My Methodology In Recon And Find Bugs & My Methodology In Hunting Using Phone

3 years ago 313

Orwa Atyat

My DMs are full of messages and I can't answer all of them,
but I always try to help everyone, new hunters and old hunters alike, and not to ignore anyone.

Most of these messages ask:
What is your methodology?
How do you recon?
I don't have a PC; can I hunt using my phone?
Can you teach me recon?
Etc....

So here I will try to answer all of these.

I very much hope that this write-up will be a main reference for all my friends,
and that everyone here can take help from it and make some money.

A: My Methodology In Recon And Find Bugs

B: My Methodology In Hunting Using Phone

C: Tools, P1 reports I sent using these tools, and POCs

If This Write-Up Has No Examples Then It's Not Helpful

I like to work on open and big scopes, so here is our example:

FACEBOOK

As a lot of hunters here know about me, I am not good at coding and don't know how to write scripts, so in my recon I gather the information manually.

Burp open, terminal open, and a good scanner; for me that is Acunetix.

I start by collecting all the related domains and then test the interesting ones. How? Find the program's trade name. For Facebook the trade name is Facebook Inc.

=========>

So visit https://crt.sh/, enter the trade name Facebook Inc. and search. The trade name does not always end with Inc.; sometimes it is LLC, Corporation, etc.

Shodan

ssl:"trade name"

ssl:"Facebook Inc."

Collect some interesting domains, then check which are live by adding 200 (the HTTP status code) to the query:

ssl:"Facebook Inc." 200
ssl.cert.subject.cn:"domain.com" 200

Save the interesting IPs in a list to scan and test; I usually send them to Acunetix, nuclei, or both.

https://securitytrails.com/ is a cool website for gathering information: domains, DNS, IPs, subdomains.

For example, there are about 4k domains for Facebook there.

GitHub Dorking to Find Interesting Domains

Search Google for the program name together with "github"; you can find a lot of repos belonging to the program.

Example dorks for domains and other cool things:

org:facebookresearch https://
org:facebookresearch http://
org:facebookresearch ldap
org:facebookresearch ftp
org:facebookresearch sftp
org:facebookresearch host:
org:facebookresearch login
Now I have some interesting domains and IPs. After that I start collecting the subdomains; a cool and fast tool for this is amass.

amass command

amass enum -passive -norecursive -noalts -df domains.txt -o subdomains.txt

Now send subdomains.txt in two directions: the httpx tool and Nmap.

httpx command:

cat subdomains.txt | httpx -o live-subdomains.txt

I run Nmap on a VPS because it takes a lot of time.

nmap -sV -iL subdomains.txt -oN scaned-port.txt --script=vuln

Send all these live subs and IPs to the scanners and come back after one or two days to check whether there are some cool finds and bugs. After that I look for 403 subs and start fuzzing to find some cool endpoints.

You can use Dirsearch or FFUF for that.

If I work on a small number of subs I send them to Burp ===> Spider this host ===> and while the Spider is working:

1. Do GitHub dorking for the subdomain "sub.domain.com"; any link found goes to the Spider.

2. Visit Google with site:sub.domain.com; any link found also goes to the Spider.

3. Visit web.archive:

https://web.archive.org/cdx/search/cdx?url=*.sub.domain.com&fl=original&collapse=urlkey

Any link found also goes to the Spider.

4. Fuzz on the Spider results: send the host to Intruder ===> add a wordlist ===> Start attack.

You can also give Intruder a payload list and start an attack on some parameters: SQL, SSTI, SSRF, LFI, XSS, etc.

Run an active scan on any cool endpoint.

Add a parameter list to Param Miner too, to check for hidden parameters in Burp. While all of this runs I do GitHub dorking for some finds.
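Before any of the links from steps 1 to 3 go into the Spider, they have to be inside the program's scope. As an added example (not from the original post or the author's own tooling), the script below takes CDX "fl=original" output, drops static assets, duplicates and out-of-scope hosts, and keeps only hosts matching a "*.sub.domain.com" style wildcard. The sample URLs and the scope list are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample of CDX "fl=original" output (not real archive data).
SAMPLE_CDX = """\
http://api.sub.example.com/v1/users?id=1
https://api.sub.example.com/v1/users?id=2
https://api.sub.example.com/v1/users/
https://static.sub.example.com/js/app.min.js
https://sub.example.com:8443/account/settings
https://evil-sub.example.com.attacker.test/x
https://other.example.com/not-in-scope
http://sub.example.com/logo.png
"""

STATIC_EXT = (".png", ".jpg", ".gif", ".css", ".js", ".woff", ".svg", ".ico")


def in_scope(host, scope):
    """scope entries are exact hosts or '*.domain' wildcards (assumed format)."""
    host = host.lower()
    for entry in scope:
        entry = entry.lower()
        if entry.startswith("*."):
            # '*.sub.example.com' covers the apex and every label below it,
            # but not 'evilsub.example.com' or 'sub.example.com.attacker.test'
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def scope_endpoints(cdx_text, scope):
    """Return de-duplicated, in-scope endpoints with query/fragment dropped."""
    seen, out = set(), []
    for line in cdx_text.splitlines():
        p = urlsplit(line.strip())
        if not p.hostname or not in_scope(p.hostname, scope):
            continue
        path = p.path.rstrip("/") or "/"
        if path.lower().endswith(STATIC_EXT):
            continue          # images, scripts and fonts are not endpoints
        key = (p.hostname, p.port, path)   # scheme does not matter for dedupe
        if key in seen:
            continue
        seen.add(key)
        netloc = p.hostname + (f":{p.port}" if p.port else "")
        out.append(f"{p.scheme}://{netloc}{path}")
    return out
```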

Check the program's APK with the MobSF tool for bugs, interesting leaks, and domains; I will add the install steps in part C.

We have an old saying: He who does not thank people does not thank God

A lot of these tips I've learned from HackerX007, a very smart and helpful man.

https://twitter.com/XHackerx007

Everyone knows it's not possible to share everything I've learned in a single write-up, so I have provided shortcuts here that help everyone.

A lot of messages came to me asking:

How do I use leaks on GitHub like SFTP, FTP, MySQL, SMTP, and Amazon access keys and secret keys?

NOTE for new hunters: if a leak on GitHub contains a host like localhost, 127.0.0.1, or 192.168.*.*, don't report it.
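As an added example of that NOTE (my code, not the author's), the script below pulls the host out of a leaked URL, a KEY=value line or a bare host, and separates leaks that point at localhost, loopback or RFC 1918 / link-local ranges from the rest. The sample lines are constructed, and a public hostname still has to be checked against the program scope before anything is tested.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines of the kinds of leaks mentioned above (not real credentials).
SAMPLE_LEAKS = [
    "mysql://app:s3cret@127.0.0.1:3306/shop",
    "MYSQL_HOST=192.168.10.5",
    "sftp://deploy:pw@files.example.com",
    "SMTP_HOST=localhost",
    "ftp://ftp.example.com/incoming",
    "host: 172.16.4.2",
    "DB_HOST=10.0.0.7",
    "smtp.example.com:587",
]

KEY_VALUE = re.compile(r"^[A-Za-z_][\w.-]*\s*[=:]\s*(.+)$")


def extract_host(line):
    """Host from a URL, a KEY=value / key: value line, or a bare host[:port]."""
    s = line.strip()
    if "://" not in s:
        m = KEY_VALUE.match(s)
        if m and not m.group(1).isdigit():   # 'host:587' is a port, not a value
            s = m.group(1).strip().strip("'\"")
        s = "//" + s                           # lets urlsplit see host[:port]
    return urlsplit(s).hostname


def is_internal(host):
    """True for loopback, private (RFC 1918), link-local or local-only names."""
    if not host:
        return True
    h = host.lower()
    if h == "localhost" or h.endswith((".localhost", ".local", ".internal")):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False      # public hostname: still confirm scope before any testing
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def triage(lines):
    """Split leak lines into (worth reviewing, skip: points at an internal host)."""
    review, skip = [], []
    for line in lines:
        (skip if is_internal(extract_host(line)) else review).append(line)
    return review, skip
```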

SFTP, FTP, SCP, Amazon S3: you can check them using WinSCP on Windows.

Download link: https://winscp.net/eng/download.php

SMTP

I check SMTP creds all the time from here: https://www.smtper.net/

3 months ago I sent a GitHub SMTP report to the OPPO program: $430.

MySQL: it doesn't work every time, but for testing:

mysql -u USER -p -h HOST
===>
password=

Amazon access key and secret key: AWS CLI (see the AWS CLI docs)

Installation: sudo apt-get install awscli
===>
Configuration: aws configure
===>
AWS Access Key ID [****************N6KA]: AKIA
AWS Secret Access Key [****************4oJC]: uNyiu8Lv
Default region name [region name]: region name
Default output format [None]:
===>
POC: aws sts get-caller-identity

For testing SSTI, the tplmap tool:

git clone https://github.com/epinna/tplmap.git
./tplmap.py -u "domain.com/?parameter=SSTI*"

Facebook bounty: SSTI to RCE

A lot of us find these .git config files but don't check the git files.

Steps:

git clone https://github.com/internetwache/GitTools.git
cd GitTools/Dumper
./gitdumper.sh https://domain.com/.git/ outputfolder
after the download ends, cd outputfolder
===>
git status
===>
git checkout -- .
ls and check the files: cat file

I found a lot of MySQL credentials and WordPress credentials in PHP files.

About 6 P1 reports $$$

AEM service testing

git clone https://github.com/0ang3el/aem-hacker.git
cd aem-hacker
pip install -r requirements.txt

With this command you can sometimes get SSRF, sensitive information, XSS, or RCE:

sudo python3 aem_hacker.py -u https://domain.com/ --host your.burpcollaborator.net

Also, if you find an AEM login panel, try:

User: anonymous
Pass: anonymous

About 15 P1 and 5 P2 reports, bounty $$$-$$$$

For Spring Boot testing

I always check these endpoints:

datahub/actuator/heapdump
datahub/heapdump
actuator/heapdump
heapdump

If you can download the heapdump:

Download the Eclipse Memory Analyzer from https://www.eclipse.org/mat/. After downloading, run MemoryAnalyzer.exe and open the downloaded heapdump file. After opening the heapdump file, click on Dominator view and start searching; you will find a lot of database credentials.

3 P1 reports $$$

For an easy install (MobSF):

docker pull opensecurity/mobile-security-framework-mobsf
===>
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Check the Java files for hardcoded credentials.

3 P1 reports, 2 P3 reports

And lots more, etc....

But as I said, it's not possible to share everything I've learned in a single write-up, so I have provided shortcuts here that help everyone.

Other write-ups

I hope everyone enjoyed reading this.

I hope everyone can benefit from reading this.

I hope everyone can make some money by learning from here.

I hope everything is clear here; if not, forgive my mistakes.

Little brother:Orwa
