Real World Hacking Tools Tutorial (Target: Tesla)
Understanding the Adversary
In this section, Jason Haddix discusses the importance of emulating the adversary in order to have a successful campaign. He emphasizes the need to focus on the 10% that sets you apart from others.
Emulating the Adversary
- To achieve a successful campaign, it is crucial to emulate the adversary.
- By doing what others don't (the 10%), you increase your chances of success.
- Obtaining valuable information, such as VPN login addresses for companies like Tesla, allows for targeted attacks.
- Understanding a company better than they understand themselves through recon can be advantageous.
Reconnaissance and Workshop
Jason explains how recon data can be used to conduct workshops with companies, highlighting vulnerabilities they were unaware of.
Utilizing Recon Data
- Recon data provides insights into a company's vulnerabilities and blind spots.
- Conducting workshops using gathered recon data helps companies become aware of their weaknesses.
- Sharing findings with companies often reveals unknown information about their online presence.
The Motivation Behind Red Teaming
Jason expresses his passion for red teaming and highlights how it aligns with protecting organizations and making a positive impact.
The Red Team's Motivation
- Red teamers are driven by a desire to protect and make a positive impact on the world.
- Although they play "bad guys" on TV, their ultimate goal is to safeguard organizations.
- Jason is grateful for finding like-minded individuals who share his passion for cybersecurity.
Sponsorship Message - Brilliant
David Bombal thanks Brilliant for sponsoring the video and promoting their platform for learning math, computer science, AI, and development topics.
Sponsorship Message
- David Bombal expresses gratitude to Brilliant for sponsoring the video.
- Brilliant offers an interactive platform for learning various subjects, including math and computer science.
- The platform provides a more engaging learning experience compared to traditional methods like reading books or watching videos.
Introduction of Jason Haddix
David introduces Jason Haddix as a well-known figure in offensive security and invites him to share his background.
Introducing Jason Haddix
- Jason Haddix has extensive experience in offensive security, including penetration testing, red teaming, web application assessments, and bug bounty hunting.
- He is recognized for his talks and presentations at conferences like Defcon.
- Jason's expertise lies in finding vulnerabilities that others may overlook by thinking like an adversary.
Thinking Like an Adversary
Jason discusses his approach to profiling companies and finding ways to hack into their systems by thinking like an adversary.
Profiling Companies
- As part of his job, Jason profiles different companies to identify potential vulnerabilities.
- His goal is to emulate real adversaries and find ways to breach large organizations.
- Thinking like an adversary helps uncover weaknesses that can be exploited during engagements.
Reconnaissance on Tesla
Jason suggests conducting reconnaissance on Tesla as a case study to demonstrate the initial steps of a Bug Bounty or Red Team engagement.
Reconnaissance on Tesla
- Reconnaissance (recon) is the first step in understanding the target company's infrastructure.
- By examining Tesla's online presence, we can gain insights into how Bug Bounty or Red Team engagements begin.
Red Teaming and Full Scope Adversarial Emulation
Jason explains how his company, BuddoBot, focuses on full scope adversarial emulation through red teaming engagements.
Full Scope Adversarial Emulation
- Jason's company specializes in full scope adversarial emulation, which goes beyond traditional penetration testing.
- They engage with clients for longer periods (6 months to a year) to thoroughly assess all assets and attempt to pivot from external to internal networks.
- The team covers various areas such as cloud security, external web security, phishing, social engineering, and even monitoring the dark web for potential threats.
Learning from Past Breaches
Jason shares his experience of being a security leader at Ubisoft during a breach and highlights the importance of emulating such incidents.
Learning from Breaches
- Jason recalls his time as a Chief Security Architect at Ubisoft when they experienced a breach by threat actors.
- He emphasizes the need for services that can accurately emulate real-world breaches.
- This motivates him to provide comprehensive red teaming services that simulate actual threats.
Presenter's Background
The presenter has experience presenting at Defcon and other conferences on offensive security. They also have YouTube videos and occasionally stream on Twitch.
- The presenter has presented at Defcon and other conferences worldwide on offensive security topics.
- They occasionally stream on Twitch and have YouTube videos available.
- Links to the presenter's YouTube videos will be provided.
Attack Surface Management
Attack Surface Management is a service that uses hacker tools for defensive purposes. It can help companies understand their online presence.
- Techniques discussed in this presentation can be used for both offensive and defensive purposes.
- Attack Surface Management is a service that utilizes hacker tools but presents the information in a more user-friendly way.
- By using these techniques, companies can gain insights into their online presence and identify potential vulnerabilities.
DIY Attack Surface Management
If you don't have an Attack Surface Management platform, you can still gather similar data by stringing together various tools discussed in this presentation.
- Companies without an Attack Surface Management platform can still achieve similar results by combining different tools.
- The information covered in this presentation will provide valuable insights even without a dedicated platform.
Live Training
The presenter offers live training sessions called "Bug Hunter's Methodology" which cover reconnaissance and hacking techniques.
- The presenter has been giving talks at conferences for about 12 years, including Defcon, Black Hat, RSA, and smaller hacker cons.
- They offer a two-day live training session called "Bug Hunter's Methodology," covering reconnaissance (day one) and hacking (day two).
- Interested individuals can sign up for the training through the provided link.
Real-World Examples
The presenter shares a story about a successful hack they conducted on an e-commerce site, highlighting the importance of reconnaissance.
- The presenter's expertise in reconnaissance has led to significant successes in hacking.
- They share an example of hacking into an e-commerce site that had recently acquired a CRM software.
- By identifying the acquisition and exploiting an access control vulnerability, the presenter gained access to millions of customer records and had full control over the site.
Major Data Breach
The presenter describes one of their biggest data breaches, which involved accessing personal data, purchase records, and admin controls through a simple vulnerability.
- The presenter accessed an e-commerce company's CRM software after finding a demo version with URLs for the admin section.
- Exploiting an access control vulnerability in the installed version, they gained access to millions of customer records and had complete control over the site.
- This breach was significant due to the sheer number of records compromised and the range of sensitive information obtained.
Finding an Acquisition that Paid Off
In this section, the speaker discusses how finding an acquisition paid off in a significant way. They explain the workflow and how accessing a demo CRM software through a URL led to discovering a bug.
Workflow of Finding an Acquisition
- The speaker found a demo CRM software as part of an acquisition.
- They took the admin URLs learned from the demo and typed them straight into the live production system.
- The production system did not enforce authentication on those URLs, so the admin section opened without a login.
Discovery of an Amazing Bug
- The speaker had to explore the demo until they found the admin section.
- By visiting the URL in the live production system without authentication, they discovered a significant bug.
- This example highlights the importance of recon and finding vulnerabilities by doing thorough work.
From Dark Web to Ethical Hacking
The speaker shares their origin story, starting from their involvement in the dark web as a young adult and transitioning into ethical hacking. They discuss their experiences with fake IDs and learning about web hacking.
Origin Story: Dark Web Involvement
- As a young adult, the speaker was around the early days of the dark web, including forums such as CardersMarket and ShadowCrew.
- Those communities centred on credit card fraud, with web hacking just emerging at the time.
- Their interest in making fake IDs stemmed from buying a low-quality one themselves.
Transitioning to Ethical Hacking
- Curiosity led them to research how to make better fake IDs through Counterfeit Library (precursor to Shadow Crew).
- Through this process, they delved into learning about web hacking and became familiar with different ecosystems within the dark web.
- They connected with hackers who taught them various aspects of hacking and shared knowledge on forums.
Ecosystems within Dark Web Activities
The speaker explains the different ecosystems within dark web activities, including hackers, carders (credit card fraud), and ID makers. They discuss their involvement in learning about these ecosystems and the changes brought by chip-and-PIN technology.
Dark Web Ecosystems
- The dark web activities were divided into three main ecosystems: hackers, carders (credit card fraud), and ID makers.
- The speaker primarily interacted with hackers due to their interest in making fake IDs.
- Hackers taught them about web bugs and provided insights into the workings of the dark web.
Impact of Chip-and-PIN Technology
- Chip-and-PIN cards significantly changed the ecosystem dynamics.
- They changed how card numbers were stolen, written onto counterfeit cards, and cashed out.
- Despite changes, similar ecosystem structures still exist today.
Brush with Law Enforcement
The speaker recounts a personal experience where they had a close encounter with law enforcement due to their involvement in making fake IDs. They share their fear during that time as a young adult.
Buying Fake ID and Getting Caught
- To join friends at bars despite being underage, the speaker bought a low-quality fake ID from a friend.
- When they tried to use it, the ID was spotted as fake immediately, though there were no legal consequences.
- This incident frustrated them, leading to an interest in improving fake IDs.
Fearful Response
- Feeling scared after seeing law enforcement actions against others involved in dark web activities.
- Discarded all equipment related to making fake IDs by driving two towns away, setting it on fire, and abandoning it in a dumpster.
- Despite being a small player in the scene, fear was prevalent due to lack of understanding about potential consequences.
Transitioning into Ethical Hacking Education
The speaker discusses how they transitioned into ethical hacking education through a college elective course. They highlight the outdated content taught and their realization of pursuing hacking as a career.
Ethical Hacking College Elective
- The speaker enrolled in a college elective course called "ethical hacking and network defense."
- The teacher, Angel, presented outdated material that was already five years old at the time.
- The speaker recognized the need for more up-to-date knowledge in the field.
Realization of Hacking as a Career
- The speaker challenged their teacher about the outdated content and learned that ethical hacking could be pursued as a career.
- This revelation sparked an interest in exploring hacking further and utilizing their skills for legitimate purposes.
Reconnaissance and Bug Bounty Platforms
In this section, the speaker discusses the importance of bug bounty platforms and how they provide opportunities for individuals with hacking skills to earn money legally and ethically. The speaker also expresses their love for the hacking community and emphasizes the need for hackers in protecting the world.
Bug Bounty Platforms
- Bug bounty platforms offer opportunities for individuals with hacking skills to earn money legally and ethically.
- There is an increasing amount of e-learning content available on hacking, which focuses on using these skills for good and defense.
- The speaker expresses their love for the hacking community and highlights their affiliation with Defcon.
Introduction to Reconnaissance
This section introduces reconnaissance as a crucial aspect of ethical hacking. The speaker explains that reconnaissance involves gathering information about a target in order to hack them or use that information.
Reconnaissance
- Reconnaissance is a subset of Open Source Intelligence (OSINT) focused on finding assets, such as servers belonging to a company.
- Large companies like Tesla often have multiple websites and IT infrastructure that can become unmanageable over time.
- Adversaries look for vulnerabilities in a company's IT infrastructure, so it is important to conduct thorough reconnaissance.
- Hackers often spend significant time on the reconnaissance process to make their attacks more effective.
Reconnaissance Process
In this section, the speaker demonstrates how they use terminal tools and mind maps during the reconnaissance process. They emphasize the importance of organization in keeping track of gathered information.
Tools Used in Reconnaissance
- The speaker uses a terminal for executing various hacking tasks.
- Mind mapping tools, such as Xmind, are used to organize information during reconnaissance projects.
Reconnaissance Example: Tesla
The speaker uses Tesla as an example to illustrate the scope of reconnaissance. They explain that even a medium-sized company like Tesla can have a complex IT infrastructure, including acquired companies and multiple domains.
Reconnaissance on Tesla
- Tesla has an open bug bounty program, allowing ethical hackers to find security vulnerabilities and potentially get paid for their findings.
- Reconnaissance on Tesla involves exploring more than just tesla.com, as the company has absorbed other companies like SolarCity and Grohmann Engineering.
- Large companies often have sprawling IT infrastructures that can be challenging to manage, providing opportunities for adversaries to exploit vulnerabilities.
Checklist for Reconnaissance
The speaker discusses the importance of having a checklist during reconnaissance to ensure that no tasks are forgotten and to capture all necessary data.
Importance of a Checklist
- Having a checklist helps in not forgetting important tasks during red teaming, bug bounty hunting, or any other reconnaissance activity.
- The purpose of reconnaissance is to find websites to hack and gather as much information as possible about the target.
Finding Target Websites
The speaker explains that finding websites related to the target is crucial for successful hacking attempts. It is not just limited to the main website but also includes subdomains and other related domains.
Types of Target Websites
- Main website (e.g., tesla.com)
- Subdomains (e.g., forum.tesla.com, purchase.tesla.com)
- Other related domains (e.g., SolarCity)
Levels of Reconnaissance
The speaker mentions that there are three levels of reconnaissance, but only level one will be covered in this session.
Level One Reconnaissance
- Focuses on finding the target's IP space and autonomous system number.
- Identifying Apex domains (e.g., tesla.com) and subdomains.
- Tools used will primarily focus on finding subdomains.
Finding Autonomous System Number
The speaker emphasizes the importance of finding the target's autonomous system number for successful infrastructure identification.
Using Hurricane Electric Website
- Hurricane Electric's website (bgp.he.net) provides an open search box to search for companies' autonomous system numbers.
- Searching with relevant keywords like "Tesla" retrieves a list of companies with autonomous system numbers related to Tesla.
- Care must be taken to select the correct company and not go out of scope.
Autonomous System Numbers
The speaker explains the concept of autonomous system numbers and their significance in identifying a company's IP space.
Significance of Autonomous System Numbers
- An autonomous system number identifies a network (an autonomous system) that announces a set of IP prefixes via BGP; a company that runs its own network has one or more.
- ASNs are assigned by the regional Internet registries, and the prefixes announced under a company's ASN are a good approximation of its self-hosted IP space.
- Clicking on an autonomous system number on bgp.he.net shows the prefixes it announces plus additional information about the company, such as whois data.
Tesla's IP Space Versus Cloud Assets
This section discusses the initial steps of viewing Tesla the way an adversary would and understanding their IP space.
Understanding Tesla's IP Space
- The prefixes announced under Tesla's own ASNs cover self-hosted infrastructure only; assets hosted with a cloud provider sit in that provider's ASN, not Tesla's.
- Finding cloud-hosted assets therefore needs a separate workflow.
- Tools like Nmap can be used to find web servers and other online services within those IP ranges.
- The gathered data is dumped into the mind map for later analysis.
Tools for Gathering Asset Information
This section covers the tools and methods used to gather information about Tesla's assets.
Gathering Asset Information
- A range of tools can collect information about Tesla's assets.
- They identify web servers and online services within the IP ranges found in the previous step.
- The ASN lookup is what produces those ranges; the scan results are then organised alongside them in the mind map.
- Free tools like Xmind and public services like bgp.he.net are all this step requires.
Free BGP and Routing Resources
This section emphasizes the availability of freely accessible tools and resources for gathering information on companies' BGP (Border Gateway Protocol) and routing information.
Freely Available Resources
- Several websites offer free access to BGP information, routing details, and company-specific data.
- The previously gathered IP ranges provide a solid starting point for further investigation.
- Having identified targets, the next step is to proceed with red teaming or hacking activities.
Checking for Additional Ranges
This section highlights additional autonomous system numbers associated with Tesla's assets and ensures comprehensive coverage of all relevant IP ranges.
Identifying Additional Ranges
- Three autonomous system numbers were initially identified for Tesla's assets.
- It is important to check if any additional IP ranges are associated with these autonomous system numbers.
- By reviewing the information, one more range is found and added to the existing data.
Why Simulate Real Attacks
This section discusses the importance of simulating attacks and testing security measures to ensure effective protection against real-world threats.
Importance of Simulating Attacks
- The speaker acknowledges Tesla's proactive approach in simulating attacks and testing their security measures.
- Traditional security services may not fully replicate what actual attackers do.
- The speaker shares personal experience as a security leader and bug bounty hunter, emphasizing the need for comprehensive threat intelligence and wide scope testing.
Bug Bounty Experience as Inspiration
This section highlights how personal experiences, including participating in bug bounties, have inspired the speaker's approach to cybersecurity.
Personal Experiences and Inspiration
- The speaker's personal experiences as a bug bounty hunter have influenced their perspective on cybersecurity.
- Critical findings discovered during bug bounty programs have motivated them to bridge the gap between defensive tools and real-world attacker techniques.
- The speaker mentions having participated in bug bounties for various companies mentioned throughout their examples.
Alternative Sources for ASN Data
This section provides alternative methods for gathering information about a target company's IP space if it is not available through Hurricane Electric bgp.he.net.
Alternative Information Sources
- If a target company is not listed on Hurricane Electric bgp.he.net, other websites can provide autonomous system number data.
- ARIN (American Registry for Internet Numbers) offers a free form search option that allows users to search for specific organizations like Tesla Motors Inc.
Process for Handling Large IP Ranges
The speaker discusses the process of handling large IP ranges and explains that it is a time-consuming task. They mention having an order of operations for reconnaissance on a company, which involves taking the IP ranges and performing certain actions.
- The speaker suggests grabbing all the IP ranges and using a tool or command line to process them.
- They mention using regex on the command line as an option for processing the IP ranges.
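The regex step above, written out as an added example (not code from the video or from Jason Haddix's tooling): it takes pasted text from bgp.he.net, an ARIN whois record or a RADb route query, pulls out every CIDR or "a - b" range, validates it with Python's ipaddress module, merges overlapping and adjacent prefixes, and emits a one-per-line target list a port scanner can read. The sample input is constructed and uses documentation address ranges (RFC 5737, RFC 3849), not Tesla's.

```python
"""Pull IP prefixes out of pasted ASN/whois text and collapse them.

Added example, not the video's or Jason Haddix's own tooling. It does the
regex step the speaker delegates to ChatGPT: paste whatever bgp.he.net, an
ARIN whois record or a RADb query (whois -h whois.radb.net -- "-i origin AS...")
returns, and get back a clean, de-duplicated target list. SAMPLE is
constructed and uses documentation ranges (RFC 5737, RFC 3849), not Tesla's.
"""
import ipaddress
import re

# Anything that looks like a CIDR; ipaddress does the strict validation later.
CIDR_RE = re.compile(
    r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]{2,39})/\d{1,3}\b"
)
# ARIN-style "NetRange: a.b.c.d - e.f.g.h" lines.
RANGE_RE = re.compile(
    r"\b(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\b"
)

SAMPLE = """\
Prefix             Description
192.0.2.0/24       Example Motors, Inc.
192.0.2.0/25       Example Motors, Inc. (more specific, already covered)
198.51.100.0/24    Example Motors, Inc.
198.51.100.0/24    Example Motors, Inc. (same line seen on a second ASN page)
203.0.113.64/26    Example Motors, Inc.
2001:db8:100::/48  Example Motors, Inc.
NetRange: 203.0.113.0 - 203.0.113.63
999.1.1.1/24       junk that only looks like a prefix
"""


def extract_prefixes(text):
    """Return de-duplicated, valid networks found in free-form text."""
    nets = set()
    for tok in CIDR_RE.findall(text):
        try:
            nets.add(ipaddress.ip_network(tok, strict=False))
        except ValueError:  # 999.1.1.1/24 and similar
            continue
    for lo, hi in RANGE_RE.findall(text):
        try:
            nets.update(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        except ValueError:
            continue
    # IPv4 and IPv6 networks are not mutually comparable; key on version first.
    return sorted(nets, key=lambda n: (n.version, n))


def collapse(nets):
    """Merge overlapping and adjacent prefixes, per address family."""
    merged = []
    for version in (4, 6):
        fam = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(fam))
    return merged


def ipv4_address_count(nets):
    """Rough size of the IPv4 scan job (addresses, not live hosts)."""
    return sum(n.num_addresses for n in nets if n.version == 4)


def target_list(nets):
    """One prefix per line, the format masscan and nmap accept via -iL."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    merged = collapse(extract_prefixes(SAMPLE))
    print(target_list(merged), end="")
    print(f"# {ipv4_address_count(merged)} IPv4 addresses to scan")
```

The collapse step matters for scope as much as for speed: a /25 pasted from one ASN page and the covering /24 from another are one range, and the address count tells you up front whether masscan or Nmap is the right scanner for the job.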
Requesting IP Ranges
The speaker talks about how they request specific IP ranges from their AI assistant.
- They mention using a front-end website called "Typing Mind" to interact with their ChatGPT API.
- The website allows them to input data, such as the requested IP ranges, and receive responses from the API.
- The speaker emphasizes that they have their own API key for this purpose.
Front-end Website for ChatGPT API
The speaker explains that Typing Mind is a front-end website they use to interact with their ChatGPT API.
- Typing Mind serves as a user interface for accessing and utilizing the ChatGPT API.
- It allows them to save questions in a library and provides information about their API usage and expenses.
Differences Between Front-end and API Usage
The speaker highlights the difference between ChatGPT's own web interface and calling the API through a front end such as Typing Mind with your own key.
- The consumer ChatGPT site gives no control over settings such as temperature or which model answers; an API key purchased from OpenAI does.
- With an API key, those parameters can be tuned per question.
- The front end also keeps a running tally of API spend.
Utilizing ChatGPT as a Regex Helper
The speaker explains how they use ChatGPT as a helpful tool for regular expressions (regex).
- They mention using ChatGPT to assist with tasks that would typically require searching on Google.
- ChatGPT is particularly useful for working with regex.
- The speaker states that they now have all the IP ranges and can proceed to the next step.
API Key Requirement for Using Typing Mind
The speaker clarifies that using Typing Mind requires inputting one's own API key.
- It is necessary to provide an API key in order to access and utilize the features of Typing Mind.
- This requirement ensures that users are charged accordingly for their API usage.
Sending IP Ranges to a Port Scanner
The speaker discusses sending the gathered IP ranges to a port scanner.
- A port scanner is the next step in their workflow once the IP ranges are in hand.
- The scanner they name is masscan, though Nmap can also be used.
- Live scans of ranges this large take a long time, so they run in the background while the rest of the methodology proceeds.
Choosing a Scanner and Previous Scans
The speaker talks about the scanner they use and asks about the host's experience with scanning.
- masscan is their preferred scanner for large IP ranges.
- They ask which scanner the host has used and whether it returned live IPs.
- The scans run as part of the workflow and the results are analysed later.
Analyzing Port Scan Results
The speaker discusses how they analyze the results obtained from port scans.
- After running the port scans, they move on to other sections of their methodology.
- Eventually, they tie everything together and start analyzing the findings from the port scans.
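An added example (not the speaker's tooling) showing the hand-off described above: build a rate-limited masscan command over the target list, parse masscan's -oL list output into per-host port sets, derive web URLs for the next profiling step, and narrow an Nmap version scan to only the ports that came back open. The masscan flags are the documented ones; SAMPLE_OUTPUT is constructed in masscan's list format with RFC 5737 addresses, not real scan results.

```python
"""Drive masscan over the ASN ranges and turn its output into work items.

Added example; not the tooling shown in the video. masscan_command uses
masscan's documented flags (-iL, -p, --rate, -oL); SAMPLE_OUTPUT is a
constructed sample in masscan's -oL "list" format, not real scan data, and
the addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict

TOP_PORTS = "21,22,25,80,443,445,3389,8080,8443"
WEB_PORTS = {80, 443, 8080, 8443}


def masscan_command(target_file, ports=TOP_PORTS, rate=1000, out="scan.list"):
    """argv for a rate-limited SYN scan of the prefixes in target_file."""
    # --rate is packets per second; keep it low on networks you do not own.
    return ["masscan", "-iL", target_file, "-p", ports,
            "--rate", str(rate), "-oL", out]


SAMPLE_OUTPUT = """\
#masscan
open tcp 443 192.0.2.10 1700000000
open tcp 80 192.0.2.10 1700000001
open tcp 22 192.0.2.11 1700000002
open tcp 8443 192.0.2.12 1700000003
open tcp 443 192.0.2.12 1700000003
open tcp 443 192.0.2.10 1700000004
# end
"""


def parse_list_output(text):
    """Map ip -> sorted open TCP ports from masscan -oL text.

    Each record is '<status> <proto> <port> <ip> <timestamp>'; comment lines
    start with '#'. Duplicate hits (retransmits) collapse into the set.
    """
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open" or parts[1] != "tcp":
            continue
        _status, _proto, port, ip = parts[:4]
        hosts[ip].add(int(port))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def web_targets(hosts):
    """URLs for the web ports, ready for a screenshot/tech-profiling pass."""
    urls = []
    for ip in sorted(hosts):
        for port in hosts[ip]:
            if port in WEB_PORTS:
                scheme = "https" if port in (443, 8443) else "http"
                urls.append(f"{scheme}://{ip}:{port}")
    return urls


def nmap_followup(hosts):
    """Service/version scan limited to what masscan actually found open."""
    ports = sorted({p for ps in hosts.values() for p in ps})
    return ["nmap", "-sV", "-Pn", "-p", ",".join(map(str, ports))] + sorted(hosts)


if __name__ == "__main__":
    print(" ".join(masscan_command("targets.txt")))
    found = parse_list_output(SAMPLE_OUTPUT)
    for url in web_targets(found):
        print(url)
    print(" ".join(nmap_followup(found)))
```

Splitting discovery (masscan, fast and noisy) from enumeration (Nmap -sV, slow but informative) is what lets the scan run in the background while the OSINT work continues; the follow-up only touches ports already known to be open, so it stays short even on large ranges.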
Importance of Subdomains for Target Analysis
The speaker emphasizes the significance of subdomains in target analysis.
- They state that for every subdomain found related to Tesla, it increases their chances of success by a multiplier.
- Similarly, finding apex domains associated with Tesla provides an even greater multiplier for hacking the target.
- The speaker aims to discover more companies acquired by Tesla or associated with them using OSINT tools.
Using Crunchbase as an OSINT Tool
The speaker introduces Crunchbase as an OSINT tool for gathering information about businesses.
- Crunchbase is a business aggregator company that sells information about different businesses.
- It can provide details on competition, funding, acquisitions, and more.
- In a hacker context, they mention using Crunchbase to extract data relevant to their purposes.
Finding Apex Domains and Subdomains
The speaker explains their intention to find additional companies associated with Tesla using Crunchbase.
- They express interest in discovering more companies that Tesla has acquired or is connected to.
- By finding apex domains like SolarCity, they expect there will be numerous subdomains associated with them.
- This expands the attack surface and increases opportunities for further exploration.
Crunchbase and Other OSINT Tools
The speaker mentions using Crunchbase as the first OSINT tool for their research.
- They plan to utilize Crunchbase to gather information about businesses.
- The speaker indicates that there are other OSINT tools they will use in addition to Crunchbase.
Accessing Crunchbase and Gathering Data
The speaker demonstrates accessing and utilizing Crunchbase for their purposes.
- They log into a free account on Crunchbase, which provides them with general access to the platform.
- While premium options are available, they mention not needing them for their current objectives.
- The speaker intends to extract relevant data from Crunchbase as part of their general workflow.
General Information About Tesla on Crunchbase
The speaker explores the information available about Tesla on Crunchbase.
- They search for Tesla on the website and find general details about the company, such as its location (Austin, Texas) and main domain (tesla.com).
- This information is already known but serves as an example of what can be found through Crunchbase.
Tesla's Acquisitions
This section discusses the acquisitions made by Tesla and their significance in terms of potential security vulnerabilities.
Acquisitions and Their Importance
- Tesla has acquired several companies, including SolarCity, Grohmann Engineering, Perbix, Maxwell Technologies, Hibar Systems, ATW Automation, Springpower, and Wiferion.
- Each acquisition represents a potential opportunity for hackers to exploit vulnerabilities in the acquired company's infrastructure.
- It is important to check if these acquired companies have changed their privacy policy or trademark to indicate that they are now owned by Tesla. This helps determine if they are within the scope of a red team engagement or Bug Bounty program.
- Acquisitions may provide an easier entry point into a company as they might not have the same level of security measures in place as the main organization. However, this depends on the maturity of the acquired company at the time of acquisition.
- Crunchbase shows acquisitions but limits how many a free account can see. A second source such as OCCRP Aleph can fill in a company's filings and acquisitions.
OCCRP Aleph
This section introduces OCCRP Aleph as a valuable resource for gathering information about companies like Tesla.
OCCRP Aleph: Investigative Research Tool
- OCCRP Aleph is a search engine built for investigative reporters; it indexes research materials and databases covering company filings, acquisitions, court cases, and more.
Exploring Data Sets for Tesla Motors
The speaker discusses the importance of accessing data sets related to Tesla Motors. They mention that while there are various filings and court cases available, the focus should be on finding data sets with the "data set" icon.
Accessing the US SEC CorpWatch Data Set
- For a US company like Tesla, look for the data set labelled "US SEC CorpWatch", which is built from Securities and Exchange Commission filings.
- Within this data set, search for entries with significant assets associated with them.
Analyzing the CorpWatch Entry for Tesla Inc
- Clicking on an entry like "Tesla Inc" within the CorpWatch data set provides valuable information about smaller companies that Tesla has invested in.
- This view offers insights into investments made by Tesla in smaller companies, particularly during their expansion into areas like solar energy.
- It also reveals names of these smaller companies, which can be further researched to determine if they were acquired or if Tesla only invested in them.
Using AI to Gather Acquisition and Investment Data
The speaker explains how AI can be utilized to gather information about a target company's acquisitions and investments. They highlight ChatGPT as a tool trained on internet data that can provide insights.
Querying ChatGPT for Tesla Motors Acquisitions
- ChatGPT can be asked about a target company's acquisitions, bearing in mind that its knowledge stops at its training cutoff (2021 at the time of the video).
- Asked about Tesla Motors acquisitions, it lists SolarCity, Grohmann Engineering, Maxwell Technologies, and DeepScale.
- Much of this overlaps with Crunchbase, but AI can occasionally surface an extra name, such as DeepScale here.
Verifying Acquisitions Using External Sources
- AI output must be verified before it enters the target list, because the model can be out of date or simply wrong. For example, search online to confirm that a company like DeepScale is still owned by Tesla.
- Verified acquisitions can then be added to the target list for further analysis and consideration in red team engagements.
The Power of Open Source Intelligence (OSINT)
The speaker emphasizes the importance of Open Source Intelligence (OSINT) and reconnaissance in gathering information about a target. They discuss how OSINT tools and techniques enable comprehensive investigations.
Extensive Reach of OSINT
- Proficiency in OSINT and reconnaissance allows individuals to uncover vast amounts of information about any subject.
- Examples include using OSINT to identify IP space associated with a company, discovering acquisitions, and investigating background details from photos.
- The speaker highlights that there are remarkable levels of expertise within the community when it comes to conducting thorough recon or OSINT activities.
Passive Approach in Red Teaming
- In red teaming exercises, maintaining stealth is crucial. The OSINT steps so far (ASN lookup, Crunchbase, Aleph, AI queries) are passive and touch nothing the client controls, so no source IPs get burned or blacklisted; the masscan/Nmap port scanning mentioned earlier is the one active step, and it is what the client's sensors would see.
Finding Related Sites with BuiltWith
This section covers a method to find other websites related to Tesla using BuiltWith and its browser extension.
Finding Other Websites Related to Tesla
- BuiltWith is a company that profiles the technology behind websites and sells that information to other businesses.
- BuiltWith offers a browser extension (Chrome and Firefox) and a bookmarklet that report the technology a site uses.
- Visiting tesla.com and clicking BuiltWith lists the technology in use, such as Google Analytics, Bugcrowd, Slack, Adobe, and TeamViewer.
- The "Relationships" tab shows the ad and analytics tracking codes Tesla embeds for marketing.
- Clicking on one of those codes lists every other site carrying the same code, which surfaces other domains Tesla owns.
Ad and Analytics Codes as Attack-Surface Pivots
This section explores how analyzing ad and analytics codes can expand the attack surface for hacking Tesla.
Expanding Attack Surface with Ad and Analytics Codes
- By analyzing ad and analytics codes using tools like BuiltWith, additional apex domains owned by Tesla can be discovered.
- Examples of such domains include teslammotors.com and powertesla.ru.
- Command-line tools can be used to extract this data from BuiltWith, potentially increasing the attack surface for targeting Tesla.
- This method of reconnaissance is not commonly utilized but can provide valuable information for both attackers and defenders.
Spotting Phishing Domains Through Shared Codes
This section highlights an example where analyzing ad and analytics codes helped identify phishing domains impersonating a major financial company.
Identifying Phishing Domains
- Analyzing ad and analytics codes can help identify fake websites attempting to impersonate legitimate companies.
- In a demonstration at a major financial company, the same Google Analytics UA tracking code was found on a phishing domain.
- The incident response team had to verify the legitimacy of each domain identified through this method.
- This approach can be helpful for defenders in identifying and mitigating potential threats.
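The pivot described in the three sections above, as an added example that is not code from the talk or from BuiltWith: the "Relationships" check done locally on raw HTML. It extracts tracker identifiers from each page, groups domains that share one, and then looks at the result from both sides: the sites sharing an ID with a seed domain (the attack-surface expansion) and the sites using one of your own IDs that are not in your inventory (the phishing-clone check the incident response team had to work through). The domain names, page fragments and tracker IDs are constructed for the example.

```python
"""Cluster web pages by shared ad/analytics tracking IDs.

Added example (not from the talk or from BuiltWith). Sample pages and tracker
IDs below are constructed; the regexes cover the common Google identifier
shapes but a real crawl would add the other trackers BuiltWith knows about.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Identifier shapes for common trackers as they appear in page source.
TRACKER_PATTERNS = {
    "google_analytics_ua": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "google_analytics_ga4": re.compile(r"\bG-[A-Z0-9]{8,12}\b"),
    "google_tag_manager": re.compile(r"\bGTM-[A-Z0-9]{5,8}\b"),
    "google_adsense": re.compile(r"\bca-pub-\d{10,20}\b"),
}


def extract_tracking_ids(html: str) -> set[str]:
    """Return every tracker identifier that appears in one page's HTML."""
    found: set[str] = set()
    for pattern in TRACKER_PATTERNS.values():
        found.update(pattern.findall(html))
    return found


def group_by_tracking_id(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each tracker ID to the set of domains whose pages carry it."""
    groups: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tid in extract_tracking_ids(html):
            groups[tid].add(domain)
    return dict(groups)


def related_domains(groups: dict[str, set[str]], seed_domain: str) -> set[str]:
    """Domains sharing at least one tracker ID with seed_domain (the recon pivot)."""
    related: set[str] = set()
    for domains in groups.values():
        if seed_domain in domains:
            related |= domains
    related.discard(seed_domain)
    return related


def unexpected_domains(groups: dict[str, set[str]], owned: set[str]) -> set[str]:
    """Defender view: domains using one of the owned IDs that are not in the
    owned inventory. Cloned phishing pages copy the original HTML, tracker
    snippet included, so they surface here."""
    owned_ids = {tid for tid, doms in groups.items() if doms & owned}
    return {d for tid in owned_ids for d in groups[tid]} - owned


# Constructed page fragments standing in for a crawl of each domain's front page.
SAMPLE_PAGES = {
    "example-cars.test": (
        '<script>(function(){ga("create","UA-1234567-1","auto");})();</script>'
        '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234"></script>'
    ),
    "shop.example-cars.test": '<script>gtag("config","UA-1234567-1");</script>',
    # A clone of the real site: same tracker snippet, different domain.
    "example-cars-login.test": '<script>ga("create","UA-1234567-1","auto");</script><form action="/login">',
    "unrelated.test": '<script>gtag("config","UA-7654321-2");</script>',
}


if __name__ == "__main__":
    groups = group_by_tracking_id(SAMPLE_PAGES)
    print("pivot from example-cars.test:", sorted(related_domains(groups, "example-cars.test")))
    owned = {"example-cars.test", "shop.example-cars.test"}
    print("not in inventory:", sorted(unexpected_domains(groups, owned)))
```

Run over a real crawl the input would be the fetched HTML of every candidate domain; the grouping logic is the same, and the `unexpected_domains` set is what a brand-protection or incident response team would review host by host.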
A Defensive Service Opportunity
This section emphasizes the business opportunity of helping companies identify fake websites using ad and analytics codes.
Business Opportunity
- Assisting companies in identifying fake websites can be a valuable service.
- Fake sites often use similar ad and analytics codes to appear legitimate to search engines and browsers.
- This method expands the attack surface, providing opportunities for businesses to offer services in detecting and mitigating these threats.
Thorough Reconnaissance Pays Off
This section highlights how conducting thorough reconnaissance by analyzing ad and analytics codes can significantly increase the success rate of hacking campaigns.
Increasing Success Rate with Thorough Reconnaissance
- Conducting level one reconnaissance for companies like Tesla using methods such as analyzing ad and analytics codes results in thousands of identified sites.
- These sites include both Apex domains and subdomains, drastically increasing the chances of running a successful hacking campaign.
The Importance of Reconnaissance
In this section, the speaker emphasizes the importance of reconnaissance in hacking and compares it to baseball terminology.
Getting More "At Bats"
- Reconnaissance is crucial in hacking as it allows hackers to gather as much information about their target as possible before launching an attack.
- By conducting thorough reconnaissance, hackers can emulate the adversary and increase their chances of success.
- The speaker uses a baseball analogy, referring to reconnaissance as getting more "at bats" or opportunities to hit the ball.
Exploiting Weaker Systems
- Instead of targeting heavily secured areas, hackers often focus on weaker systems that may not have the same level of security measures.
- For example, while Tesla's main website may be well protected, their regional distributor websites or forums might have lower security measures.
- Exploiting these undersecured systems provides hackers with additional entry points into the target's network.
Using Shodan for Information Gathering
This section introduces Shodan, a website and infrastructure spider used for information gathering in hacking.
What is Shodan?
- Shodan is a website and infrastructure spider that visits every website on the planet and indexes various information about them.
- It provides details such as IP addresses, SSL certificate information, and port information for each indexed website.
- Hackers can leverage Shodan's extensive database to gather valuable insights about their target before initiating any attacks.
Utilizing Shodan's Data
- While some hackers struggle to see how Shodan can be useful, there are tools like Karma that parse and analyze Shodan's data effectively.
- Karma is a command-line tool that utilizes Shodan's API to provide comprehensive data about targets.
- By using Shodan and tools like Karma, hackers can gain a deeper understanding of their target's infrastructure and vulnerabilities.
Using Shodan to Gather Data on Tesla
In this section, the speaker explains how they use Shodan, a search engine for internet-connected devices, to gather data on Tesla without directly accessing their systems.
Gathering Data with Shodan
- The speaker uses Shodan's download command with the "limit minus one" option (`--limit -1`, meaning no cap on results) to retrieve as much data as possible on Tesla.
- Shodan searches through its connected database and finds thousands of hosts that mention tesla.com.
- It retrieves certificate information from these hosts and provides interesting results such as login pages or forbidden sites.
Identifying Interesting Domains
- Shodan indexes website favicons (by hash), which makes it possible to pick out hosts running interesting technology.
- The speaker mentions that a path called "dana-na" is associated with a VPN login, which is valuable information for a red teamer.
Targeting VPN Logins
- The speaker highlights that the addresses found by Shodan are prime targets for understanding Tesla's VPN logins.
- These addresses can be used to find credentials and gain access to the internal network.
Leveraging IPv6 Addresses with Shodan
In this section, the speaker discusses how they utilize IPv6 addresses in their red teaming efforts using Shodan.
Discovering IPv6 Addresses
- The speaker explains that some companies assume their IPv6 addresses are secure because they believe no one will find them.
- By using Shodan, the speaker can easily find IPv6 addresses associated with interesting websites hosted by Tesla.
Benefits of Using Shodan for IPv6
- Port scanning an entire IPv6 network is usually impractical due to its large size.
- However, by leveraging Shodan's data, the speaker can quickly identify IPv6 addresses that are already associated with interesting information.
The Significance of IPv6 in Security Testing
In this section, the speaker discusses the significance of IPv6 in security testing and how it impacts port scanning and infrastructure discovery.
Challenges with Port Scanning IPv6 Networks
- Port scanning an IPv6 network is time-consuming due to the large number of addresses.
- Shodan simplifies the process by providing a list of known active IPv6 addresses associated with interesting websites.
Pivoting to Infrastructure Discovery
- As more companies adopt IPv6, security testers and adversaries need to adapt their strategies for finding infrastructure.
- The speaker mentions that Cisco routing and training play a significant role in this transition.
Uncovering Vulnerabilities on IPv6 Addresses
In this section, the speaker shares their experiences finding vulnerabilities on IPv6 addresses using Shodan.
Assumptions about Security on IPv6
- Developers often assume that their websites hosted on IPv6 addresses are secure because they believe these addresses are difficult to find.
- However, the speaker has found vulnerabilities multiple times by searching for IPv6 addresses on Shodan.
Simplifying Infrastructure Discovery
- Shodan's data allows the speaker to quickly identify active and vulnerable IPv6 addresses without having to perform time-consuming port scans.
Using Karma and Shodan API for Web Server Discovery
The speaker discusses the use of Karma, a tool that utilizes the Shodan API to discover web servers. By searching for specific keywords associated with login pages, Karma can identify potential targets.
Discovering Web Servers with Karma and Shodan API
- Karma uses the Shodan API to search for web servers associated with a specific domain.
- By looking for keywords like "login" in the server title, Karma can alert the user to potential targets.
- The speaker appreciates Karma's built-in Shodan dorking checks and its ability to update them over time.
- Users can also create their own custom queries in Karma to search for specific vulnerabilities or keywords.
Exploring Subdomains with shosubgo
The speaker introduces shosubgo, a tool used to extract subdomains and domains from the Shodan dataset. This provides a limited view of available information but helps in identifying potential targets.
Extracting Subdomains with shosubgo
- shosubgo is used to extract subdomains and domains related to a specific target domain from the Shodan dataset.
- It provides a list of subdomains found for tesla.com, which can be further analyzed or added to a mind map.
- Different users may choose different methods (such as spreadsheets) to organize this data.
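The Shodan workflow from the sections above (the bulk export, the certificate and favicon fields, the login-title and "dana-na" checks Karma makes, the IPv6 hosts that turn up alongside the IPv4 ones, and the subdomain list shosubgo extracts) as one added example. This is not code from the talk, from Karma or from shosubgo; it runs the same triage locally over an export file. The records are constructed to approximate the JSON-lines banner format that `shodan download` writes, the hosts and addresses are made up (documentation ranges), and the favicon hash table is an obviously labelled placeholder, not a real fingerprint.

```python
"""Triage a Shodan export for one organisation's apex domain.

Added example, not the talk's own code nor Karma or shosubgo. Records below
are constructed to approximate Shodan's JSON-lines banner format; the names,
addresses and favicon hash are made up.
"""
from __future__ import annotations

import ipaddress
import json
import re

# Placeholder favicon hashes: a real table would hold your own fingerprints.
INTERESTING_FAVICONS = {-1000001: "PLACEHOLDER-vpn-appliance"}
VPN_PATH_MARKERS = ("dana-na",)              # login path the talk calls out
TITLE_KEYWORDS = ("login", "sign in", "forbidden")

_SAN_DNS = re.compile(r"DNS:([A-Za-z0-9.*-]+)")


def load_banners(text: str) -> list[dict]:
    """Parse one JSON object per line (what `shodan parse` would read)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cert_names(banner: dict) -> set[str]:
    """Subject CN plus subjectAltName DNS entries from the banner's ssl.cert block."""
    names: set[str] = set()
    cert = banner.get("ssl", {}).get("cert", {})
    cn = cert.get("subject", {}).get("CN")
    if cn:
        names.add(cn.lower())
    for ext in cert.get("extensions", []):
        if ext.get("name") == "subjectAltName":
            names.update(n.lower() for n in _SAN_DNS.findall(ext.get("data", "")))
    return names


def in_scope(name: str, apex: str) -> bool:
    """True for the apex itself, any subdomain, or a wildcard covering them."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == apex or bare.endswith("." + apex)


def triage(banners: list[dict], apex: str) -> tuple[list[dict], set[str]]:
    """Return (findings, subdomains): hosts worth a closer look, and every
    in-scope hostname seen in certificates or reverse DNS (the shosubgo list)."""
    findings: list[dict] = []
    subdomains: set[str] = set()
    for b in banners:
        names = cert_names(b) | {h.lower() for h in b.get("hostnames", [])}
        scoped = {n for n in names if in_scope(n, apex)}
        if not scoped:
            continue                          # someone else's host
        subdomains |= {n for n in scoped if not n.startswith("*.")}
        http = b.get("http") or {}
        title = (http.get("title") or "").lower()
        body = (http.get("html") or "") + (http.get("location") or "")
        reasons = [f"title:{k}" for k in TITLE_KEYWORDS if k in title]
        if any(m in body for m in VPN_PATH_MARKERS):
            reasons.append("vpn-path")
        fav = (http.get("favicon") or {}).get("hash")
        if fav in INTERESTING_FAVICONS:
            reasons.append("favicon:" + INTERESTING_FAVICONS[fav])
        if reasons:
            findings.append({
                "ip": b["ip_str"],
                "port": b.get("port"),
                "ipv6": ipaddress.ip_address(b["ip_str"]).version == 6,
                "names": sorted(scoped),
                "reasons": reasons,
            })
    return findings, subdomains


# Constructed export: four banners, one of them out of scope, one on IPv6.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "203.0.113.10", "port": 443, "hostnames": ["vpn.example-cars.test"],
     "ssl": {"cert": {"subject": {"CN": "vpn.example-cars.test"},
                      "extensions": [{"name": "subjectAltName",
                                      "data": "DNS:vpn.example-cars.test, DNS:vpn2.example-cars.test"}]}},
     "http": {"title": "Login", "html": '<a href="/dana-na/">Sign in</a>'}},
    {"ip_str": "2001:db8::1", "port": 443, "hostnames": [],
     "ssl": {"cert": {"subject": {"CN": "*.example-cars.test"},
                      "extensions": [{"name": "subjectAltName",
                                      "data": "DNS:*.example-cars.test, DNS:dev-api.example-cars.test"}]}},
     "http": {"title": "403 Forbidden", "favicon": {"hash": -1000001}}},
    {"ip_str": "198.51.100.7", "port": 8443, "hostnames": ["mail.unrelated.test"],
     "ssl": {"cert": {"subject": {"CN": "mail.unrelated.test"}}},
     "http": {"title": "Login"}},
    {"ip_str": "203.0.113.20", "port": 80, "hostnames": ["www.example-cars.test"],
     "http": {"title": "Welcome"}},
])


if __name__ == "__main__":
    hits, subs = triage(load_banners(SAMPLE_EXPORT), "example-cars.test")
    for h in hits:
        print(h["ip"], h["port"], "IPv6" if h["ipv6"] else "IPv4", h["reasons"])
    print("subdomains:", sorted(subs))
```

The same function is the basis of a perimeter check for the defending side: run it against your own apex and compare the `subdomains` set and the flagged hosts with your asset inventory, since the IPv6 hosts and the forgotten login pages it surfaces are exactly what the talk says adversaries go after first.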
Prioritizing Targets and Approaching Hacking
The speaker explains how adversaries prioritize targets when dealing with large amounts of data. They emphasize that hacking requires manual work and there is no magic way around it.
Prioritizing Targets and Manual Hacking Approach
- Adversaries prioritize targets based on various factors, but ultimately it comes down to tackling one site at a time.
- The speaker suggests adding all potential targets to a mind map and systematically assessing each one.
- They mention that vulnerability scans can be automated, but for red teamers and bug bounty hunters, manual hacking is essential.
- Manual hacking involves performing a full web hacking methodology on each site, including checking for login pages, default credentials, SQL injection, cross-site scripting, etc.
Automation vs. Manual Hacking
The speaker discusses the balance between automation and manual hacking in the real world. While automation can speed up certain processes, manual hacking remains crucial for effective testing.
Automation vs. Manual Hacking
- Automation tools can help expedite certain tasks and reach the manual hacking phase faster.
- However, skipping the manual hacking phase is not recommended as it provides valuable insights and thorough testing.
- The speaker encourages viewers to seek assistance from professionals who can guide them through the process effectively.
Reverse Whois Analysis
In this section, the speaker discusses the concept of reverse Whois analysis and how it can be used to identify individuals or companies who have registered multiple websites. They mention a website called Whoxy that provides an online reverse Whois database for this purpose.
Reverse Whois Analysis with Whoxy
- Use the website Whoxy for reverse Whois analysis.
- It is a paid service but offers a reasonably priced license.
- Enter a company name, such as "Tesla," to see other domains registered under that name.
- This method can provide valuable information about domain ownership and potential connections between different websites.
Limitations of Reverse Whois Analysis
The speaker explains some limitations of reverse Whois analysis and highlights the need for manual research to validate the findings. They also mention using regular whois lookup for more detailed information on specific domains.
Limitations of Reverse Whois Analysis
- Some domains may be parked or exist only temporarily, making them less relevant.
- Manual research is necessary to determine if any identified domains are valuable.
- Regular whois lookup provides more comprehensive data on individual domains, including registrant information and technical details.
Example of Reverse Whois Analysis
The speaker provides an example of using reverse whois analysis on Twitch.tv to understand its domain history. They demonstrate how this technique can reveal past names and ownership changes.
Example with Twitch.tv
- Use reverse whois analysis on Twitch.tv using tools like Whoxy.
- Discover that Twitch.tv was previously known as Justin.tv before rebranding.
- Identify other domains registered by Justin.tv, indicating their association with Twitch.
- This method helps uncover new apex domains related to the target company.
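The join a reverse-whois service performs, plus the limitations the speaker lists, as an added example that is not code from the talk or from Whoxy. It normalizes registrant organisation names (so "Acme, Inc." and "ACME INC" index together), drops privacy-redacted records, builds the org-to-domains index, and pivots from one domain through its current and historical registrants to sibling apex domains, flagging domains whose EPP status says they are on the way out. All records are constructed; `registrant_history` is a hypothetical field standing in for the historical records a paid service returns.

```python
"""Build a local reverse-whois index and pivot from one domain to its siblings.

Added example, not the talk's code and not Whoxy's API. Organisation names,
domains and statuses are constructed; `registrant_history` is hypothetical.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Corporate suffixes to drop so "Acme, Inc." and "ACME INC" index together.
_SUFFIX = re.compile(r"[\s,.]*\b(inc|llc|ltd|corp|corporation|co|gmbh)\b\.?\s*$", re.I)
# Substitutes registrars use when privacy protection hides the registrant.
_REDACTED = ("redacted", "privacy", "data protected", "withheld")
# EPP statuses that mark a domain as parked for deletion or suspended.
TRANSIENT_STATUSES = {"pendingdelete", "redemptionperiod", "clienthold", "serverhold"}


def normalize_org(name: str | None) -> str:
    """Lower-case, collapse whitespace, strip a trailing corporate suffix.
    Returns '' for missing or privacy-redacted values so they never index."""
    if not name:
        return ""
    n = re.sub(r"\s+", " ", name).strip().lower()
    if any(marker in n for marker in _REDACTED):
        return ""
    return _SUFFIX.sub("", n).strip(" ,.")


def build_reverse_index(records: list[dict]) -> dict[str, set[str]]:
    """Map normalized registrant organisation to the domains registered under it."""
    index: dict[str, set[str]] = defaultdict(set)
    for r in records:
        org = normalize_org(r.get("registrant_org"))
        if org:
            index[org].add(r["domain"])
    return dict(index)


def is_transient(record: dict) -> bool:
    """True when the domain's status says it is being dropped or is suspended."""
    return any(s.lower() in TRANSIENT_STATUSES for s in record.get("status", []))


def pivot_from_domain(records: list[dict], seed_domain: str) -> dict[str, set[str]]:
    """Return {org: sibling domains} for the seed's current and past registrants,
    which is how a rebrand (old company name still on other domains) surfaces."""
    index = build_reverse_index(records)
    seed = next((r for r in records if r["domain"] == seed_domain), None)
    if seed is None:
        return {}
    history = [seed.get("registrant_org"), *seed.get("registrant_history", [])]
    orgs = {normalize_org(o) for o in history} - {""}
    out: dict[str, set[str]] = {}
    for org in orgs:
        siblings = index.get(org, set()) - {seed_domain}
        if siblings:
            out[org] = siblings
    return out


# Constructed whois records: a rebranded company, a privacy-redacted record,
# and one sibling domain that is pending deletion.
SAMPLE_RECORDS = [
    {"domain": "stream-example.test", "registrant_org": "Stream Example, Inc.",
     "registrant_history": ["OldName Video Inc"], "status": ["clientTransferProhibited"]},
    {"domain": "oldname-video.test", "registrant_org": "OldName Video, Inc.",
     "status": ["clientTransferProhibited"]},
    {"domain": "oldname-shop.test", "registrant_org": "oldname video inc",
     "status": ["pendingDelete"]},
    {"domain": "stream-example-cdn.test", "registrant_org": "Stream Example Inc",
     "status": ["ok"]},
    {"domain": "hidden.test", "registrant_org": "REDACTED FOR PRIVACY", "status": ["ok"]},
    {"domain": "other.test", "registrant_org": "Other Corp", "status": ["ok"]},
]


if __name__ == "__main__":
    by_domain = {r["domain"]: r for r in SAMPLE_RECORDS}
    for org, domains in pivot_from_domain(SAMPLE_RECORDS, "stream-example.test").items():
        for d in sorted(domains):
            note = " (transient, verify before spending time)" if is_transient(by_domain[d]) else ""
            print(f"{org}: {d}{note}")
```

The redaction filter is the reason the manual step the speaker mentions cannot be skipped: since GDPR most registrant fields are hidden, so the index only joins the minority of records that still carry an organisation name, and every sibling it returns still needs a regular whois lookup to confirm it is live and actually the same company.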
Reconnaissance and Company Awareness
The speaker emphasizes the value of reconnaissance and how it can provide insights into a company's online presence. They mention instances where companies were unaware of certain websites or online assets associated with their brand.
Importance of Reconnaissance
- Reconnaissance allows for a deeper understanding of a company's online presence.
- It can reveal websites or assets that even the company itself may be unaware of.
- Demonstrating recon findings to a company can help them identify overlooked or forgotten online resources.
Attack Surface and Bug Bounty Programs
The speaker discusses how bug bounty programs can help identify vulnerabilities in a company's attack surface. They highlight the importance of bug bounties as a defensive tool and share their experience with Walmart's bug bounty program.
Bug Bounty Programs and Attack Surface
- Bug bounty programs help identify vulnerabilities on a company's main website as well as other sites they may not be aware of.
- Companies with bug bounty programs have often already addressed some vulnerabilities found by researchers.
- Walmart has an extensive bug bounty program covering over 6000 websites across its various brands.
- Utilizing bug bounties as a defensive tool is an investment that strengthens security measures.
Benefits and Challenges of Bug Bounties
The speaker highlights the benefits and challenges associated with bug bounties, using Walmart's bug bounty program as an example.
Benefits and Challenges of Bug Bounties
- Bug bounties provide financial incentives for researchers to find vulnerabilities, improving overall security.
- Researchers often discover unknown websites or assets during bug bounty engagements.
- Companies may face challenges in managing large-scale bug bounty programs, especially for multinational organizations with numerous brands.
- Bug bounty programs can make the job of red teamers more challenging as many vulnerabilities have already been discovered and reported.
Using Whois Data for Apex Domains
In this section, the speaker discusses the use of whois data to find more apex domains and how it fits into the methodology of subdomain enumeration and reconnaissance.
Finding Apex Domains with Whois Data
- Whois data can be used to identify additional apex domains.
- This information is valuable for subdomain enumeration and reconnaissance.
- The process of recon is cyclical, and it's important to know when enough information has been gathered without getting overwhelmed.
Deciding When Recon is Enough
This section focuses on the importance of deciding when enough Recon is enough and when to move on to the analysis phase of hacking a site.
Knowing When Enough Recon is Enough
- Many bug bounty hunters get overwhelmed with information overload.
- It's crucial to decide when enough Recon has been done before moving on to hacking the sites.
- The goal is to gather as much information as possible about a company in order to have a successful engagement.
Cloud Space in Hybrid Organizations
Here, the speaker talks about hybrid organizations that have both owned IP space and cloud space, and how to find out what a client has in the cloud.
Identifying Cloud Space in Hybrid Organizations
- Many organizations today have both owned IP space and cloud space.
- Pentesters often miss out on exploring what clients have in the cloud.
- Research companies are scanning published cloud ranges like AWS ranges to download SSL certificates for further analysis.
Continuing with Cloud Space Analysis
This section continues discussing finding what a client has in the cloud by analyzing SSL certificates.
Analyzing SSL Certificates for Cloud Space
- SSL certificates can provide information about the sites they are associated with.
- Projects like Kaeferjaeger scan cloud ranges and download SSL certificates to identify sites hosted in the cloud.
- By analyzing SSL certificates, sensitive references and subdomains related to a company can be discovered.
Using Cloud Data for Target Analysis
The speaker explains how to use cloud data to analyze a target's infrastructure.
Leveraging Cloud Data for Target Analysis
- Cloud data provides insights into a target's infrastructure in the cloud.
- Tesla is used as an example, showing their presence in AWS and references to subdomains in their SSL certificates.
- Scanning all major cloud providers like Amazon, DigitalOcean, Google, Microsoft, and Oracle can reveal valuable information.
Scanning Cloud Ranges for IP Data
This section discusses scanning cloud ranges to gather IP data using projects like Kaeferjaeger.
Scanning Cloud Ranges for IP Data
- Projects like Kaeferjaeger scan all major cloud providers' IP ranges.
- These scans collect SSL certificates from IPs that respond on port 443.
- The metadata of SSL certificates reveals which sites they are associated with.
Extracting Site Information from SSL Certificates
Here, the speaker explains how to extract site information from SSL certificates obtained through scanning cloud ranges.
Extracting Site Information from SSL Certificates
- Downloaded SSL certificates contain metadata that indicates which site they are usually used for.
- Certain areas of the certificate provide additional information about other sites it might be used for.
- Groups like Kaeferjaeger perform extensive scanning and provide comprehensive views of all sites that responded on port 443.
Analyzing SSL Certificates for Cloud Infrastructure
This section focuses on analyzing SSL certificates to gain insights into a company's cloud infrastructure.
Analyzing SSL Certificates for Cloud Infrastructure
- SSL certificates can reveal a company's cloud infrastructure.
- The speaker demonstrates searching for Tesla's cloud infrastructure within the downloaded SSL certificate files.
- The analysis shows that Tesla is mostly hosted in AWS based on the identified cloud infrastructure.
Using Scanned Data for Target Analysis
Here, the speaker explains how scanned data can be used to analyze a target's cloud presence.
Utilizing Scanned Data for Target Analysis
- Scanned data provides a complete view of a target's cloud presence.
- By searching within the scanned data, specific sites and subdomains related to the target can be identified.
- The speaker emphasizes the importance of thorough analysis and testing, especially with sites containing "Dev" in their names.
The Importance of Cloud Security
In this section, the speaker discusses the importance of securing cloud services and introduces a tool called Cloud Scan for monitoring and scanning the cloud.
Cloud Scan Tool
- The speaker mentions a tool called Cloud Scan that allows users to download and parse files from the cloud on their local machines.
- This tool, developed by the speaker and Gunner, helps in creating a fresh database of everything in the cloud.
- It can also monitor new domains related to specific companies, such as Tesla, and alert users about potential security vulnerabilities.
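The cloud-range certificate analysis from the sections above (searching the downloaded scan data for a target, seeing which provider it mostly lives in, picking out the "dev" hosts, and the snapshot-to-snapshot monitoring Cloud Scan does) as one added example. It is not code from the talk, from the Kaeferjaeger project or from Cloud Scan. It assumes the published scan files carry one line per responding IP:port followed by the certificate's names in brackets; that line format is an assumption, so adapt the regex if your copy differs. All addresses and names are constructed.

```python
"""Search cloud-wide certificate scan data for one organisation, then diff snapshots.

Added example; not the talk's code and not the Kaeferjaeger or Cloud Scan tooling.
Line format `IP:PORT -- [name1 name2 ...]` is assumed. Data below is constructed.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# One scan line: host, port, then the certificate's names (CN and SANs) in brackets.
LINE = re.compile(r"^\s*(?P<host>\S+?):(?P<port>\d+)\s+--\s+\[(?P<names>[^\]]*)\]\s*$")
DEV_TOKENS = {"dev", "staging", "stage", "test", "uat", "qa", "sandbox"}


def parse_scan(text: str, provider: str) -> list[dict]:
    """Turn one provider's scan file into records of ip, port and certificate names."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                           # blank lines or unexpected shapes
        names = {n.lower().lstrip("*.") for n in m["names"].split()}
        records.append({"provider": provider, "ip": m["host"],
                        "port": int(m["port"]), "names": sorted(names)})
    return records


def in_scope(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def target_hosts(records: list[dict], apex: str) -> dict[str, set[tuple[str, str, int]]]:
    """Map every in-scope certificate name to the (provider, ip, port) tuples serving it."""
    hits: dict[str, set[tuple[str, str, int]]] = defaultdict(set)
    for r in records:
        for n in r["names"]:
            if in_scope(n, apex):
                hits[n].add((r["provider"], r["ip"], r["port"]))
    return dict(hits)


def dev_like(name: str, apex: str) -> bool:
    """Names whose subdomain labels carry a dev/test token: the hosts to test carefully."""
    if name == apex or not name.endswith("." + apex):
        return False
    sub = name[: -(len(apex) + 1)]
    return any(tok in DEV_TOKENS for tok in re.split(r"[.-]", sub))


def provider_summary(hits: dict[str, set[tuple[str, str, int]]]) -> Counter:
    """Where does the target live? Distinct IPs per cloud provider."""
    seen = {(p, ip) for tuples in hits.values() for (p, ip, _) in tuples}
    return Counter(p for p, _ in seen)


def new_names(previous: dict, current: dict) -> set[str]:
    """Monitoring: names in the current snapshot that the previous one lacked."""
    return set(current) - set(previous)


# Constructed scan excerpts, one per provider (documentation address ranges).
AWS_SAMPLE = """\
203.0.113.5:443 -- [www.example-cars.test example-cars.test]
203.0.113.6:443 -- [*.example-cars.test api.example-cars.test]
203.0.113.9:443 -- [cdn.unrelated.test]
"""
GCP_SAMPLE = "198.51.100.40:443 -- [dev-portal.example-cars.test]\n"
DO_SAMPLE = "192.0.2.77:443 -- [blog.unrelated.test]\n"


if __name__ == "__main__":
    apex = "example-cars.test"
    current = parse_scan(AWS_SAMPLE, "aws") + parse_scan(GCP_SAMPLE, "gcp") + parse_scan(DO_SAMPLE, "digitalocean")
    hits = target_hosts(current, apex)
    print("providers:", dict(provider_summary(hits)))
    for name in sorted(hits):
        print(name, sorted(hits[name]), "<-- dev-like" if dev_like(name, apex) else "")
    previous = target_hosts(parse_scan(AWS_SAMPLE, "aws"), apex)
    print("new since last snapshot:", sorted(new_names(previous, hits)))
```

Keeping the previous `target_hosts` result on disk and diffing it against each fresh download is the whole of the monitoring loop: anything in `new_names` is either a deployment your inventory should already know about or an unknown host using your name in a cloud provider, and both deserve an alert.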
Hacking Dev Sites and Bug Bounties
- The speaker raises a question about whether hacking a development site would still result in a payout. He confirms that bug bounties usually depend on the data accessed during the hack.
- Successful initial access to one site can often be leveraged to pivot to other platforms.
- The value of bug bounties depends on the sensitivity of the data obtained. For example, accessing API data related to Tesla's car telemetry could lead to significant payouts due to privacy breaches.
Conclusion and Future Topics
- The speaker concludes this section by mentioning that further topics will be covered in future sessions, including cloud analysis and reconnaissance.
- He emphasizes that finding assets and vulnerabilities in company systems benefits everyone by preventing adversaries from exploiting them.
Live Training and Red Teaming
In this section, the speaker discusses his live training sessions focused on recon, actual hacking, bug bounty programs, web testing, and red teaming.
Live Training Sessions
- The first day of training covers reconnaissance techniques while the second day focuses on actual hacking.
- The speaker mentions that his training sessions are virtual and conducted over Discord, allowing participants from anywhere to attend.
Bug Bounty and Red Teaming
- The speaker highlights the red team component of his training, which covers bug bounty programs and web testing.
- He describes this class as a conglomeration of his research and offers it a few times a year, with another session planned for November.
- Additionally, he mentions his consultancy service called BuddoBot, which provides comprehensive red team assessments.
Audience Feedback and Course Format
In this section, the speaker discusses audience feedback and the format of his courses.
Audience Feedback
- The speaker encourages viewers to provide comments about topics they would like him to cover in future videos or training sessions.
Course Format
- The speaker confirms that his courses are virtual but live. They are conducted over Discord, allowing participants from anywhere to attend.
- He mentions building a strong community during the live sessions where participants can ask questions and interact with each other.