Advanced Recon



extended web app security
You can hack faster if you have two people on one keyboard.

Note on ethics
• This course will teach both attacker and defender mindsets
• UNSW hosting this course is an extremely important step forward.
• We expect a high standard of professionalism from you, meaning:
  ○ Respect the property of others and the university
  ○ Always abide by the law and university regulations
  ○ Be considerate of others to ensure everyone has an equal learning experience
  ○ Always check that you have written permission before performing a security test on a system
• If you are unsure about anything ask one of the course staff!

lecture-outline
• Pre-lecture bountyhunting
• Public dumpster hunting
• Better techniques for domain brute forcing
• #faster tooling
• Domain fingerprinting
• Pre-exploit searching

Post-notes on 6443 lecture
● Asset Discovery Defence
  ○ Good reading: Google BeyondCorp (https://cloud.google.com/beyondcorp/)

Newsroom.uber.com extended
● Live bounty time.

Public dumpster hunting
● It's one thing to use dnsdumpster to tell you everything
● It's another thing to be even lazier.
● Expand your searching through Google Dorking.
  ○ Pastebin.com
  ○ Specific unique domain queries

DEMO

Resources just found:
● http://ns398967.ip-37-59-43.eu/united.com/report/report_page_3.html
● https://bugbounty.xsses.rocks/

Better Techniques for dns recon
● Pre-compute your wordlists
  ○ Pre-altdns your wordlists
● Make better wordlists
  ○ https://pentester.io/commonspeak-bigquery-wordlists/
  ○ Farm alexa top 1m
  ○ Perform heuristic analysis (common words/combinations)
    ■ Rank combinations
● Expand your wordlist as you hack more

#faster tooling
• You're only as fast at recon as your fastest tools
• Benchmark your tools when you use them
• DNS brute forcing
  ○ Fierce
  ○ Dnsenum
  ○ Gobuster
  ○ Zdns
  ○ massdns
• Directory brute forcing
  ○ Gobuster
  ○ Dirbuster
  ○ dirsearch

Aside: fuck perl and cpanm.

DEMO
● Benchmarking speeds
● I'm not providing the stats. Exercise for the reader

Other notes on tooling
● Note subtle differences.
  ○ fierce/dnsenum try to do AXFR
  ○ Usually impossible nowadays
  ○ Probably a waste of time
● Zdns may arbitrarily miss results
  ○ But the performance speed-up may warrant running it 2+ times in the same time gobuster/others take
● Faster internet is better brute forcing.
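Worked example, added here and not from the lecture or any of the tools it names: if a fast resolver can silently drop answers, run it more than once over the same wordlist, union the runs, and flag every name that did not show up in all of them as something to re-resolve with a slower tool. The `host ip` line format and the three run outputs below are constructed for this example; they are not any tool's real output format.

```python
"""Merge repeated brute-force runs over one wordlist and flag unstable answers.

Added example.  The ``host ip`` line format is an assumption of this example,
not the output format of zdns, massdns or gobuster.
"""
from collections import defaultdict

# Constructed sample: three runs over the same wordlist.  Run 2 silently
# dropped api.example.com; run 3 dropped dev.example.com.
RUN_OUTPUTS = [
    "www.example.com 203.0.113.10\napi.example.com 203.0.113.20\ndev.example.com 203.0.113.30\n",
    "www.example.com 203.0.113.10\ndev.example.com 203.0.113.30\n",
    "www.example.com 203.0.113.10\napi.example.com 203.0.113.20\n",
]


def parse_run(text):
    """Return {host: set(ips)} for one run; blank and malformed lines are skipped."""
    found = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        host, ip = parts
        found[host.lower().rstrip(".")].add(ip)
    return found


def merge_runs(run_texts):
    """Union every run and count how many runs reported each host.

    Returns (merged, seen_in): merged maps host -> all IPs seen across runs,
    seen_in maps host -> number of runs that reported it.
    """
    merged = defaultdict(set)
    seen_in = defaultdict(int)
    for text in run_texts:
        for host, ips in parse_run(text).items():
            merged[host] |= ips
            seen_in[host] += 1
    return dict(merged), dict(seen_in)


def unstable_hosts(seen_in, total_runs):
    """Hosts that at least one run missed: re-resolve these with a slower tool."""
    return sorted(h for h, n in seen_in.items() if n < total_runs)


if __name__ == "__main__":
    merged, seen_in = merge_runs(RUN_OUTPUTS)
    for host in sorted(merged):
        ips = ", ".join(sorted(merged[host]))
        print(f"{host:20} {seen_in[host]}/{len(RUN_OUTPUTS)} runs  {ips}")
    print("re-check:", unstable_hosts(seen_in, len(RUN_OUTPUTS)))
```

The union is the list you keep; the `re-check` list is the cost of the speed-up, and its size is a quick measure of how lossy a given resolver actually is on your link.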

Domain Fingerprinting
● Do some recon on domains you find.
  ○ Auto-scrape the pages for more hosts
  ○ Scrape headers for cookies
  ○ Dirbuster a little bit
    ■ We're doing bounties. They won't mind
● Don't DDOS the box.
  ○ Apparently that annoys people.
  ○ Tl;dr one aws box is unlikely to DDOS, but if you use 10 they might yell at you.
  ○ Benchmark it for yourself. Setup an NGINX box on an aws ec2 micro, and try and take it down.

Fingerprinting ext
● Search for default directories/files
  ○ Compile a list. (LMGTFY/Collaboration opportunities)
● Use this to expand your understanding of their infrastructure
  ○ If their domains are structured like signup.na.target.com
  ○ Try signup.eu.target.com
  ○ Structure/pre-permute your domain list to have more like this
● If they're using jenkins, and they codename it like jnkn.eu.target.com
  ○ Then consider permuting your DNS list to have fewer vowels.

Pre-exploit searching
● If you find a drupal instance.
  ○ Fingerprint the drupal version
  ○ Hunt for some CVEs
● Catch any low hanging fruit.
  ○ Before having to dive into actual appsec
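Worked example, added here and not the lecture's code, covering the Domain Fingerprinting and Pre-exploit searching slides together: one pass over a captured HTTP response that pulls out the hostnames the page references under the apex, the cookies set and which protective attributes each one lacks, and a product/version hint from the `X-Generator` header or the `<meta name="Generator">` tag (the two markers Drupal itself emits). The response text, the hostnames, the cookie names and the look-alike `img.example.com.evil.test` are constructed; `APEX`, `fingerprint()` and the other names are this example's own. The cookie report is the same check the owning team would run on its own site.

```python
"""Fingerprint one captured HTTP response: hosts, cookies and a CMS/version hint.

Added example, not from the lecture.  The response below is constructed; no
request is sent.  The Drupal markers checked (X-Generator header and the
Generator meta tag) are the ones Drupal emits, but the values here are made up.
"""
import re

APEX = "example.com"

# Constructed raw response, as a proxy or a fetch would capture it.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Generator: Drupal 8 (https://www.drupal.org)\r\n"
    "Set-Cookie: SESSabc123=deadbeef; Path=/; HttpOnly\r\n"
    "Set-Cookie: region=na; Path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><meta name="Generator" content="Drupal 8 (https://www.drupal.org)">\r\n'
    '<script src="https://static-cdn.example.com/app.js"></script></head>\r\n'
    '<body><a href="//signup.eu.example.com/start">Sign up</a>\r\n'
    '<img src="http://img.example.com.evil.test/x.png"></body></html>\r\n'
)

HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.I)
GENERATOR_RE = re.compile(r"^([A-Za-z]+)\s+([0-9][0-9.]*)")


def split_response(raw):
    """Return (status_line, [(header_name_lowercased, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def hosts_in_body(body, apex):
    """Hostnames referenced by the page that are actually under apex.

    The suffix check rejects look-alikes such as img.example.com.evil.test.
    """
    found = set()
    for h in HOST_RE.findall(body):
        h = h.lower()
        if h == apex or h.endswith("." + apex):
            found.add(h)
    return sorted(found)


def cookie_report(headers):
    """Cookie name -> sorted list of protective attributes it is missing."""
    report = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        report[cookie_name] = sorted(a for a in ("secure", "httponly") if a not in attrs)
    return report


def generator_hint(headers, body):
    """(product, version) from X-Generator or the Generator meta tag, else None."""
    sources = [v for n, v in headers if n == "x-generator"]
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if m:
        sources.append(m.group(1))
    for s in sources:
        g = GENERATOR_RE.match(s)
        if g:
            return g.group(1), g.group(2)
    return None


def fingerprint(raw, apex):
    """Everything the three slides ask for, from one response."""
    status, headers, body = split_response(raw)
    return {
        "status": status,
        "server": dict(headers).get("server"),
        "hosts": hosts_in_body(body, apex),
        "cookies": cookie_report(headers),
        "generator": generator_hint(headers, body),
    }


if __name__ == "__main__":
    for key, val in fingerprint(RAW_RESPONSE, APEX).items():
        print(f"{key:10} {val}")
```

The `hosts` list feeds straight back into the DNS wordlist; the `generator` tuple is only a hint (headers can be stripped or spoofed), so confirm the version from a second source before spending time on it.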

Other notes
● Get some good music playlists to hack to. It makes you hack faster
  ○ https://open.spotify.com/user/minight/playlist/2quv7VpuLKRy8c9eBIEoKc?si=PgL4DB8TQ1SUo-eYdDZ0QQ
● Be wary of computation time/statespace explosion
  ○ The previous suggestions will give you n^3 statespace explosion if you're not careful. (n wordlist size, m permutation corpus, t permutation method)
  ○ Curate your subdomain list as you go. (don't just randomly download shit)
● Automate everything.
  ○ ./hack target.com
  ○ Sms you the findings.
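Worked example, added here and not the lecture's code (and not altdns or commonspeak), tying together the "Better Techniques for dns recon", "Fingerprinting ext" and statespace slides: starting from hosts already known, it ranks the labels seen, swaps region labels (signup.na to signup.eu), produces vowel-stripped codename variants (jenkins to jnkns), combines ranked words with regions, then curates the result against what is already known so the candidate count stays bounded. It only generates names and never resolves anything; run over an organisation's own DNS inventory it shows how guessable that naming scheme is. The host list, the region list and example.com (standing in for the lecture's target.com) are constructed assumptions.

```python
"""Build and curate a permuted subdomain wordlist from hosts already known.

Added example, not the lecture's code.  Runs fully offline: it generates
candidate names only.  Sample hosts are constructed under example.com.
"""
import itertools
import re
from collections import Counter

# Constructed inventory of hosts already discovered for the apex domain.
KNOWN_HOSTS = [
    "signup.na.example.com",
    "api.na.example.com",
    "jnkns.eu.example.com",   # codename-style label (vowels dropped)
    "www.example.com",
    "login.eu.example.com",
]
APEX = "example.com"
# Region labels are an assumption of this example; in practice they come from
# the structure seen in the target's own hostnames.
REGIONS = ["na", "eu", "ap"]
VOWELS = re.compile(r"[aeiou]")


def labels(host, apex):
    """Sub-labels below apex: 'signup.na.example.com' -> ['signup', 'na']."""
    host = host.lower().rstrip(".")
    if host == apex:
        return []
    if not host.endswith("." + apex):
        raise ValueError(f"{host} is not under {apex}")
    return host[: -len(apex) - 1].split(".")


def rank_tokens(hosts, apex, skip=()):
    """Heuristic analysis: count every non-region label, most common first."""
    counts = Counter()
    for h in hosts:
        for lab in labels(h, apex):
            if lab not in skip:
                counts[lab] += 1
    return counts


def strip_vowels(label):
    """jenkins -> jnkns, the codename style some teams use; None if unchanged/too short."""
    stripped = VOWELS.sub("", label)
    if len(stripped) >= 2 and stripped != label:
        return stripped
    return None


def permute(hosts, apex, regions, max_tokens=20):
    """Structure-aware permutations of what is already known.

    1. Region swap: signup.na -> signup.eu, signup.ap, ...
    2. Vowel-stripped codename of every word label, rest of structure kept.
    3. altdns-style combinations: top-ranked word + every region.
    """
    candidates = set()
    words = [t for t, _ in rank_tokens(hosts, apex, skip=regions).most_common(max_tokens)]
    for h in hosts:
        labs = labels(h, apex)
        for i, lab in enumerate(labs):
            if lab in regions:
                for r in regions:
                    candidates.add(".".join(labs[:i] + [r] + labs[i + 1:] + [apex]))
            else:
                codename = strip_vowels(lab)
                if codename:
                    candidates.add(".".join(labs[:i] + [codename] + labs[i + 1:] + [apex]))
    for word, region in itertools.product(words, regions):
        candidates.add(f"{word}.{region}.{apex}")
    return candidates


def curate(candidates, known):
    """Drop what is already known; return a sorted, deduplicated list."""
    known_set = {h.lower().rstrip(".") for h in known}
    return sorted(c for c in candidates if c not in known_set)


if __name__ == "__main__":
    cands = permute(KNOWN_HOSTS, APEX, REGIONS)
    new = curate(cands, KNOWN_HOSTS)
    print(f"{len(cands)} candidates generated, {len(new)} not yet known:")
    for c in new:
        print(" ", c)
```

Each of the three permutation steps multiplies the list by its own factor, which is the explosion the slide warns about; `max_tokens` and the `curate()` pass are where that growth is capped, and both should be tuned per target rather than left at defaults.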

Q&A