codingo_ Shares His Recon Approach Using SecurityTrails, FDNS, Whoxy and more!

Captions
Yo, man, what a fail. I came in hot today, I forgot to turn my webcam on. But yo, what is up chat, how is everybody doing today? Hold on one sec. As you all know I'm a little bit behind today. There we go, much better, now I can see my face. All right, listen, my bad today. I thought I could run my errands before I go live, and I did the beat drop, I did everything right, and then I forgot to turn my camera on. This is going to go on YouTube. I'm not gonna live this one down. Thank you so much for that sub, Mercy, you know it's been a while, I haven't seen you in a while. Mouse Glove, thank you so much, I appreciate both of you guys for those times of service.

All right, listen, I have a jam-packed schedule today for you guys. Not for me, I mean my day's busy, but it's not about me, it's about you guys. Today I have my good buddy codingo, Michael, joining me in just a minute here, and we are going to talk about a few data sources and we're going to compare them. From what I understand... I don't know exactly what's going on, I'm leaving it up to codingo to help us out, we're going to figure it out together. But let's see how this is going to go. Before we do, as always, if you're watching this on YouTube and you want to come watch me live, I'm online every Sunday, unless I go on vacation. Every Sunday I'm live around 11:30 a.m. Pacific time. And thank you for that hype train guys, thank you so much. Solo, I appreciate you, sub for eight months. All right, so I'm up every Sunday at 11:30 a.m. Pacific time and I bring on a guest. The chat picks the target of our stream, so if you want to be a part of this, if you have a target, you can come and throw it in the chat. Speaking of which, throw your targets, this is the time right now, chat. If you want us to run it against a target, give them to me in chat right now, type them up, throw them in there. I'm going to put up a poll and
we're going to do some recon and see what we find. So this is your chance, throw them in the chat. Who do you want us to see, who do you want us to go after this time? We've done the Department of Defense, we have done Snapchat, we have done Shopify, so give us a big target, someone that has a lot of assets, so we can look at it online and see how it goes. MH, thank you so much. Ox Prototype, thank you so much for the tier one sub, I appreciate you so much. All right, throw them in the chat, this is your chance right now. Throw... man, I can't talk today. Throw in those. I can see Venmo, Facebook, Google. I like Venmo. Red Bull, Instagram, GM, UK government, Tesla, Bitdefender... why Bitdefender? I mean, Red Bull, Verizon Media. Hi, oh Joe, how you doing? Red Bull, Red Bull, Tesla, Flipkart, what the [ __ ] is Flipkart? All right, so I see a lot of PayPal and Venmo, so we'll do this, we're gonna go do a poll. Hold on, we're gonna do a poll and we will do... well, I'll wait actually. So from what I see so far I see a lot of PayPal. Hold on. Who should we hack on? All right, so we have PayPal slash Venmo, I saw Tesla, I saw Red Bull, who else? Hold on, I gotta open up my chat real quick, I can't see chat anymore. All right, give me some more, chat, who else? I did Tesla, I put Tesla, Red Bull, PayPal and Venmo together. Netflix isn't too bad, I'll do Netflix. No Verizon Media, not because I don't want to do recon but just I feel like we've done so much of it. And I'll put Facebook and IG together. Okay, those are the only choices for today. All right, votes are up. If you would like to vote you have five minutes starting now, and I'm going to jump over and bring our guest for the day, codingo, to the stream. TikTok isn't that big, I agree, TikTok is, unfortunately... it's big but it's not massive, I don't think. I think, but I don't know, we'll see. All right, let's go and bring on our guest.

Hello, hello, how you doing man? Yeah, good, not too bad. So I understand... is it super early for you or is it super late? Uh,
today, 4:30. Usually around there, so not too bad. Wow, this guy, damn, you're a machine, man. I get that a lot. Holy crap, because you were messaging me earlier and I was like, did he move to the US somehow, like what happened? Yeah, I was there a lot pre-COVID, but yeah, definitely a lifetime different. Yeah, it feels like a lifetime, it's only a year ago. Yeah, it's crazy to think a year ago, about a year ago, I was headed to San Francisco. Tomorrow would be... I would head to San Francisco for BSides, RSA and BSides. Yeah, I was there for that. All right, well, we won't make it this year. How are you doing otherwise, man, outside of not being able to travel and, you know, missing friends and co-workers? No, I'm good, I'm excited for this, I think it'll be good, I've got some stuff prepped. All right, give us a spiel, what are we looking at today?

So I want to touch a bit more on SecurityTrails. I think Patrick did a really good job on that, so I'm not going to go into SurfaceBrowser, which is the query engine they've got. Okay. But something I've been wanting to do for a while, and the suspicion I have, I thought I would just work on this: it is the comparison between the $500 a month and the $50 a month API on SecurityTrails. Yeah, this is on SecurityTrails. Okay, so there's different tiers of the APIs. I'll break down as we get into it what each tier does, because the $500 a month API is one I used for a couple of years and I got a lot of success out of. Yeah, however, right, there's another one? Yeah, correct. Okay, well, I don't think you get too much extra viability out of that, because you get reverse WHOIS from the $500. But because it's so expensive I want to also cover another service called Whoxy, which does the same thing at a cheaper price point. So it's... it is different data, worth comparing both. We can save recon into independent files as we go, then do a
comparison at the end, because I haven't actually done this comparison. I've learnt a lot on SecurityTrails, I've also ingested Whoxy, and I've never gone and checked how good each of them is independently, and I suspect Whoxy is pretty good for the price point for a lot of people to make use of. Then we can throw in... I've got a subdomain takeover tool that I've finished that we can flick public today and talk about, have a play with, because I haven't given it a run out anywhere yet, so that'd be fun. And with that one we've got data.

So far it looks like Netflix today is in the 80s. It's the one I can't do, I triage it, so I can't do Netflix. You can't do anything, you're not making money from it, right? Like, can you still do the data comparison? I mean, I get the part that you triage on, I don't want to push it, but if you're not finding any vulns, we're just doing subdomain enumeration. How about this, we can release it on Twitter so people could use it, if you can't release the data and you're out of the hot waters. Maybe, I don't know, do I call Casey? We can just get him approved really quick, give Casey a 6 a.m. phone call. All right, what have we got? Venmo and PayPal are second. All right, chat, I need you to start voting for Venmo so we don't wreck this. [Laughter] Everybody go vote for PayPal right now, use your channel points, let's do PayPal instead. What's up Justin, how you doing bud? All right, we'll do... so people asked Venmo, I put PayPal and Venmo together, but I assume since we're going to do WHOIS data then we can look at PayPal and then we can find more Venmo stuff and then we can dig into Venmo itself. Yeah, correct, yeah, because we'll cover domlink and some other stuff that'll cross boundaries, that'll be good. So, well, it looks like PayPal won. I appreciate that, saves me... says we have enough. All right, figure that one
out in post. All right, well, that works. Let's jump into it, chat. We're gonna look at PayPal with codingo, again, so we're gonna look at different tiers of SecurityTrails and we are going to see what we can find. All right, let me grab you. Used 20k points for that, Jesus, dude, thank you, I appreciate the channel points. But all right, I'll bring up his terminal. All right, chat, let me switch over so you guys can see what's going on. I have to move myself so you can be visible, hold on, let me see if I can do this properly. There we go, I think that's much better. Nope, why can't I hide this bar, that's annoying. Nope, don't want to pin you, want to pin this one instead. I just want to show you somewhere, but man, I really don't like the layouts on this thing. Let's do sidebar maybe. There we go, I just have you in the corner this way. Okay, it's kind of visible, kind of not really. Oops, let me try it one more time just to see if I can change the layout to put you somewhere else. Spotlight, nope. Sidebar, man, I don't... oh no, that doesn't work, I'm on your face. Yeah, I'm going to move myself to this. I want people to see you also because of what you're doing. Always, let's see, this is where we do things live, chat, this is why I do things live. And I'm gonna move me down so you can be visible, and everything you're gonna be doing is going to be... I'm gonna put myself back here somewhere on the bottom right there. Just keep in mind that most of the stuff that you have is going to be not seen if it goes to the bottom of the screen. Yep, yeah, I've got it on the left, so I can just make sure I don't cut everything off. Cool, let's get to it. All right, so first things first, let's bring up chat. Let me know if you see the screen properly, let me know if you can see us and hear us. I think you can still hear us properly, but let us know if you can see everything on the screen and we'll get going.

All right, so we'll start with Trails because it's the best one. So I do, I will add at the
end of this SurfaceBrowser data for PayPal, because I saw this was covered previously. I don't want to go too much into SurfaceBrowser. Let's get pricing. Surface Discovery or SurfaceBrowser? SurfaceBrowser. So that's the query engine, the new stuff they've got, it's pretty awesome. But what I want to cover today is the API. So most people, when they use amass or subfinder and they set up their keys, they'll set up a free key, and they miss a couple of key value points. The key one is this one, this reverse DNS searching, which isn't in the $50 a month. So there's WHOIS history in $50 a month, but Professional, which is the one myself and I know a few other people have made use of, has reverse WHOIS and WHOIS searching. So I want to see if there's a difference between this $50 a month or $500 a month that would justify it. So I've got keys for both so we can query both, I just have to remember which project it's in. Okay, cool.

So this is microsubs. So versus doing this in subfinder or amass and using a source directly, we can do this in microsubs, which is basically a library, a repository I'm starting to build to allow you to access services directly, so you can test similar to what we're doing here. You can run an experiment and say, okay, I want to understand how good is Shodan if I'm using my Shodan key, you know, what kind of results am I getting, am I getting value paying for that versus paying for VirusTotal, Wayback archive, to work out where you should distribute, because there's a lot of benefit in buying keys and buying the right keys. And then the other side of this, I'm trying to make libraries here that people can bring into their other projects, so if you're wrapping up recon you can bring in independent sources if you want to. So before we jump into it, could you do me a favor and Command/Control plus on the font a little bit? How's that? There we go, perfect. And then let's clear it out. I'm going to try
and move me again, because I feel like people are going to not like the fact that I'm right under your... yeah, I'll put myself a little bit more over here. There we go, this way your screen's open. Okay, we'll make it work this time. Cool, so we're doing PayPal. Yeah, so before we do that I probably just, hang on, I'll do it below to make this easier. Yeah, anytime you want me to take you off the screen I can just switch over, just let me know if you want to check it, make sure your keys are there or whatever. Okay, let's make a folder first. Just to recap what we're doing: we're going to look at PayPal through SecurityTrails, but our focus is mostly around their API versus doing the web browser stuff. Okay, yeah, and I'll add the other data later, I think, if you've got SurfaceBrowser. So SurfaceBrowser, the reason we're kind of starting here, it's another $500 a month on top of everything, so you've got your API at $500 a month, then you've got SurfaceBrowser at $500 a month, so it's a pretty big sting. And so it's worth seeing, you know, what can you get from the API, is that maybe enough for what you're doing versus wanting SurfaceBrowser, because people at different stages of their hunting will have different budgets to apply to this, right? Absolutely, which is why we'll cover Whoxy as well.

All right, so first things first, we'll go... this is a pre-compiled Go binary just for Trails. Okay, is this open source? Yeah, so this is, I'll put it on the screen, it is. So this is microsubs, it's a work in progress on GitHub at the moment, there we go, and I'm slowly adding sources. So I don't have Whoxy in here yet, I realized today I need to come back and add Whoxy, so I'll cover how to use domlink instead of using something incomplete. Okay. But I'm adding Go, C++ and Python for every single source that I can, so you can come in, pick the language you're familiar with and experiment, essentially. Okay, so the goal
isn't to replace amass or subfinder, you should definitely still make use of those tools. The goal is for understanding what's happening, you know, under the hood with your sources. It's important to know which sources do what, which I hope today kind of highlights a bit. So we'll start with paypal.com, and we can come back and we can rerun this when we get subdomains and such. And config, let me just, I'll paste in my $50 key. And if you haven't used tee, I'm sure tee's come up here before, but if you haven't used tee, tee allows you to still receive the results of a binary in the terminal but then also write it out to a file at the same time. So this is the... well, I cannot type past the microphone, it's really annoying.

And now, all these lives do go on YouTube. They go on a little bit later than usual, but eventually they make their way up to YouTube. I'm still a few weeks behind, but it's also because I take breaks and I want to give you guys content from when I'm away. But they will definitely be on YouTube, you can re-watch these and look at them again on YouTube later on.

So we'll go via httprobe or something else later. So one thing to keep in mind with a lot of these sources: you get a lot of results that are no longer working, same with Rapid7 DNS, Whoxy will be the same. So usually what I like to do is write everything out, and then we'll cat star, pass it through httprobe and get just the resolving assets. So we'll create a separate file. Do you prefer httprobe versus, what's the other one, httpx? Uh, well, I haven't really dug into httpx yet, so it's kind of a force of habit. It's worth doing it, like it could be better, I just don't know at the moment. And of course, I know, sorry, I patched that, that is not a key leaking on the screen. Yeah, I forgot, I [Laughter] was about to... just technical difficulties, take us offline. I did it, you can see I'm forked off the main branch, I did patch that out before. Okay, all right, so if someone grabs that, good luck. So now we'll
go the same again, but we're going to use the $500 API. So we've got the $50, we've got the $500. Do me a favor, can you add a word count at the end of the command, just so we can also get a count maybe? Or we can do it at the end, right, because if you do that then I don't... yeah, we'll do it again, okay. Also not a key, reporter crowd. [Laughter] It's not a real key, chat, let's behave, come on, it's not reproducible. All right, so I'll just open underneath, so we'll go to the word count. So you can see now the $50 for example (I didn't actually set up a free key, I really should have done that) has 2174, and the $500 has 2004, actually is less. So that's interesting. I'm not sure if... see, this is where I need time to look into that, and I'll try and get an answer before we publish this. I mean, I anticipate there's going to be more accuracy in the $500 due to that. Yeah, I was going to say, it's either older data or they probably have looked at it to see if there's any dead records. I don't think they would do that though, right? It could just be that there's better attribution happening, because you've got reverse WHOIS, you've got WHOIS history. Can we do a diff? Someone in chat is saying, can we do a diff to see what's the difference between the two? That's interesting, to see what's really missing between the two, right. It does look like it's better accuracy, actually, because these are a long tail, like they're very, very long domains. Okay, I haven't hacked on PayPal so I don't know a lot about their asset space, to be honest. Yeah, I feel like the stage ones wouldn't... that's interesting anyways, where I test up here, it shouldn't be accessible, right? So they've probably done a better job of giving you cleaner data on the file. Okay. The good thing about Trails is they're in bug bounty for a few other places too, they're pretty good at answering these questions, so if you were like, hey, what's up with this, I can probably get a
pretty clear answer on what's happening there. German, if you're watching and you're in here, can you let us know? Because he might even be watching, so who knows, right? If you are watching, let us know what we did here. But all right, so we did the two on the $500 and you did one on the $50 one. Okay, so then we can compare with dnsgrep as well. So I've got a dnsgrep set up, so we can add another source and we can compare Rapid7 data to Trails data. Then keep in mind Rapid7 does have a lot less accuracy to it in my experience. And we could also recursively run some stuff with Rapid7 that's a bit better. So there's two ways that you can use the dnsgrep database: you can go for a domain, so you can go to paypal.com, or you can search just top level, so we can just jam general data, and they probably wouldn't do that with something like PayPal because there's so many subdomains that people set up with PayPal in the name and you'll just get a lot of garbage data. It's better to do that with something a little bit more specific. So I'm going to forget my man files, so we'll close this. So paypal.com, and let's see, config.json, and tee. Sorry, I'm trying to make that not cut off, but it's probably going to a few times. So if you're not familiar with dnsgrep, dnsgrep is a project on GitHub, I'll bring that up real quick while that runs, because that will take a while. DNSGrep, that's by Sam, right? Yeah, okay, yeah, it's a really neat... so the Rapid7 DNS dataset is a really, really good one. Hang on, I'll drag that out, I'll bring up Rapid7 too, it's worth covering why. You can see, though, this will be a lot less accurate, Trails gives you very actionable data. Do you use Rapid7 regularly yourself? Uh, I do, I think it's staled over the years, I think it's still good and I do find assets there I don't find elsewhere. I've poked around Red Bull recently and found some stuff in there that surprisingly wasn't in
other places, largely because with dnsgrep I'm searching less for both target spaces, so it can help you to find, you know, like employee websites that are stood up for single events and things like that that don't have tight attribution back to the main asset set, where Trails does very tight attribution, it'll be through WHOIS data or acquisitions or something like that. So it can be useful to find things that you're not going to find otherwise. It's a question of time, is it worth the time? When you're deeper into a target, I think so; if you're doing your first pass, probably less so. I mean, there's the effort. The update was two days ago, so it seems like they're regularly scanning, because it says in the corner "last updated". So you can get quicker updates with a researcher account. I'm not logged in at the moment, but I do have a researcher account, so I tend to get every two days regardless, so I'm getting very quick data, and it's worth applying for that with a good reason. Yeah, this is partially why we did recon.dev, that Rapid7's... yeah, because it's good data but I want daily data or even like on-demand data. Yeah, and a lot of this, you need to resolve everything and you lose a bit of time in that, whereas I imagine recon.dev is doing it better. We could scan the cloud in under two hours. That's epic. That's really the entire internet in like eight hours, I think, nine hours, entire IPv4. I'd love to see you and Trails on a call talking about this, because I've spoken to SecurityTrails about how they're doing it and it's just fascinating. Yeah, to be clear, this is not me plugging recon. I use SecurityTrails, I use Rapid7, I even use Sam Erb's thing, and then I use recon.dev. I go to recon.dev because it's the most current data, but it doesn't mean it has all the data for me, it's just the most recent data that I can get out
of it, especially on like a Tuesday when people are spinning out projects, and on a Thursday, Friday when they're doing more stuff. Definitely, or like end of quarters are good, I find you get a lot of stuff where it's like employee events and things like that. So yeah, so we've got Rapid7, you can download it but it's 20 gigs, it's text flat file data, it's not very easy to consume. So erbbysam's made this project, dnsgrep, that essentially pre-builds a binary search tree of the data, and it's got an experimental (it's called experimental but it's been around in experimental for a long time) API endpoint here that you can run on your server, or you can consume the ones he's got. Yeah, he's got a line, like a hundred gigs a month he's pushing through that too, it's pretty wild. Like, props to him for running it publicly, because I think he could have stopped at the GitHub project but he's still standing up instances for people, that's pretty awesome. I agree. So if we go back to the... I should just shortcut that. Hey, could you zoom in just a few more, please? Thank you. Right, yeah, so there's 4063, but if we go through httprobe we'll see that come way down, which is worth doing, I think, just to highlight. Do you think this is also unique, or is this not unique? Well, I don't know, this is where I want to do more work comparing, so that's part of why I started building microsubs, ultimately. So Adam Foster, I've been talking to him, he's doing a blog entry at the moment on comparing these keys. I've been doing this myself too, I want to put a video at some point showing the different value of different sources, because I don't think it's fully understood and I don't fully have the answers to that, which I don't know where I'd even get them without doing the research. So yeah, I was just curious to see, if you do a cat for dnsgrep.txt and do a sort -u, is it gonna change the count for it or not? But let's just go ahead and
run it through. Oh yeah, okay, so we can just do... yeah, it does. Down to... so should we write it out? We'll write it out, yeah, that's why I was doing it with cat. If you do it, yeah, you'd write it out differently, yeah, true, and then just pipe it. Oh, I didn't drop it. Actually, no, just do a cat, and then do a sort -u, and then wc for it. I always do it in vim. This is why I don't use vim, chat, this is for example, I'm kidding. No, no, I didn't drop it. Okay, cool, so it's the same amount, that's impressive. Okay, yeah, I imagine dnsgrep probably cut it in that case, yeah, it probably has that in there. Without actually digging into it I don't know, but interesting.

Okay, so where else do we want to add a source? We should probably do Whoxy now. Okay, Whoxy will be a little different. So this is Whoxy, it's a sketchy-looking website for a domain source, but part of why I want to cover Whoxy is because, like, Trails is good but it's expensive. Reverse WHOIS and WHOIS history is really where the strength of that's coming in, so it's good to have alternatives to play with. So you can see the price point here is pretty good, so I think I've put in like 40 bucks, 20 just ahead of this, so 20 into domain WHOIS and 20 into reverse WHOIS. And it's a pretty easy API to consume. I haven't added it to microsubs yet, so I'll cover a project called domlink, by, I think, vysecurity wrote it. Let me check that. Yeah, there we go, so vysecurity made this. It is broken at the moment, there's a pull request here to resolve it, so you should go for this version by woot and set that up, just because the current one, it's not using the API properly, it seems to have changed an output source and it's breaking. I didn't dig too far into the why there ahead of this, I just realized it wasn't working. So chat, if anyone's got the link, it's vysecurity if you want to drop it in the chat. Yep,
I'll just put it here for a minute as well. Which one was it? I did not... I don't know, I just didn't cap it off. All right, so let me pull up notes, because I haven't used this tool very much, I've usually written Whoxy in directly. Okay, so as a fun project, if you wanted to maximize value, use domlink as a base to automate using Whoxy recursively, so it's a bit of a manual process to do this out of the box, but there's value in exploring how he's implemented it. So paypal.com, I think there's an output flag here, we'll see. Whoops, now there is an output, cool. We'll just call this whoxy.txt. It probably isn't going to have domains in it, we might have to do some cleanup, I don't actually know what the output's like, a little out of my depth on this tool, I haven't used it enough to absolutely fail. Yeah, it's so cool to see it live, you know. Yeah, I figured that... I had no power last night and that's when I was gonna dig into this. Yeah, it's all good man, we can dig into it live, we have a little bit of time, that's it.

So personally, for yourself, when you're doing your bug bounty hunting, what tools do you rely on? Like, what is in your toolkit, like five of them that you would use regularly, not just content or asset discovery, like what are your go-to tools right now? So the kind of frustrating answer there is a lot of it's my own stuff at the moment. Because I haven't been hunting as much in this role, I've been rewriting and cleaning up my toolkit, prepping for it. So I'll show a couple of things that I'm using, I'll try and flick public what I'm using today, except for the DNS brute forcer because it's still fairly new, broken-ish. Well, I want to fork DNSCewl, which I'll show you today, it is a DNS wordlist creation tool, so it's a wordlist tool specifically catered for
subdomain wordless um i want to fork that into dns brute force to have it all in one tool so you could pipe in your results do your permutations and your brute forcing all in one tool um so that basically what this is doing when you run this it's going over the waxy api and it's worth actually running in verbose mode uh for one principle reason when your api keys exhaust there's no feedback if you don't have verbose mode running in this that was one gotcha i had because i didn't realize my keys ran out until i checked device that makes sense so so it'll give you a prompt there's two there's two keys so the one key there's two different credit types on the key um so you use the same key but the two credit types are reverse who is and who is um history so so assuming that's attributable to paypal which is because they yeah so we shouldn't use it so that's that's a hard one right because like they used to be part of ebay they made a big deal about not being a part of the ebay anymore so i wonder yeah i just want to check because it might still be on paypal.com because it has to have got this from somewhere so what's strange although i could have got it from who is history so that could be what's going on too because this could have been there for three years ago right yeah correct yeah no it's still there it's still the tech email which is going to be frustrating no that's paypal that's people yeah yeah so it's not so we don't want to use that so what's really cool about this tool is it's going through the who is history of this domain to look for other emails to see if you want to also search that on who is history yeah so it can be like say ebay still existed in paypal and you wanted then to find attributions of ebay it's going to do that so if we said yes here it would find other domains that are using hostmaster ebay.com as well as host master at paypal.com and give you a more complete set so unless you creep out your who is history which is semi-automatable but 
you can see in this case like this if you automated it you might end up with a false positive so we'll say no we do want to search host master at paypal.com that's a [ __ ] yeah i remind that one yeah so what it'll do it'll search and i could be wrong on this this is how i've used block c so i'm assuming it's doing it this way it's going to search all of the attributions of domains with this now in reverse who is and who is and then it'll look for other emails in there reverse who is history to see if we can bring those into scope as well and we can creep this out further i mean this is really helpful for like a company like grinds and media or google right when they go through their history email addresses and just pull i had a i had a ton of success on verizon media doing this and looking for like i i found a ton of sub domain takeovers and it's hard to find subdomain takeovers in there these days um this was two years ago which it was still difficult at that point i feel so um just because it's not something that a lot of people were using then i think more people use reverse who is now and who is history now but i don't think woxy is really fully something people jump to immediately because as i could be wrong about this i don't think that waxy is in the mass yet um i don't know i could ask um we can ask i'm sure i can um we can push jeff to uh it's worth it i couldn't i'll probably try and do it uh so we probably jeff is really good at implementing things quick ooh what is that sent out paper what s-i-n-t-l would stand for is what i want to know security is it security intel no i can't be so it's let's look it up let's do it who is on let me see if i can i don't want to open up my terminal and okay i can open up mine without taking over yours yeah i'm interested to see what that domain is i've never seen sintl paypal but they match that was last updated today i know that who is it it was okay never mind yeah yeah no i didn't hit it get a match maybe it doesn't 
resolve oh my bad um yeah that's interesting i almost want to bring it into scope just to see what else we get because we can always just cut out things later as well yeah i wanted to see where they're posted to gtldservers.net yeah that one looks like a little bit sketchy i wonder who owns it though i wanna this is where it's worth if you implement Whoxy writing your own tool with a bit more verbosity so you could see how that was attributed as well because that's one thing i do find a bit frustrating here is we don't actually know what that stemmed from right which doesn't allow us to really understand um you know what's behind it well how about this i just did a whois on venmo to see who it's not registered that's interesting yeah i mean venmo is hostmaster@paypal.com so i'll just skip it dude even there even acquisitions are yeah it's just that i think it's a fault that's not for sure that is one of their domains but it's not an email so we can just skip it right well we so the reason you check it if it's one of their domains it's going to go reverse history looking for other emails or other points of attribution so if it is one of those domains we want to include it let me check i'm doing a whois on it uh it is there so it's also admin email it's hostmaster@paypal.com so yeah yes this is really good this is interesting how it's doing this yeah it's a cool tool and i don't think it's had a lot of a lot of attention um but it's a good like quick barrier of entry to using Whoxy um so you do need a key for it i pre-configured obviously because stream of course yes see i don't know paypal space i really it's usually usually everything paypal dash is there so it's in their scope everything paypal dash star is there yeah let me i should bring it up it's theirs too i looked at it it's theirs every time a domain pops up i literally just type it in on my left side so i can help you out a little bit too i have paypal dash written down just so i can type it in and
help you out being a yeah i mean i'd probably be usually google talking around this as well looking at yeah cool um that's for sure there's you know looking for write-ups and things like that as well it's uh yeah my favorite go-to for like passive recon is looking at um open disclosed phones on HackerOne like when you go to approach yeah yeah go look at reports and grab the domains someone should write that into a freaking tool at a post from disclosed reports on activity if you're watching this and you want to write a tool i will donate twenty dollars to you to write this go to HackerOne slash program slash activity read every report for that company and pull domains out i'll i mean i'll i'll i'll match that if someone wants to throw a source in micro subs so if you make it 50 bucks yeah yeah so we'll just go to the dashes we'll bring them in because it's i mean paypal's one of these where it also gets interesting because you can get similar to netflix and others where people stand up their own domains around it they're false positives but uh this is looking not too bad largely because it's using whois so my question is is this going to pull every domain or is it the ones that it's not sure if it belongs to paypal because most of these are pretty much looking back at the same uh whois email right so why is it just i'm trying to understand why is it really based on domain not the email address if we said yesterday yeah so the reason it does the domain is it's then doing reverse whois history on that as well so it's finding domains that are associated with that email and then it's asking if you want to recursively run the same checks so so we're basically going through recursive loop at the moment and it does use quite a few queries so um 20 queries gets you a really long way for an asset space like you can do multiple assets with that but you need more than that if you're doing Verizon Media for example right of course so like you can you can still consume it i
mean for history's sake how much have i spent on this um well you look chat let us know what you think of this so far um i think Whoxy seems to be a good place when we come when i come back to doing actually some streaming and recon we can implement it in our day-to-day just to have something that pretty much pulls domains for a company and then indexing it and uh using it later on what do you think i've i've used about 500 bucks on this over time it's actually cheaper than i thought that's not too bad and that's doing a pretty wide blast yeah that's pretty big that's theirs too for sure yep yeah cool yeah again just to be clear right now what we're doing is we're going after paypal paypal has a pretty wide pretty wide scope but doesn't mean everything they own is in scope of their program but things like paypal prepaid objects gifts community anything paypal dash seems to be in their scope as well which is really really helpful right because i've always wondered with one of the things that i did with recon.dev because we can do wildcards was always doing paypal dash percent sign dot percent sign which is cool don't get me wrong like it does the job but this is a little bit better it's less ghetto i feel like so there's different ways of doing it but this is very helpful to you know have a tool do it for you yeah is there a way of just giving it y for all of it i wonder yeah so that's what i was saying when you script it so um the real power i think here is going over dominant looking at the implementation and then writing it into your own tool um which maybe i should i did that with hakluke so i'll chat to hakluke and see if we can publish that because i don't think he'd have a problem with that but i'll have to check when he's up because you can automate to a point but then the other side of doing that is you will get some false positives so like ebay you know um so you it's good for your like source data and then just before you hack on something
checking scope yeah so and the other side of this like attribution is important and it i feel like getting better information about attribution is important like we would want to know how this was found if we didn't know paypal dash was in scope we'd want to know how it was found as well right so that if we did find a report and we could tie it back to the defined scope so do you use um do you use Farsight i haven't actually it's Trails Whoxy Rapid7 and then you know i've i've inserted sh and stuff like i paid for a lot of the main main ones but i'd say the ones that i've paid for that i think gave me the most benefit was probably Trails for sure and then Whoxy as a secondary and Trails because it doesn't paginate you would blow credits pretty quick um a good pro tip there if you have the 500 a month subscription is you can email their support and they'll give you the data so like Verizon Media for example um you would blow your whole monthly credit on that with a 500 a month plan but if you email them they'll send it and you explain why like you they're really good i would just email them say hey i'm doing bug bounty hunting i want all of vcm um and they just sent it back to me and that's good you know yeah well otherwise otherwise it gives you monthly credits on it and you're paying a lot for it so there's a there's a benefit to having the higher tier subscription because you can't do that if you're on the free api so yeah someone in chat saying Farsight's like 10k here um it is it's pricey i don't know if i like your data to be honest there's some really cool stuff you can do with their api um i personally i used to be a big fan but then you see some of these other ones that are cheaper and they do a better job of giving you data then you kind of question if you want to stick to it or not right yeah i mean that's Trails was always worth it to me Whoxy was always worth it to me and i think Whoxy if if you were starting out i wouldn't jump to Trails if you're not
like i would start with Whoxy because you can like this is twenty dollars above you the Trails was 500. so honestly even going Rapid7 route for free if you're just starting out wouldn't be about it yeah but if you have the twenty dollars now you know you if you if you wanna if you have the extra cash of saying i wanna give up a weekend of going out to drink or ordering food for twenty dollars for a month of credit then absolutely do it because it's not that expensive x.com is that them probably not that's really interesting though but i wonder why from one of these so one of these domains has um maybe they had it at one point uh that's GoDaddy no interesting oh probably a uc mel or something right or uh yeah that's right or they've yeah probably just um whois masking they've just used to be owned by them really no chances exactly home used to be mine what was do you know what they were using it for so that's that's where the reverse whois history comes in right which is really useful why would you change the name right that's so much cooler online back bank by Musk fricker pain at home in march 1999 holy crap that's so much cooler i'm disappointed boston yeah that's not paypal's not a better name imagine just typing x.com forever yeah x.com easy that's like a mad flex just one letter Elon still owns x.com that's really dope okay oh we should have had it it was with GoDaddy screw doing anything to do with GoDaddy um even though they're just the registrar but yeah right uh yeah okay this is what this one's included yeah so it is a bit slower than i expected i probably should have pre-done some of this that's good yeah we can run some other stuff but that happens so we can do something else while it's doing i think it's going to take a while yeah so much paypal stuff i wonder what it's actually um let me see what our uptime is we've been live for 50 minutes almost time dude holy crap okay let's start comparing them a little bit yeah so that's pretty high i
mean what i really want to do is get uh each of these we'll go through httprobe so we'll start with um Trails 50. okay right there we go uh and we'll just tee so we can you're gonna give it any concurrencies oh it's only a couple thousand though yeah it's not too bad um we'll just keep call it yeah i feel like x.com will be used for SpaceX for sure yeah yeah that makes more sense cool i should put that through word count too we can always i can always come back and run this after and we can call that too if it's going to take too long so it looks like it's a good place to do so if you're going after a bigger organization like Verizon Media Google Facebook whatever right it's a good place to go to Whoxy pull every domain from that do the reversed historic data from it and then feed it to SecurityTrails or whatever other data source certainly if you don't want to pay for SecurityTrails so sh whatever um pulling domains from it and going there i haven't done it but i reckon you could make a fork of this using Trails as well because it's basically just you it's what it's leveraging is the reverse whois in the whois history which if you have the 500 a month you can make use of so if you there would there would be value i think in forking this to use Trails for this absolutely yeah a bridge between the two be really cool yeah yeah there's definitely room there to uh expand upon it but the base idea is awesome right like just allowing you to essentially feed and and process as you go does uh Trails not offer historic data on whois they do but i believe only if you're paying for the higher let's probably oh so it's more and more okay that's smart yeah finding hacker's gonna hack find a cheaper way of getting that data and then going back to them um so you can see historical whois searching oh yeah no it's on the 50.
i know i'm sorry yeah it's on i've reversed dns yeah oh the reverse yeah yeah so do we have to pay 500 a month but i mean you're saving 450 by not doing that right yeah i think the data's whoop there we go that's an interesting one we crashed out hopefully i had streamed to the file as we went i checked that before so okay that's good so this is why i use tee everywhere because a a lot of tools still that we have don't stream data and then when they crash you end up losing it but we have a list of the domains above it at least it gave us a good um understanding of how it works let's just so if you're interested if you're watching this chat you're interested in doing this with Whoxy um that tool was by vi security vui security go through the github repo pull it put your Whoxy api key there by the way uh michael your api keys leaked um oh really yep i just switched Trails no for Whoxy and the stream fantastic yeah i hid your screen right now you're not on screen anymore but so it's it's very cool though right you go and pull data more and more and you just uh use the you get a foundation of what domains they own when it comes to a company like paypal and you can start once you have that data of every domain date on especially if it's in scope but google for example this is really really cool to go do it on google i'm sure you're going to need like more than 20 to do it on google but you know moral of the story is you get a list of everything they own and then you start looking at okay i want to start looking at this acquisition or i want to use this whatever weird domain that i found or whatever it was um so it's a really really cool tool i'm going to bring you back on there we go yeah i'm cleaning the i'm cycling the key i put you back on but i just want to make sure you knew about that no that's good i appreciate that it's um i was so careful with all that building a vm and everything no it was a stack trace that came out of the the error that came up from the oh
fantastic all right so now what we're doing is we're going after the uh the results from the 50 SecurityTrails output and the 500 one and we're running httprobe on it and then we're writing it out but it looks like there's already like api-3t that wasn't on the above one that's in here m.paypal wasn't in the 50 one that's in here yeah unless it's sorted separately or differently well they cut i don't know if they stream in the same order too that'd be interesting oh that key is gone too so people are saying httpx httprobe they're the same tool i feel like yeah i need to look into it i haven't actually poked around httpx but um it's on the list of i don't know i just i get habitual with some of this stuff so um it's on chat crunchbase kind of uh i don't think crunchbase is very good i think Trails is done um like looking at SurfaceBrowser um acquisitions it in my opinion is such a richer data source than crunchbase i've started to question the value of crunchbase but i think crunchbase isn't really a good place for domain it's a business right like it's a business yeah it's just acquisitions and it lets you see what acquisitions have happened which is a good point to find you know more domain space to look at but i think there's better ways to get that data so it's very expensive too crunchbase isn't it i don't actually know what it costs yeah crunchbase i think it's a good place for just business ideas not it's not so much for hacking versus or security or something like that right there was a time where everyone needs to say to use it i think jhaddix was a big fan of it doesn't have to be a big big ah yeah yeah yeah so it's i mean it's actually not that expensive it's 29 a month you guys are trolling today everyone's like httpx would have been finished by now i didn't i didn't bump threads and stuff though i should you guys play too much yeah we'll just we'll just run these and then we'll clean it up we don't need to do everything i'll show um the duke concept then
first so my question for you dude do you have a budget for your monthly data sets that you pay for yeah so i i actually kept pretty much yeah i have a pretty big budget for this stuff um and so a lot of my hunting i put into paypal and i just i kept a lot there and particularly likely because u.s australian dollar is pretty bad i've just hoarded us dollars there um and i would reinvest a lot either in that or another thing like a lot of the PentesterLab giveaways came from um just bounty money just it's uh it i call it the discretionary fund if i see something where i'm like oh i just want to play with that or i want to like before this i could go and get a 50 a month as well as have the 500 a month there to have a comparison to play with um worth noting the 500 a month you can negotiate a yearly amount you don't have to pay 500 a month so if you email Trails you don't know if you can only do it in december um but they do an end of year promotion and you can essentially get the whole year's credit instead of paying 500.
i don't remember how much cheaper it was though that's uh i have a keyframe security i just haven't i haven't hacked in so long that's just sitting there now yeah i mean it's i'm not doing it as much lately i'm mostly writing stuff at the moment that's why i'm not using httprobe versus httpx um when i was most active httprobe was all we had um so it's you know it's changing but which is good i will i'll go through we'll just run these two and then i'll go although there's two thousand and maybe we stop them we just come back to it so i might just take the domains we've got okay um because tee streams so we've got these already i'll finish this recon this afternoon before we publish anything so it's complete um just so we can so what's next you have all these domains what do you do next uh so next i would permutate them for brute so i'd go to dns brute forcing next and so i would take so these sources are good but mostly sources there's more you can find if you dns brute force i think this is one of the main areas that people miss out and before i do that i'd permutate them so i'll do a simple version of what do you use for um i i have my own tool for that so i have um i'm surprised no one's commented on me using opt and not properly structuring my head i've got such a bad habit of still doing it years later um so i'll just pull i'll do a simple one so DNSCewl it's on this one's on github okay uh um is binary okay so this one's on github it's uh work i did with sajeeb and luke when we were hunting a lot um to allow you to do different things so you can permutate the input of domains to different approaches so for example i have wordlists with um aws hosts so every aws is like us1 us-west-2 there's a couple of programs that are private that i can't discuss but i'm sure people watching this will have a reference point where that pops up in uh the domain name so you can see like there'll be domain dash us-east-1 dot so on and so forth so by permutating it and
then checking the rest of it i can see you know what is um are there other regions hosting different content essentially okay and so i can and then i have other things you know such as like in here you'll see um there's sets so there's the aws zones for example that's not up to date you'll need to refresh that if you do it but you can that's basically what i'm saying is if there was this dot paypal.com i can run a set with DNSCewl and generate the rest of them to check and just see you know is there is there another region worth looking at um likewise i have non-production hosts so if there's a you know is there a qa dot a dev dot a development dot um giving me different things to check so it's quite useful for that so we'll do we'll do a simple example just for time's sake um and i'll i'll expand on this later but so you've got your list uh let's just say we'll grab the resolving one um we'll prepend it with sets non-production hosts we'll just prepend it oh i don't actually i won't use the set i'll just get dev oh why is this doing it to me i can't remember what i'm doing this is where being tired is horrible ah sorry it's prepend list sets non-production hosts all right so you can see it just does oh it's because i didn't clean it up first which we should do in yeah you can just grep out of it too yeah so that's it the amender you can see the essence of what it's doing so what we can do is we'll clean it up first so we'll go documents paypal all right so so now we'll start at the end so we'll go remove the https yeah p slash slash and we'll say one two g i think that'll i love how you do the one two i have to do it in my head every time too and with twenty five i know i know cool all right so now we can do this all right so you can see it'll do a variety of permutations not just dot it'll also do like dash or it'll put it right before it because you never know how that's going to appear right yeah um i would normally save this output and
then re-httprobe or re-test or just brute force with this so my goal uh is essentially to take this and expand upon it i'll show you i'll show fastsub actually so this is not released um so fastsub is same again all right this project not being released is a little bit more clunky so this is a dns brute force so in C++ essentially i don't like massdns i think it's slow i think it doesn't do things the right way um and this is a way of doing that i think a little bit better and i've just been really reserved on releasing it because it's in C++ and i'm self-conscious about it fair enough you know yeah it's probably got a heap of stuff that people be like oh i can ask you if you run this the other thing i've got a good resolver list there's a project on github that because i'm going to use that here so vortex and i wrote this project called DNSValidator which makes a dns resolver list so you shouldn't use 8.8.8.8 if you subdomain brute force for example so uh you just run it you install it you run it and you i mean you'd obviously want to look through the help to see but i'll let it run to show the essence of what it's doing it ingests a large 30-ish k list of um dns hosts creates baselines with Cloudflare and Google and then you can see like this one's got poisoning so fun fact about a lot of those lists of dns um a lot of those resolvers that you find on those public lists actually have a lot of things in them that intentionally poison results for spam and otherwise and it gets really interesting in that so the error is actually that it's come back with something so um it gets really interesting in that a lot of those don't poison 100% of the time they might poison for an hour a day so running DNSValidator in a cron job allows you to come up with a clean list for example so like for example here let's just what can i get i have 10 000 results so i can yeah and they're all clean so they're um vortex has run a cron job for
ages and he kindly sent me this the other day because my cron job had stopped working so um i blew away the box that it was on without licking the box on there i hate doing that hey it's i've done that more than once um so essentially it allows you to maintain this list so you should never run DNSValidator once you should iterate it because every time you run it you should yeah yeah every time like you just pass the same list in it'll continue to refine your list i mean there's ten thousand there if it cuts two every time you still got a lot of longevity there um it's just that it's worth having a clean list um and it's it's frustrating how many bad dns resolvers are out there so if we then take that list so we go resolver resolvers right so we can take that into here and i also have and this is worth doing for i'm just gonna close that all right i also have see i hate doing things live videos are much easier i don't know how to do that you use it afterwards enabled and it's not toggling with okay all right let me keep doing that too every time i control c too oh there we go it's just the buffer stuffing up or i'm an idiot and don't know what it's doing it's probably that it's something to do with terminator um so i have my own wordlist and so a whole variety of ways that i've generated this uh so i've got my aws zones for example poc passwords is just 50 wrong passwords so when i was a pen tester you've often got to do you know password checking i can quickly do it that way uh xss fuzzing i don't think xss from a fuzzing technique is very good i tend to mix it in but i think xss should still not be tested that way uh coupon codes is a fun one i don't think a lot of people explore but you can brute force coupon codes sometimes and find some like easy wins from testing um really i should say it's it's mostly there because as a pen tester i had to test for that i don't tend to do it on bounties because and then the one that we can cover after is
impactful files so i scraped um a lot of write-ups on on HackerOne and i've merged in my own stuff over time i pulled um for different project types uh the top items on github to find what i believe are the most impactful files that i want to test with so i would do a first blast with that and then come through and do my others i do have Detectify and some other wordlists in here probably should remove that before this but as a cool trick that is ethically questionable and you have to decide where you align on this i put logging on subdomain takeovers so then i can see what wordlists other people are using which has allowed me to refine my own lists and my own techniques um that's one where i think it's a bit of a gray area so yeah and for people asking for the list the list is something that gives me benefit i intentionally don't publish this i the main reason i highlight this is to highlight the value in crafting your own wordlist for giving you more more leveraged impact um yeah so we can go wordlists um also if you're looking for a wordlist you know i scream this every time start with SecLists that's a base oh yeah definitely start with SecLists jhaddix g0tmi1k and um Daniel Miessler that is they've done a really good work a really good job of that and they maintain it really well it's actually um my first point of call when i find a new technology is to see if there's a SecLists list for it so if i'm on something and i figure out django i'll go see if there's a django wordlist and i'll run that um just because you know you never know what else is going to be there so should you i guess the essence you should the hakluke dumpster diving um is a project hakluke and i did together where we merged a ton of log data and we cleaned it up into something useful um so it's a really good a really good pass i really should have cleaned that repo before this yeah it's all good dude yes Assetnote wordlist i haven't dug into that since it was published um but anything shubs
touches is gold so i've looked at the jsp and php files it's been very very helpful i highly recommend it too it doesn't help it doesn't hurt to have multiple sources right like combine them clean them up use them to your advantage it doesn't have to be a one sort of wordlist so just just one more time before we wrap this up what is the subdomain brute force short what is that in the end ah fastsub so that's not yet published no i'm saying what what's in that file is what i'm trying to say oh okay well well it'll it'll show anyway wouldn't it um like what's the description for it it's just a series of common subdomains to brute force got it okay so it's doing this again to me i need to work out what that is after this because i'm really embarrassed that i don't know what i did and what it's doing um paypal so let's just go resolving because we don't want to brute force a ton of other domains and it'll essentially just brute force out so yeah so no extra data so we after we permutated everything sorry after we ran the brute force short we didn't find extra subdomains off the back of that so a little frustrating but that's essentially so i'm going to publish this at some point um i want to merge this and DNSCewl together so i want DNSCewl that you can essentially just do all of that in one big hit so you could pass your wordlist do your permutations and just do everything in one big whack um and i think when it's at that point then i'll release it so um would it help if we just did no that wouldn't help to see if we could give it a fake list of like paypal root subdomains and trying to some but it wouldn't make sense cause probably i'll probably move to i really want to show duke while we got time okay so i will let me flick this public while we're doing it um i'm gonna push you off the screen if you don't mind just in case i give you some yeah that's the time to do whatever you got all right so so far we talked about pulling data from different sources we kind of
compare them but because it's such a massive um target it makes it a little bit more time-consuming to get all the data we want but still it's cool to see like you know if you wanted to pay 500 a month to SecurityTrails you could have gotten this data for whois but instead you're paying 50 bucks you're saving 450 dollars you take 20 of that go to Whoxy get the same data and you just build a bridge between the two and um later on you can use tools like tools that are resolving subdomains in this case what codingo was using was his own tool but there are a ton of open source projects that you can use um like massdns was one of them you can resolve create permutations subdomain brute force each environment and look for more data so there's a ton of different ways of finding all this data it just comes down to works what works best for you i personally don't do a lot of this especially if i'm looking at a target passively i don't stick to a target anymore for longer than a few weeks or a few months maybe and i don't dig in that deep but i know a lot of hackers who are going after big targets like Tesla Netflix Verizon Media this is where it becomes really really helpful because you may be spending three weeks to find a bug but you find an rce on this really really weird domain and it pays you 15 20k right so it's worth the investment but it just comes down to what your style of hacking is and what you're looking after i'm taking a step back personally from recon i'm i've realized that because i do recon on sundays i've gone burnt out on doing recon on my targets that i hack on so now i just pick single apps and break them apart i don't even do bug bounty i do pen test so i'm really focused so i'm not losing my base skill sets of hacking because i'm spending so much time on recon i was talking to this one like years ago i was talking to geekboy and he said you know us recon guys go down the rabbit hole of recon and we forget that there's also web apps to test
we try to find those like test folders and weird files and we forget our actual application to test and that's something that i remind myself regularly um let's put codingo back on screen yeah i double click on that actually i guess the the thing to highlight and you'll see it through the toolkit i've got is i tend to uh so i just saw fastsub being asked for in chat too it's not actually public yet it will be um the the way i used to hack is to basically grab a program and just stick to it and just get to know the team get to know how i could create impact like if i if i spent time escalating an xss to an account takeover i can now reuse that on every subdomain takeover to make it higher impact every xss that i've got once you've got those payloads or that understanding you can really leverage in um and i i've got a lot more value doing that versus mass spray recon yeah so which is also like when you're paying for these keys and things like that i you still mix in other programs to make the maximum of your your key credits but i used to always have like my favorite um which i can't talk about because it's public but there's one that i did nine P1s on an old program just going deep um with tricks like this so it's pretty helpful it's just uh you gotta realize like early on is it worth investing all that time and effort to do all this when you haven't been following your first bug yeah exactly very very true um what i'll cover is i'll cover this because this is kind of on the same thinking of picking a program and really understanding it so duked uh i've flipped it public now um there isn't a binary in releases yet i'll go through and i'll add that later there is build instructions if you have um a bit of a C++ understanding you'll know about Boost you can get Boost from the Kali stretch Boost repository uh apt repository i can't remember but you can also you don't have to set up Boost this way if you don't want to i believe this won't work on Kali very
cleanly actually because of the pathing um but you can get it through apt if you want an easier path so you could go uh install install boost then do cmag cmake and make and skip a lot of the other stuff ahead of it now you will need to get clone submodules there so i'll expand on that later this isn't i i decided on saturday this would be a good place to release it fully prepped for that um so the concept of duke one thing that's frustrated me for a while one thing i wanted to solve is the way we think about um tracking assets and tracking subdomain takeovers so subject subover malik's takeover all of those they're really really good but they use prescribed lists of checking for specific subdomain takeovers and because of that you miss any sort of edge case um if it's not an s3 bucket or something all of those edge cases get missed and there's different ways that have solved this um i'm trying to remember there is one that would show you dangling dns without it but the the essence of what i've built here is a tool to allow you to track the state of domains so and i'll elaborate there if we go all right so if we run dukes we pass our old resolvers list and then actually we can just the easiest way to show this sorry i'm just thinking yeah we can do this uh it may break on me i hope not it's uh we are lives if it does happen we'll fix it later so bearing in mind i just flicked this public uh why is it still ah there you go every time i cat all right let's it's really embarrassing that eh all right documents engagements uh paypal wasn't it yep all right so we'll pipe it in we'll go to dukes we'll do it live rock bot thank you for that stuff and drop now thank you so much for that twitch prime sub i appreciate it so much is duke like dnsx i don't think so i haven't played let me have a look at dnsx i think mike there's something in the chat asking about it what's the play no ah it's got the same foundation but i actually did look at this project because i want to 
mimic and i'll obviously actually i want to mimic how they get rid of wild cards there's some really slick code in there for that so i did look no it's not it this is different this is a new this is a new idea i think someone can correct me if i'm wrong um but i believe it's a new idea all right so what it's doing at the moment ah no no no no no that was wrong i always forget my that's using a lot of tools due to it it happens i'm getting tired how would you just how would you describe duked uh let me let me just show you the output let me re-run one that i did it'll actually be quicker to rerun that so what duke will do it'll run and it'll capture into a json file let's all right so what it'll do is it'll run and i ran this on bug crowds assets space for context it'll run it'll capture the domain all of the dns information around it and the contact link content length and it'll save it into a json file right so you can then rerun this at any point and it'll tell you differences so things that have changed so you can go cat and it takes standard in for example um i need to clean my flags up which is most of it and it'll re uh it's file type as negative f1 uh because with standard in you can't pick up the file type you do need to specify okay so standard in just streams the output you can't actually pick this up as far as i know you can't pick up but it's jason easily on it i could be wrong about that without building a ton of wireframe i don't want to so what it's going to do is take the previous job that i ran re-run it and then see if there's any differences so the benefit there if you're tracking paypal right you've tracked 2000 domains in paypal you save a duke file and so just the name for interest there's a guy if you want to give him a bit of a let me bring it up because i have asked him that if i can name it after this i want to give perspective so there's a conference in brisbane called krakicon really awesome conference um duke runs the ctf and one year 
he put all this work into the ctf and the dns didn't work and so because duke's pro primary idea behind it i added the content length and other areas later the primary idea behind it was to track dns state changes so the idea is if somebody changes the cname it's going to let you know or if it goes dangling it's going to let you know so if something changes about it you want to know so if you know dev.2021.paypal.com cname changed and it became live this will let you know because you would if you've captured it before so you capture you can see it saves a date on it so i can rerun this in two days and it'll say okay you know acid infra treated by credit.com cname change to this and it'll essentially let me track state changes between it so i'll create a duke file for paypal it'll take a while to run okay um but it'll also allow you to this this whole thing again filter you you can defer http request to the end as well if you prefer there's a couple of different reasons you'll want to do as you get into it you can filter different drifts in content length so content length being the size of your http response and this is where i have to do more work on this because with wildcard events and dynamic pages there's still some false positives coming back not enough to have justified not releasing um but you can say when you rerun it show me content links that have changed more than a thousand for example and one of the yeah well it also makes sense for sub domain takeovers because sometimes things don't go dangling they still return a 200 response but it's the default page so like i think shopify used to do this they had like a default one so you could say okay if the old content length shifts by more than a thousand i want to know about it so i can investigate it so that'll help you find subdomain takeover cases where the dns hasn't gone to a dangling state because the service has added that defense of hosting a default page and instead of giving it a prescribed list of 
subdomain takeovers it's highlighting what should i dig into and what should i look into so it's essentially a local way of storing the state of your domain space so you can say look i'm tracking paypal i want to track all of the dns responses in the flat file database all of the content links so i can rerun it at any time and i can come back and get it so very cool i think there's a cool idea is this um is this published already i published it today so i haven't i'm going to do a video on how to make better use of it i'm still building it but i've made it public today because i didn't think it would be fair to present that as an idea and not do it i think others will make this idea better i think the idea is good but i could see project discovery finding an even better way of doing it um so i wouldn't be surprised i wouldn't be offended either um i wouldn't be surprised to see this idea grow but the principal idea is instead of um instead of just tracking subject and sub over and just looking for stub domains and having to continually expand your database storing it and growing it and and finding new subnet takeover types like there might be one in a thousand subdomain takeover you find because it tracks the content length and you found a default page so i think it's a better idea um and that's not to say the old ideas were bad we needed them at the time it's just it's it's innovation i mean yeah yeah of course yeah cool and someone will take this and find a better thing again for sure like it's it's a good starting point but i do think there's a lot of strength in expanding upon it like i've got filter by content length there must be other ways to filter that i haven't thought of in here like i've thought about adding you know different searches you could do in the content like for copyright flags or just having a regex search and things like that so the the expansion to here for example would be to pass in a secondary database of regular expressions you want to 
search in the content like whilst it runs because you're already pulling the request things like that and i think it's you know um thinking deeper about what you're crawling not just looking for oh we've got domains let's look for subdomain takeovers with a prescribed check so one last night on duke someone said it looked like it might be private on github um someone said it may be looking private i'm not sure i'll probably i thought it was just a hotel sorry sorry sorry sorry i do do you play chess probably sorry i played poker for living for seven years yeah we talked about that um poker is harder than chess fight me no no i was gonna say i would play poker but i don't have the setup for it but maybe we should do that it's also not legal in either of our countries to play poker online for money anymore no no we're just going to say the friendly match what i do is i play chess with the viewers afterwards that's why i ask a few players i can't invite you to play chess but i feel like poker i know how to play but i don't i'm having played a strategic game i know i would be terrible um cool well chat give it up for coding this was really helpful um there was some really good stuff out there like the permutation and dns stuff that you were doing is really really cool it's good to see some tools come out of it the link for duke is in the chat now but that's it this was another episode of live recon with codingo check out the tools a video for this would go up later any last minutes any advice jokes puns word of wisdom that you want to share with us uh i'll put it i'll put some subs in we'll do we'll make it a sub race i love doing these i appreciate it it's uh one sec and make sure you guys uh go on twitter and follow uh codingo he's gonna be releasing some of these tools um there are some pentester lab links that he just dropped in the chat if you want to grab them click them out and make sure you claim them thank you for that awesome and yeah i will i will check out 
httpx otherwise i'm just going to get back i will make sure to look at that one today yeah make sure you follow him on twitter and you also have a youtube channel that i know you release videos on regularly so make sure you head over to youtube uh look them up i'll also link everything in the description of the video for when we go on um youtube awesome thank you very much awesome thank you so much chat give it up for coding i appreciate you man i look forward to see more of your work yeah we'll see you thank you very much bye right back all right that was it um we're not stuck in a loop i was saying bye to codingo i'm i'm working on some cool stuff for you guys give me a break all right listen as much as i want to play chess we played a lot of chess yesterday i don't really i don't have the capacity of doing chess i'll be back online tomorrow um maybe we'll play well maybe we can monday chess day i don't know we'll figure it out but i want to do go let me let me take a step back i do want to go and rate someone because i feel like when i play chess we don't um keep a lot of our viewers to go and rate somebody else so bear with me don't leave let's go support a new streamer um tell them what's up and support them so what we're gonna do is we are going to jump into someone's stream what i need from you all is to represent as loud as you can okay i want to tell you how loud hold on when we go into this new room for this raid i want you to scream in the homies with our emotes as loud as this as loud as this lady all right we're going to go on the represent show him who we are we're going to support him give him a follow make sure you hang out and show him some love let's get some other people recognized it's a it's beautiful to see hacking becoming a part of any community twitch streaming anything it's cool to see us um being here as a part of the streaming community so let's go ahead and uh raid i love you all thank you so much for hanging out with me this was really 
really awesome you guys rock i can't be thankful enough to have uh such a good community and everybody being so supportive i appreciate the crap of all the crap out of you guys i will be back again tomorrow for another stream i have the day off tomorrow um so if time permits and i finish all my projects in time today and tomorrow then i will be back live tomorrow at the same time take care i will talk to you all tomorrow peace [Music] you
Info
Channel: Nahamsec
Views: 6,375
Keywords: bug bounty, recon, hacking, ctf, oscp, STOKfredrik, thecybermentor, defcon, tryhackme, metasploit, zseano, bug bounty methedolgy, bug bounty hunting, pentest, red team, nahamsec, nahamcon, bug hunter, hacker, hackerone, bugcrowd, synack, owasp, owasp top 10
Id: NYG6cwL7xi4
Length: 92min 31sec (5551 seconds)
Published: Thu Jun 17 2021