Offensive security tools with Brendan O'Leary from ProjectDiscovery

In this episode we are joined by Brendan O'Leary from ProjectDiscovery and learn about the tools that hackers, bug bounty hunters, and red teams use to map infrastructure and find vulnerabilities.

Video Transcript

...and it's creating that pipeline of tools together, right? So, you know, I said at the beginning we're focused on these many sharp tools, so it's very much the Unix philosophy of many sharp tools. And there's lots of different kinds of projects out there, some proprietary, some open source, and a lot of them have tried to be everything for the bug bounty hunter or the red team. We've kind of taken a different approach to say we're going to have many tools, right? So people have heard us saying things like SubFinder and nuclei; there's also a tool called httpx. So I actually piped those three tools together, right?

That was part of a conversation that we had with Brendan O'Leary. Brendan is the head of community at projectdiscovery.io, an organization that builds some of the most widely used hacker tools for both red teams and blue teams, and in this podcast we're going to discuss exactly those tools: how they came about, who uses them, and why you should know that they exist. That's all coming up in a minute, but first it's time to take a look at our breach of the week.

In this week's breach of the week we're looking at Western Digital. Western Digital is a California-based drive manufacturer and personal storage solution provider; mostly what they sell is physical external hard drives and data storage solutions. They also have a component in the cloud named My Cloud. What we do know is that since Sunday the My Cloud component of Western Digital has been unreachable and intentionally shut down by the organization. They have released a statement saying that attackers or intruders were able to breach multiple systems and are still infiltrated on their network. Since the breach, Western Digital have released some statements saying that upon discovery of the incident the company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts. We don't know right now exactly what has been affected or how the attackers were able to infiltrate the network and compromise their systems. Being that Western Digital deals with personal data, this could be quite a significant breach. If you are a user of Western Digital products, now should be a very good time to ensure that you don't have sensitive information stored on your physical or cloud drives, and if you do, to limit the damage as much as possible. This will include rotating any passwords that are exposed and backing up any data that you still have access to. What is scary at this point is that this almost certainly does have some wide-reaching implications: businesses don't regularly shut down core services for hours, let alone many days, and the My Cloud service has been shut down for at least three days at this point. Because we don't know exactly how the intruders were able to make initial access, what systems are compromised, and ultimately what personal or customer data has been exposed, it is always best to play on the safe side and assume at this stage that your information has been breached. But of course we will hear more information from Western Digital as their forensic investigation unfolds. As I said, we don't actually know how the attackers were able to intrude the network of Western Digital, and there's lots of ways that they could have potentially done this, including many tools that they could have used. In today's podcast episode we're actually going to look at some of those tools that could have been used; we're going to discuss exactly what they are and why you should be using them as part of your red team operations in your organization. So without further ado, and more to that conversation, I want to invite Brendan O'Leary, the head of community at projectdiscovery.io, to lead us in our conversation.

Yeah, I'm so happy to be here, thanks so much for having me. I'm currently head of community at a company called ProjectDiscovery, the makers of nuclei and other open source security tooling, but Dwayne and I go way back to my days at GitLab and maybe even before that. So yeah, really excited to be here.

So yeah, just diving right in there: ProjectDiscovery. Could you just give us a quick, super high-level, what's ProjectDiscovery all about?

Sure, yeah. So at ProjectDiscovery our mission is to democratize security, and the way we're doing that is we're focusing heavily on having a lot of sharp open source tools that can enable a modern security engineer to get their job done. So, you know, the modern security engineer thinks a lot about how is an attacker going to look at our attack surface, or a bad actor, or a bad internal actor, and then how can I scan for meaningful vulnerabilities, not just the world's worth of possible false positives, but the things that really are going to be where an attacker is going to be able to gain a hold into my infrastructure. And so we make a lot of really popular tools. Nuclei is probably the most popular; that's used for scanning and is able to represent vulnerabilities as code. There's nuclei templates, or this YAML specification, that allows you to kind of define how a vulnerability can be exploited, and that allows folks to really clearly communicate. It's something that we're excited to bring to the enterprise because we think that it can enable communication between security engineering and the rest of engineering to really find and mitigate vulnerabilities and remediate them much quicker. So that's what we're doing right now.

Nuclei is such a cool tool, and I mean it's interesting, because obviously we're talking about defense here, but it's actually used by a lot of red teams as well. It's a very versatile tool. In kind of our discovering ProjectDiscovery, was it intended as purely a blue team tool, something for defense, or was it always kind of meant to be that dual-purpose kind of vulnerability scanner?

Yeah, that's a great question. I think actually, interestingly enough, it probably started life more on the red team side of things. So our co-founders actually met through GitHub, building nuclei together, and they were self-taught hackers at heart, right? And so our CTO Sandeep used to work actually at HackerOne and then was also an independent bug bounty hunter, and so you'll see a lot of bug bounty hunters using our tooling, and then like you said, many red teams. But I think that we're kind of seeing the shift where, as a defender, as someone on the blue team, I want to think more like an attacker when I'm trying to defend, right? And so that's why I think we're seeing this advent of the word "purple team", right, this concept of kind of bringing together both aspects of offensive security and defensive security to bear on the problem of, you know, especially large enterprises having massive online footprints, right? A big thing you hear a lot about today that I was kind of surprised about coming into security is just the attack surface management side of things: like, what's out there, what DNS records are sitting out there waiting to have someone take advantage of them. It's kind of incredible. So I wasn't a bug bounty hunter before I joined, but I've been trying to kind of get in that mindset, and I actually recently submitted my first ever bug bounty entry. I can't talk about who it was, but I'll tell you it was a Fortune 50 company who I own a subdomain of right now, like I own somesubdomain.thisfortune50company.com, and it's just surprising to me. And that's just the nature of this massive attack surface, and managing that attack surface is actually a big part of it. And so the tools outside of nuclei we make, like SubFinder and naabu and these other tools, are about that attack surface management side of it. And what we would call on the red team side, or on the bug bounty side, "recon", we could call on the blue team side "attack surface management". So again, these things are kind of interconnected.

I think I like that term, attack surface management. Could you talk a little bit, I know you can't talk about specifics, but just the type of attack, subdomain hijacking, can you describe that for people that might not be familiar with that type of attack? That was a new concept for me about six months ago, the first time I'd ever even heard of anybody doing that.

Yeah, so the concept of a subdomain attack or subdomain takeover is there are a myriad number of ways that an organization can accidentally leave a subdomain up for an attacker to take control of. And so this is actually kind of not even like a penetrating attack. What it is is we've had some subdomains spun up at one point and we had something living there, and then since then we've maybe decommissioned or transitioned the application that was living there, but the DNS record's still active. And if that DNS record points to something that I as an attacker can go get, that's a big problem. So for instance, Elastic Beanstalk from AWS, or the domain at Heroku or Netlify, or some of these things where I can specify the subdomain that I want, can then mean I can take over, right? So if the organization had projectdiscovery.us-east-1.elasticbeanstalk.com pointed to myapplication.projectdiscovery.io, and that application is no longer there but the DNS record's still there, I as an attacker can just log on to my AWS account and take that route, and now I can act as if I'm really on projectdiscovery.io. And then that has weight for extended attacks: like, if I wanted to do a phishing campaign, now even if folks are trying to look like, oh, let me make sure this is on the right domain, it is on the right domain, but it's still owned by an attacker. And so it's kind of a dangerous thing, but one that comes out of, I think, again, not being able to manage that attack surface really well. It's like, oh, we spun down that application, it's not vulnerable anymore, while the DNS record actually can make it very vulnerable to this kind of extended subdomain takeover attack.

Yeah, that's really interesting. And whilst we're speaking about some of these tools that you have, I don't even know if you realize, but if you want to check out how an attack unfolded using SubFinder and nuclei, there's a hacking group called Sakura Samurai who did an attack on the Indian government. Well, I shouldn't say attack, they were an ethical hacking group, on the Indian government, and they actually go through it. They should sponsor ProjectDiscovery, because I think they use all of your tools in this one hack, and it's really interesting to see what you're talking about: the attack surface mapping and then going in to find vulnerabilities. I mean, this is exactly what this group described to me, and there's videos of it, where they start off trying to identify all the subdomains using SubFinder, then they'll actually specifically look for exposed git repositories, and then they're using nuclei for other vulnerabilities in that. So it's really interesting to talk about this, and for people that are wondering how on earth did you manage to do that. I'm assuming that you used some of these ProjectDiscovery tools in that research that you did for that bug bounty?

I did, I did, and I'm gonna write a blog post, right? Like, best laid plans of anyone who's ever run devrel: I've got a blog post that I'm going to write for sure, but it will come out. It'll be, you know, how I got my first bug bounty with just PD tools. So that's exactly what I did, and it's creating that pipeline of tools together, right? So, you know, I said at the beginning we're focused on these many sharp tools, so it's very much the Unix philosophy of many sharp tools. And there's lots of different kinds of projects out there, some proprietary, some open source, and a lot of them have tried to be everything for the bug bounty hunter or the red team, and we've kind of taken a different approach to say we're going to have many tools, right? So people have heard us saying things like SubFinder and nuclei; there's also a tool called httpx. So I actually piped those three tools together, right? So SubFinder does passive subdomain discovery. What it does is it looks at various internet databases of subdomains from DNS records and other things, and it finds all of those subdomains. So again, if I was looking at projectdiscovery.io, I want to find every subdomain, right: api.projectdiscovery.io, store.projectdiscovery.io, all these things that are subdomains of it. And then I used our tool, I piped that tool, right, very Unix-like, into httpx, which is a tool that then looks, is there an HTTP response on the most common ports, right, 80, 443, but then also like 8443 and lots of other ports that you commonly look for. And then if it gets a response, that tells you something. Or dnsx does a similar thing: does this DNS record still exist? That gives you an interesting piece of information, and then you feed that into nuclei, and then nuclei runs. Well, our nuclei templates: we have over 4,500 public templates that folks have contributed, right? And so one of those templates might be, again going back to the AWS example, Elastic Beanstalk takeover: like, does this domain point to Elastic Beanstalk but doesn't respond to an HTTP request, thus this application's down but the DNS record still exists, right? Those two things in combination flag, comes back as a finding from nuclei that says this is possibly vulnerable to that attack or this kind of attack. And then you'll find lots of other templates; like, probably the vast majority of our templates are named CVE-dash-and-then-the-CVE-number, right, like how is this property vulnerable to the CVE, right? The classic example here is Log4Shell, or Log4j, or whatever the right way to call that vulnerability is: when that came out, within hours there was a nuclei template in the public domain to detect that. And the difference that makes for folks that are using our tooling is it takes the proprietary vendors longer than that, in some cases days, maybe weeks. Maybe that attack's not a great one, because I think everyone woke up really quick to that one and probably had it within a few days, but sometimes it can take weeks for a CVE to get translated into a signature that a proprietary tool can recognize, versus with nuclei, A, you might get it from the open source community quickly, and B, you can actually write your own templates. So we have a lot of folks that are using our templates to write things that are unique to them, right? So, you know, things that are in their application stack that they want to be aware of or that they just want to be alerted to. You can write these nuclei templates, which are super, super flexible: you just define a request or a port or a DNS lookup and then it can come back with findings. So that's really valuable, and you see lots of folks that have their own custom templates alongside maybe some of our public templates to really make it powerful.

So we've been talking a lot about nuclei on this call, but you mentioned just briefly there httpx. I know that's one of the other tools that ProjectDiscovery makes available out there in their open source stack. I'm curious how did that evolve? Like, did nuclei start as the project and then the company grew around that, or was it asset management, like, something else going on entirely, and then you realized we can tie these things together? And I guess it's really a two-part question, because the next part would be, like, something that I've heard thrown around talking about nuclei is the concept of intelligent automation. And you talk about tying these things together, but how should people approach this? Like, there are a lot of tools, there's a lot of moving parts, but are you talking about architecting your own system? I know there's a lot in that question, but I'll leave it to you.

Yeah, no, I'll take a couple stabs at that. So first, I think the way that each of these tools evolved: I think nuclei, pardon the pun on its name, has really become the center of a lot of these things, right? And in fact it integrates httpx and dnsx right into it now. And there's lots of other tools that we have, and I think each of those tools grew out of a need, right? Again, our founders were bug bounty hunters, they were security engineers at companies that had a very modern take on security engineering, not like kind of the old stuffy guys in suits at RSA buying things from other guys in suits. They're more of the bearded security engineer that's really trying to understand the attack surface. And so each of these tools came from a point that you made at the end there, Dwayne, that there's lots of these tools out there, right? And what they did is they wanted to, again, make them sharper, right? So for instance, let's talk about subdomain enumeration. There's lots of tools that do that; some do it through brute force, which is a longer process, and then some do it in passive ways, and some do it in both. And we really wanted to build a tool that was sharper and could, by default, out of the box, do passive-only, as-quick-as-possible subdomain enumeration, right? And then yes, you can do more complicated things, but we wanted it to come out of the box for someone who's learning about bug bounty hunting or learning about red teaming or learning about this modern security engineer approach, to be able to get at it quickly. And that's where our open source ethos really is, with those individual users. Now when you're talking about folks setting up this pipeline, then that gets more complicated, right? If you talk to a given bug bounty hunter at the top of bug bounty hunting, I'm sure they could show you their very complex pipeline with a lot of PD tools and a lot of other tools that come in. But I think for the enterprise that wants that kind of, again, out of the box, we want it to work, we want this modern security approach, but we don't want to be stitching these things together: that's where we're focusing our efforts on the commercialization side with what we're calling Nuclei Cloud. And so Nuclei Cloud is something that we've currently released in kind of a closed beta, for folks to be able to stand up and have a GUI and an interface and a scalable way of running these tools against their infrastructure. And so that's something we're really excited about. It's in the very early days right now, but it's exciting, and we've got a lot of interest from those in our community who also work at large enterprises and want to bring these tools in and make them a part of how they are doing their security practice. And the other big piece of that is remediation. So again, if I'm the bug bounty hunter, I don't want to say I don't care about remediation, but I want to identify the problem and send it to the person who's in charge of remediating, right, the company that I'm doing the bug bounty for, but I don't have any control over that process, right? Then it's up to them. If I'm the enterprise, I want to be able to remediate these things really quickly. And so it's really interesting, actually: if you look at, for instance, Starbucks' HackerOne bug bounty program, they actually offer more money to a bug bounty hunter if they include a nuclei template with the bounty. And we can only assume that's because Starbucks is then using that template as the way to communicate with engineering and the ops folks about how and why this exploit exists. And so I think that's where that remediation cycle, and kind of having an out-of-the-box way to run those tools together, is where we see an opportunity for us to help the enterprise while also maintaining this amazingly awesome set of open source tools that are focused on the individual user, that community of bug bounty hunters and security professionals that are in our community today. So that's really exciting.

All right, let's get into something new here that I know is on the cards at ProjectDiscovery, and it's described in just one word, which is Chaos, which has left me very, very curious. But you've talked about kind of piecing these things together, and I really liked what you said about remediation, because that's such an important part that I think is often forgotten, not by the organizations, because they have to deal with it, but by vendors, by the people building the tools. But so what is this offering here that I see just as Chaos? Can you dive into a little bit about what that is?

Sure, yeah. I know it's a great term for it, right? I think the term comes from the chaos of what we were talking about earlier, right, the chaos of, especially if you're a large multinational enterprise, the sprawling infrastructure. We talk about this, and I come from the DevOps world, we talk about this in the DevOps world: like, we have microservices and systems everywhere, and we can't really human-reason against that just because of the scale of what they are, right, if I'm a Fortune 1000 company or a large enterprise. And so part of that is attack surface management, and there's kind of, again, two ways of looking at that. Is it passive discovery of attack surface, right, through known public databases of things that are out there, or is it kind of a more active discovery, where we're maybe using common terms to see, does api. exist, does test., stage., does prod. exist, for all these things? And so the idea of, again, SubFinder was a quick, fast, passive one, right, and so it hits internet databases that have information about DNS records and other things. And then Chaos is our goal of creating a better active scanner that can then be used by those passive scanners. So Chaos will be another data source, or it can be another data source, for SubFinder, but it involves our team actually doing active scanning of the entire internet to try and map against these large enterprises that have bug bounty programs. So we also keep a public repository of bug bounty programs on our GitHub that has all the details about what's in scope, what's out of scope, where the bug bounty program exists, if it's Bugcrowd or YesWeHack or HackerOne or maybe their own bug bounty program on their website, right? And so for those public bug bounty programs we want to provide great attack surface discovery for, again, both individuals who may want to be participating in these bug bounty programs, but then also, I think, of course it's going to have value for the enterprise in discovering their own attack surface and figuring out what they're missing from where their attack surface is. And again, it's something that I guess I was a little bit surprised to find out, but then again, if I apply my DevOps hat to it, not that surprising. Like, it seems obvious to me to say, and it's because I'm an amateur software runner, well, I know every subdomain that is on boleary.dev or whatever. But as soon as you scale up to a hundred, a thousand, ten thousand software engineers, right, that problem of what's out there, what's production, et cetera, becomes a very hard problem to solve, and one you can't really solve with human reasoning anymore easily, right? It's not a spreadsheet of all your subdomains; it's got to be more of an automated process to understand what's going on.

Yeah. So if I understand this correctly, Chaos is kind of a resource. It's a resource for the bounty hunters to be able to kind of gather more information about the types of organizations, bounties, and information about them that they can use to, I guess, launch research.

Yeah, start their reconnaissance, right? That reconnaissance piece of the bug bounty hunting can be, or maybe many times is, the longest process, right? What do these folks have, what's the technology that these things are running, where's WordPress, what WAF are they using, all these questions that you're going to have when you start to maybe take a look at a new bug bounty program. The idea of Chaos is to try and have us spend that time, quote unquote, doing that recon for folks, so that they can then have a package of, like, here's the latest reconnaissance information for this particular bug bounty program. And when we talk to not only bug bounty hunters but enterprises that are running bug bounty programs, that's hugely valuable, right? I was talking with a CSO actually just the other day who was saying, like, I want to be able to give, especially to the bug bounty hunters that I trust, more and more access to information and inside systems, so that it's not just a black box that they're coming at, but a grayer box, because I trust those folks to then use that gray box to expand their footprint and show me vulnerabilities before someone with bad intentions finds them. So it's really interesting.

That's really cool, and I love that enterprises see value in this, because I see value in this as well for the enterprises. There will be people out there listening that embrace some security-by-obscurity model, let's say, and that may be listening to other organizations that say, hey, I don't want to make it easier for the guys doing bug bounties, I want to make it harder for the bad guys, like, so I want to make it harder for everyone. Do you get pushback from that, and what's your kind of reasoning to get around that?

I think there probably is pushback from the right organization, right, from an organization who kind of has that stodgy older view of security. And maybe, again, security through obscurity isn't invalid, I don't think, but if there's public information available out there about your company, then you're not practicing security through obscurity by ignoring it; you're just ignoring the fact and assuming there's obscurity, right? So actually identifying what assets are out there and available to the internet is really the first step anyone should take, whether you kind of have the security-by-obscurity approach or you have a modern approach where, we think, and we obviously believe, that having bug bounty hunters and encouraging that community to come and do ethical hacking against you is probably one of the best ways to help secure your perimeter. And that's why we see these large enterprises, we see the US Department of Defense, right, very much the number one security-by-obscurity group out there, maybe, participating in bug bounty programs, bringing in folks. Like, in Las Vegas every year there's a big hacking convention on an Air Force base. Again, those are folks that love obscurity as part of their security plan but still see the value in, like, whatever is exposed, we need to know what that is, right, because not knowing about it and pretending like it doesn't exist is going to actually harm us more in the end.

That's a really good segue here toward wrapping up. Thank you very much for being on the show today. But yeah, how would someone that wants to get started, and you recently just became a bug bounty hunter yourself, how would you recommend someone get started with this if they're like, yeah, this actually resonates with me, I need to be on top of this for my org, or I want to go out and help the community? Where should they start?

Yeah, so of course projectdiscovery.io is a great place to discover more about our tooling. You can also join our Discord server; there's a lot of folks in there with various levels of experience, right? We get folks with brand new questions, we get folks with advanced questions that I look at and I'm like, yep, gonna have to get some of our serious engineers involved. So I highly recommend joining that, and then there's lots of other communities too, right? So I learned a lot on YouTube from folks like NahamSec and STÖK, these folks that are content creators focused on the bug bounty community. I learn a lot through YouTube, right? If I'm trying to do almost anything I can find a great YouTube video about it, and I think bug bounty hunting is ripe for that; there's a lot of great content out there. And then yeah, join these communities. Again, NahamSec has a great Discord, and so get involved, and don't feel like you can't get involved just because you don't know what you're doing. I still don't know what I'm doing, but I dove in head first, and I think that's true of learning any new technology. And so it's kind of my general advice for life, which is dive in, learn, don't be afraid of asking a stupid question. If you have the question, guaranteed there's ten other people that aren't speaking up that have the question too, so speak up and ask the question, and I've found the community to be very willing and able to help answer those questions.

Yeah, I think the security community is one that's actually really surprisingly welcoming. I think anyone that comes into this for the first time, I think it's quite intimidating from the outside, but once you go on the inside you realize that actually there's lots of people in your position and everyone has been there, so everyone can relate. Well, I think that takes us to the end of the episode. So Brendan, thank you so much for taking the time and being here. Now if people want to learn more about you or follow your articles, I know you speak at conferences, how can people kind of follow you and keep up to date with what you're up to?

Yeah, so probably the best way is on Twitter at olearycrew, but you can also follow my blog directly at boleary.dev, b-o-l-e-a-r-y dot dev, and you can find my links there to, like, Mastodon and LinkedIn and all those other fun places. But I'd be lying if I didn't say I spend most of my time on Twitter still, so find me there.

Does boleary.dev have a bug bounty program? If I find a subdomain that's unattached...

I should work one out, right? Like, gonna add a security.txt to it so that you know how to get...

All right, thanks again mate, and we'll see you next time.
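A defender-side version of the dangling-record check Brendan describes (DNS record still present, application behind it gone), written as an added example for this page rather than any ProjectDiscovery code. It walks a constructed zone export, keeps the CNAMEs that point at shared-hostname providers, and flags those whose target no longer resolves. The zone records, the resolver answers, the provider suffix list and the example.org names are all constructed; a real run would swap `resolves()` for live DNS lookups, which is the job dnsx and httpx do in the pipeline from the episode.

```python
"""Dangling-CNAME inventory check over a DNS zone export (offline example).

Constructed data throughout: zone records, resolver answers and the
provider suffix list are inline so the script runs with no network.
"""

from dataclasses import dataclass

# Hosting services that hand out customer-chosen hostnames under a shared
# parent domain (the Elastic Beanstalk / Heroku / Netlify case from the talk).
# Constructed list; extend it with the providers your organisation uses.
TAKEOVER_PRONE_SUFFIXES = (
    ".elasticbeanstalk.com",
    ".herokuapp.com",
    ".netlify.app",
)

# Constructed zone export for an imaginary organisation (name, type, value).
ZONE_RECORDS = [
    ("myapplication.example.org", "CNAME", "projectdiscovery.us-east-1.elasticbeanstalk.com"),
    ("store.example.org", "CNAME", "shop-prod.herokuapp.com"),
    ("docs.example.org", "CNAME", "docs-site.netlify.app"),
    ("www.example.org", "CNAME", "example-org.github.io"),
    ("api.example.org", "A", "203.0.113.10"),
]

# Constructed resolver answers: True if the CNAME target still resolves,
# False if it comes back NXDOMAIN, i.e. the application was torn down.
RESOLVER_ANSWERS = {
    "projectdiscovery.us-east-1.elasticbeanstalk.com": False,
    "shop-prod.herokuapp.com": True,
    "docs-site.netlify.app": False,
    "example-org.github.io": False,
}


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    reason: str


def provider_suffix(target):
    """Return the matching takeover-prone suffix for a CNAME target, or None.

    Normalises case and a trailing dot so zone-file spellings match.
    """
    t = target.lower().rstrip(".")
    for suffix in TAKEOVER_PRONE_SUFFIXES:
        if t.endswith(suffix):
            return suffix
    return None


def find_dangling(records, resolves):
    """Flag CNAMEs whose target sits on a takeover-prone provider AND no
    longer resolves: the DNS record has outlived the application.

    `resolves(target) -> bool` is injected so the check can run offline.
    """
    findings = []
    for name, rtype, value in records:
        if rtype != "CNAME":
            continue  # A/AAAA records are outside this particular check
        suffix = provider_suffix(value)
        if suffix is None:
            continue  # not a shared-hostname provider we track
        if resolves(value):
            continue  # target is live; nothing to clean up
        findings.append(Finding(name, value, f"CNAME to unresolvable {suffix} host"))
    return findings


def resolves(target):
    """Constructed stand-in for a DNS lookup; replace with real resolution."""
    return RESOLVER_ANSWERS.get(target, False)


if __name__ == "__main__":
    for f in find_dangling(ZONE_RECORDS, resolves):
        print(f"[dangling] {f.name} -> {f.target}: {f.reason}; remove or re-point the record")
```

Note that www.example.org is not flagged even though its target is unresolvable, because github.io is not in the constructed suffix list: the check is only as good as the provider list you maintain for it.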