Connect with me on twitter: https://twitter.com/@initroott

Quick intro to enumerating a specific target’s digital footprint. I take no responsibility for your use of the below; please always have permission before you engage a specific target.

The below walkthrough explains a simple enumeration of a domain. For this we’ll focus on Tesla.

The basics

For this specific target we can assume that our main target is Tesla.com.

Enumeration, specifically domain enumeration, can be performed in several ways. I really like Patrik Hudak’s article; refer to https://0xpatrik.com/asset-discovery/.

The two important notes here are vertical and horizontal enumeration. …
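As an added example (not part of the original post), the following script shows the distinction in practice: it parses certificate-transparency records in the shape crt.sh returns from its JSON endpoint, then splits the discovered names into vertical results (hosts under the target apex) and horizontal candidates (other apexes that turned up alongside the target). The records are constructed, and example.com stands in for the real target so that no real hostnames are asserted; the small second-level suffix set is a stand-in for the Public Suffix List.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). example.com stands in for
# the real target; nothing is fetched over the network here.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nshop.example.com"},
    {"common_name": "api.example.net", "name_value": "api.example.net\nauth.example.com"},
    {"common_name": "WWW.EXAMPLE.COM", "name_value": "WWW.EXAMPLE.COM"},
    {"common_name": "mail.example.co.uk", "name_value": "mail.example.co.uk"},
])

# Minimal stand-in for the Public Suffix List (assumption for this example);
# real tooling should use the full list (e.g. the publicsuffix2 package),
# otherwise apex detection is wrong for names like host.example.co.uk.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.za", "co.jp"}


def parse_crtsh(json_text: str) -> list[str]:
    """Return the distinct, lower-cased hostnames from crt.sh records.

    name_value carries the SAN list newline-separated. Wildcard entries are
    dropped because '*.example.com' is not a resolvable host by itself.
    """
    hosts = set()
    for rec in json.loads(json_text):
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name and not name.startswith("*."):
                hosts.add(name)
    return sorted(hosts)


def apex(host: str) -> str:
    """Registrable domain of a host: two labels, or three under a known 2LD."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(hosts, target_apex: str) -> dict:
    """Vertical: hosts under the target apex (in scope by construction).

    Horizontal: other apexes seen on the same certificates. These are only
    candidates for related domains; ownership still has to be verified
    (WHOIS, ASN, certificate organisation) before they enter scope.
    """
    vertical, horizontal = [], {}
    for h in hosts:
        a = apex(h)
        if a == target_apex:
            vertical.append(h)
        else:
            horizontal.setdefault(a, []).append(h)
    return {"vertical": vertical, "horizontal": horizontal}


if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_CRTSH_JSON)
    result = classify(found, "example.com")
    print("vertical:", result["vertical"])
    print("horizontal:", result["horizontal"])
```

Sharing a certificate with the target is a hint that a horizontal candidate belongs to the same organisation, not proof; a CDN or hosting provider can bundle unrelated customers' names into one SAN list.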



Be sure to follow my blog at https://governit.co.uk

This would most definitely go out to my most tedious XSS attempts yet. I started with Burp for a good enumeration. I set out my target scope using advanced scope control and the hostname as “company.”.


I then browse the application slowly, one page at a time; specifically, I look for parameters that get reflected. Once I suspect reflection, I use the Intruder tab to actively scan defined insertion points. Note that I also clear insertion points for cookies etc.; I only focus on the URL parameters for now.
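The manual "does this parameter come back in the page?" check above can be scripted. The following is an added example, not the author's code and not a Burp feature: each URL parameter is replaced in turn with a unique canary followed by the HTML metacharacters that matter for XSS, and the response is checked for the canary and for whether those characters survived encoding. The target is a constructed in-process handler that stands in for a real endpoint (it reflects `q` raw, `lang` HTML-escaped, and ignores `ref`); `fetch` would be an HTTP client in real use.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Metacharacters whose unencoded survival turns a plain reflection into a
# likely XSS sink (attribute breakout, tag injection, string breakout).
PROBE_CHARS = '"\'<>'


def constructed_target(url: str) -> str:
    """Constructed stand-in for the web application (not a real site).

    Reflects `q` unencoded into text content, `lang` HTML-escaped into an
    attribute, and does not use `ref` at all.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    q = params.get("q", "")
    lang = html.escape(params.get("lang", "en"))
    return f'<html lang="{lang}"><body><h1>Results for {q}</h1></body></html>'


def probe_reflection(base_url: str, params: dict, fetch) -> dict:
    """Probe each parameter separately and report how it is reflected.

    fetch(url) -> response body as str. One parameter is mutated per
    request so a hit can be attributed to a single insertion point.
    """
    findings = {}
    for name in params:
        canary = "zq" + secrets.token_hex(4)  # unique, unlikely to occur naturally
        payload = canary + PROBE_CHARS
        test_params = dict(params)
        test_params[name] = payload
        body = fetch(base_url + "?" + urlencode(test_params))
        if canary not in body:
            findings[name] = "not reflected"
        elif payload in body:
            findings[name] = "reflected, metacharacters intact"
        else:
            findings[name] = "reflected, metacharacters encoded"
    return findings


if __name__ == "__main__":
    report = probe_reflection(
        "https://example.test/search",
        {"q": "tesla", "lang": "en", "ref": "home"},
        constructed_target,
    )
    for param, verdict in report.items():
        print(f"{param}: {verdict}")
```

"Metacharacters intact" is a lead, not a finding: the sink context still decides which characters are needed (a JavaScript string needs a different breakout than an attribute), so the next step is to read the surrounding HTML, exactly as the Intruder scan in the post does.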



I took a quick look at a major infrastructure client. Given their modern web design, I couldn't find any reflective injection points.
I let it go for a while, later found myself dealing with one of their earlier versions, and immediately noted that the hosted site was much more outdated than its recent counterparts.

I set out scoping the application using Burp and found a reflective spot. This could lead to a type of stored XSS on the user’s machine, as you’re adding into the container.

I wouldn’t have been able to identify the endpoint if I hadn’t played with the application functionality. …


UPDATE: I’ve included results from some other AV solutions.


I’ve recently converted my sturdy Raspberry Pi Zero W to a bad USB using the P4wnP1 image and toolkit created by mame82. The ultimate goal was to run a remote command shell while evading the latest version of Symantec SEP with full protection enabled. It’s easy to run a remote shell by creating your own payload; however, the advanced features available in Symantec make it difficult to execute, as the SONAR and IPS detection techniques are powerful. You can go far by encrypting the payload and delivery, as Symantec will be unable to analyse it. …



I’ve recently completed my OSCP exam and thought it good to share the methodology I’ve compiled from various sources. I took at least 30 days of lab time, and so far this is one of the most challenging and rewarding exams.

I’ve used OneNote during my exam, however, recently ported my methodology to SwiftnessX (https://github.com/ehrishirajsharma/SwiftnessX), a brilliant tool for penetration testers. The methodology will be released as part of the upcoming SwiftnessX version as part of the standard libraries.

I’ve included a screenshot of SwiftnessX just to show how amazing it is.



In this article I’ll be providing a basic walkthrough of how to set up an Arm64/Aarch64 device such as the Rock64 as a secure Wi-Fi AP with Pi-hole DNS and an IDS. I’ve also added a SIEM solution by using Graylog.

The purpose of the setup is to provide a secure and monitored wireless access point for devices in your home network. Unfortunately, pfSense is not wholly compatible with the Arm64 architecture yet.

The endgoal

Once you’ve completed the setup, you’ll have a secure wireless access point with an ad-blocking DNS and intrusion detection system for connected devices. …


Introduction

During my evening bug hunting, I stumbled upon an insecure access control vulnerability in a large e-commerce retailer (which claims to have a couple of hundred million users) that allowed me to register myself as a supplier without an invitation code.

I’ll walk through discovering the vulnerability; however, I’ll keep the company anonymous, as they currently do not run a public bug bounty program and I’m disclosing the vulnerability following the Open Bug Bounty rules.
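To show the class of bug rather than the retailer's actual code (which the post does not describe), here is an added, hypothetical pair of registration handlers: a weak one that trusts a client-supplied account type and validates the invitation code only when one is sent, and a hardened one that derives the role from a server-side invite bound to the registrant's e-mail and consumes it on use. The data model and the specific weak pattern are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Invite:
    code: str
    email: str          # the address the invite was issued to
    used: bool = False


@dataclass
class Store:
    """Constructed in-memory stand-in for the application database."""
    invites: dict = field(default_factory=dict)   # code -> Invite
    suppliers: set = field(default_factory=set)   # registered supplier e-mails


def register_supplier_vulnerable(store: Store, form: dict) -> bool:
    """Hypothetical weak handler (assumption, not the retailer's code).

    Two mistakes: the role comes from the client ('account_type'), and the
    invite code is only validated when the client bothers to send one, so
    omitting the field skips the check entirely.
    """
    code = form.get("invite_code")
    if code is not None:
        inv = store.invites.get(code)
        if inv is None or inv.used:
            return False
    if form.get("account_type") == "supplier":
        store.suppliers.add(form["email"])
        return True
    return False


def register_supplier_hardened(store: Store, form: dict) -> bool:
    """Hardened handler: the invite is mandatory and is the sole source of
    the supplier role; it must be unused and bound to this e-mail, and it is
    marked used before the account is created so it cannot be replayed."""
    code = form.get("invite_code") or ""
    inv = store.invites.get(code)
    if inv is None or inv.used:
        return False
    if inv.email.casefold() != form.get("email", "").casefold():
        return False
    inv.used = True
    store.suppliers.add(inv.email)   # role and identity come from the invite
    return True


if __name__ == "__main__":
    weak = Store(invites={"K7Q2": Invite("K7Q2", "vendor@example.com")})
    attacker = {"email": "attacker@example.net", "account_type": "supplier"}
    print("vulnerable, no code:", register_supplier_vulnerable(weak, attacker))

    strong = Store(invites={"K7Q2": Invite("K7Q2", "vendor@example.com")})
    print("hardened, no code:", register_supplier_hardened(strong, attacker))
    print("hardened, valid code:", register_supplier_hardened(
        strong, {"email": "vendor@example.com", "invite_code": "K7Q2"}))
```

The test to run against any invitation-gated flow is the one this bug fails: remove the invitation parameter entirely (not just blank it) and change any role or account-type field the client is allowed to send, then see whether the privileged account still gets created.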

Discovery

I usually start my bug hunting by enumerating the domain name using OWASP Amass (https://github.com/OWASP/Amass) and the Chinese version of Shodan e.g. https://fofa.so/.

OWASP Amass offers a lot in enumerating subdomains, as it scrapes data sources, brute-forces recursively, crawls web archives and performs DNS sweeping. Some of the best-known sources are included, e.g. ThreatCrowd, VirusTotal, Riddler, CertSpotter, FindSubDomains, Entrust and crt.sh, to name a few. A simple command line, shown below, can be very fruitful. …

About

Frans Hendrik Botes

OSCP, CISM, CISA, CRISC
