HACKER RECON #1 - WGET, CURL, EXIFTOOL, DIG, HOST

Captions
All right, going live. Going live, right? I guess, Bettina, you're going to have to tell me if you can see everything. Awesome. And I guess you might have to come over here so I can see the screen too. It is a little bit laggy, though; it is not the fastest. Can you hear on the iPad? All right, let me... well, I guess I'll get started. Thanks for being patient, everyone. I appreciate all the support. I can't see the comments right now, but we got this up and running, and what we'll do is kick this off. You know what, I'm going to actually unplug a monitor. Bettina, can you unplug one of these monitors? That way it can stop the lag. Just this one? Yeah, I think so. Okay, cool. Hopefully this will stop the lag. It sucks; I mean, we've got a gigabit Ethernet connection here and yet it's super, super slow streaming. We'll do our best to get all the information out there. If it's super bad and we're just crawling, then we'll set up a different live, maybe on Twitch, and see if that'll work better tomorrow. I will rely on my wife to read me the comments, and we'll have to continue if it's too laggy.

So thanks to everybody for joining the class. This is one of many classes that we're going to have. Is it really bad? Okay, hold on. He did get rid of 1080p? Available, yes. Hold on, no, people are saying there's no lag. Hmm. Does anybody in the audience know how to switch to 1080p? Let's see. Okay, one second, hold on, I can change the output. One second. Okay, so the resolution should be changing. Oh, the bitrate, yeah, one second. Does anybody know a good bitrate to change it to? This is clearly not my specialty. Okay, "video output is currently active." Please don't... okay, hold on, I think I can... okay, hopefully that fixed it. Okay, three thousand, six thousand. All right,
got it. Okay, cool, thanks for the help, everyone. All right, I'm going to switch now. Yeah, one second. Let's see, so we should see a terminal now. It's lagging? Is the audio lagging? I think there's a buffer, though. Yeah, it's just the buffer. Sorry, guys, trying to get this going. I was using Elgato for streaming and that didn't work. If the recording quality is set to "same as stream"... okay. You know what, let's just see what happens.

All right, so we'll start by talking about specific tools that are really something we should get to know better than we usually know them. I know that I asked you all to install wget, curl and fish, and the Homebrew package manager. What's that? Yes, yes, thanks. Oh, let's see if that's good enough. Better? Okay. All right, so I asked you to install fish because this is going to help us complete the commands that we're going to send, just to even initiate a recon.

I'm going to start with something simple, though. In your terminal you have a command called host, and what that's going to do is give us several things. Actually, it can do it a little bit easier. Let's say host att.com. All right, now the two main IP addresses for att.com are going to be visible, the two main public IP addresses, and the mail exchange servers are going to be visible to us as well. Now, I know this may seem very basic, but say that we just want to get the IP address of a site very quickly; this is one way to do it.

dig is another command that we definitely want to use to get more information. Let me actually not go so complex; let's just dig att.com. Now when we dig att.com, we start to see the name servers here at the top, and then we start seeing the IP addresses for these name servers, so we can
actually see the correlation. We can see 144.160.36.42, and we can see again, yes, the same A records here and here, right? But it's not giving us as much information as we want, and this is where we're going to start digging in, honestly, just to get more information: what are the subdomains within the site, how can we see the link-backs within the site, are there links inside of code comments? A lot of these things are not too hard to find; it's just that we may not be searching for the right things.

I'm going to give you an example. Say we're going to dig att.com, but let's say we want to get the MX records. Okay, so this is what we had previously: when we did a host, we have the mail exchange records and then we have the A records for this host address. But say we want to specifically query for the mail exchange records, which is here. Now that's interesting, right? So what we need to do is start digging into: all right, what is this, what is this endpoint, what can we query from this? Okay, so now it starts leading us down a rabbit hole. We have another endpoint: from this mail exchange server we have another A record that points us to this IP address, and then we start seeing all these other name servers here. Clearly we're trying to find out who's even hosting the mail exchange servers.

Now, if you haven't used Shodan, this is a good time to get to know Shodan. What you're going to see is the IP address that we were looking at just a second ago, which is this mail exchange server for AT&T. We're able to get that A record; now we want to find some public information about this A record, and we can see that it does have port 25 open. We can see where it's hosted. Login? Oh no, wrong membership. Okay, hold on, let's go back here. Okay, so when we
start digging deeper into these mail exchange records, then we start to see there are a lot of endpoints for this mail exchange service, and it just keeps going and going. But what's interesting is, let's go back to see the endpoint that we have here, and we can see that this endpoint right here is the same A record; it points back to the IP address, and it does have port 25 open. Now again, this is very basic stuff, so we haven't learned too much yet. There are a lot of different rabbit holes that we can go down, but what we are understanding is that there are all these different connections that AT&T has.

So what I'm going to do is a curl request on att.com. Let's run that again. Now we can see that this just looks like a mess, right? We're pulling literally the index of att.com, and it's way too much to go through: finding link-backs, some endpoints, maybe a CDN is somewhere, but it's just kind of ridiculous to parse through it. So the tools that I made actually help. We're going to stick with att.com. What we're going to do is get all the URLs from a page. What you'll be able to see here is that just on att.com we found some interesting stuff: some endpoints that, I guess, without writing code would just take forever to get to. We can see att.com/ecms, and it seems like this is where they're holding some JPEGs, PNGs maybe, and we can see, of course, the scripts, which is normal. But what's interesting, even in this, is this endpoint right here: what is this endpoint? And of course it looks like they're using a third-party service for their API, which is something that, if you start looking into what is initially
like, know your target, right? This is the point of recon: what is the first thing that stands out that's a little strange? Even this metrics one is interesting. So if you're doing a bug bounty, you're trying to find out what smetrics.att.com is, and we get nothing from it. We get nothing, but it's interesting because it's still something that came up. So let's just see: we know that it exists, but for some reason we can't actually see what's on the page. So let's actually see; what I'm going to do is curl smetrics.att.com. Okay, so what I've just done here with curl is check how long it takes for the DNS to resolve and to actually have a connection. This is super important, because although we don't see anything, imagine this is exactly what you would do: if we open the inspector tool, go to the Network tab and just reload it, we should see the time it takes to actually load the page. We do have, you can see, the headers, we can see the cookies. Now, initially I wouldn't spend too much time on this, because it seems like I'd have to dig pretty deep in order to find something on this specific endpoint, but the point is that the same thing that's in this inspector tool in Chrome, we do in the command line.

Now, why is this important? I mentioned that I was doing a bounty for... ah yes, sorry, I'm actually going to just take myself off video. Oops, yeah, okay, I should be gone now, because it's not important to see me. Okay, so we'll go back. I mentioned that I wrote a program that actually checks for the Apache Range header denial of service, and in order to have a full denial of service we need to be able to see what the time is from the
beginning to the end of the exploit, and I wrote this entire thing in curl on purpose. Okay, so I'm going to load up the code, and of course I haven't committed it or pushed it to the repository, but let's see if I can make this bigger. This entire payload is sent by using curl. What I'm going to do is show exactly what it was doing with this, and I'm going to exploit a program that... well, let's see how it goes, but I want you all to see this live and happening in real time. Again, the whole point that I'm talking about is curl, right? And then this is actually the latest curl request that I'm making, specifically so we don't have to deal with all of these different metrics here; it just gives us one metric. Oops, let me go back.

Okay, so let's use this endpoint. Let's call it just an endpoint; we're not going to talk about who it is, what it is, anything. We're going to use that. Now it takes 0.6 seconds to actually load this endpoint. I'm going to run it again, and now we're getting 0.26 and 0.25, and it should be very consistent. There can be some anomalies there, because this is redirecting, and so that may give us something that's a little bit strange, but it should be every third request or so; the server is probably correcting itself. So we're pretty consistent, minus this one. Now I'm going to open up a virtual machine and actually run this exploit. Oops, switch accounts. And you're going to see how powerful curl is. This is my point that I'm trying to get through to everyone: if we can use curl and wget properly... oh no, I'm going to get locked out of my own cloud. No, I was actually setting this up for
everyone later so that you can test this cloud. I'll make this bigger for you. Here we go. Okay, so I'm in an Ubuntu machine inside of a virtual machine that I've made. Anyone that signed up for the class will have their own instance and will be able to test all my applications. Like I mentioned before on Twitter, you'll be able to test this out on your own, so all the Siphon Tools and anything else that I make will be here, so that you don't actually have to provision your own devices or machines.

Okay, so I ran this exploit here, and what I'm going to do is run it for you right now. What I'm doing right here is running this exploit 200 times. I'm requesting just little bits of information at a time, which is what this exploit is: the Apache Range exploit is a denial of service, constantly asking to download the rest of that part, essentially. So we're grabbing just a little bit of that content, downloading a little bit of that content; it's a partial download. So we do a curl request to download a PDF. Again, this is still on curl, and it will stay on curl and wget and a couple of other tools in this session. But when I run this exploit, you're going to see what happens. I'm going to let it run. Again, I'm running it 200 times, and you're going to see that this server starts getting slower and slower and slower. Now, if we ran it two thousand times, or five thousand times on 500 computers, then at that point, I mean, good luck saving that server. You have to find the vulnerability in order to
stop the exploit. As you can see here, the request that I'm sending is actually requesting just partial content, and so the response code is 206. I'm actually just requesting the content range; the range of the information that I actually want to pull down is specific. It truly is a range of numbers. Now, this is very important to understand, because imagine: if you ever started downloading a file and it stopped, and you come back and say, well, it didn't finish, you would see "click here to resume", right? But how is that happening? How is it that you can actually resume that file? This is what the exploit is doing: it's resuming that file, because the server thinks that, hey, you haven't finished downloading that file, so you can keep coming back and downloading that little bit. But you keep requesting just a tiny bit of that content, a tiny bit of that resource, and you can extend that out. I think my wife explained it best: it's like you're downloading one pixel at a time, and if you're talking about 20 megapixels, then you take that pixel and you can slice that down even more, take that pixel and get the fractions of that pixel, and the fractions of that. All this is done with curl.

So if we can actually query a server and say, are you protecting your content to the extent that you either redirect this request or block this request? You shouldn't be able to query a server like this; you shouldn't be able to download content like this, because what happens is, again, you overload the server with requests, and that causes a denial of service. And that's just one denial of service; we can go into a DDoS if we have multiple machines running
this script. Hopefully I can size this back down. Okay, I don't know what happened. All right, so the script is done now. I saved the output, and you can see that this is the range and, of course, the date, so this is range dos 3. Then what we're going to do is actually cat that. You can see that everything started out okay: 0.2 seconds response, 0.30 seconds response, and then we start getting worse, all the way up to 5.9 seconds response, just from sending a curl request. That's it. Five seconds, I mean, even at this point... if we go back over here to the... I think I took that away. Let's see. Yeah, all right, so now even at this point you can see it's still trying to recover. It looks like it's now back to normal, but with just a single request there's still something happening here: you can actually see 1.76 seconds, when before it was just a little bit off. Something's definitely happening. And again, on the server side we need to figure out: is there some sort of inode that needs to be flushed? Is there an intrusion detection system or intrusion prevention system deploying agents? That could actually be what's causing everything to slow down. But the point again that I'm trying to make is that the final request that we sent took five seconds to load a page. Now that's a big deal, and there are a lot of sites that have this issue. Again, I can't wait to... I think I'm probably going to post it later on, but the custom range that I wrote is actually very simple. So again, the tools that are built into Linux are really great. I know this is about recon, and it's all going to flow together,
and so the seq command is a sequence: if we want to create a sequence of numbers, or a sequence of letters even, to send an exploit, this is a great way to do it. What I've done is write this one-liner that actually creates 4,500 sequences. So let's say the range: I'm taking the number five, and I want to take from the number five to 4,500, a range of data requests; I want to download data from that number range. So I wrote the code to create this range.

There's one thing when it comes to recon: looking at what other people have done is really important. Looking at other bug bounties that have been won, the publicly disclosed ones, there's nothing wrong with it. I was reading this hacker's bug bounty that he was wanting; it took him a while to prove this out, and I thought, you know what, I can do this better, I can make this faster, and I can put this out for everyone to use. Let me see if I can find that hacker so that you can see this as a reference. Let's see, HackerOne. Let's do "hackerone apache range". Okay, yeah, so I believe this is the one I was reading. I was actually impressed, and I saw the range that they were using, but the thing is, it was too slow, and the range needed to be extended. Now, I'm not saying this is not... clearly it is a valid disclosed issue, but again, this is hard-coded. Nothing wrong with it; this was a proof of concept. But my goal is to put something out that is not going to be hard-coded in this sense. Now of course the user agents and the headers, we can make those dynamic, and I actually put in the code that I want to make sure that,
in the future... let's see, yes, so I need to make an array with the different user agents and to send the payload. But I want to always be very honest with everyone: all the code that I write is 100% original, but there's nothing wrong with getting your inspiration; that's why GitHub exists anyway. Getting some inspiration from someone that's done something right. Okay, now this code: clearly it took them quite a while to get this disclosed from when it was reported. And I don't know if it says how much they won, if anything really, but this is something that is very tough to prove out, and I think that's because the programs that we have out there don't do a good job of showing you how to do a proof of concept. So with that said, we can actually see, hopefully that'll download, so we can actually see the output results. Yes, towards the end of the exploit it started getting pretty bad in terms of how long it was taking for that server request and response, which is exactly what we were seeing on my end with the code that I wrote. But again, this is something to understand and note: this is all done with curl. Now, this exploit wasn't done with curl; I wrote mine in curl, with a curl request, but it can be done many different ways. That's what I'm saying: when you're inspired by something, you may think about it in a different way, and you can write it because maybe you're familiar with it. But yeah, this doesn't use curl at all. All right, let's go back. Oh, and then again, the last comment that I put in here is future predictions based on the data that's coming
out from this exploit. I believe that server admins and network admins think that they have this covered, but the fact is that you can always request information from a site, and I believe that we're still missing something when it comes to securing how we can actually request the information.

All right, let's go back. Now I'm just going to cd into a desktop, make a directory, and we're going to call it hack recon, cd into the directory, and we're going to pull some things down. Generally, let's just take... gosh, I think, oh, GoodRx, yeah, their public program on HackerOne. Let's pull everything down on GoodRx. Well, let's see what we can actually pull down. This is just a really easy command with wget: we're going to do wget -m and then we're just going to put the URL in quotes so that we can... oh, that's forbidden. Well, that's good; if it's forbidden, good for them. All right, let's do Yahoo, or, you know, let's do Netflix. Okay, so I guess a lot of people have stopped these kinds of requests, but we can do things a little bit differently sometimes. Let's just see what we got in here. What happens when we do a wget is that it actually creates the directory of the domain. Of course I'm using fish, so I don't actually have to cd into anything; I can just type in the name of the folder and it'll get me in. It gave us an index and a robots file, so let's cat the index and see what's... oh, okay, there's a lot in there. Oops. Let's cat the robots file and see what's in there. Okay, so all right, this is interesting. For Netflix it says Disallow. Now this is always super interesting. Disallow what? I mean, from indexing, right? So don't index any of this. And I love these, I really, really
like these robots files, because we can actually go to these endpoints, I believe. So let's just try, even in a browser. Okay, so this redirected us twice, which is interesting, and it sent us to a not-secured connection. I know some programs won't allow these kinds of submissions, but if they do allow these types of submissions, then you can actually report this as a vulnerability, because they don't have a secured HTTPS connection. Now they're going to say, well, this is just an RSS feed, and the RSS feed doesn't have to be secured, but that's really poor practice. And then they're going to say, well, poor practice isn't a bug, and people are going to argue with you, but look, it's Netflix and they don't have a secured endpoint. This is not good.

Oh, the user agent, okay, yeah. Let me open up another tab. Let's see if Siphon Tools can get past GoodRx's block. And we did get something, yeah. So Siphon Tools is using a user agent when it's pulling down content, and so yes, that was a good point: you can get past these initial wget blocks. But yes, this is actually using wget; Siphon Tools is using wget to pull down all the subdomains and data and everything associated with the target.

Horrible story about GoodRx: the first vulnerability I ever submitted was to GoodRx. It was a critical vulnerability, and it was approved, it was validated, but GoodRx said, yeah, we knew about this before we joined the HackerOne program, and so they gave me a pat on the back and they gave me seven points, I think, for a critical vulnerability. And I thought at the time, I'm done, this is crazy, they're stealing my bugs. But it turns out that there's nothing you can do about it, and I don't know if they were or they were not, but five months later the
vulnerability still wasn't fixed. So that's really interesting. Okay, so all right, we're still all about the recon. Now there's a lot of information being pulled down with a simple wget, but we use a user agent, as someone suggested, and now we can actually pull down the files that we couldn't access before. Now, it's a good thing to understand headless versus headed; that's really, really important, even if you're trying to do XSS vulnerabilities. I think someone has actually done a headless XSS attack; I remember reading it somewhere, which was really interesting, but I think they were using PhantomJS to actually do it. But anyway.

Okay, let's check to see what we find on GoodRx here. I actually saw something come through. I love PDFs; PDFs are full of good information. So one of the things when we're looking at recon: all right, let's actually go to the directory, and let's open up GoodRx. Actually, let me open it up in the terminal so you can see it larger. I'm going to kill the application just so we can jump in and see what we find. If you have not downloaded the Siphon Tools, I do recommend you do that. All right, so some things: there are a couple of things, mainly nothing really, investors, but let's just see what we get. Looks like a couple of things. I use the tree command; I like using tree. We can actually do this again for everyone: tree. So brew search tree. It's a really nice way of seeing things from what you've pulled down; that's really useful. And so again, using the brew command, you would do brew install tree. Of
course, since I already have it installed, it's going to say reinstall, but the good thing about this is, if for some reason I'm not sure whether I have it installed or not, it's going to update all of the... what is it? Yeah, right, okay.

So let me show a more structured process for when I'm starting to hunt on a target with recon. Let me give you... there was an interview that I did with a security startup the other day, and I specifically told them that I do recon and then finally submit my bugs on the third day, which is true. I pull everything down and I read everything inside, as you can see here. You know what, I'm just going to show you my logs. I know it doesn't seem... I don't like to use vulnerability scanners much, only because they tend to give lots of false positives. So here, I'm going to show you the logs. If you want to see the latest, or even just a few of the logs, you can sort by the date even. So let's go with TikTok, right? TikTok, government endpoints, CarGurus, that was a recent one, Chime, Sony PlayStation, TechCrunch, Stripe. This is the first thing that I do, like echo b: I pull everything down, and I really mean this, because if we can't understand what we have, then we're going to be just attacking a target that's just going to block us. Even if we're in a passive mode, we've got to be changing our IP addresses so much, but what is it that we're actually targeting? I'm going to give you an example with... let's look at... okay, well, let's switch here. TechCrunch, I mean, let's see what TikTok has. Okay, it may not seem like much, but this is the thing: there is a lot in here. And then how do
we find that? So this looks like it's about pages. There's a directory, or business directory, there's some creators directory, it seems like mainly specific languages, and it just doesn't seem like there's anything here. But sfk, right? We want to just pull every single string from this directory. Now I'm going to give you an example. Actually, I'm going to do it not with strings out; so if we do this, and I'll show you how to install this after I run it, but all right. So now all that crap that you saw: I'm just dumping everything, I'm dumping everything, and people may say this is ridiculous, this is so crazy, but it's not crazy when I find something in these strings and I get a 600 payout because somebody left a document open that's editable to the entire world. Someone may criticize the fact that I'm literally dumping every single string in the directory that I just pulled. Now, what am I looking for? "api": only one instance. "key": nothing in there. Looks like, of course, "https", that is always something that is super important to look for, and we're looking for things that are, like, weird endpoints, right? And again, that's why Siphon Tools exists, because I wrote the program that actually does this for me, so that it will actually get rid of all this manual searching. But what's interesting is, say we have a JavaScript file that... you know what, I'm actually not going to use TikTok; we're going to stop with TikTok. I'm just going to give you a real-life, real-world example that I actually posted on Twitter the other day, and there was kind of a back-and-forth on whether this is actually valid. All right, I'm going to open TryHackMe. Okay, and we're going to find this. So you can see here this is part of the logs of the recon, and this particular file, now this
is not a bug bounty right it's just my own curiosity all right now so when i pulled down try hackme then i i found all these uh of course these endpoints and uh and that's where i was able to find a lot of information inside of of these endpoints so you brew install sfk right so sfk is it's a they call it like a swiss army knife but what it's able to do is it will actually help you parse through uh parse through data okay so if you're looking for a specific string in an entire directory like the one that i i i have is just like i mean you know you don't want to go manually one by one so you're looking for just a particular string um api right um maybe we're trying to look for that this is where you know in in this you know i would just say api all right let me and there's a lot and again this is the messy side of things but now we start to see uh some you know some some endpoints here and this is the part that may be frustrating to a lot of people okay it's um well why is it taking you so long to find something you have to be good at at a few things right now this is really interesting right here username password so you know this is um this is it looks like it's in a scenario like they're talking about brute forcing um you know is probably one of their um you know it's one of their their challenges right you can see um here right that looks like they're just using a uh you know using curl actually which is interesting um and looks like you they're you know deploying a specific you know virtual machine um and and then they're you know what's the answer for this uh you know what's the answer for this um you know question you know how they do uh with with try hack me um i mean to a point where if you just curled their entire site all the answers live inside of the um of the of the curl request that you're sending for that specific page because they're using ajax and uh it's all there now we're not trying to cheat on a test right that's not the point someone saying 
something but but um but that's the thing is inside of all of this um it's kind of a joke honestly right it's it's like well all the answers are inside of the code but we want to look but i get it it's a disservice to you if you're just cheating and looking at the code and finding the answers right but um the point that i i'm going to make here is all right so uh the end point so we did we can see let me clear this out what i was able to find inside of of of tryhackme.com where api endpoints that should not be um available because they and their information should not be available because they are private okay oh it should say private or see false free to use yes free to use okay so free to use and free to use false okay and these are all these uh so these are um specific um try hackme um ids and codes that are not free to use and uh you know had kind of a little bit of an argument with with someone not an argument really just discussion and twitter of them saying well this is this should be we should be able to see information you know we should be able to see restricted information now i'm going to show you right now um what i'm talking about so let's just do um burp suite which is my which is my example um so this code burp suite and the id so this burp suite is is a paid program on uh tryhackme okay is it free to use that's false it is not free to use so the argument that i was making and this was all from pulling down so i pulled down try hack me and i read through the code and i noticed that the way that they were they were malforming their api endpoints and they were not securing their api endpoints okay now so anyone can argue with me on this and be happy to do so but here's the point that i'm making so this endpoint was um something that i formed on my own um because i found this because i found this in the documentation so the room details not the documentation i'm sorry and the in the strings once i killed that but um hold on let me get back so this and 
i'm going to show you if you haven't seen the video on twitter yet i'm going to show you live right now okay these are the room details now i'm going to bring it up in the terminal i'm going to do a curl request again all right now what's the big deal okay um so let's let's actually i'm actually going to show you in a browser tryhackme.com and let me do incognito so i'm not signed in okay so not logged in as you can see all right but um let's just say i want to uh um i'm just browsing around and i want to learn about you know the burp suite so let's um go to i want to see where did i go to find that activities and i believe all rooms right here and then i'm going to type in burp and so this burp suite right here learn how to use the burp suite not signed in right there's 426 public rooms and this is a private room because whenever i click on it it redirects me it says the burp suite room is for subscribers only now we can see that worldwide there are 584 000 learners right and 426 public rooms except our burp suite is private all right and inside of the burp suite we can see that three there are 35 178 people have signed up for uh for this burp suite and that's you know at ten dollars a month um you know the there's the argument that was made was well what's the big deal it's i can see how many users are in there that's not the point right the point is is that because i pulled down every the tryhackme.com i was able to find inside of the code the malformed api and then i was able to actually form my own queries with the api right so it was a kind of a two-step process and it's just it something that didn't look right to me and then at this point right so we can see um you know this how many viewers you know how many registered users and then so i can even do another query and uh okay so that one doesn't exist let's see yeah hollow live spelled that wrong okay so this was a recent this is a recent uh program that that they launched okay now um it is a private 
program okay and um you can see that there's the free user account there's seven free users and minus one subscriber i don't know what that means maybe somebody left right they said i wanted my money back this is horrible or whatever it is and the actual creator of holo live room messaged me on twitter and said well you didn't you know you don't have any information this is you know this is uh it's whatever it's it's dumb this is stupid information that who cares about it okay because the private room now let's try to actually go to um so this is the you know hollow live um banner which you should be able to see it's actually this find hollow live all right so this is hollow so there's holo and then there's hollow live right so there's a difference so um if we go if we do over here rooms forward slash hollow or room i'm sorry okay it says the owner has made this room private okay so then room hello live redirects for subscriber only all right so let's go check out hollow see what happens just just hollow not hollow live rumors that owners made this room private um so we we can't see the information um about this room um but we can see the information about hollow live which is um private room as well really interesting stuff going on here again just curl that's it just curl and and this is again there's a lot of there's a lot of vulnerabilities out there like this right um and uh it may not be what you're looking for like i'm sometimes people just like tell me the answer what's the answer how do i get there but over time you're going to start realizing and you're not start noticing um that yeah this doesn't seem right okay i can tell you when i first started on hacker one i mean there was just you know i submitted that one vulnerability but there was uh i mean i think i had negative points even negative points on things and um you know there's you know i wish i could show you um i think i can actually maybe show you the reputation points um i'm not sure actually i 
don't want to get kicked out. But the point is: look, submit. Submit if you think something is off. Who cares if you're going to get negative points to begin with? You're going to learn that what you're submitting is maybe not a vulnerability, or maybe you'll get lucky and there is a vulnerability. Because this is interesting: there's the debate on Twitter about this, like, is it okay to see private information by running a curl request, because the API is not secured? Now there's many people that say this is not okay, and I think it's not okay, right. And I made the point that if a Google Classroom full of students, you know, children, if you could query that Google Classroom that's private and figure out how many students are in that classroom, is that okay? My answer is no, it's not okay to see how many students are in a classroom. If you're all over the world, honestly, I mean school shootings, how many bullets do you need, right? How many kids are in that classroom? There's so much evil in the world that we're saying it's not okay to know how many people are in your classroom; it's not okay to know how many people are in your program if it's private, if it's not supposed to be out in the public. And make the argument, right. When it comes to HackerOne, actually, I made so much of an argument for something, I actually got a Zoom call from one of the heads of security on HackerOne, and I wasn't letting a bug down, I would not let it go, and they finally conceded, and it's like, you know what, this is one of those things. They called it a functional bug. It's really strange. All right, so, gosh, I think we can go on this forever, but right, curl. We're going to pull, we're going to actually pull up a PDF, and I actually have one right here. Let's use the military for this one. Okay, so curl, minus capital
O, so that's going to pull down a file. All right, I love these PDFs, and then ls -ltr is going to give us the latest thing that we just downloaded, so at the very bottom you're going to see that Army PDF. All right, so what did we find in this PDF? Now this PDF, I believe, let's see, okay, so this PDF is approved for public release and the distribution is unlimited. So these kinds of things, there's lots of documents that are leaking, right. But the author of this document, this is where it gets interesting. There's generally one designated person that makes these kinds of documents, and they're designated to this. So this person, this author, if we look them up we're going to find who they are and then a lot of other documents they've made. And you'll see here, that's another PDF. Now this one's unclassified, and you can see where I'm going with this, right, this one's unclassified, this one is unclassified. Now it just keeps going, and this one should not be there, just straight up, this should not, guys. When you see "UNCLASSIFIED//FOUO", it means unclassified, for official use only. This is a live vulnerability, straight from reconning a PDF, live, 100% live. So this is the document that outlined specifically all these different, looks like bases, military bases, and yeah, so this is not good. It is a controlled document; you can see here. If anybody wants to report it, you can report it, and it is valid, this is a valid vulnerability. But there is a lot, and again, like I mentioned, there's specific people that write these documents. Again, the same person that wrote this document wrote the last one, and the problem is
that there's just pages and pages and pages of it. If you can find stuff like this, look, it looks like this one's actually more similar, or recent. These are the kinds of things that we want to report, though. We want to report these; these things should not be out in the public, they have to be taken down. But again, all because of looking at the EXIF data. So brew install exiftool, and you can even see how many pages that PDF is, it's 41 pages. So this is actually upgrading my exiftool, it looks like I'm a version behind, but this exiftool will look at information from, and I'll show you again. Is anybody saying anything, Bettina? Anybody saying anything? Let's see, someone said it's leaking from WordPress, yeah. Let's see, I mean you can drill down, right, I think someone was mentioning, so, well, it doesn't matter, because it's maybe WordPress and whatever. So look, when you're doing recon: site military. So now if you're looking for specific things, just here, site military, and then just the same name that you put in, then now you have a super valid vulnerability. Again, this one was unclassified, but the DoD is only going to accept .mil addresses. And there's a lot of other things too that you'll find. Let's see, let's type in quotes, and you'll want to use DuckDuckGo because Google filters out a lot of things anyways, but just, let's look, yeah, there's quite a bit. So I mean you won't hit every single time, but for example if you do classified, I think it was an unclassified FOUO document, now you've learned something about what kind of documents shouldn't be out there, and specifically in the military. So let's just go to DuckDuckGo and endpoints, right, so endpoints that shouldn't be available. It says this information is approved for unclassified FOUO data. Right now, if you can exploit these
things in the Department of Defense, that's a big deal, that's a really, really big deal, and those are everywhere, and all because you found, so, Space Force, this, and it says the classification of this, it says you need to actually have, so the security cred level of the site is UNCLASSIFIED//FOUO. So you're accessing a government site, you're not authorized to use it. Now this is kind of one of those things, it's like, I want to get in, I want to jump in this site, but you've learned so much just by looking at someone's name. You learned what document should not be out there, and there's so many things. And again, some people say, again, the Department of Defense is a way to learn, fine, if this is what you want to do and learn, fine, but AT&T is another good place. I got a bounty from AT&T, can't remember how much it was, but I did. I mean, AT&T, US government, doesn't matter, everyone has vulnerabilities, so it's what you prefer. I think it's interesting, these kinds of things, because I was able to find a lot of information about UFOs, UAPs, I was able to find a lot of information about propulsion systems, lots of stuff that was just floating around before the UFO/UAP stuff came out. So it's whatever you're looking for. Okay, so let's continue this part, and I don't know how long we've been going, but I want to make sure that, I guess, this is just kind of like, think of it like a little bit of a teaser. You've learned a couple of new commands. I'm going to put these into the classroom, and we'll have another class next week where we're going to go through specific things for the class. But the power of curl, the power of wget, and then combined with these other tools, they're super, super important to know. I'm going to actually jump into another, we're going to go to DoD, or no, sorry, it's Department of
defense let's see oh yeah defense.gov okay now i'm gonna look at the photos the photo gallery they look nice right um the thing with photos is that photos tell a really big um story right uh lots of of things they say so much about uh you know not only the you know the situation right but um about the people that took the photos their rankings phone numbers things like that and let's just pick one all right we're going to copy the link address we're going to curl the photo nope nope sorry i need to okay full image sorry go back copy link address okay so we just pulled down that photo all right so what do we know about the information from uh from the photo yeah it's a lot more information than um than is described in the photo so this says marines cross a rope bridge during training at the jungle warfare center that's what it says and then this one says the us marines with 3rd battalion 2nd marine regiment currently attached to the department over the bridge during the yeah and it keeps going and go and it says uh yeah it says a lot all right and it's now jungle warfare training center a unit deployment program the endurance course right that is not here that's not here you know um now this is unclassified alright so this will this is not a vulnerability right except you will see a lot of these photos that don't say unclassified and they give phone numbers let's see yeah and here we can so you can see there's a lot of information look um transmission reference right look this is stuff that's that it's really interesting information we've got um here is the um an email address from you know that's clearly not here um and yeah it really just keeps going um and i believe so again primary country primary location name state providence it gets really really detailed when it comes to these things and um all because you took a photo and again it starts at the top and a lot of times you'll find you'll find phone numbers that's when it gets really crazy i've actually called 
the phone numbers um and and spoken to people you know some really high ranking people i mean i i got the phone number for um to to someone in the white house i called them i thought this can't be real no way it absolutely was real i got their phone i called them i spoke with them um and uh and so we took care of that issue but this is a lot of information right this is why you want to learn recon you wanna and and people may not think about this they may not think it's valid why are you spending the time on this because everything that we put out is full of information and information right they're using an apple computer right and uh what do you learn from this right the whole the name of the game is about like finding the information um you know that's not supposed to be there right can you get access to information in a way that nobody else can and what i'm actually going to do is i'm going to actually run the same i'm going to run the same tool minus b that's binary data all right now there's that information that's hidden inside of the information which is hidden inside like the information that's hidden inside of the pictures okay and um that is is where we get to get to understand a lot more um than than we should right now looks all jumbled up and stuff right now but uh yes there's there's there's that information inside of the information the metadata of the metadata which is be really really um you know dangerous to to a lot of people i'm talking coordinates right coordinates that are hidden inside of pictures that will tell where that where that regimen is because they took a picture those coordinates stay in there you've heard it before people you know twitter scrubs it the united states government for some reason does not scrub it right and i'm not saying that this is you know going to be you know you're going to get that bug bounty or you're going to get a bounty or you're going to even get a bug validated i'm saying there are a lot um but you have 
to look through it, and then we've got to write the code to automate your life. I'm going to leave you with a teaser now. One thing: you don't want to search through Google, this is ridiculous, right, so bring Google to your terminal. Do you want to look for classified documents? Do you want to look for pictures with information? Do you want to look for endpoints that you can access that are not authenticated? Bring Google to you. This is Google in a terminal, and there's an open source application called googler, and we can actually initiate any query we want to. So let's just say HackerOne, so we end up pulling up information about HackerOne. So what I did was I took this program that somebody made and I built on it in a crazy way, I really built on it, to make sure that my IP wasn't getting blocked, and I automated a lot of my searches, for Google, for DuckDuckGo, for Bing, mega, and so I took that open source project and I made it crazy, and I will post that open source project, but I do suggest people go look for this open source project. And I believe you can actually, so if we push number four, let's say number four, it's going to actually open up number four and it'll open up that page; using number five, it's going to open up number five. And this is, let's see, it's brew search googler, yes, so brew install googler. So this is why I wanted you all to install brew; just that in itself is going to help you research. You can pipe your outputs. Nobody wants to go through Google searches and look for endpoints or even, right, nobody wants to do that. But the thing is, people neglect the fact that all these things are out in the open. I'm going to give you one more example, and so let's do, okay, it's a WordPress site, right, who cares, no one cares, it's a WordPress
site, except AT&T still uses WordPress sites, so let's attack the WordPress site, because we can find a WordPress site from AT&T. Oh, it's updated. So wpscan, if we want to scan a WordPress site, and this one, you need an API token; mine's visible, I don't care honestly if it is. But this is actually going to show you where the vulnerabilities are for this WordPress site. Now let's scroll up and we can see some interesting headers. So it looks like their XML-RPC is enabled, which is not good, and it says it's 100% confidence that this is available, and it says if you go to Rapid7, why you should not have this enabled. So it says POST requests only, so we're going to send a POST request. So let's see, this is a simple curl request, let's see, there's a video so they teach you, oh, I don't know, okay, so it says, how do you test for this XML-RPC curl request? Well, here it is, and they wrote it in bash, it's written in bash with curl. So you've got to understand, again, the power of curl, and I'll post this link in the class. But anyone that says that this is just ridiculous, follow what you believe only, right, and if you get good information from what I'm telling you, I'm glad; if you don't, then maybe it's not for you, but hopefully you'll get great information. Again, curl requests, this is what runs the internet, honestly, it's what runs the internet, everyone uses them, and bash is going to be the easiest thing to write, to start and learn from. We'll go back to these vulnerabilities, and it says the external cron job is enabled, and then you can see what kind of theme they're using, and then from that theme, of course, you can look at the vulnerabilities inside of that theme. And again, this is strictly recon, okay. And I have had many, many validated bugs on WordPress,
actually a lot, actually. And it looks as though, see, it's interesting entries, it looks like, so it's talking about, okay, so request not logged, message: you're not currently logged in. This is not good, because this just means we can send requests to this. Again, this is WordPress, people can say what they want about it. We're not doing RCEs today, we're not, but we are showing an introduction to what recon can look like. We're going to have these classes frequently and you're going to learn specifics about these recons, what can you do when, like, we'll have a targeted WordPress day, what does this mean even, what does that look like, how do we exploit these things with WordPress, how do we take over an entire WordPress site. So with that, I'll leave you all, this was again a teaser. I hope that you, oh, let me tell you how: so brew search wpscan, so you can see, yes, install wpscan, so brew install, well, follow the instructions. So if you want to install, brew install wpscan, it's going to actually tell you to probably tap, actually you can just brew install wpscan. I hope that you guys got a lot of good information from it. I look forward to a very specific and structured class next week, and I'll put the entire syllabus there for next week, and we're going to go through modules, so we're going to go through attacking just with curl, recon just with curl, and properly writing code in bash with curl. So we're going to have a week just with curl; it'll be about a two-hour session for writing the code, the last part, and then at the beginning we're going to have a very targeted space. So that's all for now. Thank you guys, and I appreciate the support.
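The photo segment of the stream makes the point that published images carry coordinates, contact details and other fields that the page caption never shows. The defender's side of that lesson is a pre-publication check: find GPS tags and strip the metadata segments before an image goes out. The block below is an added example written for this page; it is not the speaker's tooling and not exiftool. It is a stdlib-only parser for just the two structures involved (JPEG marker segments and the TIFF IFDs inside the EXIF APP1 segment), and the sample image it runs on is constructed inline (SOI, one EXIF APP1 segment with GPS tags, EOI, no pixel data) so it runs offline; the coordinate values in it are made up for the demo.

```python
"""Check a JPEG for EXIF GPS coordinates and strip metadata before publishing.

Stdlib-only parser for JPEG marker segments and the TIFF IFDs inside the
EXIF APP1 segment. The sample image is constructed inline (no pixel data).
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
APP1, APP13, SOS, EOI_MARKER = 0xFFE1, 0xFFED, 0xFFDA, 0xFFD9
GPS_IFD_POINTER = 0x8825          # IFD0 tag holding the offset of the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def iter_segments(data):
    """Yield (marker, payload) per JPEG segment; the SOS payload is the rest of the file."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = 0xFF00 | data[pos + 1]
        if marker == EOI_MARKER:
            yield marker, b""
            return
        if marker == SOS:                      # entropy-coded data follows, stop parsing
            yield marker, data[pos + 2:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG")


def parse_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4 raw value-or-offset bytes)} for the IFD at offset."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def read_rationals(tiff, entry, endian):
    """Decode a RATIONAL (type 5) entry; its value field is an offset to num/den pairs."""
    typ, n, raw = entry
    if typ != 5:
        raise ValueError("expected RATIONAL")
    off = struct.unpack(endian + "I", raw)[0]
    return [num / den for num, den in
            (struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(n))]


def dms_to_decimal(dms):
    d, m, s = dms
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None if absent."""
    for marker, payload in iter_segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = parse_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = parse_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0], endian)
        if GPS_LAT not in gps or GPS_LON not in gps:
            return None
        lat = dms_to_decimal(read_rationals(tiff, gps[GPS_LAT], endian))
        lon = dms_to_decimal(read_rationals(tiff, gps[GPS_LON], endian))
        if gps.get(GPS_LAT_REF, (2, 2, b"N"))[2][:1] == b"S":   # ASCII ref stored inline
            lat = -lat
        if gps.get(GPS_LON_REF, (2, 2, b"E"))[2][:1] == b"W":
            lon = -lon
        return round(lat, 6), round(lon, 6)
    return None


def scrub(jpeg):
    """Copy the JPEG without APP1 (EXIF/XMP) and APP13 (Photoshop IRB/IPTC) segments."""
    out = bytearray(SOI)
    for marker, payload in iter_segments(jpeg):
        if marker in (APP1, APP13):
            continue
        if marker == SOS:
            out += b"\xff\xda" + payload
            break
        if marker == EOI_MARKER:
            out += EOI
            break
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: EXIF APP1 with GPS 38 deg 53' 23.00\" N, 77 deg 02' 11.00\" W."""
    E = ">"                                   # big-endian ("MM") TIFF header
    rat = lambda n, d: struct.pack(E + "II", n, d)
    lat = rat(38, 1) + rat(53, 1) + rat(2300, 100)
    lon = rat(77, 1) + rat(2, 1) + rat(1100, 100)
    gps_off, lat_off, lon_off = 26, 80, 104   # fixed layout: IFD0 at 8, GPS IFD at 26
    ifd0 = (struct.pack(E + "H", 1)
            + struct.pack(E + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)
            + struct.pack(E + "I", 0))
    gps = (struct.pack(E + "H", 4)
           + struct.pack(E + "HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
           + struct.pack(E + "HHII", GPS_LAT, 5, 3, lat_off)
           + struct.pack(E + "HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
           + struct.pack(E + "HHII", GPS_LON, 5, 3, lon_off)
           + struct.pack(E + "I", 0))
    tiff = b"MM\x00\x2a" + struct.pack(E + "I", 8) + ifd0 + gps + lat + lon
    payload = b"Exif\x00\x00" + tiff
    return SOI + struct.pack(">HH", APP1, len(payload) + 2) + payload + EOI


if __name__ == "__main__":
    img = build_sample_jpeg()
    print("GPS in original:", extract_gps(img))
    print("GPS after scrub:", extract_gps(scrub(img)))
```

`scrub()` drops whole segments rather than editing tags, which is the safe choice for a publishing pipeline: it removes XMP and IPTC contact fields along with the GPS IFD without needing to understand them. Run `extract_gps()` over the scrubbed output as the check, and treat a non-None result on anything about to be published as a finding.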
Info
Channel: Jonathan Scott
Views: 3,442
Rating: 4.9074073 out of 5
Keywords: hacking, bug bounty, hacking tools, hacker, hack, vulnerability testing, philosophy, american hacker, red team, hackerone, best hacker, top hacker, top 5 hackers, top 10 hackers, wget, curl, bug hunter, vulnerability scanner, macos hack tools, ubuntu hacks, hacking tips, hack tips, bug bounty tips, exiftool, metadata, hidden data, subdomains, pii, personal information hack, social engineering hack, hacking tutorials, hacking school, hacking class, jonathan scott, jonathandata1
Id: mp99cmzSWcw
Length: 105min 29sec (6329 seconds)
Published: Wed Aug 04 2021