Recon-Fu @BsidesKyiv 2016
80/20 Rule, or «You Cannot Spend Too Much Time Enumerating»
The Recon-Fu for pentesters & bug hunters
Vlad Styran, OSCP CISSP CISA
Intro
• Working in security since 2005
• Doing IT security, pentests, IT & security audit, appsec, ISM & RGC consulting…
• For IT companies, cellular carriers, financial service providers, investment banks, insurance, oil & gas, heavy industry, energy…
• Starting 2014 – co-founder and COO @berezhasecurity
root@kali:~# man sapran
• Social Engineering assessments & awareness trainings
• Full scope penetration tests (red-teaming)
• WebApp/web-service security assessments
• Occasional CTF organizer and player
• UISG co-founder, UISGCON organizer
• Securit13 Podcast founder
• Blogger, speaker @ cons, event producer
• Endurance runner
Mission
• Recap the recon phase in pentests & bug bounties
• Identify recon goals and purpose
• Learn recon methods, tools, and principles
• Watch a demo
Pentest
1. Plan the project
2. Run a vuln scanner
3. Verify something you can
4. Attempt to exploit it
5. Generate a report
6. Take the money
7. Run away
Good pentest
1. Agree on the terms
2. Do proper scoping
3. Enumerate the scope
4. Analyze the attack surface
5. Build the threat model
6. Execute attack scenarios
7. Report, present, remediate
8. Re-test
Bug Bounties
Pentest vs. Bug Bounty
• Crowdsourcing the security
• Scopes may be limited or not
• Find bugs. Many. Fast.
• Rewards: from kudos to $$
Why recon
Reconnaissance is a direct analogy of sharpening the axe before the security assessment.
Recon: purpose & goals
• Validate the scope
  Clients suck at scoping
• Save time
  nmap -p1-65535 0.0.0.0/0 ??
• Find stuff to hack. Legally.
  *.yahoo.com
• Cover more ground
  Running Nessus != pentesting
  Running Burp != bug hunting
Recon: artifacts
• DNS names & URLs
• IP addresses & ranges
• Network services/ports
• Software and config data
  Frameworks, versions etc.
• Locations
• Contact data
  Names, nicknames
  Emails, IM, phone numbers
Recon: methodology
• Search
  Search for initial artifacts while you can
• Transform
  There are parent and child artifacts
• Organize
  Maintain the links between artifacts, and the versioning
• Log. Backup.
Phase 1: Search
• Google is your BFF
• Bing and Yahoo! too
• Special friends:
  • Shodan
  • Censys
  • FOCA
  • Robtex and similar sites
  • Nmap, Masscan, Nikto…
Google it
• Google hacking 4ever
  GHDB: https://www.exploit-db.com/google-hacking-database/
• CSE and web search APIs
  Wait for it…
• Bing API rules too
Shodan
Censys
FOCA
theHarvester
Nmap
• nmap
  • -Pn, -P0
  • -n
  • -sn
  • -sC
  • -oA
  • !-A
• 529 NSE scripts
  discovery, vuln, exploit, fuzzer
Nmap
• Detect XSS, CSRF, LFI, ../../
• Discover .git, .svn, backups, comments
• Identify platforms and framework versions
• Check default/common/custom creds for popular webapps, e.g. WP, Drupal etc.
• Check for known vulns and backdoors
• And many more!
Nmap: discovery
sudo nmap -n -P0 -p80 -iL hosts.lst \
  --script=http-apache-server-status,http-auth-finder,http-backup-finder,\
http-comments-displayer,http-default-accounts,http-devframework,http-enum,\
http-headers,http-mobileversion-checker,http-php-version,http-robots.txt,\
http-svn-info,http-useragent-tester,http-vhosts,http-webdav-scan,http-xssed \
  -oA nmap_tcp_80_with_scripts
Nmap: exploit
# Same -oA basename as the discovery run: nmap overwrites the three output
# files unless --append-output is given, so use a distinct name to keep both.
sudo nmap -n -P0 -p80 -iL hosts.lst \
  --script=http-csrf,http-dombased-xss,http-fileupload-exploiter,http-shellshock,\
http-stored-xss,http-vuln-cve2006-3392,http-vuln-cve2009-3960,http-vuln-cve2012-1823,\
http-vuln-cve2013-0156,http-vuln-cve2013-6786,http-vuln-cve2013-7091,\
http-vuln-cve2014-3704,http-vuln-cve2014-8877 \
  -oA nmap_tcp_80_with_scripts
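Both commands above save results with -oA, and the .xml member of that output is the one worth automating on. As an added example (not code from the slides or from the Nmap project), the Python below parses nmap's XML into the "network services/ports" and "software and config data" artifacts from the artifacts slide: live hosts only, open ports only, with product and version where a service probe reported them. The element and attribute names are nmap's real XML schema; the sample document is constructed to look like a run against RFC 5737 TEST-NET addresses and is not captured output, and the function names are this example's own.

```python
"""Turn the XML that nmap -oA writes (the .xml member) into service artifacts.

Added example, not code from the slides.  The element and attribute names
(host, status, address, ports, port, state, service) are nmap's real XML
schema; the sample document below is constructed to resemble a run against
RFC 5737 TEST-NET addresses, it is not captured output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample, shaped like nmap -oX output.  The "<?xml" must be the
# very first characters: expat rejects a declaration preceded by whitespace.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -Pn -p80,443,8080 -iL hosts.lst -oA demo">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.7" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[Dict[str, str]]:
    """One record per open port on a live host."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, str]] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                  # live hosts only
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                              # closed/filtered are noise here
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            records.append({
                "ip": addr.get("addr", ""),
                "hostname": hostname,
                "port": port.get("portid", ""),
                "proto": port.get("protocol", ""),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return records


def service_inventory(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group open ports by host as 'port/proto service product version' lines."""
    inventory: Dict[str, List[str]] = {}
    for r in records:
        parts = [f"{r['port']}/{r['proto']}", r["service"], r["product"], r["version"]]
        inventory.setdefault(r["ip"], []).append(" ".join(p for p in parts if p))
    return inventory


def versioned_software(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """The 'software and config data' artifact: product -> sorted versions seen."""
    seen: Dict[str, set] = {}
    for r in records:
        if r["product"]:
            seen.setdefault(r["product"], set()).add(r["version"])
    return {product: sorted(versions) for product, versions in seen.items()}


if __name__ == "__main__":
    for ip, lines in service_inventory(parse_nmap_xml(SAMPLE_NMAP_XML)).items():
        print(ip, *lines, sep="\n  ")
```

The per-host lines are deliberately grep/sort/wc friendly, which is what the /dev/hands approach later in the deck relies on; a version string with no product (the 8080 entry) collapses to just port and service name rather than leaving empty columns.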
Masscan
• masscan
  • -p 80,443,8000-81000
  • --rate 500
  • --banners
  • --nmap
• Choose rates wisely!
Fuzz!!
• BurpSuite Intruder
• SecLists
  https://github.com/danielmiessler/SecLists
• Nmap brute NSE scripts
• DirBuster
• Kali information gathering tools
• Python/Scapy
Phase 2: Transform
Transform examples
• From an email
  - Domain name
• From a domain name
  - Web-sites
  - DNS records
  - IP address
• From a web-site
  - Documents and metadata
• From an IP address
  - IP range
  - Virtual hosts
  - TCP services
• From an IP range
  - Live hosts within
  - Routing information
  - Whois information
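The search / transform / organize method from the methodology slide and the parent-to-child transforms listed above, as an added example that is not code from the slides, from Maltego or from recon-ng: a small Python artifact store in which every artifact keeps a link to the parent it was derived from and a version log, three offline transforms (email to domain name, host name to domain name, IP address to whois range) produce child artifacts, and every new artifact is validated against the agreed scope so that out-of-scope findings are flagged before anyone acts on them. SCOPE, WHOIS_RANGES, the sample values and all class and function names are constructed for this example; the whois table stands in for the network lookups a real transform would do.

```python
"""Artifact store for the search / transform / organize recon loop.

Added example (not code from the slides, Maltego or recon-ng).  Every artifact
keeps a link to the parent it was derived from and a version log; every new
artifact is validated against the agreed scope before it is kept.  SCOPE,
WHOIS_RANGES and all class/function names are constructed here.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed scope, standing in for what the client agreed to:
# wildcard DNS names plus CIDR ranges (TEST-NET-1, RFC 5737).
SCOPE = {"domains": ["*.example.com"], "ranges": ["192.0.2.0/24"]}

# Constructed stand-in for whois / routing data: announced prefix -> owner.
WHOIS_RANGES = {"192.0.2.0/24": "EXAMPLE-NET", "198.51.100.0/24": "OTHER-NET"}


@dataclass
class Artifact:
    kind: str                              # email, domain, hostname, ip, ip_range
    value: str
    parent: Optional["Artifact"] = None    # parent/child link
    source: str = "search"                 # search engine or transform name
    in_scope: bool = False
    history: List[str] = field(default_factory=list)   # versioning log

    def log(self, event: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.history.append(f"{stamp} {event}")


def in_scope(kind: str, value: str) -> bool:
    """Scope validation: wildcard match for names, CIDR containment for addresses."""
    if kind == "email":
        return in_scope("domain", value.rsplit("@", 1)[1])
    if kind in ("domain", "hostname"):
        for pattern in SCOPE["domains"]:
            base = pattern[2:] if pattern.startswith("*.") else pattern
            if value == base or value.endswith("." + base):
                return True
        return False
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(r) for r in SCOPE["ranges"])
    if kind == "ip_range":
        net = ipaddress.ip_network(value)
        return any(net.subnet_of(ipaddress.ip_network(r)) for r in SCOPE["ranges"])
    return False


class ArtifactStore:
    """Organize phase: one record per artifact, with parent links and history."""

    def __init__(self) -> None:
        self.items: Dict[Tuple[str, str], Artifact] = {}

    def add(self, kind: str, value: str, parent: Optional[Artifact] = None,
            source: str = "search") -> Artifact:
        value = value.lower()
        key = (kind, value)
        if key in self.items:                  # seen before: new version, not a duplicate
            art = self.items[key]
            art.log(f"seen again via {source}")
            return art
        art = Artifact(kind, value, parent, source, in_scope(kind, value))
        art.log(f"created via {source}" + ("" if art.in_scope else " (OUT OF SCOPE)"))
        self.items[key] = art
        return art

    # Transforms: one parent artifact in, child artifact out.
    def email_to_domain(self, email: Artifact) -> Artifact:
        return self.add("domain", email.value.rsplit("@", 1)[1],
                        parent=email, source="email_to_domain")

    def hostname_to_domain(self, host: Artifact) -> Artifact:
        # Naive registrable-domain guess (last two labels); a public-suffix
        # list would be needed for names like example.co.uk.
        domain = ".".join(host.value.split(".")[-2:])
        return self.add("domain", domain, parent=host, source="hostname_to_domain")

    def ip_to_range(self, ip: Artifact) -> Optional[Artifact]:
        addr = ipaddress.ip_address(ip.value)
        for prefix, owner in WHOIS_RANGES.items():
            if addr in ipaddress.ip_network(prefix):
                rng = self.add("ip_range", prefix, parent=ip, source="ip_to_range")
                rng.log(f"whois owner {owner}")
                return rng
        return None

    def chain(self, art: Optional[Artifact]) -> List[str]:
        """Walk parent links back to the original search hit."""
        out: List[str] = []
        while art is not None:
            out.append(f"{art.kind}:{art.value}")
            art = art.parent
        return out[::-1]

    def out_of_scope(self) -> List[str]:
        """What must not be touched until the client extends the scope."""
        return sorted(f"{a.kind}:{a.value}" for a in self.items.values() if not a.in_scope)


if __name__ == "__main__":
    store = ArtifactStore()
    mail = store.add("email", "admin@example.com")                 # constructed
    host = store.add("hostname", "dev.example.com", parent=store.email_to_domain(mail), source="dns")
    rng = store.ip_to_range(store.add("ip", "198.51.100.7", parent=host, source="dns"))
    print(" -> ".join(store.chain(rng)))
    print("out of scope:", store.out_of_scope())
```

Re-adding an artifact that already exists appends to its history instead of creating a second node, which is the "versioning" point from the methodology slide; the chain() walk is what lets a report say where a host actually came from, and out_of_scope() is the list to send back to the client before testing starts.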
Transform tools
• Maltego
  https://www.paterva.com/
• Recon-NG
  https://bitbucket.org/LaNMaSteR53/recon-ng
• /dev/hands
  Python, bash, perl…
Maltego
• Cool visual graph-based UI
• Uses transforms to explore data
• Easily extensible: write your own transforms
• Costs relatively much but is worth every cent
• Has a free CE version
recon-ng
• MSF-like interactive tool
• Has a CLI
• Written in Python
• Easily extensible by modules
• SQL DB as backend
recon-ng test drive
/dev/hands
• Bash: grep, sed, awk, sort, wc, pipes etc.
• Lots of OSS console tools & Kali Linux
• perl -ne
• Python
  • Tons of modules
  • Scapy
• Stack Overflow
Phase 3: Organize
• OneNote
  Was the coolest, now online
• CherryTree
  Old, Linux-only
• Evernote
  Cool, but offline costs money
• Growly Notes
  /me using now. Mac only.
• Casefile
  Coolest for investigations, now free, Java.
• Xmind
  Basic feature set is free, Java.
And now… the demo!
• Maltego
  • Low and medium scale goodness.
  • Nice and elegant way to beat the crap out of your scope.
• Recon-ng
  • Writing your own module (the right way).
  • Demo of masscan to probe for TCP ports.
• Nmap
  • nmap -sC after all the initial scope recon.
Actual recon of *.yahoo.com
• Initial scoping with Maltego
• Scanning the IP ranges for live hosts with Nmap
• Using Masscan to find open TCP ports
• Using Nmap to collect TCP service information
Wrap it up
• Increase the quality as you recon
Data in – info out; info in – knowledge out.
• Search for similar things others did.
GitHub, Stack Overflow, Google…
• Script and automate everything
• Share with the community
• Try harder. Keep it simple.
References
• Maltego
  https://www.paterva.com/web7/buy/maltego-clients.php
• Recon-NG
  https://bitbucket.org/LaNMaSteR53/recon-ng
• Nmap NSE scripts
  https://nmap.org/nsedoc/
• Shodan
  https://www.shodan.io
• Censys
  https://censys.io
• theHarvester
  https://github.com/laramies/theHarvester
• FOCA
  https://www.elevenpaths.com/labstools/foca/
• Masscan
  https://github.com/robertdavidgraham/masscan
• SecLists
  https://github.com/danielmiessler/SecLists
• Growly Notes
  http://www.growlybird.com/notes/
• Yahoo Bug Bounty
  https://hackerone.com/yahoo
• GHDB
  https://www.exploit-db.com/google-hacking-database/
Contact me
• https://blog.styran.com/aboutme/
• https://keybase.io/sapran
• @saprand

 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Recon-Fu @BsidesKyiv 2016

  • 1. 80/20 Rule or «You Cannot Spend Too Much Time Enumerating»
      the Recon-Fu for pentesters & bug hunters
      Vlad Styran, OSCP CISSP CISA
  • 2. Intro
      • Working in security since 2005
      • Doing IT security, pentests, IT & security audit, appsec, ISM & RGC consulting…
      • For IT companies, cellular carriers, financial service providers, investment banks, insurance, oil & gas heavy industry, energy…
      • Starting 2014 – co-founder and COO @berezhasecurity
  • 3. root@kali:~# man sapran
      • Social Engineering assessments & awareness trainings
      • Full scope penetration tests (red-teaming)
      • WebApp/web-service security assessments
      • Occasional CTF organizer and player
      • UISG co-founder, UISGCON organizer
      • Securit13 Podcast founder
      • Blogger, speaker @ cons, event producer
      • Endurance runner
  • 4. Mission
      • Recap the recon phase in pentests & bug bounties
      • Identify recon goals and purpose
      • Learn recon methods, tools, and principles
      • Watch a demo
  • 5. Pentest
      1. Plan the project
      2. Run a vuln scanner
      3. Verify something you can
      4. Attempt to exploit it
      5. Generate a report
      6. Take the money
      7. Run away
  • 6. Good pentest
      1. Agree on the terms
      2. Do proper scoping
      3. Enumerate the scope
      4. Analyze the attack surface
      5. Build the threat model
      6. Execute attack scenarios
      7. Report, present, remediate
      8. Re-test
  • 7. Bug Bounties: Pentest vs. Bug Bounty
      • Crowdsourcing the security
      • Scopes may be limited or not
      • Find bugs. Many. Fast.
      • Rewards: from kudos to $$
  • 8. Why recon
      Reconnaissance is a direct analogy of sharpening the axe before the security assessment
  • 9. Recon purpose & goals
      • Validate the scope
        Clients suck at scoping
      • Save time
        nmap -p1-65535 0.0.0.0/0 ??
      • Find stuff to hack. Legally.
        *.yahoo.com
      • Cover more ground
        Running Nessus != pentesting
        Running Burp != bug hunting
  • 10. Recon artifacts
      • DNS names & URLs
      • IP addresses & ranges
      • Network services/ports
      • Software and config data
        Frameworks, versions etc.
      • Locations
      • Contact data
        Names, nicknames
        Emails, IM, phone numbers
  • 11. Recon methodology
      • Search
        Search for initial artifacts while you can
      • Transform
        There are parent and child artifacts
      • Organize
        Maintain the links between artifacts, and the versioning
      • Log. Backup.
  • 12. Phase 1: Search
      • Google is your BFF
      • Bing and Yahoo! too
      • Special friends:
        • Shodan
        • Censys
        • FOCA
        • Robtex and similar sites
        • Nmap, Masscan, Nikto…
  • 13. Google it
      • Google hacking 4ever
        GHDB: https://www.exploit-db.com/google-hacking-database/
      • CSE and web search APIs
        Wait for it…
      • Bing API rules too
  • 16. FOCA
  • 18. Nmap
      • nmap
      • -Pn, -P0
      • -n
      • -sn
      • -sC
      • -oA
      • !-A
      • 529 NSE scripts: discovery, vuln, exploit, fuzzer
  • 19. Nmap
      • Detect XSS, CSRF, LFI, ../../
      • Discover .git, .svn, backups, comments
      • Identify platforms and frameworks versions
      • Check default/common/custom creds for popular webapps, e.g. WP, Drupal etc.
      • Check for known vulns and backdoors
      • And many more!
  • 20. Nmap: discovery
      sudo nmap -n -P0 -p80 -iL hosts.lst --script=http-apache-server-status,http-auth-finder,http-backup-finder,http-comments-displayer,http-default-accounts,http-devframework,http-enum,http-headers,http-mobileversion-checker,http-php-version,http-robots.txt,http-svn-info,http-useragent-tester,http-vhosts,http-webdav-scan,http-xssed -oA nmap_tcp_80_with_scripts
      (The --script list must be a single comma-separated argument with no spaces; if it is split over whitespace, the shell hands each script name to nmap as a separate target.)
  • 21. Nmap: exploit
      sudo nmap -n -P0 -p80 -iL hosts.lst --script=http-csrf,http-dombased-xss,http-fileupload-exploiter,http-shellshock,http-stored-xss,http-vuln-cve2006-3392,http-vuln-cve2009-3960,http-vuln-cve2012-1823,http-vuln-cve2013-0156,http-vuln-cve2013-6786,http-vuln-cve2013-7091,http-vuln-cve2014-3704,http-vuln-cve2014-8877 -oA nmap_tcp_80_with_scripts
  • 22. Masscan
      • masscan
      • -p 80,443,8000-81000
      • --rate 500
      • --banners
      • --nmap
      • Choose rates wisely!
  • 23. Fuzz!!
      • BurpSuite Intruder
      • SecLists https://github.com/danielmiessler/SecLists
      • Nmap brute NSE scripts
      • DirBuster
      • Kali information gathering tools
      • Python/Scapy
  • 25. Transform examples
      • From an email
        • Domain name
      • From a domain name
        • Web-sites
        • DNS records
        • IP address
      • From a web-site
        • Documents and metadata
      • From an IP address
        • IP range
        • Virtual hosts
        • TCP services
      • From an IP range
        • Live hosts within
        • Routing information
        • Whois information
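The Search → Transform → Organize methodology of slide 11 and the parent/child transforms of slide 25 can be modelled as a small artifact graph. The block below is an added example written for this page, not code from the talk nor from Maltego or recon-ng: `Artifact`, `Store`, `TRANSFORMS`, `build_store`, `SCOPE_RANGES` and `SEEDS` are hypothetical names, only the purely local transforms (email → domain, URL → host, host → domain, IP → in-scope range) are implemented, and the seeds are constructed documentation addresses and `.example` names. Every artifact keeps a link to the artifact it was derived from and an append-only log entry, which is the "maintain the links" and "Log. Backup." part of slide 11; the scope check is the part a defender cares about, since an address that the transforms cannot place in an agreed range is reported for confirmation rather than fed to a scanner.

```python
"""Recon artifact graph: Search -> Transform -> Organize, with provenance and a log.
Added example, not code from the talk. Only local transforms are implemented (string
parsing, ipaddress maths); network ones (DNS, whois, scans) would plug in the same way."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable
from urllib.parse import urlparse

# Constructed in-scope ranges for the demo, not a real engagement's scope.
SCOPE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

@dataclass(frozen=True)
class Artifact:
    kind: str   # "email", "url", "host", "domain", "ip", "iprange", ...
    value: str

def email_to_domain(value: str) -> Iterable[Artifact]:
    _, at, domain = value.rpartition("@")
    if at and "." in domain:
        yield Artifact("domain", domain.lower())

def url_to_host(value: str) -> Iterable[Artifact]:
    host = urlparse(value).hostname          # urlparse already lower-cases the host part
    if host:
        yield Artifact("host", host)

def host_to_domain(value: str) -> Iterable[Artifact]:
    # Simplification: last two labels = registrable domain; a real tool should use
    # the public suffix list so that names like example.co.uk are handled.
    labels = value.split(".")
    if len(labels) > 2:
        yield Artifact("domain", ".".join(labels[-2:]))

def ip_to_range(value: str) -> Iterable[Artifact]:
    for net in SCOPE_RANGES:
        if ipaddress.ip_address(value) in net:
            yield Artifact("iprange", str(net))

TRANSFORMS = {  # kind -> [(transform name, function)]; Maltego/recon-ng ones would sit here
    "email": [("email->domain", email_to_domain)], "url": [("url->host", url_to_host)],
    "host": [("host->domain", host_to_domain)], "ip": [("ip->iprange", ip_to_range)]}

@dataclass
class Store:
    nodes: set = field(default_factory=set)    # every artifact seen
    edges: set = field(default_factory=set)    # (parent, child) provenance links
    done: set = field(default_factory=set)     # (artifact, transform name) already run
    log: list = field(default_factory=list)    # append-only audit trail ("Log. Backup.")

    def add(self, art: Artifact, parent: Artifact | None = None, source: str = "seed") -> bool:
        """Record an artifact and its parent link; True only the first time it is seen."""
        new = art not in self.nodes
        self.nodes.add(art)
        if parent is not None:
            self.edges.add((parent, art))
        self.log.append({"kind": art.kind, "value": art.value, "source": source,
                         "parent": parent.value if parent else None, "new": new})
        return new

    def expand(self, max_rounds: int = 10) -> int:
        """Run each transform once per matching artifact, repeating while new ones appear."""
        added = 0
        for _ in range(max_rounds):
            round_added = 0
            for art in sorted(self.nodes, key=lambda a: (a.kind, a.value)):
                for name, fn in TRANSFORMS.get(art.kind, []):
                    if (art, name) not in self.done:
                        self.done.add((art, name))
                        round_added += sum(self.add(c, art, name) for c in fn(art.value))
            added += round_added
            if round_added == 0:
                break
        return added

    def by_kind(self, kind: str) -> list[str]:
        return sorted(a.value for a in self.nodes if a.kind == kind)

    def lineage(self, art: Artifact) -> list[str]:
        """Walk parent links back to a seed: how was this artifact obtained?"""
        chain, seen = [f"{art.kind}:{art.value}"], {art}
        while parents := sorted((p for p, c in self.edges if c == art and p not in seen),
                                key=lambda a: (a.kind, a.value)):
            art = parents[0]
            seen.add(art)
            chain.append(f"{art.kind}:{art.value}")
        return chain[::-1]

    def out_of_scope_ips(self) -> list[str]:
        """'Validate the scope': addresses in no agreed range go back to the client, not to the scanner."""
        covered = {p.value for p, c in self.edges if c.kind == "iprange"}
        return sorted(v for v in self.by_kind("ip") if v not in covered)

def build_store(seeds: Iterable[Artifact]) -> Store:
    store = Store()
    for seed in seeds:
        store.add(seed)
    store.expand()
    return store

# Constructed seed artifacts (documentation addresses and .example names only).
SEEDS = [Artifact("email", "Admin@Corp.example"), Artifact("url", "https://Portal.Corp.example/login"),
         Artifact("ip", "192.0.2.10"), Artifact("ip", "203.0.113.7")]
```

Calling `build_store(SEEDS)` and then `by_kind("domain")`, `out_of_scope_ips()` and `lineage(...)` gives the organized view: one domain reached from two different parents, one address inside an agreed range, one (203.0.113.7) that nobody agreed to and that therefore goes back to the client. Because `expand` remembers which transform has already run on which artifact, re-running it after adding new seeds only does the new work and only appends to the log, so the store can be snapshotted and diffed between engagement days.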
  • 26. Transform tools
      • Maltego https://www.paterva.com/
      • Recon-NG https://bitbucket.org/LaNMaSteR53/recon-ng
      • /dev/hands: Python, bash, perl…
  • 27. Maltego
      • Cool visual graph-based UI
      • Uses transforms to explore data
      • Easily extensible: write your own transforms
      • Costs relatively much but is worth every cent
      • Has a free CE version
  • 28. recon-ng
      • MSF-like interactive tool
      • Has a CLI
      • Written in Python
      • Easily extensible by modules
      • SQL DB as backend
  • 30. /dev/hands
      • Bash: grep, sed, awk, sort, wc, pipes etc.
      • Lots of OSS console tools & Kali Linux
      • perl -ne
      • Python
        • Tons of modules
        • Scapy
      • Stack Overflow
  • 31. Phase 3: Organize
      • OneNote: was the coolest, now online
      • CherryTree: old, Linux-only
      • Evernote: cool, but offline costs money
      • Growly Notes: /me using now. Mac only.
      • Casefile: coolest for investigations, now free, Java.
      • Xmind: basic feature set is free, Java.
  • 32. And now… the demo!
      • Maltego
        • Low and medium scale goodness.
        • Nice and elegant way to beat the crap out of your scope.
      • Recon-ng
        • Writing your own module (the right way).
        • Demo of masscan to probe for TCP ports.
      • Nmap
        • nmap -sC after all the initial scope recon.
  • 33. Actual recon of *.yahoo.com
      • Initial scoping with Maltego
      • Scanning the IP ranges for live hosts with Nmap
      • Using Masscan to find open TCP ports
      • Using Nmap to collect TCP service information
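Slides 18 and 20 write scan results with -oA, slide 33 ends with collecting TCP service information with Nmap, and slide 11 asks for versioning of the artifacts. As an added example (not the talk's own code), the block below parses the .xml file that -oA produces into a per-host inventory of open services and diffs two runs so that newly exposed listeners and changed banners stand out; `parse_nmap_xml`, `diff_inventories` and `scan_drift` are hypothetical names, and SCAN_1 and SCAN_2 are constructed minimal nmap XML documents using documentation addresses (real files carry more attributes but the same host/address/ports/port/state/service layout).

```python
"""Build a service inventory from nmap -oA XML output and diff two scan runs.
Added example, not code from the talk. SCAN_1 and SCAN_2 are constructed minimal
nmap XML documents with documentation addresses, not captures of real hosts."""
import xml.etree.ElementTree as ET


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {ip: {'tcp/80': 'http Apache httpd 2.4.7', ...}} for hosts that are up,
    keeping only ports whose state is 'open'."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue   # down hosts carry no service data worth keeping
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") in ("ipv4", "ipv6")]
        if not addrs:
            continue
        services = inventory.setdefault(addrs[0], {})
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
            key = f"{port.get('protocol')}/{port.get('portid')}"
            services[key] = " ".join(p for p in parts if p) or "unknown"
    return inventory


def diff_inventories(old: dict, new: dict) -> dict:
    """Compare two runs: services that appeared, disappeared, or changed banner.
    'appeared' is the list a defender reads first: new exposure since the last scan."""
    result = {"appeared": [], "disappeared": [], "changed": []}
    for ip in sorted(set(old) | set(new)):
        o, n = old.get(ip, {}), new.get(ip, {})
        for key in sorted(set(o) | set(n)):
            if key not in o:
                result["appeared"].append((ip, key, n[key]))
            elif key not in n:
                result["disappeared"].append((ip, key, o[key]))
            elif o[key] != n[key]:
                result["changed"].append((ip, key, o[key], n[key]))
    return result


# Constructed sample: first run over two hosts; 192.0.2.11 did not answer.
SCAN_1 = """<nmaprun scanner="nmap" args="nmap -n -Pn -sC -oA scan1 192.0.2.10-11">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="www.corp.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.7" method="probed" conf="10"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed sample: the re-scan. 192.0.2.11 came up with a listener of its own,
# and 192.0.2.10 now exposes SSH and runs a newer Apache.
SCAN_2 = """<nmaprun scanner="nmap" args="nmap -n -Pn -sC -oA scan2 192.0.2.10-11">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="6.6.1p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.10" method="probed" conf="10"/></port>
</ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
</nmaprun>"""


def scan_drift() -> dict:
    """Drift between the two constructed runs."""
    return diff_inventories(parse_nmap_xml(SCAN_1), parse_nmap_xml(SCAN_2))


if __name__ == "__main__":
    for change, items in scan_drift().items():
        for item in items:
            print(change, *item)
```

Feed it the .xml member of the -oA trio (the .nmap and .gnmap siblings are for eyes and grep); keeping one parsed snapshot per run and diffing against the previous one before each re-test turns the raw scan output into the versioned inventory slide 11 asks for, and a non-empty "appeared" list is the first thing to take to the client.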
  • 34. Wrap it up
      • Increase the quality as you recon
        Data in – info out; info in – knowledge out.
      • Search for similar things others did.
        GitHub, Stack Overflow, Google…
      • Script and automate everything
      • Share with the community
      • Try harder. Keep it simple.
  • 35. References
      • Maltego https://www.paterva.com/web7/buy/maltego-clients.php
      • Recon-NG https://bitbucket.org/LaNMaSteR53/recon-ng
      • Nmap NSE scripts https://nmap.org/nsedoc/
      • Shodan https://www.shodan.io
      • Censys https://censys.io
      • theHarvester https://github.com/laramies/theHarvester
      • FOCA https://www.elevenpaths.com/labstools/foca/
      • Masscan https://github.com/robertdavidgraham/masscan
      • SecLists https://github.com/danielmiessler/SecLists
      • Growly Notes http://www.growlybird.com/notes/
      • Yahoo Bug Bounty https://hackerone.com/yahoo
      • GHDB https://www.exploit-db.com/google-hacking-database/
  • 36. Contact me
      • https://blog.styran.com/aboutme/
      • https://keybase.io/sapran
      • @saprand