
My personal hacking log during the learning process

HACKING WEB APPS
Installing OWASP JUICE SHOP
I need to first install Docker on my virtual machine - KALI.
Follow the instructions above to install Docker.
Then search for "OWASP Juice Shop" on Google to find the instructions for running the Juice Shop locally on your machine using Docker.
To run the Juice Shop, open a terminal and type
sudo docker run -p 3000:3000 bkimminich/juice-shop
Then open http://localhost:3000 in the browser to access the app.
To Access the Score-board : go to http://localhost:3000/#/score-board
BURPSUITE WEB APP TESTING
There are three tiers when testing web apps:
1. Unauthenticated tier - not logged in / unauthenticated.
- try navigating the website and try to log in using credential stuffing, the forgot-password flow and default admin credentials
2. User tier
- log in as a user without admin privileges
3. Admin tier
- get access to admin panels and what ordinary users can't see.
SQL INJECTION
SQL INJECTION VERBS
SELECT -retrieve
INSERT - add
DELETE - remove
UPDATE - modify
DROP - delete table
UNION - combine
Other extra terms:
WHERE - filters rows on a specific condition
AND/OR/NOT - combine multiple conditions
ORDER BY - sorts the results in ascending/descending order
Special Characters:
' and " - string delimiters
--, /* */ and # - comment delimiters (# is MySQL only; SQLite and most others only use -- and /* */)
% and _ - LIKE wildcards (* selects all columns)
; - ends a statement
HOW TO DEFEND AGAINST SQLi
1. Parameterized statements (prepared statements) - the input is never part of the SQL text
2. Input validation and sanitizing (allow-list what a field may contain where possible)
Understanding
Input : test
SQL : SELECT * FROM Users WHERE email ='test';
Attack : test'
SQL : SELECT * FROM Users WHERE email ='test'';
The additional quote leaves the string literal unterminated, so the query never ends and SQLite returns an error.
Attack : test' OR 1=1; --
SQL : SELECT * FROM Users WHERE email ='test' OR 1=1; --';
- the first quote closes the input, then the condition OR 1=1 (which is always true) makes the WHERE clause match every row, the ";" ends the query and the "--" comments out the rest of the original query.
note: the requests you send in the Burp Suite Repeater are actually sent to the application server. Wow, that's cool.
The repeater shows me a lot of information
BLIND SQL INJECTION - this is where we can't see the SQL error or the output of the query.
We use a time delay such as sleep(5) (MySQL) to check whether the database executes our command; SQLite, which the Juice Shop uses, has no sleep(), so there the check is a true/false condition that changes the response instead.
The goal is to first find where the app is prone to SQL injection and then
modify the sql command query to exploit the vulnerability.
SOLVING THE SQL ATTACK on Jim's account:
First we got Jim's email from the product reviews and then modified the SQL input to jim@juice-shop.com'-- so the first quote (') closes the email and the (--) comments out the rest of the query:
SELECT * FROM Users WHERE email='jim@juice-shop.com'--
And since Jim's email is accurate, it logs us in as Jim. DONE
BLIND SQL CHALLENGE - Database schema
Use SQL injection to get the entire DB schema.
Go to the products page because products are kept in the database and try SQL injection on the product search bar; use Burp Suite to see behind the scenes.
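The three payloads above (test', test' OR 1=1 --, jim@juice-shop.com'--) and the blind schema challenge, worked through in Python against an in-memory SQLite database. This is an added example, not Juice Shop's code: the Users table, its rows and the query shape WHERE email = '...' are assumptions that follow the description above, and the blind extraction reads sqlite_master (SQLite's own schema table) one character at a time using nothing but "rows came back / no rows came back".

```python
import sqlite3
import string

# Constructed stand-in for Juice Shop's Users table (assumption: the real table
# has more columns and the login query also checks the password).
USERS = [
    ("admin@juice-sh.op", "admin"),
    ("jim@juice-shop.com", "customer"),
    ("bender@juice-shop.com", "customer"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (email TEXT, role TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def vulnerable_lookup(conn, email):
    """The pattern behind the examples above: the input is pasted into the SQL text.

    Returns (matched_emails, error). A stray quote leaves the string literal
    unterminated and SQLite reports an error, which is the tell described above.
    """
    sql = f"SELECT email FROM Users WHERE email = '{email}'"
    try:
        return [row[0] for row in conn.execute(sql)], None
    except sqlite3.Error as exc:
        return [], str(exc)


def safe_lookup(conn, email):
    """Parameterized statement: the value travels separately from the SQL text,
    so a quote, OR or -- inside it is just part of an (unknown) email address."""
    rows = conn.execute("SELECT email FROM Users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def blind_extract_first_table(conn, max_len=32):
    """Boolean-based blind extraction of the first table name in sqlite_master.

    Nothing from the database is ever displayed: each probe is a condition the
    vulnerable query answers with 'some rows' (true) or 'no rows' (false).
    """
    charset = string.ascii_letters + string.digits + "_"
    name = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = (
                f"x' OR (SELECT substr(name, {pos}, 1) FROM sqlite_master "
                f"WHERE type = 'table' LIMIT 1) = '{ch}' --"
            )
            rows, err = vulnerable_lookup(conn, probe)
            if err is None and rows:
                name += ch
                break
        else:
            break  # no candidate matched: we ran past the end of the name
    return name


if __name__ == "__main__":
    db = make_db()
    for payload in ["test", "test'", "test' OR 1=1 --", "jim@juice-shop.com'--"]:
        print(repr(payload), "vulnerable:", vulnerable_lookup(db, payload),
              "safe:", safe_lookup(db, payload))
    print("blind extraction found table:", blind_extract_first_table(db))
```

Against a real application the oracle in blind_extract_first_table is the HTTP response (a product list versus an empty list, a 200 versus a 500), and the same loop then walks the sql column of sqlite_master to pull the full schema.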
BROKEN AUTH
How can I get access to this application?
1. credential stuffing
2. brute-force attack
3. default, weak, well-known passwords
4. ineffective forgot-password flow
5. plain-text or weakly hashed passwords
6. missing MFA
7. exposes session IDs in the URL
8. doesn't rotate session IDs after successful login
9. doesn't properly invalidate session IDs
HOW TO TEST FOR BROKEN AUTH.
- try username enumeration
SENSITIVE DATA EXPOSURE
It is simply data that ends up in plain, clear text, or is protected only by weak crypto.
1. Is any data transmitted in clear text over protocols like HTTP, FTP and SMTP?
2. Are any old or weak cryptographic algorithms used?
3. Are default crypto keys in use, weak crypto keys generated, or keys re-used?
4. Is encryption enforced (e.g. HTTP redirected to HTTPS)?
5. Does the user agent fail to verify that the received server certificate is valid?
Go to securityheaders.com to look up the website's response headers and check what's missing.
Use nmap to check which TLS versions and ciphers the website offers:
nmap --script=ssl-enum-ciphers -p 443 tesla.com
Check security headers and ciphers when writing a report for a web app testing client.
XML External Entities
XXE ATTACK
- it attacks systems that parse XML input.
Attacks include DoS, local file disclosure, remote code execution and more.
Basically, create a malicious XML document and upload it as a file into the front end of the website. The gift document below declares an internal entity (&from;); an XXE payload instead declares an external entity that points at a local file (the classic is SYSTEM "file:///etc/passwd") and references it in a field the application echoes back.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
<!ENTITY from "Daniel&amp;Angel">
]>
<gift>
<To>Frank</To>
<From>&from;</From>
<Item>Pokemon Cards</Item>
</gift>
Search for XXE payloads on Google.
File upload features can be very devastating if not maintained well.
How to protect against XXE?
Disable DTDs / external entities in the XML parser.
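What the DTD in the gift document above actually does to a parser, as an added Python example (not Juice Shop's code, nor from the original notes). It uses the standard library's xml.etree, which honours internal entity declarations, to show the entity being expanded, a small version of the entity-amplification trick, and the defence named above: refuse any document that carries a DOCTYPE at all. Both documents are constructed inline.

```python
import re
import xml.etree.ElementTree as ET

# The gift document from the notes (ampersand written as &amp; so the XML is well-formed).
GIFT = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
<!ENTITY from "Daniel&amp;Angel">
]>
<gift>
<To>Frank</To>
<From>&from;</From>
<Item>Pokemon Cards</Item>
</gift>"""

# Constructed amplification document: each entity references the previous one ten
# times, so a few short lines of DTD expand into a much larger text node.
AMPLIFY = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def parse_trusting(xml_text):
    """What a default parser does: the DTD is processed and entities are expanded."""
    return ET.fromstring(xml_text)


def sender_of(xml_text):
    """Return the expanded <From> value of a gift document."""
    return parse_trusting(xml_text).findtext("From")


def expanded_length(xml_text):
    """Length of the root element's text after the parser expanded all entities."""
    return len(parse_trusting(xml_text).text or "")


def parse_untrusted(xml_text):
    """The defence above: no DTD, no entities. Reject before the parser sees it.

    xml.etree has no switch to turn DTD processing off, so the check runs on the
    raw text; in production the usual answer is the defusedxml package, which
    applies the same rule to every stdlib parser.
    """
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    print("From field expands to:", sender_of(GIFT))
    print("amplification:", len(AMPLIFY), "bytes in ->", expanded_length(AMPLIFY), "chars of text")
    try:
        parse_untrusted(GIFT)
    except ValueError as exc:
        print("untrusted parser refused it:", exc)
```

The amplification here is tiny (a hundred copies of "lol"); the real denial-of-service variant nests ten levels deep, and an external entity in the same position is what turns the trick into file disclosure.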
BROKEN ACCESS CONTROL
It's as simple as a user gets access to where they shouldn't.
Insecure Direct Object Reference - IDOR
How can I get access ?
1. Bypassing access control checks by modifying the URL, internal application
state or HTML Page or simply using a custom API attack tool.
2. Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account
3. Privilege elevation; acting as a user without being logged in or acting as
an admin when logged in as a user.
4. Metadata manipulation such as replaying or tampering with a JSON Web Token or cookie
5. CORS Misconfiguration allows unauthorized API access
6. Force browsing to authenticated pages as an unauthenticated user or to
privileged pages as a standard user. Accessing API with missing access controls
for POST, PUT and DELETE.
SECURITY MISCONFIG
CROSS-SITE SCRIPTING (XSS)
Three types of XSS
1. Reflected
2. Stored/Persistent
3. DOM
Impact: keylogging, DoS, stealing cookies, defacing websites.
DOM Based XSS explained:
source - the location where the malicious input is introduced (this is where my malicious input goes, e.g. location.hash or a URL parameter read by client-side JavaScript)
sink - the location where the malicious input is executed (this is where my malicious input is executed, e.g. innerHTML or eval)
DOM-based XSS is the one I am going to see the least because it requires social engineering; it's usually reflected and stored that are common.
HOW TO CARRY OUT XSS?
inspect any elements that allow input
STORED XSS
- say there is a comment section; you can use XSS there to steal the admin's cookie and log in as the administrator
CLASS
traceroute 8.8.8.8
Get to nmap.
nmap gives me a lot of details about the network.
-flat network
-subnetted network
scanme.nmap.org
when pentesting, we agree on the rules of engagement.
RULES OF ENGAGEMENT
-white box (all information is given)
-black box(i am given nothing)
-grey box (given some information)
We need to agree on the scope of attack.
ENUMERATION
whois
dnsdumpster
nslookup.io
whois easycounter
use many options to make sure you have the right target.
install wappalyzer to detect technologies running on a platform.
ssh - banner grabbing, bruteforcing
http nping-echo
Elite
BURPSUITE WALKTHROUGH
This is a walkthrough of the features of Burp Suite and how they can be used in testing web apps.
Target - anything and everything that has gone through my proxy
Adding to Scope - this helps to narrow down my target webapp
When performing bug bounties, you are given a scope to focus on. This is where
the Scope feature helps.
I can even exclude the websites not in the scope.
Crawl - spiders the website by following links (and checking files such as robots.txt) to map out its content.
Intercept tool - This intercepts requests from the client side before they are sent to the web server, so they can be edited or dropped.
Repeater - This allows us to modify a request and resend it to the server as many times as we like while seeing the raw response.
Intruder - This allows us to send a lot of requests in a short period of time with a changing payload, for example password spraying, brute force or fuzzing.
Decoder & Encoder - can encode or decode any data I receive from the intercept (URL, Base64, hex and so on).
Extender feature - this is where the BApp Store extensions live; they add tools that do more extensive checks and operations. Many of them require the Pro edition.
The Pro version is far better when doing this professionally.
#KeepLearning.
WEB APP TESTING SERIES
Ep1: ENUMERATION
Pentesting Techniques: Information Gathering, Scanning, Enumeration, Exploitation, Maintaining access and cleanup
Tools: Burp Suite (Pro), Nikto, Dirbuster, curl, sublist3r, nmap and so much more
Attacks: OWASP Top 10 e.g. Injection, Broken Auth, XSS, XXE etc.
Bug bounty Programs;
bugcrowd.com
hackerone.com
synack.com/red-team
guru99.com/bug-bounty-programs
Education;
elearningsecurity.com/course/web application penetration testing
portswigger.net/web-security
giac.org/certification/web-application-penetration-tester-gwapt
Amazon web app hackers handbook
Use the OWASP TESTING GUIDE CHECKLIST to get insight into the methodology and tools to use when doing a pentest, to ensure you don't miss anything.
Bug bounties are crowd-sourced bug hunting programs where you are paid to hack websites within an agreed scope.
Enumeration is very important;
THE FIVE STEPS OF HACKING
1. Reconnaissance: passive & active
stage one is passive; only gather public information (Google, WHOIS, certificate logs) without touching the target
stage two is active; this is where we scan the web app directly
What are we looking for?
subdomains, interesting files on the web, whois for target confirmation, check
breach credential dumps for passwords
2. Scanning and Enumeration
- using Burp Suite, nmap, Nikto
- looking for vulnerabilities and enumerate the information we gather.
The best penetration testers are the ones who can enumerate, have good patience
and are willing to dig deep when nothing is on the surface.
3. Gaining Access/Exploitation
-user/admin account
-running a Remote Command Execution
4. Maintaining Access
5. Covering tracks
-deleting logs
RECONNAISSANCE;
Target validation; making sure the target we have is in the right scope.
tools---WHOIS, nslookup, dnsrecon
Finding Subdomains;
tools---Google Fu, dig, Nmap, Sublist3r, Bluto, crt.sh etc
look for those subdomains that aren't supposed to be accessed by the public
Fingerprinting;
tools---Nmap, Wappalyzer, WhatWeb, BuiltWith(passive), NetCat
Data Breaches;
tools---HaveIBeenPwned
TASK: We have been asked to gather info about a company, irobot.com. Let's take a look at some info gathering tools and see what useful info we come up with.
Download sublist3r from GitHub,
then we run a command in the terminal:
python sublist3r.py -d domain.com
the -d stands for domain
Now let's try using crt.sh
If you are wondering, the % stands for wildcard, meaning "give me everything" under that domain (every certificate issued for it that ended up in the public logs).
This also gives some info about their internal network (internal hostnames that were issued certificates).
Now let's get to burpsuite;
But first, Let's learn HTTP Requests;
HTTP operates as a request-response protocol, where a client sends a request to
a server, and the server responds with the requested information.
1. GET:
Purpose: Used to request data from a specified resource.
Data in Request: Parameters can be included in the URL (query string).
Idempotent: Yes (repeating the same request multiple times has the same effect
as making it once).
Example:
GET /example/resource?id=123 HTTP/1.1
Host: www.example.com
2. POST:
Purpose: Used to submit data to be processed to a specified resource.
Data in Request: Included in the request body.
Idempotent: No (repeating the same request may have different effects).
Example:
POST /example/resource HTTP/1.1
Host: www.example.com
key1=value1&key2=value2
3. PUT:
Purpose: Used to update a resource or create a new resource if it doesn't
exist.
Data in Request: Included in the request body.
Idempotent: Yes.
Example:
PUT /example/resource/123 HTTP/1.1
Host: www.example.com
Updated data...
4. PATCH:
Purpose: Partially update a resource.
Data in Request: Includes only the changes to the resource, not the entire
resource.
Idempotent: No.
Example:
PATCH /example/resource/123 HTTP/1.1
Host: www.example.com
{ "key1": "new value" }
5. DELETE:
Purpose: Used to request the removal of a resource.
Data in Request: Not common; the resource is identified by the URL and a body is not expected.
Idempotent: Yes.
Example:
DELETE /example/resource/123 HTTP/1.1
Host: www.example.com
6. HEAD:
Purpose: Similar to GET but without the response body, used to retrieve the
headers for a resource.
Data in Request: Similar to GET.
Idempotent: Yes.
Example:
HEAD /example/resource HTTP/1.1
Host: www.example.com
7. OPTIONS:
Purpose: Used to describe the communication options for the target resource.
Data in Request: Not common, often used without a request body.
Idempotent: Yes.
Example:
OPTIONS /example/resource HTTP/1.1
Host: www.example.com
8. TRACE:
Purpose: Used for diagnostic loop-back testing: the server echoes the request it received back to the client.
Data in Request: Echoes the received request, allowing the client to see what changes or additions have been made by intermediate servers. Servers normally have it disabled.
Idempotent: Yes.
TRACE /example/resource HTTP/1.1
Host: www.example.com
9. CONNECT:
Purpose: Used to establish a network connection to a resource (usually a secure
tunnel).
Data in Request: Not common.
Idempotent: No.
Example:
CONNECT www.example.com:443 HTTP/1.1
BURPSUITE
Using the advanced scope tool with regex
.*\.test\.com$
replace test with the domain name, like isbatuniversity, and com with the domain extension, like ac.ug, keeping the dots escaped: .*\.isbatuniversity\.ac\.ug$
Go to securityheaders.com to check for headers in case of pentesting but it is
a very low finding.
-Install Wappalyzer to help identify a website.
It helps us look into the technologies the website is built with.
the server it runs on/ This can help us find vulnerabilities in line with the
server and exploit the website.
Search for the vulnerabilities of all the technologies used in the website.
--BuiltWith can also get the job done
--weleakinfo.com
--hunter.io
This searches for all emails connected to the domain
You can use this info from the emails to initiate a spray attack.
Use linkedin to find potential credentials from the emails you get.
SCANNING AGAINST THE WEBSITE: ACTIVE RECON
1. Nikto; Nikto is very noisy and is easily identified by any WAF (web application firewall).
This is a vuln scanner. It shows the IP, SSL info, server & header information.
It checks to see whether any web frameworks are vulnerable to what we are scanning against.
Command: nikto -h domain (-h stands for host)
2.Nmap;
Scanning for SSL and ciphers
Command; nmap -p 443 --script=ssl-enum-ciphers domain/ip
-p stands for port, 443 stands for https , the script's purpose is to enumerate
the ssl ciphers.
Weak ciphers are very rarely exploitable in practice, but they are a standard pentest finding.
nmap -p80,443 -A -T4 13.126.37.195
-p80,443: This option specifies the ports to be scanned. In this case, it is
scanning ports 80 and 443. Port 80 is commonly used for HTTP, and port 443 is
commonly used for HTTPS.
-A: This option enables aggressive scanning. It includes various additional
scanning and probing techniques to gather more information about the target.
This includes version detection, script scanning, and OS detection.
-T4: This option sets the timing template to aggressive. It controls the speed
of the scan. In this case, it sets the timing to be faster (T4). The timing
templates range from T0 (Paranoid) to T5 (Insane), with T4 being a good balance
between speed and reliability.
13.126.37.195: This is the target IP address that Nmap will scan.
We have to be careful with active scans
The best way to crawl is to manually map the website.
HOMEWORK;
--Enumerate the Juiceshop
Ep2. ENUMERATION PART 2
Topics;
Enumeration - What did we find in our app? How does Burp Suite Pro fare?
Inspection - Why is it important
XSS - Reflected vs DOM? stored to come later
Code Manipulation/UI Bypassing - How can we alter code into our favor?
check the robots.txt file on the web app. This shows us what the site owner does not want crawled, which makes it our first target.
use Inspect Element to see what's happening in the background.
Go to the debugger and pretty-print the JavaScript.
Cross site scripting;
it's basically malicious code injection into pages that other users view:
-steal cookies
-take over sessions
-keylogging
-inject beef hooks
DOM based XSS
Fuzz every input I can find
Mitigation;
-encoding output to mitigate XSS attacks
-filtering to strip dangerous markup from input (easily bypassed on its own)
-validation - reject input that does not match what the field expects, so script tags never reach the server
-sanitization - a combination of the above
Cookies; set the HttpOnly flag so scripts can't read the session cookie and the Secure flag so it is only sent over HTTPS. Neither stops XSS itself, but they limit what a stolen session is worth.
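The difference between filtering and encoding, as an added Python example (not from the notes or from Juice Shop): a blocklist that strips <script> tags, the nested-tag and event-handler payloads that walk straight past it, and output encoding with html.escape, which has no such bypass. The comment strings are constructed attacker inputs.

```python
import html
import re

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# Anything the HTML parser would read as the start of a tag.
TAG_START = re.compile(r"<\s*/?[a-z]", re.IGNORECASE)

# Constructed attacker inputs for a comment field.
PAYLOADS = {
    "plain": "<script>alert(document.cookie)</script>",
    # Stripping the inner <script> once re-forms the outer one.
    "nested": "<scr<script>ipt>alert(document.cookie)</scr</script>ipt>",
    # No "script" anywhere: an event handler on an ordinary tag.
    "handler": '<img src=x onerror="alert(document.cookie)">',
}


def filter_script_tags(value):
    """Blocklist 'filtering': remove anything that looks like a <script> tag."""
    return SCRIPT_TAG.sub("", value)


def encode_for_html(value):
    """Output encoding for an HTML text or quoted-attribute context: <, >, &
    and quotes become entities, so the browser displays them as characters."""
    return html.escape(value, quote=True)


def survives_as_markup(protect, payload):
    """After applying protect(), does the value still contain something the HTML
    parser treats as a tag? True means the defence failed for this payload."""
    return bool(TAG_START.search(protect(payload)))


def render_comment(comment, protect=encode_for_html):
    """Stand-in for the comment template; the safe function is the default."""
    return f'<div class="comment">{protect(comment)}</div>'


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:8} filter bypassed: {survives_as_markup(filter_script_tags, payload)!s:5} "
              f"encoding bypassed: {survives_as_markup(encode_for_html, payload)}")
    print(render_comment(PAYLOADS["handler"]))
```

html.escape is the right tool only for HTML text and quoted attribute values; a value that lands inside a JavaScript string, a URL, or a DOM sink such as innerHTML needs the encoding (or the API, such as textContent) for that context instead.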
Ep3. XSS, SQL Injection & Broken Access Control
XSS: Sanitization bypass
Broken Access Control: OWASP #5 (A5 in the 2017 Top 10)
SQLi: The basics!
Plus some other cool stuff
Checkout xxesser
VIEW ANOTHER USER'S SHOPPING CART
Add a product to the cart and view the cart page in the Inspector; Navigate to
storage and check the session storage
UPLOAD AN UNWANTED FILE IN THE UPLOAD INPUT
We shall upload an XML payload. Against a vulnerable parser, these can be used to read local files such as /etc/passwd.
Search for XXE payloads on GitHub. Those cheat sheets will help.
SQL INJECTION;
Easy to avoid but still happens quite often.
Login with admin account without using sql injection
We already have the admin email admin@juice-sh.op
Right click and Send To Intruder.
Under Positions, highlight the password we used and click Add §; this marks it as the payload position that will change against the email used in the brute force.
Then go to the Payloads tab and paste in a password list from the SecLists GitHub repository.
Below is how we shall get the payload list.
Intruder is slow on the Burp free edition, so we shall do a proof of concept.
How do we find a successful password?
Through status codes - 200 means OK, but this doesn't work all the time.
The response length will be different from the rest.
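Grading Intruder results by status code and length, as an added Python example (not from the notes or from Burp). The responses are constructed raw HTTP responses standing in for what Intruder's results table shows; the code parses each one and flags guesses whose (status, length) signature differs from the common baseline, rather than trusting a 200 alone, which is exactly the case where status codes do not work.

```python
from collections import Counter


def make_response(status, reason, body):
    """Build a constructed raw HTTP/1.1 response with a correct Content-Length."""
    return (f"HTTP/1.1 {status} {reason}\r\nContent-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed results for five password guesses against a login endpoint that
# answers 200 even on failure, so only the length gives the success away.
FAIL = '{"error":"Invalid email or password"}'
RESPONSES = {
    "guess1": make_response(200, "OK", FAIL),
    "guess2": make_response(200, "OK", FAIL),
    "guess3": make_response(200, "OK", '{"authentication":{"token":"<redacted>","umail":"admin@juice-sh.op"}}'),
    "guess4": make_response(200, "OK", FAIL),
    "guess5": make_response(429, "Too Many Requests", '{"error":"Slow down"}'),
}


def parse_response(raw):
    """Return (status_code, headers, body) from a raw HTTP/1.1 response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def signature(raw):
    """What Intruder's table shows per request: status code and response length."""
    status, headers, body = parse_response(raw)
    length = int(headers.get("content-length", len(body)))
    return status, length


def triage(responses):
    """Group guesses by signature. The most common signature is the failure
    baseline; everything else deserves a look: a success, but also a lockout
    or rate limit, which is why the outliers are returned rather than a winner."""
    sigs = {guess: signature(raw) for guess, raw in responses.items()}
    counts = Counter(sigs.values())
    baseline = counts.most_common(1)[0][0]
    outliers = {guess: sig for guess, sig in sigs.items() if sig != baseline}
    return baseline, outliers


if __name__ == "__main__":
    baseline, outliers = triage(RESPONSES)
    print("failure baseline (status, length):", baseline)
    for guess, sig in outliers.items():
        print("look at", guess, sig)
```

In Burp the same triage is a click on the Length column; the value of doing it in code is on large runs, where sorting by a single column hides a second kind of outlier such as the 429 above.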
Live Web Hacking Practice
This is a live hacking exercise on a website:
First, let's run Nikto against the website to start our enumeration process.
nikto -h domain
We need to validate our target scope and make sure we are attacking the right
website or server.
Run whois on the domain.
whois domain
Check securityheaders.com to review the response headers.
The next step is to fingerprint the website: Basically finding what
infrastructure the website runs on;
There are many ways to do this;
1. Nmap
nmap -A -p 80,443 <ip address>
2. Wappalyzer
You can also use whatweb in kali
whatweb -v forexbullsacademy.com
You can also use netcat
nc forexbullsacademy.com 443
The next step is enumerating all the subdomains.
You can use sublist3r; I already have a note above talking about how that works.
Juice Shop Challenges Solved
Hacking OWASP’s Juice Shop Pt. 8: Missing Encoding
In the challenge, that particular picture doesn't load, and when I used the inspector tool to find out why, I compared it to the other picture URLs and saw that there was a # in it, which is not allowed unencoded in a URL path. So I used a URL encoding tool at https://www.eso.org/~ndelmott/url_encode.html to find what # encodes to (%23) and simply replaced it.
Hacking OWASP’s Juice Shop Pt. 11:
Outdated Whitelist
TCM PRACTICAL BUG BOUNTY COURSE
Introduction
Introductory sections;
1. Introduction
2. Web application security intro
3. Before we attack
4. Lab build
5. Web App Technologies
Recon & Info Gathering
1. Technology Fingerprinting
2. Directory Enumeration
3. BruteForce Attacks
4. Subdomain Enumeration
5. Burpsuite Overview
Attacks
1. Authentication and Authorization
2. Brute-force, MFA, IDORs etc
3. Injection Attacks
4. LFI/RFI, SQLi, XSS, SSTI, Command Injection, XXE, File Uploads etc
5. Other Common Attacks like CSRF, SSRF, Subdomain takeovers etc
Wrapping Up
1. Reporting
2. Evasion techniques
3. Closing topics
Web Application Security
Importance Of Web App Security
1. Data protection
2. Maintaining customer trust
3. Legal and regulatory compliance
4. Preventing Business Disruption
5. Protecting Brand Reputation
6. Preventing Financial Loss
7. Avoiding IP Theft (Intellectual Property - IP)
8. Preventing Identity Theft
Web App Security Standards & Best Practices
WEB SECURITY BEST PRACTICES;
1. Regular patching/Updates
2. Least Privilege
3. Secure coding (Input validation & sanitization)
4. Secure data storage
5. MFA
6. Logging and monitoring
7. User training
8. And so much more
WEB SECURITY STANDARDS;
Research and learn more on weaknesses from the sites below as you do your bugbounties. Look up blogs and write-ups on these attacks and how they are pulled
off.
1. Owasp Top 10 - https://owasp.org/Top10
2. Common Weakness Enumeration - https://cwe.mitre.org/index.html
3. CWE Top 25 - https://www.sans.org/top25-software-errors
Bug Bounty Hunting Vs Penetration Test
1. Impact is everything - Bug bounty
2. Partial(bug bounty) Vs Whole Application (Pentest)
3. Compliance (Pentest)
NON-IMPACT FINDINGS; - PENTEST CENTERED
1. Weak password policy
2. No Lockout policy
3. Unlimited login attempts
4. User Account Enumeration
5. Out-Of-Date Software
6. Cookies(Flags, expiration etc)
7. Ciphers
8. Certificates
To check for security headers on a site , visit securityheaders.com
To check the certificates, visit https://www.ssllabs.com/ssltest/
Phases Of A Web App Pentest
ENGAGEMENT STEPS;
1. Statement Of Work
A long form of a quotation and payment terms that needs to be signed.
How many pages are on the website, what the website is, how many roles on the site.
Master Service Agreement
This lays out the rules of the vendor-client relationship:
who is liable if something occurs, liability while hacking the production systems in case of disruptions,
and in case of a court dispute, what the process is.
This has to be signed before we move to other stages.
2. Rules Of Engagement Signed
This basically lays out what we can and cannot do during engagement.
What times, dates we will be testing?
The roles and responsibilities between us the pentesting company and
the client's team
Who is the Client Point Of Contact ? CPOC
Who is the Pentesting Point Of Contact?
Outline the test dates and the status updates via a team channel like
slack or telegram.
What's the scope of the test? Check for the wildcards. If there are
wildcards, you can go to subdomains too. If not, then focus on the domain you
have been given only.
Indicate when we shall stop testing
Shall we maintain access to the website?
Indicate the project closure
Indicate Out Of Scope attacks like DDOS or social engineering attacks
Add a disclaimer note at the bottom
---You cannot begin your pentest unless the ROE is signed.
3. Verify The Scope; Use whois to confirm the IP address
4. Pentest Occurs
The web app pentest usually lasts a week because you need to make sure that there is no stone left unturned.
5. Report Written and Delivered
6. Client Debrief
7. Retesting (If Necessary)
Before We Attack
Understanding Scope, Ethics, Code Of Conduct
Scope;
This defines the range of assets in which the organisation is explicitly inviting security researchers to find vulnerabilities.
Out Of Scope;
This refers to the assets that are explicitly off-limits for security
researchers participating in the bug bounty program.
Why is scope important?
1. Legal and ethical boundaries
2. Resource allocation
3. Practical reasons
4. Fairness
Can you Submit Out Of Scope bugs?
1. Most of the time, triage will reject submissions
2. If there is a clear business impact, it can be helpful
3. No bounty will be awarded for out-of-scope submissions
Duplicate bugs
- Organizations only award the bounty to the initial reporter
-Knowingly reporting a duplicate report is unethical
Structural Issues
- One fix, one reward
-If multiple fixes are required, it's not a duplicate
-Ask yourself whether the fix for the first report would have fixed the others?
Community Code Of Conduct
-Disclosure terms
-Collaboration
-Asking for updates
-Out of scope submissions
-Use of illegal or cracked software
-Out of bound communication
-Hoarding of vulnerabilities
-Data exposure and PII
-Third party services
-Intrusive testing
-Pivoting
-Behavioural guidelines
-Sanctions
-Right to appeal
-Responsible disclosure while restricted
-International laws and sanctions list validations
-Your tax and financial obligations
Common Scoping Mistakes
Scoping Mistakes;
1. Not thoroughly reading the scope before testing
2. Not strictly following the scope
3. Misunderstanding the importance of scope
4. Reviewing asset scope, while forgetting bug scope
5. Assuming all subdomains are in-scope
6. Not verifying if third-party services are in scope
7. Improperly configuring tools to adhere to scope
8. Reporting out of scope findings
Commonly Out Of Scope Vulnerabilities;
1. Physical attacks
2. Social Engineering
3. Denial of service (DoS)
4. Outdated software
5. Missing headers/cookie flags
6. Brute-forcing credentials
7. Username enumeration
8. Fingerprinting
9. Theoretical attacks
10. Leaked credentials
First look at the rules of engagement of the bug bounty
Installing VMWare/VirtualBox
Complete
Installing Linux
Install pimp my kali tool
Click the first github link - https://github.com/Dewalt-arch/pimpmykali
Clone the git repo
Head over to kali terminal and clone the git repo in the opt directory
Access the pimpmykali directory using cd command
Then ls to see the contents
Run sudo ./pimpmykali.sh
Type N to install the tools.
This took more than 30 minutes, but it's done, hopefully.
Lab Installation
Type sudo apt update
sudo apt upgrade
Then type sudo apt install docker.io
Then type sudo apt install docker-compose
Access the zip file shared in the TCM dashboard - https://cdn.fs.teachablecdn.com/iaWfH4NrRp20zLOd3xLr
Unzip the file - unzip bugbounty-v1.1.zip
Web App Technologies
Web Technologies
HTML - the skeleton of a website
CSS - describes the presentation of a document written in HTML
JavaScript - makes web pages interactive and dynamic. It also runs server-side in Node.js applications.
front-end attacks can also be done in JS
Server side (operations on the server where the site is hosted - data storage, retrieval and processing)
Client side (in the browser, on the user's device)
In between the two usually sit:
-Load balancers
-CDNs
-WAFs
Do 20 minutes a day in programming websites - The Odin Project or Freecodecamp.
HTTP & DNS
HTTP is a request response protocol.
HTTP Methods;
1. GET
2. POST
3. PUT
4. DELETE
Response codes;
100 - Informational
200 - Successful
300 - Redirection
400 - Client errors
500 - Server errors
HTTP is stateless meaning that each request from the client is treated as a
stand-alone request with no memories of prior requests. That's why cookies are
used to remember users
DNS- Domain Name System
It is a hierarchical and decentralized system that translates human-readable domain names to IP addresses.
1. top level domain
2. second level domain
3. subdomain
DNS Records;
they provide info about domains
A record - maps domain name to IPV4
MX record - specifies the mail server for a domain
CNAME - creates an alias for a domain name
Reconnaissance and Information Gathering
Fingerprinting Web Technologies
We need to dig deep and find assets that not many people are looking at.
Focus on the responsible disclosure programs in the beginning stages because
there is not so much competition.
This helps them know that it's a bug bounty hunter testing their application
and not a malicious hacker.
Read through the Rules Of Engagement
How To Identify Website Technologies.
Visit https://builtwith.com
Focus on the methodology and not the tools specifically.
Install Wappalyzer extension as another alternative
This helps us understand;
1. What architecture are they using
2. What stacks are they using
3. What tools are they using
And how can we abuse these to attack the website.
Let's say they are using Microsoft IIS: we can look for vulnerabilities specific to IIS and Windows.
The same goes for a Linux/PHP stack: we look for known issues in that PHP version and its extensions.
In Kali, use curl -I https://azena.com
Notice the HTTP 3xx status, meaning we are being redirected to another page.
Contrast this with the one below:
https://forexbullsacademy.com gives us an HTTP 200, meaning we are reaching the real site directly.
Now, to follow the redirect in the first instance, we need to add -L to our curl command:
curl -I -L https://azena.com
We are looking at:
1. the server the website is running on
2. security headers
3. different tags
You can also use https://securityheaders.com for a nice clean version.
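Reading curl -I -L output the way securityheaders.com does, as an added Python example (not from the notes or from either tool). The header blocks are constructed to look like two hops of curl -I -L output (a 301 to www, then the real 200): the code splits the hops, reports the server banner of the final hop, lists which of the six headers securityheaders.com grades on are missing, and checks Set-Cookie for the Secure and HttpOnly flags. The hostnames and versions in the sample are made up.

```python
SECURITY_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]

# Constructed output in the shape `curl -I -L` prints: one header block per hop.
CURL_OUTPUT = """HTTP/2 301
server: nginx
date: Mon, 01 Jan 2024 00:00:00 GMT
location: https://www.example.com/

HTTP/2 200
server: nginx/1.18.0
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.4.3
set-cookie: PHPSESSID=abc123; path=/
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
"""


def parse_hops(output):
    """Split curl -I output into hops: a list of (status_code, [(name, value), ...])."""
    hops = []
    for block in output.strip().split("\n\n"):
        status_line, *lines = block.strip().split("\n")
        status = int(status_line.split()[1])
        headers = []
        for line in lines:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        hops.append((status, headers))
    return hops


def header_values(headers, name):
    """All values of a header (case-insensitive); Set-Cookie may appear many times."""
    return [v for n, v in headers if n == name.lower()]


def missing_security_headers(headers):
    return [h for h in SECURITY_HEADERS if not header_values(headers, h)]


def cookies_missing_flags(headers):
    """Cookie names that lack the Secure or HttpOnly attribute."""
    problems = {}
    for value in header_values(headers, "set-cookie"):
        name = value.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in value.split(";")[1:]}
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            problems[name] = missing
    return problems


def report(output):
    """Summarise the final hop, which is the one the user's browser ends up on."""
    hops = parse_hops(output)
    final_status, final_headers = hops[-1]
    return {
        "redirects": [next(iter(header_values(h, "location")), None)
                      for s, h in hops[:-1] if 300 <= s < 400],
        "final_status": final_status,
        "server": (header_values(final_headers, "server") or ["unknown"])[0],
        "powered_by": header_values(final_headers, "x-powered-by"),
        "missing": missing_security_headers(final_headers),
        "cookies_missing_flags": cookies_missing_flags(final_headers),
    }


if __name__ == "__main__":
    for key, value in report(CURL_OUTPUT).items():
        print(f"{key}: {value}")
```

Missing headers and cookie flags are the low-severity findings the notes mention; the Server and X-Powered-By banners are what feeds the next step, searching for known vulnerabilities in those exact versions.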
Use nmap
nmap -p443 -A azena.com
nmap -p80,443 -A azena.com
Nmap is good for scanning particular ports, not for assessing the website as a whole.
Usually when you hit Amazon S3 or CloudFront, you are not hitting the main web server; you are likely looking at a CDN or a redirect in front of it.
Directory Enumeration & Brute Forcing
Basically, looking at directories of website while using word-lists to search
for other directories.
First Tool : Directory bruteforcing
sudo apt install ffuf to install the tool
ffuf --help
Fuzz Faster U Fool
We are trying to fuzz an endpoint using a wordlist.
Syntax
navigate to the wordlists directory and head to the dirbuster list
We are going to utilize directory-list-2.3-medium.txt
ffuf attack syntax (standard ffuf usage: -u is the target URL with the FUZZ keyword where each word is substituted, -w is the wordlist):
ffuf -u https://forexbullsacademy.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
I am having issues with the ffuf tool
Dirb Tool
Command: dirb https://forexbullsacademy.com
We can also test for specific file extensions
Command: dirb https://forexbullsacademy.com/ -X .html (test for files with the .html extension)
We can also specify our own wordlist as the second argument
Command: dirb https://forexbullsacademy.com/ /path/to/wordlist.txt
Dirbuster Tool
This tool comes preinstalled on Kali.
Command: dirbuster&
Subdomain Enumeration
.com - Top level domain
azena.com - second level domain
dev.azena.com - subdomain
In bug bounty hunting, the deeper I dig, the better off I am.
Tools:
Google Search
Command site:azena.com -www -store
site:azena.com filetype:pdf password
CRT.SH - https://crt.sh/
Command: %.azena.com
SUBFINDER
sudo apt install subfinder
subfinder -d azena.com
To output the list into a file
subfinder -d azena.com -o azenasubdomains
ASSET FINDER
Command: assetfinder azena.com
To keep only the hosts under azena.com, de-duplicated, use the command below (note that grep azena.com also matches look-alikes such as notazena.com, so check the list by eye):
assetfinder azena.com | grep azena.com | sort -u > azena.txt
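Filtering enumeration output against the scope, as an added Python example (not from the notes or from any of the tools above). It serves both the Burp advanced-scope regex (.*\.test\.com$) from the earlier episode and the grep | sort -u pipeline here: a wildcard scope entry like *.azena.com admits subdomains, a bare azena.com admits only that host, out-of-scope entries are removed, and the anchored regex rejects the look-alikes that a plain grep azena.com lets through. The host list is constructed; the azena.com and store.azena.com names are used only because the notes use them.

```python
import re


def parse_scope_entry(entry):
    """'*.azena.com' allows subdomains (and, here, the apex itself);
    'azena.com' means exactly that host. Check the program's wording for the apex."""
    entry = entry.strip().lower()
    if entry.startswith("*."):
        return entry[2:], True
    return entry, False


def scope_regex(entry):
    """Anchored pattern in the spirit of Burp's advanced scope rule: the dots are
    escaped and the end is pinned with $, so azena.com.evil.net never matches."""
    apex, subdomains = parse_scope_entry(entry)
    if subdomains:
        return re.compile(rf"^(?:[a-z0-9-]+\.)*{re.escape(apex)}$")
    return re.compile(rf"^{re.escape(apex)}$")


def normalize_host(host):
    """Lower-case and drop the trailing dot some DNS tools print."""
    return host.strip().lower().rstrip(".")


def naive_grep(hosts, needle):
    """What `grep azena.com` does: substring match, no anchoring, dots match anything."""
    return [h for h in hosts if re.search(needle, h)]


def filter_scope(hosts, in_scope, out_of_scope=()):
    """Keep hosts matching an in-scope entry and no out-of-scope entry,
    de-duplicated and sorted (the job `sort -u` did in the pipeline)."""
    allow = [scope_regex(e) for e in in_scope]
    deny = [scope_regex(e) for e in out_of_scope]
    kept = set()
    for host in map(normalize_host, hosts):
        if host and any(p.match(host) for p in allow) and not any(p.match(host) for p in deny):
            kept.add(host)
    return sorted(kept)


# Constructed enumeration output: mixed case, a trailing dot, duplicates and
# look-alikes that a plain grep would let through.
RAW_HOSTS = [
    "dev.azena.com",
    "AZENA.COM.",
    "www.azena.com",
    "store.azena.com",
    "dev.azena.com",
    "notazena.com",
    "azena.com.evil.net",
    "azena.com",
]


if __name__ == "__main__":
    print("grep keeps:   ", naive_grep(RAW_HOSTS, "azena.com"))
    print("wildcard scope:", filter_scope(RAW_HOSTS, ["*.azena.com"], ["store.azena.com"]))
    print("exact scope:   ", filter_scope(RAW_HOSTS, ["azena.com"]))
```

The deny list is where the program's out-of-scope hosts go; running subfinder, assetfinder and amass output through filter_scope before gowitness or any active tool is the cheap way to avoid the "improperly configuring tools to adhere to scope" mistake listed in the scoping section.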
AMASS;
Command: amass enum -d azena.com > azena3.txt
GOWITNESS: This tool screenshots each host, which helps us verify which subdomains actually serve something.
Below are the screenshots generated by gowitness.
As you can see, I had created a directory named azenapics and then I ran the command in there, hence the shots were placed there.
Burp Suite Overview