1. 80/20 Rule
or «You Cannot Spend
Too Much Time Enumerating»
the Recon-Fu for pentesters & bug hunters
Vlad Styran
OSCP CISSP CISA
2. Intro
• Working in security since 2005
• Doing IT security, pentests, IT &
security audit, appsec, ISM & GRC
consulting…
• For IT companies, cellular carriers,
financial service providers,
investment banks, insurance, oil &
gas heavy industry, energy…
• Starting 2014 – co-founder and
COO @berezhasecurity
3. root@kali:~# man sapran
• Social Engineering assessments & awareness trainings
• Full scope penetration tests (red-teaming)
• WebApp/web-service security assessments
• Occasional CTF organizer and player
• UISG co-founder, UISGCON organizer
• Securit13 Podcast founder
• Blogger, speaker @ cons, event producer
• Endurance runner
4. Mission
• Recap the recon phase in pentests & bug bounties
• Identify recon goals and purpose
• Learn recon methods, tools, and principles
• Watch a demo
5. Pentest
1. Plan the project
2. Run a vuln scanner
3. Verify something you can
4. Attempt to exploit it
5. Generate a report
6. Take the money
7. Run away
6. Good pentest
1. Agree on the terms
2. Do proper scoping
3. Enumerate the scope
4. Analyze the attack surface
5. Build the threat model
6. Execute attack scenarios
7. Report, present, remediate
8. Re-test
7. Bug Bounties
Pentest vs. Bug Bounty
• Crowdsourcing the security
• Scopes may be limited or not
• Find bugs. Many. Fast.
• Rewards: from kudos to $$
9. Recon
purpose & goals
• Validate the scope
Clients suck at scoping
• Save time
nmap -p1-65535 0.0.0.0/0 ??
• Find stuff to hack. Legally.
*.yahoo.com
• Cover more ground
Running Nessus != pentesting
Running Burp != bug hunting
10. Recon
artifacts
• DNS names & URLs
• IP addresses & ranges
• Network services/ports
• Software and config data
Frameworks, versions etc.
• Locations
• Contact data
Names, nicknames
Emails, IM, phone numbers
11. Recon
methodology
• Search
Search for initial artifacts while
you can
• Transform
There are parent and child
artifacts
• Organize
Maintain the links between
artifacts, and the versioning
• Log. Backup.
12. Phase 1: Search
• Google is your BFF
• Bing and Yahoo! too
• Special friends:
• Shodan
• Censys
• FOCA
• Robtex and similar sites
• Nmap, Masscan, Nikto…
13. Google it
• Google hacking 4ever
GHDB: https://www.exploit-db.com/google-hacking-database/
• CSE and web search APIs
Wait for it…
• Bing API rules too
19. Nmap (NSE scripts)
• Detect XSS, CSRF, LFI, ../../
• Discover .git, .svn, backups,
comments
• Identify platforms and
frameworks versions
• Check default/common/custom
creds for popular webapps e.g.
WP, Drupal etc.
• Check for known vulns and
backdoors
• And many more!
25. Transform examples
• From an email
  ✓ Domain name
• From a domain name
  ✓ Web-sites
  ✓ DNS records
  ✓ IP address
• From a web-site
  ✓ Documents and metadata
• From an IP address
  ✓ IP range
  ✓ Virtual hosts
  ✓ TCP services
• From an IP range
  ✓ Live hosts within
  ✓ Routing information
  ✓ Whois information
27. Maltego
• Cool visual graph-based UI
• Uses transforms to explore data
• Easily extensible: write your
own transforms
• Not cheap, but worth every cent
• Has a free CE version
30. /dev/hands
• Bash: grep, sed, awk, sort,
wc, pipes etc.
• Lots of OSS console tools &
Kali Linux
• perl -ne
• Python
• Tons of modules
• Scapy
• Stack Overflow
31. Phase 3: Organize
• OneNote
Was the coolest, now
online
• CherryTree
Old, Linux-only
• Evernote
Cool, but offline costs
money
• Growly Notes
/me using now. Mac only.
• Casefile
Coolest for investigations,
now free, Java.
• Xmind
Basic feature set is free,
Java.
32. And now… the demo!
• Maltego
  Low and medium scale goodness.
  Nice and elegant way to beat the crap out of your scope.
• Recon-ng
  Writing your own module (the right way).
  Demo of masscan to probe for TCP ports.
• Nmap
  nmap -sC after all the initial scope recon.
33. Actual recon of
*.yahoo.com
• Initial scoping with Maltego
• Scanning the IP ranges for live hosts with Nmap
• Using Masscan to find open TCP ports
• Using Nmap to collect TCP service information
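The last three steps of that run, glued together in Python as an added example (not the speaker's demo code): parse the grepable output of the nmap ping sweep for live hosts, turn masscan's list output into a host -> ports map, drop any host the sweep did not cover (masscan finds, scope decides), and build one nmap -sV -sC command per host limited to the ports masscan actually found. Both tool outputs below are constructed samples on RFC 5737 addresses; nmap itself is only invoked if you pass execute=True and it is installed.

```python
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed: the shape of `nmap -sn -v -oG - 192.0.2.0/28` output.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -v -oG - 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Down
Host: 192.0.2.20 (mail.example.com)\tStatus: Up
# Nmap done at Mon Jan  1 00:00:05 2024 -- 16 IP addresses (2 hosts up) scanned in 4.81 seconds
"""

# Constructed: the shape of `masscan -p1-65535 --rate 1000 -iL live.txt -oL -`
# output. 192.0.2.99 was not in the live-host list and stands in for a hit
# that falls outside the agreed scope.
SAMPLE_MASSCAN = """\
#masscan
open tcp 443 192.0.2.10 1700000000
open tcp 80 192.0.2.10 1700000001
open tcp 22 192.0.2.20 1700000002
open tcp 25 192.0.2.20 1700000002
open tcp 443 192.0.2.20 1700000003
open tcp 8080 192.0.2.99 1700000004
# end
"""

HOST_UP_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up\s*$", re.M)


def live_hosts(gnmap_text):
    """IPs the ping sweep reported as Up, in order of appearance."""
    return HOST_UP_RE.findall(gnmap_text)


def masscan_ports(masscan_text, allowed_hosts=None):
    """host -> sorted open TCP ports from masscan -oL output.
    Hosts outside allowed_hosts are dropped."""
    ports = defaultdict(set)
    for line in masscan_text.splitlines():
        if not line.startswith("open tcp "):
            continue                       # '#masscan' header, '# end', non-TCP
        _state, _proto, port, host, _ts = line.split()
        if allowed_hosts is not None and host not in allowed_hosts:
            continue
        ports[host].add(int(port))
    return {host: sorted(p) for host, p in ports.items()}


def nmap_argv(host, ports):
    """Version + default-script scan of exactly the ports masscan found.
    -Pn/-n: the host is already known to be up and needs no name lookup."""
    return ["nmap", "-sV", "-sC", "-Pn", "-n",
            "-p", ",".join(str(p) for p in ports),
            "-oA", f"svc_{host}", host]


def build_pipeline(gnmap_text, masscan_text):
    hosts = live_hosts(gnmap_text)
    ports = masscan_ports(masscan_text, allowed_hosts=set(hosts))
    return [nmap_argv(h, ports[h]) for h in hosts if h in ports]


def run_pipeline(gnmap_text, masscan_text, execute=False):
    """Print each nmap command; run it only when asked and nmap is installed."""
    cmds = build_pipeline(gnmap_text, masscan_text)
    for argv in cmds:
        print(" ".join(argv))
        if execute and shutil.which("nmap"):
            subprocess.run(argv, check=False)
    return cmds


if __name__ == "__main__":
    run_pipeline(SAMPLE_GNMAP, SAMPLE_MASSCAN)
```

The point of the split is speed without losing coverage: masscan sweeps all 65535 ports cheaply, and nmap then spends its expensive -sV/-sC probes only on the ports that answered. The allowed_hosts filter is the "validate the scope" step from slide 9 made mechanical; a host that shows up in masscan output but not in the agreed range is a finding to report, not a target to scan.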
34. Wrap it up
• Increase the quality as you recon
Data in – info out; info in – knowledge out.
• Search for similar things others did.
GitHub, Stack Overflow, Google…
• Script and automate everything
• Share with the community
• Try harder. Keep it simple.