What Should You Do After Recon?!

NahamSec
6 Feb 2023, 14:46

Summary

TL;DR: This video script covers the post-reconnaissance phase of hacking and stresses that what you do next depends on your own hacking style. It outlines two primary approaches: terminal-focused hacking, built around running tools and fuzzing endpoints, and application-focused hacking, which means deep-diving into an application's functionality. The speaker advocates a balanced approach, automating tedious tasks while exploring applications manually to uncover vulnerabilities. The script also covers using Nuclei with custom templates and httpx for light information gathering, and discusses prioritizing targets by response code and title, with the aim of making the hacker more efficient at identifying and exploiting vulnerabilities.

Takeaways

  • The next steps in hacking after Recon depend on your personal style and approach to hacking.
  • Engage with the community by sharing your hacking style in comments or subscribing to the channel for more content.
  • Recon is not a replacement for hacking; manual approaches are often necessary to find vulnerabilities.
  • Two common hacking approaches are: 1) Terminal-based hacking, focusing on tool usage and endpoint discovery, and 2) Application-based hacking, which involves deep diving into application functionalities.
  • It's beneficial to combine both approaches to hacking, automating tedious tasks while manually exploring applications for vulnerabilities.
  • After Recon, use light vulnerability scanning with tools like Nuclei, but customize templates to avoid common defaults and reduce false positives.
  • Perform light information gathering to quickly understand an organization's infrastructure, prioritizing assets based on response codes and titles.
  • Prioritization of targets is crucial; focus on applications with valuable keywords in their titles, such as 'dashboard' or 'login'.
  • Error codes like 400 and 403 are not reasons to give up; they present opportunities for further exploration and potential vulnerabilities.
  • Use tools like httpx to gather information and prioritize assets systematically, but also understand the value of manual analysis for a deeper insight.

Q & A

  • What is the main question people often ask after conducting reconnaissance in hacking?

    -The main question people often ask is what they should do after completing their reconnaissance phase in hacking.

  • What does the speaker suggest is crucial in determining what to do after reconnaissance?

    -The speaker suggests that one's own hacking style and approach are crucial in determining what to do after reconnaissance.

  • What are the two common approaches to hacking mentioned in the script?

    -The two common approaches to hacking mentioned are: 1) Preferring to be in a terminal, running tools and fuzzing endpoints, and 2) Wanting to sit down and thoroughly explore an entire application's functionality.

  • What is the speaker's personal approach to automation in hacking?

    -The speaker's personal approach to automation is to use it for efficiency, automating tedious tasks, and not relying solely on it for finding vulnerabilities.

  • Why does the speaker suggest not solely relying on default templates in tools like Nuclei?

    -The speaker suggests not relying on default templates because they are commonly used by many, which can lead to less unique and potentially less effective reconnaissance.

  • What is 'light information gathering' as described in the script?

    -Light information gathering refers to quickly assessing assets using tools like httpx to gather information such as response size, response code, and titles to prioritize targets.

  • How does the speaker recommend using response codes to prioritize targets during reconnaissance?

    -The speaker recommends prioritizing targets by focusing on 200 OK responses for active applications, 300 ranges for redirects (especially single sign-on pages), 400 ranges for authorization-required pages, and 404 errors which might hide accessible resources.

  • What is the significance of the 300 range response codes in the context of hacking?

    -The 300 range response codes signify redirects, which can indicate the presence of single sign-on pages or other authorized resources, potentially leading to more valuable data if vulnerabilities are found.

  • What does the speaker suggest doing when encountering a 404 response code during reconnaissance?

    -When encountering a 404 response code, the speaker suggests using keywords from the subdomain or error page to guess and brute force possible routes or endpoints that might be hidden.

  • How does the speaker recommend prioritizing assets after information gathering?

    -The speaker recommends prioritizing assets by manually or automatically sorting through the results from tools like httpx, focusing on titles and response codes to identify the most valuable targets.

Outlines

00:00

What to Do After Recon?

The speaker addresses a frequently asked question about what actions to take after completing Recon. They emphasize that the answer depends on the individual's hacking style and approach. The speaker encourages viewers to explore their style and shares that hacking can involve manual or automated processes, both of which have their merits. The importance of not relying solely on automation for vulnerability discovery is highlighted, as manual approaches can yield valuable findings.

05:02

The Importance of Manual vs Automated Hacking

In this section, the speaker contrasts two approaches to hacking: manual fuzzing and automated processes. While automation is efficient for repetitive tasks, they stress the importance of manual intervention in discovering deeper vulnerabilities, especially in applications with logins and complex functionality. The speaker shares their own approach of balancing automation with manual investigation, particularly in web applications with user authentication and different privilege levels.

10:06

How to Approach Targets After Recon

The speaker provides actionable advice on how to handle targets after Recon. They recommend using Nuclei templates but advise against relying solely on the default ones, since many hackers run exactly the same templates. Instead, they suggest customizing templates based on vulnerabilities found in the past and creating fingerprints for specific assets like Jira or Jenkins. The speaker explains that using Nuclei to automate discovery and gather leads can be an effective way to identify assets that are likely to have vulnerabilities.

Light Information Gathering and Prioritization

This section introduces the concept of light information gathering using tools like httpx to gather critical data points, such as response codes, titles, and response sizes, which help prioritize assets. The speaker highlights the value of quickly understanding an organization's infrastructure and explains how these elements help in narrowing down the focus to critical applications and vulnerabilities. They also touch on the significance of combining information gathering with prioritization to streamline hacking efforts.

Dealing with HTTP Response Codes: 200, 300, 400 Ranges

The speaker delves into different HTTP response codes and their implications for hackers. For instance, a 200 response means an application is accessible, and its title can offer clues for further investigation. Redirects (300) may signal sensitive data behind authentication barriers, while 400 series codes like 401 and 403 imply authorization issues. The speaker emphasizes how these codes present opportunities to explore deeper, using brute force or other techniques to bypass restrictions and uncover vulnerabilities.

Overcoming HTTP 403 and 404 Errors

In this section, the speaker encourages hackers not to give up when faced with 403 or 404 errors, as these can often be bypassed. They share strategies for brute-forcing and exploring directories to gain access to hidden or restricted areas. Techniques like adding slashes or using specific patterns for bypassing these blocks are discussed, and the speaker highlights the importance of persistence in uncovering hidden resources even when the server indicates 'Forbidden' or 'Not Found.'

Prioritizing Targets Based on Response Data

The speaker wraps up by discussing how to prioritize targets after gathering HTTP response data. They suggest focusing on response codes and keywords within titles to identify the most valuable assets. By filtering through the data for keywords like 'dashboard,' 'login,' and 'admin,' hackers can quickly locate critical applications. The speaker also touches on looking for specific internal tools, such as Jenkins or GitHub, to find valuable vulnerabilities. This prioritization strategy helps streamline the hacking process.
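The triage described in this section and the status-code discussion above, as an added example that is not part of the video or of httpx itself: it parses constructed lines in the `url [status] [size] [title]` shape that httpx prints with `-sc -cl -title` (the format and the hostnames are assumptions for this example) and ranks each asset using the video's rules, 200s with valuable title words first, redirects and 401/403 next, 404s last but flagged when the hostname hints at an API or internal tool.

```python
"""Triage of httpx-style output into a prioritised asset list (example code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in the "url [status] [size] [title]" shape that httpx prints
# with -sc -cl -title (assumed format; the hosts are made up for this example).
SAMPLE_HTTPX_OUTPUT = """\
https://www.example.test [200] [51234] [Example - Home]
https://admin.example.test [200] [8120] [Admin Dashboard]
https://portal.example.test [302] [0] []
https://ci.example.test [403] [146] [403 Forbidden]
https://api.example.test [404] [19] [Not Found]
https://static.example.test [200] [0] []
https://dev-jenkins.example.test [401] [561] [Jenkins]
"""

LINE_RE = re.compile(
    r"^(?P<url>\S+)\s+\[(?P<status>\d{3})\]\s+\[(?P<size>\d+)\]\s+\[(?P<title>[^\]]*)\]\s*$"
)

# Title words the video singles out, plus the internal tools it names.
TITLE_KEYWORDS = {"dashboard", "login", "admin", "register", "customer",
                  "jira", "jenkins", "swagger", "github"}
# Hostname labels the video suggests grepping for.
HOST_KEYWORDS = {"api", "app", "dev", "internal", "corp", "ci"}


@dataclass
class Asset:
    url: str
    status: int
    size: int
    title: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Parse one httpx-style line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Asset(m["url"], int(m["status"]), int(m["size"]), m["title"])


def score_asset(asset: Asset) -> Asset:
    """Rank an asset the way the video does: status class first, then keywords."""
    title_words = set(re.findall(r"[a-z0-9]+", asset.title.lower()))
    # Match whole hostname labels, so "ci" does not hit "static" or "public".
    host_labels = set(re.split(r"[.-]", urlparse(asset.url).hostname or ""))
    if asset.status == 200:
        if not title_words and asset.size == 0:
            asset.score += 1
            asset.reasons.append("blank 200: treat like an error code and inspect")
        else:
            asset.score += 3
            asset.reasons.append("live application")
    elif 300 <= asset.status < 400:
        asset.score += 2
        asset.reasons.append("redirect (often SSO in front of internal resources)")
    elif asset.status in (401, 403):
        asset.score += 2
        asset.reasons.append("auth required: something is served here")
    elif asset.status == 404:
        asset.score += 1
        asset.reasons.append("404: check hostname for hints about what is behind it")
    for kw in sorted(title_words & TITLE_KEYWORDS):
        asset.score += 2
        asset.reasons.append(f"title keyword '{kw}'")
    for kw in sorted(host_labels & HOST_KEYWORDS):
        asset.score += 1
        asset.reasons.append(f"hostname label '{kw}'")
    return asset


def prioritize(httpx_output: str) -> list:
    """Parse every line, score it, and return assets ordered high to low."""
    assets = [a for a in map(parse_line, httpx_output.splitlines()) if a]
    for a in assets:
        score_asset(a)
    # sorted() is stable, so assets with equal scores keep their input order.
    return sorted(assets, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in prioritize(SAMPLE_HTTPX_OUTPUT):
        print(f"{a.score:2d} {a.status} {a.url:36s} {'; '.join(a.reasons)}")
```

The keyword sets are the starting point; the video's advice is to grow them from what you find in your own tests.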

Final Thoughts on Recon and Target Prioritization

In the closing remarks, the speaker reinforces the importance of manually prioritizing targets and understanding an organization's infrastructure, rather than relying solely on automated tools. They reflect on how manual processes in the early days helped them gain experience and insight into large infrastructures. The speaker advises hackers to use a mix of tools and manual investigation to thoroughly analyze an organization's assets and maximize their hacking efforts.

Keywords

Recon

Reconnaissance, often shortened to 'Recon', is the act of gathering information about a target before launching an attack. In the context of the video, it is the first step in the hacking process, where the hacker collects data about the target's infrastructure, systems, and potential vulnerabilities. The script mentions that what one should do after Recon depends on their hacking style, indicating that Recon is a foundational step that informs subsequent actions.

Hacking Style

This term refers to the personal approach or methodology a hacker uses when conducting their operations. The video emphasizes the importance of understanding one's own hacking style, as it influences the strategies and techniques employed post-Reconnaissance. The script encourages viewers to reflect on whether they prefer a more automated, tool-driven approach or a manual, in-depth analysis of applications and systems.

Automation

Automation in the context of the video refers to the use of tools and scripts to perform repetitive tasks, such as scanning for vulnerabilities or conducting reconnaissance. The speaker clarifies that while automation can increase efficiency, it should not replace the need for manual analysis and the discovery of vulnerabilities through hands-on methods like fuzzing and manual exploration of web applications.

Fuzzing

Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to a program to see how it handles the input. In the video, fuzzing is mentioned as a manual approach to finding vulnerabilities by testing endpoints with various inputs to uncover potential weaknesses in the system.

Manual Approach

A manual approach in hacking involves the hacker personally interacting with systems and applications to identify vulnerabilities. The video suggests that while automation has its place, manual approaches are crucial for in-depth analysis and discovering complex bugs that automated tools might miss, particularly in applications with logins and varied functionalities.

Nuclei Templates

Nuclei is an open-source project that uses YAML-based templates to automate the process of vulnerability detection. The script mentions that relying solely on default Nuclei templates may not be effective, as they are widely used and may not uncover unique vulnerabilities. Instead, the speaker recommends creating custom templates based on past findings to fingerprint and identify specific vulnerabilities more effectively.

Information Gathering

Information gathering is a critical phase in hacking where the hacker collects as much data as possible about the target to identify potential attack vectors. The video discusses 'light information gathering' as a quick method to understand the target's infrastructure using tools like httpx, which checks response sizes, codes, and titles to prioritize assets for further investigation.

HTTP Status Codes

HTTP status codes are standard responses that indicate whether a specific HTTP request has been successfully completed. In the video, the speaker discusses the significance of various status codes (200, 300, 400, 404) in the context of Reconnaissance. Each code provides clues about the state of the target application or resource, guiding the hacker on whether to proceed with further analysis or attempt to bypass restrictions.

Prioritization

Prioritization in hacking refers to the process of ranking targets or assets based on their potential value or vulnerability. The video script emphasizes the importance of prioritizing targets after Reconnaissance, suggesting methods like filtering for specific HTTP status codes or keywords in titles to focus on the most promising avenues for further exploitation.

Brute Forcing

Brute forcing is a trial-and-error method used to obtain information such as a password by systematically trying every possible combination. The video mentions brute forcing as a technique to attempt unauthorized access to resources, especially when faced with 401 (unauthorized) or 403 (forbidden) HTTP status codes, suggesting that it can be a way to bypass restrictions and access hidden resources.

Highlights

The most common question asked is what to do after Recon in hacking.

The answer to what to do post-Recon depends on the individual's hacking style.

Viewers are encouraged to comment on their style of hacking.

Hacking approaches are influenced by personal preferences and methodologies.

A misconception is that automation can replace manual hacking efforts.

Manual approaches are often more effective for finding vulnerabilities.

Automation is best used for efficient and repetitive tasks.

Two common hacking approaches are discussed: terminal-based and application-based.

Terminal-based hackers focus on tool usage and endpoint discovery.

Application-based hackers delve into application functionalities and interactions.

The speaker personally prefers a mix of both approaches.

Light vulnerability fingerprinting with tools like Nuclei is recommended.

Custom Nuclei templates can help identify specific application vulnerabilities.

Light information gathering with tools like httpx is essential for asset prioritization.

Response codes, titles, and sizes from httpx are valuable for asset analysis.

200 OK response codes indicate a live application that requires further investigation.

300 range responses suggest redirects that might lead to valuable assets.

400 range responses, including 404 errors, can be puzzles that lead to hidden assets.

Prioritizing targets based on response data is crucial for efficient hacking.

The speaker emphasizes the importance of manual analysis for a deeper understanding of infrastructure.

A combination of tools and manual methods is suggested for a comprehensive approach to hacking.

Transcripts

play00:00

believe it or not one of the most common

play00:02

questions that I still get asked to this

play00:04

day is what should I do after Recon

play00:07

honestly the answer to that question

play00:09

fully relies on you and how you're going

play00:12

to react to what I'm going to ask you

play00:14

next what is your style of hacking and

play00:18

it's okay if you don't have an answer to

play00:19

that if you do do me a favor drop me a

play00:22

comment let me know what your style of

play00:23

hacking is if you don't that's okay

play00:26

hopefully I'm gonna help you figure that

play00:28

out can I get an understanding of how

play00:30

you want to proceed with hacking what is

play00:33

your approach and eventually that will

play00:34

help you figure out what to do after

play00:37

you're done with your recon before we

play00:38

jump into that though do me a favor if

play00:40

you haven't already hit that subscribe

play00:42

button subscribe to the channel if you

play00:43

come into homie if you want to support

play00:45

it there's also subscription-based

play00:46

memberships please do that join it it

play00:49

will help me run this Channel and help

play00:51

me make more content all right let's

play00:53

talk about what you should do after

play00:55

Recon before we do it I gotta address a

play00:57

few things first is that a lot of

play00:59

hackers think that Automation and Recon

play01:02

is a replacement for hacking and finding

play01:06

vulnerabilities and honestly that's not

play01:08

the case because a lot of the good

play01:09

research that I have seen have been done

play01:11

through manual approaches by fuzzing

play01:14

things manually going through Burp

play01:15

Suite going through workflows of

play01:16

websites and finding those good ones and

play01:20

that's not to say that you can't do that

play01:21

with an automated approach you can find

play01:23

really cool stuff if you automate that

play01:25

work but again my approach to automation

play01:28

is to be efficient to automate those

play01:30

tasks that are very tedious and I don't

play01:31

want to keep doing over and over and

play01:33

relying on my tools to get those tasks

play01:36

done and earlier in the video I asked

play01:37

you what is your style of hacking and I

play01:39

told you it's okay if you don't know the

play01:40

answer but I'm going to try and kind of

play01:44

help you figure that out well there's

play01:46

two approaches when it comes down to

play01:47

hacking there is the approach of always

play01:50

wanting to be in a terminal those are

play01:51

the people that run a lot of tools that

play01:53

includes fuzzing for endpoints and

play01:55

finding those endpoints and looking for

play01:56

parameters fuzzing through them and

play01:59

looking for endpoints that's a very very

play02:01

boring way of doing it a lot of it could

play02:05

be automated but again I personally

play02:07

think you're going to lose out on a lot

play02:08

of bugs especially with applications

play02:11

that have logins in front of them and

play02:13

then those applications when you log

play02:14

into it has a lot of functionalities

play02:16

like using interaction maybe they have

play02:18

it back in API that you need to

play02:19

authenticate to and so on which brings

play02:22

me to my second approach of wanting to

play02:24

sit down and rip an entire application

play02:27

apart based on your knowledge of the

play02:29

application that comes with browsing the

play02:32

site seeing what functionality it has

play02:34

seeing what the application is supposed

play02:35

to do what it's not supposed to do we're

play02:37

looking at different user rules trying

play02:39

to privesc your account and so on up to

play02:42

now we've just kind of talked about the

play02:43

two different approaches those are the

play02:44

two that I think are very common and to

play02:47

be honest I kind of do both because I

play02:50

like to automate some things and I'll

play02:51

tell you what those mean I like to

play02:54

automate some of the things that I do

play02:55

while in parallel I'm actually looking

play02:58

for applications that are are big in

play03:01

functionality that I could log into I

play03:03

could register test out all the

play03:05

functionalities available to me and then

play03:07

do a little bit of a dive into the

play03:09

JavaScript files and look for different

play03:10

endpoints that may be available to

play03:12

admins other users with different

play03:14

Privileges and so on so those are the

play03:17

two different approaches again I like to

play03:19

do both that's up to you can do one you

play03:21

can do the other drop me a comment let

play03:22

me know which one do you think is for

play03:24

you but again there is no right or wrong

play03:26

answer you can pick either one now that

play03:28

we know what the two approaches are we

play03:31

need to kind of figure out what to do

play03:32

next so here's what I do and this is my

play03:34

recommendation to you as well if I were

play03:36

in your shoes this is how you should

play03:38

approach your targets one do some light

play03:41

nuclei templating don't rely on those

play03:43

default nuclei templates just because

play03:44

if you're running those nuclei

play03:46

templates so is everybody else you're

play03:48

not the only person doing it there are a

play03:50

ton of people running the same templates

play03:52

but instead you should be looking for

play03:54

different vulnerabilities that you have

play03:56

found in the past and ways to

play03:58

fingerprint for them and automate it and

play04:00

it's not just necessarily using nuclei

play04:02

for bugs but you can also use nuclei to

play04:05

create a template that could identify

play04:07

leads we can identify what the

play04:09

application is so for example if you

play04:11

know that jira has a ton of

play04:13

vulnerabilities right an actual

play04:15

fingerprint for jira if there is one

play04:17

already improve it make sure there's no

play04:19

false positives to help you flag certain

play04:21

assets with a certain application like

play04:23

jira Jenkins and so on and that's how

play04:25

you leverage nuclei to find assets that

play04:28

could potentially have vulnerabilities

play04:29

and be an extreme value to you so that's

play04:31

my approach to using nuclei I also go

play04:33

as far as finding an endpoint that I

play04:36

found a different pen test let's say a

play04:38

good example of that would be maybe a

play04:40

Swagger I run a bunch of different

play04:42

fingerprints a bunch of different

play04:44

endpoints for it I look for them across

play04:46

the entire organization or any other

play04:48

organization that I could you know I'm

play04:50

hacking on you can also do that with a

play04:52

lot of different things again just the

play04:53

nuclei thing is a rabbit hole maybe

play04:55

I'll make another video on it let me

play04:56

know if that's what you want in the

play04:57

comments if I get enough requests maybe

play04:59

I'll make a video on how I use nuclei

play05:02

the second thing you want to do is what

play05:04

I call light information gathering this

play05:06

should be done very quickly you can do

play05:08

some port scan with it but you can use a

play05:10

tool like httpx and leverage it to look

play05:12

for information like the response size

play05:14

Response Code and the title those are

play05:17

the three things that I look for that is

play05:20

extremely valuable to me to prioritize

play05:22

my assets and then I'm going to combine

play05:23

the two obviously with prioritization

play05:25

and information gathering because they

play05:26

go hand in hand but you want to find a

play05:28

way to get an overview of an entire

play05:31

organization's infrastructure without

play05:33

looking at them one by one and obviously

play05:35

you can do screenshots too those are a

play05:37

great way to do them I think screenshots

play05:39

may take you longer but again that's

play05:41

completely up to you you can do either

play05:42

one I used to do screenshots I switch

play05:44

over from screenshots to getting actual

play05:46

text because I can grep through it and I

play05:48

can find different assets let's break it

play05:50

down let's understand what this means

play05:51

important one but also confusing one is

play05:53

the 200 okay so this one pretty much

play05:56

tells you hey there is an application

play05:59

here there is something being served

play06:01

here but you just have to figure out

play06:03

what it is and that is why we rely on

play06:05

titles so if something comes like as 200

play06:07

we look at the title and if the title

play06:09

says something like dashboard add

play06:11

register application customer whatever

play06:14

keywords are valuable to you and you

play06:16

pick up some of these keywords the more

play06:17

you hack it becomes easier to identify

play06:19

them when you look at the title you go

play06:21

okay because this word is in there

play06:22

there's probably some sort of a login

play06:24

okay I log in I gotta log out whatever

play06:26

that is and get access to it and

play06:28

obviously there's times when you have a

play06:29

200 there's no title or there's a fake

play06:32

title and a white page you can you know

play06:34

you can look through those and use a

play06:36

response size to make sure you filter

play06:38

through them and then use the approach

play06:40

for the the next things I'm going to

play06:42

talk to you about when this happens so

play06:44

when you see a white page you should do

play06:46

the same thing as the error codes for

play06:49

400s and 300 that we're going to talk

play06:52

about later on so so far we talked about

play06:54

the 200 okay that's probably the most

play06:56

common one this is the one that you

play06:59

should look at if your objective as a

play07:01

hacker after you have done Recon is to

play07:04

look for applications you want to hack

play07:06

on so that means if you don't want to

play07:08

spend your entire time in a terminal

play07:10

this is a good place for you to start

play07:11

forget about the rest focus on these

play07:14

applications go register rip them apart

play07:16

and see if you can't find any

play07:18

vulnerabilities next one is the 300

play07:20

ranges these are your redirects that

play07:23

means that the specific website is

play07:25

redirecting you to another page another

play07:28

website sometimes the most common one

play07:30

that I see is a single sign-on like an

play07:32

Okta, OneLogin which indicates that

play07:35

hey this is supposed to be only

play07:37

accessible with people that are

play07:39

authorized within the organization or

play07:41

their partners and those are very fun

play07:44

because

play07:45

if you find a vulnerability there's

play07:47

probably better data behind this thing

play07:49

and that's why they're getting it of

play07:50

course just because there is a redirect

play07:52

it doesn't mean that you can't access

play07:54

these resources you can do some

play07:56

directory brute forcing again if you

play07:58

love to be in a terminal all day you

play08:00

should eat this up you should enjoy this

play08:01

part but you can Brute Force for it

play08:03

sometimes before they redirect you they

play08:05

send you to an index page you can see

play08:07

the DOM and from that DOM you can pull

play08:08

the JavaScript files and you can look

play08:10

through them and sometimes give you

play08:12

paths and endpoints that they use and

play08:14

you can probably access them without

play08:15

being authorized you kind of you can

play08:17

look for bypasses and that kind of

play08:18

things so again just because there's a

play08:20

300 redirect doesn't mean that you

play08:22

shouldn't try to Brute Force find a way

play08:25

to bypass the login or even better go

play08:28

look how you can register as a partner

play08:30

and get access to these things this is a

play08:33

really good one maybe I'll make a whole

play08:34

video on it again but a lot of times

play08:36

it's companies with their ssos they make

play08:38

a mistake and they don't actually make

play08:41

the permissions right so anybody with

play08:43

any account that has SSO login could

play08:46

access anything across the entire

play08:47

infrastructure so keep that in mind a

play08:49

login page should not be a reason for

play08:51

you to give up and move on to the next

play08:53

Target and then you have your 400 ranges

play08:56

arguably this is probably the most fun

play08:58

you can have with Recon because it

play09:00

becomes like a puzzle you want to kind

play09:03

of understand where to go what is on

play09:05

this application how do I find it it

play09:08

becomes a guessing game because the 400

play09:10

ranges either mean that you don't have

play09:12

access to it you need to be authorized

play09:14

or a 404 nothing is on this page and in

play09:19

most cases that is a lie so the 401 is

play09:22

your unauthorized a lot of times it

play09:24

means you have to have access to it the

play09:26

best way to approach this is finding a

play09:29

way to log in to another application and

play09:31

seeing if the session carries over I've

play09:33

done that a few times sometimes that

play09:35

happens sometimes there's an error that

play09:36

happens they make mistakes so a session

play09:39

from the other app or another API

play09:40

carries over and it gives you access so

play09:43

this is also some of the 300 just

play09:45

because there's an authorization there

play09:46

just because an htpasswd pops up it

play09:49

doesn't mean that you shouldn't brute

play09:51

force for files or find ways to bypass

play09:54

them again and a lot of ways you can

play09:55

also guess for these passwords so if

play09:57

it's an htpasswd try admin admin admin

play10:00

password

play10:01

admin 2023 different variations and see

play10:05

10:07

if it gives you access. Sometimes it does, sometimes it doesn't, but it's always worth a try. Then you have your 403. 403 means "hey, there is something here but I refuse to show it to you," and that should be a challenge for you to find a way to get access and do exactly what it is preventing you from doing: seeing the resources behind that page. Similarly to 401, you can also brute force here, you can try different things. For example, if you're on a Tomcat you can try different slash patterns, you can put a bunch of slashes and see if it bypasses that, you can do a semicolon slash. There's a bunch of different tricks, and there's a bunch of good talks on these. So when you see a 403, in your mind you should automatically go "challenge accepted, you don't want to show me what's on here, I'm gonna figure it out," and the best way to do it is contextualizing your attack or your directory brute forcing. I did a whole video on it, go watch it, but the whole point is: contextualize it, use the right word list, understand what that asset is like, and brute force until you find something.

11:02

And 404 is the last one that I want to cover for this video. This one is very interesting because it means that nothing was found, but yet a lot of times I find things on these websites. Just like throughout the entire video: an error, a 404, 403, 401 or 300, never means a reason for you to give up. But the 404 is a nice approach because a lot of times when I see a 404 page, it's usually a keyword or what's on the subdomain itself that gives away the answer to that. So an example is, if I see API then I'm not going to brute force for JSP files, I'm going to focus on finding API route files and just slowly going after API routes: find maybe a Swagger JSON file, finding a YAML that could give me the specs to this API, and then just taking it from there. And of course, you know, when you see the application I'm in there, it's like xyz-api, the xyz should be in the process of guessing the folder, the app name, the API name while you're doing your testing.

12:05

And the last thing I talked about was prioritizing your targets. I kind of touched on this, but a lot of times you should be able to grep through your entire data set. So you find your assets, you use your subdomain finder, you get a list of assets, you run it through httpx, httpx gives you a list of all the available assets, their title, their response code and response size. Then you should either automate this or manually go through the result and grep for specific things. So grep for all the 200 ones first, and when the 200 comes back, look at the titles, grep for things like dashboard, look for admin, customers, login. Obviously if you have, you know, a website like IBM that has thousands of assets, this is going to take a lot longer. But then after that move on to what comes back as 404, see which ones have the keyword API in them, which ones have the keyword app in them, and that sort of stuff. But I take it a step further and I look for things like dev, internal, corp, or even keywords like CI that indicate tools that are being leveraged in the continuous development and integration. So those are your Jenkins, it could be GitHub, whatever. So look for these applications with the keywords and prioritize them as well. All of these come with years of experience: the more you do this, the more you learn. But it doesn't hurt to approach this entire method manually to get a better understanding of "hey, how do I prioritize assets based on a result of httpx" and not rely just on Nuclei, where I could miss things.

13:36

So I'll wrap it up with just telling you that I did a lot of these in the early days manually because I wanted to understand what a large infrastructure looks like and how do I prioritize my work, what do I pick to hack on, and that sort of stuff. But that is how I approach a large organization. It's depending on using Nuclei; honestly, I don't use a lot of Nuclei, sometimes I do, I like to use it because I have a set of endpoints based on that target that I usually run across the entire infra. Then I use httpx, that's to get some light information gathering, get some response codes, response types, that sort of stuff, and I do that to have an overview of the entire application. And then last but not least, we prioritize our entire asset list and take it from there.

14:16

So that's it, that is how I approach a target. I really hope this helps and I really hope you enjoyed this video. Do me a favor, drop me a comment and tell me what kind of hacker are you: do you want to just spend your time in a terminal, or would you rather just go after an application and break it apart and look for bugs? Alright, see you in the next video.

14:45

Thank you.
