
Fun things to do with CTFR

BSides Charleston · 2018 · 13:59 · 76 views · Published 2018-11 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS. Title: "Fun things to do with CTFR". Speaker: Edward Sabijon.
Transcript [en]

so I'm doing a talk on CTFR if you guys don't know what that is it's abusing certificate transparency logs I heard about this in another talk and but I took it a little bit further so basically you put a like what I would if you want to do this manually you can say you could find there's usually APIs out there that I'll show you a bunch of stuff and you pull if you look at subdomains there right and then you could say copy and paste one of these things then get an IP address out of it and then put it through a Shodan query and you know type in you know and actually find certain you know

vulnerability sometimes or nothing well yeah but what I did I actually made a script that does all this so let's say we want to do

check that out

so I run the script so basically it's pulling all subdomains from the API and then it's resolving each subdomain to an IP address and then it's putting it through a Shodan query right and the Shodan query will actually list all the vulnerabilities and stuff like that open ports and every sort of sort of hosts and stuff that you want to look at right so oops check this out it lists CVEs puts them right up there and then I could stew I haven't made a parser for this yet but I will make one eventually and then sometimes they don't actually lead to Exploit-DB so that'll be my next step in this thing

and then you know then have it actually linked to Metasploit like through the Metasploit API and have code ready I guess for your engagements so it is passive reconnaissance yep but you guys want to try it out I mean I could actually just type in any domain yeah so here I'm running it again I'll delete everything in here real quick

that's open summer oh that's right oops

you guys have your own personal domains you wanna put in here yeah what's the website MUSC health holy Sh

but it actually creates as it goes you know so ok no no CVEs there I mean okay but it'll still give you all the other information you would want so yeah I'm not touching the Nanyan touching their website essentially so yeah but it won't touch it

let's see let's see how much we got here I got to make something that flags it saying Oh CVE listed here and then yeah yeah yeah good imagine do this by an

well yeah I showed this off to a friend he's like yeah put my stuff in there but might put my blog on there and it just like just had a huge list of CVEs every was like I was like whoa dude well yeah you could I showed her this I showed this off to some pen testers and I think I rotated and we just played with this all day say what yeah yeah I do this whole in Python so like yeah I just use Atom because of the colors like don't make fun of me please

yeah so I just do yeah I just so what I do is I I just do a GET request on to that API to grab all the DNS names right and then I just parse all that out put that into a big list and then I just loop through it and then resolve each subdomain to an IP address and then and then I just you know put put that all into the each IP address into the Shodan query and then profit right yeah I haven't put it up on GitHub there's if you google CTFR github you can actually get the the original one but I just added to it but

I could put my stuff on GitHub in a little bit I literally was writing it sitting next to you so are we doing the FBI thing yeah well yeah this this will go on forever sometimes and you'll be surprised at what you can find the other thing I do with it I used Google Dorking techniques with it so you can pull those subdomains with it so you can say subdomains site github right and then you could find people's code that ties to it and sometimes it's like if it says dev in it it's really something you want to look at because sometimes it has credentials so really really cool OSINT scripted OSINT essentially so but yeah I've been doing

this for like I'm actually pretty new to cybersecurity I just my friend told me about something and I was like oh this is kind of cool so I've been I guess doing cybersecurity professionally since April so but I'm not super expert in Python so if you look at my code you know don't make fun of me you know yeah yeah yeah yeah yeah okay I saw this picture is like he's like I'm so gonna you know I'm so I'm such a good programmer and you see a book next to him in its Python like is actually really easy oh yeah you get so actually this might be kind of cool yet yeah whenever I see

dev in it it's just like it could be something you know so so what I would do I have another so I have another script that I kind of used with it and see if it'll actually work so I'll do my other one real quick to show you the Google Dorking part it has to be a really good company to do it to search with because like if you do like something with so few subdomains right get to have a huge list of subdomains because I mean sometimes Google won't find it but the more subdomains you get the more information you get to the Google Dorking method so I yeah it's it's just a really really I think it's a really

good strategy but yeah you want to try another one out clear I'll just clear it out if you want to tell you another website do one more

which one gap yeah okay okay hold on one sec wait delete what I got in there real quick so we won't have to like filter it out why is this not working

okay cool oh it's the end of the CTFR thing alright yeah give me a give me a domain let's get I'm gonna do one more you want a retailer Capcom I'm afraid what's gonna show up honestly oh Jesus no gifts okay yeah dip tickets then okay cool let's see what's popping up over here

yeah I need a I need a flag to just like to tell me when there's a CVE oh yeah it's just gonna populate through all these things but you guys I missed it I made a parser too for OSINT I put it up on github um you guys play with it at home so well yeah

yeah it's gonna keep going

well yeah my next my next step is gonna be putting it like automating it through Metasploit and then I mean I'm not gonna execute it because that would be kind of illegal unless I had permission of course so but definitely just just to line me up right so I take its courses here yeah but to finish it up horsey so basically I take a list of subdomains from a CTFR query basically and resolve those IPs and then then loop through them into a Shodan API and then that list that lists like all the ports and stuff and and in CVEs is what I'm looking for because there's another API that shows that shows the actual

actual vulnerability so if I do this one because I know this one has one real quick let me just delete everything real quick oh actually nevermind start that over almost done of course

all right here we go

awkward silence right I think it's this one here we go sweet so it's actually looping the CVEs listed and Shodan to to parse them out so ya know it's it's it's based on the IP yeah so they can lead you to the next steps thank you guys I'll put the I put the thing on github just catch me off line
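The pipeline the speaker walks through (CTFR/crt.sh subdomain pull, resolve each name to an IP, one Shodan host lookup per IP, flag anything with a CVE listed), as an added offline example that is not the speaker's script: the crt.sh and Shodan responses are constructed stand-ins, the `ports`/`vulns` keys are assumed to mirror Shodan's host JSON, and the CVE id is a placeholder.

```python
"""Offline model of the pipeline from the talk: CTFR/crt.sh subdomain pull ->
DNS resolution -> Shodan host lookup -> flag any IP that has a CVE listed.
Added example, not the speaker's script; all sample data is constructed."""
import json
import re
from collections import defaultdict
# Constructed sample of crt.sh JSON for ?q=%.example.com&output=json
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\ndev.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},  # duplicate cert
])
# Constructed stand-in for socket.gethostbyname(); mail.example.com does not resolve
DNS_TABLE = {"example.com": "192.0.2.10", "www.example.com": "192.0.2.10",
             "dev.example.com": "192.0.2.20"}
# Constructed stand-in for the Shodan host endpoint ("ports"/"vulns" keys assumed); CVE-0000-0000 is a placeholder id
SHODAN_TABLE = {"192.0.2.10": {"ports": [80, 443], "vulns": []},
                "192.0.2.20": {"ports": [22, 8080], "vulns": ["CVE-0000-0000"]}}

def subdomains_from_crtsh(raw_json, domain):
    """Split name_value on newlines, drop wildcards, keep names under domain, dedupe."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().lstrip("*.")
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)

def resolve_all(names, resolver=DNS_TABLE.__getitem__):
    """Group hostnames by IP so each address is queried once; keep the failures."""
    by_ip, unresolved = defaultdict(list), []
    for name in names:
        try:
            by_ip[resolver(name)].append(name)
        except (KeyError, OSError):  # socket.gaierror is an OSError in real use
            unresolved.append(name)
    return dict(by_ip), unresolved

def flag_cves(by_ip, shodan_lookup=SHODAN_TABLE.get):
    """One finding per IP; flag=True is the 'tell me when there's a CVE' marker."""
    findings = []
    for ip, hosts in by_ip.items():
        info = shodan_lookup(ip) or {}
        cves = sorted(c for c in info.get("vulns", []) if re.match(r"CVE-\d{4}-\d+$", c))
        findings.append({"ip": ip, "hosts": hosts, "ports": info.get("ports", []),
                         "cves": cves, "flag": bool(cves)})
    return findings
```

Grouping by IP before the Shodan step matters in practice: several subdomains usually share one address, and the host endpoint is rate-limited, so one lookup per IP keeps the run short and the flag list free of duplicates.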