My Methodology In Recon And Find Bugs & My Methodology In Hunting Using Phone
Dear Hunters,
My DMs are full of messages and I can't answer all of them,
and as I always try to help everyone and ignore no one, new hunter or old hunter, all my messages were about:
what is your methodology ?
how you recon ?
I don't have PC can I hunt Using my phone?
can you teach me recon ?
Etc….
So here I will try to answer all of this. I very much hope that this write-up will be a main reference for all friends,
and everyone here can take help from it and earn some money.
I Will Present Here:
A: My Methodology In Recon And Find Bugs
B: My Methodology In Hunting Using Phone
C: Tools, P1 reports I sent using these tools, and POCs
A: My Methodology In Recon And Find Bugs
A write-up without examples is not helpful,
and I like to work on open and big scopes, so here is our example.
As a lot of hunters here know, I am not good at coding and don't know how to write scripts, so in my recon I gather the information manually.
Burp open, terminal open, and a good scanner; for me I use Acunetix.
- Start collecting all the related domains and start testing the interesting ones. How?
- Find the trade name; for Facebook the trade name is
Facebook Inc.
=========>
so visit https://crt.sh/, enter the trade name Facebook Inc.
and search.
Not all the time does the trade name end with Inc.; sometimes it is LLC,
Corporation,
etc.
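An added example (my code, not from this write-up) that turns the crt.sh result for a trade name into a clean, in-scope domain list instead of copying names by hand. It assumes crt.sh's JSON output (output=json), where each record's "name_value" field holds one or more certificate names separated by newlines; the JSON below is constructed, and example-corp.com / example-corp.net are placeholder scope domains:

```python
"""Turn crt.sh JSON output for a trade name into a clean, in-scope domain list.

Added example, not code from the write-up. Assumption: the JSON shape crt.sh
returns with output=json, a list of records whose "name_value" field holds one
or more certificate names separated by newlines. The sample below is constructed.
"""
import json
from typing import Iterable, List

# Constructed sample in the shape of crt.sh's JSON output (not real data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "common_name": "*.example-corp.com",
     "name_value": "*.example-corp.com\nexample-corp.com"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "vpn.example-corp.net",
     "name_value": "vpn.example-corp.net\nMail.Example-Corp.NET."},
    {"issuer_name": "C=US, O=Example CA", "common_name": "dev.internal-tools.io",
     "name_value": "dev.internal-tools.io"},
])


def extract_names(raw_json: str) -> List[str]:
    """Every certificate name, lowercased, trailing dot and wildcard label removed, deduplicated."""
    names = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            # crt.sh occasionally lists e-mail addresses or junk; keep only host-like names
            if name and " " not in name and "@" not in name:
                names.add(name)
    return sorted(names)


def registrable_domains(names: Iterable[str]) -> List[str]:
    """Collapse hosts to their last two labels: a rough root-domain guess that is
    fine for .com/.net/.io but would need a public-suffix list for co.uk and friends."""
    return sorted({".".join(n.split(".")[-2:]) for n in names if "." in n})


def in_scope(names: Iterable[str], allowed_suffixes: Iterable[str]) -> List[str]:
    """Keep only names equal to, or under, one of the program's in-scope domains."""
    suffixes = [s.lower().strip(".") for s in allowed_suffixes]
    return sorted(n for n in names
                  if any(n == s or n.endswith("." + s) for s in suffixes))


if __name__ == "__main__":
    found = extract_names(SAMPLE_CRTSH_JSON)
    print("roots:", registrable_domains(found))
    print("in scope:", in_scope(found, ["example-corp.com", "example-corp.net"]))
```

The in-scope list is what goes into domains.txt for the amass step later; the out-of-scope roots (internal-tools.io above) are the ones to check against the program policy before touching them.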
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Shodan
ssl:"trade name"
ssl:"Facebook Inc."
Collect some interesting domains, and now check which are live by adding 200
ssl:"Facebook Inc." 200
ssl.cert.subject.cn:"domain.com" 200
and save the interesting IPs in a list to scan, test and check; I usually send them to Acunetix or nuclei or both
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
https://securitytrails.com/ Cool website to gather information: domains, DNS, IPs, subdomains.
For example, here there are about 4k domains for Facebook.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
GitHub Dorking to Find Interesting Domains
On Google, search for the program name together with github;
you can find a lot of repos belonging to the program.
Examples of dorks for domains and cool things:
org:facebookresearch https://
org:facebookresearch http://
org:facebookresearch ldap
org:facebookresearch ftp
org:facebookresearch sftp
org:facebookresearch host:
org:facebookresearch login
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
- Now I have some interesting domains and IPs, so after that I start collecting the subdomains; for this a cool and fast tool is amass.
amass command
amass enum -passive -norecursive -noalts -df domains.txt -o subdomains.txt
Now send this subdomains.txt
in two directions: the httpx tool
& nmap.
httpx command:
cat subdomains.txt | httpx -o live-subdomains.txt
nmap I run on a VPS because it takes a lot of time:
nmap -sV -iL subdomains.txt -oN scaned-port.txt --script=vuln
- Send all these live subs and IPs to the scanner and come back after one or two days to check if there are some cool finds and bugs.
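An added example (my code, not from this write-up) for the nmap step: a parser for the -oN normal output that keeps only open ports per host and flags services that should rarely face the internet, so a scan over hundreds of subdomains can be triaged instead of read line by line. The scan output below is constructed with TEST-NET addresses, and the RISKY_SERVICES list is my own choice:

```python
"""Parse nmap normal output (-oN, as in the command above) into open ports per
host and flag services that should rarely face the internet.

Added example, not code from the write-up. The sample output is constructed and
uses TEST-NET addresses; the RISKY_SERVICES list is my own choice.
"""
import re
from typing import Dict, List, Tuple

# Constructed nmap -oN output for two hosts (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -sV -iL subdomains.txt -oN scanned-ports.txt
Nmap scan report for dev.example-corp.com (203.0.113.10)
Host is up (0.012s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.9p1
80/tcp   open     http       nginx 1.18.0
8080/tcp filtered http-proxy

Nmap scan report for mail.example-corp.net (203.0.113.20)
Host is up (0.020s latency).
PORT     STATE SERVICE VERSION
25/tcp   open  smtp    Postfix smtpd
3306/tcp open  mysql   MySQL 5.7.40
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

PortInfo = Tuple[int, str, str, str]  # (port, protocol, service, version)


def parse_nmap_normal(text: str) -> Dict[str, List[PortInfo]]:
    """Return {host: [(port, proto, service, version), ...]} with open ports only."""
    results: Dict[str, List[PortInfo]] = {}
    current = None
    for line in text.splitlines():
        host_match = HOST_RE.match(line)
        if host_match:
            current = host_match.group(1)
            results[current] = []
            continue
        port_match = PORT_RE.match(line)
        if port_match and current is not None:
            port, proto, state, service, version = port_match.groups()
            if state == "open":        # filtered/closed rows are dropped
                results[current].append((int(port), proto, service, version.strip()))
    return results


# Services I would not expect on an internet-facing host; a hit deserves a closer look.
RISKY_SERVICES = {"mysql", "ms-sql-s", "postgresql", "redis", "mongodb",
                  "ftp", "telnet", "smtp", "ms-wbt-server", "vnc"}


def flag_exposed_services(results: Dict[str, List[PortInfo]]) -> List[Tuple[str, int, str]]:
    """(host, port, service) for every open port whose service is in RISKY_SERVICES."""
    flagged = []
    for host, ports in results.items():
        for port, _proto, service, _version in ports:
            if service in RISKY_SERVICES:
                flagged.append((host, port, service))
    return flagged


if __name__ == "__main__":
    for host, port, service in flag_exposed_services(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)):
        print(f"{host}:{port} {service}")
```

On a real run, replace SAMPLE_NMAP_OUTPUT with the contents of the -oN file; the flagged hosts are the ones worth checking first when you come back to the scan results.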
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
- After that I start looking for
403
subs and start fuzzing to find some cool endpoints;
you can use Dirsearch, FFUF, etc. for that.
For me, if I work on a few subs, I send them to Burp ===> Spider this host ===> while the spider is working:
1 Visit GitHub,
dork for this subdomain: "sub.domain.com";
if there is any link, move it to the spider.
2 Visit Google: site:sub.domain.com;
also move any link to the spider.
3 Visit web.archive:
https://web.archive.org/cdx/search/cdx?url=*.sub.domain.com&fl=original&collapse=urlkey
also move any link to the spider.
4 Fuzz on the spider: to do that send the host to Intruder ===> add a wordlist ===> Start attack
- You can also, on
Intruder,
give a payload list
and start an attack on some parameters: SQL, SSTI, SSRF, LFI, XSS, etc.
Any cool endpoint: do an active scan.
- Add a parameters list for Param Miner too, to check for hidden parameters in Burp.
- While all of this runs, I dork on GitHub for some finds.
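An added example (my code, not from this write-up) for step 3: the CDX query above with fl=original returns one archived URL per line, and this reduces that list to unique endpoints and the query-parameter names seen on each, which is what goes to the spider and to the Param Miner / Intruder parameter list. The URL list is constructed, the host sub.example-corp.com is a placeholder, and the static-extension filter is my own choice:

```python
"""Reduce archived URLs (one per line, as the web.archive.org CDX query above
returns with fl=original) to unique endpoints and query-parameter names.

Added example, not code from the write-up. The URL list is constructed; the
static-extension filter and the placeholder host are my own.
"""
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed CDX output (fl=original gives one archived URL per line).
SAMPLE_CDX_LINES = """\
http://sub.example-corp.com/login.php?user=admin&redirect=/home
https://sub.example-corp.com/login.php?user=bob&redirect=/dash
https://sub.example-corp.com/api/v1/users?id=42
https://sub.example-corp.com/api/v1/users?id=43&format=json
https://sub.example-corp.com/static/app.js
https://sub.example-corp.com/static/logo.png
https://sub.example-corp.com/search?q=test&page=2

"""

# Archived assets that are not worth spidering or fuzzing as endpoints.
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2")


def summarize_endpoints(cdx_text: str) -> Dict[str, List[str]]:
    """{path: sorted parameter names}, merging http/https variants and parameter values."""
    endpoints = defaultdict(set)
    for raw in cdx_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        path = parts.path or "/"
        if path.lower().endswith(STATIC_EXT):
            continue
        names = endpoints[path]          # creates the entry even for parameterless paths
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            names.add(name)
    return {path: sorted(names) for path, names in sorted(endpoints.items())}


def parameter_wordlist(summary: Dict[str, List[str]]) -> List[str]:
    """Distinct parameter names across all endpoints (a Param Miner / Intruder list)."""
    return sorted({name for names in summary.values() for name in names})


if __name__ == "__main__":
    summary = summarize_endpoints(SAMPLE_CDX_LINES)
    for path, names in summary.items():
        print(path, names)
    print("params:", parameter_wordlist(summary))
```

Seven archived URLs collapse to three endpoints and six parameter names here; on a real host with thousands of archived URLs the reduction is what makes the list usable.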
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Check the program's APK in the MobSF tool for bugs, interesting leaks and domains; I will add how to install it in part C.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
We have an old saying: he who does not thank people does not thank God.
A lot of these tips I've learned from HackerX007, a very smart and helpful man.
Everyone knows it's not possible to share everything I've learned in a single write-up, so I have provided shortcuts here that help everyone.
B: My Methodology In Hunting Using Phone
I'm not a full-time bug hunter because I have another job, and in that job there is no PC or laptop: 3 days a week without using a computer,
so I hunt in these 3 days from my iPhone.
What we can do on the phone, what we can't,
and
how?
What we can do:
simple recon, checking for GitHub leaks (I will show how),
and all the terminal jobs (I will show how).
What we can't do:
use Burp
& view page source.
For those who don't know,
I started on this road using my phone:
found bugs on GitHub, tested, checked and reported from my phone.
When I got my second reward I bought a laptop.
So it is my job to help those who can't afford to buy a laptop right now.
- Sign up and log in on the phone browser on
GitHub
- Download the
Google Cloud Console app,
it's available on Android and iOS, and log in with a Gmail account
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
For GitHub, I specifically monitor my targets from my phone.
For example, if you are looking at 2 interesting domains for Facebook:
fb.com
internalfb.com
Steps to check and monitor
fb.com:
open GitHub in the browser and search
"fb.com" password
===> change the sort to Recently indexed
===> in browser Options, Add to Home Screen
"fb.com" secret
===> change the sort to Recently indexed
===> in browser Options, Add to Home Screen
"internalfb.com" password
===> change the sort to Recently indexed
===> in browser Options, Add to Home Screen
I have about 50 ready dorks like these for my targets; I check them every day with my morning coffee.
It's a good trick because you find leaks before anyone else; 90% of my GitHub leaked-data reports are for data leaked 1-9 hours earlier.
I guarantee with this tip there will be no duplicate reports for you.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
For the terminal, you can do that from your phone and get the tools in the Google Cloud Console app.
Sorry, the videos did not come out with the required quality, but their purpose is to convey the information more clearly.
C: Tools, P1 reports I sent using these tools, and POCs
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
A lot of messages came to me asking
how I use leaks on GitHub like
SFTP,
FTP,
MySQL,
SMTP,
Amazon access key and secret key.
NOTE for new hunters: if any leak on GitHub contains a host like localhost,
127.0.0.1,
192.168.*.*,
don't report it.
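An added example (my code, not from this write-up) that applies the note above automatically: it pulls the host out of each credential-looking setting in a leaked file and says whether it is internal (the "don't report it" case) or external. It goes a bit further than the note's three cases, treating every range the ipaddress module marks as non-public (10/8, 172.16/12, link-local, IPv6 loopback and ULA, documentation ranges) as internal, and it also reads hosts out of URL-style connection strings. The leaked lines are constructed, and the config key names in HOST_KEY_RE are my own guess at common ones:

```python
"""Triage a credential leak found on GitHub: is the host it points at internal
(loopback / private / link-local, the "don't report it" case) or external?

Added example, not code from the write-up. The leaked lines are constructed;
the key names in HOST_KEY_RE are my own guess at common config keys.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

LOCAL_NAMES = {"localhost", "localhost.localdomain"}
HOST_KEY_RE = re.compile(
    r"^\s*(?:DB_HOST|HOST|MYSQL_HOST|SMTP_HOST|DATABASE_URL|REDIS_URL)\s*[=:]\s*(.+)$",
    re.IGNORECASE,
)


def extract_host(value: str) -> str:
    """Hostname/IP from a bare host, host:port, [v6]:port or scheme://user:pw@host:port/db."""
    value = value.strip().strip("'\"")
    if "://" in value:
        return urlsplit(value).hostname or ""
    if value.startswith("["):                      # bracketed IPv6 literal, maybe with port
        return value[1:value.index("]")]
    if value.count(":") == 1:                      # host:port
        return value.rsplit(":", 1)[0]
    return value                                   # bare host or unbracketed IPv6


def is_internal_host(host: str) -> bool:
    """True for localhost names, .local/.internal names and any non-public IP literal."""
    h = host.strip().lower().rstrip(".")
    if h in LOCAL_NAMES or h.endswith((".local", ".internal")):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False        # a public-looking hostname; DNS resolution would be the next check
    # is_private already covers loopback, link-local, ULA and documentation ranges
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def triage(leak_lines: List[str]) -> List[Tuple[str, str]]:
    """[(host, 'internal' | 'external')] for every host-bearing setting in the leak."""
    verdicts = []
    for line in leak_lines:
        match = HOST_KEY_RE.match(line)
        if not match:
            continue
        host = extract_host(match.group(1))
        verdicts.append((host, "internal" if is_internal_host(host) else "external"))
    return verdicts


# Constructed leak snippet, as it might appear in a committed .env file (not real).
SAMPLE_LEAK = [
    "DB_HOST=127.0.0.1",
    "MYSQL_HOST=192.168.1.20:3306",
    "SMTP_HOST=smtp.example-corp.com",
    "DATABASE_URL=mysql://app:not-a-real-password@10.0.0.5/prod",
    "REDIS_URL=redis://cache.example-corp.com:6379/0",
    "HOST=localhost",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LEAK):
        print(f"{verdict:8s} {host}")
```

Only the external entries are candidates for a report; an internal host in a leak is still worth a line in the report if the same file also leaks an external one, because it shows the file is real production config.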
SFTP, FTP, SCP, Amazon S3:
you can check them using WinSCP on Windows;
download link https://winscp.net/eng/download.php
- SMTP
I check SMTP creds all the time from here https://www.smtper.net/
3 months ago a GitHub SMTP report sent to the OPPO program: $430
- MySQL: it doesn't work all the time, but for testing:
mysql -u USER -p -h HOST ===>
then enter the leaked password at the Enter password: prompt
- Amazon access key and secret key
AWS CLI (see the AWS CLI docs)
Installation: sudo apt-get install awscli ===>
Configuration: aws configure ===>
AWS Access Key ID [****************N6KA]: AKIA
AWS Secret Access Key [****************4oJC]: uNyiu8Lv
Default region name [region name]: region name
Default output format [None]: ===>
POC: aws sts get-caller-identity
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
For testing SSTI, the tplmap tool:
git clone https://github.com/epinna/tplmap.git
./tplmap.py -u "domain.com/?parameter=SSTI*"
Facebook bounty SSTI to RCE
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Domain.com/.git/config
A lot of us find these git config files but don't check the git files.
GitTools is a great tool;
steps here:
git clone https://github.com/internetwache/GitTools.git
cd GitTools/Dumper
./gitdumper.sh https://domain.com/.git/ outputfolder
after the download ends: cd outputfolder
===>
git status
===>
git checkout -- .
===> ls and check the files: cat file
Found a lot of MySQL credentials & WordPress credentials in PHP
files,
about 6 P1 reports $$$
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
AEM
AEM service testing
git clone https://github.com/0ang3el/aem-hacker.git
cd aem-hacker
pip install -r requirements.txt
With this command you can sometimes get SSRF,
sensitive information,
XSS,
RCE:
sudo python3 aem_hacker.py -u https://domain.com/ --host your.burpcollaborator.net
Also, if you find an AEM login panel:
User: anonymous
Pass: anonymous
About 15 P1, 5 P2 reports, bounty $$$-$$$$
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Spring Boot endpoints
For Spring Boot testing
always check these endpoints:
datahub/actuator/heapdump
datahub/heapdump
actuator/heapdump
heapdump
If you can download the heapdump:
download the Eclipse Memory Analyzer from here https://www.eclipse.org/mat/
after downloading, run MemoryAnalyzer.exe and open the downloaded heapdump file; after opening it, click on Dominator view and start searching; you will find a lot of database credentials.
3 P1 reports $$$
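An added example (my code, not from this write-up) that does the Dominator-view search from the command line: it treats the downloaded heapdump as an opaque blob, extracts printable strings the way the strings tool does, and matches them against a few credential patterns (JDBC URLs, password=... settings, URLs with embedded user:password, AWS access key IDs). The blob below is constructed to look like fragments of a Java heap, and the AKIA value in it is a placeholder, not a real key:

```python
"""Scan a downloaded heap dump (or any binary blob) for credential-looking
strings, the same thing the Dominator-view search in MAT finds by hand.

Added example, not code from the write-up. The blob is constructed; the
patterns are my own and will miss things a real secret scanner catches.
"""
import re
from typing import Iterator, List, Tuple


def printable_strings(blob: bytes, min_len: int = 8) -> Iterator[str]:
    """Yield runs of printable ASCII at least min_len long (like the strings tool)."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield match.group().decode("ascii")


SECRET_PATTERNS = {
    "jdbc_url": re.compile(r"jdbc:[a-z0-9]+://[^\s\"']+", re.I),
    "password_kv": re.compile(r"(?:password|passwd|pwd|secret)\s*[=:]\s*[^\s\"',;]+", re.I),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@[^\s\"']+", re.I),
}


def find_secrets(blob: bytes, min_len: int = 8) -> List[Tuple[str, str]]:
    """Sorted, deduplicated (kind, matched text) pairs found in the blob."""
    hits = set()
    for text in printable_strings(blob, min_len):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                hits.add((kind, match.group()))
    return sorted(hits)


# Constructed blob mimicking heap fragments; nothing in it is a real credential.
SAMPLE_HEAPDUMP = (
    b"JAVA PROFILE 1.0.2\x00" + b"\x00" * 16
    + b"spring.datasource.url\x00jdbc:mysql://db.internal:3306/app?useSSL=false\x00\x01\x02"
    + b"spring.datasource.password=S3cr3t-Example\x00"
    + b"\xff\xfe\x00\x00" + b"mongodb://svc:Pa55w0rd@mongo.internal:27017/prod\x00"
    + b"cloud.aws.credentials.accessKey\x00AKIAEXAMPLEEXAMPLE00\x00"  # placeholder key id
    + b"\x00" * 8 + b"short\x00"
)

if __name__ == "__main__":
    for kind, value in find_secrets(SAMPLE_HEAPDUMP):
        print(f"{kind:18s} {value}")
```

For a real file, find_secrets(open("heapdump", "rb").read()) is enough for dumps that fit in memory; the hits give you the exact strings to show in the report, and the same patterns work on the output of strings if the dump is too big to load at once.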
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
MobSF for mobile app testing
for easy install:
docker pull opensecurity/mobile-security-framework-mobsf ===>
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Check the Java files for hardcoded credentials.
3 P1 reports, 2 P3 reports
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Google Dorks and Recon
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Lots and lots of etc....
But as I said, it's not possible to share everything I've learned here in a single write-up, so I have provided shortcuts here that help everyone.
Other write-ups
Hope everyone enjoyed reading here.
Hope everyone can benefit from reading here.
Hope everyone can make some money by learning from here.
Hope everything is clear here; if not, forgive my mistakes.
Little brother: Orwa