Hey hackers! This is our latest selection of resources for pentesters and bug hunters. It covers the week from 21 to 28 of September.

Our favorite 5 hacking items #

1. Tips of the week #

5 Tips Bug Bounty Programs Want You to Know About by @d0nutptr

Lately on Twitter, there has been a lot of controversy/noise/discontentment around bug bounty platforms, particularly HackerOne. Personally, I believe that the best way to succeed and be happy at work in general is to have a flawless attitude, give constructive criticism, then, if you’re really not happy with your work environment, move on to another one.

With this same spirit, this blog post offers great information that could help you improve your bug hunting experience. It’s a must read.

2. Writeup of the week #

Thick Client - Attacking databases the fun/easy way by Richard Clifford

This is a very simple bug with high impact: by analyzing a desktop application’s traffic, Richard found database credentials sent over a clear-text connection. He used them to remotely connect to the database, dump its contents and (because it was running as SYSTEM!) create new users on the system and pivot through the network.

Testing thick clients is not necessarily complicated and could allow you to discover high reward bugs without much effort.

3. Tools of the week #

• gimmecredz for Linux by @0xmitsurugi
• PassCat for Windows by @maldevel

These are two tools to use post-exploitation, to extract passwords from many known locations like files, browsers, apps, etc.

There are many cheatsheets out there to follow once you have a foothold on a target, and also tools for generic information gathering and privilege escalation, but it’s the first time I see tools that gather credentials specifically. This is very handy for pentesters, especially if you lack time and want to quickly gather sensitive information for a PoC or for pivoting.

4. Tutorial of the week #

Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters by @yamakira_

Ah, JavaScript! So many good bugs disclosed by bug hunters are found by manual analysis of JavaScript code: sensitive information disclosure, new endpoints, hardcoded credentials, usage of dangerous functions… So even if I have an aversion for source code analysis, JavaScript bugs are too good to ignore.

This tutorial is a very nice start: It explains how to obtain JavaScript files, make the code readable and identify common vulnerabilities manually or using tools.

5. Resource of the week #

BugBountyNotes, particularly the Challenges & Tutorials section by @zseano

@zseano did an amazing job with this site! It has several good sections all dedicated to bug hunting: forum, challenges, tutorials, references to tools, bug bounty programs, disclosed bugs… Other features are also on the way.

If you haven’t already checking it out, I recommended starting with the challenges and the Hacking with ZSeano: Recon Part two tutorial.

Other amazing things we stumbled upon this week #

Videos, Conferences & Podcasts #

Videos #

• The Curse of Cross-Origin Stylesheets - Web Security Research
• Hacking Basic Authentication with Nmap and Hydra - Web Application Pentesting Series 2018 | Lesson 6
• Hacker101 - Secure Architecture Review

Podcasts #

• 5 Year Plan into InfoSec Part 2 & WEBCAST: John Strand’s 5 Year Plan into InfoSec Part 2
• Ep. 25, No Trevor jokes

Tutorials #

Medium to advanced #

• Auditing Bitbucket Server Data for Credentials in AWS
• MSF Meterpreter and Railgun
• Hacking with Git: Git-Enum metasploit module release
• How to hack VeChainThor?

Beginners corner #

• Email Spoofing With Netcat/Telnet
• Nmap Cheatsheet
• Hashcat Tutorial – The basics of cracking passwords with hashcat

Writeups #

• TradingView Charting Library XSS Vulnerablity | Victor Zhu
• Missing Updates and Site Misconfiguration Can Lead to Exposed Backups

Tools #

If you don’t have time #

• WiPray: Wifi Password Spray
• celerystalk: An asynchronous enumeration & vulnerability scanner. Run all the tools on all the hosts.
• Acamar: A Python3 based single-file subdomain enumerator
• SubScraper: External pentest tool that performs subdomain enumeration through various techniques. In addition, SubScraper will provide information such as HTTP & DNS lookups to aid in potential next steps.

More tools, if you have time #

• cspparse: A tool to evaluate Content Security Policies
• WhatWaf: Detect and bypass web application firewalls and protection systems
• Vibe: A framework for stealthy domain reconnaissance
• Mail Security Testing Framework: A testing framework for mail security and filtering solutions
• Recon Pi: ReconPi - A lightweight recon tool that performs extensive scanning with the latest tools

Misc. pentest & bug bounty resources #

• Week in OSINT #2018–38
• Facebook Security Update: Technical details on Facebook’s latest hack affecting almost 50 million accounts
• Password Tips from a Pen Tester: Are 12-Character Passwords Really Stronger, or Just a Dime a Dozen?
• awesome-security-apis: A collective list of public JSON APIs for use in security

Non technical #

• The Penetration Testing Report
• How Can I Become A Pentester?
• A Career in Information Security: FAQ (Part 1)
• Can You Enjoy Work Too Much?
• Becoming more productive while working less

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/21/2018 to 09/28/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…