The 5 Hacking NewsLetter 23

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 5 to 12 of October.


Our favorite 5 hacking items

1. Book of the week

The Art of Subdomain Enumeration by Appsecco

The folks from Appsecco regularly share great information and tools on recon and particularly subdomain enumeration, including two LevelUp talks and now this free book. I highly recommend it, but make sure to take notes and integrate the different techniques into your subdomain enumeration methodology to benefit from it.

2. Writeup of the week

How I hacked modern Vending Machines

This was a fun read! It’s a bug found on a vending machine’s Android app: anyone could buy stuff with a zero-credit account.

It’s a nice example of reverse engineering an Android app, detecting and exploiting weak database encryption.

3. Tool of the week

Certstream by Cali Dog Security

There are a lot of tools to monitor Certificate Transparency logs nowadays. Although I already use some of them like Censys, Crt.sh & Facebook’s CT monitoring tool, I immediately added this one to my methodology because it presents a stream that is updated with SSL certificates in real time!

You can interact with the CT log stream using libraries provided in Python, Javascript, Go or Java.

4. Video of the week

Eliminating False Assumptions in Bug Bounties by Frans Rosén @fransrosen (OWASP Stockholm)

This is a relatively short talk but the advice given is gold, especially if you are new to bug hunting. Frans talks about the ups and downs of bug bounty and gives some tips to avoid dupes, N/As and boredom.

For example, he recommends hunting on old programs with a large attack surface like Google, Facebook or Yahoo because they put up new code all the time and are less tested since most newbies go for the new programs.

5. Resource of the week

XSS Cheat Sheet by @brutelogic

This is a good cheat sheet that can be helpful if you’re stuck with an XSS filter or learning about this type of bug.

It contains a list of XSS payloads broken down by context (HTML, JavaScript, File Upload, DOM…), exploitation examples and other tips all related to XSS.

Other amazing things we stumbled upon this week

Videos, Conferences & Podcasts

Conferences
Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Tools

If you don’t have time

  • NNDefaccts: nnposter’s alternate fingerprint dataset for Nmap script http-default-accounts
  • Metadata-Attacker: A tool to generate media files (.jpg, .mp3, .mp4) with malicious metadata like XSS vectors

More tools, if you have time

  • ReconDog: Reconnaissance Swiss Army Knife
  • Atlas: Quick SQLMap Tamper Suggester
  • Andrax: A penetration testing platform developed specifically for Android smartphones, ANDRAX has the ability to run natively on Android so it behaves like a Linux distribution
  • Unc0ver: Directory Fuzzer for Pentesting and Host Recon
  • KEIHash: A program to parse pcap files and calculate the KEIHash of SSH connections to fingerprint them
  • XXRF-Shots: Useful for testing SSRF vulnerability
  • AutoRDPwn: The Shadow Attack Framework
  • MicroBurst: A collection of scripts for assessing Microsoft Azure security
  • domain_hunter: A Burp Suite extender that searches for subdomains and similar domains from the sitemap, and gets related domains from certificates
  • tcpbin: Very crude and poorly written HTTP(s) and SMTP bin. It sets up TCP sockets on ports 80(http), 443(https), 25(smtp) to listen for incoming data. Then it dumps these to a log folder which can be viewed on port 8000(https).

Misc. pentest & bug bounty resources

Challenges

News

  • Retesting (beta): Each hacker that participates in the retest of a vulnerability will receive a $100 bounty upon completion
  • Developing the Researcher Experience on Bugcrowd
  • Project Strobe

    We discovered a bug in one of the Google+ People APIs:

    • Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
    • The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/05/2018 to 10/12/2018


Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…
