SlideShare a Scribd company logo

Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits

ā€¢
ā€¢
Harsh Bothra
Harsh Bothra

The process of penetration testing starts with the "Reconnaissance Phase". This phase, if performed carefully, always provides a winning situation. However, Often in the application security and bug bounty hunting, recon is mapped to finding some assets and uncovering hidden endpoints only & is somewhat under-utilized. Recon is the most crucial thing in application security and bug bounties which always keeps you separated from a competing crowd and gives easy wins. In "Weaponizing Recon - Weaponizing Recon - Shamshing Applications for Security Vulnerabilities & Profit", will cover the deepest and most interesting recon methodologies to be one step ahead of your competition and how to utilize the tools and publicly available information to map your attack surface & maximize the profit. During the talk, we will cover: 1. Introduction to Recon 2. Basic Recon 101 3. Mapping Attack Surface with Basic Recon 4. Weaponizing Recon to Hit Attack Surface 5. Recon Hacks 101 6. Practical Offensive Recon 7. Automating Recon for Profit 8. Finding Vulnerabilities with Recon 9. Creating your own Recon Map 10. Practical Examples & Demonstrations

Sports
1 of 27
Download to read offline
Weaponizing Recon Smashing Applications for Security Vulnerabilities & Profits Harsh Bothra
$echo(ā€˜whoamiā€™) ā€¢ Security Engineer at Security Innovation ā€¢ Bugcrowd Top 200 Researchers ā€“ All Time ā€¢ Synack Red Team Member ā€¢ Author ā€“ Hacking: Be a Hacker with Ethics ā€¢ Author ā€“ Mastering Hacking: The Art of Information Gathering & Scanning ā€¢ Blogger ā€¢ Occasional Trainer & Speaker ā€¢ Poet ā€¢ Lifelong Learner @harshbothra_
Get in Touch at Website ā€“ https://harshbothra.tech Twitter - @harshbothra_ Instagram - @harshbothra_ Medium - @hbothra22 LinkedIn - @harshbothra Facebook - @hrshbothra Email ā€“ hbothra22@gmail.com @harshbothra_
Agenda Recon 101 Recon for Pentesters & Bug Bounty Hunters Attack Surface (AS) & Attack Vectors (AV) Mapping AS & AV with Recon What we have vs What we get Building Recon Arsenal Weaponizing your Recon Game Smart Recon a.k.a. Recon Hacks 101 Automating Recon Finding Vulnerabilities with Recon Creating your own Recon Workflow Example of Easy Wins from Recon Final Notes and Further Roadmap @harshbothra_
RECON 101 ā€¢ What ā€¢ Why ā€¢ When ā€¢ How Of Recon @harshbothra_
Recon for Pentesters & Bug Bounty Hunters ā€¢ How Recon is useful for Bug Bounty Hunter & Pentesters ā€¢ Finding Hidden Endpoints ā€¢ Increasing Attack Surface ā€¢ Discovering More Assets ā€¢ Exposed IoT Services/Devices ā€¢ Exposed Sensitive Directories ā€¢ Exposed Internal Domains/Source Code/Secrets ā€¢ Accessing the limited/restricted resources More Assets == Bigger Attack Surface == More Vulnerabilities ā€¢ (But wait, what are those assets you are talking about???) @harshbothra_
Attack Surface (AS) & Attack Vectors (AV) ā€¢ Attack Surface ā€“ Areas, Endpoints, and every accessible point where an attacker can perform any potential vulnerability assessment which may impact C.I.A. . ā€¢ Attack Vectors ā€“ The possible methods an attacker can use to impact C.I.A. in the available attack surface. ā€¢ Why Mapping Attack Surface is Necessary? ā€¢ Most of the people donā€™t do it. ā€¢ Allows you to keep a track of all available options you must test and thus gives you a better visibility. ā€¢ Allows you discovery more hidden endpoints and content discovery. ā€¢ You wonā€™t miss any endpoint for sure. ā€¢ Organized approach especially when testing a huge scope target and helps you when you revisit the target later. ā€¢ Allows you to craft Attack Vectors accordingly and Saves a lot of time ā€¢ & Obviously, keeps you one step up than your competition. @harshbothra_
Mapping AS & AV with Recon ā€¢ Now, it is important to know how recon can help you map your AS & AVs. This is something that you can look at while trying to map AS & AVs: ā€¢ Based on Scope ā€“ (Small vs Large Scope) ā€¢ Based on Internet Presence (Github, Search Engines, OSINT Based AV are high there) ā€¢ Based on Asset Type (Is it a unique business logic or just another file upload functionality, you know how to hit it right?) ā€¢ Based on Visual Inspection (Visiting every functionality and looking for viable test cases for each functionality) Letā€™s Understand all of these with the help of examples. @harshbothra_
What we have (Before Recon) vs What we get (After Recon) ā€¢ Before Recon ā€¢ Targetā€™s Name ā€¢ Scope Details ā€¢ High-Level Overview of Application ā€¢ Credentials/Access to the Application ā€¢ And some other information based upon target, thatā€™s it on high level? ā€¢ After Recon ā€¢ List of all live subdomains ā€¢ List of interesting IPs and Open Ports ā€¢ Sensitive Data Exposed on Github ā€¢ Hidden Endpoints ā€¢ Juicy Directories with Sensitive Information ā€¢ Publicly exposed secrets over various platforms ā€¢ Hidden Parameters ā€¢ Low hanging vulnerabilities such as Simple RXSS, Open Redirect, SQLi (Yeah, I am serious) ā€¢ Scope from 1x to 1000x ā€¢ And list goes on like thisā€¦. @harshbothra_
Building Recon Arsenal /// Here we will talk about the process we need to carry out during recon and tools and services that will help us speed up things /// @harshbothra_
/// Tools That I Use /// ā€¢ Subdomain Enumeration ā€¢ Assetfinder ā€¢ Amass ā€¢ Subfinder ā€¢ Aquatone ā€¢ Chaos.projectdiscovery.io ā€¢ Securitytrails.com ā€¢ OneForAll ā€¢ Intel Gathering ā€¢ Amass ā€¢ Whois ā€¢ Shodan ā€¢ Github ā€¢ Search Engine Dorking @harshbothra_
/// Tools That I Use /// ā€¢ Directory Bruteforcing/Content Discovery ā€¢ dirsearch ā€¢ fuff ā€¢ gospider ā€¢ gobuster ā€¢ Burp Suite :D with appropriate lists ā€¢ Subdomain Takeovers ā€¢ Subjack ā€¢ Aquatone ā€¢ Tko-subs ā€¢ Can-i-takeover-xyz (for a quick reference for manual reference) @harshbothra_
/// Tools That I Use /// ā€¢ Parameter Discovery ā€¢ Arjun ā€¢ ParamSpider ā€¢ Github Recon/Leak Finding ā€¢ Githound ā€¢ Secret Finder ā€¢ Gitrob ā€¢ Trufflehog ā€¢ Port Scanning & Vulnerable Service Identification ā€¢ Nmap ā€¢ Masscan ā€¢ Naabu ā€¢ JS Link Analysers ā€¢ JS-Scan ā€¢ Burp JS Link Finder ā€¢ Link Finder @harshbothra_
/// Tools That I Use /// ā€¢ Useful Scripts & Tools to Automate Recon ā€¢ Httprobe ā€¢ Waybackurls ā€¢ Tomnomnomā€™s Hacks ā€¢ gwen001/pentest-tools ā€¢ Haklukeā€™s Scripts (Hakrawler and others) ā€¢ Dalfox ā€¢ GF ā€¢ GAU ā€¢ S3Scanner ā€¢ AWSBucketDump ā€¢ Online Services & Search Engines ā€¢ Shodan ā€¢ Censys ā€¢ Fofa.so ā€¢ Binaryedge ā€¢ Google/Bing/DuckDuckGo ā€¢ Github/BitBucket Search ā€¢ Hardenize.io ā€¢ Httpstatus.io ā€¢ Mxtoolbox.com ā€¢ Postb.in ā€¢ Crunchbase ā€¢ Owler ā€¢ Wikipedia @harshbothra_
Weaponizing your Recon Game ā€¢ Remember, using each tool is always not a good idea. It is overwhelming and sometimes is just a waste of resources. It is essential to see what tools fit in to your arsenal and recon approach and use them accordingly. >> Now, we know everything that we need to hit our target, the next things is Letā€™s see some of these tools in action and start weaponizing your Recon GAME << @harshbothra_
@harshbothra_
Automating Recon ā€¢Sudomy ā€¢TotalRecon /// OSMEDEUS & Nuclei /// (My Personal Favorite) (Big up to @j3ssiejjj & @projectdiscovery.io) @harshbothra_
Hacking While Sleeping Exit Exit SSH and Enjoy Netflix :D Enable Enable SSH & Start Recon in Screen Install Install Automation Tools such as Osmedeus Install Install Kali Linux Repositories CLOUD CLOUD Based VM @harshbothra_
Letā€™s See this in Actionā€¦ @harshbothra_
Finding Vulnerabilities with Recon ā€¢Letā€™s see how can we automate finding some of the interesting vulnerabilities. ā€¢ Reflected XSS ā€¢ Open Redirect ā€¢ SQL Injection ā€¢ SSRF ā€¢ SSTI ā€¢ LFI/RFI (Automation doesnā€™t guarantee finding a vulnerability. It may miss or produce false-Ps. It is just to aid the Pentesting and not missing something obvious). @harshbothra_
Writing your Own ONE Liners /// Letā€™s see how you can use simple bash tools to write your own one-liners and automate things on the go /// @harshbothra_
RECON HACKS 101 ā€¢ Automate as Much as you Can but never ignore looking manually if you have time. ā€¢ Learn using Linux utilities and scrape useful information out of the data gathered. ā€¢ Modify your Recon methodology according to your target and do a target-specific recon for quick, better and efficient results. ā€¢ Do not just limit yourself to what you see or what you read! Recon is all about being creative and thinking out of the box. Apply your own logics, itā€™s okay to fail but happiness when it gives unexpected results. :D ā€¢ Write your own bash wrappers including the tools you like to automate the use of all the tools and save your time performing multiple actions. ā€¢ Keep your recon on a Cloud VM so that your CPU consumption stays free and hack on the main application for OWASP TOP 10 or SANS 25 while you get something from Recon. ā€¢ Keep Researching new tools, test them on known vulnerable (real-world) targets and check their efficiency. If some tool looks go, add them to your workflow and integrate with your own scripts/wrappers/one-liners. @harshbothra_
Creating your own Recon Workflow /// Letā€™s see how we can create our own Recon Workflow for being for target and scope specific & not waste our time /// @harshbothra_
Some EASY Recon WINSā€¦.. @harshbothra_
A Special Shoutout to ALL THE TOOLS & Resource Creators ā€¦ :D (Apologies if I miss any, Efforts of Every single person is appreciated) @TomNomNom @owaspamass @pdiscoveryio @michenriksen @securitytrails @shmilylty @shodanhq @TobiunddasMoe @_maurosoria @j3ssiejjj @OJ Reeves @PortSwigger @Anshuman Bhartiya @Cody Zacharias @EdOverflow @imran_parray @0xAsm0d3us @s0md3v @Robert David Graham @nmap @zseano @stevenvachon @tillson @m4ll0k @jhaddix @dxa4481 @GerbenJavado @gwendallecoguic @hakluke @sa7mon @jordanpotti @hahwul
Q/A are Welcomedā€¦ You can Reach out to me POST Talk as well and will try to Answer at earliest ā˜ŗ @harshbothra_
HAPPY HACKING HACKERS ā€¦ :D /// Thank You ///

Recommended

Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your Targets
EslamAkl
Ā 
Recon
ReconRecon
Recon
UTD Computer Security Group
Ā 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
Ā 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
amiable_indian
Ā 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
Ā 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
Ā 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
Leon Teale
Ā 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
Ā 

Recommended

Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your Targets
EslamAkl
Ā 
Recon
ReconRecon
Recon
UTD Computer Security Group
Ā 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
Ā 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
amiable_indian
Ā 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
Ā 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
Ā 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
Leon Teale
Ā 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
Ā 
Google Dorks
Google DorksGoogle Dorks
Google Dorks
Adhoura Academy
Ā 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
n|u - The Open Security Community
Ā 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
Ā 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
Hossein Yavari
Ā 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
Ā 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
Ā 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
Ā 
Burp suite
Burp suiteBurp suite
Burp suite
hamdi_sevben
Ā 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!
Abhijeth D
Ā 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
Ā 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
Ā 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
Ā 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
Shubham Gupta
Ā 
OSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceOSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligence
Deep Shankar Yadav
Ā 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch
Ā 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.net
Umar Ali
Ā 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
Ā 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
Ā 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
Fadi Abdulwahab
Ā 
Nmap
NmapNmap
Nmap
Fat-Thing Gabriel-Culley
Ā 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
jasonhaddix
Ā 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
Ā 

More Related Content

What's hot

Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch
Ā 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
Ā 

What's hot (20)

Google Dorks
Google DorksGoogle Dorks
Google Dorks
Ā 
Hack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhydHack like a pro with burp suite - nullhyd
Hack like a pro with burp suite - nullhyd
Ā 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ā 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
Ā 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
Ā 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
Ā 
Security testing
Security testingSecurity testing
Security testing
Ā 
Burp suite
Burp suiteBurp suite
Burp suite
Ā 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!
Ā 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Ā 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
Ā 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Ā 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
Ā 
OSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceOSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligence
Ā 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Ā 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.net
Ā 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
Ā 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Ā 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
Ā 
Nmap
NmapNmap
Nmap
Ā 

Similar to Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits

If you want to automate, you learn to code
If you want to automate, you learn to codeIf you want to automate, you learn to code
If you want to automate, you learn to code
Alan Richardson
Ā 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
Ā 
The Final Frontier
The Final FrontierThe Final Frontier
The Final Frontier
jClarity
Ā 

Similar to Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits (20)

The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
Ā 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Ā 
If you want to automate, you learn to code
If you want to automate, you learn to codeIf you want to automate, you learn to code
If you want to automate, you learn to code
Ā 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
Ā 
Case study
Case studyCase study
Case study
Ā 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Ā 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
Ā 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Ā 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
Ā 
The Dirty Little Secrets They Didnā€™t Teach You In Pentesting Class
The Dirty Little Secrets They Didnā€™t Teach You In Pentesting Class The Dirty Little Secrets They Didnā€™t Teach You In Pentesting Class
The Dirty Little Secrets They Didnā€™t Teach You In Pentesting Class
Ā 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wp
Ā 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Ā 
Adversary Emulation and Cracking The Bridge ā€“ Overview EMERSON EDUARDO RODRIGUES
Adversary Emulation and Cracking The Bridge ā€“ Overview EMERSON EDUARDO RODRIGUESAdversary Emulation and Cracking The Bridge ā€“ Overview EMERSON EDUARDO RODRIGUES
Adversary Emulation and Cracking The Bridge ā€“ Overview EMERSON EDUARDO RODRIGUES
Ā 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
Ā 
The Final Frontier
The Final FrontierThe Final Frontier
The Final Frontier
Ā 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
Ā 
Automated tools for penetration testing
Automated tools for penetration testingAutomated tools for penetration testing
Automated tools for penetration testing
Ā 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystacks
Ā 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
Ā 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
Ā 

Recently uploaded

Ramban Escorts ā˜Žļø8617697112 Starting From 5K to 15K High Profile Escorts In...
Ramban Escorts ā˜Žļø8617697112 Starting From 5K to 15K High Profile Escorts In...Ramban Escorts ā˜Žļø8617697112 Starting From 5K to 15K High Profile Escorts In...
Ramban Escorts ā˜Žļø8617697112 Starting From 5K to 15K High Profile Escorts In...
Nitya salvi
Ā 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
Ā 
Hire šŸ’• 8617697112 Kasauli Call Girls Service Call Girls Agency
Hire šŸ’• 8617697112 Kasauli Call Girls Service Call Girls AgencyHire šŸ’• 8617697112 Kasauli Call Girls Service Call Girls Agency
Hire šŸ’• 8617697112 Kasauli Call Girls Service Call Girls Agency
Nitya salvi
Ā 
WhatsApp Chat: šŸ“ž 8617697112 Birbhum Call Girl available for hotel room package
WhatsApp Chat: šŸ“ž 8617697112 Birbhum Call Girl available for hotel room packageWhatsApp Chat: šŸ“ž 8617697112 Birbhum Call Girl available for hotel room package
WhatsApp Chat: šŸ“ž 8617697112 Birbhum Call Girl available for hotel room package
Nitya salvi
Ā 
JORNADA 6 LIGA MURO 2024TUXTEPECOAXACA.pdf
JORNADA 6 LIGA MURO 2024TUXTEPECOAXACA.pdfJORNADA 6 LIGA MURO 2024TUXTEPECOAXACA.pdf
JORNADA 6 LIGA MURO 2024TUXTEPECOAXACA.pdf
Arturo Pacheco Alvarez
Ā 
Sector 62, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 62, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Model Escorts | 100% verified
Delhi Call girls
Ā 

Recently uploaded (20)

European Football Icons that Missed Opportunities at UEFA Euro 2024.docx
European Football Icons that Missed Opportunities at UEFA Euro 2024.docxEuropean Football Icons that Missed Opportunities at UEFA Euro 2024.docx
European Football Icons that Missed Opportunities at UEFA Euro 2024.docx
Ā 
Muzaffarpur Call Girls šŸ„° 8617370543 Service Offer VIP Hot Model
Muzaffarpur Call Girls šŸ„° 8617370543 Service Offer VIP Hot ModelMuzaffarpur Call Girls šŸ„° 8617370543 Service Offer VIP Hot Model
Muzaffarpur Call Girls šŸ„° 8617370543 Service Offer VIP Hot Model
Ā 
Spain Vs Italy Spain to be banned from participating in Euro 2024.docx
Spain Vs Italy Spain to be banned from participating in Euro 2024.docxSpain Vs Italy Spain to be banned from participating in Euro 2024.docx
Spain Vs Italy Spain to be banned from participating in Euro 2024.docx
Ā 
Ramban Escorts ā˜Žļø8617697112 Starting From 5K to 15K High Profile Escorts In...
Ramban Escorts ā˜Žļø8617697112 Starting From 5K to 15K High Profile Escorts In...Ramban Escorts ā˜Žļø8617697112 Starting From 5K to 15K High Profile Escorts In...
Ramban Escorts ā˜Žļø8617697112 Starting From 5K to 15K High Profile Escorts In...
Ā 
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics TradeTechnical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Technical Data | Sig Sauer Easy6 BDX 1-6x24 | Optics Trade
Ā 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Ā 
Hire šŸ’• 8617697112 Kasauli Call Girls Service Call Girls Agency
Hire šŸ’• 8617697112 Kasauli Call Girls Service Call Girls AgencyHire šŸ’• 8617697112 Kasauli Call Girls Service Call Girls Agency
Hire šŸ’• 8617697112 Kasauli Call Girls Service Call Girls Agency
Ā 
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxSlovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Ā 
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Ā 
Personal Brand Exploration - By Bradley Dennis
Personal Brand Exploration - By Bradley DennisPersonal Brand Exploration - By Bradley Dennis
Personal Brand Exploration - By Bradley Dennis
Ā 
WhatsApp Chat: šŸ“ž 8617697112 Birbhum Call Girl available for hotel room package
WhatsApp Chat: šŸ“ž 8617697112 Birbhum Call Girl available for hotel room packageWhatsApp Chat: šŸ“ž 8617697112 Birbhum Call Girl available for hotel room package
WhatsApp Chat: šŸ“ž 8617697112 Birbhum Call Girl available for hotel room package
Ā 
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docxUEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
Ā 
JORNADA 6 LIGA MURO 2024TUXTEPECOAXACA.pdf
JORNADA 6 LIGA MURO 2024TUXTEPECOAXACA.pdfJORNADA 6 LIGA MURO 2024TUXTEPECOAXACA.pdf
JORNADA 6 LIGA MURO 2024TUXTEPECOAXACA.pdf
Ā 
Sector 62, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 62, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Model Escorts | 100% verified
Ā 
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spallettiā€™s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spallettiā€™s Italy in Group ...Croatia vs Italy Euro Cup 2024 Three pitfalls for Spallettiā€™s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spallettiā€™s Italy in Group ...
Ā 
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Ā 
Albania Vs Spain South American coaches lead Albania to Euro 2024 spot.docx
Albania Vs Spain South American coaches lead Albania to Euro 2024 spot.docxAlbania Vs Spain South American coaches lead Albania to Euro 2024 spot.docx
Albania Vs Spain South American coaches lead Albania to Euro 2024 spot.docx
Ā 
Unveiling the Mystery of Main Bazar Chart
Unveiling the Mystery of Main Bazar ChartUnveiling the Mystery of Main Bazar Chart
Unveiling the Mystery of Main Bazar Chart
Ā 
Italy vs Albania Italy Euro 2024 squad Luciano Spalletti's full team ahead of...
Italy vs Albania Italy Euro 2024 squad Luciano Spalletti's full team ahead of...Italy vs Albania Italy Euro 2024 squad Luciano Spalletti's full team ahead of...
Italy vs Albania Italy Euro 2024 squad Luciano Spalletti's full team ahead of...
Ā 
Netherlands Players expected to miss UEFA Euro 2024 due to injury.docx
Netherlands Players expected to miss UEFA Euro 2024 due to injury.docxNetherlands Players expected to miss UEFA Euro 2024 due to injury.docx
Netherlands Players expected to miss UEFA Euro 2024 due to injury.docx
Ā 

Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits

  • 1. Weaponizing Recon Smashing Applications for Security Vulnerabilities & Profits Harsh Bothra
  • 2. $echo(ā€˜whoamiā€™) ā€¢ Security Engineer at Security Innovation ā€¢ Bugcrowd Top 200 Researchers ā€“ All Time ā€¢ Synack Red Team Member ā€¢ Author ā€“ Hacking: Be a Hacker with Ethics ā€¢ Author ā€“ Mastering Hacking: The Art of Information Gathering & Scanning ā€¢ Blogger ā€¢ Occasional Trainer & Speaker ā€¢ Poet ā€¢ Lifelong Learner @harshbothra_
  • 3. Get in Touch at Website ā€“ https://harshbothra.tech Twitter - @harshbothra_ Instagram - @harshbothra_ Medium - @hbothra22 LinkedIn - @harshbothra Facebook - @hrshbothra Email ā€“ hbothra22@gmail.com @harshbothra_
  • 4. Agenda Recon 101 Recon for Pentesters & Bug Bounty Hunters Attack Surface (AS) & Attack Vectors (AV) Mapping AS & AV with Recon What we have vs What we get Building Recon Arsenal Weaponizing your Recon Game Smart Recon a.k.a. Recon Hacks 101 Automating Recon Finding Vulnerabilities with Recon Creating your own Recon Workflow Example of Easy Wins from Recon Final Notes and Further Roadmap @harshbothra_
  • 5. RECON 101 ā€¢ What ā€¢ Why ā€¢ When ā€¢ How Of Recon @harshbothra_
  • 6. Recon for Pentesters & Bug Bounty Hunters ā€¢ How Recon is useful for Bug Bounty Hunter & Pentesters ā€¢ Finding Hidden Endpoints ā€¢ Increasing Attack Surface ā€¢ Discovering More Assets ā€¢ Exposed IoT Services/Devices ā€¢ Exposed Sensitive Directories ā€¢ Exposed Internal Domains/Source Code/Secrets ā€¢ Accessing the limited/restricted resources More Assets == Bigger Attack Surface == More Vulnerabilities ā€¢ (But wait, what are those assets you are talking about???) @harshbothra_
  • 7. Attack Surface (AS) & Attack Vectors (AV) ā€¢ Attack Surface ā€“ Areas, Endpoints, and every accessible point where an attacker can perform any potential vulnerability assessment which may impact C.I.A. . ā€¢ Attack Vectors ā€“ The possible methods an attacker can use to impact C.I.A. in the available attack surface. ā€¢ Why Mapping Attack Surface is Necessary? ā€¢ Most of the people donā€™t do it. ā€¢ Allows you to keep a track of all available options you must test and thus gives you a better visibility. ā€¢ Allows you discovery more hidden endpoints and content discovery. ā€¢ You wonā€™t miss any endpoint for sure. ā€¢ Organized approach especially when testing a huge scope target and helps you when you revisit the target later. ā€¢ Allows you to craft Attack Vectors accordingly and Saves a lot of time ā€¢ & Obviously, keeps you one step up than your competition. @harshbothra_
  • 8. Mapping AS & AV with Recon ā€¢ Now, it is important to know how recon can help you map your AS & AVs. This is something that you can look at while trying to map AS & AVs: ā€¢ Based on Scope ā€“ (Small vs Large Scope) ā€¢ Based on Internet Presence (Github, Search Engines, OSINT Based AV are high there) ā€¢ Based on Asset Type (Is it a unique business logic or just another file upload functionality, you know how to hit it right?) ā€¢ Based on Visual Inspection (Visiting every functionality and looking for viable test cases for each functionality) Letā€™s Understand all of these with the help of examples. @harshbothra_
  • 9. What we have (Before Recon) vs What we get (After Recon) ā€¢ Before Recon ā€¢ Targetā€™s Name ā€¢ Scope Details ā€¢ High-Level Overview of Application ā€¢ Credentials/Access to the Application ā€¢ And some other information based upon target, thatā€™s it on high level? ā€¢ After Recon ā€¢ List of all live subdomains ā€¢ List of interesting IPs and Open Ports ā€¢ Sensitive Data Exposed on Github ā€¢ Hidden Endpoints ā€¢ Juicy Directories with Sensitive Information ā€¢ Publicly exposed secrets over various platforms ā€¢ Hidden Parameters ā€¢ Low hanging vulnerabilities such as Simple RXSS, Open Redirect, SQLi (Yeah, I am serious) ā€¢ Scope from 1x to 1000x ā€¢ And list goes on like thisā€¦. @harshbothra_
  • 10. Building Recon Arsenal /// Here we will talk about the process we need to carry out during recon and tools and services that will help us speed up things /// @harshbothra_
  • 11. /// Tools That I Use /// ā€¢ Subdomain Enumeration ā€¢ Assetfinder ā€¢ Amass ā€¢ Subfinder ā€¢ Aquatone ā€¢ Chaos.projectdiscovery.io ā€¢ Securitytrails.com ā€¢ OneForAll ā€¢ Intel Gathering ā€¢ Amass ā€¢ Whois ā€¢ Shodan ā€¢ Github ā€¢ Search Engine Dorking @harshbothra_
  • 12. /// Tools That I Use /// ā€¢ Directory Bruteforcing/Content Discovery ā€¢ dirsearch ā€¢ fuff ā€¢ gospider ā€¢ gobuster ā€¢ Burp Suite :D with appropriate lists ā€¢ Subdomain Takeovers ā€¢ Subjack ā€¢ Aquatone ā€¢ Tko-subs ā€¢ Can-i-takeover-xyz (for a quick reference for manual reference) @harshbothra_
  • 13. /// Tools That I Use /// ā€¢ Parameter Discovery ā€¢ Arjun ā€¢ ParamSpider ā€¢ Github Recon/Leak Finding ā€¢ Githound ā€¢ Secret Finder ā€¢ Gitrob ā€¢ Trufflehog ā€¢ Port Scanning & Vulnerable Service Identification ā€¢ Nmap ā€¢ Masscan ā€¢ Naabu ā€¢ JS Link Analysers ā€¢ JS-Scan ā€¢ Burp JS Link Finder ā€¢ Link Finder @harshbothra_
  • 14. /// Tools That I Use /// ā€¢ Useful Scripts & Tools to Automate Recon ā€¢ Httprobe ā€¢ Waybackurls ā€¢ Tomnomnomā€™s Hacks ā€¢ gwen001/pentest-tools ā€¢ Haklukeā€™s Scripts (Hakrawler and others) ā€¢ Dalfox ā€¢ GF ā€¢ GAU ā€¢ S3Scanner ā€¢ AWSBucketDump ā€¢ Online Services & Search Engines ā€¢ Shodan ā€¢ Censys ā€¢ Fofa.so ā€¢ Binaryedge ā€¢ Google/Bing/DuckDuckGo ā€¢ Github/BitBucket Search ā€¢ Hardenize.io ā€¢ Httpstatus.io ā€¢ Mxtoolbox.com ā€¢ Postb.in ā€¢ Crunchbase ā€¢ Owler ā€¢ Wikipedia @harshbothra_
  • 15. Weaponizing your Recon Game ā€¢ Remember, using each tool is always not a good idea. It is overwhelming and sometimes is just a waste of resources. It is essential to see what tools fit in to your arsenal and recon approach and use them accordingly. >> Now, we know everything that we need to hit our target, the next things is Letā€™s see some of these tools in action and start weaponizing your Recon GAME << @harshbothra_
  • 17. Automating Recon ā€¢Sudomy ā€¢TotalRecon /// OSMEDEUS & Nuclei /// (My Personal Favorite) (Big up to @j3ssiejjj & @projectdiscovery.io) @harshbothra_
  • 18. Hacking While Sleeping Exit Exit SSH and Enjoy Netflix :D Enable Enable SSH & Start Recon in Screen Install Install Automation Tools such as Osmedeus Install Install Kali Linux Repositories CLOUD CLOUD Based VM @harshbothra_
  • 19. Letā€™s See this in Actionā€¦ @harshbothra_
  • 20. Finding Vulnerabilities with Recon ā€¢Letā€™s see how can we automate finding some of the interesting vulnerabilities. ā€¢ Reflected XSS ā€¢ Open Redirect ā€¢ SQL Injection ā€¢ SSRF ā€¢ SSTI ā€¢ LFI/RFI (Automation doesnā€™t guarantee finding a vulnerability. It may miss or produce false-Ps. It is just to aid the Pentesting and not missing something obvious). @harshbothra_
  • 21. Writing your Own ONE Liners /// Letā€™s see how you can use simple bash tools to write your own one-liners and automate things on the go /// @harshbothra_
  • 22. RECON HACKS 101 ā€¢ Automate as Much as you Can but never ignore looking manually if you have time. ā€¢ Learn using Linux utilities and scrape useful information out of the data gathered. ā€¢ Modify your Recon methodology according to your target and do a target-specific recon for quick, better and efficient results. ā€¢ Do not just limit yourself to what you see or what you read! Recon is all about being creative and thinking out of the box. Apply your own logics, itā€™s okay to fail but happiness when it gives unexpected results. :D ā€¢ Write your own bash wrappers including the tools you like to automate the use of all the tools and save your time performing multiple actions. ā€¢ Keep your recon on a Cloud VM so that your CPU consumption stays free and hack on the main application for OWASP TOP 10 or SANS 25 while you get something from Recon. ā€¢ Keep Researching new tools, test them on known vulnerable (real-world) targets and check their efficiency. If some tool looks go, add them to your workflow and integrate with your own scripts/wrappers/one-liners. @harshbothra_
  • 23. Creating your own Recon Workflow /// Letā€™s see how we can create our own Recon Workflow for being for target and scope specific & not waste our time /// @harshbothra_
  • 24. Some EASY Recon WINSā€¦.. @harshbothra_
  • 25. A Special Shoutout to ALL THE TOOLS & Resource Creators ā€¦ :D (Apologies if I miss any, Efforts of Every single person is appreciated) @TomNomNom @owaspamass @pdiscoveryio @michenriksen @securitytrails @shmilylty @shodanhq @TobiunddasMoe @_maurosoria @j3ssiejjj @OJ Reeves @PortSwigger @Anshuman Bhartiya @Cody Zacharias @EdOverflow @imran_parray @0xAsm0d3us @s0md3v @Robert David Graham @nmap @zseano @stevenvachon @tillson @m4ll0k @jhaddix @dxa4481 @GerbenJavado @gwendallecoguic @hakluke @sa7mon @jordanpotti @hahwul
  • 26. Q/A are Welcomedā€¦ You can Reach out to me POST Talk as well and will try to Answer at earliest ā˜ŗ @harshbothra_
  • 27. HAPPY HACKING HACKERS ā€¦ :D /// Thank You ///