
Recon Methodology in Bug Bounty and Red Teaming

Jun 27, 2024

Lecture on Recon Methodology in Bug Bounty and Red Teaming

Introduction

  • Speaker Location & Setup: Presenting from a hotel in Colorado; apologies in advance for any Wi-Fi issues.
  • Reason for Travel: Speaker's son's birthday.
  • Lecture Focus: Recon methodology in both bug bounty and red team activities.
  • Speaker Background: Transitioned from exclusive bug bounty hunting to a hybrid role including red teaming.

Major Themes

  • Recon Methodology: Continuously updated and refined so that it emulates how real adversaries find targets.
  • Audience: Bug Bounty hunters, red teamers, penetration testers.
  • Presentation Outline: Topics covering asset discovery, ASN tracking, scoping, cloud reconnaissance, new tools and methodologies.

Recon Methodology Overview

  • Full Day One Course Outline: Introduction to recon, scoping, ASN tracking, Shodan, acquisitions, cloud, reverse WHOIS, link analysis, and new red team-specific updates.
  • Focus Areas: Critical aspects of reconnaissance and new tools.

Autonomous System Numbers (ASN)

  • Objective: Identify all assets of a company, including IP spaces and domains.
  • Tools and Techniques:
    1. Hurricane Electric's BGP Toolkit (bgp.he.net): Look up the organization's ASNs and the IP prefixes announced under each.
    2. Manual Verification: Check ASN and prefix ownership by hand. Automated matching on the company name pulls in unrelated organizations with similar names, and hosting-provider space where the company is only a customer, so the output is not trustworthy without review.
    3. ASNmap and Naabu: ASNmap resolves an organization or ASN to its IP ranges; Naabu port-scans those ranges.
    4. Full Workflow: Command examples for manually chaining the IP-range lookup into a port scan.
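The ASN-to-port-scan workflow above, as an added shell example (not the lecture's own commands). It runs on a constructed prefix list in the shape you would copy out of bgp.he.net or get from ASNmap, filters it to the target organization, sets aside rows that need a human look, and only invokes naabu if it is installed. All prefixes, ASNs and organization names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the lecture. Walks the ASN workflow on a constructed
# prefix list: filter to the target org, size each prefix, hand off to naabu.
# Each constructed row is: prefix|ASN|description
SAMPLE_PREFIXES='203.0.113.0/24|AS64496|EXAMPLE-CORP Example Corp
198.51.100.0/25|AS64496|EXAMPLE-CORP Example Corp
192.0.2.0/24|AS64497|EXAMPLEBEES Examplebees Restaurants
198.51.100.128/25|AS64498|HOSTING-CO Hosting Co, customer: Example Corp'

# filter_prefixes ORG: keep rows whose description names ORG as the owner.
# Rows that only mention the org in a customer/reseller note are skipped so a
# human verifies them instead of an automated scan hitting third-party space.
filter_prefixes() {
    org=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$SAMPLE_PREFIXES" | awk -F'|' -v org="$org" '
        { desc = tolower($3) }
        desc ~ /customer|reseller/ { next }
        index(desc, org) { print $1 "|" $2 }'
}

# needs_review ORG: the rows filter_prefixes set aside, for manual verification.
needs_review() {
    org=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$SAMPLE_PREFIXES" | awk -F'|' -v org="$org" '
        { desc = tolower($3) }
        desc ~ /customer|reseller/ && index(desc, org) { print $0 }'
}

# cidr_hosts PREFIX: number of addresses in an IPv4 prefix, to size the scan.
cidr_hosts() {
    len="${1##*/}"
    echo $(( 1 << (32 - len) ))
}

# scan_prefixes ORG: port-scan the verified ranges with naabu when it is
# installed; otherwise list what would be scanned.
scan_prefixes() {
    if command -v naabu >/dev/null 2>&1; then
        filter_prefixes "$1" | cut -d'|' -f1 | naabu -silent -p 22,80,443,8080,8443
    else
        echo "naabu not found; ranges that would be scanned:" >&2
        filter_prefixes "$1" | cut -d'|' -f1
    fi
}

# Usage:
#   filter_prefixes 'Example Corp'   # 203.0.113.0/24|AS64496 and 198.51.100.0/25|AS64496
#   needs_review 'Example Corp'      # the hosting-provider row, check by hand
#   scan_prefixes 'Example Corp'
```

The "Examplebees" row shows why the name match is on the full organization string rather than a substring of it, and the hosting-provider row is the case the lecture warns about: the company appears in the record but does not own the range.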

Cloud Reconnaissance

  • Purpose: Identify company assets hosted in the cloud, particularly for companies without their own IP space.
  • Key Tools and Techniques:
    1. SSL Certificate Analysis: CloudRecon pulls the cloud providers' published IP ranges, collects the TLS certificate from each host, and parses the certificate data (subject CN and SANs).
    2. Command Line Workflow: Bash one-liners parse that certificate output into domains and subdomains belonging to the target.
    3. hakip2host: Takes a list of IPs and maps each back to hostnames using the TLS certificate it serves and a reverse DNS (PTR) lookup, for deeper asset discovery.
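The certificate-parsing step from items 1 and 2 above, as an added shell example (not CloudRecon's code or the lecture's scripts). It assumes the text that `openssl x509 -noout -subject -ext subjectAltName` prints (the `-ext` flag needs OpenSSL 1.1.1 or newer), extracts the CN and every DNS SAN, and keeps the names under a target root domain. The certificate text and all hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the lecture or CloudRecon. Extracts hostnames from a
# certificate's CN and subjectAltName and keeps those under a target root domain.
# Constructed sample in the shape openssl x509 prints it:
SAMPLE_CERT_TEXT='subject=C = US, O = Example Corp, CN = www.example.com
X509v3 Subject Alternative Name:
    DNS:www.example.com, DNS:example.com, DNS:*.api.example.com, DNS:staging-portal.example.com, DNS:cdn.examplecorp-assets.net'

# extract_dns_names: stdin = openssl text; stdout = one lowercase name per line,
# CN plus every DNS SAN, wildcard prefix removed, deduplicated.
extract_dns_names() {
    input=$(cat)
    {
        printf '%s\n' "$input" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p'
        printf '%s\n' "$input" | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
    } | sed 's/^\*\.//; s/[[:space:]]//g' | tr 'A-Z' 'a-z' | sort -u
}

# in_scope_names ROOT: keep names equal to ROOT or ending in ".ROOT".
# Dots in ROOT are escaped so "example.com" cannot match "examplexcom".
in_scope_names() {
    root=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "(^|\.)${root}\$"
}

# cert_names_for_ip IP ROOT: live version for walking a cloud IP range.
# Connects without SNI, which surfaces whatever default certificate the
# host serves; only runs when openssl is installed.
cert_names_for_ip() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    printf '' | openssl s_client -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null \
        | extract_dns_names | in_scope_names "$2"
}

# Offline usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_CERT_TEXT" | extract_dns_names | in_scope_names example.com
#   -> api.example.com, example.com, staging-portal.example.com, www.example.com
```

The out-of-scope SAN (`cdn.examplecorp-assets.net`) is the kind of name worth noting separately: it does not belong to the root domain, but a certificate that lists it alongside the target's names is itself evidence of a related asset, which is what the reverse-WHOIS and link-analysis steps in the outline follow up on.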

Advanced Recon Using Shodan

  • Purpose: Passive information gathering. Shodan has already scanned the host, so querying its index sends nothing to the target.
  • Key Tools and Techniques:
    1. Shodan Queries and Dorks: Use Shodan's search filters (hostname, organization, certificate fields and the like) to narrow results to the target.
    2. Karma_v2: Wraps the Shodan API to automate recon and outputs potentially vulnerable targets.
    3. ShoSubGo: Subdomain enumeration from Shodan data.
    4. Inspiration for Dorks: Staying updated via online resources and Twitter.

Additional Points

  • Tool Discussion: Compared standalone tools with integrated frameworks; a tool built for one job usually does that job better than the equivalent module in an all-in-one suite.
  • Combination of Manual and Automated Methods: Importance of manual checking along with automated Recon steps.

Extensions and Automation

  • Browser Extensions:
    1. Bulk URL Opener: Opens a list of discovered subdomains in tabs for quick visual triage.
    2. BuiltWith and Wappalyzer: Fingerprint front-end technologies.
  • Burp Suite Extensions:
    1. GAP by xnl-h4ck3r: Extracts endpoints, parameters and links from JavaScript.
    2. JS Beautifier: For prettifying and analyzing complex JS.

Q&A

Points raised during the Q&A session:

  • Slide Availability: Slides will be provided after the lecture.
  • Prioritizing Manual vs Automated Tests: Describing when to switch from automated scripts to manual penetration testing.
  • General Advice: Utilize specialized tools for specific tasks, stay updated with new tools and techniques.