
Scanning the Internet for External Cloud Exposures via SSL Certs

Title: Scanning the Internet for External Cloud Exposures via SSL Certs
Presenter: Rizwan Syed
Event: BreachForce CyberSecurity Cohort
Talk Date: 21st April 2024

In this presentation, Rizwan Syed dives deep into the process of scanning the internet for external cloud exposures using SSL certificates. The slides cover the methodology and tools employed in identifying potential vulnerabilities in cloud environments. Explore real-world examples and case studies illustrating the importance of SSL certificate monitoring in ensuring robust cloud security. From understanding the significance of SSL certificates to practical techniques for scanning and remediation, these slides offer valuable insights for cybersecurity professionals seeking to safeguard their organization's cloud infrastructure.

Transcript

  1. About Me

    Consultant - Cyber Risk Advisory @ Deloitte
    Certified Red Team Professional - CRTP
    Penetration Tester | Offensive Cyber Security Enthusiast
  2. Attack Surface

    Attack Surface Monitoring (ASM) refers to the proactive and continuous process of identifying and assessing an organization's external-facing assets, vulnerabilities, and potential points of entry for cyber threats.
  3. Challenges

    As a red teamer, it is difficult to find all of an organization's apps in the cloud if they are not advertised. Applications are often developed in the cloud while exposed to the public internet. "Ephemeral" cloud-hosted applications are sometimes brought online to do small things and then go offline. They have bugs.

    Reference talk: CloudRecon finding ephemeral assets in the cloud – CloudVillage, by Gunnar Andrews & Jason Haddix. Link: https://youtu.be/vWRvczG7Fvc
  9. Extracting Data

    # Pretty-print every scrape record that mentions the domain
    cat 20042024-ssl-scrape.json | grep '\.uber\.com' | jq -r .
    # Unique certificate common names and unique IPs for those records
    cat 20042024-ssl-scrape.json | grep '\.uber\.com' | jq -r .commonName | anew
    cat 20042024-ssl-scrape.json | grep '\.uber\.com' | jq -r .ip | anew
    # Select by organization name instead; strip the port from "ip:port" and build https:// URLs
    cat 20042024-ssl-scrape.json | grep 'Uber Technologies, Inc.' | jq -r .ip | cut -d : -f1 | awk "{print \"https://\" \$0}" | anew uber-ssl-ip-urls.txt
    cat 20042024-ssl-scrape.json | grep 'Uber Technologies, Inc.' | jq -r .commonName | anew uber-domains.txt
    wget https://raw.githubusercontent.com/mr-rizwan-syed/Red-Team-Resources/main/tldextractor.py
    python3 tldextractor.py uber-domains.txt
    # Probe the collected URLs for title, status code and technology
    cat uber-ssl-ip-urls.txt | httpx -title -sc -td
  10. Nuclei Template Spray Scan

    nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t git-config.yaml -stats -stream -elog errors.txt -o git-nuclei-scan.txt
    nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t dotEnv.yaml -stats -stream -elog errors.txt -o dotEnv-nuclei-scan.txt

    Reference: Mass Scanning with Nuclei

    | Strategy | Template Spray | Host Spray |
    |---|---|---|
    | Description | Scans multiple targets with one template at a time | Scans one target with all templates at a time |
    | Approach | Stealthy mode | Focused mode |
    | Target Selection | Multiple targets | Single target |
    | Load Distribution | Distributed load across multiple targets | Concentrated load on a single target |
    | Speed | Maintains scanning speed | May slow down if target is unresponsive or busy |
  12. Scanning the Whole Nation for Exposures via SSL Certs

    # https://github.com/ip2location/ip2location-python-csv-converter
    ip2location-csv-converter -range -replace IP2LOCATION-LITE-DB1.CSV IP2L-DB.NEW.CSV
    wget https://raw.githubusercontent.com/lord-alfred/ipranges/main/all/ipv4_merged.txt
    # Read the converter's output file (the name must match the one written above)
    cat IP2L-DB.NEW.CSV | grep '"US"' | csvcut -c 1,2 | tr ',' '-' | mapcidr -a > US-CIDR.txt
    # -x matches whole lines only, so 3.0.0.0/8 does not also drop 13.0.0.0/8;
    # only CIDRs identical to a cloud range are removed, overlapping ranges stay
    grep -v -x -F -f ipv4_merged.txt US-CIDR.txt > US-CIDR-NO-CLOUD.txt
  14. Resources / References

    • CloudRecon finding ephemeral assets in the cloud: https://youtu.be/vWRvczG7Fvc
    • ToolTime - Cloud Recon 1: https://youtu.be/7hKEfF-yR1w
    • Tool Time SSL Certificate Parsers: https://youtu.be/dgEwPXQKqlU
    • Certificate Parsing with domain-recon: https://ervinszilagyi.dev/articles/certificate-parsing-with-domain-recon
    • Recon Methods Part 2 – OSINT Host Discovery Continued: https://redsiege.com/tools-techniques/2020/02/recon-methods-part-2-osint-host-discovery-continued/#SSL_Certificate_Search
    • How To Scan AWS's Entire IP Range to Recon SSL Certificates: https://www.daehee.com/scan-aws-ip-ssl-certificates/
    • Catch Me If You Can - Shubham Shah & Michael Gianarakis at 44CON 2018: https://youtu.be/C85ZOJgufuw
    • External Reconnaissance Unveiled: A Deep Dive into Domain Analysis: https://breachforce.net/external-recon-1
    • Scrape Cloud for SSL/TLS Certificate: https://breachforce.net/scrape-cloud-for-ssltls-certificate
    • Mass Scanning with Nuclei: https://docs.projectdiscovery.io/tools/nuclei/mass-scanning-cli#understanding-how-nuclei-consumes-resources
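
The grep filters on the "Extracting Data" slide match their pattern anywhere in the raw line, so a lookalike name that merely contains the domain is picked up too. The added example below (not from the original deck) parses each scrape record instead, matches `commonName` on a domain boundary, and lists owned IPs that an asset inventory does not yet contain. The `organization` field name, the `example.com` / `Example Corp` values, the inventory and the sample records are assumptions constructed for illustration.

```python
import json

# Constructed sample of a certificate-scrape file: one JSON object per line.
# "ip" and "commonName" are the fields the slide reads with jq; "organization"
# is an assumed name for the field holding the certificate's subject O value.
SAMPLE = """\
{"ip": "203.0.113.10:443", "organization": "Example Corp", "commonName": "*.example.com"}
{"ip": "203.0.113.10:8443", "organization": "Example Corp", "commonName": "*.example.com"}
{"ip": "198.51.100.7:443", "organization": "", "commonName": "staging.example.com"}
{"ip": "198.51.100.99:443", "organization": "", "commonName": "cdn.example.com.lookalike.test"}
{"ip": "192.0.2.55:443", "organization": "Example Corp", "commonName": "legacy-app.internal"}
this line is truncated {"ip": "192.0.2.
"""


def owned(record, domain, org):
    """True if the certificate names our domain or our organization."""
    cn = record.get("commonName", "").lower().rstrip(".")
    if cn.startswith("*."):
        cn = cn[2:]  # treat a wildcard certificate as its base domain
    in_domain = cn == domain or cn.endswith("." + domain)
    return in_domain or record.get("organization") == org


def unknown_exposures(lines, domain, org, inventory):
    """Map each owned IP that is missing from the inventory to its cert names."""
    found = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(rec, dict) or not owned(rec, domain, org):
            continue
        host = rec.get("ip", "").rsplit(":", 1)[0]  # "ip:port" -> "ip"
        if host and host not in inventory:
            found.setdefault(host, set()).add(rec.get("commonName", ""))
    return {ip: sorted(names) for ip, names in sorted(found.items())}


def demo():
    inventory = {"203.0.113.10"}  # constructed: IPs the asset register already lists
    return unknown_exposures(SAMPLE.splitlines(), "example.com", "Example Corp", inventory)


if __name__ == "__main__":
    for ip, names in demo().items():
        print(ip, ", ".join(names))
```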