
Recon Slides by Anon_Y0gi

The slides for the "Recon for BugBounty" webinar held on 5th March 2023 on hacklido.

Anon_Y0gi

March 06, 2023

Transcript

  1. WHOAMI?
     Agnibha Dutta (Anon_Y0gi)
     Security Analyst, pursuing MBBS, part-time bug bounty hunter, eJPT certified.
     Successfully hacked and secured: Sony, Acronis, NASA + 20 other companies.
     https://twitter.com/AnonY0gi
     https://www.youtube.com/@y0gisec
  2. WHAT IS RECONNAISSANCE?
     Reconnaissance, also known as Recon, is one of the most important aspects of penetration testing. Recon helps you increase the attack surface and may yield more vulnerabilities, but the ultimate goal is to dig deep into the target.
     Recon = Increase in attack surface = More vulnerabilities
     Recon = Finding untouched endpoints = Fewer duplicates
     Recon = Sharpening your axe before the attack
  3. SUBDOMAIN ENUMERATION
     Subdomain enumeration is the process of finding subdomains for one or more domains.
     Tools used:
     Visual recon: VirusTotal, subdomainfinder.c99.nl
     https://crt.sh/?q=%25.target.com
     https://securitytrails.com/list/apex_domain/target.com
     https://www.shodan.io/search?query=Ssl.cert.subject.CN%3A%22target.com%22
     Amass, Dnsx, Subfinder, Chaos, AssetFinder
  4. SUBDOMAIN ENUMERATION
     amass enum -passive -norecursive -noalts -df domains.txt -o subs-list.txt
     dnsx -silent -d $domain -w ~/wordlist.txt -o ~/dnsbrute.txt
     cat domain.txt | dnsgen - | massdns -r ~/resolvers.txt -o S -w alive.txt
  5. FILTERING THE SUBDOMAINS WITH HTTPX
     httpx -l domain.txt -timeout 13 -o domain-probe.txt
     PORT SCANNING
     naabu -list sub-list.txt -top-ports 1000 -exclude-ports 80,443,21,22,25 -o ports.txt
     naabu -list sub-list.txt -p - -exclude-ports 80,443,21,22,25 -o ports.txt
     cat domain-subs.txt | aquatone -ports xlarge -scan-timeout 300 -out aquatone.txt
  6. SUBDOMAIN OF SUBDOMAIN ENUMERATION
     One of the rare things people search for.
     Tools used:
     Subbrute: https://github.com/TheRook/subbrute
     altdns: https://github.com/infosec-au/altdns
     Usage: ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s output.txt
  7. SCREENSHOT TOOLS
     Capable of taking screenshots of websites to view offline anytime.
     Tools used:
     EyeWitness: https://github.com/FortyNorthSecurity/EyeWitness
     httpscreenshot: https://github.com/breenmachine/httpscreenshot
  8. BROADENING YOUR SCOPE
     More targets lead to more options, which ultimately lead to more opportunities.
     Crunchbase
     bgp.he.net
     tools.whoisxmlapi.com
     https://whois.arin.net
  9. WHAT TO DO AFTER ENUMERATION? | Collecting URLs
     Waybackurls: https://github.com/tomnomnom/waybackurls
     Gau: https://github.com/lc/gau
     for i in $(cat domain-subs.txt); do gau $i | egrep -vE "\.(woff|woff2|ttf|otf|eot|webp|gif|tiff|bmp|wav|png|jpg|jpeg|svg|ico|css|mp4|m4v)" | httpx -silent -fc 404 | tee -a domain-archive.txt; done
     https://web.archive.org/cdx/search/cdx?url=*.target.com&fl=original&collapse=urlkey
  10. TIPS AND TRICKS (by Aditya_Shende)
      After collecting URLs, curl out the responses of the URLs and grep for the following:
      drive.google
      docs.google
      /spreadsheets/d/
      /document/d/
      cat domains.txt | katana -silent | while read url; do cu=$(curl -s "$url" | grep -E '(drive\.google|docs\.google|spreadsheets/d|document/d/)'); echo -e "==> $url\n$cu"; done
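The two steps above (drop static assets from the archived URL list, then pick Google Drive/Docs references out of each response body) as an added Python example that is not part of the deck; the extension list mirrors the slide's egrep filter, and the sample URLs and response body are constructed, not captured from any host:

```python
import re
from urllib.parse import urlparse

# Static-asset extensions the slide's gau | egrep -v filter drops ("toff" read as "otf").
STATIC_EXT = {"woff", "woff2", "ttf", "otf", "eot", "webp", "gif", "tiff", "bmp",
              "wav", "png", "jpg", "jpeg", "svg", "ico", "css", "mp4", "m4v"}

def is_static_asset(url: str) -> bool:
    """True when the URL *path* ends in a static-asset extension.
    Testing the parsed path instead of the raw string avoids dropping
    hosts like png.example.com or query strings like ?fmt=png."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return "." in last and last.rsplit(".", 1)[-1].lower() in STATIC_EXT

def filter_archive_urls(urls):
    """Drop static assets and duplicates from gau/waybackurls output, keeping order."""
    seen, kept = set(), []
    for u in (x.strip() for x in urls):
        if u and u not in seen and not is_static_asset(u):
            seen.add(u)
            kept.append(u)
    return kept

# The Drive/Docs references the slide greps for, with the dots escaped and
# /spreadsheets/d/ and /document/d/ anchored to their ID segment.
DOC_LINK = re.compile(
    r"https?://(?:drive|docs)\.google\.com/[^\s\"'<>]*"
    r"|/(?:spreadsheets|document)/d/[A-Za-z0-9_-]+"
)

def find_doc_links(body: str):
    """Unique Google Drive/Docs references in one response body."""
    return sorted({m.group(0) for m in DOC_LINK.finditer(body)})

# Constructed sample input (made-up hosts and paths, not real data).
SAMPLE_URLS = [
    "https://y0gi.hacklido.com/",
    "https://y0gi.hacklido.com/static/app.css",
    "https://y0gi.hacklido.com/static/app.css",
    "https://y0gi.hacklido.com/api/export?fmt=png",
    "https://png.hacklido.com/admin/",
    "https://y0gi.hacklido.com/fonts/a.woff2?v=3",
]
SAMPLE_BODY = ('<a href="https://docs.google.com/spreadsheets/d/1AbC_x-9/edit">sheet</a>'
               '<a href="/document/d/ZZ9">doc</a> <img src="/static/logo.png">')

if __name__ == "__main__":
    for u in filter_archive_urls(SAMPLE_URLS):
        print("==>", u)
    print(find_doc_links(SAMPLE_BODY))
```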
  11. TIPS AND TRICKS
      Using SQLiDetector to search for SQLi.
      Tool link: https://github.com/eslam3kl/SQLiDetector
  12. SHODAN FOR RECON
      Shodan: https://www.shodan.io/
      ssl:"target[.]com" 200 http.title:"dashboard" -- unauthenticated dashboard
      org:"target.com" x-jenkins 200 -- unauthenticated Jenkins server
      ssl:"target.com" 200 proftpd port:21 -- proftpd on port 21
      org:"target.com" http.html:zabbix -- CVE-2022-24255, main & admin portals: authentication bypass
      org:"target.com" http.title:"phpmyadmin" -- phpMyAdmin
      ssl:"target.com" http.title:"BIG-IP" -- F5 BIG-IP, using CVE-2020-5902
      Shodan dork writeup: How I found XSS by searching in Shodan
  13. FFUF-ing RECON: FUZZING FOR SENSITIVE FILES & DIRECTORIES
      ffuf: https://github.com/ffuf/ffuf
      Writeup on FFuf
      for i in $(cat host.txt); do ffuf -u $i/FUZZ -w wordlist.txt -mc 200,302,401 -se; done
      Tip: Fuzz for "/wp-content/debug.log" || Sometimes they contain SQL errors, which can be chained.
  14. FINDING SOURCE/BACKUP FILES
      For y0gi.hacklido.com, the host's own labels plus common names are tried as archives in the root and in the matching directories:
      y0gi.hacklido.com/y0gi.zip - hacklido.zip - admin.zip - backup.zip
      y0gi.hacklido.com/y0gi/y0gi.zip - hacklido.zip - admin.zip - backup.zip
      y0gi.hacklido.com/hacklido/y0gi.zip - hacklido.zip - admin.zip - backup.zip
      y0gi.hacklido.com/admin/y0gi.zip - hacklido.zip - admin.zip - backup.zip
      Tool: https://github.com/musana/fuzzuli
      Credit: GodfatherOrwa
  15. TRIVIAL TRICKS: GOOGLE & GITHUB DORKING
      Find sensitive data in cloud storage:
      site:http://s3.amazonaws.com "target[.]com"
      site:http://blob.core.windows.net "target[.]com"
      site:http://googleapis.com "target[.]com"
      site:http://drive.google.com "target[.]com"
      GitHub leaks for AWS, Jira, Okta, etc.:
      org:"target" pwd/pass/passwd/password
      "target.atlassian" pwd/pass/passwd/password
      "target.okta" pwd/pass/passwd/password
      "jira.target" pwd/pass/passwd/password
      Also search in Google Groups and GitLab.
      Credit: GodfatherOrwa
  16. JAVASCRIPT [JS] FILES RECON
      Grep all URLs from wayback or gau.
      Collect all ".js" files.
      Filter JS files: httpx -content-type | grep 'application/javascript'
      Perform a Nuclei scan: nuclei -t /root/nuclei-templates/exposures/
      JS recon tip: collect all endpoints from the JS files and create a wordlist from those. Craft a POST request with any parameter and use that request to fuzz for sensitive directories.
      Tools: JSFSCAN, JSMiner (Burp extension), Trufflehog
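The "collect endpoints from JS files and build a wordlist" step as an added Python example, not code from the deck or from the tools it names; the JS bundle below is constructed, and the asset-extension set is an assumption about which quoted paths are not worth fuzzing:

```python
import re
from urllib.parse import urlparse

# Quoted absolute URLs or root-relative paths, as they appear in bundled JS.
PATH_RE = re.compile(r"""["'`](https?://[^"'`\s]+|/[A-Za-z0-9_./?=&-]*)["'`]""")
# File types that are assets rather than API endpoints (assumed list).
ASSET_EXT = {"js", "map", "css", "png", "jpg", "jpeg", "gif", "svg", "ico", "woff", "woff2", "ttf"}

def extract_endpoints(js: str) -> list:
    """Every quoted URL/path in the JS source, de-duplicated in first-seen order."""
    seen, out = set(), []
    for m in PATH_RE.finditer(js):
        v = m.group(1)
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out

def endpoints_to_wordlist(endpoints) -> list:
    """One word per path segment: query string dropped, asset files skipped."""
    seen, words = set(), []
    for e in endpoints:
        path = urlparse(e).path if "://" in e else e.split("?", 1)[0]
        segs = [s for s in path.split("/") if s]
        if segs and "." in segs[-1] and segs[-1].rsplit(".", 1)[-1].lower() in ASSET_EXT:
            continue
        for s in segs:
            if s not in seen:
                seen.add(s)
                words.append(s)
    return words

# Constructed sample of a front-end bundle; hosts and paths are made up.
SAMPLE_JS = """
const API = "/api/v2";
fetch(API + "/users/me", {method: "GET"});
axios.post("/api/v2/auth/refresh", {token: t});
const img = "/static/img/logo.png";
window.open('https://cdn.example.org/lib/app.js');
$.ajax({url: "/internal/export?format=csv"});
"""

if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE_JS)
    print("\n".join(eps))              # endpoints, one per line
    print("\n".join(endpoints_to_wordlist(eps)))  # wordlist for ffuf -w
```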
  17. BE HUMBLE WITH THE PROGRAM
      Some data is intended; no bug there. Verify the data.
      Don't get angry; you may lose bonds with a good program.
      Reported > Invalid.
      Your crafting and exploits are gold. Make the impact as high as you can.
      Yes, they do accept third party.
      Money going nowhere. Don't message the team constantly.
  18. THANK YOU
      WWW.HACKLIDO.COM