Bug Bounty Hunting on Steroids

Not all hacking is fun. A lot of repetitive manual work is usually required to map the target infrastructure and decide which assets are worthy of giving attention to first. Surely there’s a better approach.

BountyMachine

August 11, 2018


Transcript

  1. @anshuman_bh @_devalias @mhmdiaa
    Bug Bounty Hunting on Steroids

  2. The Team
    ● Mohammed Diaa (@mhmdiaa): Developer, Bug Hunter. "Never send a human to do a machine’s job"
    ● Glenn ‘devalias’ Grant (@_devalias): Hacker, Polyglot Developer, Bounty Hunter, #SecDevOpsInTheCloudCyber™ enthusiast... Penetration Tester and Offensive Capability Development at TSS
    ● Anshuman Bhartiya (@anshuman_bh): Security Engineer, Bug Bounty Hunter. "Automate all the things!! All things as code!!"

  3. Agenda
    ● Problem?
    ● Current Situation
    ● Target: Ellingson Mineral Corporation
    ● Introducing BountyMachine
    ● Lessons Learned
    ● Conclusion

  4. Problem?
    ● Not all hacking is fun. A lot of it is manual, repetitive work.
    ● Building everything from scratch is a bad idea.
    ● How do we scale across thousands of targets?
    ● Things change all the time, so we need continuous monitoring.

  5. Current Situation

  6. Redundancy Between Tools
    Not-invented-here syndrome and anti-Unix-philosophy design are prevalent.

  7. An unmaintained tool is born
    https://xkcd.com/927/
    ● ToolA released: does a few things
    ● ToolB released: handles some missing bits, but fails in other areas
    ● Maintainers (often a single point of failure) move on to something new
    ● Back to square one!

  8. You can’t (shouldn’t) build everything from scratch

  9. Lack of Reliable Tool Comparisons
    You don’t know the right tool for the job unless you try all of them, and there are a lot of them.

  10. The situation is improving!
    The Bug Hunter’s Methodology by Jason Haddix (@jhaddix)
    https://github.com/jhaddix/tbhm
    Thanks, Jason! You’re awesome \m/

  11. (slide image only)

  12. Poor Interoperability
    Many tools just don’t play nicely with each other.

  13. ReconJSON
    ● JSON-based recon tool data output standard
    ● Increase interoperability between tools
    ● Enable a unix-philosophy recon tooling digital utopia!
    Join the discussion: https://github.com/ReconJSON/ReconJSON

  14. Scaling & Reliability
    Learning from the dev side of the tech world

  15. Scaling & Reliability
    ● Vertical scaling
      ○ More server, more money, more problems
    ● Horizontal scaling
      ○ Flexible, fault tolerant, cheaper
    ● Learn from the tech giants
      ○ Great architectures and tools to leverage

  16. Practical Research Environment
    There are tons of assets that you can hack legally.

  17. I just want to hack things...
    Wouldn’t it be nice to have:
    ● An organized database with all the assets that are legal to hack
      ○ Stick to the scope
    ● A supporting platform that collects data about these assets
      ○ Fast feedback loop
    ● A way to easily explore the asset data
      ○ Locate targets and #HackAllTheThings™

  18. It’s all about identifying assets
    What you don’t know about, you can’t protect.

  19. Unmaintained assets cause breaches
    https://snyk.io/blog/owasp-top-10-breaches

  20. Unmaintained assets cause breaches
    ● A9 - Using Components with Known Vulnerabilities: 12/50 breaches (24%)
    ● A5 - Security Misconfiguration: 10/50 breaches (20%)

  21. Real-time inventory of target assets
    Ephemeral assets, they said. It will be fine, they said.

  22. Attack surface is always evolving
    ● Code changes
      ○ Bugs/regressions
      ○ New code
      ○ Backups
    ● New assets
      ○ Hosts
      ○ Cloud services
      ○ Subdomains

  23. Target

  24. (slide image only)

  25. What we know...

  26. Let’s start the demo...

  27. Introducing BountyMachine

  28. Technologies

  29. Golang
    https://golang.org/

  30. Docker
    https://www.docker.com

  31. Kubernetes
    https://kubernetes.io/

  32. Argo
    https://argoproj.github.io/argo

  33. Architecture

  34. It starts with a target

  35. Everything is managed by queues

  36. The output of a workflow can be passed to another

  37. New results are identified by a diff worker

  38. Notifications only include new results

  39. The monitoring worker re-checks things as scheduled
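    The queue-driven pipeline described on slides 34 to 39 (a target goes in, workflows are chained so one's output feeds the next, a diff worker picks out what is new, only new results are notified, and a monitoring worker re-runs on a schedule), as an added Go example written for this transcript. It is not BountyMachine's own code: the Asset type, the Enumerate and Resolve stages, and the sample subdomain and resolver tables are assumptions constructed for the example, and goroutines and channels stand in for the Argo workflows and queues the talk describes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Asset is one recon result (hypothetical type, not the ReconJSON schema).
type Asset struct {
	Host   string
	Source string // stage that produced it
}

// Workflow is one pipeline stage: it reads the previous stage's queue and
// writes its own. Goroutines and channels stand in for Argo workflows and queues.
type Workflow func(in <-chan Asset, out chan<- Asset)

// Pipeline chains stages so each one's output queue feeds the next, seeds the
// first with the target, and collects what the last stage emits.
func Pipeline(seed Asset, stages ...Workflow) []Asset {
	first := make(chan Asset)
	go func() { first <- seed; close(first) }()
	var cur <-chan Asset = first
	for _, w := range stages {
		out := make(chan Asset)
		go func(w Workflow, in <-chan Asset, out chan<- Asset) {
			w(in, out)
			close(out)
		}(w, cur, out)
		cur = out
	}
	var results []Asset
	for a := range cur {
		results = append(results, a)
	}
	return results
}

// Constructed sample data so the example runs offline: what an enumerator
// would find per target, and which of those hosts fail to resolve.
var subdomains = map[string][]string{
	"ellingsoncorp.com": {"www", "press", "support", "blog", "help", "gibson", "old"},
}
var unresolved = map[string]bool{"old.ellingsoncorp.com": true}

// Enumerate expands each target into candidate subdomains.
func Enumerate(in <-chan Asset, out chan<- Asset) {
	for t := range in {
		for _, sub := range subdomains[t.Host] {
			out <- Asset{Host: sub + "." + t.Host, Source: "enumerate"}
		}
	}
}

// Resolve consumes Enumerate's queue and keeps only hosts that resolve.
func Resolve(in <-chan Asset, out chan<- Asset) {
	for a := range in {
		if !unresolved[a.Host] {
			out <- Asset{Host: a.Host, Source: "resolve"}
		}
	}
}

// Diff is the diff worker: keyed by host, it returns only assets absent from
// the previous snapshot, deduplicated and sorted, so a known host found again
// by another tool is not reported as new.
func Diff(previous, current []Asset) []Asset {
	seen := make(map[string]bool, len(previous))
	for _, a := range previous {
		seen[a.Host] = true
	}
	var fresh []Asset
	for _, a := range current {
		if !seen[a.Host] {
			seen[a.Host] = true
			fresh = append(fresh, a)
		}
	}
	sort.Slice(fresh, func(i, j int) bool { return fresh[i].Host < fresh[j].Host })
	return fresh
}

// Notify lists only the new results; an empty diff means nothing is sent.
func Notify(target string, fresh []Asset) string {
	if len(fresh) == 0 {
		return ""
	}
	var b strings.Builder
	fmt.Fprintf(&b, "[%s] %d new asset(s)\n", target, len(fresh))
	for _, a := range fresh {
		fmt.Fprintf(&b, "  %s (via %s)\n", a.Host, a.Source)
	}
	return b.String()
}

// Monitor is one scheduled run of the monitoring worker: run the pipeline,
// diff against the stored snapshot, return the notification and the new snapshot.
func Monitor(target string, snapshot []Asset) (string, []Asset) {
	current := Pipeline(Asset{Host: target, Source: "seed"}, Enumerate, Resolve)
	return Notify(target, Diff(snapshot, current)), current
}

func main() {
	msg, snapshot := Monitor("ellingsoncorp.com", nil)
	fmt.Print(msg)
	msg, _ = Monitor("ellingsoncorp.com", snapshot) // scheduled re-check: nothing new
	fmt.Printf("re-check message: %q\n", msg)
}
```

    The point of keying the diff on the host rather than on the raw tool output is that a second tool rediscovering a known host must not page anyone; the first run reports six hosts, the scheduled re-check against the stored snapshot reports nothing, and the host that fails to resolve never reaches the diff worker at all.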

  40. To sum up...

  41. Lessons Learned

  42. Geographic Limitations

  43. World Domination Headquarters
    ● GMT+2
    ● GMT-7
    ● GMT+10

  44. Communication

  45. Dealing with conflicts
    ● Check your ego
    ● Communicate openly, honestly and thoroughly!
    ● Stay open to new suggestions
    ● Delegate responsibilities
    ● Be flexible
    ● Code/data trumps assumptions

  46. Technology

  47. Technology
    ● Keep an open mind
    ● Explore what is out there
    ● Dig deep, understand how the underlying tech works
    ● Sometimes what you want doesn’t quite exist yet, and that’s ok
    ● ‘Simple’ problems sometimes take a while to solve well

  48. MVP? JIT!

  49. MVP? JIT!
    ● Plan at the macro level
    ● Handle intricate details Just In Time (JIT)
    ● Backlog anything not needed now
    ● Move fast and (hopefully don’t) break (too many) things
    ● Done is better than perfect

  50. About that demo...
    Remember Ellingson Mineral Corp?

  51. We started with...

  52. BountyMachine’s Bounty

  53. GitHub

  54. S3

  55. DNS

  56. www.ellingsoncorp.com

  57. press.ellingsoncorp.com

  58. support.ellingsoncorp.com

  59. blog.ellingsoncorp.com

  60. help.ellingsoncorp.com

  61. gibson.ellingsoncorp.com

  62. Conclusion

  63. Conclusion
    ● We can’t automate everything, but there is a lot we can
    ● Less wasted time means more fun hacks!
    ● Explore new tech, don’t be afraid to innovate
    ● Keep tooling simple and consumable (unix philosophy)
    ● Improve existing tools, don’t reinvent the wheel!
    ● Check your ego, collaborate, learn, share, and keep an open mind

  64. Special Thanks
    Thanks to the people who write open source tools.
    Those who understand that “Sharing is Caring”.
    For in the end, “None of us is as good as all of us.”

  65. Thanks!
    Any questions? Reach out to us!
    @anshuman_bh @_devalias @mhmdiaa