Bug bounty programs are becoming increasingly popular among security researchers and ethical hackers who are interested in identifying vulnerabilities in a company’s systems and applications. These programs provide an opportunity to earn rewards for identifying security flaws, but the process can be time-consuming and require a significant amount of effort. In this blog post, we will discuss how you can leverage OSINT tools such as Google Dorking, Censys, and Shodan to conduct 10-minute bug bounties.
Introduction
OSINT stands for Open Source Intelligence, which is the collection, analysis, and dissemination of information from publicly available sources. These sources include traditional media, social media, internet sites, government records, and other publicly available information.
OSINT has become increasingly important in recent years as the amount of information available on the internet has exploded, and the number of threats facing individuals and organizations has increased. OSINT techniques can be used to support a wide range of activities, including intelligence gathering, law enforcement, cybersecurity, and business intelligence.
OSINT is often used in conjunction with other sources of intelligence to provide a more complete picture of a particular situation. For example, law enforcement agencies may use OSINT to identify potential threats or suspects, and then use other sources of intelligence, such as human intelligence (HUMINT), signals intelligence (SIGINT), or geospatial intelligence (GEOINT), to gather additional information.
OSINT is also becoming increasingly important in the business world, where it can be used to gather competitive intelligence, monitor brand reputation, and identify potential threats. Companies can use OSINT to gather information about their competitors, such as new products or services, marketing campaigns, or pricing strategies.
Overall, OSINT is a powerful tool that can be used to gather information from publicly available sources and provide valuable insights for a wide range of activities.
Disclaimer: any information learned in this article or posted is to be used strictly for legal, ‘white-hat’ hacking uses only. I am not responsible for any malicious action taken by readers of this post.
1. Google Dorking
Google Dorking is a technique used to search for sensitive information that is not intended to be publicly available. It involves using advanced search operators to narrow down search results and find information that is not easily accessible through regular searches. For bug bounty hunters, Google Dorking can be a valuable tool for finding vulnerabilities in a company’s systems.
One common technique used by bug bounty hunters is to search for files containing sensitive information, such as configuration files or database backups. By searching for specific file types (e.g., .conf, .bak), they can often find files that have been accidentally left exposed on the internet. This information can be used to gain unauthorized access to a company’s systems or extract sensitive data.
Another technique uses the “site:” operator to scope every search to the target’s domain, which quickly enumerates the indexed hosts and pages that fall inside a program’s scope. Google itself does not index open ports, so port and service information is the job of Censys and Shodan below; what “site:” gives you is the list of web-facing hosts to point those tools at.
Probably the oldest method on this list, but it still works like a charm if you’re in a pinch. A few great dorks to try and find admin login pages include the following:
site:target.com inurl:admin
intitle:login site:website.com
intitle:/admin site:website.com
inurl:admin
intitle:admin intext:admin
Feel free to swap ‘admin’ with any of the following for best results:
administrator | debug | login | root | wp-login | master | superuser
These dorks are just generally good to know, but they don’t provide the most functionality with the sites we’re trying to pen-test. This next method takes it a step further.
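The dorks above are a handful of fixed strings; in practice you want every combination of in-scope domain, operator template and keyword, scoped with site: so you never wander outside the program. The following generator is an example added here, not code from the original post: the domain, keyword list and templates are taken from the text, and the Google URL format is assumed to be the plain q= query string.

```python
from itertools import product
from urllib.parse import quote_plus

# Keyword list from the post; 'admin' is swapped for each of these.
KEYWORDS = ["admin", "administrator", "debug", "login", "root",
            "wp-login", "master", "superuser"]

# Operator templates from the post; {kw} is replaced with each keyword.
TEMPLATES = [
    "inurl:{kw}",
    "intitle:{kw}",
    "intitle:{kw} intext:{kw}",
    "inurl:{kw} intitle:login",
]


def build_dorks(domains, keywords=KEYWORDS, templates=TEMPLATES):
    """Return every site:-scoped dork for the in-scope domains, de-duplicated
    and in a stable order so the list can be diffed between runs.

    The site: prefix is the scope guard: every query it emits is limited to a
    domain you were given permission to test."""
    seen = set()
    dorks = []
    for domain, template, kw in product(domains, templates, keywords):
        dork = f"site:{domain} {template.format(kw=kw)}"
        if dork not in seen:
            seen.add(dork)
            dorks.append(dork)
    return dorks


def google_url(dork):
    """Encode a dork as a Google search URL so it can be opened directly
    (assumed URL format: https://www.google.com/search?q=<encoded query>)."""
    return "https://www.google.com/search?q=" + quote_plus(dork)


if __name__ == "__main__":
    # target.com is the placeholder domain used in the post.
    for d in build_dorks(["target.com"]):
        print(d, "->", google_url(d))
```

Run it against the real scope list of the program you are working on; with one domain, four templates and eight keywords it emits 32 queries, which is about the number you can work through by hand in the ten minutes the post promises.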
2. Censys
Censys is a search engine that specializes in indexing information about devices and networks on the internet. It can be used to identify vulnerabilities in a company’s systems by searching for open ports, SSL/TLS certificates, and other information.
One common technique used by bug bounty hunters is to search for SSL/TLS certificates that are about to expire or have already expired. Reporting these lets the company renew before an expired certificate starts throwing browser warnings and training users to click through them. Treat it as a low-severity finding, though: many programs list certificate hygiene as informational or out of scope, so check the program rules before spending your ten minutes on it.
Another technique involves searching for open ports on a company’s network. By using Censys, a bug bounty hunter can quickly identify all devices that have open ports and potentially identify vulnerabilities that can be exploited.
Here are a few examples of how Censys can be used. They are written with Censys’ older field names (the 443.https.* and parsed.* prefixes of the legacy IPv4 and certificate indexes); the current Censys Search hosts index uses services.* paths instead, so check each field against the schema of the index you are querying before relying on a query.
- Search for all HTTPS servers running on a particular domain:
https.tls.version: "TLS 1.2" and parsed.names: "example.com"
This query searches for all HTTPS servers on the domain “example.com” that negotiated TLS 1.2. The parsed.names field matches the domain name in the certificate’s subject or Subject Alternative Name fields.
- Search for servers with expired TLS certificates:
443.https.tls.certificate.parsed.extensions.x509v3_basic_constraints.is_ca: false and 443.https.tls.certificate.parsed.validity.end: [* TO 2024-01-01]

This query searches for all HTTPS servers presenting non-CA (leaf) certificates whose validity end date is before the upper bound of the range; substitute the current date for 2024-01-01 to get certificates that have already expired. An open-ended range such as {0 TO *} matches every end date, expired or not, so the upper bound is what makes this an expiry query. The 443 prefix limits the search to port 443, the standard port for HTTPS.
- Search for all MongoDB servers on the internet:
protocols: "mongodb" and location.country_code: US
This query searches for all MongoDB servers located in the United States. The protocols field limits the search to servers running the MongoDB protocol, and the location.country_code field limits the search to servers located in the United States.
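A Censys hit for an expired certificate is a snapshot from the last scan, so confirm it against the live host before writing the report. The following script is an example added here, not code from the post or from Censys: it uses only Python’s standard library, classifies the notAfter value in the format ssl.SSLSocket.getpeercert() returns, and filters the certificate’s names down to the program scope. The host and scope names in the usage block are placeholders; the check_host function needs network access and is not exercised offline.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone


def _as_utc(now):
    """Accept None (use the clock), an ISO date string, or a datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now


def classify_not_after(not_after, now=None, warn_days=30):
    """Classify a certificate notAfter value such as 'Jun  1 12:00:00 2024 GMT'
    (the getpeercert() format) as 'expired', 'expiring' or 'ok'."""
    now = _as_utc(now)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if end <= now:
        return "expired"
    if end - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def names_in_scope(cert, scope_suffixes):
    """Return the subject CN and SAN DNS names that sit inside the program
    scope (exact match or a subdomain of a scope suffix). Wildcard names
    such as *.example.com are kept because they cover in-scope hosts."""
    names = set()
    for rdn in cert.get("subject", ()):          # subject is a tuple of RDNs
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return sorted(n for n in names
                  if any(n == s or n.endswith("." + s) for s in scope_suffixes))


def check_host(host, port=443, timeout=5, warn_days=30):
    """Live verification (network): connect with normal verification on.
    An expired leaf fails the handshake, and the verification error text
    tells us that expiry was the reason, so we never need to disable
    verification to detect it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        if "expired" in str(exc).lower():
            return "expired"
        return f"verify-failed: {exc.verify_message}"
    return classify_not_after(cert["notAfter"], warn_days=warn_days)


if __name__ == "__main__":
    # Placeholder target; example.com is not a real program scope.
    print("example.com:", check_host("example.com"))
```

If check_host reports expired, the Censys finding is confirmed; if it reports ok, the certificate was renewed since the last Censys scan and there is nothing to submit. Keep the verification on: disabling it makes getpeercert() return an empty dict in Python, so you would lose the very dates you came to check.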
3. Shodan
Shodan is another search engine that specializes in indexing information about devices and networks on the internet. It can be used to identify vulnerabilities in a company’s systems by searching for open ports, default passwords, and other information.
One common technique used by bug bounty hunters is to search for devices that are running outdated software. By identifying devices that are running outdated software, they can alert the company to the need to update the software to prevent vulnerabilities from being exploited.
Another technique involves searching for devices that appear to still run with default credentials. Know where the line is here: finding an exposed login page for a product whose default password is public is a reportable exposure, but actually authenticating with that password is unauthorized access, and most programs forbid it explicitly. Report the exposed interface and the evidence that defaults are in use; do not log in or extract data.
Here are a few examples of how Shodan can be used:
- Search for all IP cameras with default credentials:
product:"IP camera" http.html:"Login" http.html:"password"
This query finds IP cameras whose HTML contains both “Login” and “password”, i.e. devices with a web login page exposed to the internet. It does not tell you whether the default credentials are still set; that is something to report for the vendor or program to verify, not something to test by logging in.
- Search for vulnerable Apache Struts servers:
product:"Apache Struts" http.title:"404 Not Found" -http.title:"Login"

This query finds hosts Shodan has fingerprinted as Apache Struts that serve a default “404 Not Found” page, excluding anything whose title is a login page (Shodan filters take no space after the colon, so product:"Apache Struts", not product: "Apache Struts"). A match only says the product is present; whether a given host is vulnerable has to be established separately from the version in its banner.
- Search for exposed databases:
"MongoDB Server Information" "Set-Cookie: mongo-express"
This query searches Shodan banners for the text “MongoDB Server Information” and the “Set-Cookie: mongo-express” header set by Mongo Express, the web-based MongoDB management tool. A hit is an exposed Mongo Express instance, and therefore a MongoDB database reachable through it.
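Raw Shodan results repeat hosts, mix products, and tempt you to start clicking into login pages. A triage step that reduces matches to a de-duplicated list of leads, tagged only with what the banner itself shows, keeps the work inside scope and inside the ten minutes. The script below is an example added here, not code from the post or from Shodan; the sample records are constructed in the shape of the matches list returned by the official shodan client (ip_str, port, product, version, data, http), and the addresses, products and banners in them are made up. The search_live function needs an API key and network access and is not exercised offline.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of shodan.Shodan(key).search(query)["matches"].
# Every host, banner and product string here is invented for the example.
SAMPLE_MATCHES = json.loads(r'''
[
  {"ip_str": "203.0.113.10", "port": 8081, "product": "mongo-express", "version": null,
   "data": "HTTP/1.1 200 OK\r\nSet-Cookie: mongo-express=s%3Aabc; Path=/\r\n\r\n",
   "http": {"title": "Home - Mongo Express", "html": "<h1>MongoDB Server Information</h1>"}},
  {"ip_str": "203.0.113.11", "port": 80, "product": "IP camera", "version": "1.2",
   "data": "HTTP/1.1 200 OK\r\n\r\n",
   "http": {"title": "Login", "html": "<form><input name=user><input type=password name=password></form>"}},
  {"ip_str": "203.0.113.12", "port": 8080, "product": "Apache Tomcat", "version": "9.0.1",
   "data": "HTTP/1.1 404 Not Found\r\n\r\n",
   "http": {"title": "404 Not Found", "html": "Powered by Apache Struts"}},
  {"ip_str": "203.0.113.11", "port": 80, "product": "IP camera", "version": "1.2",
   "data": "HTTP/1.1 200 OK\r\n\r\n",
   "http": {"title": "Login", "html": "<form>duplicate scan of the same host</form>"}}
]
''')

LOGIN_RE = re.compile(r"login", re.I)
PASSWORD_RE = re.compile(r"password", re.I)


def triage(matches, scope_ips=None):
    """Reduce raw Shodan matches to one lead per (ip, port), optionally
    limited to an in-scope IP set. Tags come from the banner text only:
    nothing here connects to the host or tries a credential."""
    leads = {}
    for m in matches:
        ip, port = m.get("ip_str"), m.get("port")
        if scope_ips is not None and ip not in scope_ips:
            continue
        if (ip, port) in leads:
            continue                      # Shodan returns repeat scans of a host
        http = m.get("http") or {}
        title = http.get("title") or ""
        html = http.get("html") or ""
        data = m.get("data") or ""
        page = title + " " + html
        tags = []
        if LOGIN_RE.search(page) and PASSWORD_RE.search(page):
            tags.append("login-form")     # same signal as the IP camera dork
        if "mongo-express" in data.lower() or "mongodb server information" in page.lower():
            tags.append("mongo-express")  # same signal as the exposed-database dork
        leads[(ip, port)] = {"ip": ip, "port": port, "product": m.get("product"),
                             "version": m.get("version"), "title": title, "tags": tags}
    return sorted(leads.values(), key=lambda l: (ipaddress.ip_address(l["ip"]), l["port"]))


def search_live(api_key, query, limit=100):
    """Optional network mode using the official client (pip install shodan)."""
    import shodan
    return shodan.Shodan(api_key).search(query, limit=limit)["matches"]


if __name__ == "__main__":
    for lead in triage(SAMPLE_MATCHES):
        print(lead)
```

Note the third record: Shodan fingerprinted the product as Tomcat even though the page mentions Struts, so a product:"Apache Struts" query would not have returned it. The product filter matches Shodan’s fingerprint, not whatever you expect to be running, and the version in the banner is what you carry into the report.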
FAQ
- What is OSINT?
OSINT stands for Open Source Intelligence, which is the collection, analysis, and dissemination of information from publicly available sources. These sources include traditional media, social media, internet sites, government records, and other publicly available information.
- What are some OSINT tools?
There are many OSINT tools available, including search engines like Google and Bing, social media monitoring tools like Hootsuite and TweetDeck, and specialized tools like Censys and Shodan for network reconnaissance.
- What is Google Dorking?
Google Dorking refers to the use of advanced search operators in Google to search for specific information. By using advanced operators like “site:”, “intitle:”, and “filetype:”, it’s possible to search for specific types of information on the internet.
- What is Censys?
Censys is a search engine for network reconnaissance that provides information about hosts and devices on the internet. It allows users to search for specific ports, protocols, and fields in the Censys database to identify potential security risks.
- What is Shodan?
Shodan is a search engine for internet-connected devices that allows users to search for specific products, web pages, and headers in the Shodan database to identify potential security risks. It is commonly used for network reconnaissance and can be a valuable tool for both offensive and defensive security professionals.
- How can OSINT be used for cybersecurity?
OSINT can be used to identify potential security risks by gathering information about a target’s online presence and identifying vulnerable devices, exposed services, and other potential attack vectors. It can also be used for threat intelligence to monitor for potential threats and attacks.
Final Thought
In conclusion, OSINT is a valuable tool for cybersecurity professionals, researchers, and enthusiasts to gather information about potential security risks and identify vulnerable devices and exposed services. By using tools like Google Dorking, Censys, and Shodan, it’s possible to perform network reconnaissance and identify potential attack vectors. However, it’s important to use these tools responsibly and ethically, and to be aware of the potential risks and limitations of OSINT. By leveraging the power of OSINT and combining it with other security measures, we can improve our ability to protect our networks and systems from cyber threats.