Wouldn’t it be great if there was a convenient way to securely network your on-prem and cloud assets? Well, you’re in the right place! If you’re as passionate about network security as I am, read on to learn more about securing your offensive tools.

Hey, hi, hello 👋 Welcome to LevelUp! My name is Rami (drunkrhin0). I’m a Security Solutions Architect at Bugcrowd, but I was actually hired from the crowd! Prior to information security, my background primarily stems from infrastructure, networking, and architecture. This laid a strong foundation for me by learning to build first and break later. This helps me find those unique attack angles that many others may not take the same approach to.

My experience in the bug bounty community has demonstrated that many of the best bounty hunters know how to get P1s, but they lack the experience when it comes to networking and securing their own infrastructure.

Securing your offensive tools is vital, not only for your protection of the data you’ve worked so hard to obtain, but to safeguard the data of the organizations you’re hunting on. Everyone learns differently and today I’ll demonstrate how you can leverage network security to level up your bounty game….sorry I won’t make that pun again.

What You’ll Learn Today

  1. Creating and securing your software defined network.
  2. Masking and routing network traffic through exit nodes.
  3. Sharing files through your network.
  4. SSH from anywhere without an SSH key.

What You’ll Need

Before we begin it’s worth noting, everything shown in this LevelUp is for demonstration purposes. This tutorial doesn’t have to be strictly adhered to and everything shown here is very flexible!

With that out of the way, you’ll need a free Tailscale account and at least two devices of your choice. I’ll be using the following: 

  1. Linux VPS – Ubuntu 24.04 LTS
  2. A computer – Windows 11
  3. A mobile phone – Android 14

Introducing Tailscale

A couple of months ago, a friend introduced me to Tailscale and it revolutionized my recon workflow without sacrificing security. I quickly incorporated it alongside other utilities like UFW (Uncomplicated FireWall).

Tailscale is a WireGuard based zero config software defined network allowing you to access your infrastructure from anywhere. It’s easy to set up without all the annoyances of traditional networking like port forwarding.

Personally, I use Tailscale to connect my computers, home lab, and cloud servers. It’s incredibly convenient to be able to access my resources securely from anywhere, without having to worry about exposing them to the public internet.

As security professionals, Tailscale is a game-changer. It allows us to build and manage secure networks without the hassle of traditional networking. In this guide, I’ll walk you through how to set up Tailscale for your bug bounty recon.

Setup Tailscale

  1. Head to tailscale.com and set up an account with your OAuth provider of choosing.
  2. Follow the tutorial and set up your first device.
    1. Download and set up the Tailscale app on your phone from the App Store or Google Play Store.
    2. Next, download the Mac or Windows application and connect it as well.
  3. Try it out and ping your VPS/computer from the other:
    ssh <username>@100.x.y.z address>

Great! Now you have secure access and a networked set of devices, but we still need to set up our VPS and lock it down! 🔒

Setting Up Your Recon Box

VPS Configuration

Go through the motions of basic setup. If you already have a VPS, set up feel free to skip this section!

  1. Setup a VPS if you don’t have one already (a $5 VPS is fine).
  2. Log into your VPS provider of choice and spin up a Ubuntu VPS.
  3. SSH to the server with its public IP address:
    root@123.456.789.012
  4. Update the OS:
    apt update -y; apt upgrade -y;
  5. Create a user and add it to the sudo group:
    1. adduser USERNAME
    2. usermod -aG sudo USERNAME
  6. Exit the terminal session and SSH as your new user ssh:
    USERNAME@123.456.789.012

Optional: Install Security Tools

This step is optional and primarily for demonstration purposes. If you’d like to skip this section, create a file on your VPS and call it tailscaledemo.txt

Install your toolkit of choice. We’re gonna keep it simple here and install Amass. If you want to learn how to use Amass, I recommend checking their helpful tutorial.

# Download Amass
wget https://github.com/owasp-amass/amass/releases/download/v4.2.0/amass_Linux_amd64.zip

# Download Unzip
sudo apt-get install unzip

# Unzip Amass
unzip amass_linux_amd64.zip

# Remove the zip
rm amass_linux_amd64.zip

# Rename Amass and move it to PATH folder<
cd amass_linux_amd64
sudo mv amass /usr/local/bin

# Cleanup
cd ..
rm -rf amass

# Add Amass to path
nano ~/.bashrc
export PATH="$PATH:/usr/local/bin" # add to the bottom then save and exit
source ~/.bashrc

# Validate amass is in your PATH
amass -version

Next, select your favorite bounty target from the engagements page.

  1. Select a domain you’d like to target and run an amass scan of your choice with output we can use later on:
    amass enum -passive -d bugcrowd.com -o amass_output.txt
  2. Grab a coffee and wait patiently to review your output:
    cat amass_output.txt

Install Tailscale

Now that you’re familiar with Tailscale, let’s install it on your recon VPS.

  1. Install Tailscale on your VPS:
    curl -fsSL <https://tailscale.com/install.sh> | sh
  2. Start Tailscale and then follow the prompts to connect it to your account:
    sudo tailscale up
  3. Authenticate to your account with the provided URL in your terminal.

Ping one of your other devices connected to Tailscale:
ping mobiledevice

Firewalls 🔥

If you’re familiar with most Linux distros, you’re likely familiar with Uncomplicated FireWall (UFW). Like the name says, it’s a basic firewall that’s more than sufficient for our needs here and it’s installed by default on Ubuntu. Since we’ve set up networking and remote access through Tailscale, our VPS doesn’t need to be public to the whole world anymore. We’ll use some basic firewall rules to achieve this:

Firewall Rules

# Enable firewall rules
sudo ufw default deny incoming # Deny incoming traffic
sudo ufw default allow outgoing # Allow outgoing traffic
sudo ufw allow in on tailscale0 # Allow access through Tailscale

Enable UFW

sudo ufw enable # Enable UFW
sudo ufw status verbose # View verbose UFW rules
sudo ufw reload # Reload UFW
sudo service ssh restart # Restart SSH

Exit your existing SSH session (public IP) and attempt to SSH again. If successful it will timeout.

Reconnect your SSH session with your tailscale hostname/IP address:
ssh drunkrhin0@reconbox

Exit Nodes

Tailscale exit nodes are your egress points in your Tailscale network, allowing you to route all your traffic through a specific device on your Tailnet (your Tailscale network), similar to how a firewall works in traditional networking. Through this process, we’re going to anonymize traffic from our other devices to always appear as the exit node, similar to how consumer VPNs work. The diagram below by Tailscale shows this in an easy to understand way:

  1. Enable IP forwarding on your Ubuntu VPS

For systems that may not use /etc/sysctl.d check the docs here

// Enable IP Forwarding - Linux with /etc/sysctl.d (Ubuntu)
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

 

2. Advertise the VPS as an exit node:
sudo tailscale up --advertise-exit-node

3. Navigate to the Tailscale admin console and you’ll notice there’s an exit-node label under your VPS now. That means we did it correctly. Click the 3 dots and click Edit route settings….

4. Tick the Use as exit node checkbox and click Save.

5. On another Tailscale connected device, select your VPS as an exit node and lookup your public IP address.

Taildrive

Taildrive allows you to share folders with other users and devices on your Tailnet. Remember the Amass scan we just ran? Once configured you can access it from other devices by navigating to: /yourtailnetdomain.com/yourVPS/yourUSER. Let’s go ahead and set it up!

Add Taildrive access policies

  1. Navigate to Access Controls in the admin console.
  2. Add the attributes to enable Taildrive in your policy file. The example below allows every device to share directories and access shared directories:
// Enable Taildrive - Allow all devices to share directories and access shared directories


"nodeAttrs": [
 {
 "target": ["autogroup:member"],
 "attr": [
 "drive:share",
 "drive:access",
 ],
 }
]

 

3. Define sharing permissions below the node attributes you just inserted.

// Enable Taildrive
// Enable broad sharing permissions
"grants": [
  {
    "src": ["*"],
    "dst": ["*"],
    "app": {
      "tailscale.com/cap/drive": [{
        "shares": ["*"],
        "access": "rw"
      }]
    }
  }
]

4. Click Save.

5. Share your VPS directory:
tailscale drive share <share-name> <path>

drunkrhin0@localhost:~$ tailscale drive share reconbox ~/
Sharing "/home/drunkrhin0/" as "reconbox"

Access the Directory (Windows)

If you are using a different OS, check out the docs here

This process is similar to setting up a local network drive. We’re going to strictly follow the official docs below:

  1. Open This PC and select Map network drive (not add a network location)
  2. Configure the following settings:
    1. Drive letter
    2. Folder
    3. Reconnect at sign-in (recommended)
    4. Connect using different credentials

    1. Select Connect to a website. Choose one that you can use to store your documents and pictures
    2. Choose a custom network location:
      http://100.100.100.100:8080
    3. Leave the username and password fields blank and complete the mapping.

3. It will now appear like a normal shared network drive on your computer.

SSH without SSH keys?! 🔑

You don’t need to actually use SSH keys to securely access your server. This is where Tailscale feels like magic 🪄Tailscale SSH allows Tailscale to do the heavy lifting by taking over incoming port 22 connections. It will then authenticate it and encrypt it using tailscale and node keys. Thus, allowing you to create an SSH connection.

Remember above when we advertised the VPS as an exit node? Let’s make a small change to that.

Notice we added -ssh to the command. This tells Tailscale we want to use Tailscale SSH and advertise the VPS as an exit node. Go ahead and execute that command.

  1. Enable SSH and advertise as an exit node:
    tailscale up --ssh --advertise-exit-node
  2.  If a warning appears, that’s ok. Go ahead and add --accept-risk=lose-ssh to the end of it:
    sudo tailscale up --ssh --advertise-exit-node --accept-risk=lose-ssh
  3. You’ll be logged out but that’s ok now! we’re going to use Tailscale SSH instead.
  4. Head back to your admin console and your VPS should now have an SSH tag and an exit node tag.

5. Hover your mouse toward the ellipses (…) and click the SSH button.

Now Tailscale will create another Tailnet node to secure SSH into your server from anywhere!

6. Click SSH and choose the user you’d like to sign in with, click SSH again.

Once you’re authenticated you’ll have your own browser-based SSH session accessible from anywhere! Don’t worry, once you’re finished with your remote shell session, Tailscale will destroy the temporary node you can see.

Conclusion

Congratulations! You’ve now built a secure, flexible, and private recon network using Tailscale. Not only have you streamlined your workflow, but you’ve also gained valuable skills applicable to both offensive and defensive security.

Remember, this is just the beginning. Tailscale offers many more features to explore, and the world of network security is constantly evolving. So, continue to experiment, learn, and adapt these tools to your unique needs.

I hope this guide has empowered you to take your bug bounty hunting and security practices to the next level. Feel free to share your experiences or ask any questions you may have.

Don’t stop here! Go check out the other LevelUp articles here: https://www.bugcrowd.com/resources/levelup/

If you want to continue the discussion, tweet at me, or connect with me on LinkedIn!

Thanks so much to the Bugcrowd team for allowing me to share 🧡

Happy hunting!

Tags: