Posted in Conference notes on July 12, 2018
Hi, these are the notes I took while watching the “Modern Pentest Tricks For Faster, Wider, Greater Engagements” talk given by Thomas Debize at both the Area 41 and HITB 2018 conferences.

Because:

Current pentest assessments require pentesters to SCALE!
| Input | |
|---|---|
| in2csv, sql2csv | convert anything to CSV |
| csvclean, csvformat | ensure your input or output files are correctly formatted |

| Processing | |
|---|---|
| csvcut | just like UNIX “cut” |
| csvgrep | not just like UNIX “grep”, allows you to search regex/patterns only in the desired columns |
| csvjoin | execute an SQL-like join to merge CSV files on a specified column or columns |
| csvsort | not just like UNIX “sort”, allows you to sort on the desired fields |
| csvstack | concatenate/merge multiple CSV files |

| Output & Analysis | |
|---|---|
| csvjson | convert a CSV file into JSON |
| csvlook | just admire the beauty of a CSV file in your interpreter |
| csvpy | load a CSV file into a CSVKitReader object and then drop into a Python shell |
| csvsql | perform SQL queries on a CSV file |
| csvstat | print some statistics per column |
| Option | Description |
|---|---|
| --progress | a percentage of done/to be done |
| --bar | a nice progress bar |
| --joblog | a log of executed tasks, allows resuming |
| --resume | resume from your current execution status |
| --sshlogin | distribute the tasks on remote computers through SSH |
```
$ parallel -a target_list.txt --joblog joblog --progress --bar \
  "wfuzz \
   -f 'results/result_wfuzz_{= s/[:\/]/_/g =}.json',json \
   --filter 'c<403' \
   -R 3 -Z -c \
   -z file,/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt \
   {1}/FUZZ"
```
- `{= s/[:\/]/_/g =}` is a Perl/sed expression that replaces the bad characters (`:` and `/`) in the result filename
- Format of *target_list.txt*:

```
http://foo
https://foobar
https://bar:443
```
```
$ ls ./results/result_wfuzz_*.json | parallel \
  "cat {} | jq '.[] | if (.code == 200) then .url else empty end' | sed 's/\"//g' >> list_to_webscreenshot.txt"
```
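The same aggregation step in Python, as an added example that is not part of the talk or of the original notes: the filename mapping mirrors parallel's `{= s/[:\/]/_/g =}` replacement, the filter mirrors the jq expression, and the duplicates that `>>` appends are removed. The result files are constructed inline with only the `code` and `url` keys the jq command relies on.

```python
import json
import re
from typing import Iterable

# The same substitution GNU parallel applies via {= s/[:\/]/_/g =} in the
# wfuzz command: every ':' and '/' in the target becomes '_'.
BAD_FILENAME_CHARS = re.compile(r"[:/]")


def result_filename(target: str) -> str:
    """Per-target result file name, as produced by the parallel/wfuzz run."""
    return f"results/result_wfuzz_{BAD_FILENAME_CHARS.sub('_', target)}.json"


def urls_with_code(results: Iterable[dict], wanted: int = 200) -> list[str]:
    """Equivalent of: jq '.[] | if (.code == 200) then .url else empty end'.
    Records missing 'code' or 'url' are skipped rather than raising."""
    return [r["url"] for r in results
            if r.get("code") == wanted and isinstance(r.get("url"), str)]


def collect_screenshot_targets(result_files: dict[str, str]) -> list[str]:
    """Merge all per-target result files into one deduplicated, sorted list
    (the role of '>> list_to_webscreenshot.txt', minus the duplicates)."""
    found: set[str] = set()
    for _name, content in result_files.items():
        try:
            found.update(urls_with_code(json.loads(content)))
        except json.JSONDecodeError:
            continue  # an interrupted wfuzz run leaves a truncated JSON file
    return sorted(found)


# Constructed sample data: file name -> file content, only the 'code' and
# 'url' keys the jq filter relies on; the third file simulates a truncated run.
SAMPLE_RESULTS = {
    result_filename("http://foo"): json.dumps([
        {"code": 200, "url": "http://foo/admin/"},
        {"code": 301, "url": "http://foo/images"},
    ]),
    result_filename("https://bar:443"): json.dumps([
        {"code": 200, "url": "https://bar:443/login"},
        {"code": 200, "url": "http://foo/admin/"},  # duplicate across targets
    ]),
    result_filename("https://foobar"): '[{"code": 200, "url": ',
}

if __name__ == "__main__":
    print("\n".join(collect_screenshot_targets(SAMPLE_RESULTS)))
```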
```
$ parallel -a subdomains.txt --joblog joblog --progress --bar \
  "dig +noall +answer {}.<target domain>"
```

- Format of *subdomains.txt*:

```
foo
bar
admin
```
```
$ git clone https://github.com/OJ/gobuster.git && cd gobuster
$ time go run main.go -u google.com -w ~/subdomains.txt -m dns -q -o google.com_subdomains_by_gobuster.txt
=> ~22s

$ time parallel -a ~/subdomains.txt "dig +noall +answer {}.google.com | tee -a google.com_subdomains_by_parallel.txt"
=> ~27s
```
```
pip install pyinstaller
```

- `--onefile`: creates a standalone executable file which is a self-extracting zip payload
- `--onedir`: creates a single directory with everything inside if you don’t want a standalone executable file, as large standalones (> 18 MB) take time to unzip before execution
- `--key <key>`: a specific key to encrypt the zip payload, of course included in the executable (Tutorial)
- `--icon <icon_file>`: for visual fanciness

`--key` option to bypass them!

```
git clone https://github.com/klsecservices/rpivot.git
cd rpivot
pyinstaller --clean --onefile server.py
./dist/server -h
```
Conclusion:
See you next time!