities. Why? Because old websites use old software, which already has CVEs and zero days, or I don't know, and there you can find more vulnerabilities.

The next tip is about note taking, and I always say that note taking is the golden tip of bug bounty. You should always track your progress, note down every small detail that you found, and use a time tracker. Personally I use Notion for note taking and Toggl Track for time tracking. With time tracking you are actually tricking your mind to see the progress and do more, because when you find something and note it down, if you come back later, like after one week or two weeks, you will see that you made progress and you can do more. And set yourself some goals, like for example "this month I will hunt for 20 hours and score 2,000 dollars in bounties". Why did I say 20 hours? Because I guess it's a normal average of free time for everyone; if you're a full-time student or you are working in a company, I mean five hours per week will be nothing. I did the same before this talk: I picked a program, I stuck with it, and I said that I will hunt on it a minimum of 20 hours and score a minimum of 1,000 dollars in bounties. This is a glance at my notes: I divided each week, or each day, into what I am going to do: choose a program, set up a VPS, tools, recon, use the app as a normal user, hack and pray, and finally notes and some takeaways. I also wrote down some rules, do not cheat, just to be consistent in this challenge. And this is Toggl Track; as you can see it gives a pretty good visual analysis of what you did. Each time you start bug bounty you can just click on the play button and it will start recording your time; when you finish you just click stop. This is the project, and each week, and how much I did. So the results are the following: I spent 29 hours on that target and I scored only three digits; I didn't make it to four digits, which is one thousand dollars. Probably I lost the battle, but I know that I will win the war for sure. Actually I didn't lose: what I actually want from this sprint isn't cash, I want knowledge. I made connections with the triagers, and I successfully managed my time in the exam period; just keep in mind that I did this while preparing for exams.

Another secret subdomain gathering trick that nobody knows about: as everyone knows, websites use HTTPS for security, and HTTPS has a relation with SSL certificates, and these SSL certificates have a field which is called Subject Alternative Names. So what are Subject Alternative Names, or SAN? This field lets you register a lot of domain names or IP addresses that are going to be secured by the same SSL certificate. For example, as you can see here, this is the youtube.com certificate, and if we go to the Subject Alternative Names section you will find a very big list of domains that are owned by Google, like urchin.com; who knows that Urchin is owned by Google? So you can just go there and hack; it's a less crowded area and definitely you will find something. It is always recommended to use this for a very wide scope target, or a target that lets you hack on its acquisitions, because if you find something which is in a third party application or an out of scope application, they will not pay you. You can use an IP address approach for this using bgp.he.net, which is a search engine for ASNs, or autonomous system numbers: you just write the name of the company, for example Tesla, and it will give you all of the ASNs that are registered for that company. You can just pick that number, the ASN, and put it in aslookup.com, and it will translate that number to an IP address block, or a list of IP address blocks. For the last part you can automate it using your favorite language, such as Bash, Python or Ruby, anything that you like, and you've got yourself a fresh subdomains list that is most probably missed by most of the hunters. You just pick a domain or a subdomain and start the hunt.

This is the note that I've covered before: when you talk to a server it's like you are talking to a stranger. And as I see right now in some eyes, you are confused because there's some Chinese in the slides; actually I forgot what I translated here, so if someone can speak Chinese he can help us after the talk. But why did I do this? Actually I did it on purpose to make you confused. As you can see here, this little guy is brute forcing a server that has ASP files using a PHP word list, so the server will actually feel like you felt right now when I showed the Chinese slide: it will understand nothing and will return just 404 Not Found results. So you have to always fingerprint the server you are dealing with and know which technology or which language it runs. Just a simple Ctrl+U and you will find out what it uses, or there are some extensions like Wappalyzer that show a lot of things that are useful about the server, like the language.

Some word list tips: build your own word lists; don't rely on the ones that others already built, and this helps a lot in the future. Save endpoints from disclosed reports, such as HackerOne Hacktivity; there are a lot of disclosed endpoints that you can save in a new word list. You can always fetch paths from JS files using, for example, LinkFinder, which is a tool from GitHub that does this, or you can spider the web application and save the output; Burp Suite Professional edition does this, or if you don't have Burp Suite Professional you can just use some tool on GitHub and you will get the same result.

So by coincidence the previous talk was about injections, and right now I will talk about an SQL injection that I found, not recently, but some months ago. I just picked the target and I started looking for the less crowded areas and domains. I put "wikipedia" space the name of the target on Google, then I went to the Wikipedia page of that target and I searched for the list of acquisitions that are owned by that target; you can use many other services for this, not just Wikipedia. And I found the seed which is controlled by the same company, say for example target ebcd.com. Now let's do some subdomain enumeration, and a tip for alive subdomains: I personally use the tool httpx with the following flags. httpx, by the way, is a tool that does HTTP probing on a subdomains list, so whenever it runs over subdomains it will check if each is alive or not; it's a tool by ProjectDiscovery and it's so fast, so I recommend using it. I use it with the following options, or flags: -title for the title of the web page, the status code of the HTTP response, the content length in bytes of the page, and follow redirects if there are any. So this was the output of subfinder and httpx on the target that I found on the acquisitions page, and as you can see in the first line of the output there's a subdomain which ends with index.jsp after the redirect; there's a 302, 300 and 200. So I just decided to hack on that subdomain. It gave a login panel, and this was an example of the structure of the subdomain, and the login panel had two inputs, username and password. I tested everything on that login panel, or login field: SQL injection, code injection, XSS, default credentials like admin/admin, admin/password, but I wasn't really successful. I also checked the source code of the web page, I read the JavaScript files, but I found nothing. Did I surrender? Of course not. I went to the Burp Suite log; this was an actual screenshot of the login panel, and as you can see there's a POST request sent to /a2a/redacted/a2a_token, and the three parameters were user ID, password and organization. So I sent the HTTP request to sqlmap and I continued my testing, and while analyzing the request in Burp Suite I noticed that there's the word "token" in the path, a2a_token, so there is a token exchange in the logic of the application, so I had to understand what's going on. The POST request gives the following response, which was a 302 Found to another subdomain, which is called a2hs.target.com. sqlmap gave nothing on the first try, so I had to continue my digging, and for this subdomain, which was a2hs.target.com, after some redirects it gets back to the first subdomain with the login error message that your credentials are not valid, sorry. So this is interesting: the token is fetched from another subdomain, which was a blank page. I went to the subdomain and I found nothing there, so most probably it was an unfinished ticket by the developers, where they just make that server respond with a blank page, but in the back end there's some token processing, and there's no trace of that subdomain in the JavaScript files of the first subdomain. This was the big picture of the logic of the login panel: the POST request is sent to a2a.target.com, a2a_token, and the token is fetched from the second subdomain, which was a2hs.target.com; if the token is valid it will return back to the first subdomain and it will grant you access. So this was the first URL that the POST request is sent to, and I thought: if we have a subdomain, what if we just put it as a directory and see what will happen? And big surprise, I got a new login panel which looks older, and I felt it was vulnerable to an SQL injection. Same fields as the first one; I inserted single quotes, and same parameters, as you can see: test, single quote, and see the response; it's a 500 Internal Server Error, so definitely there's an SQL injection there. I tried normally to craft some payloads, but that didn't work, so I just copied that and sent it to sqlmap for automation, and after 10 minutes I was already in; I got the whole dump of the database. So the form was vulnerable to an error-based SQL injection, where the database held a lot of sensitive information, and I tried to escalate it to an RCE using the --os-shell flag, but I wasn't successful, so I just decided to stop there and report the injection to the program. And that was the story of how I found the SQL injection in one hour of good recon.

Here are some takeaways: you should always think of ways that others could have missed; don't follow the crowd, always be unique and go down a different path. Burp Suite in the background always helps, so if you just go back and analyze the requests and the responses you will definitely find something which is juicy and can make you money. Put more time into something only if you feel that it's worth it; don't just waste time on something and find nothing in the end. And automate anything that the machine can do for you; don't be like that cat that I showed before. And yeah, this is the end of my talk. If you have any questions feel free to ask. This is my Twitter handle; if you have any question in the future don't hesitate to ask me. Thank you.

[Applause]

Do we have any questions for Khalil? It would appear perhaps not. You can always ask a question when we finish, if you catch him. Khalil, once again, thank you.
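The Subject Alternative Names trick from the transcript, as an added example that is not part of the talk or the speaker's tooling: a standard-library Go program that parses a PEM certificate and lists every hostname and IP address the certificate secures, which is the same list an organization's asset inventory should be reconciled against. It builds a constructed self-signed certificate in memory so it runs offline; the names in it are reserved example values, not real hosts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"sort"
	"strings"
	"time"
)

// sanNames returns every DNS name and IP address from the certificate's
// Subject Alternative Name extension, lower-cased, de-duplicated and sorted.
func sanNames(certPEM []byte) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{} // a cert often lists a name twice in mixed case
	for _, d := range cert.DNSNames {
		seen[strings.ToLower(d)] = true
	}
	for _, ip := range cert.IPAddresses {
		seen[ip.String()] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names, nil
}

// sampleCertPEM builds a constructed self-signed certificate in memory so the
// example runs offline; the names are made-up example values, not real hosts.
func sampleCertPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"example.com", "WWW.example.com", "www.example.com", "login.acquired-brand.example"},
		IPAddresses:  []net.IP{net.ParseIP("192.0.2.10")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(sanNames(sampleCertPEM())) // prints the sorted names and a nil error
}
```

To run it against a real certificate, replace sampleCertPEM() with the PEM bytes saved from a browser or `openssl s_client`, and compare the output with the hosts your inventory already knows about.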