Many freely available data sources can be leveraged to map an organization's digital assets without sending a single packet to the target. For large organizations, the first stop is to figure out which IP address blocks they own. Lists of Autonomous Systems (AS) are available from several sources, such as MaxMind, and can serve as an initial map of where to look. Obviously, any cloud-hosted servers will not appear there; there are several other tricks for finding those, which we'll discuss in a bit.
DNS queries are a great place to go next. While it is hard to find a server that still allows zone transfers, several tools, such as fierce.pl, can automate lookups for common subdomains. In the example below, Pure Hacking ran a DNS subdomain brute-force attack against the target and located an externally reachable administrative server; such servers are often attractive targets for initial exploitation.
Targeted keyword searches in any of the popular search engines can help identify new subdomains that may be of interest. A common technique is to start with site:example.com, then drill down by excluding the subdomains you have already seen, like so: site:example.com -www.example.com. Netcraft, BuiltWith and Shodan are all great resources for seeing what information your organization is leaking. In the example below, Shodan is used to identify externally available SSH servers belonging to Citigroup. SSH servers are a great target because they can often be brute forced (unless keys are used) and provide shell access when successful.
Once you have identified a number of servers in a close IP range, it is a good idea to check the other IPs within the same /24 (class C) to find related hosts. Depending on the organization, reverse DNS lookups may give you this information directly. Censys and Project Sonar scan the internet and publish interesting data such as forward and reverse DNS lookups as well as internet-wide port scan results. Leveraging these scans can be as simple as parsing out every host whose name falls under a specific parent domain.
Another interesting use case for identifying an organization's digital assets is to figure out which DNS server it uses, then query the DNS scan results for other zones configured to use the same name server. This technique only works when the organization hosts its own DNS server rather than using a third-party service.
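The two passive techniques above (filtering a bulk DNS dataset by parent domain, and finding other zones that delegate to the organization's own name server) come down to a few lines of parsing. The following is an added example, not code from the original article or from Project Sonar; the records mirror the JSON-lines field layout of Sonar's forward and reverse DNS datasets (timestamp, name, type, value), but every host, IP and name server in them is constructed for the example.

```python
import json

# Constructed sample records in the JSON-lines layout of Project Sonar's forward
# and reverse DNS datasets. The hosts, addresses and name servers are made up.
SAMPLE_SCAN = """\
{"timestamp":"1700000000","name":"www.example.com","type":"a","value":"203.0.113.10"}
{"timestamp":"1700000000","name":"admin.example.com","type":"a","value":"203.0.113.11"}
{"timestamp":"1700000000","name":"example.com","type":"ns","value":"ns1.example.com"}
{"timestamp":"1700000000","name":"partner-site.example.org","type":"ns","value":"ns1.example.com"}
{"timestamp":"1700000000","name":"unrelated.example.net","type":"ns","value":"ns.hosting-provider.example"}
{"timestamp":"1700000000","name":"notexample.com","type":"a","value":"198.51.100.5"}
{"timestamp":"1700000000","name":"203.0.113.12","type":"ptr","value":"vpn.example.com"}
{"timestamp":"1700000000","name":"203.0.113.13","type":"ptr","value":"mail.notexample.com"}
"""


def parse_records(text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def in_zone(name, parent):
    """True if name equals parent or is a subdomain of it.

    The check is label-aware: 'notexample.com' is NOT under 'example.com',
    which a naive endswith('example.com') would get wrong.
    """
    name = name.rstrip(".").lower()
    parent = parent.rstrip(".").lower()
    return name == parent or name.endswith("." + parent)


def hosts_under(records, parent):
    """Map every hostname under parent to the set of IPs the scan associates with it.

    Forward records carry the hostname in 'name'; reverse (PTR) records carry the
    IP in 'name' and the hostname in 'value', so the two are read differently.
    Hosts seen only via NS or other record types map to an empty set.
    """
    found = {}
    for r in records:
        rtype = r.get("type", "").lower()
        if rtype == "ptr":
            host, addr = r["value"], r["name"]
        elif rtype in ("a", "aaaa"):
            host, addr = r["name"], r["value"]
        else:
            host, addr = r["name"], None
        if not in_zone(host, parent):
            continue
        ips = found.setdefault(host.rstrip(".").lower(), set())
        if addr:
            ips.add(addr)
    return found


def hosts_sharing_nameserver(records, org_nameservers):
    """Zones whose NS record points at one of the organization's own name servers.

    This is what surfaces domains that are not under the parent domain at all
    (a partner site or forgotten brand) but are still run by the same team.
    """
    wanted = {ns.rstrip(".").lower() for ns in org_nameservers}
    zones = set()
    for r in records:
        if r.get("type", "").lower() == "ns" and r["value"].rstrip(".").lower() in wanted:
            zones.add(r["name"].rstrip(".").lower())
    return sorted(zones)


if __name__ == "__main__":
    recs = list(parse_records(SAMPLE_SCAN))
    for host, ips in sorted(hosts_under(recs, "example.com").items()):
        print(f"{host:30} {', '.join(sorted(ips)) or '(no address in scan)'}")
    print("zones delegated to ns1.example.com:",
          hosts_sharing_nameserver(recs, ["ns1.example.com"]))
```

Run against a real Sonar dump the same functions work unchanged, since each line is parsed independently and the dataset never has to fit in memory; for an inventory check, diff the output of `hosts_under` against the asset register and treat anything unknown (here, `vpn.example.com`, visible only through reverse DNS) as a host to investigate.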
In addition, SPF (Sender Policy Framework) records can be leveraged to tie further IPs and network ranges back to an organization. SSL scan results can be used to find other hosts serving a certificate whose common name (CN) matches the parent domain. Finally, ViewDNS.info is a helpful tool for enumerating other domains registered with the same email address. In the example below, ViewDNS is used to enumerate 12,620 domains that are associated with apple.com.
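To show what the SPF and certificate checks look like in practice, here is an added example (not code from the original article). It walks an SPF record with Python's standard `ipaddress` module, following `include:` and `redirect=` through a constructed table of TXT records so it runs offline, and applies the same label-aware matching to certificate names, including wildcards. The domains, addresses and certificates are all made up; the 10-lookup limit is the one RFC 7208 sets for SPF evaluation.

```python
import ipaddress
import re

# Constructed TXT records keyed by domain, standing in for live DNS lookups.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.8 ip4:198.51.100.9/32 a -all",
}

# Constructed certificate observations: (host IP, names on the certificate).
SAMPLE_CERTS = [
    ("203.0.113.20", ["*.example.com", "example.com"]),
    ("198.51.100.40", ["shop.example.com", "shop.example.org"]),
    ("192.0.2.9", ["notexample.com"]),
]

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def spf_networks(domain, lookup=TXT_RECORDS.get):
    """Return (networks, unresolved, lookups) for a domain's SPF record.

    networks  - ip4:/ip6: networks found directly or via include:/redirect=
    unresolved - terms that would need live DNS (a, mx, ptr, exists) or that
                 could not be followed (missing record, lookup limit)
    lookups   - how many DNS-querying terms were seen, so an over-limit record
                (which receivers treat as a permerror) is visible too
    """
    networks, unresolved = [], []
    lookups = 0
    seen, queue = set(), [domain.rstrip(".").lower()]
    while queue:
        d = queue.pop(0)
        if d in seen:              # guards against include: loops
            continue
        seen.add(d)
        record = lookup(d)
        if record is None or not record.lower().startswith("v=spf1"):
            unresolved.append(f"{d}: no SPF record")
            continue
        for term in record.split()[1:]:
            term = term.lstrip("+-~?")   # the qualifier does not change which networks are named
            if term.startswith(("ip4:", "ip6:")):
                networks.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
            elif term.startswith(("include:", "redirect=")):
                lookups += 1
                if lookups > MAX_LOOKUPS:
                    unresolved.append(f"{term}: beyond the {MAX_LOOKUPS}-lookup limit")
                    continue
                queue.append(re.split(r"[:=]", term, 1)[1].rstrip(".").lower())
            elif term in ("a", "mx") or term.startswith(("a:", "mx:", "ptr", "exists:")):
                lookups += 1
                unresolved.append(f"{term} (needs live DNS, evaluated against {d})")
            # 'all' and other modifiers name no addresses
    return networks, unresolved, lookups


def address_in_networks(ip, networks):
    """True if ip falls inside any of the networks an SPF walk produced."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)


def cert_name_matches_parent(name, parent):
    """True if a certificate CN or SAN (wildcards allowed) names parent or a host under it."""
    name = name.strip().lower().rstrip(".")
    parent = parent.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == parent or name.endswith("." + parent)


def hosts_with_cert_for(parent, certs=SAMPLE_CERTS):
    """IPs presenting a certificate with any name (CN or SAN) under parent."""
    return [ip for ip, names in certs if any(cert_name_matches_parent(n, parent) for n in names)]


if __name__ == "__main__":
    nets, pending, used = spf_networks("example.com")
    print("SPF networks:", [str(n) for n in nets], "lookups used:", used)
    print("still needs DNS:", pending)
    print("203.0.113.77 covered by SPF:", address_in_networks("203.0.113.77", nets))
    print("hosts with example.com certificates:", hosts_with_cert_for("example.com"))
```

The walk collects every `ip4:`/`ip6:` term, which is the asset-mapping use the paragraph describes, but it deliberately reports rather than resolves `a`/`mx`, so that a reader swapping in a live resolver knows exactly which terms still need queries. Checking SANs alongside the CN, as `hosts_with_cert_for` does, matters because modern certificates frequently carry the interesting hostnames only in the SAN list.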
Whether you're tasked with managing your organization's online security or simply need to accurately scope a pen testing engagement, OSINT (Open Source Intelligence) techniques can and should be leveraged to ensure that you don't accidentally leave insecure devices online.