My Methodology In Recon And Find Bugs & My Methodology In Hunting Using Phone

Orwa Atyat
10 min readAug 19, 2021

#Dears Hunters

My DM Full in messages I cant answer for all this messages
and as I try all the time help all , not ignore anyone, new hunter , old hunter

so all my messages its was about
what is your methodology ?
how you recon ?
I don't have PC can I hunt Using my phone?
can you teach me recon ?
Etc….

so here I will try answer all this

I very much hope that this writing will be a main reference for all friends
And everyone here can take help from here and get some money

I Will Present Here:

ِِِA: My Methodology In Recon And Find Bugs

B:My Methodology In Hunting Using Phone

C: Tools and P1 reports send it with these tools and POCs

ِِِA: My Methodology In Recon And Find Bugs

If This Write Up Without Example Then It’s Not Helpful

For Me I Like To Work On Open And Big Scope So Here Will Be Our Example

FACEBOOK

as lot of hunters here know about me that I am not good in coding don’t know how write scripts so in my recon gather the information manually

Burp Open , Terminal Open , Good Scanner For me I use Acunetix

  • start collect all the related domains and start my testing in interesting domains How?
  • Find a trade name on Facebook tread name Facebook Inc.

=========>

so visit https://crt.sh/ enter the tread name Facebook Inc. and Search Not all the time the tread name end with Inc. sometimes LLC , Corporation , etc..

another way here also

https://crt.sh/?O=Domain name without .com

https://crt.sh/?O=Facebook

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Shodan

ssl:”trade name”

ssl:”Facebook Inc.”

Collect some interesting domains and now check for live by add 200

ssl:”Facebook Inc.” 200
Ssl.cert.subject.CN:"domain.com" 200

and save interring IPs in List to Scan and Testing and checking I usually send them to Acunetix or nuclei or both

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

https://securitytrails.com/ Cool website to gather the information , domains , dns , ips , sub domains

For example here about 4k domains for Facebook

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

GitHub Dorking to Find Interesting Domains

On Google program name github you can found lot of repos belong to program

example of dorking for domains and cool things

org:facebookresearch https://
org:facebookresearch http://
org:facebookresearch ldap
org:facebookresearch ftp
org:facebookresearch sftp
org:facebookresearch host:
org:facebookresearch login

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

  • now i have some interesting domains and Ips so after that i start collect the sub domains for this cool and fast tool its amass

ammas command

 amass enum -passive -norecursive -noalts -df domains.txt -o subdomains.txt

now Send this subdomains.txtin two directions HTTPX Tool & Nmap

for httpx command

cat subdomains.txt | httpx -o live-subdomains.txt

Nmap i run it on VPS because take lot time

nmap -sV -iL subdomains.txt -oN scaned-port.txt --script=vuln
  • send all this live subs , Ips to Scan and back after one or tow days to check if here some cool finds and bugs

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

  • after that i start Looked for 403 subs and start Fuzzing to Find some Cool EndPoints

you can use for that Dirserch , FFUF ,

For me if i work on little subs i send that to Burp ===> Spider this Host ===> while Spider working

1 visit github dorking for these sub domain "sub.domain.com" if here any link will move to Spider

2 Visit Google site:sub.domain.com also if here any link will move to Spider

3 Visit web.archive

https://web.archive.org/cdx/search/cdx?url=*.sub.domain.com&fl=original&collapse=urlkey

also if here any link will move to Spider

4 Fuzz On Spider to do that send the host to Intruder ===> add WordList ===> Start Attack

  • you can also on Intruder give a Payload list and Start attack on some parameters SQL,SSTI,SSRF,LFI,XSS,Etc..

any cool end do an active Scan

  • add Parameters list for Param Miner also to check on hidden parameters on burp
  • while all of this runs i dorking on Github for some finds

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

check the Apk program on MOBSF tool for bugs, interesting leaks , domains will add about install on part C

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

We have an old saying: He who does not thank people does not thank God

lot of this tips i’ve learned from HackerX007 very smart man helpful man

https://twitter.com/XHackerx007

Everyone knows it’s not possible to share everything I’ve learned here in single write up so I have provided shortcuts here that help everyone

B: My Methodology In Hunting Using Phone

i’m not bug hunter as Full time because i have another job in that job there’s no PC or Laptop 3 day in week without using computer

so i hunt in this 3 days from my Iphone

What we can do on phone and what we cant
and
how ?

what we can do

Recon simple , Checking for Github Leaks will show how , and all the Terminal jops will show haw

whet we cant do

use burp &view page source

for who don’t know 
I started in this road using my phone
found bugs on GitHub test and check and report from my phone

When I got my second reward I bought a laptop

So it is my job to help those who can’t afford to buy a laptop right now

  • singup and login on phone browser on GitHub
  • download google cloud console app it’s available on Android and IOS and login in a Gmail account

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

for Github I specially monitor my Targets from my Phone

for example if you looking for 2 interesting domains for Facebook

fb.com
internalfb.com

steps to check and monitor

fb.com open github on browser

"fb.com" password ===> change the sort to Recently indexed ===> on browser Options Add to Home Screen

"fb.com" secret ===> change the sort to Recently indexed ===> on browser Options Add to Home Screen

"internalfb.com" password ===> change the sort to Recently indexed ===> on browser Options Add to Home Screen

I have about 50 ready dorks for my targets like these i check on them everyday with a morning coffee

its a good trick because you found leaks before anyone for some data leaked , 90% from my GitHub leaked data reports its for data leaked 1-9 hours ago
I guarantee in this tip no dupl reports for you

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

For Terminal you can do that from you phone and get the tools on google cloud console app

Sorry The videos are not good results with the required quality, but their purpose is to convey the information in a clearer way

C: Tools and P1 reports send it with these tools and POCs

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

lot of messages came to me

how I use leaks on GitHub like SFTP, FTP , MySQL , SMTP , amazon access key and secret key

NOTE For New Hunters : if any leak on GitHub Contains Host like=localhost , 127.0.0.1 , 192.168.*.* Don't report it

SFTP , FTP , SCP , Amazon S3 you can check them using WinSCP on windows

download link https://winscp.net/eng/download.php

  • SMTP

i check STMP CREDS all the time from here https://www.smtper.net/

3 month ago GitHub SMTP report send it to OPPO program 430$

  • MySQL not all the time work but for testing
mysql -u USER -p -h Host ===>
password=
  • Amazon access key and Secret Key
Aws-CLI AWS-CLI DOCS
Installation :sudo apt-get install awscli
===>
configuration: aws configure
===>
AWS Access Key ID [****************N6KA]: AKIA
AWS Secret Access Key [****************4oJC]: uNyiu8Lv
Default region name [region name]: region name
Default output format [None]:
===>
POC: aws sts get-caller-identity

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

FOR Testing SSTI and tplmap tool

git clone https://github.com/epinna/tplmap.git
./tplmap.py -u "domain.com/?parameter=SSTI*"

Facebook bounty SSTI to RCE

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Domain.com/.git/config

lot from us found these git config file but dont check the git files

GitTools great tool

steps here

git clone https://github.com/internetwache/GitTools.git
cd GitTools/Dumper
./gitdumper.sh https://domain.com/.git/ outputfoldar
after download end it cd outputfoldar
===>
git status
===>
git checkout -- .
ls and check the files cat file

Fount lot of MySQL Credentials & WordPress Credentials in php files

about 6 P1 reports $$$

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

AEM

aem service testing

git clone https://github.com/0ang3el/aem-hacker.git
cd aem_hacker
pip install -r requirements.txt

with these command you can get sometimes SSRF , Sensitive Information , XSS , RCE

sudo python3 aem_hacker.py -u https://domain.com/ --host your.burpcollaborator.net

also if you find AEM Login panel

User:anonymous
Pass:anonymous

about 15 P1 , 5 P2 reports bounty $$$-$$$$

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Springboot endpoints

For Springboot testing

all the time check these ends

datahub/actuator/heapdump
datahub/heapdump
actuator/heapdump
heapdump

if you can download the heapdump

Download the Eclipse Memory Analyzer from here https://www.eclipse.org/mat/after downloading, run the MemoryAnalyzer.exe and open the Heapdump file downloadedafter opening the Heapdmp file click on Dominator viewstart search will find lot of database credentials

3 P1 reports $$$

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

MOBSF For Mobile App testing

for easy install

docker pull opensecurity/mobile-security-framework-mobsf===>docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

check the java files for Hardcoded Credentials

3 P1 reports , 2 P3 reports

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Google Dorks and Recon

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Lot Lot of Etc….

but as I said it’s not possible to share everything I’ve learned here in single write up so I have provided shortcuts here that help everyone

others write ups

Hope everyone enjoyed reading here

Hope everyone can benefit from reading here

Hope everyone can make some money by learning from here

Hope everything Clear here if not ,Forgive my mistakes

Little brother:Orwa

--

--