My setup as a remote hacker
• publicTable of contents
When it comes to working online, the primary advantage is that you can work from anywhere. Some people stay at home, and others prefer to travel. I love to do both so I needed a setup I can use from everywhere in which I'm comfortable to be efficient. So I tried to make a setup I can use at home and in the world.
I don't want to make a tech post with all specs so I will speak more generally about my point of view, and it's mine so it's alright if you disagree with it.
I'm currently in Tokyo Japan for 15 days. I wanted to discover this city before returning to France ( I already miss cheese and charcuterie you know ) and decided to land there.
This city is huge and awesome, I love it. But the tourist spots were so crowded that the experience there wasn't good, so it's better to just walk randomly in the street and discover good restaurants.
Concerning work, I can work in a café, even if in some you can't find any outlet or wifi so it can be annoying. But in a big city like that, you can find pretty easily a good spot to work.
When it comes to work in cybersecurity worldwide, you must ask, is it safe to do it in a café or coworking? Of course, it can be unsafe. That's why I work only on bug bounty programs and not on pentest for clients and I also use a privacy screen and stuff to hide what I'm doing ( for others, they just think I'm a crazy guy who type in front of a black screen ).
I became a minimalist addict throughout the year, and now that I'm traveling, I only travel with a small bag, a 20L bag. Yes, you can say that I'm crazy and I am. But look at it, a perfect bug hunter bagpack ( YesWeHack I'm waiting for the sponsorship ).
I'm not going to show you all the content of my bag, it's not a travel blog, but just to mention that I am minimalist so I can't take a lot of stuff. Concerning IT, I only have my MacBook with me, a simple MacBook Air M1 that I need to change for more RAM, but it's perfect looking at the battery and the weight.
Softwares
Concerning what I use every day, I'm still a minimalist even on my computer, so I don't use plenty of stuff and I try to stay organized in every step, even in the chaos of Bug Bounty.
I started with Burp Suite like everyone I think, but I'm switching to Caido right now, it takes less of your performance, is simple, and has the right amount of functions you have to use when it comes to hacking web apps. Of course, with burp and plugins, you can do a lot more than Caido. But in my opinion, I prefer to use simplicity over complexity. So I can miss plenty of stuff but I'm alright with that.
When Caido will add plugins, it will be easier to build my plugins to cover my needs. And if you look at plenty of top-tier bug hunters, you will see that they primarily only use a proxy and nothing more. And you don't need more to find bugs. The most important is to understand your target and what you are doing.
I'm not an automation guy, I use some tools or make some to help me in my workflow but it's only for some use cases. I think one tip I can give is to learn keyboard shortcuts of your software. Simply to be more efficient on them. I love the workflow of the people who use i3 Window Manager. I tried multiple times, but it's hard to get used to it and to keep it.
The best browser extension
With that setup, If I have to give you one extension, it's Pwnfox. It's only for Firefox sorry but it's very powerful with burp and for you to manage your workflow. It will use the containers of Firefox to give you each tab with a different color and a full new state.
I'm sure that without that when it comes to having 2 or 3 different accounts on a target, you will use different windows with private windows. But with pwnfox, you will only have different tabs. It's very helpful for testing auth and privileges. So a big shoutout to BitK for having created this
Here is the link if you want to use it :
Sorry I have nothing juicy to share, I only use basic tools to keep a simple workflow. I will start in the next few months to make some automation I think, but mainly automating js files and their changes.
VPS
The best stuff when you are a nomad is to use a VPS. It will help you to scan targets without using your IP. And you can set up automation and stuff that will work when you sleep.
I use mine mainly to store software like ezXSS to find blind XSS. I also store my payloads on it when I want to use external js. It's very easy to manage and it will help you to exploit your bugs.
When I don't have a very powerful computer, the good point with caido is that I can use it on my VPS. It means that if I want I can only use an iPad and hunt with it.
The only problem I face is that my VPS is in Germany so by being in Asia I have some latency working with it. I need to find a solution to that. If you want to know, I use Contabo as a provider, that's the cheapest and most powerful provider I found to get a VPS and it works very well.
As you can see, I use a very minimalist setup with not a lot of stuff. But it's still possible to find bugs without looking at a lot of software and a big computer you don't need.
In the next few months, I will probably write some scripts to help me with daily tasks and automation to be less dependent on the boring stuff. For instance, I now have a template for each category of bugs and it helps a lot when you have to report something. And it's better than only reporting a small report with a little information because you have to be fast.
As a bug hunter, I think that I have to find a specific field in which I'm at the top. Because there are so many hunters now and being just good at everything is not enough to be sustainable.
And I think that I found in which field I'm going to dig deep, but I will keep that for another article ;)