Without a doubt, tomnomnom is one of my favourite hackers. I look up to his tools and mindset. Recently, I was able to sit down and have a long chat with him. In this podcast, Tom goes into detail and talks about getting started in Bug Bounty, some of his favorite resources and what it’s like to write a tool. If you’re interested, you can browse his tools on his GitHub!
I’ve compiled some of his answers into the blog post below, but I would encourage you to listen to the full audio for more insight!
What is something unique that sets you apart from other bug bounty hunters?
“Unique” I think is difficult because there are so many people in this space, but certainly the thing I am known for is the ability to have a very quick turnaround on a tool. An example that springs to mind is in Vegas last year a couple of hunters came to me and said “Hey do you have a tool that does this really specific thing?”, to which my reply was “No, but I can have one in about 30 minutes!”.
I went over to their desk and asked them exactly what they wanted it to do, and quizzed them about some edge cases that they hadn’t considered, and handed them the finished product half an hour later. They were completely dumbfounded that I was able to do this without Stack Overflow and Google, which, for the record, I do use a lot. I always aspire to try and be good enough that I can get my thoughts into code reasonably efficiently and I think a lot of people for whatever reason kind of stop at the point of being able to make stuff work if they try really hard for a few days. That would restrict me because I would forget what I was trying to do by that stage. I wouldn’t say this skill is unique, but it is definitely what I’m best known for.
Whenever anyone says “hey is there a tool that does xyz?” someone responds with “have you had a look in Tom’s repos?”. That comes up a lot! Because they’re written in half an hour or an hour, they’re usually just sketches, which makes them easy to forget, even for me. I’ve occasionally written the same tool twice, or been asked about a tool that I’d forgotten I’d written.
If you had to do bug bounties all over again with the knowledge that you have now, what would be the first thing that you did?
The answer might not be too useful to everyone, but for me personally, if I was starting all over again I wouldn’t have my tools. So I would write those tools, and I would write them earlier. I didn’t really write anything for the first year or so other than a couple of shell scripts.
I would also get into Burp Suite earlier. Initially, I found it complicated, and I didn’t get into it for about a year or so. What eventually got me going was that I realized I didn’t need to learn it all for it to be useful. I only needed to learn the Proxy and the Repeater features initially, and that was really useful. Before that, I was using Chrome DevTools and curl, which was my repeater, which was okay, but I missed so much stuff.
Do you think you need to be able to code to do bug bounties?
Need is a strong word, and the answer is “no” because there are successful bug bounty hunters who can’t code, or at least they say they can’t! I’ve talked to a few who say “I can’t code”, but they actually can read code. Many bug bounty hunters will say they can’t code, but they actually can bash together some basic scripts and things. I didn’t release any of my code for a long time because I had convinced myself that I wasn’t a very good programmer. Sooner or later I just decided I didn’t care anymore!
Was there a moment that made you decide that you didn’t care? Many people have recently spoken about being inhibited by imposter syndrome.
I think it’s a big mixture of things. Part of it was experience and having lived longer, but I realised that if I continued to care about everything that happened, I would run out of f***s to give! This is a really cliché answer, but having kids also makes you care less, although it is not a prerequisite. I also feel that having some success in my professional life has helped to gain confidence.
If you could only spend two hours each week on bug bounties, what would you spend that time doing?
This is actually not far from the truth, particularly in the last year or so. Personally, I would prioritize enjoyment and exploration. I like hunting down data leaks and the recon side of things. Not subdomain brute-forcing but reading documentation, old blog posts, staff members’ personal GitHub repos, and trying to figure out how things work. Sometimes how the company works, or sometimes how a particular piece of software works.
This method is not necessarily conducive to getting bounties. I don’t get many bounties these days because I’m just having fun and exploring how things work. I don’t want to sound like an old man, but back in the old days of hacking, people hacked simply for enjoyment and to cure a curiosity itch. Back then it was illegal but now people can get paid for it. This leads to people doing bounties with the intention of earning as much money as possible, but this is simply not what I am trying to do.
If the question was “how do I spend two hours maximizing profit” I would spend those two hours automating things.
Out of all the educational hacking resources out there, what would you say had the biggest impact on your bounty hunting?
It’s hard to pick one, and I’m sorry for the vague answer, but I would say “the community”. I think we are all aware that it exists, and spans a few different platforms including Slack and Twitter. I find things through those people via a variety of different online mediums and in person. A lot of people are very keen to share the things they’ve learned and their tools; this is something that I take part in when I can. Not every industry is as open as bug bounties. In the old days many hackers were very secretive because a lot of the stuff they were doing was legally grey, but now people are willing to share things.
If I had to pick one platform, I would say Twitter. People post blog posts or tips on Twitter and then I will investigate them. I bookmark all tweets that look useful. One of my projects is to download all of my bookmarked tweets, starred repos and my Chrome bookmarks, then put them in Elasticsearch. I haven’t done this yet, but I need to do it!
What was the best or most worthwhile investment you’ve ever made?
Learning to effectively use the command line. I learned it largely because I was interested and curious first. There is a certain mystique and nostalgia about text-based interfaces. In The Matrix you see Trinity running Nmap and some SSH exploit and that is all text based. Whenever you see a hacker on the TV it is always text based. I was always curious about how computers worked, and I had the feeling that I would never know if all I ever did was click on icons.