Hacker, bounties, entrepreneur. I help cybersecurity companies produce amazing content for their blogs and socials. Founder of @haksecio and @hacker_content
34 years ago today, Dade Murphy aka Zero Cool crashed 1507 computers, causing a 7 point drop in the NY stock exchange. He was 11 and his family was fined $45,000. He was banned from touching a computer until he turned 18.
#hackers
I want to keep track of the latest cybersecurity news.
I also don't want to spend all my time on Twitter.
Here are 5 great cybersecurity news outlets that I rely on!
🧵👇
Become an Nmap pro in 30s 👇🕥
Nmap is a port scanner, but it does much more including service/OS detection and even vuln scanning.
By default nmap does a standard TCP SYN scan on the top 1000 ports of the host.
$ nmap host
For more verbosity use -v or -vv.
$ nmap -vv host
🧵👇
Giveaway! 🎉
I'm going to buy someone a new MacBook Pro M2 13".
To enter, retweet this tweet, then follow: @hakluke, @hacker_content & @haksecio.
If you're a cybersecurity org looking for high quality content and social media management, check out 👇
I use this tool regularly!
It's very simple, it does reverse DNS lookups as fast as possible. It's a great way of discovering domains and subdomains owned by a company when you know their IP address range(s).
Hi all, dropping another tool today. This one is very simple, it does reverse DNS lookups as fast as possible.
It's a great way of discovering domains and subdomains owned by a company when you know their IP address range(s).
Check it out:
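For readers who want to see what "IPs go in, hostnames come out" looks like in code, here is an added example (not the author's tool) of a concurrent reverse-DNS sweep that keeps only PTR names under the organisation's own apex domain. The resolver is injectable, and the PTR table below is constructed so the script runs offline.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]


def system_ptr(ip: str) -> Optional[str]:
    """Default resolver: one PTR lookup via the OS, None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def reverse_sweep(cidr: str, resolver: Resolver = system_ptr, workers: int = 64) -> Dict[str, str]:
    """Resolve every host in `cidr` concurrently; return {ip: hostname} for hits only."""
    ips = [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = list(pool.map(resolver, ips))
    return {ip: name for ip, name in zip(ips, names) if name}


def owned_hostnames(results: Dict[str, str], apex: str) -> Dict[str, str]:
    """Keep PTR names at or under `apex`: the org's own hostnames on the range,
    as opposed to generic ISP names like 203-0-113-12.static.isp.example.net."""
    apex = apex.lower().rstrip(".")
    def under(name: str) -> bool:
        n = name.lower().rstrip(".")
        return n == apex or n.endswith("." + apex)
    return {ip: n for ip, n in results.items() if under(n)}


# Constructed PTR table standing in for real DNS so the sweep runs offline.
FAKE_PTR = {
    "203.0.113.10": "www.example.com",
    "203.0.113.11": "mail.example.com",
    "203.0.113.12": "203-0-113-12.static.isp.example.net",
}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    hits = reverse_sweep("203.0.113.0/28", resolver=fake_ptr)
    for ip, name in sorted(owned_hostnames(hits, "example.com").items()):
        print(ip, name)
```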
I have created a lot of useful little hacking tools over the last few years, sometimes I tweet about them, sometimes I don't.
Here's a list of some of the most useful ones, and a brief explanation of what they do! 🧵👇
Much like Amass, a lot of people don't use Nmap to its full potential. Here's a bunch of tips on how I actually use Nmap.
If you get something out of this article, share it!
Try this when testing webapps:
1. Set up burp in browser1
2. Do a password reset request in browser1
3. Open the password reset email in browser2 and copy the token
4. Search your Burp history for the token, if it is there, you've got yourself a nice easy account takeover!
I once did an internal network pentest for a large hotel chain. I sat down with a coffee, the head of IT had just finished telling me I won't find much.
The DC was vulnerable to Eternal Blue. I was DA before I finished the coffee.
This was 2 years after eternal blue dropped!
When hacking webapps, I have a little bag of bugs I always check for that are commonly missed. Here's one: I check if signing up with the same username as a deleted account will give me access to their old data.
What's your favourite little bug that others often miss?
Most people click phishing links because they fell for the pretext. I click phishing links because I know it's a phishing link and I'm curious about their tactics.
Nmap tutorial time!
Nmap is a port scanner, but it does so much more including service/OS detection and even vuln scanning.
By default nmap does a standard TCP SYN scan on the top 1000 ports of host.
$ nmap host
For more verbosity use -v or -vv.
$ nmap -vv host
THREAD ⬇️
If I want to quickly, manually spray an application input, I use this payload:
'"><svg/onload=alert()>{{7*7}}
It's fairly short, and will give indicators of basic SQLi, XSS and SSTI vulnerabilities.
Disclaimer: This isn't a replacement for proper testing.
nip.io can be super useful for bypassing filters to exploit SSRF vulnerabilities.
<anything>.<IP>.nip.io will redirect to the <IP> you specify.
For example, `<anything>.1.1.1.1.nip.io` will resolve to 1.1.1.1.
I learned this from here:
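The defensive flip side of the nip.io trick: a filter that only inspects the hostname string is bypassed by `<anything>.<IP>.nip.io`, while a filter that resolves the name and checks every returned address catches it. Added example, not from the original thread; the resolver is injectable and the DNS table below is constructed so the check runs offline.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

def system_resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for `host` via the OS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def ip_is_internal(ip: str) -> bool:
    """True for loopback, RFC1918/ULA, link-local, reserved, multicast, unspecified."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_reserved or a.is_multicast or a.is_unspecified)

def naive_allows(url: str) -> bool:
    """The weak filter: compares only the hostname string, so a wildcard-DNS
    name such as loop.127.0.0.1.nip.io is not recognised as loopback."""
    host = urlsplit(url).hostname or ""
    return host not in ("localhost", "127.0.0.1", "0.0.0.0")

def hardened_allows(url: str, resolver: Resolver = system_resolve) -> bool:
    """Resolve the host and refuse if *any* answer is internal. The fetcher must
    then connect to the vetted IP rather than resolving the name a second time."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ips = resolver(parts.hostname)
    except OSError:
        return False
    return bool(ips) and not any(ip_is_internal(ip) for ip in ips)

# Constructed DNS answers mimicking nip.io: the name resolves to the IP embedded in it.
FAKE_DNS = {
    "example.com": ["8.8.8.8"],
    "anything.1.1.1.1.nip.io": ["1.1.1.1"],
    "loop.127.0.0.1.nip.io": ["127.0.0.1"],
    "priv.10.0.0.5.nip.io": ["10.0.0.5"],
}

def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return FAKE_DNS[host]

if __name__ == "__main__":
    for u in ("http://loop.127.0.0.1.nip.io/", "http://anything.1.1.1.1.nip.io/"):
        print(u, "naive:", naive_allows(u), "hardened:", hardened_allows(u, fake_resolve))
```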
Before learning hacking, get some fundamental knowledge in:
- Networking
- Coding
- Linux
The stronger your foundational knowledge is, the more stable it is to build on.
What are some other things that are good to have fundamental knowledge in?
Well folks, I tried Google Keep, then Notion, then Obsidian. I even tried Microsoft OneNote at one point.
I'm back to using Apple notes.
This meme sums up my process perfectly.
There is still SO MUCH CSRF to find in bounty programs.
CSRF comes in many forms. Try:
- Removing the token parameter entirely
- Setting the token to a blank string
- Changing the token to an invalid token of the same format
- Using a different user's token
More in thread 👇
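To see why those four variants find so many bugs, here is an added example (not from the thread) of a CSRF token check with two common defects next to a hardened version, with the thread's four checks replayed against each. The session store and the 32-hex-character token format are assumptions for the demo.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed session store: session id -> CSRF token issued to that session.
SESSIONS: Dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Bind a fresh random token to one session (format assumed: 32 hex chars)."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return token


def weak_csrf_ok(session_id: str, submitted: Optional[str]) -> bool:
    """Two common defects in one place: an absent or blank token skips the check
    ('legacy client'), and any token the server ever issued is accepted."""
    if not submitted:
        return True
    return submitted in SESSIONS.values()


def csrf_ok(session_id: str, submitted: Optional[str]) -> bool:
    """Hardened: the token must be present, non-empty and equal (constant time)
    to the one bound to *this* session, so a well-formed-but-invalid token and
    another user's valid token fail the same comparison."""
    expected = SESSIONS.get(session_id)
    if expected is None or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def run_variants(check: Callable[[str, Optional[str]], bool]) -> Dict[str, bool]:
    """Replay the thread's four CSRF checks against `check` for session 'sess-alice'."""
    alice, bob = issue_token("sess-alice"), issue_token("sess-bob")
    return {
        "valid": check("sess-alice", alice),
        "removed": check("sess-alice", None),           # token parameter removed
        "blank": check("sess-alice", ""),               # token set to blank string
        "same_format_invalid": check("sess-alice", secrets.token_hex(16)),
        "other_users_token": check("sess-alice", bob),  # a different user's token
    }


if __name__ == "__main__":
    print("weak    ", run_variants(weak_csrf_ok))
    print("hardened", run_variants(csrf_ok))
```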
IPs go in ---> hostnames come out! 🚀
Useful for finding domains and subdomains belonging to a company from their IP addresses!
Install now. Link in thread 🧵👇
Okay infosec twitter - I'd love your help to write a blog! What are your most frequently used hacking tools currently?
(p.s. you can't say a programming language)
I'll start:
Burp Suite
ffuf
nmap
curl
nuclei
I want to keep track of the latest cybersecurity news.
I also don't want to rely solely on Twitter.
Here are 5 great cybersecurity news outlets that I rely on daily! 👇
Bug bounty rules:
- Go deep
- Focus on areas that other people don't/can't
- Read the documentation
- Don't compare yourself to others
- Try everything
- Detach from the outcome
Okay here's the deal.
I'm giving away 100 @TCMSecurity training courses. 50 of them are the Practical Ethical Hacking course, and the other 50 are Practical Malware Analysis & Triage.
To enter:
1. Retweet this tweet
2. Follow @hakluke, @haksecio and @hacker_content
Good luck!
How to hack web applications in 2023: Part 1 🚀
💻 Types of web apps
⚙️ Setting up for testing
🪲 RCE
🐞 SQLi
🐛 XXE
🪳 Insecure Deserialization
🐜 XSS
And that's just Part 1! 😱 👇
#hacking
#pentesting
#bugbounty
One of my tools, hakrawler, has been added to Kali Linux 2022.2!
This really means a lot to me. I remember using Kali back when it was called BackTrack when I was in high school. I never thought I would write a tool that would be included!
A Bach. of Cybersecurity from a major university in Australia takes 3 years and costs $16,308 USD (after government help) plus textbooks and other random uni fees.
For that price you could get:
- OSCP
- OSEP
- OSWP
- PNPT
- CISSP (training material and exam)
... 🧵👇
When you're brute forcing for endpoints, don't forget to add extensions. You can also use this method to discover backup files. Here's a command I use frequently:
dirsearch -e php,asp,aspx,jsp,py,txt,conf,config,bak,backup,swp,old,db,sql -u <target>
The ultimate OSCP guide: Part 1 - Is OSCP for you?
🤔 Would I recommend it?
⏰ How much time do you need?
🧑🔬 How much lab time should you purchase?
🙋 How to ask good questions
💡 Exam tips
Some info is out of date but most is very relevant.
Did you know @Cloudflare released an open source vulnerability scanner that is based on Nmap and Vulners?
👉 Nmap locally within a container
👉 Push results to cloud
👉 Deploy the scanner on Kubernetes
It looks amazing! How did I only just find out?
Did you know that you can run ngrok without even installing ngrok by using as a SSH reverse tunnel?
ssh -R 80:localhost:80 http
Is the equivalent of:
ngrok http 80
🤯
I just hit 30k followers 😊
To celebrate, I'm giving away 30 @PentesterLab subscriptions.
To enter, quote tweet this with a message of gratitude to someone that has helped you become a better hacker/human.
Thanks to @PentesterLab / @snyff who provided 50% of the subs.
❤️🧡💛💜💚
Soon I'll be releasing hakrawler, a fast web crawler for extracting endpoints + assets from web applications. It allows crawling at scale over large domain sets.
I can't wait to let this loose on bug bounties!
Follow me on Github to know when it drops:
Trying this out tonight:
1. Get a list of IP addresses owned by an org using their ASN, or any other technique
2. Get a list of subdomains using any subdomain enumeration technique
3. Try every subdomain as a vhost on every IP address that is running a web server
4. $$$?
Have you created any cool tools on GitHub? I want to see them, half finished or not! Drop them in the comments with a description about what it does.
I'll start :) give hakrawler a URL, it will give back URLs and locations of JavaScript files. Fast!
How to hack web applications in 2023: Part 2 🚀
🪲 SSRF
🐞 Business Logic Vulns
🐛 IDORs
🪳 Authentication Issues
🐜 CSRF
🕷 Directory Traversal
🦟 File Inclusion
And that's just Part 2 😱 👇
#hacking
#bugbounty
#pentesting
Quickly get the ASN of an IP address, along with the associated company name and location:
curl <ip>
This is a great way to confirm ownership of an IP/domain. It's also a great way to identify services that might be in use (AWS/Azure/Cloudfront/Akamai, etc.)
If you find a S3 subdomain takeover, you need to set up the S3 bucket in the correct region, otherwise it doesn't work.
To find the region, use `dig` to get the IP address, then put the IP into to grab the region easily.
10 handy practical #hacking tools I've developed over the years 🧰
Check out this thread for the most valuable ones, along with a brief overview of their functions! 🧵👇
How To Hack Web Applications in 2023: Part 2
🐞 SSRF
🐛 Business Logic Vulnerabilities
🐜 IDORs
🕷 Authentication issues
🦟 CSRF
🪲 Directory traversal
🪳 LFI/RFI
Learn how to hijack web applications before attackers do 👇