#hack_whatsapp #android_penetration_testing #hardening
🔹Link
📌 @Infosectube

#git #cheatsheet #tips

☢️What is the Tachyon Protocol?
Tachyon Protocol is what nodes and users in the Tachyon network speak to one another. It ensures that traffic moves from place to place privately, securely, and quickly.

Based on Tachyon Protocol, the Next-Gen VPN, IoT, DeFi, Storage, CDN, DNS and other Apps will benefit 900 million users at least.

پروتکل جدید Tachyon
بدون سرور مرکزی
کلیه سرورهایی که استفاده می کنید از سایر کاربران جهانی است که در سراسر جهان توزیع می شوند و توسط افراد مختلف اداره می شوند. از آنجا که هیچ سرور متمرکز برای انتقال اطلاعات وجود ندارد ، امکان ثبت اطلاعات در یک مخزن واحد وجود ندارد ، به این معنی که هیچ کس نمی تواند حریم شخصی شما را جمع کند و هنگام حذف سرورهای مرکزی اطلاعات شخصی شما را بفروشد.
ویژگی ها:
💵رایگان
💎بدون ثبتنام
💣منبع باز
⚙️امن
لینک دانلود ios
ios
لینک گوگل پلی
android
لینک دانلود مک
mac

🆔@InfoSecTube

📡Recon Map
⚒@InfoSecTube

#Bug_Bounty_Tips_1
🛡BugBounty_Tips
useful one-liner to check a list of hostnames for OpenSSL Heartbleed vulnerability:

cat list.txt | while read line ; do echo "QUIT" | openssl s_client -connect $line:443 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo $line: safe; done

☣️@InfoSecTube

#hack_webmail
🔹Link
📌 @Infosectube

#Bug_Bounty_Tips_2
🛡BugBounty_Tips
Here’s a handy command to extract URLs from junk / assorted data:
1-From Files:

cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*

2-From Websites:

curl https://target.com/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*
 

☣️@InfoSecTube

#Bug_Bounty_Tips_3
🛡BugBounty_Tips
Here’s a tip to extract interesting (potentially sensitive) information from unpacked APK files (Android App):

Make sure to first unpack the APK file using apktool like this:

apktool d app_name.apk

With this one-liner we can identify URLs, API keys, authentication tokens, credentials, certificate pinning code and much more.

grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" APKfolder/

☣️@InfoSecTube

Acunetix Web Vulnerability Scanner 12.0.181218140 Retail

@Infosectube

#Bug_Bounty_Tips_4
🛡BugBounty_Tips
Here are the top dorks to find Open Redirect vulnerabilities :

/{payload}
?next={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
 

☣️@InfoSecTube

#Bug_Bounty_Tips_5
🛡BugBounty_Tips
Here are 3 tips to bypass JWT token authentication.

Tip #1:

💎Capture the JWT.
💎Change the algorithm to None.
💎Change the content of the claims in the body with whatever you want e.g.: email: [email protected]
💎Send the request with the modified token and check the result.

Tip #2:

✅Capture the JWT token.
✅If the algorithm is RS256 change to HS256 and sign the token with the public key (which you can get by visiting jwks Uri / mostly it will be the public key from the site’s https certificate)
✅Send the request with the modified token and check the response.
✅You can party with the bounty if the backend doesn’t have the algorithm check.

Tip #3: Check for proper server-side session termination

🔰Check if the application is using JWT tokens for authentication.
🔰If so, login to the application and capture the token. (Mostly web apps stores the token in the local storage of the browser)
🔰Now logout of the application.
🔰Now make a request to the privileged endpoint with the token captured earlier.
🔰Sometimes, the request will be successful as the web apps just delete the token from browser and won’t blacklist the tokens in the backend.

☣️@InfoSecTube

#hack_android_with_spymax
🔹Link
📌 @Infosectube

#Bug_Bounty_Tips_6
🛡BugBounty_Tips

Before Run this script we have to install couple of additional tools:
amass
assetfinder
subfinder
filter-resolved

Here’s a quick and basic recon routine for finding subdomains while doing bug bounty:

#!/bin/bash
# $1 => example.domain

amass enum --passive -d $1 -o domains_$1
assetfinder --subs-only $1 | tee -a domains_41

subfinder -d $1 -o domains_subfinder_$1
cat domains_subfinder_$1 | tee -a domains_$1

sort -u domains_$1 -o domains_$1
cat domains_$1 | filter-resolved | tee -a domains_$1.txt

☣️@InfoSecTube

#Bug_Bounty_Tips_7
🛡BugBounty_Tips
Install Instruction:
apt-get -y install parallel
Here’s a super useful recon one-liner to quickly validate list of hostnames and subdomains:

cat alive-subdomains.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t  Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk

This one-liner will spawn 50 instances of curl in parallel and display the HTTP status code and response size in bytes for each host in a beautiful way😊

☣️@InfoSecTube

#Bug_Bounty_Tips_8
🛡BugBounty_Tips
Before Run this script you must install several additional tools:
subfinder
amass
httpprob
waybackurls
kxss

this shell script to identify XSS (Cross-Site Scripting) vulnerabilities using a number of open-source tools chained together:

#!/bin/bash
# $1 => example.domain

subfinder -d $1 -o domains_subfinder_$1
amass enum --passive -d $1 -o domains_$1

cat domains_subfinder_$1 | tee -a domain_$1
cat domains_$1 | filter-resolved | tee -a domains_$1.txt

cat domains_$1.txt | ~/go/bin/httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt
 

☣️@InfoSecTube

#Bug_Bounty_Tips_9
🛡BugBounty_Tips
Sometimes, developers think that hiding a button is enough. Try accessing the following sign-up URIs.
Chances are that we will be able to register a new user and access privileged areas of the web application, or at least get a foothold into it.

☣️@InfoSecTube

#Bug_Bounty_Tips_10
🛡BugBounty_Tips
Here are Top 5 Google dorks for identifying interesting and potentially sensitive information about our target:

inurl:example.com intitle:"index of"
inurl:example.com intitle:"index of /" "*key.pem"
inurl:example.com ext:log
inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv
inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git

With these dorks we are looking for open directory listing, log files, private keys, spreadsheets, database files and other interesting data.

☣️@InfoSecTube

#Stored_XSS
🔹Link
📌 @Infosectube

#Bug_Bounty_Tips_11
🛡BugBounty_Tips
If you are hunting on a Drupal website, fuzz with Burp Suite Intruder (or any other similar tool) on ‘/node/$’ where ‘$’ is a number (from 1 to 500). For example:

https://target.com/node/1
https://target.com/node/2
https://target.com/node/3
…
https://target.com/node/499
https://target.com/node/500

Chances are that we will find hidden pages (test, dev) which are not referenced by the search engines.

☣️@InfoSecTube

#Bug_Bounty_Tips_12
🛡BugBounty_Tips
Before use this script you must install additional tools:
gau
fff
gf
gf-secrets
Find sensitive information disclosure using special gf-secrets patterns. Here’s how to use them:

# Search for testing point with gau and fff
gau target -subs | cut -d"?" -f1 | grep -E "\.js+(?:on|)$" | tee urls.txt
sort -u urls.txt | fff -s 200 -o out/

# After we save responses from known URLs, it's time to dig for secrets
for i in `gf -list`; do [[ ${i} =~ "_secrets"* ]] && gf ${i}; done

☣️@InfoSecTube

#Bug_Bounty_Tips_13
🛡BugBounty_Tips

✔️Spring Boot is an open source Java-based framework used to build stand-alone spring applications based on the concepts of micro services.

🔰Spring Boot Actuator is a mechanism of interacting with them using a web interface. They are typically mapped to URL such as:
🔶https://target.com/env
🔸https://target.com/heapdump
🔸etc.
#Shodan_Dorks
♦️Search for the following favicon hash in Shodan to find Spring Boot servers deployed in the target organization:

org:YOUR_TARGET http.favicon.hash:116323821

🔺Then check for exposed actuators. If /env is available, you can probably achieve RCE. If /heapdump is accessible, you may find private keys and tokens.

☣️@InfoSecTube