😱 I watched @GodfatherOrwa 's insightful talk "The Power of Shodan - Leveraging Shodan for Critical Vulnerabilities" at @NahamSec 's #NahamCon2023 and have condensed the ~25 minute talk for you to read in 2 minutes.
Here are some interesting bug bounty tips and tricks ⬇️
1. To find all information related to *.target.*, you first need to identify the organization's name. You can do this by clicking the lock icon -> connection is secure -> certificate is valid.
This applies to Brave/Chrome; Firefox has a similar option.
2. Use this dork to find all information related to *.target.*
3. If you are targeting a specific TLD such as *.target.com, then use this dork as shown below.
4. Hunting on a huge domain will give you loads of results. To filter unnecessary results like say "Invalid URL", use this dork.
5. You can check all HTTP titles and other info related to the target under "Facet Analysis". Say you've found pages with "302 Found" in the title when filtering with http.title and want to look at those IPs only; use this dork.
6. Tip: Sometimes domain names will not be accessible, but their corresponding IPs found in Shodan will serve live pages. In such scenarios, dork for the domain name in Google, Bing, URLScan, Web Archive and more.
7. If you have a lot of cached entries for the target domain, check manually whether some directory is accessible. Try to understand what sort of error you get when accessing certain pages and infer the web server in use. Then you can do content discovery on the page.
8. As a free user in Shodan you only have access to two pages of results, so remember to filter out unwanted results and look only at the ones you need. Use the "-" character to exclude unwanted results; see point 4 for an example.
9. You can also use status codes like 302, 200 and 403 in the dork to find pages returning that code. Pages returning 403 are interesting to look at.
10. Sometimes you can bypass a WAF by accessing the page's IP rather than the domain name. Once you have an IP without a WAF in front of it, fuzz intelligently.
11. If you have a Windows application domain, such as an IIS web server page, dork for that domain in Bing for better results.
If you've found this thread informative:
1. Follow me @thebinarybot to see more such quality content in your feed 🚀
2. RT the tweet below to share this thread with your audience - sharing is caring ☘️
1. Error messages: Sometimes error messages can reveal important information about the application's database, such as table names or column names. An attacker can use this information to craft a SQL injection attack.
2. Search fields: Search fields are often overlooked when testing for SQL injection vulnerabilities, but they can be an easy target for attackers. When the search term is not sanitized or parameterized, an attacker can inject SQL code to retrieve sensitive data from the database.
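To make the search-field point concrete, here is an added example (not from the thread or the talk) using Python's sqlite3 with a constructed in-memory product table: the concatenating search exposes an unpublished row to a crafted term, while the parameterized version treats the same term as a literal and returns nothing. The table, rows and the `INJECTION` string are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data: a small catalogue with one unpublished row
# that a normal search must never expose.
ROWS = [
    ("red widget", 1),
    ("blue widget", 1),
    ("internal prototype", 0),  # published = 0, must stay hidden
]

# Constructed search term that closes the LIKE string, ORs in a
# tautology and comments out the rest of the query.
INJECTION = "%' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Vulnerable: the term is spliced into the SQL text, so quotes in
    the term change the structure of the query, not just its data."""
    sql = (
        "SELECT name FROM products "
        f"WHERE published = 1 AND name LIKE '%{term}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Hardened: the term is bound as a parameter; the driver passes it
    as data, so it can only ever be matched literally."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, INJECTION))  # leaks all 3 rows
    print("safe:      ", search_safe(db, INJECTION))        # []
```

In application logs, a search term containing quote characters and SQL keywords that returns far more rows than usual is exactly the signal worth alerting on.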
1. Follow me @thebinarybot to get quality content on cybersecurity and bug bounty hunting.
2. RT the tweet below to share this thread with your audience
Worry no more. Open the thread below and master it to the core!
🧵👇
1. Pre-requisites
I still believe you can get into cybersecurity with little to no technical knowledge. That being said, if you want to master the art I would highly suggest you learn these topics:
1. Networks
2. Operating Systems
3. Programming - Python/Bash/JS
2. Practice by doing
One of the best ways to learn is by doing. Here's a list of freemium platforms where you can learn hands-on.