Day 3️⃣ 3️⃣
What is the one thing that separates newbie bug hunters from the professionals - let me tell you
It’s persistence. The tools and ideas that, for example, @Jhaddix shows in his talks are far beyond the level I thought someone would use for Bug Bounty.
There was one Technique that blew my mind 🤯
It is scraping cloud provider IP ranges (proactively and recurring)
Imagine you are hacking on a program and you want to check which assets they have.
I assume at least 99% of what’s running on the web now is hosted by Cloud Providers (AWS, Azure, GCP, Digital Ocean etc)
The big brain idea was - let's just test all their IP ranges, these are limited after all (IPv4 space).
Another important factor is https - it requires a certificate and that has a name attached to it - the domain it is for.
Ok now what?
Hackers check if an application is running on port 443 of the IP address they scan - this is the port used for https.
They then compare the name of the certificate with their current target and if there is a match - BOOM!
They might have found a development server that was open to the internet but was not associated with a url - so technically the developers assumed no one would find it.
But elite bug bounty hunters do.
And they automate the detection!
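The comparison step from the thread (does the name on a certificate belong to the target's domains?), written as an added example that is not from the thread or from the tools it links, and framed as a defender's attack-surface check: run it over the certificates seen on your own cloud ranges to catch unlinked dev hosts. The certificate below is a constructed sample in the shape Python's ssl.SSLSocket.getpeercert() returns; no network access is involved.

```python
# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output for a
# dev host that nobody linked to a public URL.
SAMPLE_CERT = {
    "subject": ((("commonName", "dev-api.example.com"),),),
    "subjectAltName": (
        ("DNS", "dev-api.example.com"),
        ("DNS", "*.staging.example.com"),
        ("DNS", "cdn.other-tenant.net"),   # shared cert: a different org's name
    ),
}


def cert_dns_names(cert):
    """Return the DNS names a certificate is valid for: the SAN entries if
    present, otherwise the CN (clients ignore the CN once SANs exist)."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_belongs_to(name, apex):
    """True if name is apex itself or a subdomain of it, matched on label
    boundaries so 'notexample.com' does not match 'example.com'. A leading
    '*.' is dropped so wildcard entries attribute to their parent zone."""
    name, apex = name.lower(), apex.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == apex or name.endswith("." + apex)


def matching_names(cert, monitored_domains):
    """Return the certificate names that fall under any monitored domain:
    the evidence that this IP is hosting one of the organisation's assets."""
    return sorted({n for n in cert_dns_names(cert)
                   for apex in monitored_domains if name_belongs_to(n, apex)})


if __name__ == "__main__":
    hits = matching_names(SAMPLE_CERT, ["example.com"])
    print("certificate names tied to monitored domains:", hits)
```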
@erbbysam and @daehee shared talks about the details and Sam even wrote a service for it - tls.bufferover.run/dns?q=.defcon.…
- Talk: github.com/erbbysam/Hunti…
Another tool that is used is: sslscrape → github.com/cheetz/sslScra…
🤯🤯🤯
I hope you learned something today - feel free to follow me for more insights during #30DaysOfBugBounty
#bugbounty #hacking #bugbountytips