Presentation Material
Abstract
Recon is an important phase in penetration testing. But wait, not everyone does it, because everyone is busy filling forms with values like <script>alert(1);</script>. Effective recon can often give you access to assets/boxes that regular penetration testers rarely find. The internet is one of the best ways to find such hosts/assets, and there are plenty of tools available online that help researchers get at them. Is reverse-IP lookup really useful? Is dnsdumpster the only site that can give you a list of sub-domains? What if I told you there are many different ways which, combined together, can give you effective results?
What if I told you I have got access to many dev/test boxes which should never have been public facing? In this talk, the speaker will demonstrate a few effective techniques with which researchers/pen testers can do better information gathering. The speaker will also share stories of bounties earned using these recon techniques. These techniques may also be useful to red teams/incident response teams for identifying rogue devices in their organisation, which are often missed during a normal penetration test. These might not be "best practices", but they are definitely "good practices" and "nice to know" things while doing penetration testing. Plus, the speaker will not just present slides but will try to pray to the demo gods for some luck. Expect some direct and key takeaways.
AI Generated Summary (may contain errors)
Here’s a summarized version of the content:
The speaker discusses the importance of reconnaissance (recon) in penetration testing and red teaming. They recommend tools such as LinkFinder, and the recon tooling published by nahamsec and Zed Piano, to pull endpoints out of JavaScript files and identify potential entry points for attacks. The goal is to move beyond hunting for SQL injection and command injection on login pages and instead discover other areas of the attack surface.
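As an added illustration of what endpoint extraction from JavaScript looks like (this is not LinkFinder's code, and the JS sample and base URL are constructed for the example), the script below pulls quoted strings that look like URLs or paths out of a file, drops obvious MIME-type noise, and resolves relative paths against the page the script was loaded from:

```python
"""Extract candidate API endpoints from JavaScript source.

Added example, not LinkFinder's implementation. The regex is deliberately
loose: recon wants recall, and a human triages the list afterwards.
"""
import re
from typing import List, Optional
from urllib.parse import urljoin

# A quoted string (same quote char on both ends) that is either a full URL,
# an absolute path, or a relative path with at least one slash.
_ENDPOINT_RE = re.compile(
    r"""(["'`])("""
    r"""https?://[^"'`\s]+"""              # full URL
    r"""|/[A-Za-z0-9_.~/?=&%-]+"""          # absolute path, e.g. /v1/users
    r"""|[A-Za-z0-9_-]+/[A-Za-z0-9_.~/?=&%-]+"""  # relative path, e.g. api/v2/debug
    r""")\1"""
)

# "application/json", "text/html" etc. match the relative-path branch; skip them.
_MIME_TOP_LEVEL = {"application", "text", "image", "audio", "video", "multipart", "font"}


def extract_endpoints(js: str, base_url: Optional[str] = None) -> List[str]:
    """Return unique endpoint strings in order of first appearance.

    If base_url is given, absolute and relative paths are joined onto it so
    the output can be fed straight into a request tool.
    """
    found: List[str] = []
    seen = set()
    for match in _ENDPOINT_RE.finditer(js):
        endpoint = match.group(2)
        if endpoint.split("/")[0] in _MIME_TOP_LEVEL:
            continue
        if base_url and not endpoint.startswith(("http://", "https://")):
            endpoint = urljoin(base_url, endpoint)
        if endpoint not in seen:
            seen.add(endpoint)
            found.append(endpoint)
    return found


# Constructed sample: a small bundle mixing an API host, absolute and relative
# paths, a template literal, and a MIME type that must not be reported.
SAMPLE_JS = """
const API = "https://api.example.com";
fetch(API + "/v1/users", {headers: {"Content-Type": "application/json"}});
axios.post('/internal/admin/export?format=csv');
const legacy = `api/v2/debug`;
"""

if __name__ == "__main__":
    for ep in extract_endpoints(SAMPLE_JS, base_url="https://app.example.com"):
        print(ep)
```

Note that relative paths are joined onto the page URL, not the API host the script concatenates at runtime; a string built as `API + "/v1/users"` is reported under the app origin and has to be re-homed by hand. That is the same triage step LinkFinder output needs.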
The speaker also demos HostileSubBruteforcer, which brute-forces subdomains and flags candidates for subdomain takeover. They emphasize the importance of doing recon on one's own organization before engaging in bug bounty hunting.
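To make the takeover check concrete, here is an added example (not HostileSubBruteforcer's code) of the logic such a tool applies to each brute-forced name: resolve it, and if it is a CNAME to a third-party service whose hostnames can be re-registered by anyone, flag it. The DNS lookup is injected as a callable so the block runs offline; `CONSTRUCTED_ZONE`, `fake_lookup` and the wordlist are all made up for the example, and the provider list is a small subset of what real tools ship.

```python
"""Brute-force subdomains and flag dangling CNAMEs to takeover-prone services.

Added example, not HostileSubBruteforcer's implementation. Swap fake_lookup
for a real resolver (e.g. a dnspython-based function with the same return
shape) to run it against a live domain you are authorised to test.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# CNAME suffixes of services where a deleted customer resource leaves the
# hostname claimable by whoever registers it next. Subset for illustration.
TAKEOVER_PRONE = {
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
    "s3.amazonaws.com": "AWS S3 website",
    "azurewebsites.net": "Azure App Service",
    "trafficmanager.net": "Azure Traffic Manager",
}

# A lookup returns (cname_target or None, does_the_final_target_resolve).
# Bare A record: (None, True). Name does not exist at all: (None, False).
Lookup = Callable[[str], Tuple[Optional[str], bool]]


@dataclass
class Finding:
    host: str
    cname: Optional[str]
    # alive | cname | cname-takeover-candidate | dangling-takeover
    status: str
    provider: Optional[str] = None


def provider_for(cname: str) -> Optional[str]:
    """Map a CNAME target to a known takeover-prone provider, if any."""
    target = cname.rstrip(".")
    for suffix, name in TAKEOVER_PRONE.items():
        if target == suffix or target.endswith("." + suffix):
            return name
    return None


def classify(host: str, lookup: Lookup) -> Optional[Finding]:
    """Classify one hostname; None means it does not exist (nothing to report)."""
    cname, resolves = lookup(host)
    if cname is None:
        return Finding(host, None, "alive") if resolves else None
    provider = provider_for(cname)
    if provider is None:
        return Finding(host, cname, "cname")  # internal or unknown CNAME, low interest
    # A provider CNAME whose target is NXDOMAIN is the strong signal: the
    # resource was released and the name can likely be re-registered. If the
    # target still resolves (S3, GitHub Pages wildcards do), an HTTP
    # fingerprint check is still needed before calling it a takeover.
    status = "cname-takeover-candidate" if resolves else "dangling-takeover"
    return Finding(host, cname, status, provider)


def brute_force(domain: str, words: Iterable[str], lookup: Lookup) -> List[Finding]:
    """Try every word as a subdomain label and return everything that exists."""
    findings = []
    for word in words:
        finding = classify(f"{word}.{domain}", lookup)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed zone standing in for real DNS answers.
CONSTRUCTED_ZONE = {
    "www.example.com": (None, True),                          # plain A record
    "api.example.com": ("api-lb.example.com.", True),          # internal CNAME
    "blog.example.com": ("acme-blog.github.io.", True),        # provider CNAME, target resolves
    "old.example.com": ("acme-old.azurewebsites.net.", False),  # provider CNAME, NXDOMAIN
}
WORDLIST = ["www", "api", "blog", "old", "dev", "staging"]


def fake_lookup(host: str) -> Tuple[Optional[str], bool]:
    return CONSTRUCTED_ZONE.get(host, (None, False))


if __name__ == "__main__":
    for f in brute_force("example.com", WORDLIST, fake_lookup):
        print(f"{f.host:22} {f.status:28} {f.cname or '-':32} {f.provider or ''}")
```

Only `dangling-takeover` is close to a sure thing; a `cname-takeover-candidate` still needs the provider's "no such site / no such bucket" response before it is worth reporting, which is why the real tools fetch the page after the DNS step.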
Additionally, the speaker recommends following experts in the field, such as nahamsec and Jason Haddix, and learning from their research and tools. They also encourage open-sourcing any new automation and recon ideas that come out of this work.
Finally, the speaker is asked about attacking targets behind Cloudflare or other security services, but declines to answer for lack of expertise in that area, instead recommending a YouTube video by Pete Peter on S3 buckets and cloud fetcher.