Bug Bounty Recon Course | Beginner's Guide

Captions
Thanks for stopping by my channel. In this course we're going to be covering recon for web applications and bug bounty hunting. My goal in creating this course is to give you the best shot at finding a really good target that you're going to find vulnerabilities on. A lot of bug bounty hunters who do this every single day usually just run some kind of subdomain enumeration, then they go out and see what's there and start attacking those specific subdomains. For the rest of us, we may want to find easier targets that have not had as many people attack them. I want to help you find the really old subdomain that maybe has been forgotten about, is out of date, and is going to have a lot of vulnerabilities or possible vulnerabilities for you to find.

This course is going to focus purely on recon. Sometimes you're going to come across videos that say "we're here to focus on recon" and then they're going to start showing you how to look for sensitive information disclosure; that's not really going to be our purpose. This is purely about finding really good targets for you to attack. I decided to go ahead and show you one or two tools that are going to help you in this process in each specific area of your recon. The reason I decided to do this is because when I was new, I remember reading through books and listening to other people talk on podcasts, and they would cover five, six, seven, eight different tools, and I remember thinking there's no way I'm going to remember which one to use and in what specific case. A lot of times these videos or books didn't even tell me which tool was the best. So I've narrowed it down to one, and most of the time two, tools that are going to help you in your recon phase. I decided to show you two tools most of the time because sometimes one tool won't be working and you need to know the second one that is going to work. So I've decided to narrow down to the best tools that I think are going to give you the best chance and the most success in finding bugs. I've gone ahead and streamlined this course for you, and I believe it's going to give you the best attack surface and the best chance at success. Let's go ahead and jump into it.

In this video we're going to talk about how to scan specific targets in bug bounty programs, as well as fuzzing our targets, without getting ourselves into any trouble. I know there's a lot of interest in learning how to scan and fuzz bug bounty targets, because sometimes you'll be reading through a program's rules and it'll specifically say that there is no scanning allowed. Now there's a couple of ways to get around this. If you watch my Shodan video, you can actually use Shodan to scan your bug bounty targets and then you don't have to worry about anything, because you're using Shodan, and that is one way to get around scanning a target and staying in the clear. Now you can use nmap and fuzzing tools to do this as well, and that's the purpose of this video. So we're going to go ahead and look at this, and I'm going to show you how to do this without getting yourself into any hot water and be able to scan these targets without any issue.

Before we get going too far, I want to explain to you why you're not allowed to scan these specific targets. There's really two main reasons. One, the company doesn't want a bunch of bug bounty hunters using ffuf, which is going to send several hundred requests per second to their server and have them get DoSed. Sometimes if you do this you will actually get rate limited or even have your IP banned, which is why I always recommend using a VPN, but there is a way to go around this and I'm going to show you that at the end of this video. The second reason a lot of programs are going to tell you they don't want you scanning their network is that people will use vulnerability scanners, and this is just really a big no-no. Don't use vulnerability scanners. Recently a program went live and then they were getting scanned so much with vulnerability scanners that they actually removed themselves from the bug bounty program. So don't use vulnerability scanners. These are the two big reasons why a lot of programs will say no scanning, so just be aware of that: if you're going to fuzz for directories, make sure to slow down the amount of requests, which I'm going to show you how to do, and don't use vulnerability scanners.

Now first I want to show you how to use nmap without getting yourself into any trouble. I've gone ahead and opened up Tenet from Hack The Box here. If you follow my channel at all, you will know this is my go-to box for web app education. The first thing we are going to do is run an nmap scan, so we have opened up our terminal here, and you're probably familiar by now with an nmap scan. Now this is the typical nmap scan that I like to run; I'm going to change the IP right here, so if you would like to jot this down, this is how I run an nmap scan if I'm doing a capture the flag. But we are not doing a capture the flag, we're going to be scanning a bug bounty program, and it's going to look a little bit different. So we still want this -A; we will want a -F, and this is only going to scan the top 100 ports. The reason I'm telling you to use the -F is because if you're new, you're probably not going to know which ports you want to look at. I have a list of ports that I use when I run an nmap scan, because you don't want to scan all 65,535 ports (I think that's how many there are); you want to scan just a specific number of ports. A lot of networks are not going to want you going out and scanning their entire network, but it's okay to go out and scan the top 100 ports. They're probably not even going to notice, and I'll show you how to make it so that they're not going to notice and you're not going to cause any kind of intrusion and they're not going to care. So we want to run the -F for our ports, and then you're going to want to run a -T and then a 1 or a 2. This is going to really slow down your network scan. I think that nmap runs on a -T3 automatically, and if I'm in a hurry and I just want some ports to shoot at, if I'm in a CTF I'll run a -T5; that's as fast as you can go, but if you run a -T5 in a CTF you can actually miss some ports. So if you're really nervous about running any kind of scan, you can go ahead and run a -T1 and they're not going to notice that you're scanning their ports. This is going to really slow down your nmap scan, and then this -v right here will tell you the open ports as it hits them. So this is going to run a really slow scan on the top 100 ports and nobody's going to notice. You can go ahead and run this, and it says that there are two ports, and it's going to pop down with the ports as it hits them, so eventually you're going to see port 80 pop up. I'm not really sure what other ports are open on this program, but this is how I would run an nmap scan, and you can see right here it tells us that it's scanning the top 100 ports.

Alright, so I decided to go ahead and add in this nmap network scanning legal issues page. If you have any questions about using nmap legally on your specific targets and you're still worried about it, you can come and read this right here, and it's going to give you kind of the legalities of using it on different networks. I am not a lawyer, so I decided to go ahead and add this disclaimer in there that you are using this at your own risk, and you should check with the laws in your specific state on port scanning. So this is how I would run an nmap scan if I'm running one on a bug bounty program. This is going to be a really safe scan to run, and it's going to tell you the information that you want from these specific ports: which ports are open, what versions are running on your target. You can go ahead and play around with nmap; this is how I do it, though.

Now I want to show you how to fuzz for directories in a safe manner. You may still end up getting rate limited, which is fine, especially if you have a VPN; you can just switch your VPN. So we're going to go ahead and run ffuf now, and this is the syntax for ffuf. I'm going to show you this with this common wordlist right here, and then we'll go ahead and download SecLists, and you can see better wordlists than what is default on the Kali machine. We can actually see what we have as options here, and you'll see that I'm using the -fc to filter out specific codes that I don't want to see. I think I had a 402 on here, a 403; I don't want to see the 403s, but you can leave those in if you want, and then you can filter in other ways. But we're looking for that -p, and it is right here, and it's going to tell you how to delay your requests. You can slow them down by however much you want, anywhere from 0.1 seconds to two seconds in between requests. Okay, so we have this request here, and let's say we really want to take our fuzzing really slow: you can run this with a two second delay or a one second delay in between requests. We don't really need to filter out by the not founds, and then we're going to run our wordlist, and we're going to run the common wordlist, common.txt. So if you want to, you can go ahead and run it just like this and you will have this wordlist. If we run this you can actually see right here the progress; you can see the number of requests that are being sent, and so it's sending 37 requests every second, which is actually kind of a lot. One of the things about ffuf is it is really fast. I'll actually show you how fast this will run without slowing it down, and you can see right here it's sending 680, around 600 requests per second, and that is really fast. You're definitely going to get yourself rate limited or picked up running requests that quickly. But ffuf is my go-to tool. I often tell people that you can run dirb just like this and you shouldn't find yourself in any trouble, because dirb is pretty slow, but I like to use ffuf because of the options that are available with it.

Now I want to go ahead and show you how to install SecLists. I'm actually going to come back here; I do have SecLists already installed, which will save us some time, but you can come out to Google, go to their GitHub page right here, and you can run a git clone. So we'll copy that right here, and you'll want to cd into your /opt, and then you can type in a git clone right here just like this. You can see it's the last thing I actually installed on here. This will take a little while to run, and then you can cd into SecLists and you can start looking through all of the different wordlists that they have in here. So you have a Fuzzing directory, you have a Discovery directory, and I actually think Discovery has some pretty good wordlists. Then we can cd into Fuzzing, because that's what we're doing, and there are all of these different wordlists for you to pick from when you're doing your fuzzing. So this is how I would recommend scanning a bug bounty program if you are looking for specific ports to be open or you are checking for directories. Good luck with your bug hunting.

We're going to be covering the tool Shodan for the purpose of bug bounty hunting and searching for vulnerabilities as well as information disclosure, and how to use the tool within the command line as well as the actual browser. Shodan is an excellent tool for those who are new to the world of bug bounty hunting, or those who are attempted when they read a program and it says that you should not scan a network, and you don't really want to run nmap and you're too afraid to actually scan the network. You can go check out Shodan, because Shodan scans the network automatically and then stores all the information in its database. So all we have to do is know what queries to run to pull the information from Shodan and read their information from when they have crawled the network or the web browser previously,
and then we have access to all of that information without having to scan the actual target, and you don't have to worry about breaking any program rules.

So the way Shodan works is it actually goes out and crawls every single device that is connected to the internet, whether it be your thermostat, your refrigerator, or your web security cameras, and it'll see if there are any vulnerabilities. It'll store the information such as the software that is currently running on it, and if it has any vulnerabilities, it is now open to the web and anyone can access your information: your thermostat, refrigerator, your webcam, or even your printers. If they have any vulnerabilities, then the whole world will know it, because all they have to do is query that specific version, such as WordPress 1.4.7, and if you have a web application that is running that specific WordPress version, the whole world is going to know it, because there will be a CVE on it and you will be open to a potential attack. So the way Shodan works is it just crawls all of the internet and stores all of the information that it can possibly grab for anything that is connected to the internet.

What we're going to do in this video is run queries on Shodan, but because we're going to be doing this with a free account, you're only going to be able to run a very limited amount of commands or scans. If you're actually wanting to use the Shodan scan feature, you're going to actually have to pay for it; I think it's 70 a month, which is kind of steep. I personally would rather just scan it myself with nmap and look at the ports I specifically want and read the information that comes back that way, but I know that some of you would probably rather just pay the 70 a month and have access to the monitoring feature that we're going to cover a little bit later on.

Typically, when I think of the people who are going to enjoy Shodan the most, I often think that black hat hackers are going to be the ones who love Shodan the most, because it stores all the different version numbers, and if a new CVE comes out and somebody says "okay, we have this vulnerability to this specific software," they can just scan all of the internet and find out what devices are running that specific software, because black hats don't really care; they can just attack anything. But this can also be helpful for bug bounty hunters as well, because if a new CVE comes out, you can go out the same way as a black hat would and say "Shodan, show me all of the devices running the specific software that are vulnerable to this CVE," and then you can download all of those devices and look through them to see if there are any web applications that are running that specific software, and then see if they have a bug bounty program and report it. This is going to be kind of tedious, but they'll be really easy bugs to find and vulnerabilities to report, because all you have to do is read the downloaded file and look for open bug bounty programs on those specific web applications.

An example of Shodan being used in a really massive way, kind of for an unethical purpose, can be seen on Darknet Diaries. I forget the name of this specific episode; I think it came out a couple of months ago. The guy goes by the Hacker Giraffe, where he actually used Shodan to look for vulnerable printers and he printed "subscribe to PewDiePie" to over 50,000 different printers. He was able to do this really easily and really quickly because he was able to just use Shodan to look for vulnerable printers. So in that episode of Darknet Diaries (I think you can just look up "Darknet Diaries Hacker Giraffe" and listen to it if you want), all that guy did specifically was go to Shodan and look for vulnerable printers, and it seems like that's kind of one of his go-to tools: go to Shodan, look for some vulnerable software, and then look at all of the devices that happen to be vulnerable to that specific software or CVE.

So let's go ahead and jump into it. Here we are; I have gone ahead and opened up a terminal, which you will want to do, and then you will also want to go to shodan.io. I'm already logged in; you'll click login over here. I personally just log in with Google, and this is a non-paid account, so you're going to be looking at basically the exact same setup that you're going to have when you first open up Shodan. The first thing we're going to do is be using Shodan from the terminal. So if you just come in here and type in shodan and hit enter, you're going to get a bunch of options. Now these options are going to be default, and Shodan should already be installed on your Kali Linux machine, so I'm not going to actually walk you through how to install Shodan, because we're going to run it straight from here first in the terminal, and then we'll go through and actually check out the browser version later on. I've decided to show both the terminal and the browser because there are some people who really like running things straight from the terminal, and you'll be able to play around with it and figure out exactly what you like, and then there are other people who like to have a graphical user interface and they'll like the browser version better.

So what we're going to do is go ahead and initialize our Shodan for the terminal, and you can see this right here, this init. We're going to end up running a shodan init, but we also need to have our API key. So you'll want to go ahead and create an account and log in to Shodan just like this, and then you will click Account and you'll be able to grab your API key right here. We'll copy this and come back to our terminal, and we're going to type in shodan init and then you will paste in your API key and hit enter, and it tells us that it has successfully initialized, and now we are ready to start making some Shodan queries.

So the first thing we can do is just run a shodan info right here and see what it tells us about our account. We can type in shodan info and then hit enter, and it's going to tell us we have zero credits available and zero scan credits available, and that is probably because I have already run some queries with this over here on the website. But it's not really going to make a difference; I'm going to show you how to run these queries, I just might not get the results back that you will. Every time you make a request, whether it is over here on the actual browser or it is inside of the terminal, it is going to use one of the credits that you have, but you can always pay and subscribe to Shodan and have more credits. Most of the bug hunters who are successful will have a paid subscription to Shodan, and they really like using Shodan, and we're going to cover why it's helpful. But personally, a lot of the stuff you're going to be able to get on Shodan you can find yourself by running some different tools, which I've covered on my channel previously, but that is not the purpose of this video.

The second thing I want to show you is, often when you want to run something like, let's say we want to run this shodan scan right here, what we can do is run shodan scan and then a -h, and it's going to tell us the options for the actual scan right here. So you can run a shodan -h, and then you can run shodan scan -h, and it's going to tell you the list of commands that you can run with each one of these commands that comes first. So when you're using Shodan, it'll be really helpful for you to know that you can run the -h with each one of these, so that you know exactly what you're going to be getting back and exactly how to get the information that you want in the future. A lot of your understanding of these right here is going to come from playing around with them, reading the documentation, and just pressing the -h on each one of them and figuring out what exactly they do.

One of the first ways to check out Shodan is we can just say shodan count and then WordPress. When you run this (this might not work for me because I don't have any credits), you can see that we just want to count the number of results for this search. What will happen is Shodan will go out and count all of the servers that it has in its database that are running this WordPress right here, and it actually did tell us: it tells us it has 52. (I spelled that wrong; that makes more sense, so 500,000.) If you wanted to run something a little more specific, you might want to say you're looking for a WordPress version 1.4.7, because that's what your target is running, or there's maybe a new CVE out there and you just want to see, okay, what web apps are running WordPress 1.4.7. Then Shodan will give you a list of those actual web apps that are running that, and then you can see if any of them have a bug bounty program and then report to them: "hey, this new CVE for this WordPress has come out." So it saves you from having to go out and actually find a specific target and then looking to see what it is running, because Shodan will actually do the heavy lifting for you. All you have to do if you are a bug bounty hunter is say "this is the version the brand new CVE has come out for," so you would say Shodan, 1.4.7 (which I actually don't even know if this is a real version), you would run this, and you would say okay, there are seven web apps that are running this version currently in the Shodan database. Then you would just go out and look to see if any of these seven have a bug bounty program, and if they do you can report "hey, the CVE came out and you're vulnerable to it." So that's a really simple way to find bugs, and it's all based on recon; you really don't have to do any heavy lifting. Very simple. You've seen how fast this has gone, and you could potentially have found a bug if this version were vulnerable to a CVE that had just come out.

So if you're familiar with nmap, what Shodan does is pretty similar: it goes out, scans the network, and it pulls all of the internet and pulls the banners, the versions, what's running, if it's Apache, if it's Windows, if it's got WordPress running, and what ports are open. So with Shodan we can just query all of this, and it stores this in the database, and that's how it already knows that there are seven web apps running this WordPress 1.4.7: all it has to do is check its database, and it doesn't actually have to go out and scan. But we can scan with Shodan, and we're going to look at this in a little bit; I just want you to know how Shodan works and that it already has stored all of this information on there. So now you can see how this is kind of a go-to tool for the black hat hackers, because they don't really care if these seven web applications have a bug bounty program or not; they are just going to attack it and see what information they can get out, because they don't really care about following the legal rules and the law. But as a bug bounty hunter, you need to make sure that with these seven web apps, if they were vulnerable to a CVE that could attack WordPress 1.4.7, you do everything legally and that you actually don't exploit the CVE. There's no need to actually go and try and exploit it; you can just report it: "hey, there's the CVE that came out and you are vulnerable," and you should be rewarded for it. So as a bug hunter and a penetration tester, we're looking for very specific targets, and then we can just run through these seven real quick and see who actually is vulnerable.

So now if we actually want to see what these seven web applications are that are running this WordPress right here, we can use the download feature within Shodan. Now personally, if I was attacking a specific target, I would just run nmap instead of using Shodan for this, but I
want you to be aware that you can actually pull down version numbers of web apps with showdan itself but personally I would run nmap just to grab the banners in the version of a specific Target this is something that you would be using if you were just looking for a cve that just came out like we were previously talking about and we would use the download function for this so we would just grab show showed in and then we would say download and then we're going to download the file as let's say WordPress file and I'm not actually sure if it will work with this version number I've only ever ran it without the version number so maybe we can throw this inside of quotes and see if this works if not we will just run it without quotes and see how that runs so we'll run this and it has saved Five results into our WordPress Json file dot gz and we can unzip this and grab the file by typing in a g unzip and then we want to run our WordPress file and then if we LS we should have our WordPress file.json and I do not have G edit installed because this is a new machine and if you don't have G edit installed either you can sudo apt update and I've already done a sudo apt update recently so I'm going to sudo apt install G edit and this will only take a second to download and now we can G edit our WordPress file right here and we can look at the contents and this looks really messy so what you can do is actually just copy this hit a command a and a command C and then we can come over here and we can just type in beaudifier like this and we can just click on the top one and see if it will work for us paste in the Json for us and type you can click beautify and now we have our results right here so it actually looks the same over here it actually didn't make any difference so maybe this one doesn't work for us it tells us we have an error okay we're gonna just look at it right here so you can actually see right here you get a hash you are told it's from Showdown it'll tell you the 
region from where the web app is coming where the web app is coming from it's going to give us the time that it was crawled we get the server that it is running on and we have all of this different information here that it that Showdown has crawled from this specific Target we actually grab an ASN number if you were looking for a specific Target and you needed to and you needed to pull down a version and you were looking for a specific cve and you wanted to download so you could actually see what the Showdown databases have stored for the WordPress 1.4.7 instead of just seeing Oh there's seven of them you would download it into a file just like this right here and then you would unzip it and then you can G edit and actually look at the contents of the file and find the servers and the subdomains the URLs the as numbers and there's a lot of information in there that's going to be really helpful for you in your recon phase if these targets are actually vulnerable and they do have a bug Bounty program so one of the other things you're able to do with Showdown is run a is to run an IP address on the showdan Crawlers and so you're and one of the ways to grab an IP address so one of the ways you're going to be able to find the IP address there's several different ways that are going to be really easy so if we wanted to run just say a host yahoo.com it's going to give us back right here this range of IP addresses that are running on yahoo.com and if you wanted to just ping Yahoo .com we will be told right here is one of the IP addresses that we were able to Ping so if you look for this 74.14326 we can scroll up and see that this is one of the IP addresses right here you're actually able to find IP addresses through burp as well so what we can do is come over here and open up a new tab type in yahoo.com and we can open up burp and intercept with the proxy and if we run this you'll actually be able to see right here on 443 you have this 98371163 and if you come back here 
you should be able to find right here and so there's a several different ways to find IP addresses for a specific domain I'm actually going to close out of this but this is one way to do that and then you can just type in showdan and then we would type in host and then we can grab one of these IP addresses that we just saw and run it within Showdown and it's going to give us some information right here it's going to tell us that this port 80 is open and Port 443 is open and it'll give us other information if you specifically want to look for an SSL certification you can find those and it's going to tell us it's running these different versions and you can go check to see if these SSL versions are out of date or what you can do with these within your recon phase you also get these other host names right here that can be associated with IP ranges and you can run a showdown host with an IP range and it's going to pull down a bunch more information for you within the entire range it'll give you all of the ports that are open within with the IPS and so the difference here between what we're able to find between Google and showdan is Google goes out and crawls the pages to see what is reachable but Showdown across all of the Internet connected devices and this is why you would find a refrigerator that might be connected or a webcam or somebody's property cameras or literally anything that is connected to the internet like a thermostat and Showdown actually crawls everything that is connected to the internet and stores the data so one of the good things about running showdan like this is sometimes you are going to come across a bug mounting programs they're going to tell you that you're not allowed to scan a specific Network and as new bug bounty hunters I know there is a lot of questions about what you're allowed to do and what you're not allowed to do and so Showdown is a great way to scan a network without actually scanning a network because showdan already has stored 
all of the information that you're going to be looking for and you just have to go out and find it you have to know what commands to give such as this one right here if you're looking for open ports I personally would rather just run nmap with the ports that I want to find such as Port 22 Port 80 443 1443-3389 or whatever other ports you might come across but I would rather run in map with specific ports on but I know there are some people who really worry about this and show Dan is a great option such as this showdown host right here to grab other domains you can grab subdomains and you can scan for ports and IP ranges and so this is an option if you're worried about scanning a Target in order to grab subdomains and open ports and what I like to use for running subdomains is amass and I'll go ahead and Link My amass video in the description if you would like to learn more about that so let's go ahead and look at scanning a host instead of just looking at this right here The Showdown host so with showdan you can actually just type in showdan we'll go scan Dash H and we can look to see what our options are for scanning a IP and so it tells us right here we can scan an IP and we can say showdan scan and then we can give it the IP that we want and we'll just run this same IP address right here and see what information it gives back to us it tells us we need to give it a command so we can say submit right here because we're going to submit an IP address it tells us that I don't have any credits to actually run this scan submit so I would need to actually go and pay in order to make get my I my API key right here some credits but I am not going to do that so this is another way to go ahead and scan a network or an IP address to find what is open and do a little more Recon with this you can also go out to I've I cannot remember what is called Hurricane Electric I think it's vgp.h e.net all right so here we are we can just type in yahoo.com and I've shown this before in 
another video, so we'll just go Yahoo, and this website seems to be running really slow, but you would just run the search, and it has come back, so you can grab these AS numbers right here, or these ASNs, which is the easier way to say it, and I would run these through amass personally because it would be easier, but you can run these through Shodan as well; Shodan is going to be a lot faster because all it has to do is query back to its database, whereas amass seems to take quite a bit longer in getting you the information back. But you can come out here and grab a network range, scan a network range, you can look through these ASNs and see what you can find right here. I've already made a video about that so I'm not going to go into too much detail about it, but like I said I personally would go with nmap if I was going to scan any kind of network or anything like that. Now we're going to move on to the web browser. So what's really cool about running Shodan in the browser is they give you this filters cheat sheet, so if you wanted to look for a specific network or a range or a CIDR range you can do that right here through the search filter, and the way you would do these commands is by typing in, say we wanted to find the organization Yahoo, like this; we can search it and it's going to pull it down for us. Let's see what else I've run up here. If we delete this we can run an IP address, and we already ran this one, and it'll pull down the information: here's that port 80 that it said was open, here's port 443, and it has grabbed us all of the banners right here, and we can read through them and see what is running. You can also download the reports from here as well. One of the cool things about running through the browser is you can actually look for sensitive information disclosures if you just continue to look through here, and you'll need to read through the cheat sheet, and I would also recommend reading through their documentation because there are
way more examples that you're going to be able to use. So if we wanted to look for something that's running Apache with a specific Apache version, you could look to see if you're able to run, maybe there is an Apache 1.7.4 that actually has a vulnerability; you can come up here and you can just type in the product Apache with the version number and see if you're able to find any vulnerabilities for that Apache version, just like this, and you would run through here and say okay, these people might be vulnerable to this, do they have a bug bounty program; okay, these people are running this version, do they have a bug bounty program. And so there are a lot of different ways you can be creative with looking for known vulnerabilities, new CVEs, looking for bug bounty programs that are vulnerable, and then you can look for sensitive information with Shodan, because it doesn't know what is going to be sensitive or not; it's just going to grab all of the information and store it in the database, and it's up to you as the bug bounty hunter to look at that specific target and see if there's any sensitive information being disclosed on Shodan, and then you can report it. Okay, and one of the last things I want to cover is the monitor function, and you have to have an account in order to use this, but this is something that you might be interested in. With monitoring you can enter a specific target such as yahoo.com and it will update you whenever new software comes out or whenever there's an update made to the program that you are trying to monitor; it'll let you know and you can be one of the first ones to go and check out that new subdomain or domain if it is in scope, or if they update a piece of software you can be one of the first ones to go see if there are any CVEs out for that specific software that they have updated. So the monitor is one that bug bounty hunters really like to use because you are able to get notifications of when things change on a specific target and you'll be one of
the first ones to know, one of the first ones to be able to go out and test it, but you will need to be willing to pay seventy dollars a month. I personally don't think it's worth it, but I know there are a lot of bug bounty hunters who do think it's worth it, so it might be worth it to you to monitor and just pay the 70 a month so that you can follow specific targets and be one of the first ones to go out and check those targets for vulnerabilities. So that concludes our video on Shodan. One of the things I want to make sure you understand is that when you run a Shodan scan and you're thinking about trying to exploit something, you need to make sure that it's in scope and has a bug bounty program, otherwise you could be getting yourself into some legal trouble, so make sure before you go ahead and start looking at a specific target to see if it has a bug bounty program. So if you have any comments or questions please let me know down below and I'll try to get to those as soon as I can. Thanks for watching. We are going to be covering how to take notes for the world of bug bounty hunting, or maybe you are wanting to become a penetration tester; note-taking is going to be really important to you, and your method of note-taking, and actually being able to go back and review what you have already done and gone through on your checklist, is going to be really important. So in this video I'm going to show you how I take notes, and we're going to use CherryTree within Linux because everybody's going to have access to this; I personally use OneNote, but it's going to be really similar to what I'm going to show you in this video. Some of the benefits of taking really good notes are going to be having organized thoughts and being able to write a really simple proof of concept; you'll be able to have screenshots and be able to see what you have previously done, and you're not going to waste a lot of time going back to subdomains that you've already enumerated and looked at, because you
already have all of your notes there for you and know that you've already looked at it, and if a new vulnerability comes out you can go and see when the last time was that you enumerated and looked at this specific subdomain, and know if the new CVE is going to be applicable to this specific domain and the software that's running on it. So with that, let's go ahead and jump into it. So here we are on our Kali Linux machine; we can come up to the little drop-down menu and we can type in cherry tree, and it will already be installed if you're running Kali Linux. So using CherryTree is going to be really pretty simple. The first thing you're going to want to do in your notes is you're going to have the main domain and all of the information that you found on it, so you can type in domain.com and this is going to give you this parent node right here, and you can also change up your note-taking method: maybe you want to have the main domain and then you have each subdomain right here like this; you could have a subdomain one, only it would actually be the subdomain name right here, and then you'll have all of your nodes from that subdomain. But if you do this, there are some programs that have like 800 subdomains and this would take forever to do, but you can come in here and do every single subdomain like this, and so it'd be, if we could just say sub.domain.com, spelled that wrong, like this, and then you would have all of your notes within this specific subdomain. So if you decided to go this way, one of the things I would suggest doing right out of the beginning is, when you put in your first sub-node, maybe just call this the software right here, and you can say that it's running some kind of CMS, maybe it's running WordPress, and then you would have the version of 4.2.4, and then you know that this is what's running, so in the future if there's any kind of CVE that comes out for the WordPress version that's running you can come back to this subdomain and see if it's
vulnerable to that new CVE. Another reason you're going to want to have some kind of list of the subdomains, so let's go ahead and delete this one right here so it looks a little better, is if you decided to run a bunch of subdomains in here, so we can type in sub1.domain.com, and in here you have a list of all of your subdomains; you can actually have sub-nodes in here within this specific thing that you're looking at, so in here we could say software, and you can see how this is going to organize our research for us, and inside of the software node in here you would put your WordPress and then the version that it is running. So these are a couple of different ways to kind of organize your notes, and another way to save time instead of actually going through and typing all this out is, on this box I already have Wappalyzer installed, so we can come to the browser and type in like google.com and open up Wappalyzer to see what information is there, and now we could open this up right here and I could just screenshot this and pull that screenshot over to my Kali machine and then I can put it into CherryTree. So I could grab this and pull it over and put it into CherryTree; I actually don't have this specific Kali box set up to do that, so it's not going to work for this one, but on my actual personal Kali Linux machine that I use I can just pull screenshots back and forth over to my Kali machine and save them inside of CherryTree, but I use OneNote so I don't really have to worry about that too much. So screenshotting and adding information in here is going to be helpful as well if you have that capability. And one of the things I like to do at the end of a recon session is make a node like this, and we'll just call it a Recon node, and then in here I write down all the tools I ran and the way that I collected all of the information, so that way I have a clear set of notes, and that way if I ever come back to this specific target I can see if maybe I've missed
something, or maybe I've learned some kind of new recon technique that I can try out on this specific target, and I'll know exactly what I have done on this target and what I can do in the future to further analyze the information on my specific target. So make sure to write down the methodology of your recon and attack, because it may change in the future and you might be able to go back to old notes and old targets and do further enumeration and testing. And lastly, one of the things that is going to be really helpful for you in your note-taking process is to have some kind of a checklist, and so one of the last things you're going to want to have is a good checklist of vulnerabilities and recon, and you can just go out to Google and look for a bunch of different checklists and find whichever one works best for you; maybe copy and paste it and put it into a Word document and modify it and make your own, but in the meantime you can just Google "bug bounty checklist" and click on one of the checklists and then look to see what is in there, and you can follow their recon; maybe there's something in there you don't like. I used to use httprobe, but I decided I actually like going out and checking things manually, so I don't use this anymore, but it would be helpful for you to have something like this, some kind of checklist, so that way you don't miss any bugs or vulnerabilities, or maybe hidden subdomains that you would have otherwise missed without a checklist. So this will be really helpful for you as you're working on your recon skills in the future and developing them. So there are a lot of ways to take notes; I showed you CherryTree only because it's in Kali Linux and everybody who is going to be running a virtual machine is going to have access to Kali Linux and they're going to have access to CherryTree, but I personally use OneNote, and maybe there's something else out there that you like to use. All right, we are going to look at a URL real quick and look at the different parts of the
URL just so you can get an understanding of what is going on when you look at these. It's really important in your recon phase to be able to know which URLs look interesting, so that you can copy and paste them into your notes and come back to them once you have finished your recon phase and actually start testing. So I've gone ahead here and just typed out a basic example, and you're probably all familiar with https and the HTTP protocol, and it is labeled as the scheme. The www. is not always there; this is labeled as the subdomain, because sometimes this could be a subdomain listed as sub.domain, and so this is actually a subdomain, but that is the same thing as the www. And so right here we have the domain name, which would be like google.com, and I'm not really sure why the .com is actually listed as the top-level domain, because you can use in here like .uk or .fr for different countries, .net, .org for an organization, and it's still called the top-level domain, but that is this portion of the URL. So all of this is pretty basic. You can fuzz this right here, the subdomain, and the most popular subdomain fuzzer that I can think of is wfuzz; I'm sure you can use other fuzzers, but wfuzz is one that seems to work really well for me when I'm doing subdomain fuzzing. And then right here is when we start to run into the path, or the location of the contents, as I have it labeled here, but I usually think of this as a directory; this is a directory, and then eventually you're going to hit an actual page, and you can actually delete some of these and just go to /blog and see what's there, but this is the path or the location of the page. Now here comes kind of the good part for us to look at, and before we move on, you can actually fuzz for different directories right here the same way you would fuzz for subdomains, and look for different directories within the subdomain or domain. And now we move on to the question mark right here.
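As an added example (it is not code from the video), the following Python breaks a URL into the parts just described, scheme, subdomain, domain, top-level domain and path, and lists the spots the video says you can fuzz or walk back to; it also pulls out the query parameters that follow the question mark, which is what this section turns to next. The two-label suffix list and the list of parameter names it flags are constructed assumptions, not the real public suffix list and not anything the video specifies.

```python
"""Split a URL into the parts described in the video (scheme, subdomain,
domain, top-level domain, path, query parameters) and list the spots it
says are worth fuzzing or saving for later testing.

Added example for this recon course page; it is not code from the video.
MULTI_LABEL_SUFFIXES and INTERESTING_PARAMS are constructed, partial
lists (assumptions), not the real public suffix list.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed, partial stand-in for the public suffix list: two-label
# suffixes that must be treated as the TLD (the video mentions .uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Parameter names the video says deserve a second look when saving URLs
# (e.g. "url", which it flags as a possible server-side request sink, and
# "id", which it shows being changed from 42). Constructed list.
INTERESTING_PARAMS = {"url", "id", "file", "path", "page", "redirect"}


def split_host(host):
    """Return (subdomain, domain, tld) for a hostname.

    The TLD is the last label unless the last two labels form a known
    multi-label suffix such as co.uk; the domain is the label before it
    and everything in front of that is the subdomain (possibly empty).
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", host, ""
    two = ".".join(labels[-2:])
    tld_len = 2 if len(labels) >= 3 and two in MULTI_LABEL_SUFFIXES else 1
    tld = ".".join(labels[-tld_len:])
    domain = labels[-tld_len - 1]
    subdomain = ".".join(labels[: -tld_len - 1])
    return subdomain, domain, tld


def dissect_url(url):
    """Return a dict of the URL's parts plus the names of any query
    parameters that match INTERESTING_PARAMS."""
    parts = urlsplit(url)
    subdomain, domain, tld = split_host(parts.hostname or "")
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "scheme": parts.scheme,
        "subdomain": subdomain,
        "domain": domain,
        "tld": tld,
        "path": parts.path,
        "params": params,
        "flagged": [name for name, _ in params if name.lower() in INTERESTING_PARAMS],
    }


def fuzz_points(url):
    """List the places the video says you can fuzz or walk back to:
    the subdomain label, each directory prefix of the path, and the
    query parameter names."""
    info = dissect_url(url)
    segments = [s for s in info["path"].split("/") if s]
    # /blog, /blog/2020, ... : the prefixes you can delete back to.
    prefixes = ["/" + "/".join(segments[:i]) for i in range(1, len(segments) + 1)]
    registrable = ".".join(x for x in (info["domain"], info["tld"]) if x)
    return {
        "subdomain_fuzz": f"{info['scheme']}://FUZZ.{registrable}/",
        "directory_prefixes": prefixes,
        "parameter_names": [name for name, _ in info["params"]],
    }


if __name__ == "__main__":
    sample = "https://www.example.com/blog/2020/post.html?id=42&url=http://example.org/"
    for key, value in dissect_url(sample).items():
        print(f"{key:>10}: {value}")
    print(fuzz_points(sample))
```

Run it as a script to see the breakdown for the sample URL. The flagged list is only a reminder of which parameters to copy into your notes for later; it says nothing about whether the application handles them safely.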
What you need to remember about the question mark within the URL is that it signifies a query and a parameter is about to be dropped in, and this is where we can start messing with the URL to see what information we can pull back from the server. So you can try and look for an LFI, an RFI, an SSRF, and actually right back here you can look for directory traversals, but you have a parameter; usually it'll be labeled as something other than "parameter". One of the ones that automatically throws up a red flag for me is when I see a parameter that says url, and then with this query you're going to look to see if this is querying the actual server itself, and if it is you can start to look for a server-side request forgery or something along those lines. But let's say this just has like an id right here of 42; you can go ahead and start changing this 42 to other numbers and see what information comes back, and maybe see if you can access some information that you're not supposed to. So this is a URL, and one of the reasons I wanted to show you this is because when you're in your recon phase and you're not yet testing, remember to save URLs that look really interesting to you, with different parts that you're able to change or fuzz that you think might pull back some information that you should not have access to. In this video we're going to talk about how DNS, the domain name system, works, so if you decide you want to type in something like google.com, how does your browser know where to go and find the Google IP address to resolve the web page for you? So I Googled how DNS works and had to go through a few pages before I found something that was actually good for an example, and I thought this was a really good example, so we're going to go ahead and walk through it. You have a person right here who types in a domain, and they type in dnsimple.com, and it will check the web browser's cache, which you will see right here on your local machine, to
see if you have visited this page before. So if you ever go to facebook.com and you're logged in, in the future the next time you go to facebook.com it automatically logs you in because you have stored your session and cookies in your cache on your actual browser, so it will automatically log you in; but if you log into facebook.com using Firefox and then you go to Chrome and you try to log into facebook.com, you're going to have to re-authenticate because it doesn't have that stored in its browser cache. So the first place your machine is going to go when you type in a web address is the web browser, to see if it's stored in the cache. And before we move on here, you can see right here google.com, they have an IP address for that; the reason you have actual domain names attached to IP addresses is because it's easier for us to remember a domain name such as Facebook rather than a string of numbers for facebook.com or a bunch of other web apps; we just remember we need to go to Google, we don't need to remember this string of numbers right here. So the purpose of a domain name is to give you an easy way to remember the contents of a specific IP address, which is going to resolve to either Google or Facebook or Wikipedia as you see right here. So that is the purpose of the domain name. So after your browser tries to gather the information and it's not able to, we can go to the next page, and it shows the packets moving out to the ISP server, which is going to be your internet service provider, as we're told right here, and it's going to ask how do we find this website, and it is going to tell us that the root server knows where to find the location for the .com TLD; and we've talked about the TLD before, it is the top-level domain, which can be a .com, .org, .edu, .uk, .fr and many others, so those will be the top-level domain servers, and it's going to tell you to go out to the root server, and the root server is going to give the information back for which TLD server you are looking for that's going to
contain the information you want, so if you want the .com TLD or if you want the .org TLD, the root server is going to pass the information on to the next server in line to give you the information. So here we are at the root server, and our packets are going to make the request and we're going to be told that it doesn't know where to find dnsimple.com, but it's going to be able to tell us where the TLD is located, and it's going to send us on our way, so you can see here is root and here are the TLDs, and it's going to send us to the right one. So before we move on too far, if you're wondering how this would work with, say, something like the Tor Browser, my understanding of how the Tor Browser works is that it's going to encrypt all of your data so that the ISP isn't actually able to track the web application that you are trying to reach, and the Tor network opens up a bunch of nodes for your encrypted data, and it doesn't actually go through this process until after it has reached the exit node, and that is how your ISP, your internet service provider, is not actually able to track where you are sending your requests to, and the same thing would work with a VPN as well. So on to the next page, and it gives a little bit of history that we don't really care about on the TLDs, and finally we make it to the .com TLD, and it's going to say here is name server one, name server two, name server three and name server four. I'm not actually positive, but I think all domains will have four name servers, so if you host with Cloudflare or Google Domains, and I'm pretty sure with any other hosting companies, you're going to have this ns1 and ns2, and you're going to see this when you're actually setting up your domain to resolve to a specific IP address. So it's going to send you to the name server at this point, and you get sent on your way to the next page, and here you make it to ns1, and ns1 says I can give you the IP address, and then you get the IP address.
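Here is an added Python simulation of the chain just walked through; it is not the video's code, nor DNSimple's. Every server name, delegation and 203.0.113.x address in it is constructed sample data, and the toy treats the last two labels as the registrable domain, which is an assumption that does not hold for names like example.co.uk.

```python
"""Walk the lookup chain from the DNS explanation above: browser cache,
then root server -> TLD server -> the domain's name servers -> A record.

Added example, not code from the video or from the DNSimple comic it
follows. All server names and the 203.0.113.x addresses are constructed
sample data (203.0.113.0/24 is reserved for documentation).
"""

# Constructed data. Each layer only knows what the walkthrough says it
# knows: the root knows which server handles each TLD, the TLD server
# knows the name servers delegated for each domain, and only the
# domain's own name servers hold the address records.
ROOT_SERVER = {"com": "a.gtld-servers.example", "org": "a.org-servers.example"}

TLD_SERVERS = {
    "a.gtld-servers.example": {
        "dnsimple.com": ["ns1.dnsimple.com", "ns2.dnsimple.com",
                         "ns3.dnsimple.com", "ns4.dnsimple.com"],
    },
    "a.org-servers.example": {},
}

AUTHORITATIVE = {
    "ns1.dnsimple.com": {"dnsimple.com": "203.0.113.10", "www.dnsimple.com": "203.0.113.11"},
    "ns2.dnsimple.com": {"dnsimple.com": "203.0.113.10", "www.dnsimple.com": "203.0.113.11"},
}


def resolve(name, browser_cache):
    """Return (ip_or_None, trace) for a hostname.

    `browser_cache` is the dict the video describes: a hit short-circuits
    the whole chain; a miss walks root -> TLD -> name server and stores
    the answer so the next lookup is a cache hit.
    """
    name = name.lower().rstrip(".")
    trace = []
    if name in browser_cache:
        trace.append(f"browser cache hit: {name} -> {browser_cache[name]}")
        return browser_cache[name], trace
    trace.append("browser cache miss, asking the ISP resolver")

    labels = name.split(".")
    tld = labels[-1]
    tld_server = ROOT_SERVER.get(tld)
    if tld_server is None:
        trace.append(f"root server: no such TLD .{tld}")
        return None, trace
    trace.append(f"root server -> .{tld} is served by {tld_server}")

    # Assumption for this toy: the registrable domain is the last two labels.
    domain = ".".join(labels[-2:])
    name_servers = TLD_SERVERS[tld_server].get(domain, [])
    if not name_servers:
        trace.append(f"{tld_server}: no delegation for {domain}")
        return None, trace
    trace.append(f"{tld_server} -> {domain} name servers: {', '.join(name_servers)}")

    # Try the name servers in order (ns1 first, as in the walkthrough),
    # so one unreachable server does not end the lookup.
    for ns in name_servers:
        records = AUTHORITATIVE.get(ns)
        if records is None:
            trace.append(f"{ns}: no response, trying the next name server")
            continue
        if name in records:
            ip = records[name]
            trace.append(f"{ns} -> {name} A {ip}")
            browser_cache[name] = ip
            return ip, trace
        trace.append(f"{ns}: no A record for {name}")
        return None, trace
    trace.append("no name server answered")
    return None, trace


def resolve_twice(name):
    """Resolve the same name twice against a fresh cache and return both
    traces; the second one should be a single cache-hit step."""
    cache = {}
    _, first = resolve(name, cache)
    _, second = resolve(name, cache)
    return first, second


if __name__ == "__main__":
    cache = {}
    for host in ("www.dnsimple.com", "www.dnsimple.com", "nothere.org"):
        ip, steps = resolve(host, cache)
        print(f"{host} -> {ip}")
        for step in steps:
            print("   ", step)
```

Running the script shows the four-step chain on the first lookup, a one-line cache hit on the second, and an early stop when the TLD server has no delegation. A real resolver also caches at the ISP level and honours record TTLs, which the toy leaves out.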
With that IP address you're able to resolve to the specific host that you queried in the beginning, such as google.com. So I hope this made sense; if not, you can watch it again or you can read through this, you can see the URL is right here for you to go to, or you can Google around and read maybe something else that explains to you how DNS works if this was too confusing. And if not, you don't necessarily need to know all of this information to move on into the world of ethical hacking, but I thought it'd be helpful for you to understand how the web works. All right, in this video we're going to cover a tool that is called dig, and it will check for zone transfers; you're going to hear about zone transfers, and they are a great way to find additional subdomains. You can use ffuf and gobuster and wfuzz and try to brute-force for subdomains, and use Sublist3r, but you can also use dig; it's really quick, and if there are any subdomains it's a really helpful tool because you'll find them right away. So a DNS zone transfer is supposed to replicate a DNS database between DNS servers, which means if it is vulnerable to a zone transfer it will give us information like subdomains and some other information, which we'll see in just a second. So we'll go ahead and run this. I have opened up the box FriendZone from Hack The Box because it is vulnerable to a zone transfer, and if you find a bug bounty program that's vulnerable to a zone transfer you're not actually able to exploit it and hack, per se, the web application, but when you find a zone transfer and something is vulnerable to a zone transfer you can report it as information disclosure because it's something that should not be open to the world. So the easy way to test this is with a tool called dig, and we'll just type in dig, so we'll go dig axfr and then we will say @ and then we're going to use the IP address, and then we'll use friendzone, because that is the domain that we are after, .red, and then we can run this and see what it spits out
for us. We have friendzone, friendzone, friendzone and administrator1, so this would be something that would be worth checking out; we have this hr, we have an uploads, which would also be something worth checking out if you're doing a CTF, or if you find this information out in the wild. And so you can actually save all of this into an output file, and we'll just call it zone, just like this, and then from other recon that is done on this box you also find another domain called friendzoneportal, just like this, and we can run it and we find admin, files, imports, vpn, and you have all of these as well, and so if you use a double redirect (>>) it will just append to our file. So if we cat out zone we have all of this information, and now if you have taken my little bash course you know that we can cat out the zone file and we can go like this and we can say grep friendzone and make sure that works, and so it'll give us everywhere that friendzone is located, and then we can pipe it into awk for our cut and go ahead and put in our curly braces and quotes and we can say print $1, because we only want what is at the front of this file, and then we will see what happens. Yep, that's what I thought was going to happen; it gives us what we want, and then we can say sort -u, and this should get rid of our duplicates right here, and it does; it sorts it out for us and we get rid of a lot of the repeats, and now you have this nice little happy file with just the subdomains that we have pulled down from the zone transfer. So zone transfers are something you should always look at, and if you're in a Hack The Box machine you might have to add more of these to your /etc/hosts file, but out in the wild these would be really good targets to go ahead and try to attack and find exploits on. So this is the zone transfer with the dig tool; you'll want to remember it whenever you see a port 53 that is open; that is the port that is used for a zone transfer.
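The grep, awk and sort -u steps above, redone as an added Python example (not the video's code) over constructed dig axfr output for the two domains named in the video. 10.0.0.5 is a placeholder address, and the sample records are made up to resemble the box's zone, not copied from it; the script also builds the /etc/hosts line the video says a lab box may need.

```python
"""Pull unique hostnames out of `dig axfr` output, the same job the
video does with grep, awk '{print $1}' and sort -u, and build the
/etc/hosts line it says you may need on a Hack The Box machine.

Added example, not code from the video. SAMPLE_AXFR and SAMPLE_AXFR_PORTAL
are constructed to look like dig's zone-transfer output for the two
domains shown in the video; 10.0.0.5 is a placeholder address.
"""

# Constructed dig axfr output for friendzone.red (placeholder IP).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @10.0.0.5 friendzone.red
;; global options: +cmd
friendzone.red.                604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.                604800  IN  AAAA  ::1
friendzone.red.                604800  IN  NS    localhost.
friendzone.red.                604800  IN  A     127.0.0.1
administrator1.friendzone.red. 604800  IN  A     127.0.0.1
hr.friendzone.red.             604800  IN  A     127.0.0.1
uploads.friendzone.red.        604800  IN  A     127.0.0.1
friendzone.red.                604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 4 msec
;; XFR size: 8 records (messages 1, bytes 289)
"""

# Constructed output for the second domain found later in the video.
SAMPLE_AXFR_PORTAL = """\
; <<>> DiG 9.18.1 <<>> axfr @10.0.0.5 friendzoneportal.red
friendzoneportal.red.          604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.          604800  IN  A     127.0.0.1
admin.friendzoneportal.red.    604800  IN  A     127.0.0.1
files.friendzoneportal.red.    604800  IN  A     127.0.0.1
imports.friendzoneportal.red.  604800  IN  A     127.0.0.1
vpn.friendzoneportal.red.      604800  IN  A     127.0.0.1
friendzoneportal.red.          604800  IN  SOA   localhost. root.localhost. 2 604800 86400 2419200 604800
"""


def records_from_axfr(text):
    """Yield (name, rtype, rdata) for each resource record line, skipping
    dig's ';' comment lines and blank lines. Names lose their trailing dot."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":  # name ttl IN type rdata...
            continue
        yield fields[0].rstrip("."), fields[3], " ".join(fields[4:])


def hostnames_in_zone(text, domain):
    """grep domain | awk '{print $1}' | sort -u, done in Python: the
    unique names in the transfer that are the domain or below it.
    An exact suffix match is used so friendzone.red does not also pull
    in names under friendzoneportal.red, which a plain grep would."""
    domain = domain.lower().rstrip(".")
    names = {n.lower() for n, _, _ in records_from_axfr(text)
             if n.lower() == domain or n.lower().endswith("." + domain)}
    return sorted(names)


def hosts_line(ip, text, domain):
    """Build the single /etc/hosts line for a lab box: every name from
    the transfer mapped to the box's IP address."""
    return f"{ip} " + " ".join(hostnames_in_zone(text, domain))


if __name__ == "__main__":
    # Appending the second transfer to the same file (the video's >>) is
    # just string concatenation here.
    zone_file = SAMPLE_AXFR + SAMPLE_AXFR_PORTAL
    for d in ("friendzone.red", "friendzoneportal.red"):
        print(hosts_line("10.0.0.5", zone_file, d))
```

Feed it the real output by reading your saved zone file instead of the constants; the only thing that changes is where the text comes from.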
A few things to remember about this specific tool: if you run an nmap scan and port 53 is open, you can always try for a zone transfer and see if you can pull down additional subdomains; it's a great place to grab subdomains, and you can also report it as information disclosure if you are actually able to pull off a zone transfer. So with that we will move on to the next tool. All right, I want to cover two more recon tools that you're going to hear about but I don't really use a whole lot, because I don't think I get a whole lot of helpful information from them, but you're going to see these in pretty much every penetration testing textbook and every certification course you ever come in contact with, and they are whois and nslookup. We'll do nslookup real quick because it doesn't give us back a whole lot of information, so we can just type in nslookup just like this, and then you can do something like www.google.com, and it's going to tell you their IP address, the domain name, you're going to get the IPv6 address back, and it's going through port 53, and so this is a tool you would run if you see port 53 open, same as dig, and you can get just a little bit of information back with nslookup. So you'll hear about this and you will definitely see it in the future; this is what it does. But then there's another one that you're going to hear about and see regularly, and it's whois, and so if you type in whois google.com you're going to get back a whole bunch of information, and if you're ever doing a penetration test this is actually a good one to run, because sometimes you can get back email addresses and a phone number and things like that about the company, so you can find out a little bit more about the company. So right here you see they're using the Google domain servers right here, which isn't that surprising being from Google, but if you look at this right here, who is Google registered with, it's not even registered with Google Domains, which is kind of ironic, that Google does
not have their own domain name registered with themselves; I'm guessing they must trust this MarkMonitor more with security than they trust themselves, which I mean is saying something; I think Google should probably switch that, but anyway, if you know why they're using MarkMonitor instead of Google Domains then you can feel free to let me know in the comments; maybe they're just using it because they've never changed it once Google Domains came out. Anyway, this is whois, and it just tells you more information about the domain name and where it's registered and kind of the security behind it and who's running it, and you can look up to see if there are any vulnerabilities or anything like that; you're probably not going to find a whole lot from whois other than just about the domain name, where it's registered, who it's registered with, an IP address and basic information like that. So these are two tools that you're going to hear about for sure in the future and would be worth remembering, but I don't use them all that much because I don't find them to be that helpful; I wanted to let you know about them because you will see them and hear about them in the future, and now you know what they are and what they do. Another tool that would be worth your time investigating is theHarvester; it looks like this, and this tool will go out and look for other domains and subdomains, and it'll also find email addresses, if you're a penetration tester, for you to try and target, and the usage is really pretty simple: you just type in theHarvester and then you would pass in a domain with the -d flag, and then you can pass in the source that you want to search, so you would just use domain.com, and then let's say we wanted to use Google, you can put in -b and then google, or any of these other options down here for the source, and it will go out and it will try to look for domains, and it will scrape all these search engines for subdomains, email addresses and
things of that nature. So theHarvester is a penetration testing tool that you're going to hear about from time to time, and it's one to be aware of and know that it exists; you're probably not going to use it in any pursuit of certifications or CTFs, but it is a really great recon tool and one you should know about and be aware of. We're going to be looking at crt.sh; I've gone ahead and pulled it up here. This is actually the second time shooting this video because I forgot to press record the first time, but when all else fails, when you're looking for subdomains, crt.sh is going to be a great place to come; it's going to give you the certificates that have been issued for the domain that you are looking at. So we'll go ahead and open this up and I'm going to type in tesla.com, and we can hit search and look at the subdomains that it pulls down, and you're interested in this middle column right here, because if you look at this closely you can see these subdomains right here for tesla.com, and so this will give you a bunch of subdomains for you to go out and look at and test for bugs and see if there's any information out there or anything you want to test against. When I look at something like this, one of the first things when you have so many subdomains is to see which ones look specifically interesting to you, and then you can go and check those, but always make sure that they are in scope; so you'd want to make sure first of all that this asset is owned by tesla.com, and then you'd want to make sure that it's in scope. And second, a tip is to look for the dev ones; typically these dev sites and these dev subdomains right here are going to be hosting information or new software or new code before it goes live on the actual main domain, and so these dev ones are always something good to look at. Another one that's good to look at is admin portals, and see if you can get into any of those, or fuzz for directories, because there might be something there that you might need authentication
for in order to see, but you can access it without being authenticated. So the devs, the admin pages, things like those; this api one would be interesting to look at, and so you can come in and look at all these subdomains. If amass and Sublist3r are not pulling back enough subdomains for you, you can always come to crt.sh and check this out. So in this video what I think we're going to do is I'm going to show you how to grab all of the different possible URL targets for you within a bug bounty program, and then we're going to start to narrow it down to the URLs that are actually responsive, and then the ones that I think will be helpful for you to target as a beginner. And so I'm going to show you how to find the most obscure URLs within a bug bounty program for you to target, but always make sure to remember that these URLs are in scope; that's going to be really important, so always check that, because sometimes you'll see URLs that maybe are several years old and a specific bug bounty program has forgotten to remove them, and you're going to think this is a really great target, but it will end up falling into the category of out of scope. So make sure as you go through your recon phase to only target URLs that are in the bug bounty scope; this is something that I really struggled with in the beginning, I would end up out of scope, so you don't want to do that. All right, there is something called the Wayback Machine which is really cool, and we're going to be utilizing this, and thanks to tomnomnom for making a waybackurls tool that is really going to save us some time, as well as a couple of other tools. So if you want to check this out online you can type wayback into Google and you'll be brought to the Wayback Machine, and we can come right in here, and it tells us at the top that it has saved more than 737 million web pages, and let's go ahead and check out what this does. So we can type in yahoo.com and it's going to give us all of the screenshots that it has taken of yahoo.com from October 17,
1996. So this is why it's called the Wayback Machine, and it doesn't just take screenshots; it'll actually store the URLs, and you can go back and check out the timestamps, and it'll show you what the web page actually looked like at that time. So if we click back here to the year 2000, and let's say we want to open up February 29th, 2000, we can do this, so we'll right-click, say open in a new tab, and it's going to render what that page looked like for us from its archive, which is pretty cool. And so this is what the main page looked like, and some of the HTML might not render quite right, but that's okay, so we just really want to grab the URL and a lot of the links that were available at that time, just in case they are still being hosted on our specific target and they have not removed them, which does happen: programs and companies will be hosting specific subdomains, and then after a while that subdomain is no longer in use, and this is really common with blogs on large companies. Say PlayStation comes out with a new video game; they'll create a subdomain all about that video game, and then they will forget about that video game, and years pass by and that subdomain will still be up, and it won't be updated, and it might be vulnerable to new exploits and CVEs. And so that's why we want to look back into the past and see if we can grab any subdomains or URLs or links that may lead us to bugs that other people have not checked for within those forgotten subdomains and links. So this is the Wayback Machine; you can come in here and get a feel for how it works, and now we're going to go ahead and install the waybackurls tool by tomnomnom. So what you will do is come to Google and you're just going to type in waybackurls tomnomnom, and it's going to be the first result here for us, and we're actually going to have to install the Go language before we're able to install this. So what you can do is open up a terminal and come in here and just type in go, and if it doesn't turn green then
you do not have the go language installed so what we're going to need to do is run a sudo apt update just like this and let this update and if yours it doesn't update or gives you some kind of warning you might have to run a sudo apt upgrade and then run the sudo app update so now that we're all updated we can run sudo app install go Lang like this and we'll say yes and now if we type in go it should turn blue for us or some other color meaning that we have the go language installed so we can come back to the Tom Nom Nom site and we can just highlight this and it's gonna and we can just copy this right here and it's actually going to install the tool for us and I think it installs it in in the directory Go slash bin so I'll show you that in just a second we can paste this in and I think we're gonna have to run this as a sudo okay so when I ran it with sudo it didn't work for me so when it actually installs the proper way it's going to run just like this and you're going to see nothing in the output and then what you're going to want to do is CD over to the go bin and it's going to look like this and you'll hit enter and you're going to automatically come into the directory like this and then if you LS you're going to see the Wayback URLs within the file here and the way we're going to run this is with this dot slash and then the name of the tool that we want to run and just so you can see what it looks like you can run a dash H and see the output here okay yeah so my other VM was freezing so I went ahead and opened up a new one which is just fine it will all work the same so I went ahead and installed it on this new machine and you're going to find it in the go bin and so if I run an LS you're going to see I actually have a couple other tools in here but I'm going to show you how to install those in just a second but this is the tool you just installed right here so the way we're going to run it is really simple but first we need to create a Target domain for us so 
we're going to G edit and I'm going to get it yahoo Dot txt and we can just type in yahoo.com and this is going to be our domain that we Target and if there's any subdomains in here you'd want to paste in like a sub.yahoo.com and I'm going to show you how to grab these subdomains here in just a second so we're going to leave it just like this we will save and now we can run the Wayback URLs tool and while it runs I'll show you how to grab the subdomains so what we'll do is cat that file that we just made and we're going to run it into the Wayback URLs just like this and then you can actually save all those into an out file by pointing it over to the file you would like to call it so we'll call it yahoo dot urls and we'll let this run and now while that runs we're going to go ahead and grab some subdomains so we're going to run an amass enum Dash passive Dash D yahoo.com and this might take a second and it's going to give us a ton of sub domains that we would want to run the Wayback tool on and so our goal is to find really old pages on these subdomains from the way back tool that are going to have some vulnerabilities so we'll go ahead and close out of this and what we're going to end up doing is just grabbing like 10 of these because I don't really want to run the Wayback tool on all of these you would run it on these if you were actually looking for any vulnerabilities Within These pages but my goal is just to showcase the tool for you so we will copy some of these URLs and come back over here and this is still running so oh it just finished so what we'll do is now we can G edit our yahoo.txt like this and what you would do is you would run all of these subdomains in a file just like this so you might want to save this a mouse right here into an out file so that you don't have to copy and paste but that's okay that we're not going to do that and we're going to save this and now if we ran it it would run and grab the valid URLs for all of these domain all of these 
subdomains for yahoo.com so now that we have that saved what you would do is you would run this the exact same way you did right here and it would run this way back tool on all of those subdomains that we just put in that file and it would save them over here in the URLs for us so what I want to show you is if we run a word count right here on this yahoo.txt it's going to show us uh that's the file that we made so we'd want to run it on the URLs and it'll show us that we have more than 128 000 valid responses from the way back tool and we don't necessarily want to visit all of these 100 128 000 URLs and if we ran the Wayback tool with all of these subdomains I bet we would have well over a million different URLs and we don't really want to check all of those so now we want to see which ones resolve in order for us to know which ones to Target so what we would do at this point is you're going to run a sudo app install HTTP probe and it's going to look like this I already have it installed so you can go ahead and run it and then after you run it you can type in HTTP probe to make sure that it's installed and it should turn blue for you just like this and the way we run it is the same way we would run the way back just like this so we're going to go ahead and cut out our Yahoo URLs just like this and I'm going to actually delete the valid URLs and you can save it into an out file if you want I'm not going to I'm just going to let it spit out to the console and then cancel it and so we would go ahead and run this and I think this is URLs with an S like that and it's going to go ahead and start running this all of those 128 000 URLs that we pulled down from up here and it's going to start printing the valid ones out down here in the terminal for us I'm going to go ahead and cancel that the valid URLs are going to get printed out just like this into the terminal or you could save them into an out file and then once you have the valid URLs you can start to look through 
which ones you think are juicy and you want to Target one other thing I want to show you is if we type in our HTTP robe just like this it'll be run a Das H just like this you can start to see if you want to give them a timeout in milliseconds so I think there's a thousand milliseconds in a second so if you wanted to run an HTTP probe and you didn't actually want to wait for it to try and resolve each one for the default of 10 seconds which is kind of a long time you could change this and see if the web URL resolves in like a second that's probably what I would do so I would run a dash T and I would say 1000 instead of ten thousand suddenly it only takes a second before it moves on to the next URL so if it went to this URL and it didn't resolve by default it's going to wait 10 seconds to go to the next URL and if you're running over a million subdomains that's going to take forever especially because a lot of them are really old and are not going to resolve so I would run it with a thousand subtle way to one second so if this did not resolve within a second it's going to go ahead and go to the next one so this is one of the most comprehensive ways to pull down the max number of URLs for you to Target within a bug Bounty program in this video I'm going to show you how to find the subdomains which are going to be really important for you if you do any kind of bug money hunting or penetration testing because subdomains are usually targeted at the least and usually what happens is beginners just log into the main page and try and hack on the main page and it doesn't really work out for them and they become really frustrated so let's go ahead and jump into it okay so here we are we have opened up a terminal and you're going to go ahead and and sudo apt update and then you're going to type in sudo apt install sublister I just want to show you sublister because it's really popular and I used to use it a lot but I've really stopped recently because it's not pulling down as 
many domains as I would like so if we just type in something like sublister and then yahoo.com we'll see what it pulls down so you'll type in sublister Dash D for the domain actually we can type in a dash H for help and you can see what all it's able to do so we're going to type in a sublister Dash D and then we'll just type in yahoo.com and it's going to go out and search all these different search engines and then bring back the results and remember when you see all of these subdomains that it brings back that you need to check to make sure they're in scope sometimes I'll show you what I do is I just open this up and I'll be like okay here's a subdomain here's a subdomain and let's go through these subdomains and I'll show you what I think is the best way to do this so if you're in Firefox you're going to want to download something called open list plugin and we want it on Firefox so we'll just go ahead and add this and it's telling you right here what this is going to do it's going to open multiple URLs at a time which becomes really helpful for us it says we want to add we're okay with adding and here it is so we now have this right here and what open list does is when you have all these subdomains and you want to see what happens you can just copy these and then you can paste them in so we'll just grab this one because I don't think it's going to have anything on it so we'll copy this one we can come over to open list and we can just paste in a bunch of URLs so what we would do is you'd really just copy a bunch of these instead of the same one over and over and then when you hit open URLs it's going to open all of these tabs for you it's going to be a lot faster than having to open one at a time so here they are it opened all those for us so that's one way to check out the subdomains you do find but that's not the purpose of this video that was kind of just an afterthought that popped in my head as we were shooting this video so you have sublister and here's a 
list of subdomains that it's brought down and you might be able to say well that's a that's a decent sized list so we'll scroll through it here it's fine but it's it's not as big as we would like so one of the tools I've been using here recently is amass and you can just type in amass H and you can see exactly what it does and it's going to tell you it's an in-depth attack surface mapping and asset directory a mass is really cool if you can get it to work so sometimes amass can be a little bit finicky but it'll work for us for what we're about to do you just type in a mass and then we want to use enum because we're going to do enumeration right here and then if you hit a dash if you just hit enter with amass enum it'll tell you everything you can do with the enumeration and we're actually going to scroll up and we're going to run a Dash D and we're just going to give it a domain and sometimes I like to run a dash IP to grab the IP addresses for the discovered names which can be really helpful so we're just going to run amass enum Dash D and then we'll just run yahoo.com actually now that I see this is running and it's actually taking a little while let's go ahead and close out of this I want to run an a mass enumeration and I want to run a dash passive and then the domain right here and then run this and this should run a little bit faster than what we did have going okay so amass is still running but I want to show you look at all of these subdomains that it has pulled down for us this is going to be way more it's so many that my terminal is actually lagging so we'll go ahead and close out of this so that the way it stops and if we just scroll through here look at all of these subdomains this has way more subdomains than we had with sublister it is an insane amount so all of these subdomains you'll want to check to make sure that they're in scope but look at all these yahoos like this is a crazy attack surface if you can find a program that has a really wide scope 
then you will then on most of the subdomains you find will be in scope but make sure to always check if I can't believe I'm still scrolling there has got to be like nearly a thousand sub domains right there so amass is something you'll want to check out I love amass enum and then I run the passive because I think it runs a little faster and then Yahoo in this video I'm going to show you some cool Recon tools that are going to be able to help you figure out what kind of technology is running on a specific website that you may be trying to Target and an easy way to find out some version numbers and search for vulnerabilities this can be really helpful for you to know what is being used and what technologies are running on a specific website so that way you know what kind of attacks you should be looking for so with that let's go ahead and jump into it alright so here we are at tenet.hdb this is a box from hack the box I decided to use this because if there was something vulnerable on a live web application I didn't want to accidentally show any information so a few ways to find out what tech stack is being used is with a tool called wapalizer and it is right here I already have the extension installed and you just come up here and you can click this extension and it'll show you what it is running so you're running WordPress A 5.6 so to Google and type in where WordPress 5.6 and then you can type in exploit or vulnerability and just read to it see if there are any vulnerabilities or anything that needs to be patched with this specific vulnerability sometimes inside of here you'll see something like this database this is really helpful for targeting SQL injection so you have a mySQL database so if you find any places for any inputs which I'm not sure if there are or not you can try to pull off some kind of a SQL injection the wapilizer tool is really helpful in giving you the programming language so if we're on a web application and we are testing it if there is 
something like the programming language of PHP there are some very specific ways to go about manipulating PHP or checking for PHP type juggling there's different things you can do knowing just the programming language and then something like this right here we have the web server is Apache and you can do the same thing we did with the WordPress 5.6 and we can go out and see if there's any vulnerabilities here that maybe have not been patched for this specific website so appalyzer is a really great way to find out what kind of Technology a web application is running and so if you wanted to install this you can just go to Google type in wapalyzer and you can type in wapa laser and we want I'm on Firefox you might be on Chrome and we can do Firefox and then here's the extension and you can just come over here instead of remove you will click install and the second one I want to show you is the react developer tools this is a really cool extension it will be right here and whenever you're using something that's using the react framework it will light up for you so I went ahead and opened up Instagram and you can see a light up blue right here and it'll tell you this page is using the production build of react and so we know Instagram is using react and there's actually a lot of popular websites that use reacts such as ubereats Discord Instagram Skype Pinterest and many others so knowing what is running such as react you're going to know that there's a JavaScript and then there are a lot of common Frameworks that are used within react and you can Google those we're not going to go into those in too much detail and then one of my favorite websites is right here the W3 text this is going to do something very similar to appalyzer so right here you can just enter a specific URL and it's going to tell you what is being used very similar to waplizer so if we just type in yahoo.com it will pull back for us all of the technology that is being used so it says it has some 
server-side programming with Java JavaScript jQuery so you have this really old library right here and it tells you there is a newer version and so there's a lot of information in here and if you have any questions about something like JavaScript you can click on it and it'll tell you what JavaScript is or jQuery and how it is used so there is one other way to kind of find out what kind of a tech stack is being used so if you come in here and you have vapilizer when we look at this we can also come in and try to figure out what is being used within the JavaScript sometimes you'll be able to see comments or be able to work out what is being used on the website by coming in here and clicking on the debugger right here and it'll tell you here is the JS and we have the JavaScript and then you can click the pretty print down at the bottom and you can look through this JavaScript and see what you are able to find inside of here so these are some of the common ways to find out what technologies are being used on websites they can be really helpful for you to know what's going on and exactly how to attack a website and these can be really helpful for you in your recon phase and maybe even lead you to some kind of vulnerabilities just because you have a version number given to you okay so now I want to show you the tool and map and if you followed my channel for any length of time you're familiar with the tool in map but I want to show you how I like to run this tool and the information I like to look at and pull back from my target Target so nmap is a port scanner and if we run in map Dash H it's going to spit out for us all of the things that we can do with nmap one of my favorite things to do is run the dash V with a dash a this is going to tell us about the open ports as they come back and this is going to give us all the information so it's going to tell us right here enable OS detection it's going to do script scanning and it's going to look for different versions as 
well so we can go ahead and type in an nmap Dash a and usually you would run a dash p dash if you're doing like some kind of CTF but if you were doing a bug Bonnie program and you're not wanting to knock on the doors of all the ports you would just run the specific ports that you would like to see if they are open and so I've gone ahead and opened up a hack the box and so if we run this this is what it's going to look like and the dash V is going to give us back the ports as it finds them so it says a 480 is open and it has finished and it tells us about the open ports and one thing to note about hack the box is it says it did not follow the redirect so it went out to see if Port 80 was open we were redirected to academy.htb and if I actually wanted to open that up and I keep getting this not found right here that is because I need to add this to my Etsy host file but we're not going to do that right now that's not the point of the video and we are told we have the Apache version and it tells us our methods and it gives us these ports are open as well so this is how I like to run in map and so we will continue on there is a one last way to search for subdomains and directories that I think will be helpful for you to know specifically subdomains we've seen this before dealing with directories but we're going to use the tool fuff and this is the syntax that we're going to use we're going to go ahead and fuzz for subdomains on yahoo.com so the tool is pretty simple to use we just type in fluff the URL which is going to be right here and the location that we want to fuzz which is for subdomains before yahoo.com and and this is going to a Brute Force for us any subdomains that come back with the status code 200 and then we're going to use our word list which is right here and then we're going to use a Slowdown of one second so we can go ahead and run this and you should be able to see subdomains start spitting out as it finds them and here are a few different subdomains 
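Here is an added example, not the video's own commands, that strings together the pipeline from the Wayback and subdomain sections above (seed domains into amass, waybackurls, then httprobe with -t 1000) and adds the scope check the video keeps insisting on. The two steps that never need the network, reducing a URL list to unique hosts and dropping anything outside the program's scope, are plain shell functions that run on constructed sample data; the example.com hosts, the scope patterns, and the assumption that amass prints one hostname per line (the v3 output seen in the video) are all mine, not the page's.

```shell
#!/bin/sh
# Added example, not the video's own script: recon pipeline glue with an
# offline host-reduction and scope-filter step. Sample data is constructed.
set -f   # scope patterns contain '*'; never let the shell glob-expand them

# Constructed sample of waybackurls-style output (not real archive data).
SAMPLE_URLS='http://www.example.com/index.html
https://www.example.com/about?x=1
http://old-blog.example.com:8080/2009/post.php
https://static.example.com/js/app.js
https://www.example.com/index.html
http://notours.example.net/login'

# Constructed scope, one pattern per line, the way a program's scope page
# lists them: wildcards that are in scope, and hosts explicitly excluded.
IN_SCOPE='*.example.com'
OUT_OF_SCOPE='static.example.com'

# Reduce a URL list on stdin to sorted unique hostnames:
# drop the scheme, then everything from the first '/' or '?', then any :port.
unique_hosts() {
  sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/?].*$##' -e 's#:[0-9]*$##' \
    | tr 'A-Z' 'a-z' | grep -v '^$' | sort -u
  return 0
}

# Return 0 when host $1 matches pattern $2: either an exact host name or a
# wildcard such as *.example.com (which matches subdomains, not the apex).
matches_pattern() {
  case $2 in
    \*.*) case $1 in *"${2#\*}") return 0 ;; esac ;;
    *)    [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# Keep only the hosts on stdin that match an IN_SCOPE pattern and none of
# the OUT_OF_SCOPE ones; everything else is dropped before any probing.
filter_scope() {
  while IFS= read -r host; do
    keep=1
    for pat in $IN_SCOPE;     do matches_pattern "$host" "$pat" && keep=0; done
    for pat in $OUT_OF_SCOPE; do matches_pattern "$host" "$pat" && keep=1; done
    [ "$keep" -eq 0 ] && printf '%s\n' "$host"
  done
  return 0
}

# Live-check with httprobe, using -t 1000 (one second per host, as the video
# suggests) instead of the 10 s default. Needs the network and the tool.
probe_live() {
  if command -v httprobe >/dev/null 2>&1; then
    httprobe -t 1000
  else
    echo 'httprobe not installed; printing unprobed hosts' >&2
    cat
  fi
}

# Full pipeline for a seed file (one apex domain per line, like yahoo.txt in
# the video). Assumes amass prints one hostname per line (v3 style) and that
# waybackurls reads domains on stdin. Runs only when both tools exist.
recon() {
  seeds=$1
  if ! command -v amass >/dev/null 2>&1 || ! command -v waybackurls >/dev/null 2>&1; then
    echo 'amass and waybackurls are required for the live pipeline' >&2
    return 1
  fi
  while IFS= read -r domain; do
    amass enum -passive -d "$domain"
  done <"$seeds" | waybackurls | unique_hosts | filter_scope | probe_live
}

# Offline demonstration on the constructed sample: prints the two hosts that
# are unique, in scope and not excluded.
printf '%s\n' "$SAMPLE_URLS" | unique_hosts | filter_scope
```

Run it as `sh recon.sh` to see the offline filtering; `recon yahoo.txt` (after sourcing the file) runs the live pipeline the video describes. Filtering on hostnames before probing is deliberate: with 128,000 archived URLs, most belong to a handful of hosts, and the scope check removes anything the program has not authorised before a single request is sent.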
We'll stop this right here. I want to show you: we got this 301, which I believe is going to be a redirect, but we have different sizes, different word sizes, so you might want to go and check these out anyway. But just in case we didn't want to see these 301s, what we can do is, I think it is a -fc, and we can say 301, and now it won't show us any of those 301s. Sometimes that comes in handy when you are fuzzing and you keep getting 401 or 403 and we really don't want to see those. So you can see here are some 200s, so if we wanted to we could go out and look for these subdomains and see if any of them look interesting to us. Now, I have mentioned this before: you can also fuzz for directories, and you can use the FUZZ keyword like this in this location, and now if we run it, it's going to look for directories. Lastly, one thing I also want to mention is when you are fuzzing for APIs, ffuf is also a really great tool for this. So we'll go ahead and delete this, and if we were going to be looking for, let's say, an API that looks like this, api.yahoo.com, and we wanted to fuzz for valid endpoints and see what we could find, we would just go ahead and run ffuf like this and look for endpoints, and then go out to the web page, if we are able to, and look at the JSON. If not, I have a tool that will fuzz APIs for us and actually give us the JSON right here in our terminal; you can go check that video out, I'll link it in the description. If you would like to build that tool, it'll save you some time having to go out and look at the JSON itself, and it'll just print it right here in the terminal for you. So with that, that is ffuf and how we fuzz for subdomains and directories.

All right, so it is always good to have a couple of tools in your tool belt. You can go ahead and run dirb like this, and we can run yahoo.com, and we don't really need any more than just this right here, so it's just https:// and then yahoo.com, and it'll automatically start fuzzing for us just like that; it's really simple to use. Sometimes ffuf might give you some errors or it's not working quite right, and it's always good to know of other tools. One of the cool things about dirb is you can run it recursively, so once it runs all the way through your wordlist and let's say it found yahoo.com/football, the next time it runs it'll run yahoo.com/football and then it will look for more directories within that football directory, which is really cool. So dirb is also a backup fuzzer just in case ffuf isn't working for you.

Another helpful tool that you're going to use, especially inside of CTFs, is wpscan, and you're going to use this with WordPress sites. So I've gone ahead and opened up Hack The Box and I have Tenet running here, and if you have a Hack The Box subscription and you're wanting to follow along you will need to add tenet.htb to your /etc/hosts file, which I have already done. The wpscan tool is going to go out and look at all of the plugins on the WordPress site and see if any of them are vulnerable, if any of them are out of date; it's going to check the actual theme and see how old it is and how long it's been since it's had updates. We can go ahead and check out wpscan right here, wpscan --help, and it will tell us all of the different flags and everything that we are able to use. One thing that I can never remember what it actually looks like is this right here, the --plugins-detection. So what we will do is we'll type in wpscan --url http:// and then we're going to go tenet.htb, and then this -e right here is going to tell it that we want to check all of the plugins. I sometimes call it all ports out of habit, but I think it's all plugins, so we can actually just look: if we scroll up, we're going to enumerate all plugins right here, and we want to use the -- and then we want plugins-detection and then we want to use aggressive, and then you can do a -o if you want to save this in a file. I pretty much never do that; I'll just open a new tab and come back. Sometimes I'll have a whole bunch of tabs open up here and it's not always that helpful. So it will flag things like this and tell you that a version is out of date, and I told you this in the last video, but I especially am really bad with wpscan, because you get a lot of information, but you should read all the way through all of this. I remember doing a CTF about six months ago and I ran a wpscan and I just skimmed through it, and I ended up missing a vulnerability that gave me remote code execution, and I wasted several hours of my time enumerating when I should have just read the entire scan. So make sure you read the entire scan when you run one; it might take you a little bit of extra time, but it will always be worth it, because it will give you information even if you think it might not be helpful. Like right here, it doesn't flag this, but it might be worth going out and checking this version 5.6; it's insecure on this specific release, and you can go and check these different version numbers. This might take a little while because we're running the aggressive, but that is okay. So this is wpscan. You're going to want to run this whenever you come across WordPress web applications; it is going to be your friend, you're going to use it regularly throughout your penetration testing career, especially in the world of CTFs, and always remember: read the output.

In this video we're going to cover how to choose a bug bounty program for you to attack. One of the first things you have to do is figure out a target that you want to start doing your recon on, and sometimes people can become paralyzed by analyzing all the different targets and trying to figure out which one they want to attack first. So I want to try and help you figure out how to narrow down your options and then specifically choose one and then start your recon process with it. Before we jump into this too far, I kind of wanted to give you a little bit of encouragement. I'm not really a Star Wars fan, but I came across this quote a really long time ago and I found it to be really helpful, and it says: you want to know the difference between the master and the beginner? The master has failed more times than the beginner has even tried. I think this is really helpful when trying to figure out how these top hackers are finding so many bugs while so many other people are struggling: it is because they have dedicated a lot of time to specific platforms and to learning this craft, and so we just have to keep moving forward every day and you'll be getting better. Life might get you down; "you know what you got to do?" "I don't want to know what you got to do." "Just keep swimming, just keep swimming, just keep swimming, swimming. What do we do? We swim." So I decided to add "just keep moving forward" to a t-shirt recently, because it really does show the perseverance that you have to have in the field of cyber security. So let's go ahead and take a look at HackerOne and narrow down some potential targets, and I'm going to show you my process for doing this. Let's go ahead and jump into it.

So here we are on HackerOne, and one of the first things I like to do is come in to the hackers tab and then we need to go to the directory so that we can start looking for different programs. Now I like to click launch date, and I like to sort by the date; I want to go from the newest first. I accidentally clicked it one too many times, and I actually believe you have to be logged out of HackerOne to have this feature work, so if you're logged in go ahead and log out and then you can look through here. Once you have them all sorted out, one of my favorite things to do is open them up and look at the scope. I like to see how big the scope is and make sure that there is a really large scope, because one of my personal and biggest struggles is I will open up a program and I'll get started, and then in 20 minutes I find myself out of scope, and this can be a problem. So I really like to have large scopes; it also means you have a lot larger attack surface and there's going to be a lot more diversity in where different bug bounty hunters have been looking and testing, and so you're more likely to find a bug. So let's go ahead and scroll through some of these and let's look at some of the scopes. Maybe we can look at this Linktree one; I have actually never looked at this, but you can scroll down and look to see how large their scope is, and it seems like they have a pretty large scope, and then you need to make sure you stay away from these specific ones. So make sure when you are searching for a target that it has a large scope.

One of the second things you should search for is something that you're really familiar with. I've noticed that there can be a lot of currency trading programs on here, and I'm not familiar with a lot of the online currency trading programs, so that's something that I'm going to just avoid. But maybe you're into shopping and you're like, I want to check out Fossil, I want to see what kind of scope they have, and you can come in here and read about it. Maybe you're really into gaming, and I'm pretty sure here's GameStop; there are quite a few game-style programs on here and you can go ahead and attack those. I'm pretty sure PlayStation is on here, GameStop is on here, and if you're familiar with those websites already, those are going to be something you're going to want to attack, because you're going to already know how the web app functions and what should be happening when you click on different links or log in. So pick a program that you personally are familiar with and are already interested in, and a sub-point to this is pick a program that you're really interested in, because you are going to be interested in clicking through the website, seeing what's happening, what products there are, and maybe you'll be interested in looking at the products, and it's going to help you figure out how the website functions, just because you're going to be a normal user and there are going to be things on the website that you want to look at and click through and check out the functionality, but you're also really interested in what they have to sell. This is going to really help in keeping your interest. So pick a program that you're familiar with, or one that offers some kind of service that you're really interested in, or products that they're selling that you would be a potential buyer of.

Now, the reason I told you to sort the programs by date is because the newer the program, the less likely they are to have already been tested by a bunch of different penetration testers or bug bounty hunters, and this is really going to help you land a vulnerability before anyone else, because the web application just hasn't been picked over as much as the older programs. Another tip to this, and this is really popular and probably really common knowledge, is to choose a program that is unpaid. So you can come down to one of these unpaid programs and hack on one of those, because the top hackers are going to be going after the programs that offer rewards and financial gain, because they're doing this for a living, and if you're just trying to get that first bug then you can go for the unpaid programs, and then also the newest unpaid program. The last tip is kind of an OSINT tip, and I think this is really going to help you in your ability to find bugs based on what the developers are posting. So go on to all the social medias and follow the developers that work for a specific company. If I was going to come over here to MongoDB, I'd want to find the developers that work for MongoDB on Twitter, find their GitHub pages, follow them on any social media that I can, because developers will often brag about the different software that they're using and that they're implementing into different projects. And then lastly they're going to be pushing their new code to GitHub, and if you are following them on GitHub you can go and check out the code that they have published before anyone else and see if you can find any vulnerabilities within there, or maybe they have pushed some sensitive information to GitHub that they otherwise shouldn't have. So following the developers is going to be really helpful. One last thing the developers will often do is when they launch a new subdomain or a new area of the web application that wasn't previously launched, they'll often post about it and they'll tell you what is going on on that specific page. Following the developers is one of my last tips in trying to choose a program; if there are a lot of developers that you have the opportunity to follow on a specific program, this is going to help you be one of the first ones to find new pages as well as code that is being pushed to GitHub. Thanks for watching.
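The technology-identification section above leans on Wappalyzer, the React Developer Tools and W3Techs. The following added example, which is mine and not the video's or those tools' code, does the same kind of check by hand: it reads the technology and version hints out of response headers and HTML, on a raw HTTP response so it runs offline. Read from the defender's side, every line it prints is a version disclosure (Server and X-Powered-By banners, the generator tag, ?ver= query strings on assets) that can be removed from a real deployment. The sample response, the Apache/PHP/WordPress versions in it and the plugin and theme names are constructed, not captured from any site.

```shell
#!/bin/sh
# Added example, not from the video: a small version-disclosure check in the
# style of Wappalyzer/W3Techs, run against a raw HTTP response on stdin.

# Constructed response resembling a WordPress 5.6 front page behind Apache and
# PHP (the stack the Tenet box in the video shows). Values are made up.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.6" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<link rel="stylesheet" href="/wp-content/themes/twentytwenty/style.css?ver=1.5" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.2" />
</head><body><div id="root" data-reactroot=""></div></body></html>'

# Read a raw response (headers, blank line, body) on stdin and print one
# key=value line per technology or version it discloses.
fingerprint() {
  resp=$(cat)
  # Headers end at the first blank line; strip CRs so CRLF responses also work.
  headers=$(printf '%s\n' "$resp" | sed '/^[[:space:]]*$/q' | tr -d '\r')
  body=$(printf '%s\n' "$resp" | sed '1,/^[[:space:]]*$/d')

  # Header disclosures: web server and language/runtime banners.
  printf '%s\n' "$headers" | sed -n 's/^[Ss]erver:[[:space:]]*/server=/p'
  printf '%s\n' "$headers" | sed -n 's/^[Xx]-[Pp]owered-[Bb]y:[[:space:]]*/powered_by=/p'

  # HTML disclosures: CMS generator tag, the jQuery version carried in a ?ver=
  # query string (the "really old library" hint W3Techs shows), WordPress theme
  # and plugin paths with their versions, and the marker the React Developer
  # Tools look for. Simple single-line matches; real pages may need more.
  printf '%s\n' "$body" | sed -n 's/.*<meta name="generator" content="\([^"]*\)".*/generator=\1/p'
  printf '%s\n' "$body" | sed -n 's/.*jquery[^"]*ver=\([0-9.]*\).*/jquery=\1/p'
  printf '%s\n' "$body" | sed -n 's#.*/wp-content/themes/\([^/"]*\)/[^"]*ver=\([0-9.]*\).*#theme=\1 \2#p'
  printf '%s\n' "$body" | sed -n 's#.*/wp-content/plugins/\([^/"]*\)/[^"]*ver=\([0-9.]*\).*#plugin=\1 \2#p'
  printf '%s\n' "$body" | grep -q -e 'data-reactroot' -e 'react-dom' && echo 'react=yes'
  return 0
}

# Fetch a live page you are authorised to test and fingerprint it.
# Needs curl and the network; -i keeps the headers the check relies on.
fetch_and_fingerprint() {
  curl -sSi --max-time 10 "$1" | fingerprint
}

# Offline demonstration on the constructed response.
printf '%s\n' "$SAMPLE_RESPONSE" | fingerprint
```

On the sample it prints seven lines, from server=Apache/2.4.41 (Ubuntu) down to react=yes. Note that wpscan does the WordPress part of this far more thoroughly (it knows the plugin and theme version files), which is why the video reaches for it on a WordPress target; this script is useful for the first look at an unknown stack, and as a quick self-check that a site you maintain is not leaking version strings it does not need to.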
Info
Channel: Ryan John
Views: 32,255
Id: 27s49iO4J4k
Length: 96min 26sec (5786 seconds)
Published: Sun Sep 25 2022