itsMe Posted October 7, 2023 Share Posted October 7, 2023 This is the hidden content, please Sign In or Sign Up TBHM Live – Course Info I am thrilled to introduce you to The Bug Hunter’s Methodology LIVE, my masterclass designed for aspiring and seasoned offensive security professionals, including web application security testers, red teamers, and bug bounty hunters. The Bug Hunter’s Methodology (TBHM) is a two-day, paid, virtual training that aims to equip you with the latest tools, techniques, and strategies, plus provide a data-driven methodology on how and where to search for vulnerabilities that are currently common in the wild. Unlike other courses, TBHM Live is not an A-Z or beginner-oriented course. True to the spirit of my public TBHM talks, my emphasis is on expert tips, time-saving tricks, practical Q&As, automation strategies, vetted resources, and engagement via the dedicated community on Discord. Here are the details for the upcoming masterclasses: Course for EU TimeZone Students: 11/25/2023 & 11/26/2023 - 2PM-10PM CEST (GMT +2) Course for NA TimeZone Students: 12/2/2023 & 12/3/2023 - 9AM-5PM MDT (GMT -6) Each module will be driven live, using real-time targets where possible. You’ll have access to all source material to refer back to after the training. Plus, a video recording of the class will be available for all participants shortly after the course concludes. TBHM Live is also much more than just a course. I am dedicated to fostering a vibrant and supportive community for our learners. In keeping with this commitment, I will maintain a Discord channel for ongoing support, including resume guidance and job placement assistance. Join us for TBHM Live and get ready to supercharge your skills, refine your strategies, and join an active community of like-minded professionals. I look forward to seeing you in the class! Full syllabus: Day 1 – Recon Recon Part 1: Recon Concepts Introduction to Recon Recon Part 2: Acquisitions and Domains Scope Shodan ASN Analysis Crunchbase ++ ReconGTP Reverse WHOIS Certificate Analysis Add and Analytics Relationships Supply chain investigation and SaaS Google-fu (trademark & Priv Pol) TLDs Scanning 0365 Enumeration for Apex Domains Recon Part 3: Subdomain Enumeration Subdomain Scraping (all the best sources and why to use them) Security Trails + Netlas Brute force Wildcards Permutation Scanning Linked Discovery Wordlists Advantageous Subs (WAF bypass – Origins) Favicon analysis Sub sub domains Esoteric techniques Dnssec / nsec / nsec3 walking Recon Part 4: Server & App Level Analysis Port Scanning Service Bruteforce Tech Stack Screenshotting Recon Part 5: Profiling People for Social Engineering Linkedin (people, tech) Hunter.io Hiring Sites Recon Part 6: Recon Adjacent Vulnerability Analysis CVE scanners vs Dynamic Analysis Subtakover S3 buckets Quick Hits (swagger, .git, configs, panel analysis) Recon Part 7: Recon Frameworks and Helpers Frameworks Understanding your framework Tips for success (keys) Distribution and Stealth Day 2 – Application Analysis Application Analysis Part 1: Analysis Concepts Indented usage (not holistic, contextual) Analysis Layers Application Layers as related to success. Tech profiling The Big Questions Change monitoring Application Analysis Part 2: Vulnerability Automation More on CVE and Dynamic Scanners Dependencies Early running so you can focus on manual. Secrets of automation kings Application Analysis Part 3: Content Discovery Intro to CD (walking, brute/fuzz, historical, JS, spider, mobile, params) Importance of walking the app Bruteforce Tooling Bruteforce Tooling Lists: based on tech Bruteforce Tooling Lists: make your own (from-install, dockerhub, trials, from word analysis) Bruteforce Tooling Lists: generic/big Bruteforce Tooling Lists: quick configs Bruteforce Tooling Lists: API Bruteforce Tooling Tips: Recursion Bruteforce Tooling Tips: sub as path Bruteforce Tooling Tips: 403 bypass Historical Content Discovery Newschool JavaScript Analysis Spidering Mobile Content Discovery Parameter Content Discovery Application Analysis Part 4: The Big Questions How does the app pass data? How/where does the app talk about users? Does the site have multi-tenancy or user levels? Does the site have a unique threat model? Abuse Primitives Has there been past security research & vulns? How does the app handle common vuln classes? Where does the app store data? Application Analysis Part 5: Application Heat Mapping Common Issue Place: Upload functions Common Issue Place: Content type multipart-form Common Issue Place: Content type XML / JSON Common Issue Place: Account section and integrations Common Issue Place: Errors Common Issue Place: Paths/URLs passed in parameters Common Issues Place: chatbots Application Analysis Part 6: Web Fuzzing & Analyzing Fuzzing Results Parameters and Paths (generic fuzzing) Reducing Similar URLs Dynamic only fuzzing Fuzzing resources SSWLR – “Sensitive Secrets Were Leaked Recently” Backslash powered Scanner Application Analysis Part 7: Introduction to Vulnerability Types Indented usage (not holistic. Tips and Contextual) Covered vulns and why Application Analysis Part 8: XSS Tips and Tricks Stored and Reflected Polyglots Blind DOM Common Parameters Automation and Tools Application Analysis Part 9: IDOR Tips and Tricks IDOR, Access, Authorization, MLAC, Direct browsing Business logic, parameter manipulation Numeric IDOR Identifying user tokens GUID IDOR Common Parameters Application Analysis Part 10: SSRF Tips and Tricks SSRF intro schemas Alternate IP encoding Common Parameters Application Analysis Part 11: XXE Common areas of exploitation Payloads Common Parameters Application Analysis Part 12: File Upload Vulnerabilities Tips and Tricks Common bypasses Common Parameters Application Analysis Part 13: SQL Injection Tips and Tricks Manual Identification SQLmap tamper Common Parameters Application Analysis Part 14: Command Injection Tips and Tricks Common Parameters Application Analysis Part 15: COTS and Framework Scanning Default Creds CMS’s WordPress + Adobe Experience Manager Others Application Analysis Part 16: Bypass of security controls Subdomains where controls are not applied Origins TLDs (.jp, .uk, .xx) Red Team Analysis Red Teaming Analysis Part 1: Initial Access Primer Phishing Tips and Tricks Threat Intel + Levels Credential Stuffing Open discussion of C2 SaaS Cloud Red Teaming Analysis Part 2: Post Initial Access Open Discussion of common internal methods to succeed Attendees should have: Burp Suite (PRO preferably), VM or equivalent access to *nix command line. Pre-requisites for attendees: General Web application and network security testing knowledge required. Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities and previous experience. A full list of tools needed will be posted in the class discord before class. **Students who have previously taken the course** Having had the privilege to lead the course numerous times now, it becomes evident that each session cultivates unique queries, responses, and input from students. This diversity presents a wonderful opportunity for thought-provoking discussions on various tools, techniques, and invaluable teachings. Every time the class is conducted, there’s a fresh lesson to be learned. For former participants who have previously purchased this course, I extend an invitation to join any future sessions at a cost of $65 USD. Please feel free to reach out to me on the class discord channel to further discuss this opportunity. This is the hidden content, please Sign In or Sign Up This is the hidden content, please Sign In or Sign Up Link to comment Share on other sites More sharing options...
.webp.8407a83ac96563f75e1c428a1f0d4c3e.webp)
.webp.9a04cec050a656fab081ac190f971c3f.webp)
Hack Tools Resurrection
itsMe
Recommended Posts