Slide 1

The Power of Recon: Leveraging Recon for Easy $$$$
Tushar Verma, Offensive Security Consultant at NetSentries Technologies

Slide 2

WHOAMI
• Offensive Security Guy
• Certifications:
  1. AWS Certified Security – Specialty
  2. eLearnSecurity Certified Professional Penetration Tester
  3. eLearnSecurity Web Application Penetration Tester eXtreme
  4. AWS Certified Solutions Architect – Associate
  5. HTB RastaLabs (Red Team Operator Level 1)
  6. EC-Council Certified Ethical Hacker
• Interests: Application Security, Cloud Security, Red Teaming, Penetration Testing
• Hall of Fame: Google, Apple and many more...

Slide 3

Recon -->>> $$$$$
• Understanding the scope
• Making the right approach and performing testing on the target
• Increasing the attack surface of the target

Slide 4

What should you focus on?
• Top Level Domains (TLDs)
• Subdomains
• IP Addresses
• 3rd Party Services

Slide 5

If you are good at recon – always choose wide scope targets

Slide 6

Creating workflows by analyzing pro bug hunters

Slide 7

BUILDING YOUR OWN RECON APPROACH

Slide 8

Finding more subdomains than your friends
amass enum -passive -d example.com -config config.ini
subfinder -d example.com -all -config config.yaml
gau --threads 5 --subs example.com | unfurl -u domains | sort -u
waybackurls example.com | unfurl -u domains | sort -u -o output.txt
github-subdomains -d example.com -t tokens.txt
crt.sh: python3 ctfr.py -d target.com
(Refer to: https://sidxparab.gitbook.io/subdomain-enumeration-guide)
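Every tool on this slide emits hostnames in a slightly different shape (bare hosts, trailing dots, wildcard records, full URLs with ports and paths), and the `unfurl -u domains | sort -u` stage exists to collapse them into one list. The script below is an added example, not code from the slides or from any of the tools named; it does that merge step in Python and adds the scope check an asset-inventory owner wants, so that hosts that merely contain the apex string (`notexample.com`, `example.com.attacker.net`) are not counted as in scope. The sample output lines are constructed.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample lines in the shapes the slide's tools emit:
# mixed case, trailing dots, wildcard entries, full URLs, out-of-scope hosts.
SAMPLE_OUTPUT = """\
api.example.com
API.example.com.
*.dev.example.com
https://shop.example.com/cart?id=1
http://cdn.example.com:8443/static/app.js
mail.example.com
example.com
notexample.com
evil.example.com.attacker.net
"""


def normalize_host(line: str) -> Optional[str]:
    """Reduce one tool output line to a bare lowercase hostname, or None."""
    line = line.strip()
    if not line:
        return None
    if "://" in line:
        # gau/waybackurls style: a full URL; keep only the host part.
        host = urlsplit(line).hostname
        if not host:
            return None
    else:
        # amass/subfinder style: bare host, possibly with a port or path.
        host = line.split("/")[0].split(":")[0]
    host = host.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # a wildcard record still names a real zone
    return host or None


def in_scope(host: str, apex: str) -> bool:
    """True if host is the apex domain or a label-wise subdomain of it."""
    apex = apex.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def merge_subdomains(raw_outputs: List[str], apex: str) -> List[str]:
    """Merge several tools' outputs into one deduplicated, in-scope, sorted list."""
    hosts = set()
    for output in raw_outputs:
        for line in output.splitlines():
            host = normalize_host(line)
            if host and in_scope(host, apex):
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host in merge_subdomains([SAMPLE_OUTPUT], "example.com"):
        print(host)
```

Feed it the saved output files of each tool as separate strings; the label-wise check in `in_scope` is the part `sort -u` cannot do for you.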

Slide 9

Web probing & Technology Enumeration
• httpx
• Unimap
• Wappalyzer

Slide 10

Make Shodan Your Friend...
• More exposed assets
• Easy P1s
• Tools: Shodan CLI, karma_v2

Slide 11

Exposed Services ---> RCE ---> $$$$

Slide 12

Demo Time

Slide 13

Web Archives to Easy P1 ($$$$$)
• PII data leakage
• Juicy endpoints – can be used for injection-based attacks
• Outdated API versions no longer in use or maintained

Slide 14

• gau http://hacked-site.com | waybackurls | grep '\.xlsx'
• gau http://hacked-site.com | waybackurls | grep '\.pdf'
• gau http://hacked-site.com | waybackurls | grep '\.json'
• -> Use various extensions to find PII data leakage or sensitive endpoints
• -> Try to find unused login panels
• -> JavaScript endpoint enumeration, then run nuclei exposure templates
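A plain `grep ".pdf"` over archived URLs matches the string anywhere (`/pdfviewer?id=3`) and misses `Report.PDF?download=1`, so an owner auditing what the archives hold for their own domain gets noise and gaps. The script below is an added example, not code from the slides or from gau/waybackurls; it parses the URL path before looking at the extension, groups hits by extension, and also implements the previous slide's third bullet by reporting `/vN/` API prefixes for which an older version than the newest one still appears. The URL list is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed sample URLs in the shape gau/waybackurls return them.
SAMPLE_URLS = """\
https://example.com/reports/Q3-customers.xlsx
https://example.com/docs/Report.PDF?download=1
https://example.com/pdfviewer?id=3
https://example.com/api/v1/users.json
https://example.com/api/v3/users
https://example.com/api/v1/orders
https://example.com/api/v2/orders
https://example.com/static/app.js
https://example.com/admin/login.aspx
https://example.com/wp-json/wp/v2/users
""".splitlines()

# Extensions worth a second look when they show up in a public archive.
SENSITIVE_EXTENSIONS = {"xlsx", "xls", "csv", "pdf", "json", "sql", "bak", "zip"}

# Matches the first "/v<digits>/" (or trailing "/v<digits>") segment of a path.
API_VERSION = re.compile(r"^(?P<prefix>.*?/v)(?P<ver>\d+)(?:/|$)")


def path_extension(url: str) -> str:
    """Lowercase extension of the URL path's last segment; query string ignored."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in last:
        return ""
    return last.rsplit(".", 1)[-1].lower()


def find_sensitive_urls(urls: Iterable[str],
                        extensions=SENSITIVE_EXTENSIONS) -> Dict[str, List[str]]:
    """Group archived URLs by path extension, keeping only the extensions given."""
    hits = defaultdict(list)
    for url in urls:
        ext = path_extension(url)
        if ext in extensions:
            hits[ext].append(url)
    return dict(hits)


def older_api_versions(urls: Iterable[str]) -> Dict[str, List[int]]:
    """For each versioned API prefix, list the versions older than the newest seen."""
    seen = defaultdict(set)
    for url in urls:
        m = API_VERSION.match(urlsplit(url).path)
        if m:
            seen[m.group("prefix")].add(int(m.group("ver")))
    return {
        prefix: sorted(v for v in versions if v < max(versions))
        for prefix, versions in seen.items()
        if len(versions) > 1
    }


if __name__ == "__main__":
    for ext, urls in sorted(find_sensitive_urls(SAMPLE_URLS).items()):
        print(ext, urls)
    print(older_api_versions(SAMPLE_URLS))
```

Run it over the deduplicated output of the pipeline above; the old-version report is the list of endpoints to confirm are actually retired rather than merely undocumented.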

Slide 15

Dorks for easy $$$$
• Jira servers that may be vulnerable to template injection [CVE-2019-11581]
  • Shodan: "/secure/ContactAdministrators!default.jspa"
  • Google: inurl:/secure/ContactAdministrators!default.jspa
• CVE-2022-47966: ManageEngine RCE
  • Shodan query: title:"ManageEngine"
• CVE-2020-7961: Liferay Portal unauthenticated RCE
  • Google dork: inurl:/api/jsonws
  • Shodan: Powered+By+Liferay
• CVE-2023-36845: Unauthenticated RCE in Juniper
  • Shodan: "Juniper Web Device Manager"

Slide 16

Ignoring 403 – Big Mistake of your life

Slide 17

Questions

Slide 18

Reach out
• Twitter: e11i0t_4lders0n
• LinkedIn: tushars25
• Email: [email protected]