⚠️ Giveaway ⚠️
Want to learn modern reconnaissance and hacking skills?
Join The Bug Hunter's Methodology Cohort 5!
October 2nd, 3rd, 4th -
Like and retweet this post for a chance to win a free seat! Five winners will be announced on Sept 1st!
A 13-year-old coded a botnet control framework that utilizes Pastebin and GitHub for control of hosts in red teaming…
This makes the hacker in me so hopeful.
Check out pastebomb when it’s dropped!
🧵A hacker's guide to FINDING cybersecurity jobs🧵
Many people know of the normal ways to look for jobs like LinkedIn & Indeed... but we're hackers!
Today I'm going to share with you my top places/tips for finding your next gig.
🚨Retweet, follow, & like for more! 🚨
1/
👮 Hacking into several Prisons 👮
Here's how I did it (legally), and what I learned along the way!
A thread for security testers and cyber security pros
🧵👇
Another long (hacker) story thread 🧵
= Stealing checks worth millions & pwning a bank =
Here’s how I did it, so you can learn.
I was once contracted to do a penetration test on a bank…
Like, retweet, and follow for more hacker stories!
(1/x)
A thread🧵
💸Secrets of automation-kings in bug bounty💸
Finding 1day (or 1month) web exploits that haven't made their way into scanners yet can make you big money.
Read more to understand where and how to get an edge in this area!
🚨Retweet, follow, & like for more! 🚨
1/x
I have a real problem with hacker elitism.
I dislike the term script kiddie.
This job does not make you better than anyone.
Taking pride in a thing you do for a career, that also happens to be fun, is a privilege.
Please, participate positively in the community. <3
My personal GPT for offensive security, SecGPT. Been working on it for a while now.
I use it like I have a peer in a chair next to me, asking questions to learn and bounce ideas off of.
Enjoy:
(a LONG thread) 🧵
Inspired by
@infosec_au
&
@hacker_
here's one of my fun hacker stories:
= The complete compromise of a password manager company =
Here's how I did it (so you can learn):
I was given the project to pentest a password manager company: *.redacted.com
(1/16)
Friday will be my last day
@Bugcrowd
. It's been a wonderful ride the past 4 years. I'm so thankful for the opportunity and the epic people there. Next up, I'll be taking the Head of Security and Risk Management role
@Ubisoft
& marrying my passion for games and security!🕹️🤓
Excited to announce that
@codingo_
and I are currently working on “The Bug Hunter’s Methodology” book. The book will focus on cutting edge web red team, pentester, and bug bounty topics. Tools, methods, automation, and no BS.
4/8/22
#bugbountydiary
#bugbountytips
Everyone is sick in the house but I had some running scans I needed to check up on.
I found a SQL injection bug on a blog.
Here's how I did it, so you can learn...
👇
🚨Like, retweet, & follow for more hacker tips!🚨
1/x
🧙♀️ CISO Story Time
This is not exaggeration.
I have a good friend. He's a CISO of a multinational organization in the technology sector. We talk often.
Market trends, sales, and business regulations had the business decide to open a facility in China.
a 🧵 👇
- Run all your subdomain tools
- uniq them
- Pass that list to: "amass enum -nf domains.txt" to insert them into the amass database.
Then track new findings each day via:
amass track -d | grep "Found"
#bugbountytips
#bugbountytip
thanks
@jeff_foley
Ok fam. I’m giving away TWO free tickets to my course which takes place in two/three weeks.
All you have to do to win is like, retweet this tweet, and reply with “!”
I’ll pick winners next week!
If you haven’t seen my course, check out the link!
Are you new or getting started in pentesting?
Is it hard to come by AD environments to practice on except when on an engagement?
Check out:
Game of Active Directory (GOAD): A vulnerable Active Directory environment for penetration testing practice.
(link below)
== Trademark and Copyright Recon ==
How to find assets no other bug hunters have found.
One of my simple "secrets" for years.
Little automation exists for it.
💸💸💸
a thread🧵
🚨follow, retweet, & like for more hacker tips!🚨
1/x
🥽 The Anti-Recon Recon Thread 🥽
Recon is important, but some people hate it. I get it.
When you're in the zone & ready to pounce on a target, you just want to start hacking.
Want the best of both worlds? Quick/complete recon, WITH great coverage?
(a long thread)
🧵⬇️
Just so people know, I'm not crazy...
On the left, Burp 1.7 after spidering JUST and setting a scope rule for "tesla"
On the right Burp 2023, with Incy Wincy crawler ON (via fastest config)
Same configs.
* 2023 Burp took 1.5 hours for the crawl
*
🧵Another hacker story thread! 🧵
== The Medical Alert Hack ==
Not too long ago I put a whole city on high alert during a security assessment. A tale of caution. 💀
Read along to learn my approach & mistakes!
🚨Retweet, follow, & like for more hacker stories! 🚨
1/x
👇🏼
🧵A Practice Target SUPER Thread🧵
Offensive Security People!
Want to take your theory to live targets?
Need some resume filler?
Just want to keep fresh and practice?
Here's a thread of my favorite practice targets to recommend.
🚨Retweet, follow, & like for more! 🚨
1/
When you look up your target's ASN you'll find their IPv4 & IPv6 ranges.
Here's a one-liner to request all the webservers' SSL certificates and parse them for NEW TLDs, domains, and subdomains.
#bugbountytips
Hey
@Shopify
@Hacker0x01
...
I have had two bug hunters come to me and tell me horror stories about your bug bounty lately.
Valid bugs being exploited and you coming out saying... "oh we had planned on fixing that... no impact"
That is NOT the bug bounty contract. If there
🤖 WebSecGPT - Your AI security buddy
Hacking an API or JS framework?
Don't have a swagger file or struggling to understand the app?
Wanna quickly identify all js sinks?
Meet WebSecGPT
(a thread ) 👇
My
#nahamcon2022
Keynote recording is out!
The Bug Hunter's Methodology: Application Analysis v1
Learn my tips, tricks, & tools for web pentesting or bug bounty. Thanks Ben (
@NahamSec
) & NahamCon!
🚨Retweet, follow, & like for more hacker content! 🚨
Bypass Url Parser by
@TheLaluka
Checking the source, I can confirm many of these methods have worked for me in the past. Including a string of auth bypasses for $30k on a bounty platform.
Excited to test tool instead of doing it all manually 🤩
🔍 My ultimate workflow for simple and easy JavaScript Analysis
⚡️ Comprehensive JavaScript analysis in offensive security, appsec testing, and red teaming wins.
Often you can find juicy hidden endpoints, parameters, & domains buried in JS!
A thread 🧵 1/x
👇
I have a friend who has been tasked with conducting DDoS testing (approved as part of a red teaming exercise).
I suggested because it's what malicious actors are using in conjunction with freshly purchased SOCKS proxies.
Do you know of any other tools
💪 Code Literacy is a Super Power for Hackers 💪
(and Security Literacy is a super power for devs)
Knowing how vulnerabilities are mitigated makes you a 10x engineer (sec or dev)
Check out this thread for some of my fav
🔥FREE🔥
resources. ⬇️
(Also send me more!)
I started in helpdesk with very little comsci background, then *heard* pentesting was a thing you could make a career. I begged, borrowed, ++ to learn everything I could about it. You can do it too. I promise.
Happy holidays hackers. Especially newbies out there. Keep grinding.
I've dropped my 403 bypass tampers on
@DanielMiessler
,
@g0tmi1k
, and my project SecLists this afternoon.
I have found many bugs with these tricks.
Enjoy 🫶✌️🤫
🧵Another new hacker story thread! 🧵
== The 100 Million Person Data Disclosure ==
That time I hacked a whole country by accident!
🚨Retweet, follow, & like for more hacker stories! 🚨
1/x
👇
⭐ Recon Tip
Reverse DNS (rDNS) leverages PTR and DNS queries to find domains among your target's IPs.
@hakluke
has an excellent tool for this called Hakrevdns!
Workflow?
1) Get ASN
2) prips {ASN IP RANGE} | hakrevdns
⏰ Want a one-liner that notifies you of any fresh domains (if they come up) each hour?
#3
⬇️
> screen
> subfinder -silent -d {target}.com -o {target}
> while true; do subfinder -silent -dL {target} -all -nW | anew {target} | notify; sleep 3600; done
= Infosec super-thread =
A big part of my presos is tools/resources I like for offensive security & bug hunting.
Here's a thread of "PRINT" resources cited in the Bug Hunter's Methodology Application Analysis v1
a 🧵
#bugbountytips
#Pentesting
1/x
🧵Another hacker story thread!🧵
=== Penetrating a Porn Site ===
How I hacked access to the most sensitive areas of a porn site using only low severity vulnerabilities.
Here's how I did it...
👇
🚨follow, retweet, & like for more hacker stories!🚨
1/x
- a FREE Arizona State University curriculum for computer security and hacking.
Run by my friend
@Zardus
and crew, former
@defcon
ctf winners and runners
🔍 There have been hundreds of thousands of FOSS vuln check rules created.
👍 While
@pdnuclei
(by default) has a great many, there exists a project to gather over 119 repos of Nuclei checks/templates.
➕ That's over 30,000 additional checks.
A thread/tip for hackers/defenders/organizations. 🧵
⚠️A commonly found vulnerability for organizations is credentials leaked on Github.⚠️
Sometimes this can be from the organization's OWN code repositories on GitHub, but...
🚨follow, retweet, & like for more tips!🚨
1/x 👇
MGM gaming floor makes 1-1.3 million a day.
65% of the gaming floor is down.
That’s conservatively 650k/d, plus IP loss, ransom payment, legal fees, recovery, fines, overtime, & PR loss. Plus the hotel is impacted as well.
guessing that bug bounty + security budget isn’t
🐻 Hacking a Search / Cloud Company 🐻
I once took over a MAJOR foreign search/cloud company.
I had full access to every employee's email & full source code for all their apps.
Here's how I did it (legally)… ⬇️🧵
🧵Full-Time Bug Bounty Hunter thread 🧵
I'm looking for people to jump in and give me their perspectives. This is all speculative and in US hyper inflated markets.
A Sr/Principal Security Tester in the US can command a $150-200k salary in big markets (SFO, LA, NY).
👇1/x
The next level of automation in recon is targeted content discovery / directory bruteforcing for CVEs ++. Want a good start on these fingerprints/templates? They exist!
Web Pentesting / Bounty Tip:
Some people like using a command-line spider for gathering endpoints. Katana is one of these security focused spiders:
When using katana:
1) use "-headless" as modern CDN WAFs block many command-line spiders.
2) use
On last night's stream we did an overview of all the great "targets" and resources newbies can learn hacking on. It was super fun! Most of it came from my appsec bootcamp which I mentioned briefly.
Will upload the video to YouTube tomorrow =)
Jeez, there were a lot of hacker Twitter peeps throwing hate at each other, and the weekend is not even over.
You know what’s really cool? Being kind, supportive, and not gatekeeping.
That’s fucking RAD.
I know it's common sense but remember when parsing JS for endpoints/files:
/ = Root directory
. = This location
.. = Up a directory
./ = Current directory
../ = Parent of current directory
../../ = Two directories backwards
#bugbountytips
?
Want a free training on AWS Security?
@Kloudleinc
is GIVING away a free one on taught by
@riyazwalikar
A 7.5 hour AWS Security Masterclass including...
PSA if new: Alongside
@PentesterLab
&
@WebSecAcademy
, you should all be checking out
@sambowne
's courses. Free & online.
Web Hacking:
Incident Response:
and find all the others scrolling down:
If you didn't know or just missed it
@portswigger
maintains a configurable XSS cheatsheet for web security testers here:
It includes features to build payloads with exactly what you need, and has written context around injections!
I use it often. Enjoy!
Analysis of 18,000+ parameters reveals *File inclusion/Path Traversal & Server Side Request Forgery* most often take place within these parameters.
Check out
@swagnetow
& my
@Burp_Suite
extension HUNT to alert whenever it sees 1 of these params.
The next cohort of "The Bug Hunter's Methodology Live" will be:
US: March 2nd-3rd
EU: March 9th-10th
Repost, like, and reply for a chance at a free seat!
New in v2.5 - More Burp, more JS analysis, more IDOR/MFLAC!
I’ve been leading Ubisoft’s security team for the last 4 years.
It has been an epic adventure & I have learned so much along the way. I have truly worked with some great people.
It is, however, time for me to move on. I will depart Jan 2.
Stay tuned for what’s next 🫡
Being a hacker has little to do with your job.
It's in your blood, your soul— it's a way of thinking. It's curiosity, creativity, and challenging norms.
It's a relentless pursuit of knowledge, it's embracing the unconventional.
Whatever you do today, bring the hacker mindset.
CISO & Security Exec friends:
Shit is changing. You can be held accountable for risk decisions.
Cover yourself with your contract, document everything, build into your yearly cost a legal stipend, build into your contract fixed/immutable severance package.
Just my 2c ✌️
Statistical analysis of 18,000+ applications reveals *SQL Injection* most often takes place in these parameters.
Check out
@swagnetow
and my
@Burp_Suite
extension HUNT to alert whenever Burp sees one of these params, & gives advice to manually test.
Taking a break from bounty and social media for a while. Prob a month or two.
Been pretty dark since defcon, I think I burned myself out 🥱
Stay safe everyone
❤️
Simple but impactful tip for content discovery. Always use the subdomain as a path. Often it is the root of the application
#bugbountytips
#bugbountytip
:
try:
and then do content discovery
Hey friends. Sorry I’ve been so incognito recently. Julia (my wife) had some serious health issues the last few months that culminated in emergency surgery last week. Looks like we are out of the woods now but in recovery mode for a few more weeks. Love you all.
🛹 AwsScrape:
My Go script to monitor AWS IP ranges & alert when it sees a keyword in SSL certificate data (CN, O, OU)
I have found many "ephemeral", dev, & misconfigured hosts monitoring the cloud space like this. Slow but powerful.
Enjoy!
#bugbountytips
🧵 1/x
Starting from almost scratch. Testing Environment:
DO Ubuntu VPS, 2 vCPUs. 4GB mem / 60GB Disk, ($20/mo)
This works for most general tasks. In most VPS-intensive tasks (content discovery, fuzzing, etc) memory is your bottleneck.
Exploring parameter fuzzing?
Use ffuf via .ffufrc config file or command line, custom, FUZZ keyword.
Get a general param list by me,
@DanielMiessler
, and
@albinowax
:
and the debug list by me &
@G0LDEN_infosec
:
Enjoy!
So… I just finished my 1st
@Hacker0x01
Live Hacking event & I’m heading into another with
@Bugcrowd
As a program owner, hacker, & security leader… I have thoughts!
Read along for some spicy bounty takes.
🚨 Like, follow, & retweet for more security content 🚨
a 🧵
1/x
OWASP WrongSecrets
A hands-on game packed with real-life examples of improper secrets management in software.
Includes 41 challenges to enhance your understanding of leaked secrets and can help you practice with the tools needed to detect them!
Ooh I like this game!
In a similar "regex github" style...
SSRF:
/file_get_contents\(.*\$_GET|curl_exec\(.*\$_GET/
/(subprocess|exec|spawn|system).*chrome.*--headless/
WIP
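An added example (not from the tweet) that runs the two regexes above over constructed source lines for code-review triage. It shows a real hit, a false positive caused by a comment, and a miss on "chromium", because a line-by-line grep is a heuristic, not taint tracking.

```python
import re

# The two patterns from the tweet above, unchanged except for being Python raw strings.
SINK_PATTERNS = {
    "php-ssrf": re.compile(r"file_get_contents\(.*\$_GET|curl_exec\(.*\$_GET"),
    "headless-chrome": re.compile(r"(subprocess|exec|spawn|system).*chrome.*--headless"),
}

# Constructed sample source lines (not taken from any real repository).
SAMPLE_SOURCE = """\
$data = file_get_contents($_GET['url']);
$data = file_get_contents('config.json');
$ch = curl_init($url); $res = curl_exec($ch);  // $url built from $_GET earlier
subprocess.run(["chrome", "--headless", "--dump-dom", target])
os.system("google-chrome --headless --screenshot " + url)
spawn('chromium', ['--headless', url])
"""


def find_sinks(source: str):
    """Return (line_no, rule_name, stripped_line) for every line matching a sink pattern.

    Line 1 is a genuine candidate: user input flows straight into file_get_contents().
    Line 3 matches only because the trailing comment mentions $_GET; the real taint
    (curl_init($url)) would be invisible to this grep without the comment.
    Line 6 is missed entirely: the pattern looks for "chrome", and "chromium" does not
    contain that substring. Review hits by hand; treat misses as possible, not absent.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SINK_PATTERNS.items():
            if pattern.search(line):
                hits.append((line_no, rule, line.strip()))
    return hits


def count_by_rule(hits):
    """Summarise hits per rule so a reviewer can size the triage work."""
    counts = {}
    for _, rule, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, rule, text in find_sinks(SAMPLE_SOURCE):
        print(f"line {line_no:>2} [{rule}] {text}")
```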