Some tips on common approaches to identifying areas of interest.
There are a growing number of bug bounty and vulnerability reward schemes online. This first post covers some tips on common approaches to identifying areas of interest.
I'm going to use Bugcrowd as my main example, but in the name of fairness here are a few other bug bounty/vulnerability reward programs:
There are more, but these are the big ones: similar deliverables, different models.
If you look at Bugcrowd's 'The List' you can see all the publicly known (by Bugcrowd) bug bounties that you can participate in. These are not members of the Bugcrowd program, just a list for you to go hack and be rewarded.
If you have worked in security, or in fact in IT, for a while, you appreciate automation and see its value, as long as it's meaningful.
Meaningful automation #1: let's make that list a meaningful list for discovery
curl -s https://bugcrowd.com/list-of-bug-bounty-programs/ | grep 'data-label=' | cut -d '"' -f6 | cut -d '/' -f1,2,3 | sort -u > uris.tgts.lst && cut -d '/' -f3 uris.tgts.lst > domains.tgts.lst
This will leave you with two files, uris.tgts.lst and domains.tgts.lst.
In the uris.tgts.lst file you will have web addresses, which means they begin with https://. This is useful for automating web crawlers or attacking with automated tools for web application mapping, discovery and low-hanging fruit; we'll get to that later.
The second file you now have is domains.tgts.lst. This is simply the domains that allow for hunting, so if you wanted to do deep reconnaissance for ASN identification, subdomain enumeration or port scans; we'll get to that later too.
Sam (Snoopy) was crying because I didn't mention Bugsheet (a website he goes on to not win money or t-shirts),
so here is the Bugsheet version
Meaningful automation #2: enumeration via ASNs (Autonomous System Numbers)
You will need a copy of Nmap installed for this. If you don't have Nmap installed, go check it out... you're welcome.
Autonomous System numbers (ASN) ...
ASN = lots of IP addresses associated with a company
If we look up a company's AS number we will get a pretty accurate reflection of their online estate.
I use bgp.he.net to find companies' ASNs ...
By using this Nmap script we can get Nmap to do some heavy lifting in terms of host and service discovery 'company wide':
nmap --script targets-asn --script-args targets-asn.asn=17012 > paypal.asn2ip.cleanme.txt
Starting Nmap 7.00 ( https://nmap.org ) at 2016-01-15 07:38 GMT
Pre-scan script results:
| targets-asn:
|   17012
|     126.96.36.199/24
|     188.8.131.52/24
|     184.108.40.206/24
|     220.127.116.11/24
|     18.104.22.168/24
|     22.214.171.124/24
|     126.96.36.199/22
|     188.8.131.52/24
|     184.108.40.206/22
|     220.127.116.11/22
|     18.104.22.168/24
|     22.214.171.124/22
|     126.96.36.199/24
|     188.8.131.52/22
|     184.108.40.206/24
|     220.127.116.11/24
|     18.104.22.168/24
|     22.214.171.124/24
|_    126.96.36.199/20
Wicked, clean up the output and save it with a meaningful name have a nice
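One way to do the clean-up step described above, as an added example that is not part of the original post: it keeps only well-formed CIDR blocks from saved targets-asn output, drops duplicates and malformed entries, and counts the addresses the list covers so nothing outside the announced ranges ends up in the scan file. The function names and the sample output (documentation ranges and a reserved documentation ASN) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): turn raw
# `nmap --script targets-asn` output into a clean list for `nmap -iL`.

# extract_cidrs FILE: print each valid, unique IPv4 CIDR in FILE, sorted.
extract_cidrs() {
    awk '{
        for (i = 1; i <= NF; i++) {
            # The whole field must be a.b.c.d/n, so banner text is skipped.
            if ($i !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) continue
            split($i, p, "[./]")
            # Drop look-alikes: octets above 255 or a prefix above 32.
            if (p[1] <= 255 && p[2] <= 255 && p[3] <= 255 && p[4] <= 255 && p[5] <= 32)
                print $i
        }
    }' "$1" | sort -u | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# count_addresses FILE: total addresses covered, to size the scan up front.
# Assumes the prefixes do not overlap (overlapping blocks are counted twice).
count_addresses() {
    extract_cidrs "$1" |
        awk -F/ '{ total += 2 ^ (32 - $2) } END { printf "%.0f\n", total }'
}

# write_sample FILE: constructed sample output (documentation ranges, a
# reserved documentation ASN, one duplicate and one malformed entry).
write_sample() {
    cat > "$1" <<'EOF'
Starting Nmap 7.00 ( https://nmap.org ) at 2016-01-15 07:38 GMT
Pre-scan script results:
| targets-asn:
|   64500
|     203.0.113.0/24
|     192.0.2.0/24
|     198.51.100.0/22
|     192.0.2.0/24
|_    999.0.2.0/24
EOF
}

# Demo on the constructed sample; redirect extract_cidrs to your target file.
sample=$(mktemp)
write_sample "$sample"
extract_cidrs "$sample"
echo "addresses covered: $(count_addresses "$sample")"
rm -f "$sample"
```

Run against the real file, this would be `extract_cidrs paypal.asn2ip.cleanme.txt > paypal.target`, which produces the input file used by the scans that follow.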
Back to Nmap...
There are a few things you can try from here. If you want to go H.A.M then you might use the following:
nmap -p- -sV -iL paypal.target -oX paypal.allports.xml
This will scan all TCP ports on all addresses in the paypal.target file you just prepared. It will give you as much information about the services it finds as it can and save it to a nice XML file. It will take a while; if you have an external box I'd recommend throwing it in a screen session and learning Mandarin while it scans. If you want to take the approach of common ports (rather than an absolute view of what IS open at the time of scanning) you can ditch the -p- flag and replace it with -p80,443,8080 and whatever other ports you might care about, for example:
nmap -p80,443,8443,8080,8088,8010 -sV -iL paypal.target -oX paypal.common.web.ports.xml --open
or whatnot.
This will only return you open ports on IP addresses. You will have to use your geekbrain to figure out what domains are associated with what IP addresses if that's important, but it's probably not.
More Nmap discovery options: https://nmap.org/nsedoc/categories/discovery.html
Once we have the ASN we have obtained a reasonably informed list of the $target's online landscape. Cool. Once you have listed all your open ports you can see what might be worth moving to the next layer of discovery, such as DirBuster/Gobuster, spidering and those web layer phases before you attHack.
Hopefully this post will give you an insight into enumerating targets, primarily as a bug hunter. This information will also assist in other areas of your IT security career or operations.