Comprehensive Bug Hunting Toolkit for Cybersecurity Enthusiasts

IWCon W2022
Orwa GodFather

IWCON
Basic Recon Tools
IWCon 2022 Tips ==> To Find Easy High/Critical Bugs

ABOUT ME
Orwa Atyat From Jordan
Full Time Bug Hunter
BugCrowd Full Rank: Top 100
BugCrowd P1 Warrior Rank: Top 10
Completing Nearly 190 P1 Reports On BugCrowd
CVE-2022-21500 | CVE-2022-21567
BASIC RECON & TOOLS

Subdomain Enumerations
https://crt.sh/?q=%25.target.com
https://securitytrails.com/list/apex_domain/target.com
https://www.shodan.io/search?query=Ssl.cert.subject.CN%3A%22target.com%22

Single Domain:
amass enum -passive -norecursive -noalts -d domain.com -o sub-list.txt

Domains List:
amass enum -passive -norecursive -noalts -df domains.txt -o subs-list.txt
 
SUBDOMAIN ENUMERATIONS TOOLS

GitHub - iamthefrogy/frogy
GitHub - Cyber-Guy1/domainCollector
https://gitlab.com/prawps/ohdns

After collecting everything, remove the duplicate subs:
cat full-subdomain-list.txt | sort -u > sub-list.txt
 
 
Filter the subs with httpx:
cat sub-list.txt | httpx -o live-subs.txt

Scan the top 1000 ports, or all ports, with naabu:
naabu -list sub-list.txt -top-ports 1000 -exclude-ports 80,443,21,22,25 -o ports.txt
naabu -list sub-list.txt -p - -exclude-ports 80,443,21,22,25 -o ports.txt
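The slides merge the output of several sources with a bare `sort -u` before feeding httpx and naabu. The script below is an added example, not code from the slides or from any of the tools named: it cleans a raw subdomain list the way an asset inventory needs it (lower-cased, `*.` wildcard entries from certificate transparency reduced to the real name, trailing dots and whitespace stripped, and only names actually under the apex kept, so `evil-target.com` does not slip into scope). The function name `normalize_subs`, the `RAW_SUBS` sample and the hostnames in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the slides: merge and clean raw subdomain output
# (crt.sh, amass, frogy, domainCollector, ohdns) into one in-scope list.
# A bare `sort -u` keeps case variants, "*." wildcard entries, trailing dots
# and look-alike names that are not really under the apex.

# normalize_subs APEX  < raw-list  > clean-list
normalize_subs() {
  apex="$1"
  # escape the dots so the apex is matched literally, then require the line
  # to be exactly "apex" or to end in ".apex"
  apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')
  tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E "(^|\.)${apex_re}\$" \
    | grep -vE '[^a-z0-9.-]' \
    | sort -u
}

# Constructed sample input: what a concatenation of crt.sh, amass and similar
# output typically looks like (hostnames are made up for the example).
RAW_SUBS='api.target.com
API.target.com
*.dev.target.com
www.target.com.
  mail.target.com
target.com
evil-target.com
target.com.attacker.example
cdn.othercorp.com'

# Typical use with the tools from the slides (needs the tools and network):
#   cat crtsh.txt amass.txt frogy.txt | normalize_subs target.com > sub-list.txt
#   httpx -l sub-list.txt -o live-subs.txt
#   naabu -list sub-list.txt -top-ports 1000 -o ports.txt

# Demo on the constructed list: prints the five in-scope names once each.
printf '%s\n' "$RAW_SUBS" | normalize_subs target.com
```

The apex check is the part worth keeping even if you use a different pipeline: third-party sources return every certificate whose subject merely contains the string you searched for, so a substring match would put other organisations' hosts into your scan lists.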
 
 
COLLECTING URLS ENDPOINTS

https://urlscan.io/search/#target.com
https://web.archive.org/cdx/search/cdx?url=*.target.com&fl=original&collapse=urlkey

Google dorking:
site:target.com

Bing dorking:
site:target.com
 
SEARCH FOR SOURCES/BACKUP FILES

Tip: derive the archive names from the hostname labels (example for orwa.iwcon.com):
orwa.iwcon.com/
    orwa.zip - iwcon.zip - admin.zip - backup.zip
orwa.iwcon.com/orwa/
    orwa.zip - iwcon.zip - admin.zip - backup.zip
orwa.iwcon.com/iwcon/
    orwa.zip - iwcon.zip - admin.zip - backup.zip
orwa.iwcon.com/admin/
    orwa.zip - iwcon.zip - admin.zip - backup.zip

https://github.com/musana/fuzzuli
for fuzzing on backups
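The backup-file tip is a small generation rule: every hostname label becomes both a file name and a directory, joined with the fixed words `admin` and `backup`. The script below is an added example, not code from the slides or from fuzzuli, that applies the rule to any hostname so an owner can verify none of the resulting paths is reachable on their own hosts. It generalises the slide slightly (every label below the public suffix is used, and extensions can be passed in). The function names `backup_candidates` and `check_backups` are assumptions, and the suffix handling (drop the last label) is a deliberate simplification.

```shell
#!/bin/sh
# Added example, not from the slides or fuzzuli: candidate backup-archive
# paths derived from a hostname, for checking your own web roots.
#
# backup_candidates HOST [EXT ...]   extensions default to "zip", as in the slide
backup_candidates() {
  host=$1
  shift
  [ $# -gt 0 ] || set -- zip
  # labels minus the last one: orwa.iwcon.com -> orwa, iwcon
  # (assumption: a one-label public suffix; "co.uk"-style suffixes are not handled)
  labels=$(printf '%s' "$host" | awk -F. '{ for (i = 1; i < NF; i++) print $i }')
  # words = labels + the two fixed words from the slide, de-duplicated
  words=$(printf '%s\nadmin\nbackup\n' "$labels" | sort -u)
  # directories = the web root ("") plus one directory per word
  for dir in "" $words; do
    for word in $words; do
      for ext in "$@"; do
        printf '/%s%s.%s\n' "${dir:+$dir/}" "$word" "$ext"
      done
    done
  done
}

# check_backups BASE_URL HOST [EXT ...]: HEAD each candidate under BASE_URL and
# print those that answer 200. Needs curl and network access, so it is not
# exercised in the offline demo below.
check_backups() {
  base=$1
  shift
  backup_candidates "$@" | while read -r path; do
    code=$(curl -s -o /dev/null -I -w '%{http_code}' "$base$path")
    if [ "$code" = 200 ]; then
      printf '%s %s\n' "$code" "$base$path"
    fi
  done
}

# Demo: 4 words x 5 directories = 20 paths for the slide's example host.
backup_candidates orwa.iwcon.com
# e.g. check_backups https://orwa.iwcon.com orwa.iwcon.com zip tar.gz
```

The defensive reading of the slide is the same as the generator: build artefacts and archives named after the site or its directories must not live under the web root, and a periodic run of `check_backups` against your own hosts catches the ones that were copied there by mistake.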
 
ALL IN ONE
 
https://offsec.tools/
 
TIPS/TRICKS

GitHub...
Try searching for leaks on:
gist.github.com
gitlab.com

Tip for finding more leaks, and before anyone else:
check your target 2 times per day.
To do that, search
Target.com password
sorted by Recently indexed, and
bookmark this tab [CTRL + D]
 
TIPS/TRICKS

Search For PII (Personal Identifiable Information) On Google
Leaked Credentials On Google
In Google Sheets/Groups:

site:docs.google.com/spreadsheets "company name"
site:groups.google.com "company name"
 
TIPS/TRICKS

Create a Nuclei template:
for any bug you find, create a template for it and test it on all programs' scopes.

Find some endpoints for a dead host and test them on the same live IP.
Example:
[176.001.X.XX] = live; in its SSL certificate it is recorded as [orwa.iwcon.com] = dead host.
Collect endpoints for [orwa.iwcon.com] and test those endpoints on [176.001.X.XX].
 
TIPS/TRICKS
UNAUTHORIZED ACCESS

This example is a critical bug I found in FACEBOOK via Response Manipulation.

I found in Facebook (Instagram Employee Panel), so I tried a normal login. It was a 302 redirect to the login page, but the Content-Length of the redirect response was so big.

With some playing with Burp Match And Replace I was able to bypass authentication and take actions.

Tip Here:
If the response is a 302 with a very big Content-Length, try to bypass it.

Normal Response Was:
HTTP/1.1 302 Found
Location: ../login/?redirect=//location/?5

Replaced To:
HTTP/1.1 200 OK

And deleted the header:
Location: ../login/?redirect=//location/?5

Match And Replace
type: response header
match: HTTP/1.1 302 Found
replace: HTTP/1.1 200 OK

Match And Replace
type: response header
match: Location: ../login/?redirect=//location/?5
replace:
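The tip generalises to a check: a redirect to a login page should carry an empty or tiny body, so a 3xx with a large Content-Length means the server rendered the protected page and then bolted a redirect on top, leaving the client's willingness to follow the redirect as the only control. The script below is an added example, not code from the slides: it takes one raw HTTP response on stdin and flags that pattern, falling back to measuring the body when there is no Content-Length header (chunked responses). The function name `suspicious_redirect`, the 1024-byte threshold and the four sample responses are constructed for the example; the Content-Length values in the samples are what the server declares, not the size of the trimmed sample bodies.

```shell
#!/bin/sh
# Added example, not from the slides: flag redirects that carry a large body.
# Input: one raw HTTP response (status line, headers, blank line, body) on
# stdin. $1 is the byte threshold (assumed default 1024; tune per application).
# Exit status 0 = suspicious (a line is printed), 1 = nothing to report.
suspicious_redirect() {
  limit="${1:-1024}"
  resp=$(cat)
  # status line and headers: everything up to the first blank line, CRs stripped
  headers=$(printf '%s\n' "$resp" | sed '/^[[:space:]]*$/q' | tr -d '\r')
  status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  declared=$(printf '%s\n' "$headers" | awk -F': *' 'tolower($1) == "content-length" { print $2; exit }')
  case "$status" in
    30[12378]) ;;   # only redirect responses are of interest here
    *) return 1 ;;
  esac
  # prefer the declared Content-Length; otherwise measure the body, which is
  # what a chunked response (no Content-Length header) forces you to do
  if [ -n "$declared" ]; then
    size=$declared
  else
    size=$(printf '%s\n' "$resp" | sed '1,/^[[:space:]]*$/d' | wc -c | tr -d ' ')
  fi
  [ "$size" -gt "$limit" ] || return 1
  printf 'SUSPICIOUS: %s redirect carrying %s body bytes (limit %s)\n' "$status" "$size" "$limit"
  return 0
}

# Constructed sample responses (bodies shortened; Content-Length is as declared).
REDIRECT_WITH_BODY='HTTP/1.1 302 Found
Location: ../login/?redirect=//location/?5
Content-Type: text/html; charset=utf-8
Content-Length: 48213

<html>...full panel markup that should never have been rendered...</html>'

PLAIN_REDIRECT='HTTP/1.1 302 Found
Location: /login/
Content-Length: 0

'

big=$(printf '%01500d' 0)   # 1500 filler bytes for the chunked case
CHUNKED_REDIRECT="HTTP/1.1 302 Found
Location: /login/
Transfer-Encoding: chunked

<html>$big</html>"

OK_PAGE='HTTP/1.1 200 OK
Content-Length: 50000

<html>a normal, authenticated page</html>'

# Demo: the first two samples are flagged, the last two are not.
for r in "$REDIRECT_WITH_BODY" "$CHUNKED_REDIRECT" "$PLAIN_REDIRECT" "$OK_PAGE"; do
  printf '%s' "$r" | suspicious_redirect || echo "ok: not a redirect with a body"
done
```

On the defending side the fix is not in the response size check but in the handler order: the authorisation check has to run before any rendering, and the redirect response must be returned with an empty body. Running this check over proxy logs or a crawler's saved responses is a cheap way to find handlers that got that order wrong.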
 
THANKS ALL
IWCON

https://twitter.com/GodfatherOrwa
https://bugcrowd.com/OrwaGodfather
https://hackerone.com/mr-hakhak
https://medium.com/@orwaatyat

Explore a detailed guide on bug hunting tools, techniques, and resources by expert bug hunter Orwa Atyat from Jordan. Learn valuable tips on finding high/critical bugs, conducting basic recon, subdomain enumerations, collecting URLs/endpoints, and searching for backup files. Enhance your cybersecurity skills with a curated collection of tools and tactics to bolster your bug hunting endeavors.


Uploaded on Mar 26, 2024 | 2 Views

