Okay, so I'm going to hand over pretty quickly. This is our first comprehensive talk of the day after the workshop we've just had, and this is on Bug Bounty Hunting on Steroids, which is a report that has just been released by these two guys. They're also going to be talking about their recent internal project that they've been working on, Bounty Machine. And I'm... no, I'm going to hand over to you guys. Thanks.

Hello everybody. So let's get started without delaying a lot. First, introductions. We are a team of three: myself, Anshuman. I am a security engineer by day. I normally do bug bounties after work, but it's been super busy of late. I really believe in automating as much as we can and we should, and all of this is called infrastructure as code, you know, security as code, whatever we can solve so that we don't have to manually spend a lot of effort in solving these problems. Muhammad is not here with us. He is from Egypt. He has been working with all of us together, so he's here with us in spirit. But yeah, and then...

So hi, I'm Glenn, or devalias, and I'm a bit of a hacker, bit of a polyglot developer. I like to automate things, build things, and yeah. I mentioned my company down here because they let me come today. So we're not hiring at the moment, but if you want to in future and you're from Australia, hit me up. And yeah, let's get into it.

So first of all, just a bit of an overview of what we're going to talk about. We've got what the problem is, where things are at at the moment. We've got our target that we're going to be hacking. Talk a little bit about Bounty Machine, which is a project we've been working on, some lessons learned, and finally just conclude everything.

So first of all, hacking can be fun, but there's a lot of really boring manual stuff that has to go on with the recon, the enumeration, doing all those dumb checks that just shouldn't be there these days but still are. And there's just heaps of tools out there that keep repeating themselves, do the same things, and it's just a shitty situation really. So how can we get that and scale across all of the targets we want to hit without wasting our time, and actually get some good sleep? And then when things change, how do we know, and what can we do about it?

So where things are at at the moment: as I said, there's just too many tools out there. If you've ever looked at subdomain enumeration or S3 bucket scanners on GitHub, it's like five or ten different tools and they all sort of do the same thing, but sort of not. Some work, some are broken, and it's just kind of annoying. If you want to combine all that data together or extract it out in a nice way to automate things, they don't really make it easy. A lot of it's just dumping text onto logs, so a bit of an anti-Unix tool philosophy there.

If you've seen this xkcd before you might understand this, but the guy comes along and he's like, I've got this great idea for a new tool, and he builds it and releases it, and some people use it for a while, but it doesn't do all of those things he wants it to do. So someone comes along, builds a clone of it, does some more things, doesn't do some things pretty well. Eventually they run for a while, they get abandoned, people move on to new things, and someone new comes along and decides, let's make another tool. So you can build everything from scratch, but please don't. Look at what's out there, improve existing stuff. Let's just bring the whole bar up a little instead of reinventing that wheel.

So given there's so many tools out there, how do we even know which ones to use?
You can sit down there and you can play through them all, read the code, read the features, hope they work, and it's really time-consuming. It would be great if we had some better comparisons between these, or knew which ones we were going to be getting the most bang for buck from. So there's some good stuff happening out there, like Jason's Bug Hunter's Methodology, and he sort of digs in and does some great comparisons, figures out just how slow some of these tools can be, and maybe which ones you want to look at when you're doing some hunting.

Interoperability between tools: so as I said, when things just dump out the results as a text file, it's not really that nice to consume. You can hack some regexes together, parse it out, but then you've got regexes and you've got more problems. So if we could have something that makes it easier to consume from a tool perspective, that would be really nice. ReconJSON is a thing that's been happening a bit on Twitter lately. A bunch of guys got together and were just like, you know what, let's define how we want this output to come, and then we'll actually be able to build things that can talk nicely together. So there's heaps of discussion happening over on that GitHub repo. Please head there, check it out, contribute. It'll really make our lives easier as hunters.

Scaling and reliability: running a Python script or hacking together some bash is great when you're attacking one thing or two things, but what if you want to hit all targets on something like, I don't know, Uber, or one of these huge bug bounties? You need something that can scale and handle that kind of thing. So obviously there are big tech companies out there that do this. Maybe you've heard of Google; these guys kind of know how to do things at scale. So why don't we leverage some of the things they know? Don't throw a giant server at it, but scale out horizontally, maybe use things like Kubernetes, containers. Let's get some fault tolerance built in there. So there's lots of things we can learn if we look to that dev and tech side of things rather than just focusing really closely on our security area.

And then having a practical research environment. So when you have all of these targets, like millions of bug bounty assets out there, how do you know which ones to look at? There's so many people looking and you just kind of want to know where to start. So having a research environment where you can get that salient information, so I can just hack the things I want to hack. Gathering the information about the scopes, getting that recon data and just saving it away in a database, so when I'm ready to hack on something I can just get started.

Yeah, and then I guess what this comes back to is identifying the assets. You don't know what to hack if you don't know what's out there. So keeping up with new hosts as they come online, or when things have changed, is really important for knowing what you want to hit. There's articles out there that talk about this, but there are so many cases where companies are getting owned or huge bounties are being paid just because the company didn't know what they had, and it just sat out there, some dude found it and was like, sweet, I'm going to own that one. So looking at just two of the OWASP Top 10, we have almost 50 percent of the breaches in this report, and they're really easy things to automate and look for, so why aren't we doing more of that? And I guess on that automated side, having that real-time update to your inventory of assets. So it's not some guy there writing down, oh, we've got a box over here and I set that up there, but feeding it in and automatically keeping this stuff happening. Code changes all the time, you can spin up new servers with no effort these days, so we really want to know what changes and when, so that we can focus our efforts
on looking at those things.

Alright, so that was some background to give you more context on what we're going to show next, which is the more exciting part. So what are we going after today? Let's talk about that. We have set up a company. We call it Links and Corp. There are two things we know about this company: first is a GitHub repository, Links and Corp. If you go online you can probably find it. And its main domain, linksandcorp.com. So this is all we know about this company, and we'll try to show you, if we run what we've built against this organization, all the things that it can find, in a way that we don't have to do a lot of work ourselves; those results just come to us.

The whole run from end to end probably takes around 15 to 20 minutes. So I'm going to start it right now, Glenn is going to continue the rest of the presentation, and once he finishes we'll actually go over the results, show you how it all works and things like that. So I'm just going to show how we start the workflow for, let's say, an org. The way it works right now is we treat Slack as a front end. So you see that this is a Slack group that we have, and this is a private channel that we have. I'm just going to start two workflows against this org. The first workflow will be to find all the secrets in the repositories, and the second one would be against the main domain, linksandcorp.com, and then we'll see what it can find.

The way we do it here is using slash commands in Slack. It's still pretty small, so I'll just read out what I've written. What I'm doing there is issuing a slash command that says "add thing", and then I have what workflow I want to run, so that is the domain workflow, and then I specify the actual domain. I just want to mention that we can do this for multiple domains in one go by separating them using some kind of delimiter. Right now we're just doing it against linksandcorp.com, so that's where you just see that. If I were to add more domains I could just do google.com, you know, what have you. So I'm just going to press enter. Hopefully it works. So you can see that one of the two workflows has started. I'm going to do the same thing for the GitHub repositories as well. Is that better? Thank you. So I'm doing something similar for the GitHub repositories. I'm just issuing a slash command, "add thing", I'm mentioning what workflow I want to run, which is GitHub org, and then I'm mentioning the organization, which is Links and Corp. Hopefully I spelt it right. Right, so let's get that going. So now you can see that I've also submitted the other workflow, and we'll start seeing the results here pretty soon. But let's just continue with the presentation and then we'll get back to it.

Cool. So now that we've got that running I might actually talk a little bit about what we have there. So we call it Bounty Machine, and we've tied together a bunch of open source and pretty prevalent technologies from the development side of things and kind of turned it back against the security domain that we're more interested in. So to start off, this cute little guy here is the Go gopher. Golang's a compiled language that came out of Google, and it's really nice for writing these little cloud microservice kind of architectures. You get a static binary, and you can do nice things with that like throw it into a tiny little Docker container. Docker, if you don't know, is a container runtime, and it's really nice for just encapsulating all of the dependencies you need, so your project just runs the same no matter what server you throw it on. Now this is nice, but when you want to scale you kind of need to go beyond running a single container. So we bring in Kubernetes, which is an orchestration framework, and it basically allows us to set up a bunch of servers and just be like, here it is, throw my containers at it, distribute that, run, scale, handle all my things, I don't want to think about it. So that's really nice. And then finally, this is a pretty new project that's been coming out over the last year or so, Argo. It runs on top of Kubernetes, uses Docker containers, and it defines a sort of workflow language. So you can say run these containers in parallel, put them in series, plumb the inputs and outputs together. It allows you to wire this whole workflow together in a really nice way. So those are the core things we've built on, and we also use Google Cloud and similar things to tie it all together.

Talking about the architecture a little: as we mentioned before, we start off normally from Slack, though we can have a CLI, a web interface or anything else that goes in there. That talks to an API, and that throws some data onto our first queue. Now with each of these queues we can have a number of workers that are listening on them, and so one might say, hey, you just put in a domain, I'm interested in that, let me run some stuff. Now when we run that, it might just be a simple little tool dealing with it directly, or maybe we'll pass it off to a whole workflow made out in Argo. And then when it's all done, it parses out its results and puts the salient information back on a new queue. So let's say we went to a subdomain and we did some directory brute forcing. We find a whole bunch of endpoints, and then we send those endpoints out in a really consumable way for other tools that are interested in that. So once it goes out there, we've got the diff worker, as we call it, and that handles our persistence. So we're building up this database of all the things we know and also figuring out what new information did we get, so that other tools can then use that to react depending on what they're interested in.
At the moment, one of the main things we do with that is pass it into notifications. So that could be Slack, or maybe we want to get it on a mobile phone if it's a really urgent thing, out at the bar and you just want to know, so you can get that down here. Pretty much this is set up in a really flexible way so that you can just plug in whatever output you want to get, so it's pretty nice. And then once you've done all that, how do we know when things are changing? So we can set up stuff on a schedule to go back and revisit these things, see has anything changed, is there anything new here, maybe I found a new subdomain or something. So that keeps our stuff up to date so that we know what we're hitting.

So when you put it all together, this is what the basic workflow ends up looking like, and in any of these worker areas you can just add more and more, plugging them in individually. This is all set up in a really decoupled sort of way, so most of these things you could rip out or replace or add new ones and it's not going to break anything. It all just works together. So that's really nice when you want to hack in a new tool that you found, or maybe some new attack vectors come out and you don't want to try and change this monolithic architecture.

Yeah. Alright, so let's discuss what we have learned. There are quite a few lessons there; I'm just going to walk through them. The first one was geographical limitation. So Glenn is in Australia, I live in San Diego, and Muhammad is in Egypt. So pretty much all of us are in three different time zones. I remember there were only a few days where all of us could be online together. You know, we don't really have a company, so we don't have paid Slack or Google Meet; all of us just work via Slack, we have a free Slack organization set up. So yeah, it was a pretty interesting thing that we've learned: how to coordinate, how to communicate with each other, how to make sure that each one of us knows what we're working on. And both of us have full-time jobs, so it was really difficult to do something after work as well.

Communication, as I mentioned, was super important. There were quite a few lessons there as well. One: check your ego. That should pretty much be the case wherever you go, but communicating openly, honestly, with lots of input, right, and especially not to assume things. That's something that I used to do a lot. I used to assume a lot, and then I used to have conversations with Glenn and he used to basically explain why I was wrong. So taking responsibilities, kind of doing program management of this entire project as well, and all of us were doing multiple things. So it was quite a good learning experience for all of us.

Technology: what did we learn technology-wise? So in the security industry, what I've seen personally, and I've been in this industry for quite some time now, is that people are really afraid and skeptical of trying out new things, and I totally understand that, because when new things come up we don't really know how secure they are. For instance, containers: are containers really secure? This question keeps getting asked. I can tell you that there are ways you can securely deploy a Docker container, but how you do that, nobody even goes into that. People just get scared that, oh, this is some fancy new tool, it's not really secure, let's not go there. So I want to point out, or stress the point, that this thinking needs to change, and it needs to happen in the security industry more than anywhere else, because there are some new, cool technologies out there that we should use, and do more innovative stuff in a way that we can actually build something for us and also share with the community, which is what we're trying to do here, right? So just keep your eyes open, explore what is out there, and especially, if you take a particular technology that you want to go with, try to understand how it works, try to understand how you can apply that technology to the problem you're trying to solve. Which is what we did here. We looked at containers, we looked at orchestration frameworks. We knew we had a problem to solve of automation, of scalability. How do we correlate both of them together? And then we built this thing, right? So that's really important.

And yeah, sometimes there are things that you would want, that you would like to have, that don't necessarily exist. But that's the case pretty much everywhere, so don't get bogged down too much. One thing that we've learned is that even simple problems take quite a while to get right the first time, so it's important to stress that it's an iterative process. Don't get stuck at one point. One thing that we focused on really was building an MVP, or a working prototype that we know will work. It doesn't have to be perfect: the perfect code, everything runs perfectly. And we feel that this approach of going after an MVP product really worked out for us, because we can see the results now. We've been working on this for almost a year, so it's been a long journey. So for the MVP product, what are some things that we focused on? One thing is don't get too bogged down in details.
I mentioned it earlier, but just look at the overall picture, just have an idea of what we're trying to solve, and then once we encounter problems, try to solve them just in time, right? And if there's anything else that you can think of, just keep it in the backlog. Once you have something running, come back to it again. It's a feedback loop; keep iterating on it and move fast. So these are some principles that we kind of advocate in DevSecOps, if you will. Things like keep iterating, have a feedback loop, don't go after the perfect product, go after the MVP product.

Alright, so coming back to the demo, let's see if we have anything. I hope we do. Oh yeah, so you see that. Okay, so it'll probably take a few more minutes, but let's see what we have so far. Remember we ran the workflow to find secrets in the GitHub repository. So that's the first output we get. It basically shows that you have this repository here and these are all the secrets in there. So that was the output from that GitHub repository worker. Let's come down. We find that there are some new subdomains that our workflow found. So we started with linksandcorp.com. The results are still coming in; that's awesome. So we started with linksandcorp.com, and now you can see that it found all these other subdomains that might be interesting, might not be interesting, but we don't have to worry about it; our workflows just take care of that, right? Let's come down. We can see that it found some subdomains that can be taken over. By that what I mean is this subdomain, linksandquiz.github.io. I think it's online right now; if somebody wants to take it over, feel free, you can actually take it over. So the way it would work is you would go to your DNS account, you would set up a CNAME pointing to github.io, and if you go to that page, it would be your domain. It would not belong to us anymore. It would look like that. But yeah, so the tool actually found that for us as well.

Right, coming lower down, you see that. So what you see here is it actually ran port scans across all 65535 ports against all the subdomains, and these are the results. So you can see that we report the port, the protocol, the service, the status, right? And you can see there's a whole bunch of things there. So there's some interesting ports open there. You can see we have, oh, this looks nice, port 8080, see that? Normally you just see port 80 or 443 on these web servers, but anything interesting should definitely be looked at. And this one's interesting too; I wonder what that is.

Alright, moving on. We also find endpoints. Oftentimes there are these web endpoints that are hidden, that nobody really knows about unless you actually go to that endpoint and try to access it. It's at that time you realize that things are accessible without even needing any sort of authentication or authorization. So our workflows found all these interesting endpoints. Right, let's see what else it found. Oh, this looks nice, okay. So what it did was, remember port 8080, so it actually ran a CMS finder and it found that it is running Jenkins, and it ran a tool, I believe it is JexBoss or something like that, to see if this Jenkins instance is vulnerable or not, and it is vulnerable. You see that result. So the reason you see the output like this is because this output is from the tool that ran. We're not doing anything; we're just taking that output and sending it to Slack. Now this can be improved, but you get the idea, right? So we ran a tool first, we found a subdomain, then we port scanned it, then we ran a CMS finder against it, we found it was Jenkins, then we ran a tool specific to Jenkins to see if it is vulnerable or not. So you see the entire workflow and you see the result.

Alright, let's move on. It found this subdomain, blog.linksandcorp.com, and it identified it's a WordPress site. So now again, this output is poorly formatted, and the reason is actually funny: there's so much data reported back from the tool that Slack cannot handle it. So, you know how you format a piece of code in Slack, you put those three backticks, whatever those are called. We actually try to do that, but there's so much information that Slack basically says I cannot show it in a good way. So that's why you see this data in a poorly formatted way. But it ran, again, a port scan, it found that it's running WordPress, it ran WPScan. WPScan is a very famous open source tool. We didn't build it ourselves; we just use it. So we ran WPScan against this website and look at all the stuff that it found. It found various CVEs, a whole bunch of information. So all we do is just look at our Slack on our cell phones and just see what keeps coming, right? Anything interesting, we can go and look into it further. So all this stuff is from that WPScan, all this poorly formatted output. This is a whole bunch of things. Now we know that Slack is probably not the ideal place to see it, but I am lazy. I don't know about you, I'm really lazy. So I don't want to even go on the laptop. I just want my cell phone and everything just to be there. So that's why I chose this; this was my decision. But I'm pretty sure we are past that point where we need something else, at least for the output. I mean, we can start the workflows from Slack, from our cell phones; to get back the output we should have something nicer. I still think there are a few workflows still about to run, but this is what we have so far. So let's come back to it. Let's continue with the presentation and then we'll see if we have some more stuff.

So again, we started with just knowing two things about this domain, right?
Just that it has a GitHub repository and its main domain, and this is what we end up finding. I'm going to go into each section in detail, but this is how it looks. So these are all the things that it's supposed to find and it will find. So just showing that we started with them and then kind of branched out and found a whole bunch of things. So if we are to go into each one of these sections and just kind of explain what are some of the different workers that ran, some of the different workflows that it ran.

The first one was obviously the GitHub repository, right? It found that the organization had two repositories and there's some secrets in there. Now what tool did I run, right? So for finding secrets on GitHub repositories there's a whole bunch of tools: there's TruffleHog, there's git-secrets, there's Gitrob, there's one tool that I've written, it's called git-all-secrets. So one big advantage of our framework is that you're not restricted to running just one tool. We mentioned Argo. Argo lets you define a YAML file, and in that YAML file you can have multiple tools running in parallel. You can orchestrate it in such a way that you run a tool, you take the output from that, you feed it into something else. So what you're seeing right here is not just running one tool, but a bunch of tools finding a bunch of things.

Moving on, it should find S3 buckets. So we run a bunch of tools for that, to find all the S3 buckets belonging to that organization. It found some subdomains, right, but this is not really interesting. It just found some subdomains, but we'll see how interesting it gets later on. So it found a subdomain, it started port scanning, it found that it's running a web server on port 443, so it ran a bunch of other tools. It found there's a cross-origin resource sharing misconfig at a particular endpoint, so it reported that. It found that we have a .bak file. These files are interesting because normally we don't look for such files, but the tools do that. It's basically some file that has been forgotten long back, but it might contain interesting information, so it's important to look for those things. This I spoke about: it found that there's a subdomain, it has a CNAME pointing to that, and it can be taken over, so it reported that. It also found another subdomain; the CNAME was basically non-existent, so if you want you could take over that as well, I think. So, yeah. This is the part where it found the CMS stuff, right? So it found it's running WordPress. It ran a tool to find all the crossdomain.xml files to see if that file has interesting stuff inside it. It ran WPScan to basically do all the scanning. It found port 3306 open and it ran, I think it's called BruteSpray. So BruteSpray is a tool that can take in a port and try to basically brute force all the default credentials. So that's what it did: it found port 3306 open, figured out it was MySQL, and it ran the MySQL attack against that. What else?

So you can see that here we found a JavaScript file, right? So there's a tool that we ran to find all the JavaScript files that belong to a web server or a web endpoint, and after it found the JavaScript file it actually tries to read that JavaScript file for all the potential endpoints or anything sensitive or secret. So you can see that we actually had a variable admin_panel defined with a secret inside it, so it must have found that as well. And then this is the part where it found Jenkins. You can see that it ran the scan, it found that it is vulnerable to a particular CVE. It didn't exploit it. So we can go a step further and actually exploit and start taking over stuff, like taking shells or just hacking, but we understand that starts going into the grey area where we don't necessarily want to do offensive stuff and automate it in such a way that we don't really have any control of what's going on. So right now we just try to do very non-intrusive scans, for us to know what's out there, so that we can go and look at it manually. But if needed we can definitely go a step further and get that shell back. And then it found a whole bunch of things; it found this endpoint: if you hit that it returns a 200 OK message, if not it returns a 401 Unauthorized message. So that was it in terms of what all it can find.

Let's go back to Slack and see if it found some more. Right, looks like it did. So let's see what else is new. So it found some CORS. CORS is cross-origin resource sharing. There are tools out there that basically look for the header, it's called Access-Control-Allow-Origin, and there are different attacks that you can do. So again, it's a very simple tool that anybody can run; it's open source. So we do that, and it runs and it lets you know if something is vulnerable or not. So right now I don't think anything is vulnerable, but you can see that all the statuses are non-vulnerable. Well, there is one: this status, alert, basically says that this domain might be interesting. Moving on, it found some JavaScript endpoints like I was mentioning. So you can see that it reports the main domain and then all the stuff that it found inside that JavaScript, so any interesting endpoints or any secret stuff, things like that. So all these outputs are from different JavaScript files. You can see that it found a whole bunch of things and different endpoints from there. Here, I was mentioning, it ran a port scan, it found it's running MySQL, it actually brute forced it, it found it's running with default credentials. So you can see that the password is password, the user is root. So we didn't even do anything. It just went out for us, scanned, brute forced, sent back the output. There you go. crossdomain.xml files are again interesting. You might have domains that have wildcards set, or that might allow access from different domains.
So that's interesting to look at. And I think finally just the backup files. So yeah, I think we've pretty much covered all the workflows here. So yeah, we started with just a domain and this is all the stuff we get, and it took almost 15 to 20 minutes, and this is a fairly small organization. So if you were to run this against, let's say, google.com, it would probably take an hour, but you would have so much stuff that you don't even need to go anywhere to look for, or figure out what tool do I need to run. You just take all this stuff and start looking at it and see if you can find anything interesting. Right.

So to conclude, let's see what we've learned, or just a conclusion. So a few important things. Definitely we cannot automate everything. I know people say, I myself am guilty, I say automate all the things, but it's not possible; we all know that. But having said that, there is still a whole bunch of things that you can automate. You saw that right now: these are things that can be automated and we have done that. So do that; make sure you don't spend your important time looking at stuff that's not interesting. Do you mind holding questions so that we can get... sorry. So, and then exploring new technologies, like I mentioned: don't be afraid, please go out there. There's some cool stuff out there that is really helpful for the security industry. So go and explore, play around with it, build something cool, share it out, get more people to help you out as well. So that's something we learned. Don't reinvent the wheel. Please don't do that. I mean, I've been advocating this forever. I see new tools solving the same freaking problem every day. Don't do that. Go and look at what's out there. Try to read the code; if you can't read the code, go learn how to code first. You know, in security we say that "I can't code", "you can't code"; that shouldn't be the case. We are security people; if we want to hack something, wouldn't it help to understand how it works in the first place? So that's how I like to think. I like to build and then I like to break what I've built. So it's important to understand the fact that this stuff is out there; go look for it first, without going and building your own little whatever you want. Again, checking your ego, collaborating, sharing; please keep that in mind.

And yeah, thanks. Just some closing notes. Thank you to everybody for all the good open source tools that have been shared out there. I personally try to share, write a bunch of open source tools; if you go to my GitHub repository you will see a whole bunch of things. So I believe in the open source community and I believe sharing is caring. So yeah. Any questions, anything else you want to add? Now happy to get questions. Yeah, so, for the recording, I think we need to get you on mic before you ask. So if you have any questions, please come in.
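The piece of the architecture the speakers describe but do not show is the "diff worker": the stage that persists every asset the other workers report, works out what is new or changed since the last scheduled run, and hands only those deltas to the notifier and to follow-up workers (port scan on a new subdomain, takeover check on a CNAME, BruteSpray on a new 3306). The following is an added example written for this page; it is not Bounty Machine code and not from the talk. It assumes an in-memory dict standing in for the database, assumed workflow names for the downstream queue, and constructed recon results for two scheduled runs.

```python
"""Diff worker: persist recon assets, emit only what is new or changed.

Added example, not Bounty Machine code. The inventory dict stands in for
a database; the workflow names in plan_followups() are assumptions chosen
to mirror the demo (subdomain -> port scan, CNAME -> takeover check,
http port -> CMS finder, 3306 -> credential brute force).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    kind: str      # "subdomain", "port", "endpoint", ...
    value: str     # canonical identifier, e.g. "blog.example.com" or "host:3306"
    attrs: tuple   # sorted (key, value) pairs so the record is hashable/comparable

    @staticmethod
    def from_result(r: dict) -> "Asset":
        # Normalise so the same host reported by two different tools diffs as one asset.
        value = r["value"].strip().lower().rstrip(".")
        attrs = tuple(sorted((k, str(v).lower()) for k, v in r.get("attrs", {}).items()))
        return Asset(r["kind"], value, attrs)

    @property
    def key(self):
        return (self.kind, self.value)


class DiffWorker:
    """Consumes a batch of worker output, updates the inventory, returns deltas."""

    def __init__(self):
        self.inventory = {}  # (kind, value) -> {"attrs", "first_seen", "last_seen"}

    def ingest(self, results, seen_at):
        new, changed = [], []
        for r in results:
            asset = Asset.from_result(r)
            rec = self.inventory.get(asset.key)
            if rec is None:
                self.inventory[asset.key] = {"attrs": asset.attrs,
                                             "first_seen": seen_at, "last_seen": seen_at}
                new.append(asset)
            else:
                if rec["attrs"] != asset.attrs:          # e.g. CNAME target moved
                    changed.append((asset, dict(rec["attrs"])))
                    rec["attrs"] = asset.attrs
                rec["last_seen"] = seen_at
        return {"new": new, "changed": changed}

    def stale(self, seen_at):
        """Assets not observed in the run tagged seen_at. Only meaningful after a
        full rescan batch; a host that disappears is also worth a notification."""
        return [k for k, rec in self.inventory.items() if rec["last_seen"] != seen_at]


def plan_followups(delta):
    """Turn deltas into work items for the next queue (assumed workflow names)."""
    jobs = []
    for asset in delta["new"] + [a for a, _ in delta["changed"]]:
        attrs = dict(asset.attrs)
        if asset.kind == "subdomain":
            jobs.append({"workflow": "portscan", "target": asset.value})
            if "cname" in attrs:   # new or changed CNAME: candidate for takeover check
                jobs.append({"workflow": "takeover_check", "target": asset.value,
                             "cname": attrs["cname"]})
        elif asset.kind == "port":
            host, port = asset.value.rsplit(":", 1)
            if attrs.get("service") == "http":
                jobs.append({"workflow": "cms_finder", "target": asset.value})
            elif port == "3306":
                jobs.append({"workflow": "brutespray", "target": host, "port": int(port)})
    return jobs


def format_notification(delta, jobs):
    """One short line per finding, cheap to read on a phone."""
    lines = [f"NEW {a.kind} {a.value}" for a in delta["new"]]
    lines += [f"CHANGED {a.kind} {a.value} {old} -> {dict(a.attrs)}" for a, old in delta["changed"]]
    lines += [f"QUEUED {j['workflow']} {j['target']}" for j in jobs]
    return "\n".join(lines)


# Constructed sample output for two scheduled runs (not real recon data).
SAMPLE_RUN1 = [
    {"kind": "subdomain", "value": "www.example.com."},
    {"kind": "subdomain", "value": "Blog.example.com", "attrs": {"cname": "old.github.io"}},
]
SAMPLE_RUN2 = SAMPLE_RUN1[:1] + [
    {"kind": "subdomain", "value": "blog.example.com", "attrs": {"cname": "new.github.io"}},
    {"kind": "port", "value": "blog.example.com:3306", "attrs": {"service": "mysql"}},
]

if __name__ == "__main__":
    worker = DiffWorker()
    for day, batch in (("day1", SAMPLE_RUN1), ("day2", SAMPLE_RUN2)):
        delta = worker.ingest(batch, seen_at=day)
        print(f"--- {day}\n{format_notification(delta, plan_followups(delta))}")
```

Running it prints two new subdomains on day one and, on day two, only the changed CNAME and the newly open MySQL port, each with the follow-up job it queues. Normalising the value before it becomes the inventory key is what stops two tools that spell the same host differently (trailing dot, mixed case) from producing duplicate "new" alerts every run.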