The Power of Recon_ Leveraging Recon for Easy $$$$

Transcript

1. The Power of Recon Leveraging Recon for Easy $$$$ T

   U S H A R V E RM A O F F E N S I V E S E C U RI T Y C O N S U L T A N T A T N E T S E N T RI E S T E C H N O L O G I E S

2. WHOAMI • Offensive Security Guy • Certifications • 1:AWS Certified

   Security – Speciality • 2:eLearnSecurity Certified Professional Penetration Tester • 3:eLearnSecurity Web Application Penetration Tester eXtreme • 4:AWS Certified Solutions Architect – Associate • 5:HTB Rastalabs(Red Team Operator Level 1) • 6:EC Council Certified Ethical Hacker • Interest: Application Security, Cloud Security, Red Teaming, Penetration Testing • Hall of Fame: Google, Apple and many more...........

3. Recon -->>> $$$$$ Understanding the scope Making the right approach

   and performing testing on target Increasing attack surface of target

4. What you should focus on????? Top Level Domains(TLDs) Subdomains Ip

   Addresses 3rd Party Services

5. If you are good at recon – always choose wide

   scope targets

6. Creating workflows by analyzing pro bug hunters

7. BUILDING YOUR OWN RECON APPROACH

8. Finding more subdomains than your friends amass enum -passive -d

   example.com -config config.ini subfinder -d example.com -all -config config.yaml gau --threads 5 --subs example.com | unfurl -u domains | sort -u waybackurls example.com | unfurl -u domains | sort -u -o output.txt github-subdomains -d example.com -t tokens.txt Crt.sh python3 ctfr.py -d target.com ( Refer this : https://sidxparab.gitbook.io/subdomain-enumeration-guide

9. Web probing & Technology Enumeration • Httpx • Unimap •

   Wappalyzer

10. Make Shodan Your Friend.... • More exposed assets • Easy

    P1s • Tools Shodan cli karma_v2

11. Exposed Services ---> RCE ---> $$$$

12. Demo Time

13. Web Archives to Easy P1($$$$$) • PII Data Leakage •

    Juicy Endpoints – can be used for injections based attacks • Outdated API Versions not in use or maintained

14. • gau http://hacked-site.com | waybackurls | grep ".xlsx" • gau

    http://hacked-site.com | waybackurls | grep ".pdf" • gau http://hacked-site.com | waybackurls | grep ".json" • ->Use various extensions to get the PII data leakage or sensitive endpoints • ->Try to find unused login panels • ->JavaScript endpoint enumeration and run nuclei exposure templates

15. Dorks for easy $$$$ • Jira Servers that may vulnerable

    to Template injection vulnerability [CVE-2019-11581] • Shodan:"/secure/ContactAdministrators!default.jspa" • Google: inurl:/secure/ContactAdministrators!default.jspa • CVE-2022-47966: ManageEngine RCE • Shodan Query: title:"ManageEngine" • CVE-2020-7961: Liferay Portal Unauthenticated RCE • Google dork:- inurl:/api/jsonws • Shodan:- Powered+By+Liferay • CVE-2023–36845 : Unauthenticated RCE in Juniper shodan: ”Juniper Web Device Manager”

16. Ignoring 403 – Big Mistake of your life

17. Questions

18. Reach out • Twitter: e11i0t_4lders0n • LinkedIn: tushars25 • Email:

    [email protected]