Bug-hunting: Discovery.

Some tips on common approaches to identifying areas of interest.

There are a growing number of bug bounty and vulnerability reward schemes online. This first post covers some common approaches to identifying areas of interest.

I'm going to use Bugcrowd as my main example, but in the name of fairness here are a few other bug bounty/vulnerability reward platforms:

  • HackerOne (h1) | not a great response time
  • Synack | invite only, cream of the crop
  • Cobalt.io | not too bad

There are more, but these are the big ones: similar deliverables, different models.

If you look at Bugcrowd's 'The List' you can see all the publicly known (to Bugcrowd) bug bounties you can participate in. These are not programs run on the Bugcrowd platform, just a directory of places you can go hack and be rewarded. Being listed is not the same as being in scope: every entry has its own rules about which assets are in bounds and what testing is allowed, so read them before you point anything at a target.

If you have worked in security for a while (or in IT generally) you appreciate automation; you see the value as long as it's meaningful.

Meaningful automation #1: let's make that List a meaningful list for discovery

curl -s https://bugcrowd.com/list-of-bug-bounty-programs/ | grep 'data-label=' | cut -d '"' -f6 | cut -d '/' -f1,2,3 | sort -u > uris.tgts.lst && cut -d '/' -f3 uris.tgts.lst | sort -u > domains.tgts.lst

This leaves you with two files. uris.tgts.lst holds web addresses, i.e. every line begins with http:// or https://, which is what you want for feeding web crawlers or automated tools for web application mapping, discovery and low-hanging fruit (we'll get to that later). domains.tgts.lst holds just the domains, which is what you want for deeper reconnaissance: ASN identification, subdomain enumeration, port scans (we'll get to that later too). One caveat: the grep pattern and the cut field numbers are tied to the page's markup at the time of writing, so if the output looks odd, look at the raw HTML and adjust the fields rather than trusting the list.

Sam (Snoopy) was crying because I didn't mention Bugsheet (a website he goes on to not win money or t-shirts).

So here is the Bugsheet version:

curl -s http://bugsheet.com/directory | grep 'a href="' | cut -d '"' -f2 | grep -E '^https?://' | cut -d '/' -f1,2,3 | sort -u > Bugsheet.target.uri.lst && cut -d '/' -f3 Bugsheet.target.uri.lst | sort -u > Bugsheet.domains.lst

The grep -E '^https?://' keeps only absolute web links, which throws out mailto:, javascript: and tel: hrefs in one step and also drops relative links (like /about) that would otherwise turn into bogus 'domains' in the second file.
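The same extraction done in Python, as an added example (not from the original post), so the edge cases the grep/cut pipelines cannot see are handled explicitly: mailto:, javascript: and tel: links, relative links, fragments and query strings, mixed-case hosts, and the data-label attribute the Bugcrowd page carried. SAMPLE_HTML is constructed input and the hostnames in it are placeholders; fetch_and_split() is the live version and takes whichever directory URL you want to scrape.

```python
"""Extract target origins and domains from a bug-bounty directory page.

Added example (not from the original post): a stdlib-only equivalent of the
curl | grep | cut one-liners. SAMPLE_HTML is constructed sample input.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.request import urlopen


class LinkCollector(HTMLParser):
    """Collect every <a href> value, plus data-label attributes (which the
    Bugcrowd list page used to carry its program URLs in)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in ("href", "data-label"):
                self.links.append(value)


def split_targets(html):
    """Return (origins, domains): sorted, de-duplicated scheme://host[:port]
    strings and bare host names, keeping only absolute http(s) links."""
    parser = LinkCollector()
    parser.feed(html)
    origins, domains = set(), set()
    for raw in parser.links:
        parts = urlsplit(raw.strip())
        # Drops mailto:, javascript:, tel:, relative paths and bare fragments.
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            continue
        host = parts.hostname.lower()  # .hostname already strips userinfo/port
        netloc = host if parts.port is None else f"{host}:{parts.port}"
        origins.add(f"{parts.scheme.lower()}://{netloc}")
        domains.add(host)
    return sorted(origins), sorted(domains)


def fetch_and_split(url, origins_path, domains_path):
    """Live version: fetch `url` and write one origin/domain per line, like the
    uris.tgts.lst / domains.tgts.lst files. Returns (origin count, domain count)."""
    with urlopen(url) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        html = resp.read().decode(charset, "replace")
    origins, domains = split_targets(html)
    with open(origins_path, "w") as f:
        f.write("\n".join(origins) + "\n")
    with open(domains_path, "w") as f:
        f.write("\n".join(domains) + "\n")
    return len(origins), len(domains)


# Constructed sample: the mix of links a directory page actually contains.
SAMPLE_HTML = """
<ul>
 <li><a href="https://Example.com/security/bounty">Example</a></li>
 <li><a href="https://example.com/security/bounty#rules">Example (dup)</a></li>
 <li><a href="http://www.example.org:8080/bugs?ref=list">Example Org</a></li>
 <li><a href="/about">About this directory</a></li>
 <li><a href="mailto:security@example.net">Contact</a></li>
 <li><a href="javascript:void(0)">Share</a></li>
 <li><a href="tel:+15555550100">Phone</a></li>
 <li><span data-label="https://acme.example/.well-known/security.txt">ACME</span></li>
</ul>
"""

if __name__ == "__main__":
    origins, domains = split_targets(SAMPLE_HTML)
    print("\n".join(origins))
    print("--")
    print("\n".join(domains))
```

Run it as-is to see the sample output, or call fetch_and_split("https://bugcrowd.com/list-of-bug-bounty-programs/", "uris.tgts.lst", "domains.tgts.lst") to produce the two files live.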


Meaningful Automation #2: enumeration via ASNs (Autonomous System Numbers)

You will need a copy of Nmap installed for this; if you don't have Nmap installed, go check it out... you're welcome.

Autonomous System Numbers (ASNs)...
An ASN identifies a network that is routed as one unit on the internet, i.e. the set of IP prefixes an organisation announces via BGP. For a company that runs its own network, the ASN is shorthand for lots of IP addresses associated with that company.

If we look up a company's AS number we get a pretty accurate reflection of the part of their online estate they host themselves. Two caveats: plenty of companies have no ASN at all and live entirely in cloud or CDN address space, which you will not see this way (and which is shared with other tenants), and an ASN can announce space that is out of scope for the bounty, so cross-check what you find against the program rules.
I use bgp.he.net to find companies' ASNs...

By using the targets-asn NSE script we can get Nmap to do some heavy lifting in terms of host and service discovery 'company wide'. The script runs before any scan, looks up the prefixes announced by the ASN you give it and prints them (17012 is the ASN used for the PayPal example throughout this post):
nmap --script targets-asn --script-args targets-asn.asn=17012 > paypal.asn2ip.cleanme.txt

Starting Nmap 7.00 ( https://nmap.org ) at 2016-01-15 07:38 GMT
Pre-scan script results:
| targets-asn: 
|   17012
|     64.4.244.0/24
|     64.4.245.0/24
|     64.4.246.0/24
|     64.4.247.0/24
|     64.4.248.0/24
|     64.4.249.0/24
|     64.4.248.0/22
|     66.211.169.0/24
|     66.211.168.0/22
|     173.0.80.0/22
|     173.0.84.0/24
|     173.0.84.0/22
|     173.0.88.0/24
|     173.0.88.0/22
|     173.0.92.0/24
|     173.0.93.0/24
|     173.0.94.0/24
|     173.0.95.0/24
|_    173.0.80.0/20

Wicked. Clean up the output (strip Nmap's '|' decoration and collapse the overlapping prefixes: 64.4.248.0/24 is already inside 64.4.248.0/22 and 173.0.80.0/20 covers every other 173.0.x line, so scanning the list as-is hits the same hosts several times) and save it with a meaningful name, say paypal.$date.target.
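A small cleaner for that output, added here as an example (not part of the original post): it pulls the prefixes out of the targets-asn text, merges overlapping and adjacent ranges with Python's ipaddress module, and writes the paypal.$date.target-style file that -iL expects. SAMPLE_OUTPUT is the Pre-scan block shown above; the output file name is an assumption.

```python
"""Collapse `nmap --script targets-asn` output into a minimal -iL target list.

Added example, not code from the original post. SAMPLE_OUTPUT is the
Pre-scan block printed for AS17012 in the post; the route table announces
prefixes with overlaps, so the raw list would scan some hosts repeatedly.
"""
import ipaddress
import re

# Matches "|     64.4.244.0/24" and "|_    173.0.80.0/20"; skips the header
# lines and the bare "|   17012" ASN line.
PREFIX_RE = re.compile(r"^\|_?\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*$")


def parse_targets_asn(text):
    """Return the IPv4 networks listed in targets-asn output, in file order."""
    nets = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line.strip())
        if m:
            # strict=False tolerates a prefix whose host bits are not all zero.
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def collapse(nets):
    """Merge overlapping and adjacent networks (four /24s become one /22,
    a /24 inside a /22 disappears). Result is sorted by network address."""
    return list(ipaddress.collapse_addresses(nets))


def address_count(nets):
    """Total addresses covered, counting overlaps if the list has them."""
    return sum(n.num_addresses for n in nets)


def write_target_file(text, path):
    """Write the collapsed list one prefix per line (nmap -iL accepts CIDR).
    Returns the networks written."""
    nets = collapse(parse_targets_asn(text))
    with open(path, "w") as f:
        for n in nets:
            f.write(f"{n}\n")
    return nets


SAMPLE_OUTPUT = """Starting Nmap 7.00 ( https://nmap.org ) at 2016-01-15 07:38 GMT
Pre-scan script results:
| targets-asn: 
|   17012
|     64.4.244.0/24
|     64.4.245.0/24
|     64.4.246.0/24
|     64.4.247.0/24
|     64.4.248.0/24
|     64.4.249.0/24
|     64.4.248.0/22
|     66.211.169.0/24
|     66.211.168.0/22
|     173.0.80.0/22
|     173.0.84.0/24
|     173.0.84.0/22
|     173.0.88.0/24
|     173.0.88.0/22
|     173.0.92.0/24
|     173.0.93.0/24
|     173.0.94.0/24
|     173.0.95.0/24
|_    173.0.80.0/20
"""

if __name__ == "__main__":
    raw = parse_targets_asn(SAMPLE_OUTPUT)
    merged = collapse(raw)
    print(f"{len(raw)} announced prefixes, {address_count(raw)} addresses counting overlaps")
    print(f"{len(merged)} after collapsing, {address_count(merged)} unique addresses:")
    for n in merged:
        print(n)
```

On the sample the nineteen announced prefixes collapse to four, and the address count drops from 12544 (with overlaps) to 7168 unique addresses, which is the difference between scanning a /20 once and scanning parts of it three times.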
Back to Nmap...
There are a few things you can try from here. If you want to go H.A.M. then you might use the following:

nmap -p- -sV -iL paypal.target -oX paypal.allports.xml

This scans all 65535 TCP ports on every address in the paypal.target file you just prepared, gathers as much information about the services it finds as it can (-sV) and saves the lot to an XML file you can parse later. It will take a while; if you have an external box I'd recommend throwing it in a screen session and learning Mandarin while it scans. If you would rather take the common-ports approach than an absolute view of what IS open (at the time of scanning), ditch the -p- flag, replace it with the ports you care about and add --open so only open ports are reported, for example:

nmap -p80,443,8443,8080,8088,8010 -sV -iL paypal.target -oX paypal.common.web.ports.xml --open

Bear in mind that -p- covers TCP only (UDP services need a separate -sU scan), and that a full port scan across an entire ASN is loud, so expect it to be noticed.

This will only give you open ports on IP addresses. Working out which domains sit behind which addresses matters more than it looks for web targets: one address usually serves several name-based virtual hosts, and bounty scope is normally defined by hostname, not by IP. Nmap's reverse-DNS names end up in the XML (nmap -sL on the target file gives you just the PTR lookups), and the ssl-cert NSE script pulls names out of certificates; reconcile those against your domains.tgts.lst.

more nMap discovery options: https://nmap.org/nsedoc/categories/discovery.html

Once we have the ASN we have obtained a reasonably informed list of the target's online landscape. Cool. Once you have listed all your open ports you can see what might be worth moving to the next layer of discovery, such as DirBuster/gobuster brute forcing, spidering and the other web-layer phases before you attHack.
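Bridging from the XML to that next layer, as an added example (not from the original post): this reads the -oX output, keeps only open TCP ports that Nmap fingerprinted as some flavour of HTTP, picks http:// or https:// (Nmap marks TLS-wrapped HTTP with tunnel="ssl"), and emits one origin per IP address and per reverse-DNS name Nmap recorded, ready to hand to gobuster or a spider. SAMPLE_XML is a constructed sample in Nmap's output schema; the 203.0.113.0/24 addresses and example.com names are documentation placeholders.

```python
"""Turn nmap -oX output into a gobuster/DirBuster-ready list of web origins.

Added example, not code from the original post. Input is the XML written by
e.g. nmap -p80,443,8443,8080 -sV -iL paypal.target -oX out.xml --open.
SAMPLE_XML is constructed in nmap's schema with documentation addresses.
"""
import xml.etree.ElementTree as ET


def _is_web(service_name):
    # nmap names HTTP-ish services http, https, http-proxy, http-alt, https-alt...
    return service_name.startswith("http")


def _bracket(host):
    # IPv6 literals need brackets in a URL authority.
    return f"[{host}]" if ":" in host else host


def web_origins(xml_text):
    """Return sorted scheme://host:port origins for every open HTTP-ish TCP port.

    One origin is produced per IP address and one per hostname nmap attached to
    the host (PTR records, or a name given on the command line), because a
    name-based virtual host answers differently from the bare IP."""
    root = ET.fromstring(xml_text)
    origins = set()
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        targets = [a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")]
        targets += [h.get("name") for h in host.iter("hostname") if h.get("name")]
        for port in host.iter("port"):
            if port.get("protocol") != "tcp":
                continue
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # --open already filters these; be explicit anyway
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            if not _is_web(name):
                continue
            # tunnel="ssl" is how nmap records HTTP it had to speak TLS to reach.
            tls = service.get("tunnel") == "ssl" or name.startswith("https")
            scheme = "https" if tls else "http"
            for target in targets:
                origins.add(f"{scheme}://{_bracket(target)}:{port.get('portid')}")
    return sorted(origins)


def write_origins(xml_path, out_path):
    """File-to-file version: nmap XML in, one origin per line out. Returns count."""
    with open(xml_path, encoding="utf-8") as f:
        origins = web_origins(f.read())
    with open(out_path, "w") as f:
        f.write("\n".join(origins) + "\n")
    return len(origins)


SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p22,80,443,8080,8443 -sV --open -oX sample.xml" version="7.00">
<host><status state="up" reason="syn-ack"/>
<address addr="203.0.113.10" addrtype="ipv4"/>
<hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" product="nginx" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/><service name="https-alt" method="table" conf="3"/></port>
</ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="203.0.113.11" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/><service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""

if __name__ == "__main__":
    for origin in web_origins(SAMPLE_XML):
        print(origin)
```

Each line of the result is something gobuster can take as its -u argument; the SSH port and the filtered 8080 on the second host are dropped, and every web port on the first host appears twice, once by address and once by its PTR name.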

https://nmap.org/download.html
https://github.com/OJ/gobuster
https://www.owasp.org/index.php/Category:OWASPDirBusterProject
https://github.com/fuzzdb-project/fuzzdb
https://www.elevenpaths.com/labstools/foca/index.html

Takeaway

Hopefully this post gives you an insight into enumerating targets, primarily as a bug hunter; the same information will also assist in other areas of your IT security career or operations.