
The Power of Recon: Leveraging Recon for Easy $$$$


Tushar Verma

January 19, 2024


Transcript

  1. The Power of Recon: Leveraging Recon for Easy $$$$
     Tushar Verma, Offensive Security Consultant at NetSentries Technologies
  2. WHOAMI
     • Offensive Security Guy
     • Certifications:
       1. AWS Certified Security – Specialty
       2. eLearnSecurity Certified Professional Penetration Tester
       3. eLearnSecurity Web Application Penetration Tester eXtreme
       4. AWS Certified Solutions Architect – Associate
       5. HTB RastaLabs (Red Team Operator Level 1)
       6. EC-Council Certified Ethical Hacker
     • Interests: Application Security, Cloud Security, Red Teaming, Penetration Testing
     • Hall of Fame: Google, Apple and many more...
  3. Recon -->>> $$$$$
     • Understanding the scope
     • Making the right approach and performing testing on the target
     • Increasing the attack surface of the target
  4. Finding more subdomains than your friends
     • amass enum -passive -d example.com -config config.ini
     • subfinder -d example.com -all -config config.yaml
     • gau --threads 5 --subs example.com | unfurl -u domains | sort -u
     • waybackurls example.com | unfurl -u domains | sort -u -o output.txt
     • github-subdomains -d example.com -t tokens.txt
     • crt.sh: python3 ctfr.py -d target.com
     (Refer to: https://sidxparab.gitbook.io/subdomain-enumeration-guide)
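Each tool on this slide emits hosts in a slightly different shape (mixed case, trailing dots, crt.sh wildcards, full URLs from gau/waybackurls), and the `unfurl -u domains | sort -u` stage only covers part of that. The following is an added example, not from the talk, of the merge-and-scope step that sits after all five commands: it normalises every line to a bare hostname, drops anything outside the agreed root domains (including look-alike hosts that merely contain the root), and returns a deduplicated inventory. The sample lines and the scope set `{"example.com"}` are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: lines as amass, subfinder, ctfr (crt.sh), gau and
# waybackurls might emit them before normalisation. Not real tool output.
RAW_OUTPUT = """\
www.example.com
API.Example.com.
*.example.com
https://shop.example.com:443/cart?id=1
http://cdn.example.net/static/app.js
dev.example.com
example.com.evil-lookalike.com
www.example.com
"""

# Lowercase DNS hostname: one or more labels, each 1-63 chars, no leading/trailing hyphen.
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")


def normalise(line: str) -> Optional[str]:
    """Reduce one output line to a bare lowercase hostname, or None if it is not one."""
    line = line.strip()
    if not line:
        return None
    if "://" in line:                       # gau / waybackurls give full URLs
        line = urlsplit(line).hostname or ""  # strips scheme, port, path, query
    host = line.lower().rstrip(".")         # case-fold, drop FQDN trailing dot
    if host.startswith("*."):               # crt.sh wildcard cert: keep the apex only
        host = host[2:]
    return host if HOST_RE.match(host) else None


def in_scope(host: str, roots: set) -> bool:
    """True only if host is a root or a subdomain of it (dot-boundary suffix match)."""
    return any(host == r or host.endswith("." + r) for r in roots)


def merge_subdomains(raw: str, roots: set) -> list:
    """Merge multi-tool output into a sorted, deduplicated, in-scope host list."""
    hosts = {h for h in map(normalise, raw.splitlines()) if h}
    return sorted(h for h in hosts if in_scope(h, roots))


if __name__ == "__main__":
    for h in merge_subdomains(RAW_OUTPUT, {"example.com"}):
        print(h)
```

In practice the tool outputs are concatenated into one file and fed to `merge_subdomains` in place of `RAW_OUTPUT`; the scope set comes from the programme's published in-scope domains.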
  5. Web Archives to Easy P1 ($$$$$)
     • PII data leakage
     • Juicy endpoints – can be used for injection-based attacks
     • Outdated API versions that are no longer in use or maintained
  6. Web Archives to Easy P1 (continued)
     • gau http://hacked-site.com | waybackurls | grep ".xlsx"
     • gau http://hacked-site.com | waybackurls | grep ".pdf"
     • gau http://hacked-site.com | waybackurls | grep ".json"
     • -> Use various extensions to find PII data leakage or sensitive endpoints
     • -> Try to find unused login panels
     • -> JavaScript endpoint enumeration, then run the nuclei exposure templates
  7. Dorks for easy $$$$
     • Jira servers that may be vulnerable to template injection [CVE-2019-11581]
       • Shodan: "/secure/ContactAdministrators!default.jspa"
       • Google: inurl:/secure/ContactAdministrators!default.jspa
     • CVE-2022-47966: ManageEngine RCE
       • Shodan query: title:"ManageEngine"
     • CVE-2020-7961: Liferay Portal Unauthenticated RCE
       • Google dork: inurl:/api/jsonws
       • Shodan: Powered+By+Liferay
     • CVE-2023-36845: Unauthenticated RCE in Juniper
       • Shodan: "Juniper Web Device Manager"