My name is Tommy, I go by the alias dawgyg (@thedawgyg on Twitter). I am from Richmond, Virginia, in the US. I have been hacking off and on for a little over 20 years now, started in the mid 90s. I got into hacking because of IRC back in the 90s. After spending a bit of time on EfNet, I ran into a couple of the old school hackers and was instantly fascinated by the concept of hacking. I am currently most active on Synack, and have participated in programs such as Yahoo, Facebook, Hack the Army, Hack the Pentagon, and Etsy.
I recently made the switch to doing bug bounties full time last month (April 2017). It originally started as a hobby, just because it was so cool to me that companies were willing to pay me to hack them when I am bored.
When it comes to managing personal life with the bug bounty thing and other work that I do, I basically like to have fun. So I spend a couple days here and there per month hacking until I have what I think is enough coming in from bug bounties to cover my expenses for the month + whatever that month's adventure will be. Then I may spend some extra time other days through the month, but basically when I get bored, or if I find a new toy or adventure I want.
This varies a bit, but I generally spend about 8-10 hours a week spread through the 7 days hunting. Sometimes it's more if there happen to be some good programs launched on Synack, and other times it may be a little less.
I think I generally average about 20 or so bugs per month across all platforms/programs.
With regards to bug bounties, I started in March of 2016 after finding my first bug for Yahoo's bug bounty, and found what is still today my most critical issue. (RCE on 2 different servers with the ImageTragick vulnerability, with a combined reward of $5,000)
I think my favorite so far was a recent one. About 3 weeks ago I managed to find an Auth Bypass in an Employee login portal for a Synack target. While testing this, I ended up being able to get it into a Blind Error Based SQL Injection (huge shoutout to @jstnkndy and @secgeek for their help in figuring out how to manually exploit and extract information on this).
I figured this out in March of last year as well, when I got my first bounty from Yahoo and realized that it was something totally legit. (I am an old school hacker, and former blackhat. So I was, and still am, quite wary of hacking a bunch of different companies again).
I have always loved hacking, and reading about other people’s hacks. I spent a very good portion of my teen/young adult years hacking for free. Just because we were told we couldn’t do it. They were smarter than us. So we wanted to prove them wrong. This led me to what would become my biggest hurdle when it comes to being a bug bounty hunter.
Because of my bad choices as a kid, and I guess the reluctance to use a new alias, I am not allowed to participate in some bug bounties, and feel that I have to be extra careful when I am actually doing the bug bounties that I can do. I constantly worry that I may go too far and upset a company and just cause problems from there. So now I try to make sure I read the scope of each program before even opening their page in my browser, and will constantly go back and check for updates on programs before I take a new look at them each time. I have also found that reporting issues the instant I find them, then asking for permission to attempt to escalate it has been accepted by most of the programs, and puts me a bit more at ease.
I read every blog post that is shared by any hacker (regardless of their hat) that comes across my Twitter account, or in the blogs room on Slack. I also check out Packetstorm Security for news from various different links, and I follow /r/netsec occasionally.
I have done some hacking with a few guys from the community. @nahemsec @bbuerhaus @rohk @zeano @secgeek @yaworsk come to mind, there are others as well. (Sorry if I didn't list you)
I generally run Sublist3r first, and include the brute force flag, and port scan for about 15 ports I have found to be pretty common. While that is running, I will spend some time googling, checking the Facebook cert tool, and other cert pages to find some other subdomains. If I find any that seem like they might be interesting, I will run dirsearch on them to see if I can find any interesting files or folders and start googling the subdomain to see what it's generally used for. From there it's basically just wash and repeat until I find something that deserves more attention.
It really depends on the web app itself. There are some very basic pages/apps that I don't really look for much other than XSS or info disclosure on, but if it's more than just a page or 2 then I will try to spend at least some time looking for any vuln category for the most part.
I have written simple bash scripts to help me run programs quicker and easier, and send the output to various places or onto the next phase of my recon. I use the basic tools: Sublist3r, dirsearch, Burp Repeater, parameth.
I have had a bit of luck using ImageTragick, so now I have several images that test for this in various ways, and I make sure I upload this in every place that is available, just on the off chance it gets processed somewhere somehow. (It has worked a couple of times in the last year)
Quite often. My 2 biggest programs have both been running bug bounty programs for quite some time. Just because something is older doesn't mean it is secure. We all think about things differently and approach them differently. So never skip something just because you think too many people have looked at it.
I am a Unix (mainly Linux) Sys Admin by job, so I definitely think this has helped, as it lets me think like some of the other sys admins for the companies I may be targeting, and I know some of my common mistakes, or those of coworkers/friends, so it gives me a decent place to start out when looking at something new.
American Country, Hip Hop and R&B
Travel, watch Spongebob, play with my dog and my daughter
Almost out of debt, traveling a lot more, and allowing me to help out some family and friends when they need it.
Don’t give up. I think I heard that the most. Hearing it from Sean Melia (@meals) and Ben (@nahemsec) helped prevent me from giving up on several bugs that ended up being worth the extra effort.
I want to get into hardware hacking and do more mobile. Most of what I do now is host or web app, but I am constantly trying to learn more to expand what I am able to do.
Read. You can never read too much or stop learning. Don't ever think you know all there is to know about a topic. Start out by reading blog posts from people doing bug bounties and start learning what types of things to look for, what others have had success with or no success with. It's all about constantly learning and doing what you can to keep up with newer technology.
Strawberry jam and butter
Worst experience so far has been an ongoing issue with trying to get a response from a free program for bugs submitted more than 9 months ago. It's discouraging, but I have to remember that this is not the norm.
Mark Litchfield or filedescriptor
A way for the researchers to provide feedback on experiences with a program.
Gedit if I am on my laptop, nano if I am doing it from the command line.