
Recon-Fu @BsidesKyiv 2016


80/20 Rule or «You Cannot Spend Too Much Time Enumerating» – the Recon-Fu for pentesters & bug hunters


  1. 80/20 Rule or «You Cannot Spend Too Much Time Enumerating» – the Recon-Fu for pentesters & bug hunters. Vlad Styran, OSCP, CISSP, CISA
  2. Intro
     • Working in security since 2005
     • Doing IT security, pentests, IT & security audit, appsec, ISM & GRC consulting…
     • For IT companies, cellular carriers, financial service providers, investment banks, insurance, oil & gas, heavy industry, energy…
     • Since 2014: co-founder and COO @berezhasecurity
  3. root@kali:~# man sapran
     • Social engineering assessments & awareness trainings
     • Full-scope penetration tests (red teaming)
     • WebApp/web-service security assessments
     • Occasional CTF organizer and player
     • UISG co-founder, UISGCON organizer
     • Securit13 Podcast founder
     • Blogger, speaker @ cons, event producer
     • Endurance runner
  4. Mission
     • Recap the recon phase in pentests & bug bounties
     • Identify recon goals and purpose
     • Learn recon methods, tools, and principles
     • Watch a demo
  5. Pentest
     1) Plan the project
     2) Run a vuln scanner
     3) Verify something you can
     4) Attempt to exploit it
     5) Generate a report
     6) Take the money
     7) Run away
  6. Good pentest
     1) Agree on the terms
     2) Do proper scoping
     3) Enumerate the scope
     4) Analyze the attack surface
     5) Build the threat model
     6) Execute attack scenarios
     7) Report, present, remediate
     8) Re-test
  7. Bug Bounties: Pentest vs. Bug Bounty
     • Crowdsourcing the security
     • Scopes may be limited or not
     • Find bugs. Many. Fast.
     • Rewards: from kudos to $$
  8. Why recon: reconnaissance is a direct analogy of sharpening the axe before the security assessment
  9. Recon purpose & goals
     • Validate the scope: clients suck at scoping
     • Save time: nmap -p1-65535 0.0.0.0/0 ??
     • Find stuff to hack. Legally. (*.yahoo.com)
     • Cover more ground: running Nessus != pentesting; running Burp != bug hunting
  10. Recon artifacts
     • DNS names & URLs
     • IP addresses & ranges
     • Network services/ports
     • Software and config data: frameworks, versions etc.
     • Locations
     • Contact data: names, nicknames, emails, IM, phone numbers
  11. Recon methodology
     • Search: search for initial artifacts while you can
     • Transform: there are parent and child artifacts
     • Organize: maintain the links between artifacts, and the versioning
     • Log. Backup.
  12. Phase 1: Search
     • Google is your BFF
     • Bing and Yahoo! too
     • Special friends: Shodan, Censys, FOCA, Robtex and similar sites, Nmap, Masscan, Nikto…
  13. Google it
     • Google hacking 4ever: GHDB https://www.exploit-db.com/google-hacking-database/
     • CSE and web search APIs (wait for it…)
     • Bing API rules too
  14. Shodan
  15. Censys
  16. FOCA
  17. theHarvester
  18. Nmap
     • nmap
     • -Pn, -P0
     • -n
     • -sn
     • -sC
     • -oA
     • not -A
     • 529 NSE scripts: discovery, vuln, exploit, fuzzer
  19. Nmap
     • Detect XSS, CSRF, LFI, ../../
     • Discover .git, .svn, backups, comments
     • Identify platforms and framework versions
     • Check default/common/custom creds for popular webapps, e.g. WP, Drupal etc.
     • Check for known vulns and backdoors
     • And many more!
  20. Nmap: discovery
     sudo nmap -n -P0 -p80 -iL hosts.lst \
       --script=http-apache-server-status,http-auth-finder,http-backup-finder,http-comments-displayer,http-default-accounts,http-devframework,http-enum,http-headers,http-mobileversion-checker,http-php-version,http-robots.txt,http-svn-info,http-useragent-tester,http-vhosts,http-webdav-scan,http-xssed \
       -oA nmap_tcp_80_with_scripts
  21. Nmap: exploit
     sudo nmap -n -P0 -p80 -iL hosts.lst \
       --script=http-csrf,http-dombased-xss,http-fileupload-exploiter,http-shellshock,http-stored-xss,http-vuln-cve2006-3392,http-vuln-cve2009-3960,http-vuln-cve2012-1823,http-vuln-cve2013-0156,http-vuln-cve2013-6786,http-vuln-cve2013-7091,http-vuln-cve2014-3704,http-vuln-cve2014-8877 \
       -oA nmap_tcp_80_with_scripts
  22. Masscan
     • masscan
     • -p 80,443,8000-81000
     • --rate 500
     • --banners
     • --nmap
     • Choose rates wisely!
  23. Fuzz!!
     • BurpSuite Intruder
     • SecLists https://github.com/danielmiessler/SecLists
     • Nmap brute NSE scripts
     • DirBuster
     • Kali information gathering tools
     • Python/Scapy
  24. Phase 2: Transform
  25. Transform examples
     • From an email: domain name
     • From a domain name: web-sites, DNS records, IP address
     • From a web-site: documents and metadata
     • From an IP address: IP range, virtual hosts, TCP services
     • From an IP range: live hosts within, routing information, whois information
  26. Transform tools
     • Maltego https://www.paterva.com/
     • Recon-NG https://bitbucket.org/LaNMaSteR53/recon-ng
     • /dev/hands: Python, bash, perl…
  27. Maltego
     • Cool visual graph-based UI
     • Uses transforms to explore data
     • Easily extensible: write your own transforms
     • Costs relatively much but is worth every cent
     • Has a free CE version
  28. recon-ng
     • MSF-like interactive tool
     • Has a CLI
     • Written in Python
     • Easily extensible by modules
     • SQL DB as backend
  29. recon-ng test drive
  30. /dev/hands
     • Bash: grep, sed, awk, sort, wc, pipes etc.
     • Lots of OSS console tools & Kali Linux
     • perl -ne
     • Python: tons of modules, Scapy
     • Stack Overflow
  31. Phase 3: Organize
     • OneNote: was the coolest, now online
     • CherryTree: old, Linux-only
     • Evernote: cool, but offline costs money
     • Growly Notes: /me using now. Mac only.
     • Casefile: coolest for investigations, now free, Java.
     • Xmind: basic feature set is free, Java.
  32. And now… the demo!
     • Maltego: low and medium scale goodness; a nice and elegant way to beat the crap out of your scope.
     • Recon-ng: writing your own module (the right way); demo of masscan to probe for TCP ports.
     • Nmap: nmap -sC after all the initial scope recon.
  33. Actual recon of *.yahoo.com
     • Initial scoping with Maltego
     • Scanning the IP ranges for live hosts with Nmap
     • Using Masscan to find open TCP ports
     • Using Nmap to collect TCP service information
  34. Wrap it up
     • Increase the quality as you recon: data in, info out; info in, knowledge out.
     • Search for similar things others did: GitHub, Stack Overflow, Google…
     • Script and automate everything
     • Share with the community
     • Try harder. Keep it simple.
  35. References
     • Maltego https://www.paterva.com/web7/buy/maltego-clients.php
     • Recon-NG https://bitbucket.org/LaNMaSteR53/recon-ng
     • Nmap NSE scripts https://nmap.org/nsedoc/
     • Shodan https://www.shodan.io
     • Censys https://censys.io
     • theHarvester https://github.com/laramies/theHarvester
     • FOCA https://www.elevenpaths.com/labstools/foca/
     • Masscan https://github.com/robertdavidgraham/masscan
     • SecLists https://github.com/danielmiessler/SecLists
     • Growly Notes http://www.growlybird.com/notes/
     • Yahoo Bug Bounty https://hackerone.com/yahoo
     • GHDB https://www.exploit-db.com/google-hacking-database/
  36. Contact me
     • https://blog.styran.com/aboutme/
     • https://keybase.io/sapran
     • @saprand
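The search/transform/organize model of slides 11 and 25 as an added example, not code from the talk nor from Maltego or recon-ng: artifacts are typed values, each transform turns one parent artifact into child artifacts, and every child keeps a link back to its parent so the chain can be replayed. The DNS answers and the live-host set are constructed lookup tables standing in for real lookups, and the domain and addresses are documentation-reserved placeholders.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass
# Constructed lookup tables standing in for DNS answers and host-discovery results.
DNS = {
    "example.org": {"A": ["203.0.113.10"], "MX": ["mail.example.org"]},
    "mail.example.org": {"A": ["203.0.113.25"]},
}
LIVE_HOSTS = {"203.0.113.10", "203.0.113.25", "203.0.113.40"}

@dataclass(frozen=True)
class Artifact:
    kind: str    # email | domain | dns | ip | range | host
    value: str

# Transforms: each takes one parent artifact and yields its child artifacts.
def from_email(a):
    yield Artifact("domain", a.value.split("@", 1)[1].lower())
def from_domain(a):
    for rtype, values in DNS.get(a.value, {}).items():
        for v in values:
            yield Artifact("dns", f"{a.value} {rtype} {v}")
            yield Artifact("ip" if rtype == "A" else "domain", v)
def from_ip(a):
    yield Artifact("range", str(ipaddress.ip_network(a.value + "/24", strict=False)))
def from_range(a):
    net = ipaddress.ip_network(a.value)
    for ip in sorted(LIVE_HOSTS):
        if ipaddress.ip_address(ip) in net:
            yield Artifact("host", ip)
TRANSFORMS = {"email": from_email, "domain": from_domain, "ip": from_ip, "range": from_range}

def run_recon(seed):
    """Breadth-first expansion; returns {artifact: parent} so every link is kept."""
    parent = {seed: None}
    queue = deque([seed])
    while queue:
        art = queue.popleft()
        for child in TRANSFORMS.get(art.kind, lambda _a: ())(art):
            if child not in parent:      # dedupe; the first parent seen is kept
                parent[child] = art
                queue.append(child)
    return parent

def provenance(parent, art):
    """Chain from the seed down to art, e.g. email -> domain -> ip -> range -> host."""
    chain = []
    while art is not None:
        chain.append(art)
        art = parent[art]
    return chain[::-1]
```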

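The masscan-then-nmap pipeline of slides 22 and 33, done /dev/hands style as in slide 30, as an added example that is not from the talk: parse masscan's list output (the -oL format), collect the open TCP ports per host, and build one targeted nmap command per host using the -n, -Pn, -sC and -oA flags from slide 18. The masscan output is constructed sample data with documentation-reserved addresses; the duplicate and UDP lines are there to show they are handled.

```python
import re
from collections import defaultdict

# Constructed masscan -oL (list format) output: "state proto port ip timestamp" per line.
MASSCAN_OL = """\
#masscan
open tcp 80 203.0.113.10 1463000001
open tcp 443 203.0.113.10 1463000001
open tcp 22 203.0.113.25 1463000002
open tcp 8080 203.0.113.40 1463000003
open tcp 80 203.0.113.10 1463000004
open udp 53 203.0.113.25 1463000005
# end
"""

LINE_RE = re.compile(r"^(open|closed) (tcp|udp) (\d+) (\d+\.\d+\.\d+\.\d+) \d+$")

def parse_masscan_list(text):
    """Map ip -> sorted unique open TCP ports; comment lines, closed and UDP entries are skipped."""
    found = defaultdict(set)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) != "open" or m.group(2) != "tcp":
            continue
        found[m.group(4)].add(int(m.group(3)))
    return {ip: sorted(ports) for ip, ports in found.items()}

def nmap_commands(per_host, prefix="nmap_sC"):
    """One nmap line per host: -n -Pn -sC on just the ports masscan saw open, every output format via -oA."""
    return [
        f"nmap -n -Pn -sC -p {','.join(map(str, per_host[ip]))} -oA {prefix}_{ip} {ip}"
        for ip in sorted(per_host, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    ]
```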