This document discusses Information Of Everything (IoE) and the importance of information for success as a bug hunter and penetration tester. It provides tips on bug bounty hunting and penetration testing, noting they involve a time constraint. It introduces the Sudomy tool for automated reconnaissance and subdomain enumeration. Sudomy utilizes both active and passive techniques to efficiently gather subdomain information, resolve IPs, check for duplicates, scan ports, and more. Comparisons are made to other enumeration tools and the benefits of Sudomy's customized workflow are discussed.
4. You Are Not Alone
You are not the only one who became a bug hunter, so you must work harder and smarter than the others.
5. Reconnaissance [ rəˈkänəsəns ]
"Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting." (MITRE ATT&CK, TA0043)
6. RECONNAISSANCE METHOD
Active Reconnaissance: data collection by interacting directly with the target/victim.
Passive Reconnaissance: the opposite of active reconnaissance, meaning we do not interact directly with the target/victim.
7. RECON FACT [fækt]
1. RECON != SECURITY ISSUE. But doing recon increases the chances of finding a vulnerability/security issue.
2. RECON != MANUAL APPROACH. The best way to perform recon is a hybrid approach that combines manual and automated processes.
3. RECON != TIME CONSUMING. If we perform recon with the right workflow, we can save a lot of time.
8. PROBLEM & QUESTION
METHODOLOGY/WORKFLOW: Should we use a methodology or workflow that already exists on the internet?
BOUNTY TIPS ONE-LINER: Is it enough to just copy and paste one-liner commands obtained from bug bounty tips on Twitter?
RESOURCES ARE EVERYTHING?: Should we use as many resources as possible and combine every recon engine/tool on the internet?
Are You Solving the Right Problem?
9. NOT ALWAYS ABOUT RESOURCES, IT'S ABOUT RESOURCEFULNESS
re·source·ful·ness: the ability to find quick and clever ways to overcome difficulties.
10. MAKE YOUR OWN TOOLS AND RECON WORKFLOW
The best way to make the recon process more optimal is to create your own recon workflow and automation tool, making the best use of the available resources.
11. TOOLS & RECON WORKFLOW
Here we will share our recon workflow, tools, point of view and some ideas. Maybe this will help you increase your effectiveness when doing pentests and bug hunting.
12. SUDOMY v1.2 - Subdomain Enumeration & Analysis
Sudomy is a subdomain enumeration tool that collects subdomains and analyzes domains by performing automated reconnaissance. This tool can also be used for OSINT (Open-source intelligence) activities.
13. Information Systems Security Assessment Framework
Sudomy was built to complement the tools needed by the bug hunter and pentester, following the rules of the Information Systems Security Assessment Framework (ISSAF) by applying two techniques: active and passive.
14. WHY YOU BUILD THIS (?)
We Care About Open Source: I still care about open source and I want to share it with you, so we can collaborate.
We Care About Community: Making processes more effective and efficient is essential.
We Care About Doing What's Right: Simplify the activities of gathering information and complete the tools needed by the pentester/bug hunter.
16. How is this different from Sublist3r & Subfinder?
Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT (Open-source intelligence).
Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
17. SUDOMY: Minimize Resources When Using Third-Party Sites
By evaluating and selecting good third-party sites/resources, the enumeration process can be optimized.
18. RESOURCES COMPARISON
Sudomy does not use third-party resources such as Google, Baidu, Ask, Yahoo and Bing, because the results obtained from these resources are not optimal, and there are other factors such as being hampered by captchas.
[Bar chart: subdomains returned per resource. Yahoo, Google, Bing, Baidu and Ask return between 0 and 8 each; SecurityTrails returns 35.]
20. RESOURCES COMPARISON

Tool        Total Resources   Threads/Multiprocess          Real Time    Results
Sudomy      22 engines        Multiprocessing               0m7.724s     662 subdomains
Subfinder   35 engines        Concurrency (Threads 200)     0m7.844s     615 subdomains
Sublist3r   11 engines        Multithreads (Threads 200)    0m12.434s    94 subdomains

Requirements
1- Target
   Name: Ubuntu
   Version: 16.04.7 LTS (Xenial Xerus)
   Model name: Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz
   Architecture: x86_64
   CPU op-mode(s): 32-bit, 64-bit
   CPU & Core(s): 8
2- Connection Speed
   Server: AWS EC2
   Download: 945.02 Mbit/s
   Upload: 914.69 Mbit/s
3- Materials
   Domain: Tiket.com
24. BUT GO IS POWERFUL & FASTER
Exactly, I agree with you. Using the Go programming language is quite effective for doing a lot of work simultaneously, or as we say, with concurrency. For example, subfinder is still classified as very fast at collecting subdomains while utilizing quite a lot of resources. Especially if the resources used have been optimized (?)
25. FREE TIME
Maybe in the future Sudomy will use Golang, when I have free time. If you want to contribute, it is open to pull requests.
26. BAD IMPLEMENTATION
This tool uses a lot of subdomain enumeration tools like Sublist3r, enumall, knock, subbrute, massdns, recon-ng, amass and subfinder. For information, the Shodan resource is used by subfinder, amass and recon-ng, so this tool will collect subdomains from the Shodan service three times, with identical results.
27. KEY
Information is your key to success when you become a bug hunter and penetration tester.
But have you heard of reNgine (?)
reNgine is an automated reconnaissance framework meant for information gathering during penetration testing of web applications.
28. reNgine Capabilities: Workflow automated port scan
Subdomain Enumeration: collect subdomains from tools such as subfinder, sublist3r, recon-ng and more
Resolver IP: resolve the collected subdomains to IP addresses
Duplicates: sort and remove duplicate IPs
Port Scanning: perform active scanning using naabu
29. SUDOMY: Sudomy performs active & passive port scans
Active: port scanning with top-ports using nmap from the domain list
Passive: collecting/scraping open ports from a 3rd party (Default::Shodan). For right now just using Shodan [Future::Censys, Zoomeye]
30. Sudomy Capabilities: Workflow automated port scan
Subdomain Enumeration: collect subdomains from tools such as subfinder, sublist3r, recon-ng and more
Resolver IP: resolve the collected subdomains to IP addresses
Duplicates: sort and remove duplicate IPs
Cloudflare: check whether an IP is owned by Cloudflare
Port Scanning: perform active scanning using naabu
31. reNgine Capabilities: Workflow automated collecting hidden endpoints/URLs
Subdomain Enumeration Tools (Subfinder, Amass) -> RAW DATA -> EXTRACT & COLLECT SUBDOMAINS
  Using resources: Commoncrawl, waybackurl, urlscanio, alienvault
Tools to Fetch Hidden Endpoints/URLs (Gau, Hakrawler) -> RAW DATA -> EXTRACT & COLLECT ENDPOINTS/URLs
  Using resources: Commoncrawl, waybackurl, urlscanio, alienvault
32. Sudomy Capabilities: Workflow automated collecting hidden endpoints/URLs
Sudomy, using the resources Commoncrawl, waybackurl, urlscanio and alienvault -> RAW DATA, and the same raw data is used to EXTRACT & COLLECT SUBDOMAINS and to EXTRACT & COLLECT ENDPOINTS/URLs
33. COMMERCIAL VS NON-COMMERCIAL: IS THIS THE SAME AS FINDOMAIN?
Sudomy (Free, - $ / lifetime):
  Validation Subdomain
  HTTP Check [ status code, title, content ]
  Subdomain Screenshots
  Detection Virtualhost
  Identify technologies
  Webhook alerts
Findomain (Premium/VIP, 59$ / Mo):
  Validation Subdomain
  HTTP Check [ status code, title, content ]
  Subdomain Screenshots
  Detection Virtualhost
  Identify technologies
  Webhook alerts
Findomain is a complete reconnaissance solution for enterprises and cybersecurity specialists that uses cutting edge technology, able to send alerts about new subdomains, their HTTP status, HTTP content size, HTTP content type & more.
Sudomy is a subdomain enumeration tool to collect subdomains and analyze domains by performing automated reconnaissance. This tool can also be used for OSINT (Open-source intelligence) activities.
34. More Sudomy Features
Detection HTTP Information: detection of URLs, ports, title, content-length, status code and response-body probing.
Subdomain Validation: test the list of collected subdomains and probe for working http or https servers. This feature uses a third-party tool, httprobe.
35. Testing Subdomain TakeOver: check whether a subdomain is vulnerable to subdomain takeover.
The Ability To Detect Virtualhost: Sudomy will resolve the collected subdomains to IP addresses, then classify them if several subdomains resolve to a single IP address.
Performed active and passive port scanning:
  Active: port scanning with top-ports using nmap from the domain list
  Passive: collecting/scraping open ports from a 3rd party (default using Shodan)
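The virtualhost classification described here and the Cloudflare ownership check from slide 30, as an added Python example (Sudomy itself is a Bash tool; this is not its code). It assumes a constructed set of DNS answers in place of a live resolver and a hand-picked subset of Cloudflare's published IPv4 ranges.

```python
"""Virtualhost grouping (slide 35, -rS) and Cloudflare ownership check (slide 30, -cF)."""
import ipaddress
from collections import defaultdict

# Constructed DNS answers standing in for a live resolver (example.com is a reserved name).
RESOLVED = {
    "www.example.com":   "104.18.10.5",   # inside a Cloudflare range: CDN edge, origin hidden
    "blog.example.com":  "104.18.10.5",
    "api.example.com":   "203.0.113.10",  # TEST-NET-3 address shared by two names
    "admin.example.com": "203.0.113.10",
    "mail.example.com":  "203.0.113.25",
    "old.example.com":   None,            # no answer / NXDOMAIN
}

# Assumed subset of Cloudflare's published IPv4 ranges; refresh from https://www.cloudflare.com/ips-v4
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in
                 ("103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")]

def is_cloudflare(ip):
    """True if the address falls in one of the known Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def group_by_ip(resolved):
    """Map each IP to the sorted subdomains resolving to it; unresolved names are dropped."""
    groups = defaultdict(list)
    for name, ip in resolved.items():
        if ip:
            groups[ip].append(name)
    return {ip: sorted(names) for ip, names in groups.items()}

def virtualhosts(resolved):
    """An IP serving more than one subdomain is a virtualhost candidate."""
    return {ip: names for ip, names in group_by_ip(resolved).items() if len(names) > 1}

def classify(resolved):
    """Per IP: its subdomains, whether it is Cloudflare-fronted, whether it hosts vhosts.
    A Cloudflare IP is the CDN edge, so an active port scan of it would not reach the origin."""
    return {ip: {"subdomains": names, "cloudflare": is_cloudflare(ip), "vhost": len(names) > 1}
            for ip, names in group_by_ip(resolved).items()}

if __name__ == "__main__":
    for ip, info in classify(RESOLVED).items():
        flag = "CF" if info["cloudflare"] else "  "
        print(f"{flag} {ip:<15} vhost={info['vhost']!s:<5} {', '.join(info['subdomains'])}")
```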
36. Website Screenshot: take screenshots of subdomains, by default using gowitness, or you can choose another screenshot tool like webscreenshot.
Identify technologies on website: identify technologies on websites from the subdomain list, obtaining information such as category, application and version.
Collecting Juicy URL/Endpoint/Path: collect juicy URLs, parameters and interesting paths (api|.git|admin|etc), documents (doc|pdf), JavaScript (js|node) and more.
37. Making Report: generate and make report output in HTML & CSV format.
Webhook Alert: send notifications to a Slack channel.
Generate Wordlist: generate a wordlist based on the collected URL resources (wayback, urlscan, commoncrawl). To make it, we extract all the parameters and paths from our domain recon.
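The single-pass extraction of slide 32 and the wordlist generation described here, as an added Python example (not Sudomy's own Bash code): from one set of raw archive URLs it pulls in-scope subdomains, deduplicated endpoints, the juicy paths of slide 36, and parameter/path words for a wordlist. The target domain and the URL lines are constructed sample data.

```python
"""One fetch of raw archive URLs, several extractions: subdomains, endpoints, juicy paths, wordlist."""
import re
from urllib.parse import urlsplit, parse_qsl

TARGET = "example.com"  # assumed scope for this constructed example

# Constructed sample lines in the shape of wayback/commoncrawl/urlscan output (not real data).
RAW_URLS = """\
https://www.example.com/login?user=admin&next=/dashboard
https://api.example.com/v1/users?id=42&token=abc
http://dev.example.com/.git/config
https://static.example.com/js/app.min.js
https://www.example.com/docs/report.pdf
https://www.example.com/login?user=guest
https://admin.example.com/admin/
https://notexample.com/api/out-of-scope
""".splitlines()

# The slide-36 "juicy" categories: interesting paths, documents, javascript.
JUICY = {
    "interesting": re.compile(r"/(api|\.git|admin)(/|$)", re.I),
    "document":    re.compile(r"\.(doc|docx|pdf)$", re.I),
    "javascript":  re.compile(r"\.(js|node)$", re.I),
}

def in_scope(host, target=TARGET):
    # Apex or a true subdomain only; "notexample.com" must not pass.
    return host == target or host.endswith("." + target)

def extract(raw_urls, target=TARGET):
    subs, endpoints, words = set(), set(), set()
    juicy = {kind: set() for kind in JUICY}
    for line in raw_urls:
        parts = urlsplit(line.strip())
        host = (parts.hostname or "").lower()
        if not in_scope(host, target):
            continue
        subs.add(host)
        endpoints.add(f"{parts.scheme}://{host}{parts.path}")  # query dropped: one entry per endpoint
        for kind, pattern in JUICY.items():
            if pattern.search(parts.path):
                juicy[kind].add(parts.path)
        # Wordlist material: every path segment and every query parameter name.
        words.update(seg for seg in parts.path.split("/") if seg)
        words.update(name for name, _ in parse_qsl(parts.query, keep_blank_values=True))
    return sorted(subs), sorted(endpoints), {k: sorted(v) for k, v in juicy.items()}, sorted(words)

if __name__ == "__main__":
    subs, endpoints, juicy, words = extract(RAW_URLS)
    print(f"{len(subs)} subdomains, {len(endpoints)} endpoints, {len(words)} wordlist entries")
```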
38. Installation
Sudomy is currently extended with the following tools. Instructions on how to install and use the application are linked below.
1- Download Sudomy
   git clone --recursive https://github.com/screetsec/Sudomy.git
2- Dependencies
   pip install -r requirements.txt
3- Package
   • apt-get update
   • apt-get install jq nmap phantomjs npm chromium parallel
   • npm i -g wappalyzer wscat
4- Post Installation
   An API key is needed before querying some third-party sites. The API key setting can be done in the sudomy.api file.
39. Sudomy: Usage
USE ALL RESOURCES/ENGINES
To use all 22 sources and probe for working http or https servers:
   root@kali:~# sudomy -d tiket.com
To use one or more sources:
   root@kali:~# sudomy -d tiket.com -s spyse,securitytrails
40. Sudomy: Usage
TO USE ONE OR MORE PLUGINS
To use all plugins: testing host status, http/https status code, subdomain takeover and screenshots. Nmap, Gobuster, wappalyzer and wscat are not included.
   root@kali:~# sudomy -d tiket.com -pS -sC -sS
EXAMPLE
Plugin resolving IP & virtualhost
Plugin check HTTP status code
42. HTML Report Sample
The Sudomy application has been equipped with a reporting system with HTML and CSV output formats that makes it easy for cyber security researchers and/or analysts.
To create a report in HTML format:
   • sudomy --all -d hackerone.com --html
43. SUDOMY
Run the best arguments to collect subdomains and analyze them by doing automatic recon:
   sudomy -d tiket.com -dP -eP -rS -cF -pS -tO -gW --httpx --dnsprobe -aI webanalyze --slack -sS
45. So What's The Point (?)
You don't have to write things from scratch every time.
Optimize what you have, whether you're making something new or just thinking about how to do something better.
46. Thank You
Thank you to idsecconf and darknetdiaries for the awesome pics/art, and to you for your attention.
redteamlab.id | screetsec | screetsec | edomaland | screetsec@gmail.com