Robbie began bug bounty hunting only three years ago. It started slowly, but after discovering 8000+ unsecure S3 buckets and leaving notes advising their owners to secure them, he was featured on the BBC and the rest is history.
Even with his automated system consisting of eight Raspberry Pis and two VPSs, Robbie still has to find clever tactics for discovering and reporting bugs first. Today he’ll be giving us a glimpse into his methodology and the tools he uses to catch ‘em all!
#ProTip 1: Fingerprinting tools and techniques
I use the Inception and Wappalyzer tools in my scans to ensure I’m finding the precise technology or files I wish to exploit. Inception is really handy as you can make your own custom fingerprints which will be of use to you later. You can also perform exploits with it, and confirm the exploit has worked by matching it with a response from the server. I use Wappalyzer to ensure I have a vast amount of fingerprints for systems I would not normally attack. This way, when I learn of a new exploit I can check my list to see what systems I’ve found, and then attack them.
Adobe Experience Manager can be truly valuable for hackers and bug bounty hunters. AEM is a good system to have lots of fingerprints for; it suffers from multiple issues — from RCE and SSRF to default credentials to information leaks and bad configurations — an absolute gold mine for our purposes here.
You always need to be prepared for when a good CVE drops, to be the first to get the bounty. I have my own automation system of 8 Raspberry Pis connected to a database server. They will look at all my targets and then connect them to many different APIs, including SecurityTrails, to obtain any potentially new subdomains. Then, I’ll run Inception and Wappalyzer over the newly added domains and subdomains, and that way I’ll have a database of all the software and websites involved, so if a new CVE does drop I should have a fingerprint there.
- CT logs
I use these tools for recon purposes to make sure I’m not missing things. Everyone tends to use certificate transparency logs but I use them in addition to SecurityTrails and BinaryEdge, which do brute forcing on the back end to get the right permutations for subdomains.
#ProTip 2: Learn about CVEs by following bug bounty accounts on Twitter
Anytime you see a CVE online, especially on Twitter, you’ll see it has a link to the author and that comes in handy: you’ll know to keep an eye on that author and the technology they’re talking about. They’re sure to report on more CVEs in the future, and you can be the first to catch them before they become public.
Recently there was a CVE for Pulse Secure VPN. Alyssa Herrera messaged me, saying that she has the Proof of Concept, and I was able to exploit a number of VPNs with it. The exploit wasn’t public at the time, and gave everyone who had it a big advantage on the bug bounty side of things. It led to credentials being leaked in plain text — and was extremely bad for any company that was running it.
#ProTip 3: AWS Metadata API
Whenever you find an SSRF, you want to escalate this as much as possible to show impact. I always try to get to the AWS metadata endpoint as there are two endpoints that will give you the biggest impact.
The first is the IAM role security credentials endpoint, http://169.254.169.254/latest/meta-data/iam/security-credentials/
By hitting this endpoint you’ll get the temporary credential to use with the AWS API. I personally use Pacu or ScoutSuite to check the permissions of the IAM role. A lot of IAM roles are configured badly and allow access to EC2 instances or RDS or S3 buckets. All of these are bad and will leak private data.
Another fun endpoint is http://169.254.169.254/latest/user-data
If the system is a Kubernetes server, you’ll generally have the certificates you need to compromise the cluster and gain full control. I myself have been able to compromise multiple Kubernetes clusters this way, and gained full control.
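On the defending side, the exposure described in this tip depends on the instance answering plain GET requests to the metadata service (IMDSv1). The following is an added example, not part of the original article: it audits output shaped like `aws ec2 describe-instances` for instances that still allow IMDSv1. The sample data and the function name `audit_imds` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output (not real data).
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-00000000000000001",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/example-app"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-00000000000000002",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/example-db"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                       "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-00000000000000003",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-00000000000000004",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/example-batch"},
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 1}}
]}]}
""")

def audit_imds(described):
    """Return (instance_id, severity, reason) for instances whose metadata a plain GET can read."""
    findings = []
    for reservation in described.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue  # metadata service is switched off: nothing to reach
            if opts.get("HttpTokens", "optional") == "required":
                continue  # IMDSv2 only: a session token (obtained via PUT) is needed first
            # IMDSv1 answers plain GET requests, the kind a typical SSRF can issue.
            if "IamInstanceProfile" in inst:
                findings.append((inst["InstanceId"], "high",
                                 "IMDSv1 allowed, IAM role attached"))
            else:
                findings.append((inst["InstanceId"], "medium",
                                 "IMDSv1 allowed, user-data readable"))
    return findings
```

Instances flagged "high" are the ones where the IAM role credentials endpoint would return temporary credentials; setting `HttpTokens` to `required` on them removes the plain-GET path.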
#ProTip 4: Robbie’s starred GitHub projects
- Check for specific endpoint on large number of hosts and report if the endpoint contains a certain string in response.
- Check whether a subdomain can be taken over, and take over that subdomain by providing the flag -takeover
- Take a list of domains and probe for working HTTP and HTTPS servers
#ProTip 5: Minimize false positives using MIME types
Whenever you’re scanning for something, you need to make sure there are minimal false positives. A lot of times, when people do their fingerprinting they merely bruteforce using a big list and get either a site that responds “200” to everything, or an error page that will cause a false positive. So what I do is make sure there’s more than one thing that confirms I’m reaching the exact thing I’m searching for.
To reduce false positives, I ensure I find something unique to fingerprint the system against, and match a number of strings or headers to know for certain it’s what I’m after.
Depending on what you’re actually hitting, make sure that the content of the file is what you’re looking for. For example, the SSH keys are in plain text, so depending on the keyword in the response, pay attention to hitting the right MIME type at all times. A lot of websites will respond to anything, which can cause a false positive; along with an incorrect MIME type you can easily wind up on a page you don’t want.
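The multi-signal check described in this tip, as an added example that is not code from the article or from any of the tools it names. It accepts a fingerprint only when status, MIME type and several body patterns all agree, and rejects hosts that give the same answer for a path that cannot exist. The product "ExampleCMS", the fingerprint and the responses are all constructed.

```python
import re

# Hypothetical fingerprint for a constructed product, "ExampleCMS".
FINGERPRINT = {
    "status": 200,
    "mime": {"application/json"},
    "body": [r'"product"\s*:\s*"ExampleCMS"', r'"version"\s*:\s*"\d+\.\d+'],
}

# Constructed responses: a real hit, a soft-404 error page, and a random-path baseline.
REAL = {"status": 200, "headers": {"Content-Type": "application/json; charset=utf-8"},
        "body": '{"product": "ExampleCMS", "version": "4.2.1"}'}
SOFT_404 = {"status": 200, "headers": {"content-type": "text/html"},
            "body": "<html><title>ExampleCMS</title>Page not found</html>"}
NOT_FOUND = {"status": 404, "headers": {"Content-Type": "text/html"}, "body": "Not Found"}

def media_type(headers):
    """Lower-cased media type with parameters such as charset removed."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""

def failed_checks(fp, resp):
    """Names of the fingerprint conditions this response does not meet."""
    failed = []
    if resp["status"] != fp["status"]:
        failed.append("status")
    if media_type(resp["headers"]) not in fp["mime"]:
        failed.append("mime")
    if not all(re.search(p, resp["body"]) for p in fp["body"]):
        failed.append("body")
    return failed

def verify(fp, resp, baseline):
    """Empty list means confirmed. `baseline` is the host's reply to a random,
    non-existent path; if it also satisfies the fingerprint, the host answers
    the same way to anything and the hit is rejected as a catch-all."""
    failed = failed_checks(fp, resp)
    if not failed and not failed_checks(fp, baseline):
        failed.append("catch-all")
    return failed
```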
We hope you’ve enjoyed learning about these creative ways of fingerprinting for bug bounty hunting, and that Robbie has inspired you to find your own clever solutions for catching bugs first. Find Robbie on Twitter to stay current with all his newest research!