Bug bounty vs. Big companies.pdf

Viewer
Transcript

Bug bounty vs. Big companies Paul Amar, Hack.lu, 19/10/2017

Le Puy de Dôme, Auvergne.

Puy de Dome, Auvergne.

Charming attraction in the City of London - Tube during strike + rush hour combo, lovely.

“If attackers get to choose what time we're going to engage with them, we get to choose the battlefield.” Haroon Meer, “Learning the wrong lessons from Offense”, 2016

La bataille de Marengo, 14th of June 1800 - http://desaix.unblog.fr/

“If the cost to attack is less than the value of your information to the attacker, you will be attacked.” Dino A. Dai Zovi, “Attackers Math 101”

“Build your defenses from an offensive mindset.” Zane Lackey, “Attack-driven defense”, 2013

-

Found http://bf1-adxdb-001.data.bf1.yahoo.com

https://medium.com/bugbountywriteup/900-xss-in-yahoo-recon-wins-65ee6d4bfcbd

-

Found http://bf1-adxdb-001.data.bf1.yahoo.com Enumerated files and found: - about.php - nginx.conf - testdb.php < vulnerable to XSS - 900 USD$ bounty

https://medium.com/bugbountywriteup/900-xss-in-yahoo-recon-wins-65ee6d4bfcbd

-

Found http://bf1-adxdb-001.data.bf1.yahoo.com Enumerated files and found: - about.php - nginx.conf - testdb.php < vulnerable to XSS - 900 USD$ bounty

Enumeration also led him to (5 subdomains deep): -

target.*.*.*.yahoo.com target.*.*.*.*.yahoo.com

https://medium.com/bugbountywriteup/900-xss-in-yahoo-recon-wins-65ee6d4bfcbd

IP Ranges & Exposure

So what? Monitor your ranges and *automatically* check: - New IP addresses? -

What’s open on it?

So what? Monitor your ranges and *automatically* check: - New IP addresses? -

What’s open on it?

- Any delta? -

Open/Closed ports, changed services? (Apache > Nginx, …)

So what? Monitor your ranges and *automatically* check: - New IP addresses? -

What’s open on it?

- Any delta? -

Open/Closed ports, changed services? (Apache > Nginx, …)

- Go for low-hanging fruits -

“product: tomcat”, port:445, port:3389, port:21 “successfuly logged in”, …

So what? Monitor your ranges and *automatically* check: - New IP addresses? -

What’s open on it?

- Any delta? -

Open/Closed ports, changed services? (Apache > Nginx, …)

- Go for low-hanging fruits -

“product: tomcat”, port:445, port:3389, port:21 “successfuly logged in”, …

- Always ask you the question: -

Should it be exposed online?

Domains names

What’s out there? -

theHarvester (https://github.com/laramies/theHarvester) Knockpy (https://github.com/guelfoweb/knock) Enumall (https://github.com/jhaddix/domain) GoBuster (https://github.com/OJ/gobuster) dnsrecon (https://github.com/darkoperator/dnsrecon) subbrute (https://github.com/TheRook/subbrute) Aquatone (https://github.com/michenriksen/aquatone)

Domain wordlist? @jhaddix got you covered: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

https://media.rootcon.org/ROOTCON%2011/Trainings/RECON.pdf

https://www.blackhillsinfosec.com/eyewitness-and-why-it-rocks/

https://www.blackhillsinfosec.com/eyewitness-and-why-it-rocks/ https://github.com/ChrisTruncer/EyeWitness

https://hub.docker.com/r/wappalyzer/cli/

https://github.com/evilsocket/xray

SSL certificates

https://mishresec.wordpress.com/2 017/10/13/uber-bug-bounty-gainin g-access-to-an-internal-chat-syste m/

(Unofficial) Python API: https://github.com/PaulSec/crt.sh

(Unofficial) Python wrapper : https://github.com/PaulSec/censysio

http://nahamsec.com/secure-your-jenkins-instance-or-hackers-will-force-you-to/

Sensitive source code

What to look for? Use their search engine and start looking for g00di3s: "company" API_key "company" secret_key "company" aws_key "company" Password "company" FTP "company" Login "company" Github_token

https://www.hackerone.com/blog/how-to-recon-and-content-discovery

Remember this?

Remember this?

Remember this?

Automated tools within CI

https://bugbountyforum.com/tools/

Amazon Web Services (S3)

https://flaws.cloud

https://gist.github.com/PaulSec/50c5075017e3021d46d4560793353f1d

Wrapping-up

Few takeovers - Pepito ¡Arriba, arriba! -

https://github.com/PaulSec/pepito

- Wrapper for Censys.io -

https://github.com/PaulSec/censysio

- AWS scan script to test AWS S3 bucket configuration/security -

https://gist.github.com/PaulSec/50c5075017e3021d46d4560793353f1d

- Python script to gather scopes and public reports from HackerOne (in csv) -

https://gist.github.com/PaulSec/fd29abf7d596ccc58439e21376d3eabf

- eyeWitness - Perform footprint of web servers, RDP, VNC, ... -

https://github.com/ChrisTruncer/EyeWitness

- Wappalyzer docker container -

https://hub.docker.com/r/wappalyzer/cli/

How to keep up? - @jhaddix and @nahamsec are really good resources -

Also many hunters but I will not try to name them all here…

- @disclosedh1 for public reports on HackerOne - /r/netsec/ -

Public blog post get usually posted there. Lurk and wait for MOAR.

- Develop stuff.

Embrace hackiness. (and thanks for not sleeping)

Paul Amar

@PaulWebSec

Resources - “Learning the wrong lessons from Offense”, Haroon Meer https://www.youtube.com/watch?v=AQfbPpkaq88 - Zane Lackey - Attack-driven defense https://www.youtube.com/watch?v=_4vSurKPl6I - Recon slides from jhaddix https://media.rootcon.org/ROOTCON%2011/Trainings/RECON.pdf - How to recon? https://www.hackerone.com/blog/how-to-recon-and-content-discovery