API Recon with Kiterunner - Hacker Toolbox

InsiderPhD

Kiterunner is a brand new tool for API Recon which launched last week, and it's INCREDIBLE. I was so impressed when testing it out that I had to share it because this will be a game-changer for API recon, seriously. As in, this tool was able to find domain-specific API endpoints, where every tool has failed.
Did you know this episode was sponsored by Intigriti? Sign up with my link: go.intigriti.com/katie. I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
- Links -
- Kiterunner Introduction: blog.assetnote.io/2021/04/05/...
- Assetnote Wordlists: wordlists.assetnote.io
- Kiterunner GitHub: github.com/assetnote/kiterunner
- Slides from BSides Canberra: drive.google.com/file/d/1PDc2...
- Install Go: golang.org/doc/install
- Install Brew: brew.sh
- Commands -
- Windows Instructions: go build -o dist/kr.exe ./cmd/kiterunner
- Standard scan: kr scan 127.0.0.1:8000/ -w ~/Downloads/routes-large.kite
- Standard fuzzer: kr brute 192.168.1.2:8000/ -A=apiroutes-210228
- Multiple Targets: kr scan source.txt -w ~/Downloads/routes-large.kite
- Repeat a request: kr kb replay -w ~/Downloads/routes-large.kite "GET 404 [ 7620, 1867, 167] 127.0.0.1:8000/api/api/secure/acclandingpage/shoppers/60974302/orders/18350 0cf6832438c001b0aeeed5bc5a70f536908b08e7"
- Add a filter: kr scan 127.0.0.1:8000 -w ~/Downloads/routes-large.kite -A=apiroutes-210328:20000 --fail-status-codes 400,401,404,403,501,502,426,411
- Plain text format: kr scan 127.0.0.1:8000/api -w ~/Downloads/routes-large.kite -o text
- Social Media -
Discord: insiderphd.dev/discord
Patreon: / insiderphd
Twitter: / insiderphd
- Patreon Shoutouts -
David Kupratis
Bruna Simonian
Sean Doody
Forrest Held
Patreon
Wardell Castles
Gynvael
Ram
James Clee
00:00 - Introduction & Intigriti Sponsorship
02:00 - What makes Kiterunner special
10:55 - Installing Kiterunner
16:05 - Getting started, basic commands
22:33 - Adding extras
31:11 - Outro and Patreon shoutouts
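
Added example, not part of the video description or the Kiterunner project: a Python helper that parses result lines in the shape quoted in the replay command above, drops the status codes listed in the filter command, and builds a `kr kb replay` invocation for each remaining line. The function names and the treatment of the three bracketed numbers as opaque counters are assumptions, and every sample line except the one copied from the replay command is constructed.

```python
import re
import shlex
from collections import defaultdict

FAIL_STATUS = {400, 401, 404, 403, 501, 502, 426, 411}  # --fail-status-codes list
# Shape of the line quoted in the replay command: METHOD STATUS [n, n, n] URL ID
LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<status>\d{3})\s+"
    r"\[\s*(?P<counters>\d+(?:\s*,\s*\d+){2})\s*\]\s+"
    r"(?P<url>\S+)\s+(?P<ident>[0-9a-f]{40})$"
)

def parse_line(line):
    """Return a dict for one result line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Assumption: the three bracketed numbers are kept as opaque counters.
    rec["counters"] = tuple(int(n) for n in rec["counters"].split(","))
    rec["raw"] = line.strip()
    return rec

def triage(lines, fail_status=FAIL_STATUS):
    """Drop unparseable and fail-status lines; group the rest by status."""
    kept = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] not in fail_status:
            kept[rec["status"]].append(rec)
    return dict(kept)

def replay_command(rec, wordlist="~/Downloads/routes-large.kite"):
    """Build the `kr kb replay` invocation for one kept result."""
    return f"kr kb replay -w {wordlist} {shlex.quote(rec['raw'])}"

SAMPLE = [
    # Copied from the replay command on this page.
    "GET 404 [ 7620, 1867, 167] 127.0.0.1:8000/api/api/secure/acclandingpage"
    "/shoppers/60974302/orders/18350 0cf6832438c001b0aeeed5bc5a70f536908b08e7",
    # Constructed lines for a local test server; the IDs are placeholders.
    "POST 200 [ 52, 3, 1] 127.0.0.1:8000/api/login " + "a" * 40,
    "GET 500 [ 310, 12, 4] 127.0.0.1:8000/api/users/1 " + "b" * 40,
]

if __name__ == "__main__":
    for recs in triage(SAMPLE).values():
        print(*(replay_command(r) for r in recs), sep="\n")
```
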

Comments: 51
@MosnoAlMoseeki 2 years ago
That was so excellent! Thank you so much. I've marked this video to watch again in the future, and I actually am using Kiterunner as I'm watching this video. I do wish you a speedy recovery, and congrats on the Bug Crowd position!
@dhruvkandpal9909 3 years ago
Thank you for explaining each aspect of the tool clearly. It was really helpful! :)
@wardellcastles 3 years ago
Thanks for the video! I am already using it!
@zerosum535 2 years ago
Thank you, using it first time tonight
@x7331x a month ago
Great video and tutorial, thanks for doing that!
@cihan-3439 3 years ago
Thanks for the great content!
@ismailramzan8927 3 years ago
Thank You so much :)
@cybersecurity3523 3 years ago
Very good Dr
@innerjoy6361 3 years ago
Love from India. Great content, thanks
@bharathpatel1757 3 years ago
Hi dhidhi! Is it necessary to shift from burpsuite community to professional version? Can't we find bugs with community version?
@karimsz2009 3 years ago
Amazing video indeed..
@chizzlemo3094 3 years ago
thank you!
@sql7002 3 years ago
Our Queen 👸👸😍
@hanko1 3 years ago
you deserve 10000000000000000 likes Katie
@Unknown-zf9yg 3 years ago
i’m one of them 🤪
@cristianmorillas2247 a year ago
So nice!
@kumaran88thiru 3 years ago
Lot of love for u
@mikekihoro6372 2 years ago
Hi Katie, thanks for the informative video, do you have a step by step installation of the tool on Linux? I am kind of a beginner and really struggling to get it up and running.
@arbazfarooqi5050 3 years ago
thank you
@hossamshady1383 9 months ago
wow so great
@Imhamzaazam 3 years ago
Hey Katie, I am unable to print any output out on the terminal. It keeps running and outputs no results found.
@narsi_04a0 2 years ago
thank u
@ihebhamad1477 2 months ago
Thank you @kati would you do some web application testing, how do you approach a real target.
@NotToBeTooTakenSeriously 4 months ago
What command do you usually use?
@axelvirtus2514 3 years ago
FTL failed to read from stdin error="failed to open file: open routes.json: no such file or directory" Downloaded and extracted these files, same problem
@RR-hl6zi 5 months ago
It seems that the kiterunner project has been abandoned. Do you know if it has been forked or if there are any similar (but more recently updated) tools? If not, I really need to learn golang and patch the tool up myself. And figure out how to keep the api definitions up to date...
@InsiderPhD 5 months ago
Yeah :( this is an older video, you can download the larger wordlists, but I’ve not seen anything similar, the most I’ve seen is some work looking at swagger files and extracting a wordlist from thousands of them
@bluey8302 2 years ago
It does not work on Windows, I type in the command in cmd but it returns errors.
@cloufish7790 3 years ago
A great idea with marking when doing presentation, but I really recommend you buying a cheap graphics tablet. I'm sure it'll be easier to underline and draw arrows :P
@InsiderPhD 3 years ago
I knowwwww I use my iPad but it doesn’t play nice with the two screens I use. I might have to check out alternatives
@bharathpatel1757 3 years ago
Hi dhidhi! There is a thing people mostly discussing nowadays. Do really AI replace cyber security? For security Enthusiast like me we always look for future do this field goes green?
@InsiderPhD 3 years ago
No! Don’t worry about AI! I did a talk at bugcrowd level up it’s in my playlist of talks on AI and why you don’t need to worry!
@DEADCODE_ a year ago
@InsiderPhD this why I love dude
@alph4byt3 3 years ago
This is why they say it's good to get familiar with Linux, not a must per se but very much a great thing to have....Linux familiarity
@nigelcarruthers335 a year ago
Katie, you MUST learn VIM. I promise it's worth it.
@juanjoivars3254 a year ago
Can anybody explain the difference between scan and brute mode, please?
@InsiderPhD a year ago
Scan uses some guessing to get likely endpoints; it produces less noise
@morrismbogo1798 11 months ago
Is this vlog still valid? It seems like Kiterunner support was discontinued
@quangvo4563 3 years ago
Can it do parameters fuzzing like fluff? Where we can place POST body data like password=FUZZ&username=FUZZ?
@InsiderPhD 3 years ago
Yup! You can use FUZZ anywhere in a request
@quangvo4563 3 years ago
@InsiderPhD I cannot find that option in their docs :-(, I must’ve missed something ...
@drmikeyg 3 years ago
Good job InsiderPhD, Since you're from England, do you know The Beatles?
@InsiderPhD 3 years ago
Of course :D
@forranach 3 years ago
I love your accent. Where is it from?
@InsiderPhD 3 years ago
I’m from a place near London :)
@daddy.69. 3 years ago
@limonhasan6723 3 years ago
love ur accent 😍 please make an English learning channel also.😂
@mrankit2889 3 years ago
All of the content on 1 side and another side your channel name insider phd??? What does it actually mean??🤨🤨Can I get the answer???
@InsiderPhD 3 years ago
I have a PhD and my PhD was in Insider Threats so InsiderPhD.
@josephgosling9593 3 years ago
First
@InsiderPhD 3 years ago
👏👏👏