Transcript for:
Live Stream Lecture on Recon Data Analysis

Good morning and welcome back. I'm doing a series of live streams; I'm not full-time doing live streams anymore, but welcome back. For those of you who are new, welcome; if it's your first time, you're in for a treat. For those of you that have watched the recon streams in the past, welcome back, and thank you, as always, for being here, I really appreciate it. Let me know in the chat if you guys can hear me. I know my voice is a little raspy; I'm currently going through a little bit of a sore throat, but I can still talk, so we should be good to go. But let me know if you can see me and hear me. I'm gonna try and fix my camera; this is not a streaming camera, but we're gonna make it work.

For those of you who are new and are asking questions: I'm going to answer a couple of questions first. If you see me looking to the left, it's because that's where my chat is, and you guys are right here, so I'm just monitoring the chat. For those of you who are going to ask questions, the number one question is: what are the guests? The guests come on tomorrow and Tuesday. So if you want to hang out with me and Justin, AKA Rhynorater, tomorrow, he'll be live the same time as today. And if you're looking for Stök, Stök will be our last guest for this three-day stream that we're doing, with Tuesday being the last day. This is just for me to kind of see if I want to go back to streaming, if I want to come back and do this regularly, figure out what day works for me, what day doesn't, how often I want to do it, and so on.

If you are looking for the VOD, and if you want to watch this later on your own, this will be available on YouTube a week from today. So if you want to watch it, it will be available. For those of you who are subscribers, or if you are a Nomi on YouTube, you have access to this immediately, but for those of you who want to watch it later, it will be available the following week,
because I'm going to go on break. I won't have content coming out that following weekend, and I've got to keep you guys engaged on my YouTube channel, so it'll be posted on YouTube on whatever day it was broadcast; the next week, the same day, it's going to come out at the same time. So look out for that on my YouTube channel if you want to watch it later.

I know there's a couple of comments around the target. Yes, in a couple of seconds I'm going to say, hey, let's pick a public target on Bugcrowd or HackerOne and let's look at some recon data. I kind of want to show you the data that we have. If you haven't watched the video from Wednesday, or no, not Wednesday, tomorrow: the video comes out tomorrow, actually. Go watch tomorrow's video so you kind of get a gist of it. When you're online tomorrow, when the video comes out on YouTube, go watch it. You're gonna get a sneak preview of the video today before the video goes out, and we're going to look at some of this data that I already have with the Trickest platform.

And then one last request: if you are watching this, please keep the chat to English. I have zero tolerance for the chat not being in English, so I've given you some warnings already, but if you don't keep to that, I will have to ban you and put you on timeout. And if you throw a question in there, please do it once. I try to keep up with my chat as much as I can; please don't spam the chat, I will also have to remove you if you do that, just because I want to make sure I answer everyone's question. So if you drop a question in there and I don't answer, give it a sec; I will get to it and make sure I respond to you in the time that I can.

All right, so someone's asking: is this a three-day series only covering the recon part, or testing too? It's a mix of both, but I can't do the exploitation part publicly on a live stream. If you guys remember my last stream that we did on a target here, we found a really cool bug and somebody sniped me, someone nerd-sniped me and reported
it, and that was a really bad bug too. So for those reasons we are going to avoid, we're going to try and avoid, vulnerabilities on this public stream. But what I'm going to do eventually, as you guys have seen, is I've updated the course. So if you want to purchase the course and support the channel, please do it. The course has some perks that are going to get released in the future, and you'll get to see them. I think we're going to do some of those test things there, because one, I can't do it publicly, and B, I honestly don't have the time that I used to have back in the day when I was streaming like three, four times a week. But this is a good start for us. I am going to try and stream more and more on YouTube, or maybe not on YouTube; I don't like streaming on YouTube, but I think I'm going to start eventually streaming more on Twitch again, go back to full-time streaming on Twitch for maybe a day or two of the week, maybe do a Thursday/Friday stream when we hang out and solve some CTFs, because I missed an aspect of it. So that's that.

All right, so who are the OGs that have watched these before? I want to see some of the people that have watched my streams before. What should we do, chat, the people that know what happens on these streams? I know StBlazing, you're here; Crunch is in here, I see. I think my Twitch chat is my OG chat; this is kind of also why I want to go back to Twitch. So I don't know, maybe this week we'll stick to YouTube and Twitch, but I think I'm going to switch to Twitch full time. So for those of you that don't know what's happening, I am going to, in the next couple of seconds, say, I'm just going to say it now: chat, drop me a target that we should look at. Drop me a target in the chat. Let me know what you want to do as far as the company that we're going to look at.

Someone says "don't go on Twitch". Unfortunately, I don't like the chat on YouTube; when I used to do both YouTube and Twitch, I would just
ignore the YouTube chat, and I feel kind of rude doing it. So I just don't like streaming on YouTube, to be honest. Twitch seems to be more fun, and the audience that I have on Twitch, the crowd and community I have on Twitch, is just phenomenal, man. I love the community I built on Twitch. But we'll see, maybe I'll do both and prioritize Twitch more.

All right, I see a lot of people saying BMW, Booking, Dell. Dell has a lot. Dell, Google, not doing Google. AT&T seems like an interesting one. Dell, Netflix, FIS, DoD, more AT&T, someone trolling, I'm not even going to bother with that. FIS, Reddit, Circle, AT&T. All right, so here's our option, chat, ready? Let me just make sure my data works on this one, one sec. Keep posting your targets in the chat; I'm going to try something really quick, because we already have scanned most of these targets, so we can do more. Let me see, that would be a good one. Okay, so I have data already. What do you guys think, chat? Okay, if you are down to do Dell, drop me a one in the chat. If you want to watch Dell, drop me a one in the chat, so I know how many of you guys want to do Dell. I see the million ones coming in from the same person. I can't do a Twitch poll because I'm also on YouTube, Mr. Muddy Pants; that's why I'm doing the chat thing instead. All right, how about this: today we'll do Dell, because there's a lot of you guys asking for Dell, and then tomorrow, actually, let me see if I can do a poll online. Let's see if I can find a poll online, a free poll maker; is it free? I've got to sign up? Yeah, I guess. Okay, we're going to do Dell today because a lot of you guys asked for it. I already have data on Dell that's pretty decent, so let's jump into it; I think that would be the way to go. I can't do Amazon because I don't think a recon approach on Amazon is the right thing to do, especially with Amazon
having Amazon AWS as a subdomain, or AWS on Amazon. I don't want to do Amazon; it's just a slippery slope. Also, I think if you're hacking on Amazon, the main app is a better place to spend your time than recon. All right, anybody here have any vulnerabilities on Dell already?

All right, so I'm going to share the screen. We're going to go over here, there we go, this one, there we go, perfect. All right, so for those of you guys who want to watch this: this is free. This is in partnership with the amazing team at Trickest. We are organizing a scan of these targets; it is already available. So if you want to, just sign up: you go to trickest.io, you sign up for an account, click on here, go to Solutions, go to Public, and click on the public data that they have, and you can get access to this data in a number of different ways. If you want to do DNS stuff, you have access to DNS stuff; if you want to get access to just HTTP records, under web server information there's also the web server data. For this one you guys wanted to look at the data from Dell, so we're going to do "hostname is dell.com" and see what comes up. Oh, it's not hostname, it is host. It's also not host, hold on, let me refresh this data. Go away. It's URL, there we go. So we're going to say "URL has". I've never hacked on Dell, so if you guys know anything interesting about Dell, please let me know.

This is not a sponsor sham; I did not do any exchange of money for this at all. It is something that we've worked on with them. This is free data; you can access this for free, you don't have to pay for this, this is 100% free, you're not paying for any of this at all. We just partnered together, and if you look at my five-week program, we did the scan for a couple of programs; now we've scanned the entire bug bounty ecosystem with it. So stop jumping to "this is sponsored"; it's not a sponsorship, it's a partnership, because there's a lot of data, and a lot of times when I used to do these streams people would ask me for my data
afterwards, and this is like the easiest way to share that data. So if you guys want to use it, it is completely free. You can also get access to this, so if you want to find a bug while we're hacking, we can do this together.

So the thing that I like about this is we have all these domains that we can use; there are about a good 1,800 domains that we can use with this. The problem becomes: where do we focus? I think a good approach would be, first, let's clean up this data. Let's see, we'll keep the data; I don't care about the content type. I'm just going to remove some of this data. I want to remove, can I remove the content type? There we go. Oh, I've got to do the whole thing again. Okay, so what data do we care about? I want to see the URL. I think the final URL would be good to have at the end. Oh, we could do port, because I want to see what ports have been scanned on these. My data, I mean, it's just, you know, stuff that you would get with something like httpx or a stack like that. I'm going to do the title, because I think the title will be interesting for us to take a look at. Add title. I wish I could minimize some of these though, like drag it. And then we'll do the response code; is there another? There was one here, let's see. Oh, there we go: status, status code is what we want. Okay, so this is what we have. I'm going to sort by title to see if anything comes up really quick. Okay, there we go. So now we can actually search this data for whatever we please.

And then I have my box right here that is downloading, oh, it's actually done, nice. Okay, so, can you see this, chat? Yeah, you can. Okay, so if you want to do brute forcing, we can brute force stuff. I'm using the Assetnote wordlist for this, so if you guys want to follow along, that's where you can get your hands on the wordlist; it's just the Assetnote wordlist, you can look it up. And here, zoomed in, cool.

So, all right, let's look at some titles. I
want to try and avoid finding obvious vulns. But what are we looking for? Titles: maybe login apps. I'm going to give you guys some advice on how to look for bugs on these. Let me see: "title has", maybe there's no login for these. Really, nothing with "login"? Okay, "nginx", there's one. Let's see what this looks like. Okay, okay, this is accurate, okay, cool.

What I want to do is, so, I think the title is, honestly, a lot of you guys look for a lot of like recon stuff, and I don't like doing that. I don't want to do full automation for these. I think we should look at this data and kind of understand what assets we hack on. So obviously I don't want VMware stuff; I'm just gonna do "title doesn't equal VMware". Can I do this? Maybe "does anything contain VMware"? Is that how I spell VMware? So we can filter for those; hopefully this works. There we go. Okay, I have to do the whole thing. I don't want to see VMware Horizon, so I'm going to do that; that gets rid of those.

The stuff that is cool to me is the sign-on ones. Oh [ __ ], OG stream, we're gonna spill coffee all over again. All right, I wish SecB was here, you would remember those; if you guys remember, the coffee streams were fun. Put it here. But the things that look interesting to me are stuff like, well, not this one, login for example. So if I go to this asset right here, there's something in front of login. This one obviously requires us to do an Azure login, but we can also see if there's anything cached on here. Look at home, reset password is like this; it's a mobile one. What if we can do something like, maybe, I don't think we're going to have a login or register on here, but my favorite thing recently with a lot of the bug bounties that I've done, and I've been hacking on recently, I've been hacking a lot of public programs. Somebody called me out not too long ago saying, hey, try to see how hard it is to hack on public programs, and this is why
this concept, or this idea, has come back. So a lot of the things that I like to do is look for applications like this one that allow you to sign in and stuff like that. Those are the ones that you're going to have the most success with. I want to play some music for you guys quick. The ones that you're going to get out of, because one, this, it's a little bit harder to find, game I'm sure, but when you find something like, a lot of people, like 0% of you guys, because a lot of times... "mic is cutting out"? Let me turn the music off here; that's why. Okay, let me know if that fixes it. Your mic is good? Bad? Are we good? Okay, so I think it's the music that I was playing.

Okay, so a lot of the things that I see with a lot of bug bounty hunters, as I was saying about this, is a lot of you give up here. You don't look for a way in just because the UI doesn't show a login, right? So, you know, one of the things I suggest doing sometimes with this is looking to see if you can sign up, or abuse the forgot password. I don't want to do this on stream. But the other thing is, let me see if I have shortscan here. I do have shortscan, okay. This looks like it's a Windows server, so we're going to do a curl really quick and see what comes out with curl. When we do the -I, it's going to dump the headers here, so if this is a Windows server it would give us an IIS server header. It doesn't; it would give us an indication that it is IIS. The only reason why I think this may be a Windows machine is because when I do view source, this icon right here is very much a Windows-like application. So I'm just going to feed it to shortscan. I could be wrong, I'm more likely wrong, but I'm going to give it to shortscan. Shortscan is a Windows box scan; if it works, I'll explain it. So it is IIS 10, it may be vulnerable, let's see. Oh, it did say IIS and I missed it. Okay, so the shortscan is a vulnerability that looks at, okay, this one wasn't vulnerable; it looks at
like the first four, is it one, two, three, four? The first letters of the file name, and if it exists, it tells you, hey, I found this, you know, and you can enumerate based on that. I want to find a live example so I can explain it better, but this is something that I would do. So with this one I'm just going to call out things you guys could watch and do on your own, and hopefully you find some stuff. But this will probably ask us for a Dell email address, so this would probably require us to know a username or a vendor to see how this works. I'm not going to do that, but there are ways you can do this, really easy ways, honestly. So that's one that I would check.

But let's go next; we have a lot of assets we can look at. I am going to do some brute forcing. Oh, "demo@domain"? Okay, I've got to try that now. Someone said demo@domain; let me do this, I like that actually. Give me one sec, let me live recon. Okay, I'm going to make a profile for live recon so I can put stuff right here, and so we can have the data. What site was that? It was the PMJ one, right? It was something PMJ, there we go. So let's try demo. I don't think demo is going to work, because it seems like, I'm going to love it if it works. "We couldn't find your email." One of the easy ways to do this is just find someone using first name and last name and try it out, but this flow is a good place to check. We're going to come back, we're going to go back to this.

For people asking again if this will be available on VODs: yes, it will be available a week after it's been streamed. So if you're watching this today, it will be available, maybe today next week. No, no, I've got to keep it consistent: next week it will be available. Okay, I'm going on vacation starting Tuesday and you guys won't be getting any new content from me, so I'm going to kind of resurface some of my old content while I'm out. Also, if you've been subscribing on Twitch, shout-outs to you, I really appreciate it. I'm
gonna pull it up really quick so I can give you a shout-out. God, I can't log into my Twitch; let me log in really quick, because I know a lot of you guys support the channel and I want to make sure I give you guys a shout-out. I am also going to try and figure out my rig and bring back OBS streaming and not this janky stream I've got; I've got to get a new PC that's not for gaming. We had a hype train going on. Ox Crunch, thank you so much, man, I appreciate you. TMP Camber, shout-outs to you, thank you so much. Thank you for the bits, Crunch, I really appreciate it, big thank you to you, man. And Psycho4, thank you so much. I appreciate it, guys, thank you so much. Let's go.

All right, so back to it. Let's look for more login things. So, okay, a couple other things, like these ones that are 404; let's address these for now. I'm going to do "title is equal to 404", or it has a regex for 404. Okay, these ones, don't give up; I love looking at these, by the way. So something like this, what I would do is go into here. Let me find a good wordlist really quick. Automated, oh [ __ ], there's a lot of them in here. Wait, I have this one. No, no, no, hold on, I have this one. I'm going to use the OneListForAll. So we're going to do an ffuf; we're going to use the OneListForAll. This is by reconftw, six2dez, I can't think of their name off the top of my head, but whoever wrote that tool, it's from their repository. It's a pretty good one; I've been using it with some of my other ones.

Yeah, sorry, the camera dies on me sometimes. I'm going to take the camera off for now. Yeah, unfortunately for you guys, I'm no longer a full-time streamer, so my camera goes out; I don't have a rig for it. The camera, there we go, so now we can see. No, my mic is working, I'm just not talking, chat. I'm just waiting for this to go through. Okay, so now we can see this is still going. Oh, this is Office 365; maybe it's a bad idea to go for it.
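To make the shortscan idea from above concrete from the defender's side, here is an added Python example that is not code from the stream or from the shortscan project. It shows what a Windows 8.3 short name reveals about a long file name (a simplified version of the generation rule; the `~2`, `~3` collision cases are ignored) and flags clients whose requests in a constructed IIS W3C log excerpt look like short-name probing.

```python
import re
from collections import defaultdict

# Characters Windows allows in an 8.3 short name (letters, digits and a few symbols).
_83_CHARS = r"A-Z0-9$%'\-_@~`!(){}^#&"
VALID_83 = re.compile(rf"^[{_83_CHARS}]{{1,8}}(\.[{_83_CHARS}]{{1,3}})?$")
# A tilde followed by a digit is the marker of a generated short name (NAME~1.EXT).
TILDE_MARKER = re.compile(r"~[1-9]")


def shortname_of(name):
    """Simplified Windows 8.3 short-name generation (assumption: no ~2/~3 collisions).

    Shows what a short-name probe can learn: at most the first six characters of
    the base name and the first three of the last extension.
    """
    upper = name.upper()
    if VALID_83.match(upper):
        return upper  # already a valid 8.3 name, so no separate short name exists
    base, dot, ext = upper.rpartition(".")
    if not dot:
        base, ext = upper, ""
    strip = lambda s: re.sub(rf"[^{_83_CHARS}]", "", s)
    base6 = strip(base.replace(".", ""))[:6]
    ext3 = strip(ext)[:3]
    return f"{base6}~1.{ext3}" if ext3 else f"{base6}~1"


# Constructed IIS W3C log excerpt (made up for this example, not from any real server).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-01 10:00:00 10.0.0.5 GET /index.aspx - 443 203.0.113.7 200
2024-01-01 10:00:01 10.0.0.5 GET /a*~1*/.aspx - 443 198.51.100.9 404
2024-01-01 10:00:01 10.0.0.5 OPTIONS /b*~1*/.aspx - 443 198.51.100.9 400
2024-01-01 10:00:02 10.0.0.5 GET /ab*~1*/.aspx - 443 198.51.100.9 404
2024-01-01 10:00:02 10.0.0.5 GET /ad*~1*/.aspx - 443 198.51.100.9 400
2024-01-01 10:00:03 10.0.0.5 GET /adm*~1*/.aspx - 443 198.51.100.9 404
2024-01-01 10:00:04 10.0.0.5 GET /login.aspx - 443 203.0.113.7 200
2024-01-01 10:00:05 10.0.0.5 GET /backup~1.zip - 443 198.51.100.9 404
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def find_shortname_probes(rows, threshold=3):
    """Clients whose URI stems carry a NAME~N marker at least `threshold` times.

    Differing 404/400 answers to such paths are the behaviour the scanner relies
    on, so the per-client status breakdown is returned for the analyst.
    """
    per_ip = defaultdict(lambda: {"probes": 0, "statuses": defaultdict(int)})
    for row in rows:
        if TILDE_MARKER.search(row.get("cs-uri-stem", "")):
            entry = per_ip[row["c-ip"]]
            entry["probes"] += 1
            entry["statuses"][row["sc-status"]] += 1
    return {ip: {"probes": v["probes"], "statuses": dict(v["statuses"])}
            for ip, v in per_ip.items() if v["probes"] >= threshold}


if __name__ == "__main__":
    for name in ("readme.txt", "wp-config.php.bak", "index.aspx"):
        print(f"{name:20} -> {shortname_of(name)}")
    for ip, entry in find_shortname_probes(parse_w3c(SAMPLE_IIS_LOG)).items():
        print(ip, entry)
```

Disabling 8.3 name creation on the web root volume (`fsutil 8dot3name`) removes what the probe can learn; the log check above tells you whether anyone has been looking.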
But a lot of times, also, chat, I would recommend going and digging into them. So we're going to do it right here; let's see what this looks like. Oh, it's an Apache Tomcat too, nice. Okay, I don't mind that. Let's see. So I like doing this: see, right here, the difference is, if you go to this, nothing shows up, right? B2B, it's a B2B whatever; no way to guess this URL for it, right? I mean, it also looks like this one doesn't work either, though. But that is a great way to find results of people sharing their content from this. So it looks like there's a production portal for B2B visibility; it's been removed, it looks like. Where'd it go? There we go, there it is. So one of the things that I recommend doing is looking for these on Google. A lot of people don't do this for some reason; I don't know why you guys give up. And then you can see, I don't think this is going to be valid, but also, if you think about it, it's also a pre-production server, but also this gives us other sites to look at. What is this website? So this one is Dell; I'm assuming this is something somebody else operates with them.

Yeah, I mean, so I'm doing this request; I'm not threading it really high. You can also drop the threads if you want to, but yeah, if you do that many requests you might get blocked by the WAF, if they have one. There's also not a user agent on this, so we may be missing stuff. Again, this is more for entertainment and educational purposes, but if you're doing this for yourself you should for sure set a user agent. So look at what your user agent is on your machine, throw it on there, and then you can also lower the threads if you want to. I don't like random agent, I don't know why; that's also an option. You can do this, I don't like it, but that's an option. Honestly, I can't find it. Yes, that's an option.

But the thing that I was saying about this is, I don't know what this GXS is, but you can see this is just, you know, trying this one time:
take this URL, throw it in Google and see what comes up. You can do this with all of them. It's just something that I've gotten in the habit of doing, especially if something stands out to me, like this says something "infra", right? So I'm going to go to it; it comes back with nothing. I want to look for it and see what comes up. So it looks like some other companies have found this. Let's see what bgp.tools has on this. Nothing, but it's a really good one to look for stuff like that. Honestly, you should keep that as a habit; this should be something you guys do as a habit. Oops, that makes sense.

All right: "for bug bounty purposes, should we not include a custom header?" Yes, you should. Does Dell require that? Because if they do, whoops, I'll keep that in mind for the next one. But also, okay, so also to be fair, I'm not sending any payloads, I'm just browsing stuff. Also, yes, El, thank you so much for the resub with Prime, thank you so much, I appreciate it, thank you, thank you, thank you.

Okay, so that's one option of things to do with these assets that give you 404. Oh no, did I close the asset? No, there we go. Okay, so that's one option to do things with the 404s, but I'm going to just remove these and say I don't want to see things that have 404 in them. Hopefully that removes it, because it's not regex; can I do "not regex"? Let me see, does it support that? Oh, it does, hell yeah. Okay, so now we have an even better focus on these applications. So let's see what else is on here. I'm going to just look at this data. If you guys have this open, actually, does anybody have this open? You can let me know in the chat if you're looking at this data with me. If you are, let me know what you find on here, because I'm curious to see if you guys find something interesting too.

So I love to go to Atlassian and Jira. Where'd it go? Shoot, let's see. Oh my God, why do I keep copying this? This is what I want. Okay, does this redirect? No. I don't have any of my mods in here, do I? I do not. I'm gonna update
that channel real quick. "Hacking"? They call it hacking; I want to say bug bounty so we don't get banned. All right, there we go, and we are updated. Okay, so, no, you're one of the, wait, you're not a mod on here? That's a thing. Crunch, somehow you managed to get mod on Discord but not on here. So there we go.

So let's look at more of these. This is, if you're not sure with Atlassian, I think there's got to be an Atlassian one; let's see if HackTricks has anything on this. I changed that for you, Crunch, by the way. So if you don't know about hacking Jira stuff, one of the things is there's a lot of misconfigurations around Jira. I don't know if they have them, actually; let's do HackerOne then. HackerOne, "jira exposed", site is hackerone.com. So a lot of times people post these on here. There's a lot of routes. I don't do these anymore; I know a lot of people that are really good at it. Let's see if we can find anything. There's a couple of sections out there, so you can hit, and once you hit these endpoints on Jira, it could also leak more information, for example about this target. I don't know if it's a good idea to do this; let's see if browse works. It doesn't. So there's a browse; there's also a dashboard you can hit. I haven't done this in years; I'd have to log into HackerOne to pull those. But when it comes down to Jira and Atlassian products, a lot of times there are misconfigurations. This is a really good place to, you know, I mean, HackerOne has really good data on this stuff; I would look for those too. So that's just Jira itself, not something that I do anymore.

A lot of my stuff is, I look for, like, I literally sit here for a couple of minutes looking at content or assets that are in here and then finding one that I want to hack on. Let's see what this virtual rack is. Let's see, okay, let's see what we find on here. Analytics, what does this do? Does it change something? Yes, it does. What is the request that it sends? Let me change stuff in here. So if I refresh, okay,
let's go back and try this again. What is the request that it sends when I push this button? Is it a POST request or a GET request? Was that the original site we're on? Yeah, it is, Dell Solutions. This doesn't seem to have anything as far as data goes, but it doesn't mean that there is no vulnerability on here. What is the setting? That JSON, garbage, okay. One of the things, so for a lot of you guys that are new, one of the things that I've always done, and it's a good habit to get into, is to also have this open when you browse. So right off the bat I can see the JavaScript file for this doesn't have an API call; I can see it immediately. Let's see if we can do this; maybe there's an "about". Is there a POST anywhere? Nope. Path? Is that? No. So I have this open so I can see what happens in the background. I don't think this site is going to have too much for us to look at. All these JSON files are kind of sus, but there's nothing in them.

Okay, let's see what this 404 looks like, and let's do a curl to see what the site looks like too. So we're going to do curl -I and put that on there, and WP Engine, so wait, is this a WordPress site? It is a WordPress site; I didn't see that. Okay, well, I hate WordPress sites. So for WordPress sites, for a lot of you guys watching, for WordPress there's so much you can do. The first thing is looking at all of the different themes and looking at the different plugins they use. You can use something like WPScan to scan this; I hate doing that, I just hate hacking on WordPress, but I know a lot of people do. So this one, there's a plugin called WP Smush. readme.txt? Maybe .md? No. A lot of times they leave that behind. There we go. Okay, so we can see immediately what this is; we can see the version of this is this. So if I look up "smush WordPress vulnerabilities", if there is one, which it looks like WP Smush has a vulnerability right here, it goes
to Patchstack, also one of our former NahamCon sponsors. It looks like there's something here: lazy load image optimizer. Images World has something on it too; also shout-outs to them, they've been a big part of the channel. So this is where you start looking for vulnerabilities. If you don't want to use something like WPScan, you can literally go to readme.txt; you have all these different plugins, and sometimes they're dumb enough to leave this open, but not here apparently. Is there an uploads directory maybe? Let's see, uploads, no. Okay, also the other thing is, if you have a good PHP wordlist; I wonder if the wordlist from Assetnote has a good one. Let's see, wordlists data, is there a PHP one? Let's see, PHP, oops, oh, because it's automated, I go to automated and then we look at PHP. So now there are a lot of good PHP ones that you can use. So there's one very recent we can try out, so we can go, the URL is this. The other thing that I recommend doing a lot of times is, what am I missing? ffuf, oh, not you, it's -w. If you have a good, oh nope, not doing that, if you have a good wordlist that has dot files and configuration files, it's a good one. Maybe if you have a good one for config files; a lot of times people have the wp-config.php
.bak open sometimes; you can also look for those. That's just WordPress in a nutshell.

Let's get some juicier stuff that we can find than this. Maybe we can do, let's see, stuff that has a redirect. So I'm going to look at the stuff that has a status, "status code is equal to 301". We'll start with 301 for now. Nothing. 302, oops, 302. All right, so these are the ones that are redirecting, and we can see where they get redirected to. Sometimes it's redirected to its own thing, which is half of these, pretty much, but let's see where they redirect you when you open them. But also a lot of them are regional, right? It's the same thing, so that may not be that interesting here. But the thing that I look for a lot of times in the 300s, like 302, 301, is they redirect to a login a lot of times, so you can see they're going to a login page, they're going to a sign-up page of some sort, like that. Those are really, really cool to look at. I wonder if it can just do "3" and see, no, nothing comes up. Oh, let's see, that's "300", like that, "30", that doesn't work. Oh, it's "greater than 300" maybe, let's see; ah, doesn't work. Okay, but I usually look for the 300s because they're really, really cool, and the redirects are the ones that I care about, to see where they end up going.

All right, chat, what else are we looking at? Give me some ideas; what do we want to look at on this data? Also, while I have you guys here, while I have everybody here, there is a large number of you guys watching on YouTube. If you're watching this on YouTube, I need you to go right here on the YouTube channel and just hit that like. Right now it's 194; it would help get more people involved in watching this. Just click on that. Let's get to like 225, so more and more people see this; there's a lot of you guys watching on YouTube, so if all of you guys actually click that, it'll be a giant number. There are 356 of you watching. Okay, so we can also look at headers. Yes, we can do that.
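As an added example (not the stream's own tooling and not a WPScan or Patchstack component), here is a Python check for the WordPress readme.txt version disclosure discussed above: it parses the `Stable tag` out of a constructed plugin readme, compares it with a placeholder advisory table, and lists the leftover config-file names (like the wp-config.php.bak mentioned above) worth confirming are not readable on a site you administer. The plugin name, slug, versions and advisory entry are all made up.

```python
import re

# Constructed readme.txt excerpt in the WordPress.org plugin readme format
# (made-up plugin and versions, not the real WP Smush readme).
SAMPLE_README = """\
=== Example Image Optimizer ===
Contributors: exampledev
Tags: images, optimization
Requires at least: 5.0
Tested up to: 6.3
Stable tag: 3.12.4
License: GPLv2 or later

== Description ==
Compresses images on upload.
"""

# Constructed advisory table: plugin slug -> first version that carries the fix.
# Placeholder values; a real check would use the vendor or Patchstack advisory.
FIXED_IN = {"example-image-optimizer": "3.13.0"}

# Backup/leftover names that expose credentials when they are left web-readable.
LEFTOVER_CONFIG_NAMES = ("wp-config.php.bak", "wp-config.php.old", "wp-config.php~", ".env")


def readme_url(base_url, slug):
    """Public readme location that discloses a plugin's version when left readable."""
    return f"{base_url.rstrip('/')}/wp-content/plugins/{slug}/readme.txt"


def leftover_config_urls(base_url):
    """Site-root locations to confirm are NOT readable on a site you administer."""
    root = base_url.rstrip("/")
    return [f"{root}/{name}" for name in LEFTOVER_CONFIG_NAMES]


def parse_readme(text):
    """Pull the name and version fields out of a WordPress plugin readme."""
    info = {}
    for line in text.splitlines():
        name = re.match(r"^=== (.+?) ===", line)
        if name:
            info["name"] = name.group(1)
            continue
        field = re.match(r"^(Stable tag|Tested up to|Requires at least):\s*(\S+)", line)
        if field:
            info[field.group(1)] = field.group(2)
    return info


def version_tuple(version):
    """Numeric tuple for comparisons: '3.12.4' -> (3, 12, 4); non-digit parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def assess_plugin(slug, readme_text, fixed_in=FIXED_IN):
    """Compare the version disclosed by readme.txt with the advisory table."""
    info = parse_readme(readme_text)
    installed = info.get("Stable tag")
    result = {"slug": slug, "name": info.get("name"), "installed": installed}
    if installed is None or installed.lower() == "trunk":
        result["outdated"] = None  # version not disclosed; nothing to compare
    elif slug not in fixed_in:
        result["outdated"] = None  # no advisory entry for this plugin
    else:
        result["fixed_in"] = fixed_in[slug]
        result["outdated"] = version_tuple(installed) < version_tuple(fixed_in[slug])
    return result


if __name__ == "__main__":
    print(readme_url("https://blog.example.com", "example-image-optimizer"))
    print(assess_plugin("example-image-optimizer", SAMPLE_README))
    print(leftover_config_urls("https://blog.example.com"))
```

On the defensive side, a web-server rule that denies direct reads of plugin readme.txt files and of `wp-config.php.*` variants removes both disclosures without touching the plugins themselves.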
And header: somebody wants to see Set-Cookie. Let's see if we find anything. I want to see why you want to see Set-Cookie; I want to hear this. Set-Cookie, that cookie. I can do, hmm, attention, this is not a Google thing, so is it like this? There we go. Oh, okay, I see what you're doing there. So it's kind of like finding other logins too; it also helps us find that. Also, misconfigurations can get, oh, because it sets a cookie right away when you log in, okay, that's interesting. Okay, let's look at it. Oops, and holy crap, you guys went from 196 to 266 likes from that. So I appreciate it, thank you so much, chat.

All right, so let's see what "Global Customer Portal Transaction" is. Okay, I could get behind that, let's see what this is. But this goes to SFS, so you check for a status; what's the point of it though? I don't get it. Okay, let's see what happens here in the background. There's the /ui, looks like there's nothing in it. See, what's interesting is when you go to this, it takes you to, it goes to a login, you see that, chat? And then, is it just authenticating us already? Is that why? What if I do 200 instead of 300? Ah, okay. Let's see if we can brute force just really quick. I'm going to start at the root level of this, and then I'm going to do one wordlist that I have; I'm going to make it just vanilla. Wait, this will also help us prevent finding garbage on it. But let's see, let me see what Camber is telling me: "sometimes there's misconfs", I saw that, "but the Set-Cookie, maybe you can see more". Oh, so you take that value if it's set and then you try to authenticate with it again, even if it redirects you. What the hell is that? That can't be a real file, but it gives us a different error though. Oh, this is Salesforce. Oh, okay, well, I am not touching this; this is Salesforce. Okay, well, we'll try another one. I don't want to do Salesforce stuff because, one, we're not going after Salesforce's infrastructure; I don't want to do that. Yes, the POST thing is also very, very valid, but one
of the things that I do... There's an L on "final", yeah, but I mean either way I don't want to touch that with this because it's WordPress. And I mean we can hit XML... yeah, it's the same thing. I don't want to touch it because it's not a... and they may say it's out of scope and then I don't want to make people... yeah. So the POST method thing, I agree, but I did a lot more on API than anything else. Let's do one more. I want to see what's on these. Let's see what this is, it has "prod" in it. Let's see, I'm going to go to it too, right? Hold on, here we go. So you go to this, it sends you to an employee or partner login. Wait, hold on, I want to see what... wait wait wait wait, this is what I want. So remember when I was talking about redirects? Let's look at anything that redirects to this. So I'm going to go in here, I'm going to open up another one of these.

"Can you tell me what you're looking at, the networking tab?" Yes, give me one second, I'm going to show that to you, one second. The networking tab is just a habit that I have, it's just force of habit. I have it open here so I can see what calls are being made. So I can see, like, if I go here it's making this authorization call. If I want to test for, for example, open redirect on this, I can see it on the right-hand side without having to use Burp Suite. If you look, I don't even have Burp Suite open right now, so it helps. I have both, right, but let's look at this really quick. So we're looking at the data here and I'm going to say I want to look for headers. I have the Location header, which is redirecting, set to this. We don't have to even put "location", we can just put "header has this keyword in it". It'll probably come up. So let's see. So there's a couple of them that have this website that is redirecting. We can look at the headers for it, but it doesn't matter; if we go to it, more than likely it will redirect us. It doesn't? What the hell. So one of the things, the reason why I do that, chat, is if you look at anything
that has, behind it, an SSO, like maybe it's behind OneLogin, maybe behind their own version of SSO, right, like this one. What I do is I look for those websites, because that indicates that that website is supposed to be only accessible to an internal user, or maybe it's a partner, or it requires login. Sometimes the SSO is available to you. That's a good way to enumerate login-required websites. Does that make sense? This is not going to find anything, I'm just going to leave it. What does this look like? What does this look like? Let's see if anything redirects to Dell Identity. Let's see if that theory that we just talked about with the redirects also works. Like, yes, I would love to show that to you guys. No, it's a bummer. Okay.

Employees and vendors, you can also create an account. So this is really... should we, chat? What do we do, do we create an account and try it out? bugbounty... hsec... whoops, test. I wonder if it's going to let me just create one without a number. So we're going to do that, test@gmail.com. Love it. Okay, maybe I could do test+1. It's going to require us to verify ourselves. Okay, let's make it a real one, let me make a real one real quick. Someone asked if the data on here is available to other people: yes, it is available for free, you can search for free as well. Let me just quickly log in here, let's see what we get access to. I am just making an account off stream, chat. Hopefully I got an account; I haven't gotten a code just yet. I don't want to send this to the chat... it's not working. All right, I'm going to try one more time. If it doesn't work, if it doesn't work, it's not meant to be. Let's see in my spam folder. Nothing. Okay, there we go, there it is. Oh, it took a long minute to get here, so we got to give it a sec chat. Another account, one sec. The link for the recon data there is just trickest.io, all you have to do is just go log in here. I'm going to put it in this Twitch chat since you asked, but you have to log
in, that's about it. You get access to it for free. Okay, give me one sec chat, I'm waiting for this account to come in and we should be good to go. One of these sign-up submit forms I want to know... see, while we wait, oh, this is a different form though. See how, chat? I want to make another account off stream for this one too, just to try it. And the funny thing is I just made the same email account on this website, this is wwwp. I wonder if... oh, this is also going to ask us for an OTP. Okay, the OTP takes forever to come in. I feel like... I'm not sure why I have not gotten it yet. I'm just going to give it a sec. While we wait we're going to keep looking at this though. But the funny thing is neither one of these sites looks to see if the email exists, so I'm assuming that they're just different databases and different sites, I'm not sure. I'm also hiding this because my email is in there, so it will come up on the stream. As soon as they send me a freaking OTP. That's so annoying, dude. All right, let me see if this works. Let's see if we can bypass OTP. Nope. Okay, one of them came in. Okay, the other one just came in. They're very behind for their OTP though, holy crap. Okay, please don't dox me. Okay, they ask you a lot of questions, I'm just going to, bam, submit.

Okay, so what was the site that we were looking at that sent us to this? It was this one, right? Let's see now if we can access this site. So even though this site may not be meant for us, chat, let me see again, this may be something that they don't want us to have access to. Because we signed up? What the [ __ ], because we signed up? Wait a second, if I go to this... so when you go to it unregistered it goes to this, right, when you're not registered it goes to that. If you go to it when you're registered it doesn't show you anything. Do I have waybackurls in here? Oops. Do this, echo. Do I have waybackurls on this host? No. getallurls? No. Do I have waybackurls? Okay, let's install waybackurls, because I think this is interesting. Anyone caught on to what I was talking
about? waybackurls, when you are not registered it sends you to a login page, or sorry, not a login page, what, hold on. So when you're not logged... oh no, I removed my entire Go folder, I don't even have Go on here. Okay, hold on. Okay, so we're going to do this this way. I just want to see if waybackurls is going to have anything on this. When I was not logged in and I went to this site it was sending us to register, because it was looking at whether or not we have any cookies set, but when you hit it authenticated... ah, nothing. When you hit it authenticated it shows you this, which is kind of strange if you ask me. Let's see what the preview for this looks like. That is a bit strange. No. All right, let's see. This is where Caido comes into play. Let's see, going to do this one, we're going to go to scope, we're going to go to intercept, we're going to... I can't do it on this one, hold on, I got to do a different browser. Okay, let me see, I want to see if I can figure this out. Let me log into this one too really quick chat, one sec. I'm going to explain my thoughts really quick, one sec.

Okay, so now that we are logged in, if I refresh this, is there going to be any cookie header? So if I remove this then what happens? Let's see. That's a really big cookie header too. Remove it. No. Okay, so if you remove it and send the request it sends you to this, if you follow the redirect it goes to this and then it sends you back to login, right? So what I want to do here now is I want to go into using ffuf on this site and we're going to set a cookie header. Cookie is... let me see, yeah, so we're going to do Cookie is this, which is huge, and see if it finds anything now that we're authenticated. I'm going to try and see what the chat has been saying, one sec chat, sorry. All right, let me see. "Caido seems with Burp?" No, I'm just using Caido, my proxy is called burp. Do they update this public data set every day with new data sets? They don't do it every day, but they do it often, I'm not sure how often though. Where are those
automated wordlist generators from? They are from the Assetnote wordlists, so all you have to type in is "assetnote wordlist" and it will come up. So I don't think this is going to find us anything. The reason why I added a header is: if you go to this, this is us authenticated to the website; this is me unauthenticated to this website. If you're not authenticated it sends you to dell.com, it says hey, either sign up for an account or sign in, right? This is unauthenticated. But if you are authenticated, like this browser, when you go to this website it brings you to here and it says hey, there's nothing for you to be looking at. I think there is something on this website that we don't know the route for. So if I look for it... either I can't find it... so I think there is something on here, because the behavior when unauthenticated and authenticated is very, very different. Does that make sense? Motivation, I think that's what you asked... no, that's... I see you were the person to ask that. Does that make sense? So it just looks interesting because there is a check happening here and based on that check it is showing us different content, and I really wish there was something we could find on here, because honestly I don't know what's checking for it, because the behavior on this is just really weird. Maybe what if we go to... what's... let's see, yeah, it should by default send us to that, right? But anyhow, that's another option of things to look at. But now we have an account though, now we at least have an account to play on this site. Let me try one more, see if this OTP works. All right, I'm waiting for another OTP on this other site. I don't think it's going to send us anything. The other option with a lot of these sites also, chat, is something that I didn't try, which was looking and seeing if we can sign up for an account with an @dell.com address, for example, and see how that behaves. Also thank you so much Jing, I really appreciate all the love and the
bits, thank you so much, I really appreciate it, thank you, thank you. The recon streams, I'm not sure if I'm going to do them as often as I used to, but this is an attempt to see if I want to go back to it, and if I want to do more of these. More than likely I'm going to go more for these, but we'll see. Okay. Do you have any bug bounty live courses? No, I have a bug bounty course that may have some live stuff, but I just can't discuss that just yet. But if you want to sign up for the course there should be a link somewhere in the chat. So my main goal is to find sign-up pages, because that gives me just an understanding that that site has functionality, it has per-user functionality that could be behind an API, it could be user data, there's a reason why it's behind login, right? So I look for those. All right, I'm going to take a bite of my food that's been sitting here for a minute, give me one sec. You guys want some food ASMR? Okay. What else are we looking at, chat? Sorry, I don't want to be loud in the mic while I eat. That's also interesting, it's a big one though, I can't bypass that, but it's interesting that it says... hold on, no, it was something else. Non-Dell user, maybe? Oh, love this: create an account. All right, let's do it. Okay chat, somebody do this and somebody do this, tell me if you find something interesting on here. So this site allows you to log in: a Dell user goes through Ping Identity; if you do non-Dell user it lets you sign up. I'm going to see if my other email account works. If it does, we'll try it out; if not, somebody should try it and see what you guys find. There's a lot of good leads on this so I hope people are... yeah, it's another account, just not the same one as we signed up with earlier. So I hope a lot of you guys are looking at these. Holy crap, I see a couple of the members are in here. What's up Sebastian, what's up Mark, how you doing? All right, let's go into... we haven't gotten past the first page just yet, chat, we've only had one
page so far. What I'd say also: "and title is not GlobalProtect", I hate those. I'm looking for ASA, just a test. We're doing a wide recon right now, so yeah, I'm looking for just... we're doing a wide recon right now to find assets that could be interesting. I'm just calling out what I would do for those of you that actually listen to what I have to say. Some of you, I know, watch this for entertainment, which is completely fine, and there's a small number of you guys that watch this for vulnerabilities, so I'm doing call-outs of what I would do if I was testing these sites. Okay, we don't need this one. Okay, so let's see what else is on here. We got a good, like, hour left. And yes, everyone asking if this is going to be available: yes, it will be available a week from today if you want to watch it later. So let's see what else is on here. So the test vault stuff we don't care about. "Site official Dell Brazil", let's go to the next one. And also keep in mind these are mostly sites that are behind login. Let me see if we can do browse, maybe. No, no, it doesn't let us. Okay, just remember this: we are just looking for stuff that could be behind the login right now.

Oh, IIS, let's try it. Let's see if shortscan works here, let's do a shortscan. Why... connection... oh, did I get banned? Oh no. Okay, no, it's not just me, okay, I thought maybe I got banned. Oh, we can do... let's get the headers for IIS. What do you think chat, should we do that? Nothing with IIS, really? Oh wait, there we go, it took a while. Okay, let's look at some of these and see what these have. Keep copying the wrong thing. Ooh, vulnerable too, perfect. Let's say goodbye to this while this scans. This is where it gets really, really hard to figure out what these are, what could be here, chat. Okay, sorry chat, I'm done eating, I was starving. Well, thanks motivation, "getting fatter and fatter", that's very rich. Anyway, so there's a couple of interesting things here, like it says "enter", "enterp", which is probably Enterprise
right? I was missing an Enterprise... I missed a letter for it: "enter", "Enterprise", oops, right. Yeah, shortscan is a public tool. We don't know what these are; they're probably something Enterprise though, right, like Enterprise-something. This is what gets really hard with these, to figure out what these file names are. I wish there was historic data on these. Let's see what comes up with a quick... I get our URL maybe. Yeah, I didn't think so. Okay, a little quick Google search. Nope. So the three here means there's like three files that all start with Enterprise-something, and that could be like EnterpriseLogin.asp for example, .aspx, whatever, right? EnterpriseLogin, it could be Enterprise-something, but we don't know what these files are. And then there's also this, that's like... let's do this: "LM", what... "give me 20 words that start with this", these are letters exactly. No, no, bro, is the LLM stupid? I am guessing for a word, it has to start with the following. Is the LLM stupid? Oh, it's not English. This is us though. "eray", yeah, I watch... is it about the website? No, it's still up, no one's taking it down, it's still here. What if we do like something on GitHub? "erase namespace", no, it can't be, it's a C though, "erase" with a... it's a C. Okay, let's go to the next one. But I wanted... that was a good example to look at, right, like we can see how this works, I was talking about this earlier. What does that even mean though, whoever just sent that in the chat? All right, let me try it, I mean it doesn't hurt, but it's also supposed to be "us" though, which doesn't make sense. Wait, your letters don't match this: so "erase" and... no, that doesn't match, "ten sha" doesn't match. All right, so let's take a look at another example. Let's see, so we did... which one was this, P-whatever, let's do this one. Ooh, FTP rule, what is that? Oh, that's probably an F-something, but yeah, oh, it goes through here though. Okay, let's try on this, let's see what this gives us. I'm assuming this is not supposed to be anything. This, I got my host. Okay, that's gonna... isn't
going to work on this one. Let's do this. Yes, this tool, for the people that were asking, it is a public tool, we can download it. irsdl is the original author of the vulnerability and has a cool white paper on it, you can check it out. So you can see it found this: it guesses like hey, this is supposed to be aspnet_client, and it's this system, it knows by default this is what System.Web is, and it's just recursively looking at it too. Let's do a couple more of these. Let's do this production compliant one. shortscan, let's see if it's vulnerable. Usually when it takes a while it means it's not. "erasing", let me try it. What was that website that we were doing, what was it chat, what site was that one? Let me open it up again. Is this it? Yeah. "erase send", is that... yeah, that didn't work. Maybe .aspx or .asp? No. Yeah, it's going to be hard to guess those. It's fun when it's like an API or it's like a zip file and things like that; it makes it so much more complicated too. Let's scan a couple more of these before we hop off, chat. Let's see, let me go to page one, and we started there. Okay, so we're starting here. There we go. This can't be vulnerable, right? shortscan, how does it think this is... oh wait, the header is IIS, let's try it again. Okay, so in theory this should be IIS, right? It is IIS 10. I don't think we want to go over it, but let's try it. Usually I haven't seen a lot of IIS 10 be vulnerable. There's a couple more. What are we looking at, chat? This API maybe, shortscan, come on. I think the IIS 10s are going to be tough. The test vault was interesting. What is the IIS on this? Damn, Dell is really on top of how updated their stuff is, huh. Let's shortscan, let me try this. I don't think IIS 10 is going to be... let's see though. I'm gonna kind of give you guys one last warning to keep the chat in English or I would have to remove you, so just going to give you a fair warning now. Okay, let's do a couple more. Maybe we can do like, let me see, let's see what IIS 8 comes up with. I don't think there's a way to download
them. You can use their API; I'm sure you can get some stuff out of the API though, I don't think you just flat out download it. Okay, let's try this one. This one looks a little bit older, so the chance of being vulnerable is a little bit higher, but we'll see. Yeah, there we go. Let's see what comes up with this. Let me just try something really quick. "English or Spanish", I know exactly where you're going with that, we're not playing that game, I'm going to put you on timeout just for one minute. So let's see what comes up. See, this now, this one is interesting, right, because if we go to this... oh my God, where am I going? Okay, this is interesting on multiple different levels. First of all, we go to this, why is it going to Ford? This is the Ford website on Dell? If you hit it, it goes to multiple domains. But look at this, it's finding all these different possibilities of files, which also makes me think maybe this is wrong, because let's see what it does when you do 404. Okay, so 404... these are all valid files potentially. This is a nightmare to figure out, chat. Is there an L for... there is, that's why? No, I think it's got to be false positives, right? I think this has to be a false positive, this is way, way, way too much stuff coming back. I'm going to stop this. It feels kind of weird, but this... oh, because I mean there's two different things with this too, because one, it goes to an SSO, and two, it is also a Ford asset. But let me try another one. These are all Ford websites too, which is weird. Okay, so we have a... wait, wait, we can test this out because it says "o", come on, "ologin.asp". Was there anything with "o" in here? No. But I also wonder if that last one would have had the same thing, so it was this, this "o", let me just copy this, there we go, whoops, "ologin.aspx"? No. Let's try this one. I don't think it would be a good idea to do anything with these, because they look like they're very similar to each other too. I'm not looking for any vulnerabilities, I'm just finding IIS websites that could be vulnerable to the tilde
trick, like guessing the first four digits, or the first four letters, of the file name and just seeing what we find. Okay, nothing on this one. And we're doing all this using the Trickest data that I have already. Let's see what else we can try, a couple more. I really enjoy using shortscan, honestly. I found some really, really cool stuff with shortscan, I can't lie. The couple of times I've gotten lucky though... like, you have to get lucky, and I say lucky, like, it is luck to be honest, you have to get lucky to find out what those words are. So like this one is like "global" what, you know, global.asp, is it globalconnect.asp for example? Like, it could be a number of different file names, right? So you got to brute force for this "global" file, or this one, is it "formal", what, "formal"? Like, so it gets really hard to figure out what this is. You can do a fuzz with your wordlist and see what this "global" comes up with. Let's see if anything comes up with this. No. Not a specific one, no, but I mean you can just... I'm looking at IIS 8. You can do IIS 6, 7, you find some of those, it's wild to look at, you know, IIS 6 or 7 on the internet, but right now we're looking at 8 because I know... I don't think there's an IIS 9, is there? Let's try it. The 10 is the one that I've never seen really be vulnerable. We can just look for IIS in the header name and find them, and there's a lot of them that are IIS. So this is like an example of it: if I do this one, I'm willing to bet it's not vulnerable, this is IIS 10, I'm pretty sure it's not going to be vulnerable, but it looks interesting. What is MVM? What's in the source of this? Nothing in here either. MVM, is there a site? We look at this MVM, "magic", "mavic", nothing. IIS 8.5 is tough. We can look at IIS 8... oh, we just looked at IIS 8, yeah, it is tough, but you can do stuff like this with it, right? All right, let's do one more thing, then I got to hop off. What else are we looking for, chat? Do they have anything like
GitHub, maybe? Let's see, do we have anything with "git" in it, like GitHub, GitLab? With that MVM one you would have to brute force for it, to be honest, right? It's mvm.com, it's just going to become hard to look for things on it without any content. Maybe devices? "device", no, "management". What do you mean it's not working for you? Ooh, this is Confluence. And then what is this one, "dell CRM", and it looks like a very weird website. Let's see. All right, we'll do this one as the last one for the stream, chat. One more thing: I know there's a lot of you guys watching here, if you're new to the channel welcome, please make sure you do drop me a follow or you subscribe to the channel to help me grow the channel, please. Okay, so this is also a Windows machine, it looks like. Let's do a shortscan, I don't think it's going to get us anything but we're going to do it anyway. If this works we're going to take down the stream. Nope. I can't read any of this. Well, let's see, "move to the forgot password function, lock with CR blah blah blah", interesting. I still don't understand. Can I read any of... oh, it's all an image, so I can't even translate it, dude, what? This site looks really old, like designed in the '90s. Oh, because it's a dead... you got to hop in mod VC when you're on our Discord. Open up Discord, hold up. What are you guys up to? Also, yeah, if you're not on Discord you guys should definitely be on Discord. Oh I see, I see what you're saying. Active, maybe next time, maybe tomorrow we'll all... Havey will come on live and help me out. Okay, chat, what do you think of today's stream so far? Where's everybody? Let me see, there we go. What do you guys think of the stream, do we bring him back? Can I go back to my other camera? Maybe no, it doesn't work. There we go, I'm back with the nice camera. What do we think chat, cool stream? What's up Sour Monkey, how you doing man? Is this going to help you guys find bugs? "It's fun to watch", "back on my side, always very helpful", okay. One last thing chat, I think
I'm going to wrap this up. I need you to do me a favor though: if you haven't watched any recent videos, go on to the channel. If you have watched this video then thank you; if you haven't, go drop it a like. If you're watching the stream please hit that like, it would help us a lot. If you haven't already done this, also do me a favor, just go onto this video, it's my last video, it's called "Hacking Lodge Cor", there we go. Do me a favor, go hit the like on this video, drop it a comment, let me know you're watching this, and let me know if you can hear me still. Mic went off? I can hear myself. What, chat, mic? Yeah, okay, cool. Yeah, so give us a like, drop me a comment, I would really appreciate it. I'm going to be back again tomorrow, same setup as today, I'm going to be live with Justin aka Rhynorater, he's going to be our guest and we're going to do some streaming. He's going to show me what recon data he looks at as a bug bounty hunter and someone that doesn't do a lot of recon; he does recon, but you know, he's not a wide recon guy. Someone's asking for a recon course: not a recon course. Here is the website for the bug bounty course if you guys want to purchase it, you can use the code, update 50 off, if you want to buy it, here is the code for it again. Remember, if you guys want to access that data also, it is 100% free, so that data that I showed you guys, it's all free, you can all use it, you can do whatever you want with it as long as you are a bug bounty hunter. Okay, so if you are looking for the VOD for this it will be available next week at some point, okay, so if you want to watch this later come back and watch it then. All right, that's it chat, thank you again for being here, I really appreciate it, this was fun. It's been a very long time since we've done one of these, so maybe we'll make this a weekly thing, I'm not sure, I don't know if it'll always be recon, but we'll do something fun and maybe we bring back the streams for a bit
at least for summertime. I can bring him back. All right, that's it. Peace. What's up brother.
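The triage the stream did by hand against the exported recon data (a Location header pointing at an SSO front door as the sign of a login-gated app, a Server header naming an IIS version as a shortscan candidate, Set-Cookie on the first unauthenticated hit, and the same URL answering differently with and without a session cookie), written out as a small script. This is an added example, not code from the stream, from Trickest or from any tool shown; the records, hostnames, SSO hostname hints and the `Record`, `tags_for`, `triage` and `auth_changes_behaviour` names are all constructed for the example. Run over an organisation's own external HTTP inventory, the same pass lists which internal apps are reachable from the internet only behind SSO and which hosts still advertise legacy IIS versions, which is the defender's version of the same filter.

```python
"""Triage of HTTP recon records: the header filters from the stream, scripted.

Added example with constructed records; not Trickest output and not the
stream's own code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Substrings that mark a single sign-on front door in a redirect target.
# Constructed list for the example; the stream's cases were a vendor IdP and
# OneLogin. Tune this to the identity providers your own inventory uses.
SSO_HOST_HINTS = ("onelogin.com", "pingidentity", "identity.", "sso.", "login.")

# Matches "Microsoft-IIS/8.5" style Server headers and captures the version.
IIS_SERVER_RE = re.compile(r"Microsoft-IIS/(\d+(?:\.\d+)?)", re.IGNORECASE)

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass
class Record:
    """One unauthenticated probe of a URL: status plus response headers."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive; exported data is not consistent.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def redirects_to_sso(rec: Record) -> bool:
    """True when the response is a redirect whose Location host looks like an IdP.

    Relative redirects (Location: /register) have no host and never match."""
    if rec.status not in REDIRECT_STATUSES:
        return False
    location = rec.header("Location")
    if not location:
        return False
    host = urlparse(location).netloc.lower()
    return any(hint in host for hint in SSO_HOST_HINTS)


def iis_version(rec: Record) -> Optional[float]:
    """IIS version advertised in the Server header, or None if not IIS."""
    match = IIS_SERVER_RE.search(rec.header("Server") or "")
    return float(match.group(1)) if match else None


def tags_for(rec: Record) -> List[str]:
    """Labels the stream assigned by eye: login-gated, IIS, legacy IIS, sets cookie."""
    tags: List[str] = []
    if redirects_to_sso(rec):
        tags.append("sso-gated")
    version = iis_version(rec)
    if version is not None:
        tags.append("iis")
        if version < 10:          # the stream treated IIS 10 as rarely worth a shortscan
            tags.append("legacy-iis")
    if rec.header("Set-Cookie") is not None:
        tags.append("sets-cookie")
    return tags


def triage(records: List[Record]) -> Dict[str, List[str]]:
    """Map each URL to its tags; untagged URLs get an empty list."""
    return {rec.url: tags_for(rec) for rec in records}


def auth_changes_behaviour(unauth: Record, auth: Record) -> bool:
    """True when the same URL answers differently with and without a session.

    This is the stream's signal that a route exists behind the login even
    when the authenticated page itself looks empty."""
    def shape(rec: Record):
        return (rec.status, rec.header("Location") or "")
    return shape(unauth) != shape(auth)


def sample_records() -> List[Record]:
    """Constructed records standing in for an exported recon data set."""
    return [
        Record("https://partner.example.com/", 302,
               {"Location": "https://sso.example.com/login?return=/"}),
        Record("https://old.example.com/", 200, {"Server": "Microsoft-IIS/8.5"}),
        Record("https://new.example.com/", 200, {"Server": "Microsoft-IIS/10.0"}),
        Record("https://portal.example.com/", 302,
               {"Location": "/account/register", "Set-Cookie": "sid=abc; Path=/"}),
        Record("https://static.example.com/", 200, {"Server": "nginx"}),
    ]


if __name__ == "__main__":
    for url, tags in triage(sample_records()).items():
        print(f"{url:35s} {', '.join(tags) or '-'}")
```

Two design points: the SSO check only fires on an absolute Location whose host matches a hint, so a site bouncing to its own /register page (as the Dell portal did) is tagged by its Set-Cookie rather than as SSO-gated, and the legacy-IIS cut-off at version 10 encodes nothing more than the stream's own observation about which servers were worth a shortscan.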