Hey hackers! This is our latest selection of resources for pentesters and bug hunters. It covers the week from 21 to 28 September.
Our favorite 5 hacking items
1. Tips of the week
5 Tips Bug Bounty Programs Want You to Know About by @d0nutptr
Lately on Twitter, there has been a lot of controversy/noise/discontentment around bug bounty platforms, particularly HackerOne. Personally, I believe that the best way to succeed and be happy at work in general is to have a flawless attitude, give constructive criticism, then, if you’re really not happy with your work environment, move on to another one.
With this same spirit, this blog post offers great information that could help you improve your bug hunting experience. It’s a must read.
2. Writeup of the week
Thick Client - Attacking databases the fun/easy way by Richard Clifford
This is a very simple bug with high impact: by analyzing a desktop application’s traffic, Richard found database credentials sent over a clear-text connection. He used them to remotely connect to the database, dump its contents and (because it was running as SYSTEM!) create new users on the system and pivot through the network.
Testing thick clients is not necessarily complicated and could allow you to discover high reward bugs without much effort.
3. Tools of the week
gimmecredz for Linux by @0xmitsurugi
PassCat for Windows by @maldevel
These are two tools to use post-exploitation, to extract passwords from many known locations like files, browsers, apps, etc.
There are many cheatsheets out there to follow once you have a foothold on a target, and also tools for generic information gathering and privilege escalation, but it’s the first time I’ve seen tools that gather credentials specifically. This is very handy for pentesters, especially if you lack time and want to quickly gather sensitive information for a PoC or for pivoting.
4. Tutorial of the week
Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters by @yamakira_
Ah, JavaScript! So many good bugs disclosed by bug hunters are found by manual analysis of JavaScript code: sensitive information disclosure, new endpoints, hardcoded credentials, usage of dangerous functions… So even if I have an aversion for source code analysis, JavaScript bugs are too good to ignore.
This tutorial is a very nice start: it explains how to obtain JavaScript files, make the code readable and identify common vulnerabilities manually or using tools.
5. Resource of the week
BugBountyNotes, particularly the Challenges & Tutorials section by @zseano
@zseano did an amazing job with this site! It has several good sections all dedicated to bug hunting: forum, challenges, tutorials, references to tools, bug bounty programs, disclosed bugs… Other features are also on the way.
If you haven’t already checked it out, I recommend starting with the challenges and the Hacking with ZSeano: Recon Part two tutorial.
Other amazing things we stumbled upon this week
Videos, Conferences & Podcasts
Videos
- The Curse of Cross-Origin Stylesheets - Web Security Research
- Hacking Basic Authentication with Nmap and Hydra - Web Application Pentesting Series 2018 | Lesson 6
- Hacker101 - Secure Architecture Review
Podcasts
- 5 Year Plan into InfoSec Part 2 & WEBCAST: John Strand’s 5 Year Plan into InfoSec Part 2
- Ep. 25, No Trevor jokes
Tutorials
Medium to advanced
- Auditing Bitbucket Server Data for Credentials in AWS
- MSF Meterpreter and Railgun
- Hacking with Git: Git-Enum metasploit module release
- How to hack VeChainThor?
Beginners corner
- Email Spoofing With Netcat/Telnet
- Nmap Cheatsheet
- Hashcat Tutorial – The basics of cracking passwords with hashcat
Writeups
- TradingView Charting Library XSS Vulnerability | Victor Zhu
- Missing Updates and Site Misconfiguration Can Lead to Exposed Backups
Tools
If you don’t have time
- WiPray: Wifi Password Spray
- celerystalk: An asynchronous enumeration & vulnerability scanner. Run all the tools on all the hosts.
Don't just scan IPs. Or just subdomains. Scan every IP and every subdomain that resolves to an in-scope IP. Oh, and get a list of the out of scope subdomains to review
./celerystalk scan -f nmap.xml -o /pentest/client -d domain1[dot]com, domain1[dot]net https://t.co/D76A04r2xA
— Seth Art (@sethsec) September 25, 2018
- Acamar: A Python3 based single-file subdomain enumerator
- SubScraper: External pentest tool that performs subdomain enumeration through various techniques. In addition, SubScraper will provide information such as HTTP & DNS lookups to aid in potential next steps.
More tools, if you have time
- cspparse: A tool to evaluate Content Security Policies
- WhatWaf: Detect and bypass web application firewalls and protection systems
- Vibe: A framework for stealthy domain reconnaissance
- Mail Security Testing Framework: A testing framework for mail security and filtering solutions
- Recon Pi: ReconPi - A lightweight recon tool that performs extensive scanning with the latest tools
Misc. pentest & bug bounty resources
- Week in OSINT #2018–38
- Facebook Security Update: Technical details on Facebook’s latest hack affecting almost 50 million accounts
- Password Tips from a Pen Tester: Are 12-Character Passwords Really Stronger, or Just a Dime a Dozen?
- awesome-security-apis: A collective list of public JSON APIs for use in security
Non-technical
- The Penetration Testing Report
- How Can I Become A Pentester?
- A Career in Information Security: FAQ (Part 1)
- Can You Enjoy Work Too Much?
- Becoming more productive while working less
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/21/2018 to 09/28/2018
Have a nice week folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…