3. About Me – Abhisek Datta
• Head of Technology (appsecco.com)
  • A boutique security consulting company
• TechWing @ null0x00 (null.co.in)
  • An Open Security Community
• Security Researcher
  • Discovered vulnerabilities in MS Office, Internet Explorer, HP SiteScope etc.
• Open Source Contributor
  • Wireplay, RbWinDBG etc.
github.com/abhisek
5. Let's start with how attackers work
An attacker who wants to compromise a target will typically work through the following activities:
1. Online Attack Surfaces
2. Breached Credentials
3. Known Vulnerable Software
4. (Easy to?) exploit security vulnerabilities
8. What Attackers See – Domain Enumeration
• Your-Company.com
  • Who is the registrar
  • Where is it hosted
  • Self-hosted or managed e-mail service
  • External help desk services
  • 3rd party services
whois
whois your-company.com
whois <IP>
dig
dig your-company.com NS
dig @NS1 your-company.com MX
dig @NS1 your-company.com TXT
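The MX and TXT answers from the dig queries above are where the managed e-mail, help desk and third-party services on this slide become visible. The following added example (not the author's tooling) turns constructed MX and SPF record values into the kind of inventory a defender should keep of their own domain; the provider mapping is a hypothetical starting table.

```python
"""Summarise what a domain's MX and TXT (SPF) records disclose about its
e-mail setup and third-party senders. Record values are constructed samples
in the shape `dig ... MX` / `dig ... TXT` prints them, not real lookups."""

# Constructed sample answers for a fictional your-company.com.
SAMPLE_RECORDS = {
    "MX": ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com."],
    "TXT": [
        '"v=spf1 include:_spf.google.com include:mail.zendesk.com ip4:203.0.113.10 -all"',
        '"google-site-verification=abc123"',
    ],
}

# Hypothetical mapping from host suffixes to the service they imply.
KNOWN_PROVIDERS = {
    "google.com": "Google Workspace (managed e-mail)",
    "zendesk.com": "Zendesk (external help desk)",
    "outlook.com": "Microsoft 365 (managed e-mail)",
}

SPF_POLICIES = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass-all (weak)"}


def classify_host(host):
    """Map a mail host or SPF include target to a known provider, else flag it."""
    host = host.rstrip(".").lower()
    for suffix, label in KNOWN_PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return "unrecognised / possibly self-hosted: " + host


def parse_spf(txt_records):
    """Return the SPF mechanisms, or None when no SPF record is published."""
    for rec in txt_records:
        value = rec.strip('"')
        if value.lower().startswith("v=spf1"):
            return value.split()[1:]
    return None


def dns_exposure(records):
    """Build the inventory of providers and sender ranges the records reveal."""
    findings = {"mail_providers": set(), "spf_includes": set(), "spf_ip_ranges": [], "spf_policy": None}
    for mx in records.get("MX", []):
        _priority, host = mx.split(None, 1)
        findings["mail_providers"].add(classify_host(host))
    spf = parse_spf(records.get("TXT", []))
    if spf is None:
        findings["spf_policy"] = "missing"  # no SPF: mail from this domain cannot be validated
        return findings
    for mech in spf:
        if mech.startswith("include:"):
            findings["spf_includes"].add(classify_host(mech[len("include:"):]))
        elif mech.startswith(("ip4:", "ip6:")):
            findings["spf_ip_ranges"].append(mech.split(":", 1)[1])  # directly operated senders
        elif mech.endswith("all"):
            findings["spf_policy"] = SPF_POLICIES.get(mech, mech)
    return findings
```

Running `dns_exposure(SAMPLE_RECORDS)` lists Google Workspace as the mail provider, Zendesk as an SPF-authorised third party, one self-operated sender range and a hard-fail SPF policy; a missing record or a `+all` policy is reported so it can be fixed.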
9. What Attackers See – Subdomain Enumeration
• Your-Company.com
• Host-1
• Host-2
• Host-3
• Etc.
amass enum -passive -d your-company.com
amass intel -whois -d your-company.com
10. What Attackers See – Email Enumeration
• Your-Company.com
• u1@your-company.com
• u2@your-company.com
• u3@your-company.com
• u4@your-company.com
• Etc.
Hunter.io
theHarvester
Many more …
24. Staying Safe
Threat | What can I do about it?
Attacker able to identify host names | Ensure all hosts exposed online are patched
Attacker able to discover email addresses | Enforce a strong password policy along with the use of password managers
Attacker able to discover breached credentials from public password dumps | Enforce 2FA where possible; subscribe to breach notifications and rotate passwords
Attacker able to discover applications | Follow AppSec best practices: OWASP Testing Guide, OWASP Secure Coding Practices, OWASP Proactive Security Controls
Attacker able to discover my application technology and dependencies | Ensure regular patching of the application framework and external dependencies
Attacker able to discover untracked or long forgotten online assets | Asset inventory; Infrastructure as Code; Auditing, Logging and Alerting
25. Interested in Discovering Your Internet Exposure?
Fill in the form below by 4pm today and we will share the results with you by 21 August 2019.
https://bit.ly/31Jl7ed