I wrote a script in Go, which queries Shodan database based on given list of organizations. Next, I retrieve all bug bounty participants from Bugcrowd website and connected this two things. More details below.
INTRODUCTION
Everything was started when I wanted to learn new programming language and make project related with security somehow. I decided on Go (Golang) and Shodan. I thought to myself, why scan one organization with multiple tools? I can scan multiple organization with one tool (As security researcher, I do not have potential target to test).
Let’s start from the beginning, for those, who doesn’t know what Shodan is: (from their main page)
Besides webcams, refrigerators, SCADA systems, MMQT, external disks, Shodan can help with subdomain enumeration and it’s very helpful in reconnaissance. “The scariest search engine on the Internet” can operate on filters like: “port”, “city”, “hostname” or “org” for organization. I think you know where does it go.
Couple words about script.
That was my first contact with Golang ever. I quickly have got acquainted with this language (A Tour of Go was very helpful) and just start writing. It wasn’t easy at the beginning but StackOverflow did his job. I realize, this is not a masterpiece but I’m proud that it work at all.
Script gets file including organization names separated by newline and next makes query to Shodan’s database.
Example usage:
./shodan hosts.txt
Content of hosts.txt
Sony
Dropbox
Counter of found results is broken, so do not count on him ;). Additionally, we are not interested in smb, smtp or dns services, so I added most used HTTP ports to request. Final query can look like this:
org:’Sony’ port:’80, 81, 443, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888'.
Sony is not accurate request at all. This includes:
Sony Network Communications
Sony Computer Entertainment America LLC
Sony Network Taiwan Limited
Sony Communication Network Corporation
Sony Pictures Entertainment
Sony Media Software and Services
so script will ask you, which exactly company do you want to scan. It’s extremely important that you shouldn’t test any domains, which are out of scope or do not participate in bug bounty program.
Excellent example is below screenshot:
As output, script makes directory with same name as scanned organization and HTTP responses are saved into file named with corresponding IP. I added also port number and hostname (if exists).
Example output can look like below:
What is this for?
This is of course for finding vulnerabilities, which often exists in old, forgotten or not updated subdomains. Shodan can find interesting, from security point of view, web applications and it may leads to information disclosure or other more or less dangerous vulnerabilities. To proof my words, I obtained all organizations from official Bug Bounty list (https://bugcrowd.com/list-of-bug-bounty-programs) with help of goquery (below function) and next of course I passed it to my script.
func bugcrowd()[]string{
doc, err := goquery.NewDocument("https://www.bugcrowd.com/bug-bounty-list/")
if err != nil { // if cant connect
log.Fatal(err)
}
s := make([]string, 455 ) //slice of strings
doc.Find("td a").Each(func(index int, item *goquery.Selection) { //for every organization in "td a" (table)
linkTag := item.Text() // get text
s[index] = linkTag //put in to map }) return s // return slice of organizations
}
I had to be cautious and paid attention to scope of the programs. When only one domain is in scope, there is no need for scanning and we need to go to the next one.
Only organizations, which allow to test all of their infrastructure or have *.domain in scope are our potential target
What can be found?
After scanning all of the companies and digging a while, I found local file inclusion vulnerability on of the scanned websites. It did not even take too long. I reported it and possible will update this article with more info when it will be fixed.
Additionally is great source of information, from link to link, I stumbled upon path disclosures, internal addresses and hostnames and a lot more. Also some of the websites look like from 10 years ago, so it’s good start to look closer and try known tricks.
There are also plenty of 403, 404 or 401 errors but it’s not a problem to remove them in bash.
find -exec grep -l ‘404’ {} \;| xargs rm
Conclusion
This script was written as a tool to find vulnerabilities in Bug Bounty companies. I remember one guy who found open redirect vulnerability in Apache, scanned all in-scope domains of organizations in Bug Bounty and reported them all. My approach is “quantity over quality” (in this case ofc) and you need to dig a little to find something interesting, but it’s good place to start. I have not looked through all files yet but I feel that previously mentioned Local File Inclusion won’t be the only one.
You can find full script here
Originally published on 20th of August, 2017
Wojciech