Bug bounties - cén scéal?

Daggercon 20min Presentation
Slide 1. Bug Bounties: Cén scéal?

Slide 2. Who am I?
Ciarán McNally
What do I do?
• Freelance Security Consulting
• Bug Bounties
• Security Research
• Recently signed as a contracted remote Application Security Engineer with
Why Care?
• Top 50 on two of the world's largest Responsible Disclosure Platforms.
ciaran@securit.ie www.securit.ie twitter.com/@ciaranmak

Slide 3. What are Bug Bounties?
• Many organisations offer cash rewards to researchers for responsibly disclosing security issues or vulnerabilities.
• There are well-defined rules of engagement, known as “responsible disclosure policies”, that outline what is acceptable.
• In other words, READ THE SCOPE for each program.

Slide 4. Advantages of Bug Bounties
For security consultants, students, hobbyists or enthusiasts…
• Perfect to pad out your CV with real, demonstrable experience.
• It pays extremely well once your skill starts increasing.
• There is an excellent global community to learn from.
• Learn to distinguish and pursue the bugs that matter first.
• They encourage you to think more like a blackhat, which will make you a better whitehat.

Slide 5. Advantages of Bug Bounties
For organisations…
• You can still choose who, how and where you want the testing performed.
• You only pay for the vulnerabilities found.
• It is more community driven and gives you more of a community presence.
• A larger number of security experts are looking at your applications.
• It’s an additional layer of security! (Who needs that, right?)

Slide 6. Responsible Disclosure Platforms
• Register as a researcher
• Larger-scoped programs mean bugs are easier to find.
• Public disclosure of some issues, which may help others learn.
• “Internet bug bounty”
• Vendor responses differ greatly
• Higher reward ceiling!

• Register as a researcher
• Very researcher focused; encourages skill growth with good feedback.
• Very large variety of programs: web app, mobile & desktop apps, flex (2 weeks – 1 month).
• Excellent private bounty programs.
• Almost 20,000 researchers and an active community.
• Encourages finding critical issues with additional rewards.

Slide 7. Advice for getting started
• The older programs with smaller applications are likely to have fewer obvious issues; focus on the newer or larger programs until you get confident.
• Review the public bugs for the program. Look up blog posts.
• Soon after you start building your score or reputation you will start being invited to private programs. Fewer people with access = more rewards for you.

Slide 8. Penetration Testing Methodology
• Information Gathering, Network Reconnaissance & OSINT
• Probing, Active Scanning, Vulnerability Scanning & Analysis
• Exploitation, Leveraging Vulnerabilities & Verification
• Reporting and Communication of issues

Slide 9. Penetration Testing Methodology (same content as slide 8)

Slide 10. Bug Bounty Information Gathering
Regular Techniques:
• Google Searches
• Subdomain Brute Forcing
• AXFR DNS Transfers
• Scanning IP Range
• Reverse DNS lookups
• Web DNS tools
• whois lookups
Recommended Tools:
• dig
• subbrute
• Recon-ng
• gitrob
Resources:
• scans.io
• dnsdumpster.com

Slide 11. Bug Bounty Information Gathering
• Bug Bounty Programs are often much wider in scope.
• The scope is often defined by something like the following: *.twitter.com, *.yahoo.com …
• Many are “All company owned, branded or acquisition sites”.
• I want to demonstrate alternative approaches I have used to tackle this.

Slide 12. Recon Tips
• Find as many of the organisation-owned services or servers as you can.
• Reconnaissance and information gathering is by far the most important step.
• Companies often use subdomain naming formats. Find them.

Slide 13. Bug Bounty Information Gathering
“Think Bigger” Attacker Techniques:
• Look up Organisation ASNs
• Retrieve ALL their IP ranges.

Slide 14. Bug Bounty Information Gathering
“Think Bigger” Attacker Techniques:
• The couple of hundred target hosts you found before with regular techniques… just became potentially a couple of hundred thousand.

Slide 15. Bug Bounty Information Gathering
Other Techniques:
• scans.io data has scans of the whole internet: http/https, SSL certs and reverse DNS.
• Import them into Elasticsearch with Kibana for information gathering or profiling your target.
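Slides 13 to 15 move from a list of known hosts to "everything in the organisation's announced ranges", and slide 3 insists on reading the scope. The step that joins the two is checking each host pulled from a scans.io-style dataset against the programme's declared scope, both the wildcard hostname pattern and the ASN-derived IP ranges. The script below is an added example, not code from the talk or from the scantastic tool; the scope definition, the JSON records and every hostname and address in it are constructed (example.com/.org and the 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 and 2001:db8::/32 blocks are reserved documentation values).

```python
"""Check scan-derived hosts against a bounty programme's declared scope.

Added example, not part of the slides or of the scantastic tool. It takes
scans.io-style records (one JSON object per line, constructed inline here)
and reports which hosts fall inside scope, either because the hostname
matches a wildcard such as *.example.com or because the IP sits in one of
the organisation's announced ranges. All values are constructed.
"""
import ipaddress
import json

# Constructed scope definition for a hypothetical programme.
SCOPE_DOMAINS = ["*.example.com", "example.org"]
SCOPE_RANGES = ["203.0.113.0/24", "2001:db8::/32"]

# Constructed scans.io-style records: ip, observed hostname, port.
SAMPLE_RECORDS = """\
{"ip": "203.0.113.10", "domain": "www.example.com", "port": 443}
{"ip": "198.51.100.7", "domain": "cdn.example.com", "port": 443}
{"ip": "203.0.113.200", "domain": "mail.partner.test", "port": 25}
{"ip": "198.51.100.9", "domain": "notexample.com", "port": 80}
{"ip": "2001:db8:1::5", "domain": "example.org", "port": 443}
{"ip": "192.0.2.1", "domain": "example.org.evil.test", "port": 80}
"""


def domain_in_scope(domain, patterns):
    """Match a hostname against scope patterns on whole DNS labels.

    '*.example.com' matches the apex and any depth of subdomain; a bare name
    matches only itself. Comparing label lists (not substrings) means
    'notexample.com' does not match '*.example.com' and
    'example.org.evil.test' does not match 'example.org'.
    """
    labels = domain.lower().rstrip(".").split(".")
    for pat in patterns:
        pat_labels = pat.lower().rstrip(".").split(".")
        if pat_labels[0] == "*":
            base = pat_labels[1:]
            # Suffix comparison: a shorter label list can never equal the base.
            if labels[-len(base):] == base:
                return True
        elif labels == pat_labels:
            return True
    return False


def ip_in_scope(ip, networks):
    """True if the address lies in any scope network (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(records_jsonl, scope_domains=SCOPE_DOMAINS, scope_ranges=SCOPE_RANGES):
    """Split records into (in_scope, out_of_scope), tagging what matched."""
    networks = [ipaddress.ip_network(r, strict=False) for r in scope_ranges]
    in_scope, out_of_scope = [], []
    for line in records_jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        matched = []
        if domain_in_scope(rec.get("domain", ""), scope_domains):
            matched.append("domain")
        if ip_in_scope(rec["ip"], networks):
            matched.append("ip-range")
        rec["matched_on"] = matched
        (in_scope if matched else out_of_scope).append(rec)
    return in_scope, out_of_scope


if __name__ == "__main__":
    ok, skipped = classify(SAMPLE_RECORDS)
    for rec in ok:
        print(f"IN  {rec['ip']:>16} {rec['domain']:<24} via {','.join(rec['matched_on'])}")
    for rec in skipped:
        print(f"OUT {rec['ip']:>16} {rec['domain']}")
```

Two of the constructed records are there to show the edge cases that matter before anything is reported: `notexample.com` shares a substring with the wildcard but is not a subdomain, and `mail.partner.test` is in scope only by IP range, so a range-based scope can sweep in hosts whose names point elsewhere. Tagging each record with what it matched on keeps that distinction visible in the results, which is also what a triager will ask about.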
Slide 16. Bug Bounty Vulnerability Scanning
Regular Techniques:
• Scanning Tools
• Custom Scripts
Recommended Tools:
• Nmap, Masscan, Zmap…
• Nessus, OpenVAS…
• Burp, Arachni, Appscan…
• Curl
• Dirs3arch & Dirb
• SQLmap
• THC-hydra
• Metasploit

Slide 17. Bug Bounty Vulnerability Scanning
• 99.99% of bounty programs disallow heavy scanning. Learn how to effectively throttle your tools if you do opt for mass scanning.
• Organisations running bounties are well capable of running their own scanners. DO NOT report “low” or “potential” rated scanner vulnerabilities.
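Slide 17 says to learn how to throttle your tools; the usual mistake with threaded scanners is to rate-limit each worker, so the aggregate rate still scales with the thread count. The following is an added example, not code from the talk or from the scantastic tool: a token bucket shared by all workers, so the cap applies to the total request rate. The clock and sleep functions are injectable so the pacing can be checked without real waiting; the `hostN.example.test` targets are constructed and the "probe" only echoes its input, so nothing is contacted.

```python
"""Pace probes with a token bucket shared across worker threads.

Added example, not code from the slides or from the scantastic tool. The
bucket is shared by all workers, so `rate` bounds the aggregate request rate
rather than the per-thread rate. Clock and sleep are injectable for testing.
"""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self._clock = clock
        self._sleep = sleep
        self._updated = clock()
        self._lock = threading.Lock()

    def _refill(self):
        now = self._clock()
        self.tokens = min(self.capacity, self.tokens + (now - self._updated) * self.rate)
        self._updated = now

    def acquire(self):
        """Take one token, sleeping if none is available. Returns seconds waited."""
        with self._lock:
            self._refill()
            # Letting the count go negative records a reservation, so concurrent
            # callers queue behind this one instead of all computing the same wait.
            self.tokens -= 1.0
            wait = 0.0 if self.tokens >= 0 else -self.tokens / self.rate
        if wait:
            self._sleep(wait)  # sleep outside the lock so others can reserve
        return wait


def throttled_run(targets, probe, bucket, workers=4):
    """Run probe(target) over all targets without exceeding the bucket's rate."""

    def paced(target):
        bucket.acquire()
        return probe(target)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(paced, targets))


class FakeClock:
    """Deterministic clock: time advances only when sleep() is called."""

    def __init__(self):
        self.now = 0.0
        self._lock = threading.Lock()

    def time(self):
        return self.now

    def sleep(self, seconds):
        with self._lock:
            self.now += seconds


def pacing_demo():
    """Sequential walk through a 5 req/s, burst-2 bucket; returns the waits."""
    clock = FakeClock()
    bucket = TokenBucket(rate=5, burst=2, clock=clock.time, sleep=clock.sleep)
    return [bucket.acquire() for _ in range(4)]  # two free, then 0.2 s each


def timed_run(n_targets, rate, burst, workers=4):
    """Echo-probe constructed hostnames with real sleeping; return (results, elapsed)."""
    hosts = [f"host{i}.example.test" for i in range(n_targets)]  # constructed
    bucket = TokenBucket(rate=rate, burst=burst)
    start = time.monotonic()
    results = throttled_run(hosts, lambda h: h.upper(), bucket, workers)
    return results, time.monotonic() - start


if __name__ == "__main__":
    print("waits with fake clock:", pacing_demo())
    results, elapsed = timed_run(10, rate=50, burst=5)
    print(f"{len(results)} probes in {elapsed:.2f}s (floor is (10-5)/50 = 0.10s)")
```

Because refills depend only on wall time, ten requests through a 50 req/s bucket with a burst of five cannot finish in less than 0.1 s no matter how many workers are used; raising the thread count only changes how many probes are in flight, not how fast they are issued. The burst parameter is what a programme's "no heavy scanning" rule is really about, so keep it small.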
Slide 18. Bug Bounty Vulnerability Scanning
“Think Bigger” Attacker Techniques
• I developed my own threaded scanning tool dubbed “scantastic” in February.
• https://github.com/maK-/scantastic-tool
• It dumps masscan network scans and directory brute-forcing scans into Elasticsearch.
• Ideas contributed by @nnwakelam

Slide 19. Bug Bounty Vulnerability Scanning
• This is a very powerful technique.
• Once a vulnerability is identified, it can now be scanned for across all services.
• You can also scan for common known vulnerable files and filter the results.

Slide 20. Bug Bounty Penetration Testing
• I combined this scanning technique with a regular penetration testing methodology against Adobe’s Responsible Disclosure Program in recent months.
• Within 24 hours of testing I managed to report 66 vulnerabilities. I am currently #1 on the Adobe program as a result.

Slide 21. Bug Bounty Penetration Testing

Slide 22. Password of “000000”. Out of Scope!

Slide 23. Bug Bounty Penetration Testing
More Tips:
• You only get rewarded if you are first to find and report an issue. So report first, then update later if you escalate the vulnerability further.
• Expect duplicates.
• Always go as far as you can with what you find. The reward could double.
• Keep an eye on #bugbounty, #infosec or #bugcrowd regularly on Twitter; there is a large community always posting there, with plenty of excellent tips and blog posts.

Slide 24. Thank you!
ciaran@securit.ie Twitter.com/@ciaranmak