Posts

Showing posts from 2023

Unleashing Bug Bounty Success: Subdomain Enumeration, Content Discovery, and Vulnerability Scanning Approach

Subdomain Enumeration. Subdomain enumeration is the first step of almost every bug bounty engagement: each forgotten or unlisted host widens the attack surface you are allowed to test. In this article we look at tools and methods for enumerating subdomains. Knockpy is a subdomain enumeration tool that reports the HTTP response code and server header for every host it finds. Run it from the repository checkout with Python 3: python3 knockpy example.com Response codes such as 404 or 403 may look discouraging at first, but those hosts deserve a closer look: a server that refuses or cannot find the root path is still running something, and other paths or virtual hosts on it may be exposed. For broader coverage we also recommend "assetfinder", which can be executed using the following co

Enhance Your Bug Bounty Journey with the Tools and Binaries of Bughunt3r Virtual Machine

Bug bounty hunting requires a comprehensive toolkit to uncover vulnerabilities and secure web applications. In this blog post, we will explore the top 20 tools and binaries that can supercharge your bug bounty efforts. These tools cover a wide range of functionality, from web vulnerability scanning to subdomain enumeration and source code analysis. We will focus on how they can be used to optimize your bug bounty workflow, with specific examples targeting the domain *.example.com. Let's dive in! Bughunt3r is a virtual machine (.ova) image with almost all common bug bounty tools preinstalled, including Burp Suite Professional with a license :) OS: Kali Linux, version 2022.1. Download link: https://drive.google.com/file/d/1Tkj3jKOvL7M08zG5JGVoqhZh50VMyM3X/view File size: 6 GB. Installed top 20 tools and binaries: [1] burpsuite professional [2] zaproxy [3] crlfuzz [4] ffuf [5] kite [6] dalfox [7] nuclei [8] rustscan [9] sqlmap [10] nmap [11] waybackurls [12] subfinder [13] xsstrike [14] nosqlmap [15] gitdu

How to use BloodHound and BeRooT for privilege escalation in Red Teaming Assessment.

BloodHound. BloodHound is a tool designed for offensive security and is widely used in Red Teaming exercises. It maps the relationships in an Active Directory (AD) environment (group membership, local admin rights, logged-on sessions, ACLs) as a graph and finds the shortest paths from a foothold to privileged targets such as Domain Admins. In this practical write-up we go through the basics of using BloodHound and demonstrate some of its features. First, install BloodHound. The BloodHound GUI is an Electron application and runs on Windows, Linux and macOS; the latest release can be downloaded from the official GitHub repository. After extracting the files, install the Neo4j database, then start the BloodHound client and connect it to Neo4j. Once BloodHound is installed, the first step is to gather data from the Active Directory environment. To do this, run the SharpHound collector (the "ingestor") on a machine that is joined to the domain. SharpHound ships as a .NET executable and as a PowerShell script that collects data from the AD envir
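What BloodHound does with the collected data is a graph search: nodes are users, groups and computers, edges are relationships such as MemberOf, AdminTo and HasSession, and "Shortest Paths to Domain Admins" is a breadth-first search over that graph. The following Python script is an added example, not BloodHound's own code; the edges below are a constructed toy domain (corp.local), and the edge semantics follow BloodHound's documented edge types (HasSession points from the computer to the user whose credentials sit in memory on it).

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, str]  # (source node, relationship, target node)

# Constructed example graph (not real data). Edge meanings follow BloodHound:
#   MemberOf   : principal is a member of a group
#   AdminTo    : principal has local administrator rights on a computer
#   HasSession : a user is logged on to the computer (credential material on the box)
EDGES: List[Edge] = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    ("carol@corp.local", "MemberOf", "SALES@corp.local"),
    ("SALES@corp.local", "AdminTo", "WS02.corp.local"),
]
USERS = {"alice@corp.local", "bob@corp.local", "carol@corp.local"}
DOMAIN_ADMINS = "DOMAIN ADMINS@corp.local"


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def shortest_path(edges: List[Edge], start: str, target: str) -> Optional[List[Edge]]:
    """Breadth-first search over directed edges. Returns the hops from start
    to target, or None when no path exists."""
    graph = build_graph(edges)
    parent: Dict[str, Edge] = {}
    queue = deque([start])
    seen = {start}
    while queue:
        node = queue.popleft()
        if node == target:
            path: List[Edge] = []
            while node != start:
                hop = parent[node]
                path.append(hop)
                node = hop[0]
            return path[::-1]
        for rel, nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                parent[nxt] = (node, rel, nxt)
                queue.append(nxt)
    return None


def principals_reaching(edges: List[Edge], users: set, target: str) -> List[str]:
    """Every user with some path to target: the set BloodHound draws in
    'Shortest Paths to Domain Admins'."""
    return sorted(u for u in users if shortest_path(edges, u, target) is not None)


def format_path(path: List[Edge]) -> str:
    parts = [path[0][0]]
    for _, rel, dst in path:
        parts.append(f"-[{rel}]-> {dst}")
    return " ".join(parts)


if __name__ == "__main__":
    for user in principals_reaching(EDGES, USERS, DOMAIN_ADMINS):
        print(format_path(shortest_path(EDGES, user, DOMAIN_ADMINS)))
```

Reading the path for alice: her HELPDESK membership gives her admin on WS01, a domain admin has a session on WS01, so dumping credentials there yields Domain Admins. That four-hop chain is exactly what the GUI highlights; the remediation question it raises (why does a helpdesk group have admin on a box where a DA logs in?) is the point of running the tool defensively as well.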

Automate Your Recon Process and Uncover More Vulnerabilities

As a hacker, your reconnaissance process is critical for finding vulnerabilities in your target's infrastructure. However, the traditional recon process is time-consuming and repetitive. In this blog post, we will show you how to automate your recon process and discover more vulnerabilities using tools like Xray, Nuclei, and Cent. The traditional recon process involves finding subdomains, filtering them down to live hosts, and testing those for vulnerabilities. To make the first step more efficient, we recommend combining several sources: Subfinder, Assetfinder, Amass, github-subdomains, and Sublist3r. Here is an example script to get you started (the first argument, $1, is the root domain; anew appends only lines not already in the file):
subfinder -d $1 -silent | anew /root/$1/subs.txt
assetfinder -subs-only $1 | anew /root/$1/subs.txt
amass enum -passive -d $1 | anew /root/$1/subs.txt
python sublist3r.py -d $1 | anew /root/$1/subs.txt
github-subdomains -t <github token> -d $1 | anew /root/$1/subs.txt
Once you have the subdomains, you need to check for open ports and get live hosts using
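The script above relies on anew for deduplication and silently trusts that every line the tools emit is in scope; in practice the sources disagree on case, trailing dots and wildcard entries, and passive sources happily return look-alike domains. The Python script below is an added example (not the original post's script, and not part of any of the tools named above or in the subdomain enumeration post earlier on this page): it merges constructed sample outputs from several enumerators, normalises each hostname, deduplicates while preserving order, and keeps only names that sit under the root domain on a label boundary.

```python
import re
from typing import Iterable, List

# Constructed sample tool outputs (not real enumeration results).
SUBFINDER_OUT = """\
api.example.com
Dev.Example.com
www.example.com.
"""
ASSETFINDER_OUT = """\
api.example.com
*.staging.example.com
notexample.com
example.com.evil.net
"""
CRTSH_OUT = """\
mail.example.com
dev.example.com
"""

# RFC 1123 style hostname: labels of letters, digits and hyphens, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize(name: str) -> str:
    """Lower-case, strip whitespace, a leading wildcard label and trailing dots."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, root: str) -> bool:
    """True for root itself or any name under root on a label boundary.
    'notexample.com' and 'example.com.evil.net' are both rejected."""
    return name == root or name.endswith("." + root)


def merge_subdomains(outputs: Iterable[str], root: str) -> List[str]:
    """Union of all sources, normalised, deduplicated (first occurrence wins)
    and filtered to the programme scope."""
    seen = set()
    result: List[str] = []
    for blob in outputs:
        for line in blob.splitlines():
            host = normalize(line)
            if not host or not HOSTNAME_RE.match(host):
                continue  # garbage line or invalid hostname
            if not in_scope(host, root) or host in seen:
                continue
            seen.add(host)
            result.append(host)
    return result


if __name__ == "__main__":
    for host in merge_subdomains([SUBFINDER_OUT, ASSETFINDER_OUT, CRTSH_OUT], "example.com"):
        print(host)
```

In the pipeline above this replaces the chain of anew calls: pipe each tool's stdout into the script (or read /root/$1/subs.txt afterwards) and feed the filtered list to the port scan and httpx stage. Scope filtering before scanning matters for more than tidiness: probing example.com.evil.net is out of scope and may be someone else's production system.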

Understanding Broken Access Control Vulnerabilities and How to Bypass 403 Endpoints

Broken access control vulnerabilities pose a significant threat to a web application's security. They allow unauthorized users to reach restricted resources, circumventing the application's intended authorization checks. By exploiting them, attackers can gain access to sensitive information or systems, resulting in data breaches or other serious security incidents. One common way to block direct access to sensitive files such as .htaccess or config.php is to have the web server return a 403 Forbidden response for them. The HTTP 403 status code indicates that the server understood the request but refuses to authorize it. However, if the access control is applied by matching the raw request string rather than the resource actually served, attackers can bypass it and reach the restricted resource. In a recent discovery on an IoT service delivery platform, the researcher used directory enumeration with DirBuster wordlists and found a /console endpoint that returned a 403 response. Th
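The usual reason a 403 on a path like /console can be bypassed is a normalisation mismatch: the component enforcing the rule (a proxy rule, a framework middleware, a string comparison) looks at the raw path, while the backend decodes, collapses and case-folds the path before routing. The Python script below is an added example, not the write-up's own code: it simulates a weak exact-match check beside a hardened one that canonicalises first, generates the standard probe variants a tester would try against a 403, and reports which of them slip past each check. The simulated backend router and the variant list are assumptions for illustration; real targets normalise differently, so the list is a starting point rather than an oracle.

```python
import posixpath
import re
from typing import Callable, List
from urllib.parse import unquote

PROTECTED = {"/console"}  # paths the access-control layer is supposed to deny


def normalize(path: str) -> str:
    """Canonical request path: percent-decode once, collapse repeated slashes,
    resolve . and .. segments, lower-case, drop the trailing slash."""
    p = unquote(path)
    p = re.sub(r"/+", "/", p)
    p = posixpath.normpath(p)
    p = p.lower().rstrip("/")
    return p or "/"


def weak_is_allowed(path: str) -> bool:
    """Vulnerable check: exact string match on the raw request path."""
    return path not in PROTECTED


def strong_is_allowed(path: str) -> bool:
    """Hardened check: compare the canonical form the backend will route on."""
    return normalize(path) not in PROTECTED


def backend_route(path: str) -> str:
    """Simulated backend (assumption): most frameworks canonicalise the path
    before matching a route, which is what the weak check fails to anticipate."""
    return "console" if normalize(path) == "/console" else "other"


def candidate_variants(path: str) -> List[str]:
    """Common probe variants for a path that answers 403."""
    base = path.rstrip("/")
    last = base[-1]
    return [
        base + "/",                        # trailing slash
        "/." + base,                       # dot segment: /./console
        base + "/.",                       # trailing dot segment
        "/" + base[1].upper() + base[2:],  # case change: /Console
        "/%2e" + base,                     # percent-encoded dot segment
        base[:-1] + "%%%02x" % ord(last),  # encode the last character
        "/" + base,                        # doubled leading slash
    ]


def find_bypasses(path: str, acl: Callable[[str], bool]) -> List[str]:
    """Variants the ACL lets through that the backend still routes to the
    same handler as the original path."""
    target = backend_route(path)
    return [v for v in candidate_variants(path) if acl(v) and backend_route(v) == target]


if __name__ == "__main__":
    print("weak ACL bypassed by:", find_bypasses("/console", weak_is_allowed))
    print("strong ACL bypassed by:", find_bypasses("/console", strong_is_allowed))
```

Two caveats for practitioners. First, canonicalising before the check closes only the mismatch shown here; the robust fix is to enforce authorization inside the handler itself (deny by default) so that no path spelling reaches /console without a permission check. Second, header-based tricks such as X-Original-URL or X-Rewrite-URL are a different class of bypass (the proxy evaluates one URL and the backend another) and are not covered by this simulation.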

Most Important Linux commands that Nobody Teaches You

Linux is a powerful operating system with a vast array of tools and utilities available to users. These tools make Linux an attractive option for system administrators, developers, and power users who need a flexible and customizable environment. In this article, we will look at some essential Linux tools and utilities that can help you manage your system more efficiently. Rsync. Rsync is a popular command-line utility for file synchronization and backup. It copies files and directories to a destination much like cp, but transfers only the differences and can write to remote hosts over SSH, which makes it well suited to backups. Example usage: $ rsync -vap --ignore-existing <source> <destination> Key flags: -v = verbose, -r = recursive, -p = preserve permissions, -g = preserve group, -o = preserve owner, -a = archive (equivalent to -rlptgoD, so it already implies -r, -p, -g and -o), --progress = progress bar, --ignore-existing = skip files that already exist on the destination. Mkpasswd. Mkpasswd is a simple but useful

Discovering a Critical Subdomain Takeover Vulnerability with a Custom Recon Approach

As a bug bounty hunter, I'm always looking for ways to improve my recon process to find unique vulnerabilities. Recently, I discovered a critical subdomain takeover vulnerability using a custom bash script and a lesser-known tool called SecretFinder. In this blog post, I'll share my experience and the technical details of the vulnerability. My recon process started with subdomain enumeration using popular tools like Amass and Subfinder. I also used crt.sh to find subdomains that were recently added or updated. After I had a list of subdomains, I used HTTPX to check which subdomains were live. Next, I ran Nuclei and FFUF to identify potential vulnerabilities. While these tools are great for finding low-hanging fruit like exposed Git repositories, I didn't find anything critical using them. So, I decided to use SecretFinder, a tool that searches for sensitive files and directories in web applications. While SecretFinder often yields false positives, I ran it on a
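A subdomain takeover exists when a name in scope still has a CNAME pointing at a third-party resource (a storage bucket, a hosted shop, a Pages site) that has been deleted or never claimed; whoever registers that resource now serves content under the victim's hostname. The Python script below is an added example and not the author's script: it checks a constructed set of DNS answers and HTTP bodies for the two signals a hunter looks for, a CNAME target that no longer resolves and a provider error page that indicates an unclaimed resource. The lookup and fetch functions are injected so the script runs offline; the records, bodies and fingerprint strings are constructed assumptions for illustration, not live provider behaviour.

```python
from typing import Callable, Dict, Iterable, Optional

# Constructed DNS answers: host -> CNAME target, or None when the host has no CNAME.
CNAME_RECORDS: Dict[str, Optional[str]] = {
    "shop.example.com": "example-shop.myshopify.com",
    "docs.example.com": "example-docs.github.io",
    "old.example.com": "old-app.example-paas.net",
    "www.example.com": None,
}

# Constructed HTTP bodies: None means the CNAME target did not resolve at all.
HTTP_BODIES: Dict[str, Optional[str]] = {
    "shop.example.com": "<title>Sorry, this shop is currently unavailable.</title>",
    "docs.example.com": "<h1>Product documentation</h1>",
    "old.example.com": None,
}

# (CNAME suffix, body marker) pairs. Illustrative assumptions: providers change
# their error pages, so maintain this list from a current community source.
FINGERPRINTS = [
    (".myshopify.com", "Sorry, this shop is currently unavailable"),
    (".github.io", "There isn't a GitHub Pages site here"),
]


def check_takeover(
    host: str,
    cname_of: Callable[[str], Optional[str]],
    fetch_body: Callable[[str], Optional[str]],
) -> str:
    """Classify one host. 'candidate' and 'dangling' both need manual confirmation."""
    cname = cname_of(host)
    if cname is None:
        return "no-cname"  # A/AAAA records: not a CNAME takeover case
    body = fetch_body(host)
    if body is None:
        return f"dangling: {cname} does not resolve"
    for suffix, marker in FINGERPRINTS:
        if cname.endswith(suffix) and marker in body:
            return f"candidate: {cname} unclaimed on {suffix.lstrip('.')}"
    return "claimed"


def scan(
    hosts: Iterable[str],
    cname_of: Callable[[str], Optional[str]],
    fetch_body: Callable[[str], Optional[str]],
) -> Dict[str, str]:
    return {h: check_takeover(h, cname_of, fetch_body) for h in hosts}


if __name__ == "__main__":
    for host, verdict in scan(CNAME_RECORDS, CNAME_RECORDS.get, HTTP_BODIES.get).items():
        print(f"{host:20} {verdict}")
```

For a live run, replace CNAME_RECORDS.get with a resolver call and HTTP_BODIES.get with an HTTP client; the classification logic stays the same. A fingerprint match is a candidate only: confirm by actually claiming the resource on the provider (where the programme's rules allow it) and serving a harmless marker file, and report the dangling record rather than anything you hosted there.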

Emerging Trends and Technologies: The Future of Cybersecurity

Emerging trends and technologies are continuously shaping the future of cybersecurity. Here are some areas that are worth exploring: Artificial intelligence (AI) and Machine Learning (ML): AI and ML have become increasingly important in cybersecurity as they help in detecting and responding to threats in real-time. AI and ML can analyze massive amounts of data, including network traffic and user behavior, to identify patterns and anomalies that may indicate a cyber attack. Cloud Security: With more organizations migrating to the cloud, securing cloud environments has become a top priority. This includes not only securing data stored in the cloud but also securing the cloud infrastructure itself. Many cloud providers now offer built-in security tools and services to help organizations protect their data and systems. Internet of Things (IoT) Security: As more devices become connected to the internet, the risk of cyber attacks on these devices increases. IoT security involves sec

The Most Common Vulnerabilities Found in Bug Bounty Programs

Bug bounty programs are a popular way for companies to identify and fix security vulnerabilities in their software and systems. These programs reward ethical hackers for finding and reporting vulnerabilities, helping to improve the overall security posture of the organization. However, not all vulnerabilities are created equal. In this article, we will explore the most common vulnerabilities found in bug bounty programs. Cross-Site Scripting (XSS) Cross-Site Scripting, or XSS, is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to theft of sensitive information, hijacking of user sessions, and even full site takeover. XSS vulnerabilities are commonly found in web applications, and are typically caused by insufficient input validation or output encoding. Cross-Site Request Forgery (CSRF) Cross-Site Request Forgery, or CSRF, is a vulnerability that allows attackers to trick users into executing unwanted actions on

Advanced Techniques and Tips for using BurpSuite Community Edition in Bug Hunting.

Burp Suite Community Edition is a popular web application security testing tool that offers a wide range of features and functions. In this guide, we will explore some of the more advanced techniques and tips for using Burp Suite in bug hunting. Burp Macros: Burp macros automate repetitive request sequences, such as logging in, submitting a form, or walking through a multi-step flow, so that the rest of the toolset can keep working against an application that needs a valid session or a fresh token. Macros are defined under Settings (Project options in older versions) > Sessions > Macros; the macro recorder builds one from requests already in the Proxy history, and the item list can then be edited by hand. To create a macro, follow these steps: Step 1: Open the target web application in your browser and navigate to the page that you want to test. Step 2: Go to the Proxy tab in Burp Suite and make sure the traffic is being captured; clicking "Intercept" lets you inspect each request as it passes, but the recorder only needs the requests to appear in the HTTP history. Step 3: Perform the required actions in the web applicat