SOURCE: BOOTCAMP PDF (HOW THE INTERNET WORKS):

The internet works with a client server model, your browser is the client and the server provides the resources you request for using your browser. There are also APIs that allow websites interact with other web services to provide information or services, like using paystack to pay for something on jumia or sporty

DNS:

IPv6 and IPv4 are versions of IP addresses, each web service or website and computer or server has a unique IP, but DNS helps us remember their names, when you request for google.com, this request is first sent to a DNS server, which asks “hey what’s the address for Google.com, then the DNS server tells your browser it’s at “123.344.344.34” your browser then sends a request to the IP asking for the resources that displays Google.com to you, that’s how you get to see a webpage.

PORTS:

Ports allow a server to handle multiple requests for different services at the same time, there are different services and protocols a server can provide like SMTP. FTP, HTTP,HTTPS, let’s say as our browser now has the IP address of Google.com, it will then say, “hey i’m asking for the webpage only , and since he’s requesting from window 80 (port 80), the server know that , this client wants a web service for HTTP, if we want a file, the client will request for FTP from port 21.

REQUESTS AND RESPSONSE HEADERS:

When you make a request, the client creates a request which usually contains the request line, request header , and sometimes the request body, the request line usually contains the type of protocol, version and request, could be GET, POST, OPTION, PUT, or DELETE, this is like a command telling the server what to do with that request. The content and explanation of the request header can be found in the source pdf but it usually contains the client’s tech version (browser details) encoding techniques, language, and referrer etc…. As for a response, it comes with a header as well, that shows the protocol version, and status code, 200 means request successful. 400 means the content you requested was not found , 403 means you’re forbidden to access that content you asked for, and 500 is server failure, it can alsocontain, the size of the content, content file type, encoding , referrer etc….

ENCODING:

content of a request or response can be encoded to protect information from MITM attacks, there are various forms of encoding, like Base64, Hex, URL encoding etc….you can decode these using cyberchef or burp decoder and encoder

COOKIES:

This is the unique session ID the server gives each client anytime they log into the website, it let the server know who you are and keeps you logged in for a certain time or until you log out, There’s also token based authentication, here the server doesn’t need to store and know your session ID, but each time you log in, you’re given a unique signed token from the client side, and each request is sent with your token, and when the server receives your request, it decodes your token to know who you are , if the token is tampered with, it’ll know via the encrypted signature JWT (JSON web tokens) is another token based identifier that ensures data integrity , by signing a user using an algorithm, a base64url encrypted payload and header, read up more on it from source.

Same Origin Protocol (SOP):

this is a script that protects users from data exfiltration after they must’ve clicked a malicious link, let’s say a hacker successfully embeds XSS attack to send users details to his webpage “attacker.com” that shows a link and a legit user clicks it, this might be a script by the attacker asking for the users info and since the link was clicked by a legit user, the request is properly signed and has the users token so the server will send out the users details, but it won’t work because the request wasn’t sent from the same origin example gmail.com, since the requesting site is attacker.com. it wont work because they’re not the same origin.

RECON:

Recon is very important because it helps you find out a lot about the website as well as it’s overall functionality, endpoints and potential vulnerabilities

There are different approaches to recon, first one is manually using the target site, learn how it works, create accounts for different types of users so that you see what’s available to different users, click links, buttons, see where you’re forbidden from accessing

GOOGLE DORKS:

Google hacking database has a wide array of google dorks you can use to find any type of specific info about your target , here are a few examples to dorking and what they can do

Insite: ( insite: google.com) this specifies the site you’re targeting

inurl: ( inurl: “ car”) let’s say you’re looking for wherever a car is mentioned in the site google.com, you can use this

filetype: (filetype: pdf) this is used to specify the file type

WHOIS:

you can query a domain name to know it’s registration info, and some other info about them

[ whois facebook.com] some companies might hide their info using DNS privacy so we perform what is known as REVERSE WHOIS, using a web tool known as [viewDNSinfo]

IP ADDRESSES:

AI:

IP Addresses: The Basics

An IP address (Internet Protocol address) is a unique identifier assigned to each device connected to a network. It allows devices to locate and communicate with each other over the internet. There are two main types of IP addresses:

1. IPv4 (Internet Protocol version 4):
   • Format: IPv4 addresses are written as four numbers separated by periods, e.g., 192.168.1.1.
   • Range: Each number can range from 0 to 255, providing about 4.3 billion unique addresses.
   • Limitations: With the growth of the internet, the available IPv4 addresses became insufficient, leading to the development of IPv6.
2. IPv6 (Internet Protocol version 6):
   • Format: IPv6 addresses are written as eight groups of four hexadecimal digits, separated by colons, e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
   • Range: IPv6 provides a vastly larger address space, enough to accommodate the growing number of devices on the internet.

How IP Addresses Work

• Public vs. Private IP Addresses:
  • Public IP addresses are unique across the entire internet, assigned by ISPs (Internet Service Providers) for communication over the internet.
  • Private IP addresses are used within a private network (e.g., your home network) and are not routable on the internet.
• Subnetting:
  • Networks are divided into smaller subnetworks called subnets. Subnetting helps in managing large networks and controlling traffic.
  • An IP address is composed of two parts: the network part and the host part. Subnetting allows multiple networks to exist within a larger network.

Internet Ports: The Basics

Ports are virtual endpoints for network communications. They help direct traffic between the device and the correct service/application.

• Port Numbers: Each port is associated with a specific service or application. For example:
  • Port 80: HTTP (used for web traffic).
  • Port 443: HTTPS (used for secure web traffic).
  • Port 21: FTP (used for file transfers).
• Types of Ports:
  • Well-Known Ports: Ports 0-1023, commonly used for essential or well-known services.
  • Registered Ports: Ports 1024-49151, used for user or software-defined processes.
  • Dynamic/Private Ports: Ports 49152-65535, usually used for dynamic connections by applications.

How Ports Work

• When a device sends data to another device, it specifies the IP address and port number, ensuring that the data reaches the correct application or service.
• Firewalls and routers often filter traffic based on port numbers, which is why understanding ports is critical in network security.

Importance in Security and Bug Bounty

• Open Ports: Unsecured or unnecessary open ports can be exploited by attackers to gain unauthorized access to a system.
• Port Scanning: A common technique used by attackers to identify open ports on a target system. Tools like Nmap are often used for this purpose.
• IP Spoofing: An attacker can falsify their IP address to disguise their identity or to bypass security measures.

JWT:

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token used to securely transmit information between two parties (like a client and a server). JWTs are often used for authentication, meaning they help verify who you are when you're accessing a website or an API.

Breaking Down the Name

• JSON: Stands for JavaScript Object Notation, a lightweight data format used to exchange information in a structured way.
• Web: Indicates that JWTs are designed for web applications and services.
• Token: Refers to a piece of data that represents information, like a user’s identity or permissions.

How a JWT is Structured

A JWT is made up of three parts:

1. Header
2. Payload
3. Signature

These three parts are encoded in Base64URL format (a version of Base64 that is safe to use in URLs) and are separated by periods (.). A JWT might look like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

The header usually consists of two parts:

• Algorithm: Specifies the algorithm used to sign the token, like HMAC SHA256 (HS256).
• Type: Indicates that this is a JWT (JWT).

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

The payload contains the claims, which are statements about an entity (usually the user) and additional data. There are three types of claims:

• Registered claims: Predefined claims like iss (issuer), exp (expiration time), sub (subject), etc.
• Public claims: Custom claims defined by the user, like name or role.
• Private claims: Custom claims shared only between the parties that use the JWT.

Example:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

3. Signature

The signature ensures that the token hasn't been tampered with. It’s created by taking the encoded header, the encoded payload, a secret key, and the algorithm specified in the header, and then hashing them together.

[ nmap [facebook.com](<http://facebook.com>) ] this is an active scan to check for up and running ports and services, for passive scans we can use SHODAN , if we search up facebook on shodan we weill se a lot of useful info including CVEs

DIRECTORY BRUTEFORCING:

Directories are like files inside files , so in order to know the available directories that might hold juicy info we need to scan for them, we’ll use “ dirsearch.py “ [ ./ [dirseach.py](<http://dirseach.py>) -u [facebook.com](<http://facebook.com>) -e php ] assuming we’re looking for PHP related files, we can also bruteforce for directories using gobuster [ gobuster dir -u facebook.com -w wordlist.txt ] or we can use owas zap spider to scan the site.

THIRD PARTY HOSTING:

We can use this method to find S3 bucket if we’re dealing with amazon services S3 means secure storage service , so for this we can [ bucket-Stream ] or a site called buckets-grayhatwarfare.com to find the buckets , after finding them , we can try to access them using [ awscli ] [ aws s3 ls s3:// BUCKET_NAME/ ] still using this tool, you can test if you can upload , delete files from the buckets

GITHUB RECON:

 You can search up the company ongithub to see if they uploaded any  files with useful info

• You can check job postings b a company to know the technologies they use

TECH STACK FINGERPRINTING:

To do this we can use Nmap to know the tech stack the site is built on, [ nmap [facebook.com](<http://facebook.com>) -sV ] this shows us the version and tech stack .

• You can use burp headers or source code of the pages as well.

AI

1. Certificate Parsing

Certificate parsing involves analyzing the digital certificates used by websites for SSL/TLS encryption. These certificates contain valuable information that can be used in recon, such as:

• Domains/Subdomains: Certificates often list the primary domain and any associated subdomains.
• Organization Info: The certificate may contain information about the organization that owns the domain.
• Expiration Dates: Knowing when a certificate expires can help you time your attacks or inform the target about potential security lapses.