The speaker is Abhijeth and he generally does pen testing and is interested in mobile infrastructure testing as well. So I'm passing the stage on to him. Hi Abhijeth. Let's welcome him.

Does this work? Mic testing 1, 2, 3. It doesn't work. I can shout. Mic testing 1, 2, 3, 4, 5, 6, 7, 8, 9. It just, it works like this but... Mic testing 1, 2, 3. Mic testing 1, 2, 3. Okay guys, I'm going to give my presentation today. Sorry. Now I'm just going to shout as much as I can. I was giving a virtual talk about two weeks ago and someone told me my accent slash my voice slash my speech sounds like an IRS scammer. So I really can't help it if it sounds like an IRS scammer. You guys know what an IRS scammer is, right? If you don't, just go to YouTube and type "IRS scammer". There are a few conversations where normal people troll IRS scammers when these guys try to play around with normal people, and it's super funny. My mother's maiden name? It's Recon Village. Good try. Okay. Hello everyone. Thanks for coming. I know one PM is lunch time, so I'm really happy that you guys are skipping lunch for me. I feel the love there. So that's why I'm going to talk about Recon Village. Sorry. "Recon and Bug Bounty: what a great love story." If you have already attended Jason Haddix's talk, Jason has pretty much covered most of the stuff that I wanted to cover. I have absolutely no idea why this is on my screen. Yes. Okay. Oops. So, Jason Haddix. So he pretty much covered most of the stuff, but I'm probably here to tell you whether those things work or not. That's why I have named this talk "Recon and Bug Bounty: what a great love story", because I'm going to share a few of my stories where a few of the techniques that Jason Haddix told you guys about have worked for me, and they might actually work for you too. About me: I'm from Sydney, Australia. I work in application security. I may be a script kiddie.
I work in a large organization, blah, blah, blah. Got lucky with finding bugs in Google, Facebook, Microsoft, eBay, etc. One among the top five bug hunters on Synack. Synack is these guys who have sponsored Recon Village. Yeah, I have another slide which I'll show you, but yeah. So I do a lot of bug bounties with Synack. They have private slash crowdsourcing platforms. That's one reason you will find a lot of redacted text on my screenshots, because I cannot really reveal the name of the client slash organizations. I'm really sorry about that.

This is the agenda. I'm sure you would have read the agenda before walking in. If you didn't, this talk is about a few techniques that have worked for me that might work for you. I would love to use the word "might" throughout the presentation, because things work sometimes and things don't work sometimes. Nobody is responsible for whatever I talk about. If there's someone you have to blame, it's abhijeth, A, B, H, I, J, E, T, H, that's just me. You just have to blame me. Rants, suggestions and things, you just have to tweet them to me. So just out of curiosity, how many of you do pen testing here? Good question. How many of you are devs here? Developers? Dev slash DevOps slash infrastructure slash admin? I love the word DevOps, by the way. I don't want to rant about the word DevOps here, but yeah.

This is web application security today, fortunately or unfortunately. When I was a kid in 2008, 2009, if I had to hack a web application, I would go to Google and type "how to hack a web application". Probably one of the first few results would be SQL injection, and then there would be this random magic string which says single quote or 1 equals 1, and it would say, hey, just copy and paste this everywhere you see a username and password. And there is a great probability that you might be able to do an authentication bypass.
I see a few people nodding their heads, and I'm pretty sure a few people have started their pen testing career just like that, just like me. But today, if you do that, as we all understand, devs have become smarter, frameworks and organizations have become smarter. So it's definitely not possible for us to do the same hacking that we used to do in the early 2000s. But shit is still vulnerable. People assume that they have stuff; they believe they have firewalls, they have the network, they have honeypots and stuff like that. There are a billion ways by which attackers could basically bypass them and still find vulnerabilities. If that's your beautiful castle, people always take care of their beautiful castle. That's like your website.com. So if you have an organization, I'm sure your www.website.com is super secure, super safe, because you would have paid thousands of dollars to hire external pen testers to do pen testing. But hey, you know what? Hackers are no longer interested in website.com. They're interested in, say, your subdomains, or they're interested in other stuff. Say api.website.com or dev.website.com, or your third-party applications, or your GitHub repos. I'll talk about GitHub repos. I love GitHub repos. But why? Like I said before, because it's no longer the same concept: you don't want to do single quote or one equals one, and then you would not get SQL injection. So even if you have a shield, it doesn't really matter, because people are just going to come up with new techniques. The best part about this GIF is the longer you watch, the funnier it is. That's the reason I have it. Yeah, so okay, cool.

Recon is great. But how do you do it? How many of you here know about reverse IP? A lot of you? Okay, you have to be very honest here. Do you actually do reverse IP in every pentest that you do? Yes and no. I see a few people saying no, because to be honest, even I don't do a few of these things in every pentest that I do.
But if we actually did it, you could find a lot of stuff. I'm going to run through the slides first and then I'm going to do the demos, because I'm running on someone's mobile internet. I don't want to, like, I hope it works. I'm sure it'll be pretty slow. Another site is called DNSdumpster. I guess throughout the talk you want to take photos of my slides or something. I'm going to post them online too. But in fact, I was just asking one of the organizers if we could not record this talk so that I could show some live shit. But unfortunately, I can't. So DNSdumpster is a really cool site. Again, I love DNSdumpster. Jason has talked about a few other tools like Sublist3r. There's another tool called subbrute. Jason has also talked about masscan. But DNSdumpster is something that works for me. It's a pretty easy thing. All you have to do is go to DNSdumpster and then give it yahoo.com. I love Yahoo. Yahoo is one of my favorite targets. Anyone here from Yahoo? No? Thank you. Okay. The moment you do that, you see that there are so many subdomains on yahoo.com. And if you had observed carefully, there would have been some subdomains which say corp.yahoo.com, mail.corp.yahoo.com. Now, every time I see words like corp or stage or test, I'm like, that's my target. That's my dinner for today. Because the moment you see it, you know something is public that shouldn't have been public. So there is a high likelihood that there might be another way to get into the application. Yes, they might have excellent, you know, LDAP protection, and you might not be able to do an LDAP injection or a SQL injection. Fantastic. But who knows, maybe you just run DirBuster and then you get access to some directory in which you get access to some other subdomain or some other API. And then you simply open the API and then you would basically see someone's credit card details. I've seen that sometimes. That's one reason.
So most of the things that I'll be talking about in the next 10, 15 minutes are based on my own experiences. So if I speak about something, that must be something I have found in the past. Again, this is censys.io. There's another website called shodan.io. At this point, I assume everyone knows shodan.io. If you don't, just open shodan.io and then start searching for stuff. It's really amazing. Censys is really cool, too. I like Censys because they keep updating. And then all you need to do is go to Censys and then type a domain name. Do I have a video? No, I don't have a video. It's just a screenshot. So you just have to type a domain name and then Censys basically gives you a bunch of domain names.

So does this work? I don't know. Let's check it out. I hope my demos are working. This is my Google. I am going to dnsdumpster.com. Just a heads up, guys, if you are giving corporate presentations, make sure you clear your browser history, because the other day I was giving a corporate presentation and I was opening something like P-O-R-T-A-L. I typed P-O-R and something else comes up in my history. Luckily, my colleague was like, hey, man, I know Pornhub has a bug bounty program. I'm sure you would have found some cross-site scripting. I'm like, no, I found a SQL injection on Pornhub. And then he was like, did you get some bounty? I'm like, no, I didn't. But yeah, that was an awkward moment. Do you guys have? I'm sorry? Yeah. Yes. Yes. Yes. Any target, guys? Any organization? Just whatever. Okay, let's do that. I'm sorry? Okay. I'm actually doing that. Cool. Yeah, so I'm just trying to search. So Pornhub has a bug bounty program. If you don't do bug bounty programs, you should definitely do it. Go to hackerone.com/pornhub. It's really hard to find bugs on pornhub.com. But yeah, you should totally do it. As you can see, it's basically giving us a few subdomains.
So at this point, you have a subdomain and you also have an associated IP address. I don't know how many of you do it, but I love this technique where I just capture this IP address. This is not a big organization, but if I'm testing Yahoo or Google, I know that there is a high likelihood that the entire subnet of 0 to 255 might be owned by Yahoo or Google. So all I do is nmap, the IP address with 0 to 255, ports 80 and 443, because I guess those are the only ports that you're legally allowed to look at. If you're scanning some other ports using your own internet, I don't think it's a great idea. So yeah, you get some subdomains here, because this is a very small site. You have very few subdomains, but as you have seen previously, if you search for yahoo.com, there are a bunch of subdomains. At this point, all you would want to do is copy the IP address and then go to nmap and then do a subnet scan. I'm sure you would see some juicy information there.

There's another site that I love the most. It's called YouGetSignal. Anyone heard of it? Yeah, YouGetSignal is a really cool site, too. Any questions before this gets loaded? No questions. That's great. Reverse IP domain lookup. So I'm just going to click that. By the time this gets loaded, I'm sure you guys must have heard about VirusTotal too. Did you know that VirusTotal can also give you a list of subdomains? No? Okay, cool. I'm going to show you. Thanks for saying no. Just going to search for uber.com. This is just a simple reverse IP domain check. I do it sometimes. I just capture the IP address, because this also shows me a few other subdomains which are hosted on the same IP address. VirusTotal has an option which says search. You can just say twilio.com. So most of the demos I'm showing you, they have a bug bounty program. So I'm just trying to make sure that I'm legally safe.
I'm not going to get into trouble, because they have bug bounty programs. And I'm sure I'm not finding any vulnerabilities live. So I think that should be okay. twilio.com, it says observed subdomains. You can just click on more and you can see there are a bunch of subdomains. I mean, there is no way a person like me, a human like me, could guess a subdomain like this. It's like A, C, D, whatever. You know what I mean? So it's really hard for humans to guess such subdomains, and that's where you would use websites like this or scripts like this. And because most of these websites are updated on a day-to-day basis, if not day-to-day then regularly, I personally love to rely on them. Those are some very basic techniques. I would call them recon 101 techniques. And if you are doing a pen test, I would definitely recommend you to start with this.

Does this work? The answer is yes. This is phpMyAdmin of a large community contribution organization. Like, if you want to have a forums page for your own organization, this would be one of the top three vendors that you would go to. I don't want to talk about the vendor. But then, yeah, I was just doing this. And on VirusTotal, I got a subdomain. I did a reverse IP, found an IP address. I opened the IP address and this is the default page. And I don't think I have to explain anything more; the screenshot is self-explanatory. And I reported this one and they basically fixed it in 24 to 48 hours, because Synack is really quick in triaging vulnerabilities. They triaged the vulnerability in about eight hours. I got paid in eight hours and they sent it to the client, and the client basically fixed it in 24 to 48 hours. And this was his reply. It was like, thanks. That was the database used for testing, and they terminated the instance. Which means it was a test server that they were using for something else and it was made public by mistake.
So stuff like this is fortunately or unfortunately on the Internet, and if you have a large organization, I would definitely recommend you to ask your red team, or you yourself, to do a perimeter scan. Yeah, because sometimes you would be surprised to see the stuff that is online for your organization on the Internet. Like, I used to work with this company, and then I did a subdomain scan, and then I went to my DevOps engineer and I told him, hey man, do you know where this subdomain is? And he's like, no, I never knew that this existed, and it was a Jenkins dashboard. So you know what Jenkins does, right? And it had no authentication and it was lying on the Internet. That was one of the first things I did in that organization in the first week, so I got a good bonus. That's a different story. Yeah, and this thing works well, too. Like, oh, shit, there should be another screenshot on this slide. Okay, I found several JBoss EJB invokers, so remote code executions on Yahoo. They pay well, too. I got about $2,000. I should have got more, but I've got a few such vulnerabilities.

Again, this is something Jason has talked about, EyeWitness. If you don't know what EyeWitness is, I would definitely recommend you to go and play around with it. If you have a bunch of subdomains, you just send them to EyeWitness and ask it to scan, and it's going to do something like this. This is a screenshot of another tool called Snapple. So what these tools basically do is they hit the URL, try to capture a screenshot of the index.html page or welcome page, and they just show it to you. If I have something like this, the first thing I would try to do is, if there's a login screen or if there's something that says "it works", you know what "it works" means. If it works, then it should work for you, too. And if I see something like IIS 6 and not IIS 8, I'm like, yeah, sure, I'll take that. I would love to play around with that.
And things like this, I don't find them when I do normal pen testing, but then when I'm just about to go to sleep and I'm like, I'll just run a scan, I find these things and I basically spoil my sleep.

I'm sure everybody, everyone here knows how to use Google and Google Dorks. I really don't want to talk about it, but I just want to show you a very small thingy here. This is where it is. If you go to Google.com, oh, yes, Google.com, and say site:yahoo.com, that's absolutely fine. So when you do that, it's going to basically give you all the websites which have the domain name yahoo.com, no rocket science in this. But one really cool feature about Google.com is this advanced search. There's something called tools, and you can have a date range here, and for organizations like yahoo.com, which were started in the early 1990s, if I'm not wrong, just modify the dates to 1991 to 2000, and just click on Go, and basically what Google is trying to do is give you the list of URLs which were live between 1991 and 2000, and I guess this is self-explanatory for you. A few of these pages must even be running basic HTML and older versions of JavaScript. This is a huge playground for you now. All you need to do is go there and then start looking at what the different JavaScript versions are and then play around, and then that's it. It's self-explanatory. And I also used to use this technique for bug bounties, like I used to search inurl: bug bounty. There are a few organizations who still don't have a bug bounty program on Bugcrowd or HackerOne or Synack.
They have their own websites, so when you do that, if I try to search for something like this, instead of having a date range which says from 1991 to 2000, I'll have a date range of the last one month or last one week, which keeps me updated about all the latest bug bounty programs which come on the Internet, which means you are one of the first people who are looking at the target, which just means you have a better probability of finding vulnerabilities. I see that I just have three more minutes, so I'm going to quickly run through.

Again, Google Dorks. Everyone knows about it. If you don't know, you should definitely go and check this out. It's fun. And this is again with Yahoo. I was using some Google Dorks. I just put fms_admin console. This is an Adobe Flash Media Administration console. Adobe basically decided that they'll stop supporting Flash after 2020, if I'm not wrong. That's what I read the other day. Again, this was an administration console I got access to. No access controls, no passwords, nothing, just subdomain.yahoo.com fms admin console and that's it. And I actually found this on Google, literally using Google search. So I'm like, free money. Thank you. I mean, if you're walking on the street and if you just... I don't want to give that example. That's okay.

Do you use GitHub? I'm sure most of you do. Has any one of you ever made one of your private repos public for two minutes and then made it private? That's a bunch of smart people there. Thank you. Thanks for raising your hand with me, because I've done it once. Now, as we all understand, there are a lot of scrapers on the internet. So even if your private repo is public for only two or three minutes, it's already gone. I'm really sorry. And if you have a... GitHub, please give them some training and then please tell them not to have private keys on GitHub.
Please tell them not to have usernames and passwords on GitHub, because, I don't know, unfortunately, it's a sad story to see usernames and passwords on GitHub. I know a few of you would be thinking I'm bullshitting. I'm not. So this is a vulnerability I submitted to one of the largest organizations. You know what it is. This was a year ago, so that's still all right. There was this random user who had this @salesforce.com username and password on one of their git repos, and I was like, thanks for giving me your username and password, man. I really appreciate it. I just reported it to them. At first, they said it's the employee's problem. They didn't really want to pay bounty for it, but then they agreed to pay bounty, and I'm like, do you really think it's an employee's problem, or do you think the organization is going to pay bounty? I don't know. Microsoft has DLC. We all have to do that. Yeah.

This is another tool. It's called LinkFinder. I'm going to quickly run through LinkFinder in about 30 seconds. What it basically does is you give it an input of a JavaScript file, and it's going to run a scan on the JS file and spit out all the URLs which are inside the JS file. I was ignoring all .js and .css files, but trust me, never ignore .js files. You might find some juicy links. I'll just give you a simple example. This is a very large organization. A few of you might recognize it. If you don't recognize it, I'm really happy. I just right-clicked it. I tried to view the page source. It gave me access to a subdomain. I was like, I've not found this subdomain with Sublist3r or subdomain scanning tools. I might as well check out what's in here, and I just checked it out. I start playing around and there you go. It's self-explanatory. I did cat /etc/passwd and I was like, oh, it's command injection. Thank you. That's free money there. How much time did it take for me to do it? I guess less than an hour.
I wouldn't say five or ten minutes, but it's worth more than $2,000. So I'm like, yeah, sure. I don't mind $2,000 for 30, 40 minutes. So for this, LinkFinder. It's on GitHub. I do have a quick demo for this. So you just download it. It's simple English: python linkfinder.py -i. I'm just running it on demo.testfire because it's easy for me. It will generally not give an SSL error. Oh, that's because of the phone, I guess. I'm sorry. I think it's smaller. I'm sorry. I didn't get that. Yeah. I'm sorry. We can't see it in the back. There's an SSL error anyway. So that's like, shit. So you should try LinkFinder. I guess there are a couple of other tools by NahamSec and zseano. That's Sean. They are a few of the top bug bounty researchers. So I forgot to change the title, but yeah. Play around with JS files. Try to find some links. You would find some juicy information. Start playing around. I'm sure you'll find some critical ones.

So the whole point of doing this kind of recon is you no longer find SQL injection and command injection on login pages and the main web applications. That's why you would try to find other places where you can find candies and cookies. So you just try to find those places, go to the store and then get your free candies. So moral of the story: recon is really cool. If you are doing pen testing, if you are doing red teaming, you should definitely do recon. If you are a red team engineer and you have not heard of a few of the things that I've talked about, or Jason Haddix's talk, then you should probably go back, quickly do a Google search and then try to play around with those tools and run them against your own organization. Again, run them against your own organization first before doing it in bug bounties, because you don't want to get hacked and you don't want to get named and shamed. There is one final thing that I want to demo. This is another cool tool by NahamSec. Let me zoom it.
It's called HostileSubBruteforcer. So there's this attack called subdomain takeover, if you have heard of it. So this tool is really cool. It not only gives you a list of subdomains, but it also checks if you could do a subdomain takeover, and I really love using NahamSec's tool because if I use this tool, it's just helping me with the subdomains. It's giving me the IP addresses and it also gives me the response codes. So if there is a 301, I generally don't like to check it, because obviously I think they are redirecting the subdomain to the original domain. If it's a 200, that's when I like to play around. And if the tool says there might be a subdomain takeover, that's when I go back and see if there's a subdomain takeover. And then, to be very honest, I've only found one subdomain takeover in the last one or two years, which is really sad. I think I should probably work on it more, but maybe that's not my skill.

So these are a few cool people that you would want to follow if you're interested in recon. Most of them have pretty cool tools. Most of them do a lot of research in recon. And me, you also want to follow me. Credits: I have not used a lot of memes and GIFs. Yes? Last page, this one? With the names, okay. Ten seconds to take a photograph. Nine, eight, seven. Okay. Six, five. Okay. Oops. Credits, thanks to all the authors. Again, I didn't write these tools. I have a tool, it's called FuzzAPI. I basically presented it in the morning and at Black Hat Arsenal, so I don't want to talk about it because I've talked enough about it, but thanks to these guys for writing these tools. If you have some other ideas with respect to automation and recon, you should definitely do it. If you do it, please open source it, because sharing is caring, right? Thanks to these guys for making the Internet secure again. Like, yay. I work with Synack. You should definitely check out these guys and then... I don't work with Synack. I do bug bounties with Synack. Sorry, just to be clear.
You should do bug bounties. If you don't do bug bounties, it's probably the right time for you to get in, because you can learn a lot at the end of the day. Forget about bounty. You can definitely learn a lot and I would definitely recommend you guys to do it. If you guys don't have a bug bounty program, if you want to learn a lot, you can do it. Thank you for listening to me. Any questions?

Yes, hi. Yes. So, unfortunately, I'm not... Yeah, his question is how to attack stuff that's behind Cloudflare. Unfortunately, I'm not an expert in that area. I can give you an answer, but my answer would not be the best answer. So I don't want to direct you in the wrong direction. So I'm a nice guy. Yeah, so there is this guy called Pete Peter. So if you just go to YouTube and type "Peter S3 buckets", he talks about how to take over S3 buckets and he talks a bit about Cloudflare too. So if I were you, I would probably go there and then look at his talk instead of taking a point from someone like me who's not an expert. Any other questions? Thank you. You'll find me around if you have questions.
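The LinkFinder step described in the talk (pull every URL and endpoint out of a JavaScript file, then notice hosts your subdomain tooling never found) as an added example, not code from the talk or from the LinkFinder project: a small Python extractor that an app-sec team can run over its own JS bundles to see which hosts and paths they reveal. The sample bundle, the example.com hosts and the "known inventory" set are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample JS bundle (hypothetical site, not from the talk). It mixes
# the kinds of references a LinkFinder-style pass surfaces: absolute URLs, a
# protocol-relative CDN URL, relative API paths and one plain static asset.
SAMPLE_JS = r"""
var cfg = {api: "https://api.example.com/v2/users", cdn: "//static.example.com/app.js"};
fetch("/internal/admin/export?format=csv").then(r => r.json());
const legacy = 'http://staging-old.example.com/fms_admin/';
$.ajax({url: "../rest/v1/orders/" + id});
var tmpl = "/images/logo.png";
"""

# Quoted absolute URLs: with a scheme, or protocol-relative (//host/...).
ABS_URL_RE = re.compile(r"""["'`]((?:https?:)?//[^\s"'`]+)["'`]""")
# Quoted relative paths: /x, ./x or ../x, but not //host (handled above).
REL_PATH_RE = re.compile(r"""["'`]((?:\.{1,2})?/(?!/)[A-Za-z0-9_./\-?=&%]+)["'`]""")
# Plain static assets are noise for endpoint discovery; drop them.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".css", ".woff", ".woff2")


def extract_links(js_text):
    """Return a sorted, de-duplicated list of URLs and endpoint-like paths in js_text."""
    found = set()
    for m in ABS_URL_RE.finditer(js_text):
        found.add(m.group(1))
    for m in REL_PATH_RE.finditer(js_text):
        path = m.group(1)
        # Check the extension on the path without its query string (/a.png?v=2).
        if path.split("?", 1)[0].lower().endswith(STATIC_EXT):
            continue
        found.add(path)
    return sorted(found)


def referenced_hosts(links):
    """Hostnames named by the absolute URLs among links (sorted, unique)."""
    hosts = set()
    for link in links:
        host = urlparse(link).netloc.lower()
        if host:
            hosts.add(host.split(":", 1)[0])  # drop an explicit port
    return sorted(hosts)


def unknown_hosts(links, known_hosts):
    """Hosts the JS reveals that are missing from the inventory known_hosts."""
    known = {h.lower() for h in known_hosts}
    return [h for h in referenced_hosts(links) if h not in known]


if __name__ == "__main__":
    links = extract_links(SAMPLE_JS)
    print("URLs and endpoints found:")
    for link in links:
        print("  ", link)
    # Constructed inventory: the subdomains the team already tracks.
    inventory = {"api.example.com", "static.example.com"}
    print("hosts not in inventory:", unknown_hosts(links, inventory))
```

Point the same functions at a real bundle's text (after fetching it yourself) and compare the result with your subdomain inventory; anything in the "not in inventory" list is a host your own JS is advertising that your recon tooling missed.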