The 5 Hacking NewsLetter 14

Hey hackers! Once again, we scoured the Web to bring you the latest best resources related to pentest & bug bounty.

This issue covers the week from 27 of July to 03 of August.

T5HN14.png

Our favorite 5 hacking items

1. Tip of the week

Finding domains belonging to a specific target by @edoverflow

One of the most important steps during recon is finding domains that belong to your target.

Many talks and tweets tackle the question of subdomains enumeration, but there is a lot less information out there about finding domains. So it’s nice to read these practical tips from a confirmed bug hunter.

2. Site of the week

Eternal Noobs: Forum for IT security noobs

This is a new forum so there aren’t that many discussion threads yet, but the moderators are very reactive, and noob questions are welcome. So this seems to be the right place if you have any bug bounty or pentest questions and don’t know who to ask.

A couple of Web challenges have also been submitted by @brutelogic.

3. Video / Tool of the week

Haxcellent Adventures [Arsenal] - WPForce by @n00py1

As you can see in the Tools section of this newsletter, there are so many tools released every week! Some are innovative and efficient, others not so much. It is difficult to assess them without trying them, and as I lack time to perform a review of the dozen of tools that seems interesting to me each week, I prefer simply shared them with you so that you can have the information and make your own mind.

For these reasons, I love this new series by @sneakerhax where he tries a tool and gives his opinion on whether it is worth adding to his hacking arsenal or not. The tool in this first video is WPForce. I’ve already played with it while doing a challenge and confirm that it is very fast and effective.

4. Non technical item of the week

ZTH-CH2: - Security For Everyone by @ZephrFish

This article presents basic common sense advice to secure yourself online. It’s nothing new but a nice refresher, and could also serve as a tutorial to which you could refer friends, family or anyone that need easy practical tips to improve their online security.

5. Writeup of the week

Hacking IoT Cameras with s/swnb479e7d24/swn1bf9f32f2/g
Hacking Swann & FLIR/Lorex home security camera video

This is a great real-life example of how to exploit IoT devices. The attacks are not technically complicated and there isn’t any mention of a bounty, but I think it is fascinating and scary to see how easy it is to hack these cameras. A simple IDOR to access the video feed of any other camera that’s online!

Other amazing things we stumbled upon this week

Stuff to watch/listen to

Tutorials

Medium to advanced

Beginners corner

Writeups

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

Tools

  • Cisco Hostscan Bypass: Script for bypassing AnyConnect hostscan requirements
  • Neto: A tool to analyse browser extensions
  • Raccoon: A high performance offensive security tool for reconnaissance and vulnerability scanning
  • Fluxion: Hacking WPA/WPA2 without brute force
  • AutoSploit: Automated Mass Exploiter
  • CertCrunchy: A recon tool that uses data from SSL Certificates to find potential host names
  • OWASP Dependency-Check: A software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies
  • Telewreck: A Burp extension to detect and exploit versions of Telerik Web UI vulnerable to CVE-2017-9248
  • GoAltdns: A permutation generation tool written in golang
  • Remote-Desktop-Caching-: Recover old RDP (mstsc) session information in the form of broken PNG files

Misc. pentest & bug bounty resources

Challenges

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this last week. You’re welcome to read them directly on Twitter: Tweets from 07/27/2018 to 08/03/2018


Have a nice weekend folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…


Comments