Slide 1

Bug Bounty Hunting on Steroids
@anshuman_bh @_devalias @mhmdiaa

Slide 2

The Team
● Anshuman Bhartiya (@anshuman_bh): Security Engineer, Bug Bounty Hunter. “Automate all the things!! All things as code!!”
● Glenn ‘devalias’ Grant (@_devalias): Hacker, Polyglot Developer, Bounty Hunter, #SecDevOpsInTheCloudCyber™ enthusiast... Penetration Tester and Offensive Capability Development at TSS
● Mohammed Diaa (@mhmdiaa): Developer, Bug Hunter. “Never send a human to do a machine’s job”

Slide 3

Agenda
● Problem?
● Current Situation
● Target: Ellingson Mineral Corporation
● Introducing BountyMachine
● Lessons Learned
● Conclusion

Slide 4

Problem?
● Not all hacking is fun. A lot of manual, repetitive work.
● Building everything from scratch is a bad idea..
● How do we scale across thousands of targets?
● Things change all the time; we need continuous monitoring.

Slide 5

Current Situation

Slide 6

Redundancy Between Tools
Not-invented-here / anti-unix-philosophy thinking is prevalent.

Slide 7

An unmaintained tool is born
https://xkcd.com/927/
● ToolA released: does a few things
● ToolB released: handles some missing bits, but fails in other areas
● Maintainers (often a single point of failure) move on to something new..
● Back to square one!

Slide 8

You can’t (read: shouldn’t) build everything from scratch

Slide 9

Lack of Reliable Tool Comparisons
You don’t know the right tool for the job unless you try all of them.. and there are a lot...

Slide 10

The situation is improving!
The Bug Hunter’s Methodology by Jason Haddix (@jhaddix): https://github.com/jhaddix/tbhm
Thanks, Jason! You’re awesome \m/

Slide 11

Slide 12

Poor Interoperability
Many tools just don’t play nicely with each other.

Slide 13

ReconJSON
● JSON-based recon tool data output standard
● Increase interoperability between tools
● Enable a unix-philosophy recon tooling digital utopia!
Join the discussion: https://github.com/ReconJSON/ReconJSON

Slide 14

Scaling & Reliability
Learning from the dev side of the tech world.

Slide 15

Scaling & Reliability
● Vertical scaling
○ More server, more money, more problems
● Horizontal scaling
○ Flexible, fault tolerant, cheaper
● Learn from the tech giants
○ Great architectures and tools to leverage

Slide 16

Practical Research Environment
There are tons of assets that you can hack legally.

Slide 17

I just want to hack things...
Wouldn’t it be nice to have:
● An organized database with all the assets that are legal to hack
○ Stick to the scope
● A supporting platform that collects data about these assets
○ Fast feedback loop
● A way to easily explore the asset data
○ Locate targets and #HackAllTheThings™

Slide 18

It’s all about identifying assets
What you don’t know about, you can’t protect.

Slide 19

Unmaintained assets cause breaches
https://snyk.io/blog/owasp-top-10-breaches

Slide 20

Unmaintained assets cause breaches
● A9 - Using Components with Known Vulnerabilities: 12/50 breaches (24%)
● A5 - Security Misconfiguration: 10/50 breaches (20%)

Slide 21

Real-time inventory of target assets
Ephemeral assets, they said. It will be fine, they said.

Slide 22

Attack surface is always evolving
● Code changes
○ Bugs/regressions
○ New code
○ Backups
● New assets
○ Hosts
○ Cloud services
○ Subdomains

Slide 23

Target

Slide 24

Slide 25

What we know...

Slide 26

Let’s start the demo...

Slide 27

Introducing BountyMachine

Slide 28

Technologies

Slide 29

Golang: https://golang.org/

Slide 30

Docker: https://www.docker.com

Slide 31

Kubernetes: https://kubernetes.io/

Slide 32

Argo: https://argoproj.github.io/argo

Slide 33

Architecture

Slide 34

It starts with a target.

Slide 35

Everything is managed by queues.

Slide 36

The output of a workflow can be passed to another.

Slide 37

New results are identified by a diff worker.

Slide 38

Notifications only include new results.

Slide 39

The monitoring worker re-checks things as scheduled.
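The diff and notification steps from the architecture slides (new results identified by a diff worker, notifications carrying only those, a re-check that finds nothing new staying silent), sketched as an added Go example that is not BountyMachine's own code. The in-memory store, the hostname normalization and the message format are assumptions; the sample hosts are constructed from the deck's demo target.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Store stands in for BountyMachine's persistence (assumed in-memory here): results already reported, per target.
type Store struct{ seen map[string]map[string]bool }

func NewStore() *Store { return &Store{seen: map[string]map[string]bool{}} }

// normalize keeps "WWW.Example.COM." and "www.example.com" from counting as two hosts.
func normalize(host string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

// Diff is the diff worker: record a workflow's output for a target and return only
// the results never seen before, sorted so notifications are stable between runs.
func (s *Store) Diff(target string, results []string) []string {
	if s.seen[target] == nil {
		s.seen[target] = map[string]bool{}
	}
	known, fresh := s.seen[target], []string{}
	for _, r := range results {
		h := normalize(r)
		if h == "" || known[h] {
			continue // already reported (or an empty line from a tool): nothing to notify
		}
		known[h] = true
		fresh = append(fresh, h)
	}
	sort.Strings(fresh)
	return fresh
}

// Notify builds the message for the notification step; "" means nothing new,
// so a scheduled re-check that only finds known hosts sends nothing.
func Notify(target string, fresh []string) string {
	if len(fresh) == 0 {
		return ""
	}
	return fmt.Sprintf("[%s] %d new: %s", target, len(fresh), strings.Join(fresh, ", "))
}

func main() {
	s := NewStore() // constructed sample: first run, then a re-check that finds one new host
	fmt.Println(Notify("ellingsoncorp.com", s.Diff("ellingsoncorp.com", []string{"www.ellingsoncorp.com", "WWW.ellingsoncorp.com."})))
	fmt.Println(Notify("ellingsoncorp.com", s.Diff("ellingsoncorp.com", []string{"www.ellingsoncorp.com", "gibson.ellingsoncorp.com"})))
}
```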

Slide 40

To sum up...

Slide 41

Lessons Learned

Slide 42

Geographic Limitations

Slide 43

World Domination Headquarters
GMT+2, GMT-7, GMT+10

Slide 44

Communication

Slide 45

Dealing with conflicts
● Check your ego
● Communicate openly, honestly and thoroughly!
● Stay open to new suggestions
● Delegate responsibilities
● Be flexible
● Code/data trumps assumptions

Slide 46

Technology

Slide 47

Technology
● Keep an open mind
● Explore what is out there
● Dig deep, understand how the underlying tech works
● Sometimes what you want doesn’t quite exist yet.. and that’s ok
● ‘Simple’ problems sometimes take a while to solve well

Slide 48

MVP? JIT!

Slide 49

MVP? JIT!
● Plan at the macro level
● Handle intricate details Just In Time (JIT)
● Backlog anything not needed now
● Move fast and (hopefully don’t) break (too many) things
● Done is better than perfect

Slide 50

About that demo...
Remember Ellingson Mineral Corp?

Slide 51

We started with...

Slide 52

BountyMachine’s Bounty

Slide 53

GitHub

Slide 54

S3

Slide 55

DNS

Slide 56

www.ellingsoncorp.com

Slide 57

press.ellingsoncorp.com

Slide 58

support.ellingsoncorp.com

Slide 59

blog.ellingsoncorp.com

Slide 60

help.ellingsoncorp.com

Slide 61

gibson.ellingsoncorp.com

Slide 62

Conclusion

Slide 63

Conclusion
● We can’t automate everything, but there is a lot we can
● Less wasted time means more fun hacks!
● Explore new tech, don’t be afraid to innovate
● Keep tooling simple and consumable (unix philosophy)
● Improve existing tools, don’t reinvent the wheel!
● Check your ego, collaborate, learn, share, and keep an open mind

Slide 64

Special Thanks
Thanks to the people who write open source tools. Those who understand that “Sharing is Caring”. For in the end, “None of us is as good as all of us.”

Slide 65

Thanks! Any questions?
Reach out to us! @anshuman_bh @_devalias @mhmdiaa