Sponsored by

Conference notes: It's the little things (Disobey 2018) & Doing recon like a boss (LevelUp 2017)

Posted in Conference notes on April 26, 2018

Conference notes: It's the little things (Disobey 2018) & Doing recon like a boss (LevelUp 2017)

Hi, these are the notes I took while watching the “Doing recon like a boss” talk given by Ben Sadeghipour (@nahamsec) on LevelUp 2017.

[UPDATE] I modified these notes after watching the updated version of this talk: “It’s the little things” by Ben Sadeghipour & Jon Bottarini (Disobey 2018).


  • Why: Bigger attack surface, more bugs, more bounties, more problems

Traditional way for finding subdomains (brute forcing)

  • Brute force
    • Sublist3r
    • enumall
    • massdns
    • altdns
    • brutesubs
    • dns-parallel-prober
    • dnscan
    • knockpy
    • tko-subs
    • HostileSubBruteforce
  • Find patterns (.dev, .corp, .stage)
  • Brute force again: Subdomain brute-force patterns dicovered to find:
    • Different permutations
    • Different environment (like staging environments)
  • Google Dork: site.com -www -cdn

AWS recon

  • Look for S3 buckets
    • site:s3.amazonaws.com + ... (for e.g site:s3.amazonaws.com + inurl:HackerOne)
    • You might find an internal domain that is not accessible directly but if you go to the Amazon Web Services they are
  • AWS instances
    • site:amazonaws.com -s3
    • site:amazonsaws.com inurl:bugcrowd
  • Use Google for patterns
  • Github
    • Search example: "amazonaws.com" trello
  • Automate your work
    • Create a list of subdomains
    • Create a list of environment: Prod, Stage, Dev
    • Automate with tools like:
  • What could go wrong?
    • S3 bucket not owned by company (despite its name sounding like it does)
    • Going out of scope
      • Domain on which you have read/write access but it was taken out of scope
    • S3 bucket that has directory listing enabed but doesn’t contain any sensitive info, or just has static assets
    • Third party apps & third party developers

Github recon

  • What you can find:
    • Environments (dev, stage, prod)
    • Secret Keys (API_key, AWS_Secret, LDAP, FTP…)
    • Internal credentials
    • API endpoints
    • Domain patterns (internal or external)
  • Search examples:
    • "company.com" "dev"
    • "dev.company.com"
    • "dev.company.com" password/api_key
    • "company.com" API_key
    • "company.com" password
    • "api.company.com"
  • Google Dork: site:"Github.com" + "ORG" + ...
  • Tools
    • gitrob
    • git-all-secrets
    • truffleHog
    • git-secrets
    • repo-supervisor
    • You can find more things by doing it manually
  • What could go wrong?
    • Logging in to the app with too many accounts or with the CTO account can upset the company
    • Finding credentials of an employee that no longer works at the company but still has some limited access
    • Old secret_keys
      • Always test secret keys you find before reporting to make sure they’re valid
    • The S3 bucket doesn’t contain any sensitive info
    • Third party apps
    • Example / Demo creds / Fake info / 3rd party contractors
    • Random people trying to build something by using the target’s API’s

Asset identification

Search engines

Get creative!

  • censys.io
    • Look for SSL certificates
      • 443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_name:bugcrowd.com
    • Look for Internal certificates
      • "COMPANY" + internal (get creative)
        => might allow you to find a company internal subdomain or IP address not mentioned anywhere
  • shodan.io
    • Search by hostname
    • Filter for:
      • Ports: 8443, 8080, 8180, 15672, etc
      • Title: "Dashboard [Jenkins]"
      • Product: Tomcat
      • Hostname: corp.levelup.com
      • Org: Bugcrowd
    • Search queries to do:
      • Org: Bugcrowd [option]
      • hostname: company.com [option] Where [option] is one of the options above (filter on ports, title or product)
    • Buy book Complete Guide to Shodan by Shodan creator for only 4.99$
  • Certspotter
    • Great API
    • Easy to automate
    • Find corporate certs, servers, other litle things that orgs think you’ll never find like internal IP addresses…

JavaScript files

  • What you can find:
    • URL endpoints
    • Credentials/tokens
    • More (internal) subdomains
    • Secret internal API’s
    • Sensitive comments
  • Where to find JS files?
    • Go to the website
    • archive.org & look for old JS files
  • Tools:


  • Search for your target
  • Select a date
  • Review the source Find old endpoints/functionality
  • Look for JS files
  • Exploit them!

See you next time!