Bounty Hunters' Guild A Bounty Hunter Blog

Recon Reckoning

On July 15, 2017 the bug bounty platform Bugcrowd hosted the virtual hacking conference LevelUp, which included talks on a wide range of application security and bug bounty hunting topics from members of the bug bounty community. I was honored to be able to participate and presented a talk entitled “How to Fail at Bug Bounty Hunting” (YouTube and Slides), which is a personal story of failures, lessons learned, and bug bounty hunting tips for busy professionals, part-time and beginning bug bounty hunters. This post is a companion to that presentation and allows me to expand and clarify my personal resources, mobile setup and bug bounty recon script.

Resources:

  • Books
  • Payload Lists
  • Criticality
  • Bounty Reports / Write-ups / Blogs
  • Test Applications / Capture the Flags
  • Online Recon
  • Tools
  • Miscellaneous

Mobile Set Up:

  1. iPhone with Blink Shell – mosh and ssh terminal emulator (does not require jailbreak!)
  2. DietPi - lightweight Debian OS for RaspberryPi
  3. Enable SSH
  4. Install Mosh - remote terminal application that allows roaming and supports intermittent connectivity
    • apt-get install mosh on Debian
  5. Port forwarding from your public IP address to your internal DietPi IP address
    • Public TCP port 22 to Private TCP port 22
    • Public UDP port 60000-60010 to Private UDP port 60000-60010
  6. Use a Dynamic DNS service or use owned domain names to point to your public IP address
    • Personally, I had a GoDaddy domain and used a script + cron job to interact with GoDaddy’s API
  7. Use the DietPi jumpbox to SSH into boxes on my internal network based on need
  8. Use tmux to multiplex and keep track of virtual consoles
  9. Pure pwnage on the go!
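Steps 3 to 6 above put an SSH port, a mosh UDP range and a dynamic DNS record on the public Internet, so the pieces are worth seeing together in code. The following is an added example, not the author's GoDaddy script: it decides whether the A record needs updating (so the cron job only writes when the public IP changed), builds the GoDaddy request (the /v1/domains/{domain}/records/A/{name} endpoint and the sso-key header are assumed from GoDaddy's published v1 API; verify against the current docs), checks that a mosh-server port range fits inside the UDP range forwarded at the router, and lists the sshd settings to apply before TCP 22 faces the Internet. example.com, the jumpbox host name, the state-file path and the ipify lookup are placeholders and assumptions.

```python
"""Dynamic-DNS updater plus exposure checks for a DietPi jump box reached over
SSH (TCP 22) and mosh (UDP 60000-60010).  Added example, not the blog author's
script.  GoDaddy endpoint shape is assumed from its v1 API; names are placeholders."""
import ipaddress
import json
import urllib.request
from pathlib import Path

DDNS_DOMAIN = "example.com"        # placeholder: a domain you own
DDNS_HOST = "jumpbox"              # placeholder: the A record that should track your public IP
STATE_FILE = Path("/var/tmp/ddns_last_ip")  # assumption: where the last published IP is cached
FORWARDED_UDP = (60000, 60010)     # UDP range forwarded at the router for mosh


def is_ipv4(value: str) -> bool:
    """Syntactically valid dotted-quad that a 'what is my IP' service could plausibly return."""
    try:
        ip = ipaddress.IPv4Address(value.strip())
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified or ip.is_multicast)


def ddns_action(current: str, last: str) -> str:
    """What the cron job should do: 'invalid' (bad lookup), 'skip' (unchanged) or 'update'."""
    if not is_ipv4(current):
        return "invalid"
    return "skip" if current.strip() == last.strip() else "update"


def mosh_range_forwarded(mosh_ports: str, forwarded=FORWARDED_UDP) -> bool:
    """True when a mosh-server -p LOW:HIGH range lies entirely inside the forwarded UDP range."""
    low, _, high = mosh_ports.partition(":")
    low, high = int(low), int(high or low)
    return forwarded[0] <= low <= high <= forwarded[1]


def sshd_hardening() -> dict:
    """sshd_config settings to set before TCP 22 is reachable from the Internet."""
    return {
        "PasswordAuthentication": "no",  # keys only; an exposed port 22 is password-guessed within hours
        "PubkeyAuthentication": "yes",
        "PermitRootLogin": "no",
        "MaxAuthTries": "3",
    }


def godaddy_update(ip: str, key: str, secret: str,
                   domain: str = DDNS_DOMAIN, host: str = DDNS_HOST) -> urllib.request.Request:
    """Build the PUT that replaces the A record (endpoint and header assumed from GoDaddy's v1 API)."""
    body = json.dumps([{"data": ip, "ttl": 600}]).encode()
    return urllib.request.Request(
        f"https://api.godaddy.com/v1/domains/{domain}/records/A/{host}",
        data=body, method="PUT",
        headers={"Authorization": f"sso-key {key}:{secret}",
                 "Content-Type": "application/json"},
    )


def run(key: str, secret: str) -> str:
    """Cron entry point: look up the public IP and update the record only when it changed."""
    with urllib.request.urlopen("https://api.ipify.org", timeout=10) as resp:  # any 'what is my IP' service
        current = resp.read().decode().strip()
    last = STATE_FILE.read_text().strip() if STATE_FILE.exists() else ""
    action = ddns_action(current, last)
    if action == "update":
        with urllib.request.urlopen(godaddy_update(current, key, secret), timeout=10) as resp:
            resp.read()
        STATE_FILE.write_text(current)
    return action


if __name__ == "__main__":
    import os
    assert mosh_range_forwarded("60000:60010"), "mosh range must match the router forwarding rule"
    print(run(os.environ["GODADDY_KEY"], os.environ["GODADDY_SECRET"]))
```

Run it from cron every few minutes with the API key and secret in the environment; the state file keeps it from hitting the API on every tick. Start mosh-server with the same range (`mosh-server -p 60000:60010`) so sessions never land on a UDP port the router does not forward.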

PyBrute

The following script can be found at https://github.com/OrOneEqualsOne/Recon

Gist: Some terrible, continually updated Python code leveraging some awesome tools that I use for bug bounty reconnaissance.

PyBrute uses several subdomain enumeration tools and wordlists to create a unique list of subdomains that are passed to EyeWitness for reporting with categorized screenshots, server response headers and signature-based default credential checking. (Resources are saved to ./bin and output is saved to ./Output/PyBrute.)

NOTE: This is an active recon – only perform on applications that you have permission to test against.

Tools leveraged:

Subdomain Enumeration Tools:
  1. Sublist3r by Ahmed Aboul-Ela
  2. enumall by Jason Haddix
  3. Knock by Gianni Amato
  4. Subbrute by TheRook
  5. massdns by B. Blechschmidt
Reporting + Wordlists:
  1. EyeWitness (categorized screenshots, response headers, default credential checks)
  2. SecLists subdomain wordlist (used with -b)
  3. Jason Haddix’s all.txt wordlist (used with --bruteall)
Usage

Example 1: python PyBrute.py -d example.com
Uses target domain example.com with no bruteforce (Sublist3r, enumall, Knock)

Example 2: python PyBrute.py -d example.com -b -p --vpn
Uses target domain example.com with SecLists subdomain list bruteforcing (massdns, subbrute, Sublist3r and enumall), adds ports 8443/8080 and checks if on VPN

Example 3: python PyBrute.py -d example.com -b --bruteall
Uses target domain example.com with all.txt bruteforcing (massdns, subbrute, Sublist3r and enumall)

Example 4: python PyBrute.py -d example.com --quick
Uses target domain example.com and only Sublist3r (+subbrute)

Note: --bruteall must be used with the -b flag
Options
  • --install/--upgrade : Both do the same thing – install all prerequisite tools (Kali is a prerequisite AFAIK)
  • --vpn : Check if you are on VPN (update with your provider)
  • --quick : Use ONLY Sublist3r’s subdomain methods (+ subbrute)
  • --bruteall : Bruteforce with Jason Haddix’s all.txt list instead of SecLists
  • -d : The domain you want to perform recon on
  • -b : Bruteforce with subbrute/massdns and the SecLists wordlist
  • -s n : Only HTTPS domains
  • -p : Add port 8080 for HTTP and 8443 for HTTPS
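The merge-and-deduplicate step that the PyBrute description above relies on, together with the `-p` and `-s n` expansions from the options list, as an added example in Python (not PyBrute's own code). It also applies a check the description leaves implicit: every host is normalised and filtered to the target domain before it goes anywhere near EyeWitness, because the enumeration tools happily return CDN hosts, look-alike domains and wildcard entries that are not covered by the permission note above. The tool output strings are constructed sample data, and the function names are this example's own.

```python
"""Merge, normalise and scope-filter subdomain lists the way a PyBrute-style
wrapper must before handing hosts to EyeWitness.  Added example, not PyBrute's
own code; the tool output strings below are constructed sample data."""
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample output from three enumeration tools (not real results).
SUBLIST3R_OUT = """
www.example.com
Mail.Example.com
api.example.com.
"""
KNOCK_OUT = """
api.example.com
*.dev.example.com
staging.example.com
"""
MASSDNS_OUT = """
www.example.com. A 203.0.113.10
cdn.example-cdn.net. A 203.0.113.9
vpn.example.com. CNAME gw.example.net.
"""

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(raw: str) -> Optional[str]:
    """Lower-case, drop any scheme/port and trailing dot; reject wildcards and malformed labels."""
    host = raw.strip().lower()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.rstrip(".")
    if not host:
        return None
    if all(_LABEL.match(label) for label in host.split(".")):
        return host
    return None  # covers '*.dev.example.com' and junk lines


def in_scope(host: str, domain: str) -> bool:
    """True only for the apex or a subdomain of domain; rejects look-alikes such as example.com.evil.net."""
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_massdns(text: str) -> Iterable[str]:
    """massdns simple output is 'name. TYPE rdata'; only the queried name matters here."""
    for line in text.splitlines():
        parts = line.split()
        if parts:
            yield parts[0]


def merge_subdomains(domain: str, *sources: Iterable[str]) -> List[str]:
    """Union of every tool's output, normalised, deduplicated and restricted to the target domain."""
    found = set()
    for source in sources:
        for raw in source:
            host = normalise(raw)
            if host and in_scope(host, domain):
                found.add(host)
    return sorted(found)


def to_urls(hosts: Iterable[str], https_only: bool = False, extra_ports: bool = False) -> List[str]:
    """Expand hosts into EyeWitness targets: -s n keeps HTTPS only, -p adds 8080 (HTTP) and 8443 (HTTPS)."""
    targets = [("https", 443)] if https_only else [("http", 80), ("https", 443)]
    if extra_ports:
        targets += [("https", 8443)] if https_only else [("http", 8080), ("https", 8443)]
    urls = []
    for host in hosts:
        for scheme, port in targets:
            default_port = port in (80, 443)
            urls.append(f"{scheme}://{host}" if default_port else f"{scheme}://{host}:{port}")
    return urls


if __name__ == "__main__":
    hosts = merge_subdomains("example.com", SUBLIST3R_OUT.splitlines(),
                             KNOCK_OUT.splitlines(), parse_massdns(MASSDNS_OUT))
    for url in to_urls(hosts, extra_ports=True):
        print(url)
```

With the sample data, cdn.example-cdn.net and the wildcard entry are dropped and the duplicated www/api hosts collapse to one entry each; the resulting URL list is what a wrapper would write to the file handed to EyeWitness.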
Updates
  • 07-15-2017: Updated to include error handling and updated reconnaissance techniques from Bugcrowd’s LevelUp Conference (including subbrute/masscan and subdomain lists) - influenced by Jason Haddix’s talk Bug Hunter’s Methodology 2.0

Confessions of a Bug Bounty Addict

My first foray into bug bounties came in early August 2015 at Def Con 23 in Las Vegas, Nevada (one of the country’s largest hacker conventions). One evening, I found myself in Bugcrowd’s Indigo Tower Suite at Bally’s amidst food, drinks, awesome swag (including cans of chocolate covered insects) and fanatical researchers. Additionally, at Def Con 23 I attended a talk by Bugcrowd’s Director of Technical Operations, Jason Haddix, entitled How to Shot Web, which, as it turns out, became an incredible resource for me as a Penetration Tester.

In December 2015, I registered for an account on Bugcrowd’s site, and it was not until April 2016, when the Department of Defense and HackerOne collaborated on the Hack the Pentagon program, that I seriously considered becoming a bug bounty hunter. Bug Bounty Hunter had a nice ring to it, as if I was being inducted into the Bounty Hunters’ Guild to pillage web applications for the highest bidder like an InfoSec Boba Fett. I registered for an account and waited a few weeks until the program was live. Unfortunately, being a bug bounty neophyte, I made the grave mistake of not working on the program the second it went live and instead worked on it as free time allowed (days later). I struggled to find bugs in the program, and the ones I did find were quickly identified as duplicates or as “informational only”, lacking criticality. Alas, of my many failed attempts at submitting bugs, one was accepted. I received a monetary reward and a challenge coin commemorating my efforts (arguably of greater value than the money itself), and thus an addiction to bug bounty hunting was born.

Bug bounty platforms such as HackerOne and Bugcrowd provide incentives of monetary gains and gamification elements. The caveat of these platforms is that bug bounties are first come, first served, meaning the first hacker to report an issue is the only one rewarded. These rewards can be money and/or “kudos” or “points” used to gain leaderboard standings and ultimately, coveted private program invites. The downside of this first-to-find methodology is that it is not conducive to those of us who bounty on a purely part-time basis, say when free evenings and weekends allow. It allows full-time bug hunters to be more successful in newly announced programs and thus receive valuable private program invites.

As a married full-time security consultant with a considerable commute, free time is a commodity, so I strived to use the time I had effectively. I purchased Burp Suite Pro and set off with the goal of earning enough to pay for the $350 software. I focused on public programs with large scopes, picked up the unofficial bug bounty handbook, Web Hacking 101 by Peter Yaworski, and then spent a couple of evenings a week glued to my computer. In July 2016, I received my first private program invite and got my first true taste of bug bounty success.

Though I am not (yet) mentioned on the various platforms’ top leaderboards, I am content with my bug bounty successes when compared to the free time I am able to devote to the cause. Today, I continue to be active on the HackerOne and Bugcrowd platforms, have since joined the elite Synack Red Team (only after surviving grueling interviews, written and practical assessments) and was even invited into the Cobalt Core program. I have also successfully submitted bug reports to several independent programs, most notably AT&T’s Bug Bounty Program where I was recently recognized as a Top 10 Researcher for 3Q2016.

Bug bounty programs provide an opportunity for monetary gain, but even more valuable is the opportunity for hackers to ethically and legally disclose vulnerabilities. Security researchers receive money, bragging rights and a chance to develop skills in a multitude of environments, while system owners receive a penetration testing service while paying solely for results. Some companies argue that bug bounty programs encourage attacks on their systems, though in reality unethical hackers target sites regardless of granted authority. This view is changing now more than ever as an increasing number of companies are turning to bug bounty programs to augment their internal security programs – even the Department of Defense recently published a program with the scope of the entire .mil top-level domain. It is becoming clear that bug bounty programs have a place in the future of information security. Admiral Piett was wrong, we need that scum.