
The Power of Recon

BSides Ahmedabad · 33:53 · 14K views · Published 2024-05
About this talk
Orwa Atyat covers reconnaissance techniques for bug bounty hunting, focusing on three core areas: discovering hidden files and directories using short-name enumeration (via tools like ShortScan and Shodan), response manipulation to bypass authentication and permission checks, and practical tips for finding subdomains and endpoints. The talk includes live examples of critical vulnerabilities discovered through these reconnaissance methods.
Original YouTube description: Dive into the world of recon with Orwa Atyat! Join Orwa Atyat as he unveils top methods for gathering intel and spotting critical vulnerabilities! #bsidesahmedabad #hacking #vulnerability #exploit #bugbounty #reconnaissance

Transcript (en):

Hello everyone, this is Orwa GodFather, and our topic today will be "The Power of Recon". To introduce myself: I'm Orwa from Jordan. My nickname is Orwa GodFather, or, like some of my friends call me, Robin Hood of the beginners. I'm a full-time bug bounty hunter; I started bug bounty in 2020 and moved to full-time bug bounty hunting at the end of 2021. Now I'm ranked on Bugcrowd as third in P1 Warrior. I've submitted more than 500 critical and high bugs, also for Meta, Google, Microsoft and Apple, and I got some titles from Bugcrowd, such as the High Cup winner, the team captain, Level X champion, and more than 10 zero-days and CVEs.

I started bug bounty without any experience or any background in 2020, and at that time the first people who supported me, who collaborated with me, who worked with me, were Indian people. So from this stage I want to thank BSides for inviting me, and I want to thank especially Nick and everyone here. So, are you ready? Yeah, okay.

Now, we will discuss three topics today. The first one will be Microsoft IIS testing, the second one will be about response manipulation bugs and examples, and the last one, it will be exciting, is about methods and some bug bounty tips.

So in general, what we are going to discuss here, I think Shubs has talked about it, but from the recon side, not from the technical side. We are talking about the vulnerability that is Microsoft IIS tilde directory enumeration. What is it? This vulnerability allows extracting the short names of files and directories in an IIS app by using some vectors and various versions of Microsoft IIS. Now, an attacker can find the important files and folders that are normally not visible, for example backup files or something like that. The next part will be in IIS: how to discover IIS, the tools that are required when we work on IIS, a wordlist also for fuzzing, testing and tips, and the last part will be some examples of critical bugs on IIS.

Discovering IIS: there are a lot of tips and methods to find IIS apps, but I can say the best three are these. The first one is a Nuclei template; there is a specific template to identify IIS apps. The second one is a browser extension called Wappalyzer; as you can see in the picture, it sometimes lets you see the IIS and also the version. The most interesting one is from Shodan: in Shodan there is an http.title dork used for IIS. Now, if we want to be specific: as you can see, the total result in Shodan is more than 1 million, so if we want to be specific by searching for, as an example, a company name, a company that's running a very big scope, we can add the dork ssl: beside that, "Ahmedabad IIS" as an example, together with http.title IIS. Now, if we are working on a specific domain, we can use the dork ssl.cert.subject.cn: beside Ahmedabad, and we can add after that the http.title IIS. These are the three methods to find IIS.

Now we are moving to the next part: the tools that are required. As the first thing, there is an extension and there is a tool for the command line. The extension for Burp is called IIS Tilde Enumeration, and the tool for the command line is called Shortscan. You can use this tool or that tool; they are just to extract the short names of files and directories. The second tool is dotPeek; this tool is to analyse files such as DLL files and export the source from that DLL file. The next tool, I think all of you know what that tool is, is Visual Studio Code, and it's free, to review the code and the source. ffuf is a web directory fuzzer, and the wordlist I just uploaded to my GitHub two days ago. I created this wordlist, we can say, from my previous bugs, from my previous recon; anything new I find, I add it to this wordlist, and I keep it updated day by day, so it can be used for vulnerable IIS and non-vulnerable, and for any other web app.

Now, the normal testing for IIS is by running this command: shortscan and http or https and the URL, or you can do the same in the Burp extension; we just copy and paste the URL. But here we don't test just on the URL. Sometimes we test on the URL itself and it shows non-vulnerable, so we have to run this subdomain or this IP against the wordlist, and any valid endpoint, such as a forbidden, an unauthorized access, a 301, a 200, we can scan this endpoint again with this tool. Now here we have examples of running the Shortscan tool: we can run it on the domain, we can run it on a directory endpoint. Now let's come to the fuzzing part. We can run the wordlist normally, and as I told you, any valid endpoint, even if forbidden, we can use it.

Okay, now in the next part I will present examples of short names, but in ffuf we can also use the example of running ffuf that fuzzes after the short name directly. We can also, after the short name, add a dash and start fuzzing from there; we can also add an underscore after the short name, and we can also add a space. Now here is an example of scanning a target or IP directly: we have a first directory and we have the second one, it's ASPNET, so never forget ASPNET.

This is another example. Here we have an unidentified directory, we also have some files, and sometimes, if the short name is valid, it shows the actual file name or the actual directory. So now, as we can see, there is some security fix; there is a bug, but it's not full. Let's move to the next picture: here is the scan on a specific endpoint; we got some results for directories, for files. Now let's come to the example of testing. We have here a directory and we have here a file, DESKTOP, and that means it's maybe a backup file, maybe a setup file, but we don't know what's after DESKTOP. And we have there a directory called DS_STTO; STTO is maybe short for Studio, maybe short for something else. So the first thing we are going to do on the directory is run ffuf for fuzzing after STTO. My wordlist supports this; these words can complete it, but if it doesn't work there are other tips we will come to. Now let's come to the backup file that I want to complete. I know it's DESKTOP, but what comes after DESKTOP? So we can start fuzzing after DESKTOP directly; we can add a dash and start fuzzing directly; we can add an underscore; we can add a space and fuzz directly, because it's maybe desktop_backup or maybe desktop-setup. As an example for a directory short name, we can also, as you can see, use this dork in GitHub, and it's very helpful: by adding this dork, path: DS_ST, as you can see we have about 200 results, and we have here the .DS_Store, the DS_Store.exp, so there are a lot of examples here. We can also use a chat AI, like: generate a large wordlist starting with DS_ST, and you can see the options we have here to test by fuzzing directly. Also, don't forget: all the time, anything you get like this, add it to your wordlist.

Intruder is important just in number cases, because sometimes you can find a short name called desktop or backup or anything else, but it ends with a date or with a specific number, so here Intruder is very helpful for fuzzing on numbers.

Now, examples of some critical bugs that I was able to look at. I found a short name called ADMIN, and the extension of the file. With the previous tips that I talked about, I was able to locate the source backup, admin backup. From that, what I got: first, credentials in the source code itself; second, the machine key, and that led directly to RCE; third, from the source itself I was able to locate an unauth upload endpoint, and from there I uploaded an ASPX shell and got RCE.

Now here's another example. From a short name I got a directory called QBTEST, so I fuzzed it with this wordlist and in the end I got just one valid endpoint; it was called qbtest icare. When I opened this endpoint it redirected me to a login, so the first thing I started testing on this login was default credentials or weak credentials, and yes, I got a valid login by using test/test as the username and password. That was the first P1. The second P1: I was also able to locate a SQL injection in the username parameter, in a POST request, just by discovering this endpoint.

Now here's an example for a DLL. I got a short name called UTILITY; searching by that, with all the methods and GitHub, I was able to find the complete file name, and it was Utilities. So I sent it directly to JetBrains dotPeek, then I exported the project, and now I have the source for this DLL file. After starting to review this code I was able to locate AWS credentials, an access key and secret key, and for sure there is more and more and more. And as Shubs says about this bug: when you see the blue screen, stuck on that screen, it's more important.

From this stage I also want to thank Shubs, because he gave very, very good results and videos about IIS, and in the beginning I learned from his videos. Also, here are some references for more testing on IIS.

Now, the response manipulation part. We are now going to talk about some authentication bypass cases via response manipulation, and permissions, such as edit, add, delete, and prices and currency. To start, how can we edit the response itself? There are two methods. The first one is simply "Do intercept > Response to this request"; the second one is from the proxy options: intercept responses.

Now let's start with the examples. In this photo we have an example of a login panel, and in this login panel, when you try to log in with any user or any password, we get a response that is a 302 Found, and we have a Location header, but the only interesting thing there was that there was a huge Content-Length. So what I did there: I changed the response from 302 Found to 200 OK, and I removed the full Location header, and I got a valid login for that panel. So the tip here is that if you find a response such as a 302 and the Content-Length is so huge, you can start checking for authentication bypass by response manipulation. You can also use the same tip in Match and Replace: when you open Match and Replace, the type is Response header, match 302 and replace with 200, and match type Response header, match the Location and replace it with empty to delete the header.

Here's the other example. It's a POST login; we have a username, we have a password; the response was 400 Bad Request, and simply I changed 400 Bad Request to 200 OK and I changed false to true, and I got a valid login. It was also by response manipulation, and it can be done also by Match and Replace.

Another example: create account in an employee login panel. Directly, when I start looking for some panel, like an employee panel, where there's no function, just login, no registration, nothing else, I start checking the response for everything in this panel, starting by opening that panel. In some cases you can find in the response that the registration value is false; it happens a lot. When I change the value from false to true, I now have a new function: I can create an account in this employee panel.

Now let's move to the permission examples. Here we have a normal response, and here we have an edited or replaced response. For instance, after getting logged in to any page, we have a login permission, it's user; now we can try to change that to admin, to root, to something like that. Or we can see here it's admin: false; we can change it to true. We have a permission on that page, the value is can read, so we can add other values such as can write, can edit, can delete. There's also an example for a status: it's zero, we can change it to one; and if the status comes as one we can change it to zero or to two. And there's a state: it's failure, we can change it to success.

The prices and currency example. Here we have a normal response: the code is USD, it's the currency, and the amount is $99.10. So what can we do? The first thing: changing the position of the numbers. Here we have 99.10; we change it to 10.99. In the second part, the same number, but we add a zero before that number. Third part, the same number, but we removed just one digit, and it came to just $9 and 10 cents. And the interesting thing is when we play with the currency, because we know an Indian rupee is not like a dollar, it's not like a euro.

Now let's come to the methods and tips part. I received a lot of questions last week about some specific things, from people here who asked me to talk about them, so I said yes, it's okay. The first question was about what my method to bypass the WAF is; the second question was how I can get more subdomains and more subdomains; and the last one was how to discover more domains, more subdomains, more third parties, more endpoints. I think everyone here knows the old videos that I created and the tips about recon and how to get more domains and endpoints from crt.sh, so everything here, let's say, is new.

Okay, now my method for bypassing the WAF: using the origin IP via Match and Replace in Burp. The best resources to start finding the origin IPs: Shodan, where we can use this dork, ssl.cert.subject.cn with the domain or subdomain; we can use FOFA, [unclear]; we can use Censys; we can use SecurityTrails. Now, in a lot of videos and write-ups I discussed that we can find the origin IPs from Shodan, but those are live origin IPs. Now we are going to talk about not-live origin IPs, like if you got, as an example, for this IP, a response of Bad Request or 404 Not Found. Okay, now as an example here we have a domain called godfather.orwa.com, and this domain is running with a WAF. So we look at that domain or those subdomains on Shodan or any engine, and we find here that we have the IP and we have the subdomains, and other similar subdomains such as dev, test. Now, how am I going to mix that with that? As we can see in the example, we have a live subdomain running with a WAF, and an IP for that subdomain, but it's not working, it's Bad Request. In Match and Replace, we add the IP that is not working to the match, and to the replace we add the host or subdomain that is running with the WAF. Now, when you visit the IP, the response works, and without the WAF, and you have access to the app without the WAF. The request example will be like this: the hostname is in the Host header and the IP is different here.

Now my method for finding more and more subdomains. I just use Amass for enumerating subdomains, but the first important thing, which as I can see a lot of people ignore, is editing the Amass config. When you check the config for Amass, we are speaking about a huge number of resources; you just have to visit them and start adding API keys and credentials to get more subdomains. So this is the first thing: add the API keys and work on the config file before starting to use Amass. The normal command that I use to get subdomains is this one, but now we have two steps. Step one is enumerating the normal subdomains for BSides Ahmedabad. The second part: now we have a subdomain list; we run it again by adding -df, not -d, so now we are enumerating subdomains for the subdomain list. I checked it two or three days ago on a normal target: without adding the config API keys I got just 230 subdomains; after I edited the config file I got 259, so we are speaking about 30 more subdomains, which is a good number for 200 subdomains. After running step two I got nearly 300 subdomains, so we're talking about 100 more subdomains.

My method, or we can say the new method, to find more domains, third parties and endpoints. The first thing is urlscan. In urlscan we can use the normal dork or the normal domain, okay, that's familiar. What else can you do? We can write domain.* to get more of the others; as an example, we could get bsidesahmedabad.[other].com or something like that. We can also add the domain name, dash, star, so maybe as an example we can get bsidesahmedabad-corp.com, or it's running on a third party such as Okta, such as ServiceNow. But when we use this dork we have a lot of duplicates. How do we remove those duplicates? By adding a dash for the domain that I want to remove from this list. As an example, I want to check for bsidesahmedabad, or just bsides, and I want to remove bsidesahmedabad.in from my search, so I add a dash. Here are other examples: I can add not just one subdomain or two subdomains, I can add more domains and subdomains with the same keyword. Here's the example: I want to get some endpoints for tesla.com, but I want to remove this because I got a lot of duplicates for these subdomains.

Now, Bing and Google dorking is a very similar tip; it's just about removing duplicates. In Bing or in Google, to remove duplicates we have to add -site, not -domain, directly -site; we can add anything and we can remove all the duplicates from the search. Also, dorking on Google or on Bing keeps updating every day, so it's not a one-time thing. And here's another example from Bing.

Okay, now mixing FOFA and the Shodan search engine. The first thing: we have to get all the favicon hashes from FOFA. As an example, we try tesla.com; we have more, and we have all of these favicon hashes. When you check one by one, we have the hash for that favicon, so we can copy that and use it on FOFA and start searching, or we can move to Shodan by using this dork, http.favicon.hash, and we can add here the hash number and we can get good results. Now, this same testing, or this same tip, is also very helpful and useful for customers, because they can also locate the spam and phishing hosts this way. I also added here a URL of a video for more technical detail on Shodan; the video was called The Power of Shodan, and I think it was three months ago.

Now, an amazing tool for gathering endpoints. I think we can say mostly, for collecting endpoints, people use a tool called waybackurls, is that right? Okay, now waybackurls just collects subdomains from the web archive, but here we have a tool called waymore. This tool is very similar, but it collects subdomains from these four resources: from the Wayback Machine or web archive, from Common Crawl, from AlienVault, and from urlscan. And on AlienVault the URLs keep updating daily.

Now here we have: checking endpoints manually is more useful. Why? Because when you collect the endpoints for domains, for apps, and you start checking those endpoints manually, you can find an endpoint that is just like this, not a full endpoint, ending with .zi. Okay, so if I send this, as an example, to tools to start checking JS files or to start checking for XSS or anything else, I will not get anything valid from it. But when I start checking manually, I can find a lot of results like that. So we have a .zi; it means I have to complete it to .zip, and here I have a file to download. Maybe I can find an endpoint that ends in just .p, so it's maybe a PHP endpoint and it's maybe a PDF file. Another example: it's .ex, so it's maybe an .exe and it's an application. Normally, getting endpoints from these resources, if we got an .exe application or a .zip backup file, we can say mostly it's unauthorized access. Also, checking endpoints daily, as an example on AlienVault: there are endpoints updated day by day. What does that help? I was able to locate more than one account takeover just by finding an added URL with an activation token, and from there I got full access to the account. Thank you, and I think I'm done here.
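The short-name expansion Orwa walks through in the IIS section (complete the stem, then fuzz after it directly, with a dash, an underscore and a space, and hand numeric suffixes to Intruder), written out as an added Python example. This is not Orwa's tooling and not Shortscan's output format: the findings and the mini wordlist are constructed for the demo, EXT_MAP is an assumption about which full extensions usually hide behind a 3-character short extension, and the target URL and wordlist path are placeholders.

```python
"""Expand IIS 8.3 short names (as reported by Shortscan or the Burp IIS Tilde
Enumeration extension) into full-name guesses and ffuf command lines.

Added example, not Orwa's own tooling. SAMPLE_FINDINGS and WORDLIST are
constructed for the demo; a real run would feed the wordlist from Orwa's
GitHub and the real Shortscan output. EXT_MAP is an assumption about which
full extensions usually sit behind a 3-character short extension.
"""
import re
import shlex
from urllib.parse import quote

# An 8.3 short name: up to 6 stem characters, "~N", and an optional 3-character extension.
SHORT_NAME_RE = re.compile(
    r"^(?P<stem>[^~./\\]{1,6})~(?P<n>\d+)(?:\.(?P<ext>[^./\\]{1,3}))?$", re.IGNORECASE
)

# 3-char short extension -> likely full extensions (assumption, common IIS/.NET cases).
EXT_MAP = {"asp": ["asp", "aspx"], "con": ["config"], "jso": ["json"],
           "bak": ["bak", "backup"], "zip": ["zip"], "dll": ["dll"], "txt": ["txt"]}

# What Orwa fuzzes after the stem: directly, then with a dash, an underscore and a space.
SEPARATORS = ["", "-", "_", " "]

# Constructed mini wordlist standing in for the real one.
WORDLIST = ["desktop", "backup", "setup", "old", "store", "studio",
            "utilities", "admin", "administrator", "test"]

# Constructed Shortscan-style findings: (short name, is_directory).
SAMPLE_FINDINGS = [("DESKTO~1.BAK", False), ("DS_STO~1", True),
                   ("ADMIN~1.ASP", False), ("UTILIT~1.DLL", False)]


def parse_short_name(name):
    """Return (stem, n, ext) in lower case, or None if `name` is not an 8.3 short name."""
    m = SHORT_NAME_RE.match(name.strip())
    if not m:
        return None
    return m["stem"].lower(), int(m["n"]), (m["ext"] or "").lower()


def full_extensions(ext3):
    """Candidate full extensions for a short extension ("" for directories)."""
    return [""] if not ext3 else EXT_MAP.get(ext3, [ext3])


def completions(stem, wordlist=WORDLIST):
    """Full-name guesses for a stem: words that extend the whole stem, and words
    that extend its last '_'/'-' token (DS_STO -> ds_store). Falls back to the stem."""
    guesses = {w for w in wordlist if w.startswith(stem)}
    for sep in ("_", "-"):
        head, found, tail = stem.rpartition(sep)
        if found and tail:
            guesses |= {head + sep + w for w in wordlist if w.startswith(tail)}
    return sorted(guesses) or [stem]


def expand(short_name, is_dir, wordlist=WORDLIST, years=range(2020, 2025)):
    """All guessed full names for one finding: the completions, then each
    completion followed by a separator and a word (desktop_backup) or a number
    (desktop-2023, the case Orwa hands to Intruder), with every plausible extension."""
    parsed = parse_short_name(short_name)
    if parsed is None:
        raise ValueError(f"not an 8.3 short name: {short_name!r}")
    stem, _, ext3 = parsed
    names = set()
    for base in completions(stem, wordlist):
        names.add(base)
        for sep in SEPARATORS:
            names.update(f"{base}{sep}{w}" for w in wordlist if w != base)
            names.update(f"{base}{sep}{y}" for y in years)
    suffixes = ["/"] if is_dir else [f".{e}" for e in full_extensions(ext3)]
    return sorted(n + s for n in names for s in suffixes)


def ffuf_commands(base_url, short_name, is_dir, wordlist_path="iis.txt"):
    """ffuf invocations that fuzz after the stem with each separator; -mc keeps
    the codes Orwa treats as valid hits (forbidden and unauthorized included)."""
    parsed = parse_short_name(short_name)
    if parsed is None:
        raise ValueError(f"not an 8.3 short name: {short_name!r}")
    stem, _, ext3 = parsed
    suffixes = ["/"] if is_dir else [f".{e}" for e in full_extensions(ext3)]
    cmds = []
    for base in completions(stem):
        for sep in SEPARATORS:
            for suffix in suffixes:
                url = f"{base_url.rstrip('/')}/{base}{quote(sep)}FUZZ{suffix}"
                cmds.append(f"ffuf -u {shlex.quote(url)} -w {shlex.quote(wordlist_path)} "
                            f"-mc 200,301,302,401,403")
    return cmds


if __name__ == "__main__":
    for short, is_dir in SAMPLE_FINDINGS:
        print(short, "->", len(expand(short, is_dir)), "guesses")
        for cmd in ffuf_commands("https://target.example", short, is_dir):
            print("  ", cmd)
```

Two practical notes. The stem is at most six characters, so `DESKTO~1` is the short form of any name starting with "deskto", not of "desktop" specifically; the completion step therefore tries every wordlist entry with that prefix. And the space separator is URL-encoded as `%20` in the ffuf URL, which is the form IIS actually sees.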
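The Burp Match and Replace rules from the response-manipulation section (302 Found turned into 200 OK with the Location header deleted, and false/failure/0 flags flipped in a JSON body), modelled offline as an added Python example that is not part of the talk and not Burp's code. The HTTP responses are constructed samples, BIG_BODY is an assumed threshold for a "huge" Content-Length on a redirect, and the field names in FLIPS are assumptions about what such flags are typically called.

```python
"""Offline model of the response-manipulation rules Orwa applies with Burp's
Match and Replace: a suspicious 302 login redirect becomes a 200 without its
Location header, and false/failure/0 flags in a JSON body are flipped.

Added example, not code from the talk or from Burp. The responses are
constructed samples; BIG_BODY and the field names in FLIPS are assumptions.
"""
import json

BIG_BODY = 512  # assumption: a redirect carrying more body than this is "huge"

# (field name, value seen) -> value to send instead: the pairs from the talk,
# keyed on typical field names (assumption).
FLIPS = {
    ("success", False): True, ("registration", False): True,
    ("admin", False): True, ("authenticated", False): True,
    ("status", 0): 1, ("state", "failure"): "success", ("role", "user"): "admin",
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_response(status_line, headers, body):
    head = "\r\n".join([status_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def body_json(raw):
    return json.loads(parse_response(raw)[2])


def looks_like_bypassable_redirect(raw):
    """Orwa's tell: a 302 with a Location header but a large body. A genuine
    redirect usually carries (almost) no body; a large one suggests the page was
    rendered first and the redirect bolted on afterwards."""
    status_line, headers, body = parse_response(raw)
    if status_line.split()[1] != "302" or header(headers, "Location") is None:
        return False
    length = header(headers, "Content-Length")
    return (int(length) if length is not None else len(body)) > BIG_BODY


def rewrite_redirect(raw):
    """Rules 1 and 2: '302 Found' -> '200 OK' and the Location header deleted.
    The body is left alone; it is the page the server already rendered."""
    status_line, headers, body = parse_response(raw)
    proto = status_line.split()[0]
    headers = [(n, v) for n, v in headers if n.lower() != "location"]
    return build_response(f"{proto} 200 OK", headers, body)


def _flip(obj, flips):
    """Walk nested JSON and apply `flips` to matching (key, value) pairs."""
    if isinstance(obj, dict):
        return {k: (_flip(v, flips) if isinstance(v, (dict, list)) else flips.get((k, v), v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_flip(x, flips) for x in obj]
    return obj


def rewrite_json_flags(raw, flips=FLIPS):
    """Rule 3: force '200 OK' and flip the flags in a JSON body, correcting
    Content-Length so the client accepts the edited body. Non-JSON passes through."""
    status_line, headers, body = parse_response(raw)
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return raw
    new_body = json.dumps(_flip(data, flips)).encode("utf-8")
    headers = [(n, str(len(new_body)) if n.lower() == "content-length" else v)
               for n, v in headers]
    return build_response(f"{status_line.split()[0]} 200 OK", headers, new_body)


def _sample(status_line, body, extra=()):
    """Constructed sample response with a correct Content-Length."""
    return build_response(status_line, list(extra) + [("Content-Length", str(len(body)))], body)


# Constructed samples: a rendered page behind a 302, a genuine redirect,
# a failed JSON login, and a permissions object.
LOGIN_302 = _sample("HTTP/1.1 302 Found", b"<html>dashboard</html>" * 40,
                    [("Location", "/login?error=1"), ("Content-Type", "text/html")])
REAL_302 = _sample("HTTP/1.1 302 Found", b"", [("Location", "/login")])
LOGIN_400 = _sample("HTTP/1.1 400 Bad Request", b'{"success": false, "message": "bad password"}',
                    [("Content-Type", "application/json")])
PERMS_200 = _sample("HTTP/1.1 200 OK", b'{"user": {"role": "user", "admin": false, "status": 0}}',
                    [("Content-Type", "application/json")])

if __name__ == "__main__":
    print("suspicious redirect:", looks_like_bypassable_redirect(LOGIN_302))
    print(rewrite_redirect(LOGIN_302)[:60])
    print(rewrite_json_flags(LOGIN_400).decode())
```

The caveat a practitioner should keep in mind: an edited response only changes what the browser believes. It is a real bug when the next request the client makes with that belief (a session cookie the server already issued, an admin-only endpoint, the account-creation form) is accepted server-side; if the server rejects it, the response edit was cosmetic and the "permission" lived only in the client.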