Maik Ro

Maik Ro



Day 4⃣5⃣ Let us define a Bug Bounty methodology together How to hack - step by step:

Offensive Ethical Hacking is divided in 5 stages typically: 1. Reconnaissance 2. Enumeration & Scanning 3. Exploitation / gaining Access 4. maintaining Access / Post Exploitation 5. clean-up

Which of those are interesting for Bug Bounty? All of them BUT typically maintaining access does not play a huge role and is often replaced by "Escalation" by professional Bug Hunter They for example find a XSS and will try to chain & escalate the impact to maximize the bounty

We start with Recon - or Reconnaissance Typically after you have chosen a target you want to find all the possible assets 1. domains (/ 2. subdomains (e.g. 3. additional assets (e.g. Acquisitions)

Most newbies start with 2. then maybe go to 1. ...but skip 3. BUT NOT YOU! You can do the following: - find acquisitions (crunchbase, google, linkedin, social media) - find the company ASN - Autonomous System Number (use

Then you search for all the IPs belonging to the ASNs (/ google) Now you have a list of IPs / domains Add reverse WHOIS sources - a reverse WHOIS looks for IPs/Domains that belong to a company - (/

You have an even bigger List of Domains / IPs now And another one - add information to your list. More Domains added to your target-list. Now comes a reverse IP lookup to check all the domains hosted by an IP (e.g.

You have a looooong list of Domains. What do you do with it? CRITICAL: VALIDATE! Make sure that the domains on that list are in scope and really belong to the organization you are targeting. You dont want to hack away and get an unfriendly letter from lawyers.

List validated (only unique values: sort -u target_domains.txt > unique_target_domains.txt ). Domains validated. Scope validated. check, check, check ✅✅✅ You can also do the following google-fu we learned yesterday: ”(c) 2022 Target, Inc.” inurl:target

You use the privacy policy data / copyright / terms of service text and find more domains with google You might also try bing/baidu and other search engines Now there is two more steps you can take:

You find the google-analytics / other analytics service ID - this is a unique identifier that typically is shared between the sub-companies - how to find it? / source code analysis -> CTRL+F (HTML/JS) 💜🏴‍☠️

Last but not least use e.g. You can wait for shodan's famous sales to get an account for ~$5 at least once a year - go follow them and find out: @shodanhq

Whats next - Subdomain enumeration. TOMORROW! click the follow button @maikroservice if you want to be notified and liked todays content - every day I post a thread about cyber security topics October - Bug Bounty November - Blue Team December - Job Hunting / Career advice

@threadreaderapp unroll

Follow us on Twitter

to be informed of the latest developments and updates!

You can easily use to @tivitikothread bot for create more readable thread!
Donate 💲

You can keep this app free of charge by supporting 😊

for server charges...