Talk given at Infosec Southwest (ISSW) 2019 in Austin Texas

1. Beyond Internet Scanning
Open Source Attack Surface Discovery
with Intrigue Core

3. But don’t forget
about these sources
(and many more!!!)

4. Identity for everyone who doesnt pay for privacy
Identity for everyone who doesnt pay for privacy and isnt subject to GDPR!
STILL USEFUL! (But check out RDAP!)

5. We need a more flexible model to find issues. Assets aren’t just PCs anymore, and we need to query
many sources to find the assets we care about.
Linking disparate datasets often provides insight. Think: Email addresses <> Leaked Creds.
In the exploratory phase it requires a human, but we should be able automate this.
The cloud (read: shared) security model (AWS, etc) means we need a more complete picture of hosts
to understand what an asset (ip, dns, etc) really is.
Graphs turn data into information. Distinct entities become important because of their relationships.
Why Graph Disovery?

6. Graph-Based
Discovery
Concepts

7. Entities (nodes)
autonomous_system
aws_credential
aws_region
aws_s3_bucket
credential
dns_record
document
domain
email_address
file
github_account
github_repository
info
Ip_address
nameserver
net_block
network_service
organization
person
phone_number
physical_location
screenshot
software_package
ssl_certificate
string
uri
web_account

9. Tasks (edges)
aws_ec2_gather
aws_s3_brute
aws_s3_put_file
convert_entity
create_entity
create_service
dns_brute_srv
dns_brute_sub
dns_brute_sub_async
dns_brute_sub_http
dns_brute_tld
dns_lookup_mx
dns_lookup_txt
dns_permute
dns_recurse_spf
dns_search_sonar
dns_snoop_cache
dns_transfer_zone
email_brute_gmail_glxu
email_harvest
email_validate
enumerate_nameservers
example
finger_extraction
ftp_enumerate
gitrob
import/arin_ipv4_ranges
import/aws_ipv4_ranges
import/data_file
import/domainlist_domains
import/shodan_json_tmp
import/umbrella_top_domains
import/umbrella_top_sites
ip_geolocate
masscan_scan
net_block_expand
network_service_fuzz
nmap_scan
phone_number_lookup
saas_google_calendar_check
saas_google_groups_check
saas_jira_check
saas_trello_check
scrape_publicwww
search_bgp
search_binary_edge
search_bing
search_builtwith
search_censys
search_crt
search_edgar
search_github
search_github_code
search_grayhat_warfare
search_have_i_been_pwned
search_opencorporates
search_phishtank
search_project_honeypot
search_robtex
search_shodan
search_sublister
search_threatcrowd
search_towerdata
search_virustotal
search_whoisology
security_trails_historical_dns
security_trails_historical_whois
security_trails_nameserver_search
security_trails_subdomain_search
snmp_walk
tcp_bind_and_collect
uri_analyze_target
uri_brute
uri_brute_common_content
uri_brute_creds
uri_brute_focused_content
uri_check_security_headers
uri_check_subdomain_hijack
uri_enumerate_js
uri_extract_metadata
uri_gather_linked_content
uri_gather_robots
uri_gather_sitemap
uri_gather_ssl_certificate
uri_screenshot
uri_spider
uri_youtube_metadata
vulns/apache_struts_jakarta_parser
vulns/atlassian_fisheye_mostactivec
ommiters_disclosure
vulns/atlassian_jira_oath_plugin_ssrf
vulns/cisco_smart_install_scan
vulns/etcd_harvester
vulns/rails_info_leak_cve_2019_5418
vulns/ssrf_brute_headers
vulns/ssrf_brute_parameter
vulns/ssrf_proxy_host_header
vulns/tomcat_put_jsp
vulns/vmware_horizon_info_leak
vulns/wordpress_ez_smtp_plugin_rce
web_account_check
whois_lookup

11. Enrichment builds
out the individual
set of entities
iteratively, allowing
us to get a
“complete” entity -
which we can feed
into a machine.

13. Machines (graph builders)
enumerate_certificates
org_asset_discovery_active
org_asset_discovery_passive
saas_misconfigurations
ssrf_discovery_scan

16. Quick Demo
(brace yourselves, it’s early)

20. Scaling Up!
Going beyond a single organization

21. Core “Engine”
running light
“active” discovery
Load in a set of seeds per project:
(read: Organization) … ex: Google:
Domain#google.com
Domain#googlemail.com
Domain#gmail.com
Nameserver#ns1.google.com
Nameserver#ns2.google.com
...
Per-Org
CSV
JSON
Load in a Per-project
No-Traverse list (Blacklist):
Domain#microsoft.com
Domain#yahoo.com
Domain#walmart.com
Domain#.com
...
Export
Now we can ask some interesting questions!

22. What sort of app
stacks are exposed
externally by the f500?

23. What sort of Microsoft-based services are exposed? https://github.com/intrigueio/intrigue-ide
nt/blob/master/checks/microsoft.rb

24. https://github.com/intrigueio/intrigue-ident/blob/master/checks/microsoft.rb

25. Who’s still running Coldfusion?

26. Scaling up!
Lessons Learned

27. Intrigue Ident
Application & Network
Comprehensive
Easy to Extend
Version-Aware
Vulnerability-Aware
Browser Enabled
Free (as in Freedom)
JSON
App fingerprinting isn’t a solved problem
If you can’t fingerprint it, you can’t attack it well. (and
more to the point, you can’t automate attacks)
More here:
http://core.intrigue.io/2019/03/09/using-intrigue-ident-for-application-fingerprinting/

28. Ident
Standalone
usage

29. DNSGrep
task: dns_search_sonar
(thanks @erbbysam!)
Lesson: Use the Data Lake Luke!
(DnsGrep for easy DNS subdomain search)
vs
Try it out here: https://dns.bufferover.run/dns?q=rapid7.com

30. Lesson: Asset Ownership, it’s complicated!
[301] [301]
[301]
[301]
[301]

31. Lesson: Asset Ownership, let’s go home?

32. Lesson :Heuristic-Based Scoping - Multi-Stage
If the entity was created manually (either via api or via webform), scope it in [and thus, iterate on it with
whatever machine is defined for the run]
If the entity was created by code with a :scoped => true setting, scope it in
If the entity was created by code with an :unscoped => true setting, scope it out
If the task that was run to create the entity had an :auto_scope => true setting, automatically scope in any
entities created by that task [this is helpful when you know anything created by that source/task is valid]
If you need more specific logic on an entity, you can create a "scoped?" method on the entity definition
that will override all prior logic, and let you set it. An example of where this is useful is on the NetBlock
object.

33. Heuristic-Based Scoping - Multi-Stage (NetBlock)
Check existing Dns/Domain and
Organization names to see if there’s a
match with our whois text
First, “Seeds”
Then, discovered entities.
If not, default back to original scope.

34. DNS NSECWalk Enabled
Zone Transfer Enabled
Hijackable Subdomain *
SSL - Deprecated Protocol enabled
SSL - Weak Ciphers enabled
Missing Application Security Headers
Discovered Sensitive Content (Forced Brute)
Leaked Email / Password Account (via HIBP)
Git Secret Exposure (Gitrob)
Misconfigured Google Groups Account enabled
Misconfigured Google Calendar enabled
Misconfigured (No Auth) S3 Bucket
New! “Issues”
(Current: March 2019)

35. Let’s go find some bugs!
Handy Information Disclosures & Vulns

36. Quick run of Core over the last 48 hours…
Machine Flow:
Manually create an “AwsRegion” entity, pulls
down AWS JSON, filter on EC2, creates
NetBlock if in scope
Creates many “NetBlock” entities, which are
set to check for open :80,443,:8080 etc
Which then creates many “Uri” entities and
uns uri_brute_focused_content, creating the
“Issues” we’ll analyze
Task: uri_brute_focused_content (above)
Checks the fingerprint and looks for
technology-specific paths that leak sensitive
info. Fast, because we’re not checking a
bunch of irrelevant paths!

37. $ head *applications* …. 29,175 fingerprinted in ~48 hours … ~10s
Baseline… 8% were Wordpress (2407/29175)

38. PHP
Info Disclosure
(everybody knows this one!)
Path: /phpinfo.php
Hostname, Paths,
Versions etc
Found 182 / 29175
(Pretty common. 0.60%)

39. BigIPServer Cookie Disclosure
Hostname only. Not that common on
AWS, but super common in enterprise.
~80% of BigIP cookies do this!

40. Fun vuln? Magento Unauth’d SQLi
The affected versions are 2.1 prior to 2.1.17, 2.2prior
to 2.2.8, and 2.3 prior to 2.3.1.
Version 1 fingerprinting:
/RELEASE_NOTES.txt
No (known) version fingerprint (without
checksum method) for Magento 2+
Relative versions:
/skin/frontend/default/css/styles.css
Found 127/29175
(Pretty common. 0.4%)
(Work in progress)

41. SAP NetWeaver Web Dynpro 6.4 to 7.5
Paths:
- /webdynpro/dispatcher/sap.com/caf~eu~gp
~example~timeoff~wd/ACreate
- /webdynpro/dispatcher/sap.com/caf~eu~gp
~example~timeoff~wd/com.sap.caf.eu.gp.ex
ample.timeoff.wd.create.ACreate
Allows you to enumerate users, roles, etc
Uncommon, 0 instances detected in AWS
scanning. Have run into a few on enterprise
networks though.
https://www.exploit-db.com/exploits/44647

42. VMWare Horizon View (CVE-2019-5513)
/portal/info.jsp - lists hostname
/broker/xml - lists authentication
mechanism, internal hostname etc
Very common, almost all Horizon
instances currently vulnerable.
Not much (1) Horizon on AWS, but
tons on corporate networks
Thanks @hdmoore!

43. VMWare Horizon View (CVE-2019-5513)

44. Splunkd info disclosure
Example: https://x.x.x.x.x/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json
Found 3/29175 (uncommon. 0.01%)
{"links":{"_acl":"/services/server/info/_acl"},"origin":"https://1.2.3.4/services/server/info","updated":"2019-03-30T14:42:57+00:00","generator":{"bui
ld":"f44cfc17f820","version":"6.5.7"},"entry":[{"name":"server-info","id":"https://XYZ/services/server/info/server-info","updated":"2019-03-30T14:42
:57+00:00","links":{"alternate":"/services/server/info/server-info","list":"/services/server/info/server-info"},"author":"system","acl":{"app":"","can_list"
:false,"can_write":false,"modifiable":false,"owner":"system","perms":{"read":["*"],"write":[]},"removable":false,"sharing":"system"},"fields":{"required
":[],"optional":[],"wildcard":[]},"content":{"activeLicenseGroup":"Enterprise","activeLicenseSubgroup":"Production","addOns":null,"build":"f44cfc17f
820","cluster_label":["bci-aws-idx-cluster"],"cpu_arch":"x86_64","eai:acl":null,"guid":"90639B23-9885-4BF2-9F3C-XXXXXFE3EC42","host":"cisco
-bci-sh-03.XXXXX.com","host_fqdn":"cisco-bci-sh-03.XXXXXX.com","isForwarding":true,"isFree":false,"isTrial":false,"kvStoreStatus":"ready","lice
nseKeys":["XYZ"],"licenseSignature":"XYZ","licenseState":"OK","license_labels":[],"master_guid":"XYZ","max_users":4294967295,"mode":"norm
al","numberOfCores":32,"numberOfVirtualCores":64,"os_build":"#1 SMP Thu Dec 28 14:23:39 EST
2017","os_name":"Linux","os_name_extended":"Linux","os_version":"3.10.0-693.11.6.el7.x86_64","physicalMemoryMB":257774,"product_type":"
enterprise","rtsearch_enabled":true,"serverName":"XXXXX.XXXXX.com","server_roles":["cluster_search_head","search_head","search_peer","k
v_store","shc_member"],"shcluster_label":"xxx-aws-sh-cluster","startup_time":1548073304,"staticAssetId":"XYZ","version":"6.5.7"}}],"paging":{"to
tal":1,"perPage":30,"offset":0},"messages":[]}

45. /actuator/env - 3
(uncommon)
/actuator/health - 0
(uncommon)
Java Spring
Info Disclosures
{"name":"actuator","profiles":["health"],"label":"master
","version":"7708f989b5802a13fbbc8aa9a661edcb00
c8df3b","state":null,"propertySources":[{"name":"https
://ghe.XXXXXXXX.com/DDC-PartnerSolutions/config
-repo.git/application.properties","source":{"spring.clo
ud.config.server.health.enabled":"false","spring.cloud
.config.overrideNone":"true","info.foo":"Rhababerbarb
arabarbabarenbärtbarbierbierbarbärbel
","spring.cloud.config.allowOverride":"true"}}]}

46. /env - commonish!
49/29175
Default Page:
{"profiles":[],"server.ports":{"local.server.port":11686},"commandLineArgs":{"spring.config.location":"file:///usr/commsuite/server/eventtracker-ex
ternal/eventtracker-external.properties"},"servletContextInitParams":{},"systemProperties":{"java.runtime.name":"Java(TM) SE Runtime
Environment","java.protocol.handler.pkgs":"null|org.springframework.boot.loader","sun.boot.library.path":"/usr/lib/jvm/java-8-oracle/jre/lib/amd6
4","java.vm.version":"25.191-b12","java.vm.vendor":"Oracle
Corporation","java.vendor.url":"http://java.oracle.com/","path.separator":":","java.vm.name":"Java HotSpot(TM) 64-Bit Server
VM","file.encoding.pkg":"sun.io","user.country":"US","sun.java.launcher":"SUN_STANDARD","sun.os.patch.level":"unknown","wrapper.key":"***
***","PID":"5713","java.vm.specification.name":"Java Virtual Machine
Specification","user.dir":"/data/commsuite/server/eventtracker-external","wrapper.version":"3.5.5","java.runtime.version":"1.8.0_191-b12","java.
awt.graphicsenv":"sun.awt.X11GraphicsEnvironment","java.endorsed.dirs":"/usr/lib/jvm/java-8-oracle/jre/lib/endorsed","os.arch":"amd64","com.
newrelic.agent.deps.org.apache.commons.logging.LogFactory":"com.newrelic.agent.logging.ApacheCommonsAdaptingLogFactory","java.io.tm
pdir":"/tmp","line.separator":"n","java.vm.specification.vendor":"Oracle
Corporation","wrapper.cpu.timeout":"10","os.name":"Linux","log4j.configuration":"file:///usr/commsuite/server/eventtracker-external/log4j.propert
ies","sun.jnu.encoding":"UTF-8","spring.beaninfo.ignore":"true","java.library.path":"/usr/commsuite/init/lib:/usr/commsuite/init/wrapper/lib","org.ta
nukisoftware.wrapper.WrapperManager.mbean":"TRUE","wrapper.service":"TRUE","wrapper.jvm.port.max":"31999","newrelic.config.app_nam
e":"produs/eventtracker-external/default","java.specification.name":"Java Platform API
Specification","java.class.version":"52.0","sun.management.compiler":"HotSpot 64-Bit Tiered
Compilers","wrapper.pid":"5711","os.version":"4.4.0-1072-aws","wrapper.java.pid":"5713","wrapper.disable_console_input":"TRUE","user.home
":"/root","wrapper.jvmid":"1","user.timezone":"US/Pacific","java.awt.printerjob":"sun.print.PSPrinterJob","file.encoding":"UTF-8","java.specificatio
n.version":"1.8","java.class.path":"/usr/commsuite/init/wrapper/lib/wrapper.jar:/usr/commsuite/server/eventtracker-external/eventtracker-extern
… snip …
Corporation","file.separator":"/","java.vendor.url.bug":"http://bugreport.sun.com/bugreport/","sun.io.unicode.encoding":"UnicodeLittle","sun.cpu.
endian":"little","wrapper.native_library":"wrapper","wrapper.jvm.port.min":"31000","sun.cpu.isalist":""},"systemEnvironment":{"PATH":"/usr/local/
sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games","WRAPPER_PID":"5711","WRAPPER_WORKING_DIR":"/data/com
msuite/server/eventtracker-external","WRAPPER_OS":"linux","WRAPPER_HOSTNAME":"im-0-oh2.prodoh.xyz.com","TERM":"xterm-256color"
,"LANG":"en_US.UTF-8","WRAPPER_BITS":"64","WRAPPER_BIN_DIR":"/data/commsuite/init/wrapper/bin","XDG_SESSION_ID":"2","WRAP
PER_HOST_NAME":"im-0-oh2.prodoh.xyz.com","MAIL":"/var/mail/root","WRAPPER_LANG":"en","LOGNAME":"root","PWD":"/data/commsuite
/init","WRAPPER_FILE_SEPARATOR":"/","_":"/bin/sh","SHELL":"/bin/bash","SSH_TTY":"/dev/pts/0","SSH_CLIENT":"10.81.11.68 39552
22","WRAPPER_PATH_SEPARATOR":":","OLDPWD":"/root","USER":"root","SSH_CONNECTION":"10.81.11.68 39552 10.79.19.32
22","WRAPPER_ARCH":"x86","XDG_RUNTIME_DIR":"/run/user/0","HOME":"/root","SHLVL":"1"},"applicationConfig:
[file:///usr/commsuite/server/eventtracker-external/eventtracker-external.properties]":{"authem.secret":"******","global.eventtrackerdb.connection
url":"jdbc:mysql://db-gdr.prodoh.xyz.com/","global.eventtrackerdb.password":"******","management.info.git.mode":"full","server.use-forward-hea
ders":"true","server.port":"11686","authem.host":"https://authem.prodoh.xyz.com","management.context_path":"/","endpoints.health.sensitive":"f
alse","authem.url":"https://authem.xyz.com","authem.clientId":"eventTracker","management.health.jms.enabled":"false","global.eventtrackerdb.
username":"eventtracker","global.eventtrackerdb.opts":"?useServerPrepStmts=false&useUnicode=true&characterEncoding=UTF-8&character
SetResults=UTF-8&cacheServerConfiguration=true&useLocalSessionState=true&connectTimeout=30000","management.security.enabled":"fal
se","global.eventtrackerdb.driver":"com.mysql.jdbc.Driver","global.eventtrackerdb.name":"eventtracker"},"defaultProperties":{"endpoints.jmx.uni
que-names":true,"management.health.diskspace.enabled":true,"server.port":11686,"endpoints.health.sensitive":true,"management.shell.ssh.en
abled":false,"endpoints.jmx.domain":"ExternalEventTrackerApplication","spring.jmx.default-domain":"ExternalEventTrackerApplication"}}
Java
Spring
Info
Disclosures

47. Wait… a wellbore?

48. ASP.NET Exposure - /Trace.axd
Common! ( 219 / 29175 … 0.8%)

49. ASP.NET Exposure - /Elmah.axd

50. ASP.NET Exposure - /Elmah.axd (cont.)

51. ASP.NET Exposure - /Elmah.axd (cont.)
Debug logs
Sessions!
Creds
Uncommon
8/29175 (0.02%)

52. Try it out!
Twitter: @intrigueio
Email: hello@intrigue.io
Web: https://core.intrigue.io

53. Thank you!!
@jcran

54. Other Fun (SaaS) Info Leaks

55. saas_google_groups_misconfiguration

56. saas_google_calendar_misconfiguration