Nahamsec interviews Todayisnew

Bug Bounty notes: distributed automation meets zen

Tags that this post has been filed under.

Table of contents

note that during these interviews I also moderate so quality may vary.

Profile 🐝

  • Eric
  • Highschool, great teachers
    • Got into coding
  • No college
  • No certificates or training
  • 42 years old
  • Inspiration/mentor Frans Rosen

Bug bounty 🐝

  • Started in 2015, just left a start up
  • Wanted to work from home
  • Didn’t have any money, was in cc debt
  • First bounty on Google
  • Found out about HackerOne
  • Doesn’t portscan currently
  • Hobbies
    • Halloween clown

Learning 🐝

  • Google
  • 14 hour days
  • Needed money
  • HackerOne hacktivity
  • Subreddit
  • Twitter
  • Subdomain takeover
    • Frans Rosen
    • Cloudfront run in loop
    • The more you can find the better

Automation 🐝

  • $5000 CAD p/m
  • 11.000 Programs
  • Automated his life same way as bug bounties, when to shower, eat lunch etc.
  • Anything he does a couple of times he automates
    • e.g. Report template submission
  • No structure, does what works
  • Stack
    • Golang (last 3 months)
    • Python
    • VB6
    • PHP
    • Bash
    • Dropbox
  • Runs servers at home
  • Subdomain enumeration P2-ish
  • Subdomain takeover
  • All programs, doesn’t discriminate
  • Information Disclosure
    • Google Calendars
  • Apache server status
  • Own unique bugs P1-P2’s

Wordlist 🐝

  • Waybackmachine
  • Pull every path and run against every domain
    • subdomain
    • path
  • Spray-and-pray
    • Once found something good add to wordlist
  • Random mutations
    • merge them together
    • combine with common words
  • 2 million line dictionary

Recon 🐝

  • Subdomain enumeration, more endpoints -> more bugs
  • Spider, waybackmachine
  • Reading reports and Twitter

Tools 🐝

  • ffuf
  • amass + frontend + backend
  • distributed tool
  • favorite tool: waybackmachine

Collaboration 🐝

  • Hogart Jesse
  • Neema
  • DC?
  • Douglas Day

Tips 🐝

  • You can be just as productive by working less
  • Take breaks!
  • Imposter Syndrom:
    • Everyone has amazing skills in their own way
  • Break everything down to smaller components so that it’s managable

Routine 🐝

Every x weeks/month does a week of silence

  • Computer/phone provides reminders
    • Wake up
    • Heartrate
    • Shower
    • Breakfast
    • Go for a walk
    • Meditate
    • Take breaks
Share

What's buzzing?

If you have a question, a comment, or if you just want to say hi, feel free to reach out on Twitter.