80/20 Rule
or «You Cannot Spend
Too Much Time Enumerating»
the Recon-Fu for pentesters & bug hunters
Vlad Styran
OSCP CISSP CISA
Intro
• Working in security since 2005
• Doing IT security, pentests, IT &
security audit, appsec, ISM & RGC
consulting…
• For IT companies, cellular carriers,
financial service providers,
investment banks, insurance, oil &
gas heavy industry, energy…
• Starting 2014 – co-founder and
COO @berezhasecurity
root@kali:~# man sapran
• Social Engineering assessments & awareness trainings
• Full scope penetration tests (red-teaming)
• WebApp/web-service security assessments
• Occasional CTF organizer and player
• UISG co-founder, UISGCON organizer
• Securit13 Podcast founder
• Blogger, speaker @ cons, event producer
• Endurance runner
Mission
• Recap the recon phase in pentests & bug bounties
• Identify recon goals and purpose
• Learn recon methods, tools, and principles
• Watch a demo
Pentest
1. Plan the project
2. Run a vuln scanner
3. Verify something you can
4. Attempt to exploit it
5. Generate a report
6. Take the money
7. Run away
Good pentest
1. Agree on the terms
2. Do proper scoping
3. Enumerate the scope
4. Analyze the attack surface
5. Build the threat model
6. Execute attack scenarios
7. Report, present, remediate
8. Re-test
Bug Bounties
Pentest vs. Bug Bounty
• Crowdsourcing the security
• Scopes may be limited or not
• Find bugs. Many. Fast.
• Rewards: from kudos to $$
Why recon
Reconnaissance is a direct analogy
of sharpening the axe before the security assessment
Recon
purpose & goals
• Validate the scope
Clients suck at scoping
• Save time
nmap -p1-65535 0.0.0.0/0 ??
• Find stuff to hack. Legally.
*.yahoo.com
• Cover more ground
Running Nessus != pentesting
Running Burp != bug hunting
Recon
artifacts
• DNS names & URLs
• IP addresses & ranges
• Network services/ports
• Software and config data
Frameworks, versions etc.
• Locations
• Contact data
Names, nicknames
Emails, IM, phone numbers
Recon
methodology
• Search
Search for initial artifacts while
you can
• Transform
There are parent and child
artifacts
• Organize
Maintain the links between
artifacts, and the versioning
• Log. Backup.
Phase 1: Search
• Google is your BFF
• Bing and Yahoo! too
• Special friends:
• Shodan
• Censys
• FOCA
• Robtex and similar sites
• Nmap, Masscan, Nikto…
Google it
• Google hacking 4ever
GHDB: https://www.exploit-db.com/google-hacking-database/
• CSE and web search APIs
Wait for it…
• Bing API rules too
Shodan
Censys
FOCA
theHarvester
Nmap
• nmap
• -Pn, -P0
• -n
• -sn
• -sC
• -oA
• !-A
• 529 NSE scripts
discovery, vuln, exploit, fuzzer
Nmap
• Detect XSS, CSRF, LFI, ../../
• Discover .git, .svn, backups,
comments
• Identify platforms and
frameworks versions
• Check default/common/custom
creds for popular webapps e.g.
WP, Drupal etc.
• Check for known vulns and
backdoors
• And many more!
Nmap: discovery
sudo nmap -n -P0 -p80 -iL hosts.lst \
  --script=http-apache-server-status,http-auth-finder,http-backup-finder,\
http-comments-displayer,http-default-accounts,http-devframework,http-enum,\
http-headers,http-mobileversion-checker,http-php-version,http-robots.txt,\
http-svn-info,http-useragent-tester,http-vhosts,http-webdav-scan,http-xssed \
  -oA nmap_tcp_80_with_scripts
Nmap: exploit
sudo nmap -n -P0 -p80 -iL hosts.lst \
  --script=http-csrf,http-dombased-xss,http-fileupload-exploiter,http-shellshock,\
http-stored-xss,http-vuln-cve2006-3392,http-vuln-cve2009-3960,http-vuln-cve2012-1823,\
http-vuln-cve2013-0156,http-vuln-cve2013-6786,http-vuln-cve2013-7091,\
http-vuln-cve2014-3704,http-vuln-cve2014-8877 \
  -oA nmap_tcp_80_with_scripts
Masscan
• masscan
• -p 80,443,8000-8100
• --rate 500
• --banners
• --nmap
• Choose rates wisely!
Fuzz!!
• BurpSuite Intruder
• SecLists
https://github.com/danielmiessler/SecLists
• Nmap brute NSE scripts
• DirBuster
• Kali information gathering
tools
• Python/Scapy
Phase 2: Transform
Transform examples
• From an email
  ✓ Domain name
• From a domain name
  ✓ Web-sites
  ✓ DNS records
  ✓ IP address
• From a web-site
  ✓ Documents and metadata
• From an IP address
  ✓ IP range
  ✓ Virtual hosts
  ✓ TCP services
• From an IP range
  ✓ Live hosts within
  ✓ Routing information
  ✓ Whois information
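The parent/child artifact transforms listed above, and the "Organize: maintain the links between artifacts" rule, as an added Python example (not code from the slides or from Maltego/recon-ng). The DNS table is constructed so the script runs offline; a real engagement would replace it with live DNS and whois lookups, and the /24 guess for an IP's range is a placeholder for the whois-reported netblock.

```python
"""Minimal artifact graph for the Search -> Transform -> Organize loop."""
import ipaddress
import re
from collections import deque

# Constructed lookup table standing in for live DNS (assumption: offline demo;
# addresses are from the RFC 5737 documentation ranges, not real targets).
DNS_TABLE = {
    "example.org": {"A": ["203.0.113.10"], "MX": ["mail.example.org"],
                    "NS": ["ns1.example.org"]},
    "mail.example.org": {"A": ["203.0.113.25"]},
    "ns1.example.org": {"A": ["198.51.100.53"]},
}
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


class Artifact:
    """One recon artifact plus the link to the artifact it was derived from."""

    def __init__(self, kind, value, parent=None):
        self.kind, self.value, self.parent = kind, value, parent
        self.children = []

    def __repr__(self):
        return f"{self.kind}:{self.value}"


# --- transforms: each takes a parent artifact and yields (kind, value) children ---
def email_to_domain(a):
    m = EMAIL_RE.match(a.value)
    if m:
        yield "domain", m.group(1).lower()


def domain_to_records(a):
    # A records become IP artifacts; MX/NS targets are new domain artifacts
    for rtype, values in DNS_TABLE.get(a.value, {}).items():
        for v in values:
            yield ("ip" if rtype == "A" else "domain"), v


def ip_to_range(a):
    # Assumption: use the enclosing /24 as the candidate range when no whois
    # netblock is available; replace with the whois-reported block in practice.
    net = ipaddress.ip_network(f"{a.value}/24", strict=False)
    yield "range", str(net)


TRANSFORMS = {"email": [email_to_domain],
              "domain": [domain_to_records],
              "ip": [ip_to_range]}


def expand(seed_kind, seed_value):
    """Apply transforms until no new artifacts appear; returns {kind:value -> Artifact}."""
    root = Artifact(seed_kind, seed_value)
    graph = {repr(root): root}
    queue = deque([root])
    while queue:
        a = queue.popleft()
        for transform in TRANSFORMS.get(a.kind, []):
            for kind, value in transform(a):
                key = f"{kind}:{value}"
                if key in graph:  # already known: keep one node per artifact
                    continue
                child = Artifact(kind, value, parent=a)
                a.children.append(child)
                graph[key] = child
                queue.append(child)
    return graph


def lineage(graph, key):
    """Walk parent links back to the seed so every finding stays attributable."""
    chain, a = [], graph[key]
    while a is not None:
        chain.append(repr(a))
        a = a.parent
    return list(reversed(chain))


if __name__ == "__main__":
    g = expand("email", "ops@example.org")
    for key in g:
        print(" -> ".join(lineage(g, key)))
```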
Transform tools
• Maltego
https://www.paterva.com/
• Recon-NG
https://bitbucket.org/LaNMaSteR53/recon-ng
• /dev/hands
Python, bash, perl…
Maltego
• Cool visual graph-based UI
• Uses transforms to explore data
• Easily extensible: write your
own transforms
• Costs relatively much but is
worth every cent
• Has a free CE version
recon-ng
• MSF-like interactive tool
• Has a CLI
• Written in Python
• Easily extensible by modules
• SQL DB as backend
recon-ng test drive
/dev/hands
• Bash: grep, sed, awk, sort,
wc, pipes etc.
• Lots of OSS console tools &
Kali Linux
• perl -ne
• Python
• Tons of modules
• Scapy
• Stack Overflow
Phase 3: Organize
• OneNote
Was the coolest, now
online
• CherryTree
Old, Linux-only
• Evernote
Cool, but offline costs
money
• Growly Notes
/me using now. Mac only.
• Casefile
Coolest for investigations,
now free, Java.
• Xmind
Basic feature set is free,
Java.
And now… the demo!
• Maltego
• Low and medium scale goodness.
• Nice and elegant way to beat the crap out of your scope.
• Recon-ng
• Writing your own module (the right way).
• Demo of masscan to probe for tcp ports.
• Nmap
• nmap -sC after all the initial scope recon.
Actual recon of
*.yahoo.com
• Initial scoping with Maltego
• Scanning the IP ranges for live hosts with Nmap
• Using Masscan to find open TCP ports
• Using Nmap to collect TCP service information
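The Masscan-to-Nmap handoff in the steps above, as an added Python example (not code from the slides): it parses Masscan's -oL list output, keeps only open TCP ports per host, and emits one targeted nmap -sC/-sV run per host so the slower scan only touches ports Masscan already saw open. The sample output is constructed in Masscan's list format with documentation-range addresses.

```python
"""Turn masscan -oL output into per-host nmap -sC/-sV commands."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample in masscan's -oL list format ("open <proto> <port> <ip> <ts>");
# banner lines, comments, UDP hits and duplicates are present on purpose.
SAMPLE_OL = """\
#masscan
open tcp 443 203.0.113.5 1466000000
open tcp 80 203.0.113.5 1466000001
banner tcp 443 203.0.113.5 1466000002 ssl TLS/1.2 cipher:placeholder
open tcp 8080 203.0.113.7 1466000003
open udp 161 203.0.113.7 1466000004
open tcp 443 203.0.113.5 1466000005
# end
"""


def parse_masscan_list(text):
    """Return {ip: sorted unique open TCP ports}; everything else is skipped."""
    ports = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "open" or fields[1] != "tcp":
            continue
        try:
            port = int(fields[2])
            ipaddress.ip_address(fields[3])  # reject malformed address fields
        except ValueError:
            continue
        if 1 <= port <= 65535:
            ports[fields[3]].add(port)
    return {ip: sorted(p) for ip, p in ports.items()}


def _ip_key(s):
    a = ipaddress.ip_address(s)
    return (a.version, int(a))


def nmap_commands(hosts, prefix="nmap_tcp"):
    """One nmap run per host, limited to the ports masscan reported open."""
    cmds = []
    for ip in sorted(hosts, key=_ip_key):
        plist = ",".join(str(p) for p in hosts[ip])
        out = f"{prefix}_{ip.replace('.', '_').replace(':', '_')}"
        cmds.append(f"nmap -n -Pn -sC -sV -p {plist} -oA {shlex.quote(out)} {ip}")
    return cmds


if __name__ == "__main__":
    for cmd in nmap_commands(parse_masscan_list(SAMPLE_OL)):
        print(cmd)
```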
Wrap it up
• Increase the quality as you recon
Data in – info out; info in – knowledge out.
• Search for similar things others did.
GitHub, Stack Overflow, Google…
• Script and automate everything
• Share with the community
• Try harder. Keep it simple.
References
• Maltego
https://www.paterva.com/web7/buy/maltego-clients.php
• Recon-NG
https://bitbucket.org/LaNMaSteR53/recon-ng
• Nmap NSE scripts
https://nmap.org/nsedoc/
• https://www.shodan.io
• https://censys.io
• theHarvester
https://github.com/laramies/theHarvester
• FOCA
https://www.elevenpaths.com/labstools/foca/
• Masscan
https://github.com/robertdavidgraham/masscan
• SecLists
https://github.com/danielmiessler/SecLists
• Growly Notes
http://www.growlybird.com/notes/
• Yahoo Bug Bounty
https://hackerone.com/yahoo
• GHDB https://www.exploit-db.com/google-hacking-database/
Contact me
• https://blog.styran.com/aboutme/
• https://keybase.io/sapran
• @saprand

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 

Recon-Fu @BsidesKyiv 2016

• 1. 80/20 Rule or «You Cannot Spend Too Much Time Enumerating»
  the Recon-Fu for pentesters & bug hunters
  Vlad Styran, OSCP CISSP CISA
• 2. Intro
  • Working in security since 2005
  • Doing IT security, pentests, IT & security audit, appsec, ISM & RGC consulting…
  • For IT companies, cellular carriers, financial service providers, investment banks, insurance, oil & gas heavy industry, energy…
  • Starting 2014 – co-founder and COO @berezhasecurity
• 3. root@kali:~# man sapran
  • Social Engineering assessments & awareness trainings
  • Full scope penetration tests (red-teaming)
  • WebApp/web-service security assessments
  • Occasional CTF organizer and player
  • UISG co-founder, UISGCON organizer
  • Securit13 Podcast founder
  • Blogger, speaker @ cons, event producer
  • Endurance runner
• 4. Mission
  • Recap the recon phase in pentests & bug bounties
  • Identify recon goals and purpose
  • Learn recon methods, tools, and principles
  • Watch a demo
• 5. Pentest
  1. Plan the project
  2. Run a vuln scanner
  3. Verify something you can
  4. Attempt to exploit it
  5. Generate a report
  6. Take the money
  7. Run away
• 6. Good pentest
  1. Agree on the terms
  2. Do proper scoping
  3. Enumerate the scope
  4. Analyze the attack surface
  5. Build the threat model
  6. Execute attack scenarios
  7. Report, present, remediate
  8. Re-test
• 7. Bug Bounties
  Pentest vs. Bug Bounty
  • Crowdsourcing the security
  • Scopes may be limited or not
  • Find bugs. Many. Fast.
  • Rewards: from kudos to $$
• 8. Why recon
  Reconnaissance is a direct analogy of sharpening the axe before the security assessment
• 9. Recon purpose & goals
  • Validate the scope
    Clients suck at scoping
  • Save time
    nmap -p1-65535 0.0.0.0/0 ??
  • Find stuff to hack. Legally.
    *.yahoo.com
  • Cover more ground
    Running Nessus != pentesting
    Running Burp != bug hunting
• 10. Recon artifacts
  • DNS names & URLs
  • IP addresses & ranges
  • Network services/ports
  • Software and config data
    Frameworks, versions etc.
  • Locations
  • Contact data
    Names, nicknames
    Emails, IM, phone numbers
• 11. Recon methodology
  • Search
    Search for initial artifacts while you can
  • Transform
    There are parent and child artifacts
  • Organize
    Maintain the links between artifacts, and the versioning
  • Log. Backup.
• 12. Phase 1: Search
  • Google is your BFF
  • Bing and Yahoo! too
  • Special friends:
    • Shodan
    • Censys
    • FOCA
    • Robtex and similar sites
    • Nmap, Masscan, Nikto…
• 13. Google it
  • Google hacking 4ever
    GHDB: https://www.exploit-db.com/google-hacking-database/
  • CSE and web search APIs
    Wait for it…
  • Bing API rules too
• 16. FOCA
• 18. Nmap
  • nmap
  • -Pn, -P0
  • -n
  • -sn
  • -sC
  • -oA
  • !-A
  • 529 NSE scripts
    discovery, vuln, exploit, fuzzer
• 19. Nmap
  • Detect XSS, CSRF, LFI, ../../
  • Discover .git, .svn, backups, comments
  • Identify platform and framework versions
  • Check default/common/custom creds for popular webapps, e.g. WP, Drupal etc.
  • Check for known vulns and backdoors
  • And many more!
• 20. Nmap: discovery
  sudo nmap -n -P0 -p80 -iL hosts.lst \
    --script=http-apache-server-status,http-auth-finder,http-backup-finder,http-comments-displayer,http-default-accounts,http-devframework,http-enum,http-headers,http-mobileversion-checker,http-php-version,http-robots.txt,http-svn-info,http-useragent-tester,http-vhosts,http-webdav-scan,http-xssed \
    -oA nmap_tcp_80_with_scripts
• 21. Nmap: exploit
  sudo nmap -n -P0 -p80 -iL hosts.lst \
    --script=http-csrf,http-dombased-xss,http-fileupload-exploiter,http-shellshock,http-stored-xss,http-vuln-cve2006-3392,http-vuln-cve2009-3960,http-vuln-cve2012-1823,http-vuln-cve2013-0156,http-vuln-cve2013-6786,http-vuln-cve2013-7091,http-vuln-cve2014-3704,http-vuln-cve2014-8877 \
    -oA nmap_tcp_80_with_scripts
• 22. Masscan
  • masscan
  • -p 80,443,8000-81000
  • --rate 500
  • --banners
  • --nmap
  • Choose rates wisely!
• 23. Fuzz!!
  • BurpSuite Intruder
  • SecLists https://github.com/danielmiessler/SecLists
  • Nmap brute NSE scripts
  • DirBuster
  • Kali information gathering tools
  • Python/Scapy
• 25. Transform examples
  • From an email
    ✓ Domain name
  • From a domain name
    ✓ Web-sites
    ✓ DNS records
    ✓ IP address
  • From a web-site
    ✓ Documents and metadata
  • From an IP address
    ✓ IP range
    ✓ Virtual hosts
    ✓ TCP services
  • From an IP range
    ✓ Live hosts within
    ✓ Routing information
    ✓ Whois information
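To show the Transform and Organize phases from slides 11 and 25 in working code, here is an added example (not from the deck, and not Maltego or recon-ng code): a small artifact graph in which every child artifact keeps a link to its parent and to the transform that produced it. Only offline transforms are included; the DNS, whois and document-metadata transforms on the slide need network access and are left out, and the /24 range guess and the subdomain-stripping heuristic are assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

Artifact = namedtuple("Artifact", "kind value")   # kind: email/domain/website/ip/iprange

class ReconGraph:
    def __init__(self):
        self.nodes = set()
        self.edges = []   # (child, parent, transform name): provenance of each artifact

    def add(self, child, parent=None, via=None):
        self.nodes.add(child)
        if parent is not None:
            self.edges.append((child, parent, via))
        return child

    def lineage(self, artifact):   # follow parent links back to the seed artifact
        parents = {c: p for c, p, _ in self.edges}
        chain = [artifact]
        while chain[-1] in parents:
            chain.append(parents[chain[-1]])
        return chain

# Offline transforms: each maps one parent artifact to its child artifacts.
def email_to_domain(a):
    return [Artifact("domain", a.value.rsplit("@", 1)[1].lower())] if "@" in a.value else []

def website_to_domain(a):   # strip scheme, port and path from a URL
    host = a.value.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return [Artifact("domain", host.lower())]

def domain_to_parent(a):    # www.example.test -> example.test (naive label stripping)
    labels = a.value.split(".")
    return [Artifact("domain", ".".join(labels[1:]))] if len(labels) > 2 else []

def ip_to_range(a, prefix=24):   # assumed /24; whois would give the real allocation
    return [Artifact("iprange", str(ipaddress.ip_network(f"{a.value}/{prefix}", strict=False)))]

TRANSFORMS = {"email": [email_to_domain], "website": [website_to_domain],
              "domain": [domain_to_parent], "ip": [ip_to_range]}

def expand(graph, seed):   # apply every applicable transform recursively, keeping the links
    frontier = [graph.add(seed)]
    while frontier:
        parent = frontier.pop()
        for transform in TRANSFORMS.get(parent.kind, []):
            for child in transform(parent):
                if child not in graph.nodes:
                    frontier.append(graph.add(child, parent, transform.__name__))
    return graph
```

Because each edge records the transform name, `lineage()` answers "where did this artifact come from" for the report, which is the point of the Organize phase.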
• 26. Transform tools
  • Maltego https://www.paterva.com/
  • Recon-NG https://bitbucket.org/LaNMaSteR53/recon-ng
  • /dev/hands
    Python, bash, perl…
• 27. Maltego
  • Cool visual graph-based UI
  • Uses transforms to explore data
  • Easily extensible: write your own transforms
  • Relatively expensive, but worth every cent
  • Has a free CE version
• 28. recon-ng
  • MSF-like interactive tool
  • Has a CLI
  • Written in Python
  • Easily extensible by modules
  • SQL DB as backend
• 30. /dev/hands
  • Bash: grep, sed, awk, sort, wc, pipes etc.
  • Lots of OSS console tools & Kali Linux
  • perl -ne
  • Python
    • Tons of modules
    • Scapy
  • Stack Overflow
• 31. Phase 3: Organize
  • OneNote
    Was the coolest, now online
  • CherryTree
    Old, Linux-only
  • Evernote
    Cool, but offline costs money
  • Growly Notes
    /me using now. Mac only.
  • Casefile
    Coolest for investigations, now free, Java.
  • Xmind
    Basic feature set is free, Java.
• 32. And now… the demo!
  • Maltego
    • Low and medium scale goodness.
    • Nice and elegant way to beat the crap out of your scope.
  • Recon-ng
    • Writing your own module (the right way).
    • Demo of masscan to probe for tcp ports.
  • Nmap
    • nmap -sC after all the initial scope recon.
• 33. Actual recon of *.yahoo.com
  • Initial scoping with Maltego
  • Scanning the IP ranges for live hosts with Nmap
  • Using Masscan to find open TCP ports
  • Using Nmap to collect TCP service information
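The glue between the steps of the slide 33 pipeline (nmap live-host sweep, then masscan, then nmap -sC), as an added /dev/hands example that is not part of the deck: it parses nmap greppable output (-oG, the .gnmap file from -oA) and masscan list output (-oL), keeps only hosts that are both up and in the live-host list, and groups hosts with identical port sets so the final nmap -sC run is one invocation per group. The sample output is constructed with TEST-NET addresses, not real scan data.

```python
import re
from collections import defaultdict

# Constructed sample of 'nmap -sn -oG' output (not real scan data).
GNMAP_SAMPLE = """# Nmap 7.91 scan initiated (constructed sample)
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.11 ()\tStatus: Down
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tStatus: Up
# Nmap done (constructed sample)
"""

# Constructed sample of 'masscan -oL' output; .99 is not in the live-host list.
MASSCAN_SAMPLE = """#masscan
open tcp 80 203.0.113.10 1700000000
open tcp 443 203.0.113.10 1700000001
open tcp 8080 203.0.113.12 1700000002
open tcp 80 203.0.113.12 1700000003
open tcp 80 203.0.113.99 1700000004
# end
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")
MASSCAN_RE = re.compile(r"^open\s+(tcp|udp)\s+(\d+)\s+(\S+)")

def live_hosts(gnmap_text):
    """IPs nmap reported as Up, de-duplicated, in first-seen order (this becomes hosts.lst)."""
    hosts = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up" and m.group(1) not in hosts:
            hosts.append(m.group(1))
    return hosts

def open_ports(masscan_text, only_hosts=None):
    """Map IP -> sorted open TCP ports; hosts outside only_hosts (the scope) are dropped."""
    ports = defaultdict(set)
    for line in masscan_text.splitlines():
        m = MASSCAN_RE.match(line)
        if m and m.group(1) == "tcp" and (only_hosts is None or m.group(3) in only_hosts):
            ports[m.group(3)].add(int(m.group(2)))
    return {ip: sorted(p) for ip, p in ports.items()}

def nmap_targets(host_ports):
    """Group hosts sharing a port set: one 'nmap -sC -p <ports> -iL <group>' run per group."""
    groups = defaultdict(list)
    for ip, ports in sorted(host_ports.items()):
        groups[",".join(map(str, ports))].append(ip)
    return dict(groups)
```

The scope filter in `open_ports` is the "validate the scope" check from slide 9 applied between tools: anything masscan reports that was not in your live-host list gets a second look before it is scanned further.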
• 34. Wrap it up
  • Increase the quality as you recon
    Data in – info out; info in – knowledge out.
  • Search for similar things others did.
    GitHub, Stack Overflow, Google…
  • Script and automate everything
  • Share with the community
  • Try harder. Keep it simple.
• 35. References
  • Maltego https://www.paterva.com/web7/buy/maltego-clients.php
  • Recon-NG https://bitbucket.org/LaNMaSteR53/recon-ng
  • Nmap NSE scripts https://nmap.org/nsedoc/
  • https://www.shodan.io
  • https://censys.io
  • theHarvester https://github.com/laramies/theHarvester
  • FOCA https://www.elevenpaths.com/labstools/foca/
  • Masscan https://github.com/robertdavidgraham/masscan
  • SecLists https://github.com/danielmiessler/SecLists
  • Growly Notes http://www.growlybird.com/notes/
  • Yahoo Bug Bounty https://hackerone.com/yahoo
  • GHDB https://www.exploit-db.com/google-hacking-database/
• 36. Contact me
  • https://blog.styran.com/aboutme/
  • https://keybase.io/sapran
  • @saprand