I hope you are all having a good time scoring huge bounties ;) Not to mention that watching people score bounties motivates me to stop procrastinating and get along with other hackers.
To be honest, I've been a script kiddie for a long time, randomly copy-pasting payloads here and there without ever trying to understand the technology itself.
Switching to dev mode helped me a lot in understanding concepts better, and during that time I realized how the payloads actually made sense. In the meantime I noticed many people mentioning Shodan and other platforms such as Censys, BinaryEdge and ZoomEye as their go-to tools, and I wondered how people find those hidden assets when the majority out there are already aware of these platforms. It turns out that the secret lies in how you search for patterns and how well you know your target. The technologies and tools are available to everyone; it depends entirely on how you use them.
In my initial stage of learning, I always used to search for a pattern such as "site.com" and that was it; I hoped that some Jenkins instance would pop up because I believed I had good luck :P, but that is totally not how it works.
The results were fine but not up to my expectations, because most companies have a security team setting guidelines, which makes our job as hackers a bit tedious. So I started learning (researching) how I could make my recon better and more efficient.
The first step I always take is searching for SSL certificates on Shodan.io. Shodan offers a lot of filters that can be used to strip the junk out of the results. One such filter is ssl:"target", which matches the string target anywhere within an SSL certificate.
For demonstration, we will search for SSL certificates for PayPal.
As you can see, Shodan has found certificates under the name PayPal, but the results also contain a lot of junk such as Access Denied pages, which come from Akamai. We can filter those out as well by adding 200 (the HTTP status code) to our search query, so the query would look like ssl:"paypal" 200.
You can also exclude specific content you don't want to see by adding - (a minus sign) to the query, followed by the pattern to exclude.
I'm not sure why, but I have a keen interest in resources hosted on Amazon AWS. To make my search more efficient I use org:"Amazon" ssl:"target".
Another search pattern I look for is specific content in the HTML source, and Shodan makes this easy with the html filter.
I learned that a copyright footer is always present in an application, so I always look for that, and maybe something pops out.
The search query should look something like html:"Pattern".
This also helped me a lot in finding assets running a particular technology. For example, to search for Jenkins instances I tend to use html:"Dashboard Jenkins" or something similar. Many people would argue for using http.component:"jenkins" instead, which searches for a specific technology or component, but I prefer my own way.
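The filters above (ssl:, org:, html:, the bare 200 status term and - negation) composed into a query and applied to a simple result triage, as an added Python example that is not from the original post. The record layout mirrors the shape of Shodan search matches but every host is constructed, and known_hosts is an assumed inventory of certificate names an organisation already knows about.

```python
# Added example (not the post's code): compose Shodan queries with the filters
# the post describes and triage result records offline. SAMPLE_MATCHES below is
# constructed to mimic the shape of Shodan search matches; no real hosts.
from typing import Iterable, Optional


def build_query(cert_term: str, org: Optional[str] = None,
                html: Optional[str] = None, require_200: bool = True,
                exclude: Iterable[str] = ()) -> str:
    """Assemble a Shodan query string from the filters the post uses."""
    parts = [f'ssl:"{cert_term}"']           # string to match inside the certificate
    if org:
        parts.append(f'org:"{org}"')         # hosting organisation, e.g. Amazon
    if html:
        parts.append(f'html:"{html}"')       # string to match in the page source
    if require_200:
        parts.append("200")                  # bare term matching the HTTP status line
    parts.extend(f'-"{term}"' for term in exclude)  # leading '-' excludes a term
    return " ".join(parts)


# Constructed records shaped like entries of a Shodan 'matches' list (sample only).
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 443, "org": "Example CDN",
     "http": {"status": 403, "title": "Access Denied"},
     "ssl": {"cert": {"subject": {"CN": "www.example.com"}}}},
    {"ip_str": "192.0.2.20", "port": 8443, "org": "Example Cloud",
     "http": {"status": 200, "title": "Dashboard Jenkins"},
     "ssl": {"cert": {"subject": {"CN": "jenkins-dev.example.com"}}}},
    {"ip_str": "192.0.2.30", "port": 443, "org": "Example Cloud",
     "http": {"status": 200, "title": "Example Corp"},
     "ssl": {"cert": {"subject": {"CN": "www.example.com"}}}},
]


def triage(matches, known_hosts, junk_titles=("Access Denied",)):
    """Keep 200 hits whose certificate CN is outside the known inventory and
    drop the CDN error pages the post calls junk. Returns (cn, ip, port, title)."""
    findings = []
    for m in matches:
        http = m.get("http") or {}
        title = http.get("title") or ""
        if http.get("status") != 200 or any(j in title for j in junk_titles):
            continue
        cert = (m.get("ssl") or {}).get("cert") or {}
        cn = (cert.get("subject") or {}).get("CN", "")
        if cn and cn not in known_hosts:
            findings.append((cn, m["ip_str"], m["port"], title))
    return findings
```

Anything triage returns is a certificate name the inventory did not account for, which is exactly the kind of forgotten staging or dev host the rest of the post describes.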
I mentioned making sure you take note of everything you notice about your targets and look for those things on these platforms; I also noticed a few odd things while hunting on a private program.
I noticed that some assets were using firstname.lastname@example.org in their certificates. So I looked for those on one of these hacker-friendly platforms and did find some Kube instances open, which I reported to them responsibly.
Later on, I noticed that many application engineers use a staging environment to develop a new feature or something else they have been working on. So I started looking for something like ssl:"company development", and I later found a Django application that had been left open to the public.
In the same process, I also discovered a few Ruby on Rails (RoR) applications running in dev mode, but at that time no particular exploits were public (as far as I knew), so I saved them in my notes. A few days later I messaged my good friend Harsh Jaiswal about it, and later found a Rails application vulnerable to RCE.
There is no secret tool that will find all the secret/hidden assets; it is rather up to you and your observation skills. If you wish, try new things that are not part of your bug bounty methodology. Don't be afraid of trying new things, and make sure you keep notes on whatever you discover.