What is the one thing that separates newbie bug hunters from the professionals - let me tell you
It’s persistence. The tools and ideas that, for example, @Jhaddix shows in his talks are far beyond the level I thought anyone would use for Bug Bounty.
There was one Technique that blew my mind 🤯
It is scraping cloud provider IP ranges (proactively and on a recurring basis)
Imagine you are hacking on a program and you want to check which assets they have.
I assume at least 99% of what’s running on the web now is hosted by Cloud Providers (AWS, Azure, GCP, Digital Ocean etc)
The big brain idea was - let’s just test all their IP ranges, these are limited after all (IPv4 space).
Another important factor is https - it requires a certificate, and a certificate has a name attached to it - the domain it was issued for.
Ok now what?
Hackers check if an application is running on port 443 of the IP address they scan - this is the port used for https
They then compare the name on the certificate with their current target and if there is a match - BOOM!
They might have found a development server that was open to the internet but was not associated with a URL - so the developers assumed no one would find it.
Walkthrough 🚶🚶♀️🚶♂️ - What does all of this mean and why should I care?!
In the last post I shared the screenshot above with you ⬆️ and wanted to know what you would do if you saw it after an alert was triggered by a new account logging into one of the machines on your company network
First up, what do you need to do as a SOC Analyst when you see a new alert?! 🚨🤨🔍
Brute Force attacks are very common lateral movement / initial access vectors because humans are inherently bad at remembering long, complex passwords.
💡 What is the difference between brute-force, password spraying and credential stuffing?
Brute-Force - attackers try common username / password combos (e.g. root for Linux & administrator for Windows)
Password Spraying - one or a few passwords tried against many accounts (internal/external)
Credential Stuffing - known credentials reused against systems they have not yet compromised
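As a SOC-side companion to those three definitions, here is an added example (not from the original post) that groups login events by source IP and labels the pattern as brute-force, password spraying or credential stuffing. The log line format, IP addresses, account names and thresholds are constructed assumptions, not a real log source or a vendor rule.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data): one line per login attempt, in an
# assumed "src=<ip> user=<account> result=OK|FAIL" shape.
def build_sample_log():
    rows = []
    # 203.0.113.5 hammers one account with 12 wrong passwords        -> brute-force
    rows += [("203.0.113.5", "administrator", "FAIL")] * 12
    # 198.51.100.7 tries each of 8 accounts once, nothing works        -> password spraying
    rows += [("198.51.100.7", f"user{i}", "FAIL") for i in range(8)]
    # 192.0.2.9 tries each of 10 accounts once and 4 of them succeed   -> credential stuffing
    rows += [("192.0.2.9", f"user{i}", "OK" if i % 3 == 0 else "FAIL") for i in range(10)]
    # 10.0.0.4 is a normal user: one typo, then success                 -> benign
    rows += [("10.0.0.4", "alice", "FAIL"), ("10.0.0.4", "alice", "OK")]
    return [f"2024-05-01T10:00:{n:02d} sshd: src={s} user={u} result={r}"
            for n, (s, u, r) in enumerate(rows)]

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def parse_events(lines):
    """Extract (src_ip, account, result) tuples; lines that do not match are skipped."""
    return [(m["src"], m["user"], m["result"])
            for m in (LINE_RE.search(line) for line in lines) if m]

def classify_sources(events, min_attempts=5, stuffing_hit_rate=0.2):
    """Return {src_ip: label}. Thresholds are assumptions to tune per environment."""
    per_src = defaultdict(list)
    for src, user, result in events:
        per_src[src].append((user, result))
    labels = {}
    for src, attempts in per_src.items():
        total = len(attempts)
        if total < min_attempts:
            labels[src] = "benign"            # too little activity to call anything
            continue
        users = {u for u, _ in attempts}
        hit_rate = sum(1 for _, r in attempts if r == "OK") / total
        tries_per_user = total / len(users)
        if len(users) <= 2:
            labels[src] = "brute-force"       # many guesses against one or two accounts
        elif tries_per_user <= 1.5 and hit_rate >= stuffing_hit_rate:
            labels[src] = "credential-stuffing"  # one try per account, unusually many hits
        elif tries_per_user <= 2:
            labels[src] = "password-spraying"  # one or two tries spread across many accounts
        else:
            labels[src] = "suspicious"        # high volume that fits none of the shapes
    return labels

if __name__ == "__main__":
    for ip, label in classify_sources(parse_events(build_sample_log())).items():
        print(f"{ip:15} {label}")
```

The spraying-versus-stuffing split relies on the hit rate because the password itself is not visible in the log; in a real SOC you would corroborate with user-agent, geo and timing data before escalating.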