Bug Bounty (how to make money HACKING!!) // ft. STÖK

Captions
what's going on guys welcome back to networkchuck today man we're talking more hacking i promised you guys i have some hacking people on and i got this guy i want to be him when i grow up seriously he's awesome it's STÖK you've probably seen him he's a youtuber man he's got like almost 70 000 subscribers talks a lot about bug bounty which is kind of a crazy thing it's a way to make money hacking legally but anyways i'm gonna go ahead and play his intro real quick it's such a cool thing and i have to play it so here it is real quick oh wait that's not it here it is hi i'm STÖK and this is bounty thursdays so super cool dude i mean his his video editing puts me to shame his look and feel i just i i envy over that um but anyways STÖK is on right now what's going on say hi to people hi everybody it's so awesome to be here thank you for bringing me on your show yeah dude i you've been on my list for a long time so it's just a pleasure to have you on here and i brought you on to talk about what you love doing you have your show called bounty thursdays which is talking about bug bounty when i first started getting into hacking i had no idea bug bounty was a thing so like real quick we'll go into who you are where people can find you and everything else but first what is this bug bounty thing what is it it's kind of complex but also very very simple so let's for instance that you found a vulnerability or let's break it down it's a way for security people like security researchers developers security curious people to identify security vulnerabilities in applications and programs or companies that have something that is defined as a bug bounty program which means it's a way for for people to actually report those kind of bugs into their security system and if it's a valid bug like a serious security issue because bug bounties is all about impact and we'll talk about that later you will get some kind of reward it could be some kind of 
points it could be a hall of fame mention or it can actually be hard cash so okay bug bounty so basically these companies and we're talking like not just small companies or even mid-size we're talking like fortune 500s they're paying random hackers to find vulnerabilities in their systems yeah yeah that's how it works it's leveraging the the um leveraging the crowd is kind of the way to say it because crowdsourcing yeah yeah crowdsourcing instead of using this one kind of pentester um organization or company that every quarter comes in and tests your systems you're more or less having a continuous testing of certain parts on on your application your websites and some companies even have something that is defined as an open scope like uber for once everything that's related to uber is in scope which means wow yeah i am they got they got it start.uber.com and there might just be a certain like a couple of them i haven't read up on their uh current um report or or the way that they explain what we're they're doing over at hackerone but usually what it is it's that the company like let's say like verizon or uber or maybe dropbox or some of the big organizations that have this kind of stuff says that okay we we have the bug bounty now and these are the things that we have in scope and we would like for you as a security researcher or just a security curious person to poke at stuff until it breaks and then if it breaks badly we'll throw money at you which is kind of the way it is that's crazy to me because like i know that a lot of people have the understanding that these big companies like apple and uber they probably like i assume i have assumed for a longest time that they just have the most amazing security staff on their teams and they probably do but they realize that even with that they are still vulnerable they can't uh they can't look at everything and find every single issue so they depend on companies like hackerone to find people like yourself to come in 
and try to break in and yeah that you all do you do find places to break and you do find vulnerabilities which blows my mind um so hacking illegally is a thing how did how did you because i've been watching your channel for a long time so some of these questions already know the answer to but a lot of people don't how did you become a bug bounty hunter is that the appropriate name are you called a bug bounty hunter are you do you like the term hacker what do you like i like to be called a hacker because i want to normalize the the thing that that's what said yeah that's the thing we we because people do this misconception where they think hackers are criminals and they have this term called it's called now it's called ethical hacking and and that kind of annoys me a bit because we have we have ethical doctors yeah of course we have that and do we also have ethical plumbers in theory anyone that just follows the code and does it right is define a plumber we don't need to have an ethical plumber because i like that the other plumber is going to be shady oh sorry that was french guys [Laughter] and that's the thing for me hacker is a hacker somebody that breaks the law is a criminal so i i love the way that casey ellis explains it he usually says it this does casey ellis is the founder of bugcrowd which is also one of those marketplaces where hackers can meet companies and exchange bugs kind of um and and and he explains it in such a good way let's say that um you know a locksmith right somebody that could help you open your door if you lost your keys like you're standing there outside the door like damn i don't have my keys on and my phone is locked inside the car and the extra pair of things that i need is in there so you're knocking on your neighbor's door and you can borrow the phone you call a locksmith that person comes over there and uses this this locking picking thingy and then opens your door lets you in and they have the skill maybe you know to disarm your 
alarm if something broke and that kind of stuff they are professionals they are professionals on opening doors and when they're done we'll say thank you this this was the problem you apparently lost your key here um but we'll replace the cylinders and and we're good to go so bye bye now and they leave on the other hand a burglar or a criminal would be somebody that uses the same techniques but then he steals all your leaves the notes and maybe takes a dump in your bathroom and goes out that's a criminal you know that that's not something they're supposed to do we are professionals hackers see that as your friendly locksmith and the ones that like to break the law and do the other things they are burglars they are criminals i'm not a criminal i like to sleep at night you know that's why i do bug bounties because bug bounties gives me the way to poke at all these amazing companies and try their security posture without the risk of being thrown into jail and that wasn't possible 10 years ago that and that's crazy like 10 years ago that wasn't really a thing like i know that they would have like the random things like where these rogue hackers might find something in the company would go oh thank you for doing that here's a reward i'm not gonna i'm not gonna throw you in jail but now it's like an official totally above the book above the board situation so how did how did so i i love that we're in the the term hacker as a badge of honor it's it's like a plumber it's like a locksmith it's like anything you can do it bad and do it good um yeah and i honestly i do kind of like the whole black hat white hat ethical like whatever there's just hackers once summer good some i love that i love that so much anyways um so how did how did you get into hacking and bug bounty have you been doing it for a very long time it started back in i think it's early 2018 like i think in the spring of 2018 that's where i really got got started with it okay and i got introduced to bug bounties 
in 2017 when i went to defcon and i knew this um i i i wasn't really fully invested in what what hackerone was but i had a couple of friends uh called a friend called frans rosén that's seen some of the some of the before i started doing hacker educational or cyber security related content i did some blue teaming kind of video content and he really liked that and he said i got this really cool dude that i wanted to meet over at hackerone his name is ted kramer and they're going to be at this hotel and it's going to be this live hacking conference or event and i'm like whoa that seems cool what can i do to do that and then i spent like most of the day trying to socially engineer myself to be at the bar and i got in eventually and and then just got in there and you started to talk to people and because i was on i was on the defensive side i was working as a systems architect and and um and i had 25 years of experience as an i.t professional so i was there just because i was more interested in the in the defending end of kind of things and i was interested in having to the offensive part but when i find out that you can actually just poke at stuff get paid and you can experiment and and learn stuff on these companies that i thought was totally like you you can't touch those it just blew my mind and and i started to to try to figure things out and then eventually let's say three quarters later in early in uh in may i think i had a possibility to join frans rosén to goa india for nullcon which is the security conference and there i met jobert abma which is the founder of hackerone and we were sitting i was sitting editing some stuff and having some beers in his room and he said and i and i used to ask him like could you show me some hacking and he said and he pulled up burp suite and uh he said okay check this out and then show me some kind of things in there and i'm like i need to do this this is my calling in life and then then i did nothing but eat sleep and i can 
repeat that for the last two and a half years and and yeah i i made a lot of money and i traveled the world doing these live hacking events and uh and that and i love it and now every chance i have i'm sharing my adventure and experience that i'll pick up along the way with others so this is just the coolest story so many things i want to unpack so i'm just like okay i'm trying to figure out where to start first um nahamsec said that you can make pretty good money hacking i believe him i believe him that bug bounty is lucrative is it truly that lucrative for you um to tax reasons i'm not going to give you any numbers but i did i did more than i earned in a full year as a systems architect in a re at a really good firm in a few months what okay okay so my audience is already like okay tell me more how do we do this so i i want to walk through because i know everyone's not starting from where you're starting from you were already at a hacking conference so you obviously had a strong interest in hacking you were blue teaming now i do have this honest question like i i have some fuzziness on it what's the main difference between someone who's just an i.t security so maybe like a networking security expert or system security and then also what's the difference between them and a like a blue team expert is there a large difference no not really they they are all doing the same thing but maybe you're let's say that your job is to secure like like we talked about vulnerabilities right we did that before and you're a network kind of guy and you know that you're not you're only as good as the latest firmware that that your knowledge just reached it's that's how it works a new release comes out you kind of need to upgrade your game because there are some fixes or some other things that that's been put into that people companies like cisco or or or aerohive or whatever you don't release things for the fun of it it's feature updates and there's there's vulnerabilities that 
they oh yes i literally said that in my last video i'm like guys i was telling people to upgrade their router firmware at their house like there's a reason they update these things it's not just to make you have to reboot your router no you need these things because they want to protect you right and if that's one of your area that you specialized in but if we're taking it a broader uh let's say that you're stepping up a couple of notch then you have a team of network engineers that the only job that they have to do is to work for uptime like keep the uptime up there's redundancy there's patching there's there's load balancers there are all this um high-end infrastructure that's running but then you got some shitty windows boxes behind those that that needs to be updated but they are legacy so you need to defend those like windows xp or something maybe maybe you know you know where i'm going for real though i walked into a cisco data center i was doing a tour there i saw a windows xp terminal up and running and they used that sucker i was and this was like two years ago i was so appalled anyways continue you see see how it looks in the transport industry it's it's it's super common anyway so you got all these um these computers and servers and everything and somebody needs to monitor and take care of that that's usually like a noc or a soc or something and in the whole idea about blue teaming is also being able to identify breaches okay so we got a breach how do we deal with it how does the threat hunting work how does the how do does the incident response team work all that kind of stuff that you need to protect inside your organization that's what blue teamers do we defend the system against external attackers and we need to have systems and things to monitor that so let's say that you have a siem or something that your your switch is talking to and all that we will see some malicious traffic on somebody trying to fiddle around with the ports then okay we okay 
that's probably something physical that something's happening but or maybe there's just a lot of brute force uh logins happening over at the vpn uh or the the or the asa or something like you you want to know what's going on and okay it's more in the defending role but it's more like a global role you need to know everything you can't just protect one thing yeah see like i've been did it clarify a bit oh it totally did and now that now that you tell me that i've been in situations of my companies to where um i was that role like even though my my focus my specialty was networking i did the window stuff i did everything else we didn't have a dedicated security staff security was left up to me and uh and i was monitoring those things looking we didn't have a proper now i always called it a seem the s-i-e-m i'd see him science sounds better to me um so i i did have that and i used that so yeah i guess i was a blue teamer at one point uh so you you were a blue teamer and you were what would you say is your specialty or did it just have to be everything like you're monitoring the whole network and the all the the systems i think like going back at it you know my specialty is troubleshooting or or just finding anomalies that's always been the thing you know if and it's more like the soft infrastructure now now when devops has turned into what it is today like application is infrastructure or code code is infrastructure uh it's it's different so so i can't wait that way man the world has just changed a bit so but i would say my passion is still and always has to be an active directory you know it's the heart and the source of windows environments especially in big bigger enterprises if you reach over like um two forests and and five to ten thousand users in your organizations you need to be able to manage to understand what's going on if you don't do that you're that's kind of how it is that's that's encouraging for those people i'm just kidding no it's all good that's my 
background so you kind of that you kind of need to know that i've been doing this for like professionally as a consultant i have over 45 000 hours built that's and and that's not just on one company it's i went to companies to help them sort things out and and and that's that's what i've been doing most of my life so i've seen a plethora of different environments and i just realized that i'm so good at finding the anomalies and we see where people cheat or where they miss doing stuff that i was a really good offensive person because i knew where people kind of missed things and that led me into taking that background and we know web experience but but then understanding how applications and logic work and how things communicate that just gave me a big heads up on the things that i do i still don't know cross-site scripting i suck at it but but i'm good at logical bugs and race conditions and weird stuff so okay that that bleeds into a great um question i want to get into and that's um you obviously had a leg up because you did a lot of blue team security for someone who doesn't have that experience what would you say is the best way for them to step into uh bug bounty hunting which is basically red teaming and offensive oh yeah i would say uh get yourself some kind of or this is what this is how i did it from from an absolute beginner to uh doing the things and not and i i know powershell i and i probably could reconfigure a couple of old cisco routers using the old language or but but i'm i'm not i'm not a developer by heart that i can read code i can read a lot of code but i don't i don't write it i can copy paste myself through life like that's probably how it's that that's nicely said um so i would say some what i did is that i got myself a burp license right and and burp is a proxy so what it does is that if you're having a browser because you need some way to interact with this server or application so usually that's a browser or it could be a phone with an 
app on it that app communicates over the network to this application and it's going to be some authentication in there there's going to be some tokens and there's going to be a lot of jam to authorize you as a user to get access to that system and a way for us to do that kind of matrix breakdown where we can actually look at it and see what's going on without kind of guessing is to use either uh we can use the the chrome developer tools or we can use a proxy my preferred proxy of choice is portswigger's burp suite and and a couple of plugins like logger++ is some of the ones i use and some others and i use started to browse each and every website that i ever normally visited and had it in a passive monitoring mode so i didn't want it to actively use poke stuff but i wanted it to report things that you know kind of stood up and doing that i used gracefully understood how applications worked i i just had it passively on one screen while i was doing my normal jam on the other one and then i could see things in the beginning it was like ugh you know i have no idea what's going on seems fun i guess but after a while you're getting used to it it's like when you're doing juggling you you need to learn how to do the throws first before you can add a third ball and then the fourth and then eventually you're up and going and it's all fun so i would recommend anyone to get some kind of proxy and then you start looking at stuff and you're basically putting yourself in the middle of your web browsing right kind of like a man you're a man in the middle of attacking yourself right you're just kind of putting yourself in the middle and you're monitoring 100 that's what i'm doing and i'm looking at stuff because you can intercept it on both ways and say you can say login user blah blah and then it will respond back the web application is going to respond back okay STÖK seems to be a member of this organization he has the role of user and then you intercept that and 
change that to admin instead and suddenly you have access to the admin panel fun stuff and that's just a simple match and replace rule because the browser doesn't know it and maybe it's a browser side authentication part so you will get access to it they need to harden stuff on the api of course but you get the idea maybe you will get some part of the ui that you're not supposed to see and you can automate stuff and do brute force attacks and a lot of fun jazz with these kind of applications i recommend anyone to do that but then again you know if you're super super curious about web application hacking hacker101 is a great resource for you hackerone has that portswigger's academy super good too very educational okay and and if you want to spend a little bit of that good cash throw that over at louis over at pentesterlab.com they're sponsoring my shows but primarily because i love the that they do it's a very simple getting from beginning to end kind of trying stuff you learn how to use the linux terminal then eventually you learn how to do some basic web pen testing and then eventually you grow because it's it's all about doing these live kind of things in a tutored way tryhackme hack the box all these amazing sites try to look for the ones that have any kind of web application based stuff because you won't be doing the oscp on this one it has nothing to do with it it's internal networking for oscp and this is a different kind of jam interesting okay so there's no like official certification path for bug bounty no interesting okay so it's kind of the wild west right now it's it's a little bit different and there's a couple of courses out there that you can attend but none of them are like really good and if you let's say that you're let's say that you're able to to master the top 10 on on the owasp top 10 list good for you go get that dough that's how it is so um you mentioned that you don't really know any like you you can read code uh but you don't know 
how to code is it is that accurate i kind of you know i do bash i do python okay and i do normal stuff and i and i dabble with you know i can write to an html and css and maybe dabble with some javascript but that's about it but two years ago i had no idea about that because i spent all my time into powershell so i kind of had to learn this because i want to break web i think web is fun it's the frontier it's the front end it's getting past the waf and destroying stuff or no helping organization being more secure of course let's adjust that so that's that's interesting so it's so cool to hear that you were a windows person pretty much like you were powershell you were active directory were you were you big into linux before any of this no at all really interesting wow so two years ago this is my primary operational system now that's that's wild so obviously linux is a big deal because it runs most the internet right so how did you start learning and picking up linux html css python was it just getting into it getting your hands dirty or did you follow any kind of structured path to learn i got too much adhd to study man i'm seeing the things that you guys do and you're sitting there studying reading i can't do that it's only hands-on for me it's it's i'm extremely auto visual so i need to have that kind of interaction youtube big helper but then again being able to just call people up and ask people i got a strong network of people that i can talk to but most of the things that i do is primarily built upon me just doing the grind it seems ridiculous but the only way to really level up in this is not to get any handouts if you get a handout it's like it's this old christian saying that that's if you if you give a man a fish you will feed him for a day if you show a man how to fish you know he'll be probably sustained for for a lifetime and and that's the whole idea you need to do the work and for me i know this really cool website it's called www.google.com i type 
things in there and things come back that's kind of how i do it i google all the things i see myself as a black belt in in google that's how i do that's that's such an underrated skill that people just don't realize how important that is my gosh um i feel like i talk about it on every stream because it every every person i bring on who's an expert in their field which i mean you're an expert in your field that's the skill they bring up google there's no secret to like learning all this stuff it's like you google something and someone has done it or learned about it or dealt with it it's amazing i think the skill is to find an anomaly or the way that is to some kind like i don't know sort out the information what is actually important for me at this time i think that's the the skill set that's and i love and i think a lot of people are attracted to the way um that like learning hacking and becoming a bug bouncer bug bounty hunter the path to that isn't necessarily like okay study for the certification then pass your test and then maybe you can like no it's not that it's it's mostly hands-on it's mostly developing those skills as you do and that's attractive but i know there are people and this is kind of half me where i kind of want that structured skill set i want to like okay if i want to be a bug bounty hunter i need to know this much linux this much python whatever what would you say are like the top five skills and this is on the spot because no matter here we go top five skills you would say that a bug bounty hunter needs to start kind of building on right now i would say um first off know how to do internet cloud infrastructure you need to be able to spin up vpss so you're able to because you don't want you don't want to attack from your own server bear with me oh man i'm going to give you this let's say that you're doing a race condition you understand the concept of a race condition right that you're sending a request in and then the response is coming back 
and if you send multiple requests in then the backend needs to kind of figure that out it is all based around the concept about around time and bandwidth so let's say you're sitting in india and you're trying to have a race condition on something in in on a website you're trying to redeem a coupon for for ten dollars at starbucks right and and you want to send not one request and you want to send 100 requests at the same time and hopefully the system's not going to be fast enough so it will redeem two of them so you get you get 20 worth of coffee instead of just 10. how often do you understand the concept there yeah it's it's a race condition it it's one of those things that the back-end can't handle the amount of traffic going on but if you are sitting on the other side of the world let's now now we network nerdy here and we're having latency and bandwidth issues because you're you're having a lot of router hops before you reach that site on the west coast of the us what happens if you do a little bit of osint and realize that okay these guys are in the the second data center on in that amazons where that's going to be probably somewhere around here then you spin up a ssd drive high bandwidth kind of service there and run one of your tiny python scripts from their headless suddenly you're sending thousands of requests with super low latency if you're really really good at it you might be able to spin it up in exactly the same rack now you're in for the good money because how do you protect against that that's using the internal infrastructure that's crazy okay i know i know cloud i've got i'm azure certified in aws i know that pretty well so that's that's crazy being able to use the skills and figure out how to find places in the infrastructure get that low latency and be able to attack very quickly now question for you though is there kind of like a gray legality in that area because it technically you are offensively hacking someone using aws infrastructure 
understandably if you're using bugcrowd or hackerone that company gave you permission but will aws get kind of mad at you for using their infrastructure no why would they they might just abuse you like you get you get some abuse things but the thing what you're doing is that you you are using their infrastructure to attack a target that have given you permission to do so so if are you allowed to host random stuff on your website in aws are you allowed to use that as a vpn and then surf on the internet on the other side of the planet yes you are so it's all about that stuff you're not attacking somebody that's not asking for it you're only doing it on the things that are in scope and that's the important thing don't step because if you are in scope you got safe harbor there's then then there's a lot of things that will help you out because you say you can say that oh i accidentally sent away 5 million requests that was a bit problematic so it's all about being smart right and what i normally do is that i i run you know um you know nmap right oh yeah okay cool so you know nmap on internal networks can take a little bit of a time if you're trying to scan like a couple of thousand addresses you can go to bed and you get up in the morning but instead what you do is that you spin up 25 droplets on digital ocean and give them five ip addresses each and then you send that away with a full tcp scan and each and every one of those are sending the requests in now you're staying underneath the radar and bypassing the wafs because you're using these only five requests coming out from this independent ips that's distributed scanning interesting no a droplet is it like a a docker or kubernetes kind of thing or is that just a little virtual machine it's a small virtual machine okay but you don't you don't need massive you need one one of these tiny you know one gigabyte ram kind of because you're using nmap on it use one have massive bandwidth throughput wow okay that's 
pretty cool and and it gets me thinking you know there's kubernetes which is you know deploying mass scale architecture uh containerized could totally do something like that that's interesting okay so cloud skills didn't see that coming honestly being one of the things that you might want to have as you're developing your bug bounty skills what's the next one i'll say the other one would be uh understanding of the the second one would be understanding impact and it's ridiculous because you're going to end up in a situation where you find something you're like holy smokes this is a really massive bug i'm going to report it in and then it's just you know a faulty configured spf record on on a host that somewhere like nobody cares about that unless you're doing a vulnerability assessment for for a company so they know about certain stuff because in pen testing you need to report everything but in this case you kind of need to know understand impact what is impactful for this organization because it's changed from organization to organization let's say uh information disclosure on on one organization for instance let's say uber let's say we had an information and disclosure on uber where we will get the um the pii information of drivers would you consider that free to be uh impactful bug maybe it depends right but if you had if you had the possibility to to ask somebody an unknown person to get pii information on that uber driver's clients now we're talking about information that really shouldn't be out there personal information credit card information all that stuff that's connected to that that that's information that they will be very very concerned about if that information goes was found out it could also be like trading data like in if you would see if you had a possibility to get information from an api let's say that the x amount of sales has been going on from blah blah during this period and that's not public information then you can use that to do insider 
threats or insider trading for that company because you know how to place the stocks that would be an information disclosure that's valuable but somebody's email address not as much interesting interesting okay and that's a big deal how often do you find yourself like discovering like these like you're you're first of all how long does it take to like hack a target and try to find a bug it depends on the target like on average like what's what's the shortest amount of time you've spent and like the longest amount of time you spent that's not a relevant answer because it it it would be um it would be weird because you can stumble upon something that could be a 15k bug just randomly you can you stumble upon that and and then because what could happen is that two three one now a developer just pushed some code into a developer instance that they wasn't planning on and the aws keys for the whole infrastructure is now in clear text available to access on that host on the internet that's a critical bug it's an information disclosure that's really really terrible and i can ramble and randomly stumble upon it but it can also be one of those bugs that that are very very deeply inside the code base that this old api re um endpoint that hasn't been used for a very very very long time and it's been ported from one generation to another and it responds back with i don't know clear text you and password from users and you wouldn't know that because unless you really studied the the design of that api that would take a lot of time yes i totally get what you're saying here so it could be completely random it could be like the first five minutes of you just monitoring it on a daily basis and you come in on a friday and the developer push some code and crap you just found a vulnerability now that that that opens up another idea do you currently have just active scans that are all the time happening and checking open websites to see if there's any vulnerabilities like just kind of 
like throwing your your net and your bait in the water and just have a bunch of traps set a lot of people do i don't i have a couple uh monitoring things that i monitor sites that i really like to hack on for changes like if if there's been a push of a new javascript somewhere i want to know that they committed code because today in in the landscape we are today um does and i and this is also a question does it make sense to do security audits every quarter when you're pushing code every 15 minutes um yeah gosh with with the devops life cycle now it's just yeah constant it's continuous right so you need to have continuous testing that's why bug bounties is so important part of the whole uh security posture that's why organizations once they have matured enough because not all or not organizations can deal with this because there's got a lot of noise coming in there's going to be a lot of crap reports being sent in because there's a lot of beginners in the field that's want to send stuff in that they think are super critical i was one of them i've done some crappy reports but you send those in and because you're testing the water you don't know there's no playbook here and and you're sending those in and you're happy and you're hoping that it's going to be the big win and like no we don't care about that that's informative or what a letdown though right because you feel so like proud of yourself yeah yeah yeah you're like oh oh beefy up but i got this going and then they slap you on their head like no that's not for you and you need to go back to the drawing board and just build up a new posture so i would say understanding impact is a very important part if you want to be a bug hunter to understand the organization why are they doing this what is important for them and then look for things that would be relevant to that that's the second thing that you you kind of need to understand so cloud infrastructure because you don't want to if you're running and the reason 
why maybe you're you're living alone in your apartment you got a fiber connection is all good but as soon as you get a girlfriend and she wants to check out netflix and you get that akamai ban it's not a happy family so you want to make sure that you vpn up not for your protection but for your but for your local home ips and not getting flagged or just being cloudflared all over so that's why i do most of my hacking through a vpn or through a vps service so i can distribute it and i can just live my life in my normal box quick question before we go to the third one do you use proxy chains at all or just mainly vpn and vps no i i do yeah i i do proxy chains over ssl okay okay cool cool so that that's what i do and then i use um i use different kind of vpn providers i have been particularly fond of mullvad vpn and f-secure's freedome because they they just have good throughput and uh and they have many exit points because sometimes when i'm gonna bypass country restrictions because i want to hack on a website that that kind of has this code that is defined to a country i want to be in that country to hack because i can't see that if i'm if i'm on another country ip so i use those i've never heard of any of those providers are those like i i have the ones that do not sell your privacy [Laughter] [Music] so what were those again one more time mullvad.net how do you spell that and i'll type it in the chat for you yes yes because i have no idea how to spell it that sounds interesting though check out that mullvad.net and it's because they they really don't log because if you're using a vpn you need you you talked about this but if you use a vpn that's kind of shady you're sending all your traffic to them and it's congratulations this is a man in middle attack for you and somebody else can just listen to what a traffic do you do i use those because they are not financially um driven and they are independent and i like that that's good that's good um so okay third one
what what's the third skill that we should look at and uh trying to develop bug bounty skills um be a part of the community uh being able to find people to hack with because collaboration is key in the end you can be on your own but then you you're going to end up in a situation where you think life is really really boring because you're hacking on your own and you want to talk to somebody and if you only have friends that don't do the same things that you do you don't have anyone to ask and you and you is probably going to stop because you're not having anyone that motivates you like you're having your study group now there's a bunch of people that are studying together because well you have a community there this is the study community we do this kind of stuff try to find yourself a discord that people on your skill set or your level are also as well like you had been on like the the nahomis discord is cool definitely insider uh phds uh discord is cool there's a bunch of them that you can just chill out and maybe you have your own i don't know if you have discord i don't create some kind of yeah you do hey everybody should be at network shops this in in the bug bounty channel and talk about bug bounties because then you will find people to hack with and then you'll connect people so i would say that's a good thing um fourth be uh be persistent this is going to take time it it could be it could take up to a year for you to find your first bug but if you're in yeah but then again say you never okay so you wake up tomorrow and you realize that you everything you learn about networking through the years is gone how long does it take for you to set up a new cisco cluster yeah it's that would take a take a bit it'd be a lot take a bit right yeah and you'll look at that and but this is all blind as well so you'll have no manuals you will have no interface you need to figure out you need to solder the interface first to to get into it and then because that's kind of how 
it is it takes time so it's persistence and patience because we are in this industry because we are curious we are in this industry because we love to learn and and just adapt those skills into looking for vulnerabilities i would say i spent about three weeks before i got my first bug and about a month before before i got my first really good paying bug and that and that's coming from someone who's been doing cyber security for a very long time and just kind of flipping the switch over to offensive interesting interesting so um so let's go back to that because i'm kind of curious you were mainly a window i'm not gonna give you a fourth or fifth i just forget about it i don't know i don't have any tips i'm just throwing the balls here catch no worries i mean i didn't i didn't guys so you know i didn't prep stoked on any of this before i just come up with these things i'm like okay no pressure give me your top five you're like i don't know i didn't prep for this so no pressure there um so going back to when you were uh you're a windows guy you know powershell all that kind of stuff and then you flip the script you're like okay i'm going to become more of a bug bounty person three weeks in you find your first bug and then you find your good payday later on what is it you first started learning like obviously you got your um your your uh like burp suite you got burp going you're you're scanning everything what did you start looking for what did you know to look for i guess that's the thing as well like i i looked up the owasp top 10 list and i looked at it and and i said okay is there any particular kind of bug class here that interests me is there anything that makes my like heart tangle a bit you know or as marie curie would say does this spark joy [Laughter] minimal attacking and i found business and i found that i really since i had that infrastructure background and i understand i understood bandwidth and communications and networking and all that yes i figured
why not just go for race conditions and i picked race conditions and i went all in for that and after like three weeks on just trying to understand how it worked and and trying to find tools because there weren't any tools around burp turbo intruder which is a very commonly used for that today didn't exist so we um we had to write different kind of stuff to use be able to send that many requests at the same time um and i figured that out and like holy smoke this is awesome this is super fun but and then i understood that i gained that skill set so i moved on to the next one and then i move on to the next one and then i move on to the next one so i i would go all in on live targets i i i didn't do the hack the box i didn't do the try hack me i didn't do the pentest labs i just went hacking on live targets and bunk slapping my head against the wall continuously until i found something and then i'm like hooray this is awesome i know how to do this then moved on to the next one it's like skateboarding right you do one trick at a time you don't try to learn 800 tricks you do one until you nail it and if it takes you 5 000 tries to do that kick flip after the after you nail it you kind of know how it works it's like riding a bike it's hard in the beginning but eventually you get good at it and once you're good at it you don't forget how it works i love that okay so you basically picked one type of uh vulnerability you might find and you went hard on that one yeah you you learned it well consumed everything everything around it like everything i could understand how the payloads work i set up my labs i tried to really you know get deep into just understanding how that and then with that knowledge all armed up and ready to go i went on and just poked out the internet on the targets that allowed me to do that and wow okay and it paid off so what was your i'm curious you don't have to tell me if you don't want to but what was your first bounty how much 5k and that's that's 
not a bad payday man that's pretty cool for your first bounty and um and you know again you don't have to answer like what's your biggest bounty you've had 30 30 my gosh what's the caliber like what do you what would a company give you for 30k what kind of vulnerability rc execution code execution okay wow that's crazy goodness gracious so um i want to kind of shift gears for a bit because you you've come so far you're now you've been doing this for two years offensively and you're you're doing awesome is this your full-time job now like bug bounty it used to be for a year but in january i'm starting as a cyber security expert and a content creator for trusec which is a swedish company that specializes in incident response and and and just good old cyber security and they they have a bunch of microsoft mvps which is a really cool shop to work at so i'm joining those in january um congratulations awesome yeah thanks it's all good and uh some i'm happy about that i decided to quit my old job in november last year uh because i wanted to do bounties for a year and see what happened but then corona hit and you know so all the live hacking events that i was supposed to go on and all these adventures and all that all got cancelled so i needed to rethink my stuff that's why i started doing youtube videos because i figured that okay at least you know i can share the kind of knowledge that i learned with people and just get other people inspired because they're going to be in the situation just like i am like i you want to hack stuff you want to learn stuff and it's kind of hard to curate information so that's why i do bounty thursdays because that's just my view on things that i know are cool and but it's my all it's all my opinions it's not like the console of bug bounty has decided that this week these are the tools that's going to be shown on stoke show it it's more like me just finding stuff that i think looked cool in a tweet then he was talking about it but good 
that's awesome it's a news source so um i know right now you're kind of doing a few interesting things you have like your own clothing brand right i do tell me about it and i have a sustainable fashion store so i do that and i got a couple of sunglasses coming out i got these ones here and i got these blue light glasses here coming out and then i got these adapted ones these are still in in um in a beta test it's a collaboration with cheapo that made sunglasses and so they are blue glass but they also as soon as they get in contact with uv light they dim so you'll you'll get you have both in in the same so you look really cool outside but then you can look at the screen for those late night hacksawing nice it's the hacker glasses i appreciate it so what's your what's your site for your clothing store and thrive store dot se tribe it's in swedish though so bear with me there it's a sustainable fashion store where we sell everything that's organic sustainable fairly produced and vegan and i run it together with my wife and we have a physical store here in gothenburg and a small team of people working with us and we've been doing that for five years it's pretty cool good stuff that's so cool my gosh yeah no worries i can uh use google translate and i know what's going on here now no this is awesome thanks man check it out so there's a lot of cool stuff like that and um and uh yeah i do that but then again i i have a clothing brand called fitzmisfits that do uh sustainable sweaters t-shirts and uh and all this kind of stuff but that kind of got put on hold with corona as well due to the deliveries i really need to go visit the factories in india uh due to the fact that when it comes to sustainable manufacturing and working laws and laborers i want to be top of the game it's going to be the best product it's going to be fair working wages and all that stuff is super important to me so i need to go visit the factories and i can't do that right now so put that on hold 
until you know this corona situation lifts but then we're back on producing really cool swag again yeah i have to admit like i was this year i was so stoked stoked stoked to uh to actually meet you and all the other hackers in person uh because i mean i was gonna go to all the hacking events i could i had it planned out i was so excited and it sucks it really sucks right now um so i'm curious you kind of already answered the question for me i'm curious like what's next for you you're gonna be starting at this company but as far as like your channel and what you're gonna plan on creating a content-wise what's next what are you going to do i'm going to i think i think i'm going to continue doing this kind of stuff and then eventually hopefully you know i want to talk more about cyberware and cybersecurity awareness that's definitely the kind of content that i want to gonna be creating for for truesec just to get get that bridge out like not being specifically deep in two bounties but more getting people that are maybe cis admins today and get those cybersecurity curious like these are the tools that you can use to hack your own organization so you know what's going on so you don't need to be in the situation to not know what's happening and these are the tools you can use to identify what's going on so more kind of more branching into the awareness side of things while keeping you spunk to thursdays because i love the fringe that bounties are it's just it's actually just pushing the edge all the time always pushing always pushing always the latest kind of coolest things just come out about these and i love that and as soon as this world just gets in some kind of order and i can get back to the live hacking circuit again i'm going to do that like that's that's my plan but we'll see what happens i have to be honest i i can't look into the stokes crystal ball and say this is what's going to happen but but i'm definitely going to keep on creating content and and and 
doing stuff like that but i really wanted to get deep into incident response and and threat hunting and understand that deeply from the inside so doing that together with the truesec team is something that i'm really really looking forward to do that's going to be fun to see i expect like i i can't wait to watch all that now i'm curious with with the way you talked before about how things are definitely changing in technology we've gone from having infrastructure on-prem it's now on the cloud so now we're even changing to where infrastructure is just now code devops the devops teams programmers are responsible for their own security and their code they're they're running kubernetes and docker how has this changed the bug bounty scene is it actually increasing the opportunities or decreasing because of all the automation now i would say it's it's definitely increasing everything is increasing as soon as somebody decides to do something and put something on the internet there's a risk that somebody's going to that up bear with me here i'm just going to give you a a a mind-boggling adventure and a thing to think about i'm buckling my seatbelt let's go cool so this year is the first year in 2020 where the cyber security no this the cyber criminal money amount has surpassed the total global narcotic sales you need to understand how big that is and how little people talk about it people are talking about zero zero discussions or zero allowance on narcotics and all this cocaine and stuff that is really troubling but then again there's this ransomware company this organization now these apts that are super super mega organizations very fine-tuned that are distributing malware locking systems and demanding ransoms all over and they're using misconfigured vpns they're using all these cves sincerely everything that bounties is all about that's also what the criminal side is doing so i would say it it doesn't matter if you're deploying the latest thing in the kubernetes at scale
if you're doing it wrong because it's going to break anyway like nobody thought that f5's load balancers were crappy until they everybody realized that there is hold on real quick what's wrong with f5 load balancers [Laughter] too many cves man too many cves because i've deployed those yeah you know but then again if you can do it like like a dot semicolon to do a path traversal and then just get you know this straight up just clear password on all the users that are logged in into the active directory isn't that like bothering [Laughter] maybe that wasn't just f5 maybe there was juniper or some of the other all these providers are just having issues with things that they push and and that's why we need security researchers that's why we need people because sysadmins like i was and and people we trust these organizations blindly we think that well of course they know what's going on they of course they make everything very secure yeah we thought that about the u.s voting system as well that apparently was so there's iot devices constantly coming out you know code is being pushed every day every day under high high high pressure we need to push code now we need to get the latest release people don't have time to do the kind of identification of vulnerabilities and bugs like they did when they built you know nasa built their spaceships that cost a lot of money yeah like what people don't realize and like a lot of my people in the chat aren't familiar with like ci/cd pipelines and things but like how we used to do code development and we still do is you know people someone write their code it would go through a whole pipeline of people making sure it's safe security team would check it out everything now it's a bit different things are so rapid the security teams don't get their hands on it immediately sometimes like it's crazy man um so i i got we're almost out of time here so i got one question for you bug bounty sounds cool and it does sound like it's obviously
not a quick path to success you have to put some work in and it could take a bit to get to that up to snuff to get to the point where you could do stuff so for someone who's maybe 13 14 15 16 who's like man i want to be a hacker it looks so cool my favorite show is mr robot uh would you say that becoming a bug bounty hunter full time is a viable career path for a lot of people i would say so absolutely but then again you need to understand if you're really smart in playing this game right and you're 13 to 80 maybe maybe or maybe you're even 20 in your 20s it doesn't matter because use that as a springboard most of the people that i know that have really cool jobs now in in some of the major companies they are from the bounty scene because we all get kind of we instead of just having that that oh yeah i got the ethical hacker cm certified blah blah blah certificate that shows you that you can answer a couple of questions right compared to look at these disclosed bugs that i did look at all these hall of fames that i got look at all these bugs that i get that i reported that got solved that i found that's true work that's like show what show them what you got it's like if you're asking an artist you don't ask him did you go to art school i'm curious about how good you are at handling the pens you'll see show me your work show me work that's cool and that's that's how it is i'm um i respect for the hr uh the need for certificates but if you if that's not your path show that you the work that you've done and bounties is a very good way to do that your bugs do nice write-ups talk about it interesting interesting so it's it's almost like you're man it's almost like you're interning immediately you're interning for those companies immediately you do something cool they're going to end up hiring you eventually especially if you're good if you find a vulnerability in their network they're probably sitting in their ic going why didn't bob find that let's fire bob and hire 
this guy yeah and and then they're going to ask you like okay so we noticed that you sent in like 20 reports on our organization you seem to be very interested in the things that we do they're well written we have high respect for you and our security team are very interesting it's a high chance that they're going to research reach out to you and want you on the inside there's it's a very very good career path so if you're 14 and you want to start hacking do that do all the ctfs do all the fun stuff play have fun instead of just watching that mr robot show do some hack the box i it might seems like i'm some kind of elotistic person i don't own a tv because i hack instead like when i get home i'll you know i have some tea you know i'm listening to some music and i'm hanging out with my wife and i'm hacking a bit and and then of course i got some screens i got an ipad and such that maybe i'll watch some tv show on but i'll do that as a part of doing something else because i'm just i'm just always poking at stuff and then eventually poking and stuff turns into getting hard cash i'm down with that there's a few there's this is the only hobby that i had in my life as a 40 year old person that actually is paying me to do my hobby fishing used costs a lot of money snowboarding costs a lot of money raising car costs a lot of money but i'm getting paid for this one and i like it dude that's that's what that first of all that is weird you don't own a tv but it's awesome that you don't i think a lot more people will be crazy successful if they just throw out the tvs right now that's good motivation it adds a lot of production value because you get bored and like ah man i can't watch the barbecue tv series again maybe i'll just hack a bit and then you're gaining knowledge like that's that's how i see it i'm tempted to get one of those tvs well that's amazing because like god i'll say it i see this all the time on my channel but that's why i i really love hacking all the other 
it professions most of them anyway you have to go down that traditional path of either going to school or getting certifications you kind of build up to that point and maybe you'll get a job by having a great interview great resume but hacking you just go in there and start doing it you're playing you're messing with it you're actually doing what you're learning you can immediately add that to your resume it's really cool like i love that so much hands-on that's all it is you know you get down to it you you i usually say this um this is the way i say you will not be a really great american football nfl player by watching super bowl sundays you need to touch the ball that's good that's how it is you need to you need to do the work because it's like having a camera right you can be you can watch all the youtube's youtube um shows and series about how to use a camera and all these unboxing and everything but if you don't use your camera to take pictures you will not become a good photographer no no you're exactly right that's really great advice now i i know i said the last question was the last question but i lied and this is the last question um i lie a lot on this uh we talked about like people earlier in the career maybe trying to decide what they're doing uh let's talk about some mid-career maybe they're they're 35 or something and they're looking at a career change that's happening to people right now because of the situation right i mean i know some people who have great careers that just went down the toilet because of the situation whoa what would you recommend for them right now would this be a good path to go down absolutely and and because one you can work from anywhere two you don't have a boss that tells you what to do three you can spend as much money time as you want and four it doesn't really cost anything to get started you can have a crappy laptop and you can use uh you can use uh like getting a droplet or aws box you can even use those free tier 
ones if you if you want to have one of those and and and you can just start poking at it and and i bet somebody that you know owns a computer that they're not using take that computer if you if you want to use windows put some of that wsl2 thingy on it or just install ubuntu on it and have fun and and then take it from there you know kali linux comes with burp installed like play around with it try try some owasp zap just do things and every second you invest in yourself is it's going to be growth you're leveling up dude i love that that's like the best advice and it's so cool that we we have this industry it it really i it's cheat codes for life really it's it's amazing if you could find that you like doing it you win it's so cool yeah well if you if you want to be in a situation where you don't have that money i know you want to quit cancel this but i'm not letting you so but yeah you don't have any cash and you're worried like like what should i do like can i sort this out then you just have a side gig hustle like do do your normal stuff during the days and do this a couple of nights the thing that i did in the beginning was that i asked my boss and said okay i'm willing to take a pay cut and i want to take thursdays off i don't want to work on thursdays because then i want to invest eight hours into my passion called bug bounties interesting i took the pay cut that's why it's called bounty thursdays because on thursdays i did bounties and i did that after week after week after week i got up in the morning i did my eight hours and i got to bed because i realized that me getting home from work cooking dinner for my wife and then trying to hack my my brain was just mushy i wasn't wasn't wasn't hungry for it so i would start a couple of nice scans running on wednesday nights go to bed and they just have a fresh bread in the morning that i can just poke at and figure out and if i found some bugs that was cool if i didn't i spent a day learning man that's dedication
that's cool that you did that um wow it paid off i i got a year's salary in under six months i'm good with that yeah well and that you know people i get questions every time it's a high risk yeah high return kind of game so yeah yeah so people like where do i invest my money like dude like investing yourself like you are your greatest investment invest like taking that one day out of your paycheck each month yeah obviously paid off and it's still paying off like it's crazy so um i i want to be respectful of your time so let's go ahead and uh bring this to a close stoke where can people find you uh i'm over at youtube.com stoke frederick and twitter the same so it's twitter.comstockfreedirect and instagram.com i don't have a discord but i heard you have a really cool one so go there if anyone haven't joined the network discord it's going to be a it's going to be a bug bounty um channel there that people can hang out in it's going to be really cool i heard good good things about that maybe even stoke might show up in there who knows maybe maybe i'll even give it up cool so youtube instagram uh twitter i'll put links to that all below also i'll include the links to your your your company your clothing company which is super cool now i saw on your twitter while back you had this like um it was like noobs but it was like all different looks and sweat like you have that somewhere right yeah okay cool stoke is gone we're ready to go he's getting a shirt a sweater still has some of the coolest uh styles of fashions now real quick while silk is gone never mind no i'm back again [Laughter] that's amazing i love that where can we get that uh you can't at the moment because i need to figure the factory out but as soon as i as soon as i got that up and running and got my glasses running and those are going to be available over at stoke frederick.com so you're going to be able to get those i did a pre-test with ben has won a couple of other friends i sold 100 of them in in the 
first one but they were really expensive to produce so and and and shipping things to singapore apparently cost 150 dollars that i had to pay for so that was a minus deal there so so yeah no those are going to be out uh at a later stage so please just be patient with the current situation but i'll get them out i'll get them out i'll be patient i'm looking for it though i want one man put me on that list one of those guys if you haven't subscribed to stoke i don't know what you're doing go subscribe bounty thursdays is fantastic so if you're looking at going down the bug bounty path which sounds like man it's just a cool way to just even if you don't want to become a hacker like it could be a cool hobby it's definitely more lucrative and better for your brain than video games so just do that like i'm that's what i want to start doing start playing around see what happens um you should yeah yeah it's i'm a noob i know that that's why i want that shirt but uh yeah i'll give it a try but stoke i so appreciate it coming on man it's awesome to have someone like yourself with so much industry expertise to come on and just shed your your knowledge with my audience and me honestly because i'm again i'm a noob uh yeah dude well we'll have to have you on again uh maybe i'll have better questions with a bit more knowledge and we'll have a more advanced discussion on bug bounty right now i'm just like hey what's bug bounty um what's a race condition so we'll have more more knowledgeable things as i as i grow up a little bit and become more like you well uh guys that's about it thanks again stoke and we'll catch you guys next time [Music]
Info
Channel: NetworkChuck
Views: 177,358
Keywords: bug bounty, how to get started in bug bounty, bug bounties, burp suite, how to hack, pentesting website, write up, a day in the life of a hacker, cyber security, bounty thursdays, how to pentest, how to hack on website, bug bounty automation, bug bounty recon, stok
Id: HbcY1HQtLms
Length: 77min 4sec (4624 seconds)
Published: Mon Dec 07 2020