Bug Bounties With Bash
TomNomNom (tomnomnom.com)

Me
● Security Researcher @ Detectify
● @TomNomNom online
● Mediocre bug hunter
● This is adapted from a workshop at BSides Leeds

Obligatory Disclaimer
● The Computer Misuse Act (or your country's equivalent) is serious business
● Don’t do things unless you have explicit permission
● I am not your supervisor

Bash
● Bash is a shell
● A shell wraps the kernel so you can launch processes
● ...it’s a botany metaphor!
● There are other shells…
  ○ zsh
  ○ fish
  ○ ksh
  ○ explorer.exe…
● I like bash :)

Bug Bounties and Bash?
● Why not?
● There are many purpose-made security tools that nearly do what you want
● Sometimes you just have to make tools

Y u no gui?
● GUIs are nice
● They provide better discoverability
● But if they don’t support your use case you’re SOOL (:

Bash Basics
● This is the bit where I run some commands in a terminal and you all say “oooh!” and “aaah!” like you’re impressed.
● ...seriously, I could really use the ego boost.

Some Core Utils
● grep - search for patterns in files or stdin
● sed - edit the input stream
● awk - general purpose text-processing language
● cat - concatenate files
● find - list files recursively and apply filters
● sort - sort the lines from stdin
● uniq - remove duplicate lines from stdin
● xargs - run a command using each line from stdin as an argument
● tee - copy stdin to a file and to the screen

IO Streams
● A Linux process has three standard streams:
  ○ stdin (file descriptor 0)
  ○ stdout (file descriptor 1)
  ○ stderr (file descriptor 2)
● stdin defaults to your keyboard
● stdout and stderr default to your screen
● You can redirect the standard streams
  ○ ‘< file’ connects a file to stdin
  ○ ‘> file’ redirects stdout to a file
  ○ ‘2> file’ redirects stderr to a file
  ○ ‘&> file’ redirects stdout and stderr to a file
  ○ ‘2>&1’ redirects stderr to stdout!
● Demo time...

Subshell Tricks
● <(cmd) - returns the output of ‘cmd’ as a file descriptor
  ○ Handy if you want to diff the output of two commands…
  ○ diff <(cmd-one) <(cmd-two)
● $(cmd) - returns the output text of ‘cmd’
  ○ Handy if you want to store the command output in a variable
  ○ myvar=$(cmd)

Enumerating Subdomains
● We could use external services
  ○ hackertarget.com
  ○ crt.sh
  ○ certspotter.com
● But it’s nice to complement that with good-old brute force
● You will need:
  ○ A target
  ○ A wordlist
  ○ Bash :)

Does it resolve? Only humans know for sure

Enter Exit Codes

Conditionals

Demo Time
● Yay! Demo time!

Command Oriented Programming

Tidying It Up A Little

Loops

More Demo Time
● I love demo time (:

Looping Over stdin

Putting It Together

If you liked it you shoulda put a .sh on it

I Like It Generic

Permissions
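The slides from “Does it resolve?” through “Permissions” build up one script. The following is an added example of that script (mine, not the deck's), written for POSIX sh: it throws away host's human-readable output with `>/dev/null 2>&1`, branches on the exit code alone, loops over stdin, and takes the domain as an argument so it stays generic. RESOLVER and the function names are assumptions of this example so the real `host` can be swapped for a stub.

```shell
#!/bin/sh
# resolves.sh: read candidate hostnames from stdin, print the ones that resolve.
# RESOLVER is an assumption of this example: any command that exits 0 when its
# single argument resolves (the default is the real `host` tool).
RESOLVER=${RESOLVER:-host}

# `host` writes its answer for humans; discard stdout and stderr (2>&1 after
# >/dev/null sends both to the bit bucket) and keep only the exit code.
resolves() {
    "$RESOLVER" "$1" >/dev/null 2>&1
}

# Generic: works for full names (no domain given) or prefixes joined to a domain.
# Usage: resolve_stdin [domain]   e.g.  cat wordlist | resolve_stdin example.com
resolve_stdin() {
    domain=$1
    while read -r name; do
        # skip blank lines and comments in the wordlist
        case "$name" in ''|'#'*) continue ;; esac
        if [ -n "$domain" ]; then
            fqdn="$name.$domain"
        else
            fqdn=$name
        fi
        if resolves "$fqdn"; then
            printf '%s\n' "$fqdn"
        fi
    done
    return 0
}

# Runs as a script when executed directly (after chmod +x resolves.sh);
# sourcing the file with `. ./resolves.sh` only defines the functions.
case "${0##*/}" in resolves.sh) resolve_stdin "$@" ;; esac
```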

Dangling CNAMEs

The Plan
● Check subdomains for CNAME records
● Check if those CNAMEs resolve
● ...profit?
● Demo time :)

Getting the CNAMEs

In Case That Demo Went Badly...

Fetch All The Things
● Having lots of targets to look at can be overwhelming
● Dddddddemo time

A Thing To Fetch All The Things

Finding Things In The Output

Some Things To Grep For
● Titles
● Server headers
● Known ‘subdomain takeover’ strings
● URLs (and then go and fetch the URLs!)
  ○ JavaScript files are nice (:
● Secrets
● Error messages
● File upload forms
● Interesting Base64 encoded strings ;)
  ○ (eyJ|YTo|Tzo|PD[89])
● Demo time, obv.
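An added example (not the deck's) of grepping fetched pages for the base64 prefixes listed above. They are what the first bytes of the plaintext encode to: `{"` becomes eyJ (JSON, so JWT segments), `a:` becomes YTo and `O:` becomes Tzo (PHP serialized data), and `<?` becomes PD8 or PD9 (PHP source). The sample response and the function names are constructed for this example.

```shell
#!/bin/sh
# Grep fetched responses for runs that start like base64 of something
# interesting. The prefixes come from the first bytes of the plaintext:
#   {"  -> eyJ        (JSON, and therefore JWT header/payload segments)
#   a:  -> YTo        (PHP serialized array)
#   O:  -> Tzo        (PHP serialized object)
#   <?  -> PD8 or PD9 (PHP source; the 4th char depends on the next byte)

# Print every base64-looking run that begins with one of the prefixes, one per
# line. Reads stdin, e.g.  cat out/*/body | b64_candidates
b64_candidates() {
    grep -oE '(eyJ|YTo|Tzo|PD[89])[A-Za-z0-9+/]+={0,2}'
    return 0
}

# Decode one candidate. JWT segments drop the '=' padding, so restore it first;
# strict decoders (GNU base64) reject unpadded input.
decode_b64() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | base64 -d 2>/dev/null
}

# Constructed sample response for this example (not real captured data).
SAMPLE='<html><script>var token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln";</script>
<input type="hidden" name="state" value="YToxOntpOjA7czozOiJmb28iO30=">
<!-- backup: PD9waHAg -->
<p>Plain text with nothing of note</p></html>'

# Show each candidate next to what it decodes to.
show_candidates() {
    printf '%s\n' "$SAMPLE" | b64_candidates | while read -r c; do
        printf '%s  =>  %s\n' "$c" "$(decode_b64 "$c")"
    done
}
```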

When In Doubt: Use Your Eyes
● Deeeeeeeemo time
● It’s demo time
● Time for a demo
● I like demos :)

Speeding Things Up
● Pipes give you some parallelisation for free
  ○ It’s not enough though, is it?
● xargs can run things in parallel…
● Let’s speed up our subdomain brute-forcer
● What time is it?
  ○ It’s demo time.
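An added example (not from the deck) of the xargs step: the stdin resolver from earlier, fanned out across several processes with `xargs -P`. RESOLVER and the function name are assumptions of this example.

```shell
#!/bin/sh
# presolve.sh: the stdin resolver again, but fanned out with xargs -P.
# RESOLVER is an assumption of this example: any command that exits 0 when its
# single argument resolves (the default is the real `host` tool).
RESOLVER=${RESOLVER:-host}

# Usage: cat wordlist | presolve example.com [jobs]
# Prints each name that resolves; order is whatever finishes first.
presolve() {
    domain=$1
    jobs=${2:-20}
    # Drop blank lines, glue the domain on, then let xargs run up to $jobs
    # resolver processes at once. -I{} gives one name per invocation; the
    # tiny sh -c script receives the resolver as $0 and the name as $1 and
    # always exits 0 so xargs does not report lookup failures as its own error.
    grep -v '^[[:space:]]*$' |
      sed "s/\$/.$domain/" |
      xargs -P "$jobs" -I{} sh -c \
        'if "$0" "$1" >/dev/null 2>&1; then printf "%s\n" "$1"; fi' "$RESOLVER" {}
    return 0
}
```

Because the workers finish in any order, pipe the output through `sort` when a stable list matters.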

A Bit Of A Mess

A Little Cleaner

Bits And Bobs
● Use dtach for long-running tasks
● vim is a major part of my workflow
● When things get complex, consider a different language…
  ○ I like Go :)
  ○ Check out meg, comb, unfurl, waybackurls, gf, httprobe, concurl...