I wrote a script in Go which queries the Shodan database based on a list of organizations that you feed into it. Then it retrieves all the bug bounty participants from the Bugcrowd website and connects these two things.

INTRODUCTION

Everything began when I wanted to learn a new programming language and start on projects related to security in some way. I decided to start with Go (Golang) and Shodan. I thought to myself, why scan one organization with multiple tools when I can scan multiple organization with one tool?

For those, who doesn’t know what Shodan is, here is their main page.

scan2

Besides webcams, refrigerators, SCADA systems, MMQT, external disks, Shodan can help with subdomain enumeration and it’s very helpful in reconnaissance.

The scariest search engine on the Internet can operate on filters like: “port”, “city”, “hostname” or “org” for organization and by now I think you know where this is going.

A Few Notes On Script

That was my first contact with Golang ever. I quickly have got acquainted with this language (A Tour of Go was very helpful) and just start writing. It wasn’t easy at the beginning but StackOverflow did his job. I realize, this is not a masterpiece but I’m proud that it worked at all.

Script gets file including organization names separated by newline and next makes query to Shodan’s database.

Example usage:

./shodan hosts.txt

Content of hosts.txt

Sony Facebook Dropbox

Counter of founded results is broken, so do not count on them ;)

Additionally, we are not interested in smb, smtp or dns services, so I added most used HTTP ports to request. The final query can look like this:

org:’Sony’ port:’80, 81, 443, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888'

Sony is not an accurate request at all. This includes:

Sony Network Communications Sony Computer Entertainment America LLC Sony Network Taiwan Limited Sony Communication Network Corporation Sony Pictures Entertainment Sony Media Software and Services

scan3

The script will ask you exactly which companies you want to scan. It’s extremely important that you shouldn’t test any domains, which are out of scope or do not participate in bug bounty program.

An excellent example is in this screenshot:

scan4

As output, script makes directory with same name as scanned organization and HTTP responses are saved into file named with corresponding IP. I added also port number and hostname (if exists).

Example output can look like below:

scan5

What Is This Script For?

This script is of course for finding vulnerabilities, which often exist in old, forgotten or subdomains that have not been updated. Shodan can find interesting (from security perspective) web applications which can lead to information disclosure on other more or less dangerous vulnerabilities. To proof my words, I obtained all organizations from official Bug Bounty list (https://bugcrowd.com/list-of-bug-bounty-programs) with help of goquery (below function) and next of course I passed it to my script.

    func bugcrowd() []string{
     doc, err := goquery.NewDocument("https://www.bugcrowd.com/bug-bounty-list/")
        if err != nil { // if cant connect
                log.Fatal(err)
        }
    s := make([]string, 455 ) //slice of strings
    doc.Find("td a").Each(func(index int, item *goquery.Selection) { //for every organization in "td a" (table)
     linkTag := item.Text() // get text
     s[index] = linkTag //put in to map
     })
 
     return s // return slice of organizations
    }

I had to be cautious and paid close attention to scope of the programs. When only one domain is in scope, there is no need for scanning and we need to go to the next one. Only organizations, which allow us to test all of their infrastructure or have *.domain in scope are our potential targets.

What can be found?

After scanning all of the companies and digging a while, I found local file inclusion vulnerability on of the scanned websites. It did not even take too long. I reported it and possible will update this article with more info when it will be fixed.

Additionally is great source of information, from link to link, I stumbled upon path disclosures, internal addresses and hostnames and a lot more. Also some of the websites look like from 10 years ago, so it’s good start to look closer and try known tricks.

There are also plenty of 403, 404 or 401 errors but it’s not a problem to remove them in bash.

find -exec grep -l ‘404’ {} \;| xargs rm

Conclusion

This script was written as a tool to find vulnerabilities in companies who are currently offering bug bounties. I remember a guy who found an open redirect vulnerability in Apache, scanned all in-scope domains of bug bounty programs and reported them all.

My approach is “quantity over quality” and you need to dig a little to find something interesting, but it’s good place to start. I have not looked through all files yet but I feel that previously mentioned Local File Inclusion won’t be the only one.

You can find the full script here.

Header Image by Vic Bell