Mohd Arif
Security enthusiast
Chapter leader of Null
Volunteer at OWASP chapter
Free time bug bounty hunter + VAPT
Twitter: @Zero0x00
Email: zero0x00@protonmail.com
Recon (we look for)
- Any sensitive info: documents, metadata, records
- Credentials such as emails, passwords, API keys
- Info about domains, IP ranges
- Architecture
Through search engines
- Searching over Google, Bing, online safari
- Using advanced operators for filtering
site: (vertical domain)
ip: (horizontal domain) if the target is on shared hosting
inurl:
VirusTotal (runs its own passive DNS)
viewdns.info
pentest-tools.com
Certificate Transparency (CT), in short, is meant to log, audit, and monitor certificates that Certificate Authorities (CAs) issue
Anyone can look through the CT logs and find certificates issued for a domain
An SSL/TLS certificate usually contains domain names, sub-domain names and email addresses. This makes them a treasure trove of information for attackers.
There are various search engines that collect the CT logs. We can easily search through them just like how we can Google anything.
- Once a certificate is logged, there is no way to delete it
- A domain name found in a CT log might not exist any more, but the entry can't be removed
As we see, these return some domains that do not resolve,
so we combine CT logs with massdns
USING CERTSPOTTER
This service provides not only vertical but also horizontal correlation
CertDB is based on scanning IPv4 segments and domains and "finding & analyzing" all the certificates
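As an added example (not code from the original slides), a small Python script that does the CT-plus-resolver step just described for auditing your own domain's exposure: it parses a crt.sh-style JSON response (constructed sample data; the assumed shape is a list of objects whose `name_value` field holds newline-separated SANs), collects the unique hostnames under the target apex, and resolves each one to separate live hosts from stale log entries that no longer exist.

```python
import json
import socket

# Constructed sample in the shape crt.sh returns for ?q=%.example.com&output=json
# (only the name_value field is used; all values are made up for this example).
SAMPLE_CT_JSON = """[
  {"name_value": "www.example.com\\nexample.com"},
  {"name_value": "*.dev.example.com"},
  {"name_value": "old-cms.example.com"},
  {"name_value": "mail.example.com"},
  {"name_value": "example.com.evil.test"}
]"""


def hostnames_from_ct(ct_json: str, apex: str) -> set:
    """Return the unique hostnames under `apex` seen in a crt.sh JSON response.

    One entry may list several SANs separated by newlines, and wildcard
    names (*.x) are reduced to their base name so they can be resolved.
    The suffix check uses "." + apex so that look-alike names such as
    example.com.evil.test are not mistaken for in-scope hosts.
    """
    hosts = set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().lstrip("*.")  # "*.dev.x" -> "dev.x"
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
    return hosts


def split_resolved(hosts, resolve=None):
    """Split hosts into (resolved, dangling) sets.

    `resolve(host)` must return an address or raise socket.gaierror/OSError;
    it defaults to a live DNS lookup, and can be swapped for massdns output
    or a fake resolver in tests. Dangling names are the stale CT entries.
    """
    if resolve is None:
        resolve = socket.gethostbyname
    resolved, dangling = set(), set()
    for host in sorted(hosts):
        try:
            resolve(host)
            resolved.add(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            dangling.add(host)
    return resolved, dangling
```

Running `split_resolved(hostnames_from_ct(SAMPLE_CT_JSON, "example.com"))` against real DNS lists which logged names still resolve and which are stale.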
dig @ns.example.com example.com AXFR
Best practice advises administrators to allow AXFR requests only from authorized DNS servers, so the above technique will probably not work. But if it does, you have found a goldmine.
One of the most popular open source tools for subdomain enumeration is called Sublist3r. It aggregates output from many different sources, including Google, crt.sh, VirusTotal, etc.
- It does not validate whether the domains it returns actually exist
command-
python sublist3r.py -d example.com
publicly provides its Forward DNS study/dataset on the scans.io repository. The DNS dataset aims to discover all domains found on the Internet
Searching for vulnerable CMS
When setting up a CMS like Joomla, SilverStripe, Cushy, etc., there is a window of time where the installer has no form of authentication
- If you use HTTPS, the new host's certificate will end up in a CT log
- An attacker who finds such an unauthenticated installer while searching through CT logs can take over the server
This attack was demoed by Hanno Böck at DEF CON 25
- Same service as CertDB
- SSL certificates
- Good source of domains & email addresses
- It contains a large amount of data, which probably any attacker wants
- Users even store their passwords in plain text on 3rd-party services
Attackers search for open/publicly available S3 buckets
- Each bucket gets a unique URL
Google dork
- site:s3.amazonaws.com filetype:pdf
We can also do a dictionary-based attack with tools like AWSBucketDump and Slurp
Popular VC (Version Control)
Code repo
Github section
+ Repo
+ code
+ Commits
+ Issues
Look for