Let’s see how to find emails using JWT tokens.
Subdomain Enum
First, collect all subdomains.
Below, I used assetfinder
to do it.
┌──(carabiner1㉿carabiner)-[~]
└─$ assetfinder --subs-only carabinersec.com
<SNIP>
Wayback URLs
waybackurls
First, use go
to install waybackurls:
┌──(carabiner1㉿carabiner)-[~]
└─$ /usr/local/go/bin/go install github.com/tomnomnom/waybackurls@latest
go: downloading github.com/tomnomnom/waybackurls v0.1.0
g
If go install is not working, try changing the proxy:
export GOPROXY=https://goproxy.io
Next, download anew
:
┌──(carabiner1㉿carabiner)-[~]
└─$ /usr/local/go/bin/go install -v github.com/tomnomnom/anew@latest
go: downloading github.com/tomnomnom/anew v0.1.1
github.com/tomnomnom/anew
Now you should have anew
and waybackurls
on your system:
┌──(carabiner1㉿carabiner)-[~/go/bin]
└─$ ls
anew waybackurls
Below command will take the list of subdomains and retrieve historical URLs from the Wayback Machine associated with those subdomains using waybackurls
, and then appends only the new, unique URLs to the file wayback_urls
:
┌──(root㉿carabiner)-[/home/carabiner1/Documents/bbh/who]
└─# cat who-subs | /home/carabiner1/go/bin/waybackurls | /home/carabiner1/go/bin/anew wayback_urls
We can see that it collected 22033 URLs:
┌──(carabiner1㉿carabiner)-[~/Documents/bbh/who]
└─$ wc -l wayback_urls
22033 wayback_urls
gau
We can achieve the same with gau
gau
is used to retrieve URLs that have been indexed by various online services (not just the Wayback Machine).
First, install it:
┌──(carabiner1㉿carabiner)-[~/Documents/bbh/who]
└─$ /usr/local/go/bin/go install github.com/lc/gau/v2/cmd/gau@latest
go: downloading github.com/lc/gau/v2 v2.2.3
go: downloading github.com/lc/gau v1.2.0
go: downloading github.com/sirupsen/logrus v1.8.1
Collect historical URLs:
┌──(root㉿carabiner)-[/home/carabiner1/Documents/bbh/who]
└─# cat who-subs | /home/carabiner1/go/bin/gau | /home/carabiner1/go/bin/anew gau_urls
gau
collected 13026 lines:
┌──(carabiner1㉿carabiner)-[~/Documents/bbh/who]
└─$ wc -l gau_urls
13026 gau_urls
waymore
We can achieve the same with waymore.
First, install it:
pip install waymore
Collect historical URLs:
┌──(carabiner1㉿carabiner)-[~/Documents/bbh/who]
└─$ cat who-subs | ~/.local/bin/waymore | sudo ~/go/bin/anew waymore_urls
IMPORTANT: It looks like you may be passing a subdomain. If you want ALL subs for a domain, then pass the domain only. It will be a LOT quicker, and you won't miss anything. NEVER pass a file of subdomains if you want everything, just the domains.
WARNING: Cannot find file "config.yml", so using default values
waymore
collected 39992 historical URLs:
┌──(carabiner1㉿carabiner)-[~/Documents/bbh/who]
└─$ wc -l waymore_urls
39992 waymore_urls
Search for JWT Tokens
Now, go through the historical URLs downloaded and look for JWT Tokens:
┌──(carabiner1㉿carabiner)-[~/Documents/bbh/who]
└─$ cat *urls | grep "=eyJ"
https://<SNIP>?mkt_tok=eyJpIjoiT0RKaE9XWmpaak0xTUROaSIsInQiOiJ1SEhjUU9ZTE9Ia3VBUU9LbEo2d2Y0VW5nektJc2o4bTZXVkQzQnpub21hdmg0R005eENjTFFMeHh0b2NPMU1pV3dKV1JyTVFnR2hudEhldXRCRUdCeVVEK2Nob2VxTjNnVnZCK3ZzVGd5VkxtREtCQnZPZUUwakJvdUE0NUI1ZiJ9
https://<SNIP>?mkt_tok=eyJpIjoiWWpsbU1tRTVPV0prWW1NeiIsInQiOiJGTXNuUFBVeFVUdmJMc0ZVK0dySFprUkxQQ0MxTDFHdEx0ZU83SFJDa1hRbzVmNkptXC9UWGpMaEFDWVZySjZudjdONkU0R3ptUWR3b0p0UG1mS3BQWUhKVkN5YUxkYnM1UnNrNkRHRys0OHFjdk5hQzJ0NmxmYjhJc0lCXC9hWnhsIn0=
https://<SNIP>?mkt_tok=eyJpIjoiWWpsbU1tRTVPV0prWW1NeiIsInQiOiJGTXNuUFBVeFVUdmJMc0ZVK0dySFprUkxQQ0MxTDFHdEx0ZU83SFJDa1hRbzVmNkptXC9UWGpMaEFDWVZySjZudjdONkU0R3ptUWR3b0p0UG1mS3BQWUhKVkN5YUxkYnM1UnNrNkRHRys0OHFjdk5hQzJ0NmxmYjhJc0lCXC9hWnhsIn0=
https://<SNIP>?mkt_tok=eyJpIjoiT0RKaE9XWmpaak0xTUROaSIsInQiOiJ1SEhjUU9ZTE9Ia3VBUU9LbEo2d2Y0VW5nektJc2o4bTZXVkQzQnpub21hdmg0R005eENjTFFMeHh0b2NPMU1pV3dKV1JyTVFnR2hudEhldXRCRUdCeVVEK2Nob2VxTjNnVnZCK3ZzVGd5VkxtREtCQnZPZUUwakJvdUE0NUI1ZiJ9
We can also look for info such as email addresses:
┌──(carabiner1㉿carabiner)-[~/Documents/bbh/who]
└─$ cat *urls | grep "gmail.com"
jwt.io
After we collect JWT tokens, we can decode it to see the content of it using jwt.io
If we can see sensitive information such as below, it is a valid bug. Report it.
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}