Hi, these are the notes I took while watching the “Doing recon like a boss” talk given by Ben Sadeghipour (@nahamsec) at LevelUp 2017.
[UPDATE] I modified these notes after watching the updated version of this talk: “It’s the little things” by Ben Sadeghipour & Jon Bottarini (Disobey 2018).
Links
- “Doing recon like a boss” video: https://www.youtube.com/watch?v=1Kg0_53ZEq8
- “It’s the little things” video: https://www.youtube.com/watch?v=5clT3JN7R8w
Overview
- Why: Bigger attack surface, more bugs, more bounties, more problems
Traditional way of finding subdomains (brute forcing)
- Brute force
- Sublist3r
- enumall
- massdns
- altdns
- brutesubs
- dns-parallel-prober
- dnscan
- knockpy
- tko-subs
- HostileSubBruteforce
- Find patterns (.dev, .corp, .stage)
- Brute force again: use the subdomain patterns discovered to find:
- Different permutations
- Different environments (like staging environments)
- Google Dork:
site.com -www -cdn
AWS recon
- Look for S3 buckets
site:s3.amazonaws.com + ...
(e.g. site:s3.amazonaws.com + inurl:HackerOne)
- You might find an internal domain that is not accessible directly, but is reachable if you go through Amazon Web Services
- AWS instances
site:amazonaws.com -s3
site:amazonaws.com inurl:bugcrowd
- Use Google for patterns
- Github
- Search example:
"amazonaws.com" trello
- Automate your work
- Create a list of subdomains
- Create a list of environments: Prod, Stage, Dev
- Automate with tools like:
- bucket_finder now integrated with CloudStorageFinder by diji.ninja
- SandCastle by YasinS
- Lazys3 by Ben Sadeghipour & Jobert Abma (I’m not sure this is the tool mentioned in the video, but it was created by the presenter)
- What could go wrong?
- S3 bucket not owned by company (despite its name sounding like it does)
- Going out of scope
- Domain on which you have read/write access but it was taken out of scope
- S3 bucket that has directory listing enabled but doesn’t contain any sensitive info, or just has static assets
- Third party apps & third party developers
Github recon
- What you can find:
- Environments (dev, stage, prod)
- Secret Keys (API_key, AWS_Secret, LDAP, FTP…)
- Internal credentials
- API endpoints
- Domain patterns (internal or external)
- Search examples:
"company.com" "dev"
"dev.company.com"
"dev.company.com" password/api_key
"company.com" API_key
"company.com" password
"api.company.com"
- Google Dork:
site:"Github.com" + "ORG" + ...
- Tools
- gitrob
- git-all-secrets
- truffleHog
- git-secrets
- repo-supervisor
- You can find more things by doing it manually
- What could go wrong?
- Logging in to the app with too many accounts or with the CTO account can upset the company
- Finding credentials of an employee that no longer works at the company but still has some limited access
- Old secret_keys
- Always test secret keys you find before reporting to make sure they’re valid
- The S3 bucket doesn’t contain any sensitive info
- Third party apps
- Example / Demo creds / Fake info / 3rd party contractors
- Random people trying to build something by using the target’s APIs
Asset identification
Search engines
Get creative!
- censys.io
- Look for SSL certificates
443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_name:bugcrowd.com
- Look for Internal certificates
"COMPANY" + internal (get creative)
=> might allow you to find a company internal subdomain or IP address not mentioned anywhere
- shodan.io
- Search by hostname
- Filter for:
Ports: 8443, 8080, 8180, 15672, etc
Title: "Dashboard [Jenkins]"
Product: Tomcat
Hostname: corp.levelup.com
Org: Bugcrowd
- Search queries to do:
Org: Bugcrowd [option]
hostname: company.com [option]
Where [option] is one of the options above (filter on ports, title or product)
- Buy the book Complete Guide to Shodan by Shodan’s creator for only $4.99
- Certspotter
- Great API
- Easy to automate
- Find corporate certs, servers and other little things that orgs think you’ll never find, like internal IP addresses…
JavaScript files
- What you can find:
- URL endpoints
- Credentials/tokens
- More (internal) subdomains
- Secret internal APIs
- Sensitive comments
- Where to find JS files?
- Go to the website
- archive.org & look for old JS files
- Tools:
- archive.org
- Search for your target
- Select a date
- Review the source, find old endpoints/functionality
- Look for JS files
- Exploit them!
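As an added example (not code from the talk or from these notes), here is a small Python audit that does over a constructed JS bundle what this section describes: it pulls out hosts and endpoints, flags environment-looking hostnames, credential-like literals and careless comments. It is just as useful for checking your own bundles before they ship; the sample bundle, hostnames and regex heuristics are all made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a shipped JS bundle (not from the talk). It deliberately contains
# the leftovers the notes list: endpoints, an internal staging host, credential-looking literals and a careless comment.
SAMPLE_JS = r"""
var API_BASE = "https://api.example.com/v2";
fetch(API_BASE + "/users/export", {method: "POST"});
// TODO: remove before release, staging only
var STAGE_URL = "https://stage-internal.example.com/admin/debug";
var awsAccessKeyId = "AKIAIOSFODNN7EXAMPLE";   // the example key id from AWS docs
var sessionToken = 'eyJhbGciOiJIUzI1NiJ9.e30.signature';
var label = "hello";
"""

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
PATH_RE = re.compile(r"""["'](/[A-Za-z0-9_\-./]+)["']""")   # quoted absolute paths
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")       # AWS access key id shape
# A credential-like variable name assigned a string literal of 16+ characters.
CRED_ASSIGN_RE = re.compile(
    r"""(?i)\b([a-z_]*(?:secret|token|password|api_?key|access_?key)[a-z_]*)"""
    r"""\s*[=:]\s*["']([^"']{16,})["']""")
# Line comments (the lookbehind skips the // inside URLs) and block comments.
COMMENT_RE = re.compile(r"(?<!:)//[^\n]*|/\*.*?\*/", re.S)
ENV_MARKERS = ("dev", "stage", "staging", "corp", "internal", "test", "qa")

def extract_endpoints(js):
    """Return (sorted hostnames, sorted absolute paths) referenced by the bundle."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(js)}
    return sorted(h for h in hosts if h), sorted(set(PATH_RE.findall(js)))

def flag_internal_hosts(hosts):
    """Hosts with a label matching the environment patterns the notes mention."""
    return [h for h in hosts if any(tok in ENV_MARKERS for tok in re.split(r"[-.]", h))]

def find_secret_candidates(js):
    """Credential-looking literals; the notes say to verify them before reporting."""
    found = [("aws_access_key_id", k) for k in AWS_KEY_RE.findall(js)]
    return found + CRED_ASSIGN_RE.findall(js)

def find_sensitive_comments(js):
    """Comments that hint at debug, staging or to-be-removed code."""
    return [c.strip() for c in COMMENT_RE.findall(js)
            if re.search(r"(?i)todo|fixme|remove|debug|internal|staging", c)]

def audit_bundle(js):
    hosts, paths = extract_endpoints(js)
    return {"hosts": hosts, "paths": paths, "internal_hosts": flag_internal_hosts(hosts),
            "secret_candidates": find_secret_candidates(js),
            "sensitive_comments": find_sensitive_comments(js)}
```

Run `audit_bundle(SAMPLE_JS)` to see every category populated; the regexes are heuristics, so treat hits as leads to verify, not findings.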
See you next time!