Hi, these are the notes I took while watching the “Doing recon like a boss” talk given by Ben Sadeghipour (@nahamsec) on LevelUp 2017.

[UPDATE] I modified these notes after watching the updated version of this talk: “It’s the little things” by Ben Sadeghipour & Jon Bottarini (Disobey 2018).

Links #

• “Doing recon like a boss” video: https://www.youtube.com/watch?v=1Kg0_53ZEq8
• “It’s the little things” video: https://www.youtube.com/watch?v=5clT3JN7R8w

Overview #

• Why: Bigger attack surface, more bugs, more bounties, more problems

Traditional way for finding subdomains (brute forcing) #

• Brute force
  • Sublist3r
  • enumall
  • massdns
  • altdns
  • brutesubs
  • dns-parallel-prober
  • dnscan
  • knockpy
  • tko-subs
  • HostileSubBruteforce
• Find patterns (.dev, .corp, .stage)
• Brute force again: Subdomain brute-force patterns dicovered to find:
  • Different permutations
  • Different environment (like staging environments)
• Google Dork: site.com -www -cdn

AWS recon #

• Look for S3 buckets
  • site:s3.amazonaws.com + ... (for e.g site:s3.amazonaws.com + inurl:HackerOne)
  • You might find an internal domain that is not accessible directly but if you go to the Amazon Web Services they are
• AWS instances
  • site:amazonaws.com -s3
  • site:amazonsaws.com inurl:bugcrowd
• Use Google for patterns
• Github
  • Search example: "amazonaws.com" trello
• Automate your work
  • Create a list of subdomains
  • Create a list of environment: Prod, Stage, Dev
  • Automate with tools like:
    • bucket_finder now integrated with CloudStorageFinder by diji.ninja
    • SandCastle by YasinS
    • Lazys3 by Ben Sadeghipour & Jobert Abma (I’m not sure this is the tool mentioned in the video, but it was created by the presenter)
• What could go wrong?
  • S3 bucket not owned by company (despite its name sounding like it does)
  • Going out of scope
    • Domain on which you have read/write access but it was taken out of scope
  • S3 bucket that has directory listing enabed but doesn’t contain any sensitive info, or just has static assets
  • Third party apps & third party developers

Github recon #

• What you can find:
  • Environments (dev, stage, prod)
  • Secret Keys (API_key, AWS_Secret, LDAP, FTP…)
  • Internal credentials
  • API endpoints
  • Domain patterns (internal or external)
• Search examples:
  • "company.com" "dev"
  • "dev.company.com"
  • "dev.company.com" password/api_key
  • "company.com" API_key
  • "company.com" password
  • "api.company.com"
• Google Dork: site:"Github.com" + "ORG" + ...
• Tools
  • gitrob
  • git-all-secrets
  • truffleHog
  • git-secrets
  • repo-supervisor
  • You can find more things by doing it manually
• What could go wrong?
  • Logging in to the app with too many accounts or with the CTO account can upset the company
  • Finding credentials of an employee that no longer works at the company but still has some limited access
  • Old secret_keys
    • Always test secret keys you find before reporting to make sure they’re valid
  • The S3 bucket doesn’t contain any sensitive info
  • Third party apps
  • Example / Demo creds / Fake info / 3rd party contractors
  • Random people trying to build something by using the target’s API’s

Asset identification #

Search engines #

Get creative!

• censys.io
  • Look for SSL certificates
    • 443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_name:bugcrowd.com
  • Look for Internal certificates
    • "COMPANY" + internal (get creative)
      => might allow you to find a company internal subdomain or IP address not mentioned anywhere
• shodan.io
  • Search by hostname
  • Filter for:
    • Ports: 8443, 8080, 8180, 15672, etc
    • Title: "Dashboard [Jenkins]"
    • Product: Tomcat
    • Hostname: corp.levelup.com
    • Org: Bugcrowd
  • Search queries to do:
    • Org: Bugcrowd [option]
    • hostname: company.com [option] Where [option] is one of the options above (filter on ports, title or product)
  • Buy book Complete Guide to Shodan by Shodan creator for only 4.99$
• Certspotter
  • Great API
  • Easy to automate
  • Find corporate certs, servers, other litle things that orgs think you’ll never find like internal IP addresses…

JavaScript files #

• What you can find:
  • URL endpoints
  • Credentials/tokens
  • More (internal) subdomains
  • Secret internal API’s
  • Sensitive comments
• Where to find JS files?
  • Go to the website
  • archive.org & look for old JS files
• Tools:
  • JS Parser

archive.org #

• Search for your target
• Select a date
• Review the source Find old endpoints/functionality
• Look for JS files
• Exploit them!

See you next time!