Scanning the Internet for External Cloud Exposures via SSL Certs.
Rizwan Syed
@_r12w4n
breachforce.net
About Me
Consultant - Cyber Risk Advisory @ Deloitte
Certified Red Team Professional - CRTP
Penetration Tester | Offensive Cyber Security Enthusiast
Attack Surface
Attack Surface Monitoring (ASM) refers to the proactive and continuous process of identifying and assessing an organization's external-facing assets, vulnerabilities, and potential points of entry for cyber threats.
You can’t secure what you don’t know.
Exploring ASM
External Attack Surface Management in Red Teaming
https://breachforce.net/scrape-cloud-for-ssltls-certificate
Challenges
As a red teamer, it is difficult to find all of an organization's apps in the cloud if they are not advertised.
Applications are often developed in the cloud while already reachable from the public internet.
"Ephemeral" cloud-hosted applications are sometimes brought online to do small things and then taken offline again. They have bugs.
Reference Talk Title: CloudRecon finding ephemeral assets in the cloud – CloudVillage
By Gunnar Andrews & Jason Haddix
Link: https://youtu.be/vWRvczG7Fvc
https://github.com/lord-alfred/ipranges/
https://kaeferjaeger.gay ~ @schniggie
https://kaeferjaeger.gay/?dir=sni-ip-ranges
https://github.com/mr-rizwan-syed/kaefer-g
https://breachforce.net/external-recon-1#heading-unveiling-the-apexroottlds-with-crtshhttpcrtsh-and-reverse-whois
https://github.com/g0ldencybersec/CloudRecon
DigitalOcean Droplet VPS
Extracting Data
# cat 20042024-ssl-scrape.json | grep -F '.uber.com' | jq -r .
# cat 20042024-ssl-scrape.json | grep -F '.uber.com' | jq -r .commonName | anew
# cat 20042024-ssl-scrape.json | grep -F '.uber.com' | jq -r .ip | anew
# cat 20042024-ssl-scrape.json | grep -F 'Uber Technologies, Inc.' | jq -r .ip | cut -d : -f1 | awk '{print "https://" $0}' | anew uber-ssl-ip-urls.txt
# cat 20042024-ssl-scrape.json | grep -F 'Uber Technologies, Inc.' | jq -r .commonName | anew uber-domains.txt
# wget https://raw.githubusercontent.com/mr-rizwan-syed/Red-Team-Resources/main/tldextractor.py
# python3 tldextractor.py uber-domains.txt
# cat uber-ssl-ip-urls.txt | httpx -title -sc -td
Nuclei Template Spray Scan
# nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t git-config.yaml -stats -stream -elog errors.txt -o git-nuclei-scan.txt
# nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t dotEnv.yaml -stats -stream -elog errors.txt -o dotEnv-nuclei-scan.txt
Reference: Mass Scanning with Nuclei

| Strategy          | Template Spray                                     | Host Spray                                      |
|-------------------|----------------------------------------------------|-------------------------------------------------|
| Description       | Scans multiple targets with one template at a time | Scans one target with all templates at a time   |
| Approach          | Stealthy mode                                      | Focused mode                                    |
| Target Selection  | Multiple targets                                   | Single target                                   |
| Load Distribution | Distributed load across multiple targets           | Concentrated load on a single target            |
| Speed             | Maintains scanning speed                           | May slow down if target is unresponsive or busy |
Mapping Nuclei Results with commonName
# wget https://raw.githubusercontent.com/mr-rizwan-syed/Red-Team-Resources/main/rancho.sh
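The "Extracting Data" filters and the commonName mapping on this slide, as an added Python example that is not the deck's rancho.sh (whose contents are not shown here): it selects scrape records on the organisation field instead of grepping the raw line, drops the port the way `cut -d : -f1` does, and joins nuclei hits back to the commonNames seen on each IP. The record layout and the field name `organization` are assumed from the jq filters on the slides; the sample records and nuclei lines are constructed.

```python
"""Filter SSL-scrape JSONL by certificate organisation and map nuclei hits
back to the certificate commonName of the address they were found on.
Added example for this deck, NOT its rancho.sh. Record layout (one JSON
object per line with "ip" as "addr:port", "commonName" and an
"organization" field) is assumed from the jq filters on the slides.
"""
import json
from urllib.parse import urlsplit

# Constructed sample scrape records (not real scan output).
SCRAPE_JSONL = """\
{"ip": "203.0.113.10:443", "commonName": "*.dev.example.com", "organization": "Example Corp"}
{"ip": "203.0.113.11:443", "commonName": "api.example.com", "organization": "Example Corp"}
{"ip": "203.0.113.11:8443", "commonName": "api.example.com", "organization": "Example Corp"}
{"ip": "198.51.100.7:443", "commonName": "shop.other.net", "organization": "Other Ltd"}
"""
# Constructed nuclei text output: [template] [proto] [severity] matched-url.
NUCLEI_OUT = """\
[git-config] [http] [medium] https://203.0.113.10/.git/config
[dotEnv] [http] [high] https://203.0.113.11:8443/.env
[git-config] [http] [medium] https://198.51.100.7/.git/config
"""

def load_records(jsonl, organization):
    """Yield records whose organization matches exactly (a field compare,
    so a dot in the name cannot act as a regex wildcard as with grep)."""
    for line in jsonl.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("organization") == organization:
                yield rec

def ip_index(records):
    """Map bare IP -> set of commonNames on it (port dropped like cut -d : -f1)."""
    index = {}
    for rec in records:
        ip = rec["ip"].rsplit(":", 1)[0]
        index.setdefault(ip, set()).add(rec["commonName"])
    return index

def url_targets(index, scheme="https"):
    """Deduplicated scheme://ip lines, the httpx/nuclei input on the slide."""
    return sorted(f"{scheme}://{ip}" for ip in index)

def map_findings(nuclei_out, index):
    """Attach commonNames to each nuclei hit via the URL's host. Hits on IPs
    outside the index keep an empty list so nothing silently disappears."""
    mapped = []
    for line in nuclei_out.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        template, url = fields[0].strip("[]"), fields[-1]
        mapped.append((template, url, sorted(index.get(urlsplit(url).hostname, ()))))
    return mapped

if __name__ == "__main__":
    idx = ip_index(load_records(SCRAPE_JSONL, "Example Corp"))
    for template, url, names in map_findings(NUCLEI_OUT, idx):
        print(f"{template:12} {url:45} {','.join(names) or '-'}")
```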
Scanning the Whole Nation for Exposures via SSL Certs.
# # https://github.com/ip2location/ip2location-python-csv-converter
# ip2location-csv-converter -range -replace IP2LOCATION-LITE-DB1.CSV IP2L-DB.NEW.CSV
# wget https://raw.githubusercontent.com/lord-alfred/ipranges/main/all/ipv4_merged.txt
# cat IP2L-DB.NEW.CSV | grep '"US"' | csvcut -c 1,2 | tr ',' '-' | mapcidr -a > US-CIDR.txt
# grep -v -F -f ipv4_merged.txt US-CIDR.txt > US-CIDR-NO-CLOUD.txt
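The `grep -v -F -f` step only drops a US range when it is byte-for-byte identical to a line in ipv4_merged.txt; a cloud block that is a subnet or a supernet of a country range slips through. As an added example (not the deck's tooling), the same subtraction done as a real set difference with Python's ipaddress module, beside a re-implementation of what the grep actually does; both inputs are assumed to hold one CIDR per line as the slide's files do, and the ranges are constructed.

```python
"""Subtract cloud-provider CIDRs from a country CIDR list as a true set
difference. Added example for this deck (not its own tooling); both inputs
are assumed to hold one CIDR per line, as US-CIDR.txt and ipv4_merged.txt
do on the slide. The ranges below are constructed from documentation
prefixes, not real allocations.
"""
import ipaddress

# Constructed stand-ins for US-CIDR.txt (keep) and ipv4_merged.txt (drop).
COUNTRY_CIDRS = """\
198.51.100.0/24
203.0.113.0/24
192.0.2.0/25
"""
CLOUD_CIDRS = """\
198.51.100.128/26
203.0.113.0/24
192.0.2.0/24
"""

def parse_cidrs(text):
    """Parse one-CIDR-per-line text (blank/# lines skipped) and collapse
    adjacent or nested prefixes into a sorted minimal list."""
    lines = [l.strip() for l in text.splitlines()]
    nets = [ipaddress.ip_network(l, strict=False)
            for l in lines if l and not l.startswith("#")]
    return list(ipaddress.collapse_addresses(nets))

def exclude_ranges(keep, drop):
    """Return keep minus drop as collapsed CIDR strings.

    Two CIDRs either nest or are disjoint, so only two cases need work:
    keep inside drop -> discard it; drop inside keep -> carve it out with
    address_exclude. Both are exactly what an exact-line grep -v cannot do.
    """
    remaining = list(keep)
    for d in drop:
        survivors = []
        for k in remaining:
            if k.version != d.version or not (k.subnet_of(d) or d.subnet_of(k)):
                survivors.append(k)                     # disjoint: untouched
            elif k.subnet_of(d):
                continue                                # wholly cloud: discard
            else:
                survivors.extend(k.address_exclude(d))  # carve cloud block out
        remaining = survivors
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def grep_style_exclude(keep_text, drop_text):
    """What `grep -v -F -f drop keep` really does: exact line matches only."""
    drop = {l.strip() for l in drop_text.splitlines() if l.strip()}
    return [l.strip() for l in keep_text.splitlines()
            if l.strip() and l.strip() not in drop]

if __name__ == "__main__":
    print("grep -v -F -f :", grep_style_exclude(COUNTRY_CIDRS, CLOUD_CIDRS))
    print("set difference:", exclude_ranges(parse_cidrs(COUNTRY_CIDRS),
                                            parse_cidrs(CLOUD_CIDRS)))
```

The grep variant keeps 198.51.100.0/24 (the cloud /26 inside it is invisible to it) and 192.0.2.0/25 (covered by a larger cloud /24); the set difference returns only the two non-cloud fragments of 198.51.100.0/24.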
Resources / References
• CloudRecon finding ephemeral assets in the cloud
https://youtu.be/vWRvczG7Fvc
• ToolTime - Cloud Recon 1
https://youtu.be/7hKEfF-yR1w
• Tool Time SSL Certificate Parsers
https://youtu.be/dgEwPXQKqlU
• Certificate Parsing with domain-recon
https://ervinszilagyi.dev/articles/certificate-parsing-with-domain-recon
• Recon Methods Part 2 – OSINT Host Discovery Continued
https://redsiege.com/tools-techniques/2020/02/recon-methods-part-2-osint-host-discovery-continued/#SSL_Certificate_Search
• How To Scan AWS's Entire IP Range to Recon SSL Certificates
https://www.daehee.com/scan-aws-ip-ssl-certificates/
• Catch Me If You Can - Shubham Shah & Michael Gianarakis at 44CON 2018
https://youtu.be/C85ZOJgufuw
• External Reconnaissance Unveiled: A Deep Dive into Domain Analysis
https://breachforce.net/external-recon-1
• Scrape Cloud for SSL/TLS Certificate
https://breachforce.net/scrape-cloud-for-ssltls-certificate
• Mass Scanning with Nuclei
https://docs.projectdiscovery.io/tools/nuclei/mass-scanning-cli#understanding-how-nuclei-consumes-resources
Thank You
Rizwan Syed
github.com/mr-rizwan-syed
twitter.com/_r12w4n
linkedin.com/in/r12w4n/
BreachForce.net
