• Hive Five
  • Posts
  • NahamSec interviews Alyssa Herrera

NahamSec interviews Alyssa Herrera

August 08, 2020

Note that during these interviews I also moderate thus quality may vary.

PROFILE

  • Got into hacking in middleschool

  • Cicumventing security on school laptops.

  • Bypass school web filter, youtube etc.

  • Got into web app hacking through hackthissite missions

  • Breakthrough moment was hacking on Department of Defense

  • Thought of DoD hacking was very novel.

  • Wanted more challenge coins.

  • Good training ground

  • Different coding languages etc.

RECON

  • Gathering as much actionable information as possible.

  • Architecture

  • Subdomains

  • How does company operate

  • Google dorking

  • Internal documents

  • Read the documentation and leverage that information

TOOLS

  • Aquatone

  • Burp Suite

  • ffuf

WALKTHROUGH

  1. List subdomains

  2. Portscanner

  3. Focus on stuff that is more vulnerable

  4. Look for interesting subdomain names, dev, console, test, vpn, graphana, beta, staging

  5. Google dork with interesting subdomain

  6. Brute force directories

  7. Look for interesting behaviour

  • Are there weird errors

  • Is there a proxy

  • Try to change host header to localhost

  • Are there apis?

TIPS

  • Monitor Twitter, it’s an endless source of info

  • Knowing how to code is not needed

  • Understand when to disconnect and take time off to prevent burnout.

  • Just because you missed something that someone else didn’t doesn’t mean you’re bad.

  • Ask good questions (not things you can Google)

  • Asking for help isn’t inherently bad

  • Checklist can consist of Google dorks, documentation, API that’s over permissive

MOTIVATION

  • To learn and help secure stuff. Protecting websites against hackers.

  • Money is a big motivator

  • Hacking is meditative

IMPOSTER SYNDROME

  • Definitely a thing

  • Rather to see it as a fault of your own and see it as a challenge.

  • It’s manageable and you can work on it

  • If person X found a big vulnerability and you didn’t just learn from it and use it in the future.

COLLABORATION

  • Started of solo

  • Once they started to collab you’re able to accomplish so much more.

  • You’re able to share informationa and styles of hacking, e.g. breaking things apart vs recon head.

  • You can combine different experiences and profit