Scanning the Internet for External Cloud Exposures via SSL Certs

Title: Scanning the Internet for External Cloud Exposures via SSL Certs.
Presenter: Rizwan Syed
Event: BreachForce CyberSecurity Cohort
Talk Date: 21-April-2024

Key Takeaways: Insights into utilizing SSL certificates to identify and assess cloud exposures across the internet.

BreachForce

April 21, 2024

Transcript

  1. About Me

    Consultant - Cyber Risk Advisory @ Deloitte
    Certified Red Team Professional - CRTP
    Penetration Tester | Offensive Cyber Security Enthusiast
  2. Attack Surface

    Attack Surface Monitoring (ASM) refers to the proactive and continuous process of identifying and assessing an organization's external-facing assets, vulnerabilities, and potential points of entry for cyber threats.
  3. Challenges

    As a red teamer, it is difficult to find all of an organization's apps in the cloud if they are not advertised. Applications are often developed on the cloud while public to the internet. "Ephemeral" cloud-hosted applications are sometimes brought online to do small things and then go offline. They have bugs.

    Reference talk: CloudRecon finding ephemeral assets in the cloud – CloudVillage, by Gunnar Andrews & Jason Haddix. Link: https://youtu.be/vWRvczG7Fvc
  9. Extracting Data

          # cat 20042024-ssl-scrape.json | grep '\.uber\.com' | jq -r .
          # cat 20042024-ssl-scrape.json | grep '\.uber\.com' | jq -r .commonName | anew
          # cat 20042024-ssl-scrape.json | grep '\.uber\.com' | jq -r .ip | anew
          # cat 20042024-ssl-scrape.json | grep 'Uber Technologies, Inc.' | jq -r .ip | cut -d : -f1 | awk "{print \"https://\" \$0}" | anew uber-ssl-ip-urls.txt
          # cat 20042024-ssl-scrape.json | grep 'Uber Technologies, Inc.' | jq -r .commonName | anew uber-domains.txt
          # wget https://raw.githubusercontent.com/mr-rizwan-syed/Red-Team-Resources/main/tldextractor.py
          # python3 tldextractor.py uber-domains.txt
          # cat uber-ssl-ip-urls.txt | httpx -title -sc -td
  10. Nuclei Template Spray Scan

          # nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t git-config.yaml -stats -stream -elog errors.txt -o git-nuclei-scan.txt
          # nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t dotEnv.yaml -stats -stream -elog errors.txt -o dotEnv-nuclei-scan.txt

    Reference: Mass Scanning with Nuclei

    | Strategy | Template Spray | Host Spray |
    |---|---|---|
    | Description | Scans multiple targets with one template at a time | Scans one target with all templates at a time |
    | Approach | Stealthy mode | Focused mode |
    | Target Selection | Multiple targets | Single target |
    | Load Distribution | Distributed load across multiple targets | Concentrated load on a single target |
    | Speed | Maintains scanning speed | May slow down if target is unresponsive or busy |
  12. Scanning the Whole Nation for Exposures via SSL Certs.

          # # https://github.com/ip2location/ip2location-python-csv-converter
          # ip2location-csv-converter -range -replace IP2LOCATION-LITE-DB1.CSV IP2L-DB.NEW.CSV
          # wget https://raw.githubusercontent.com/lord-alfred/ipranges/main/all/ipv4_merged.txt
          # cat IP2L-DB.NEW.CSV | grep '"US"' | csvcut -c 1,2 | tr ',' '-' | mapcidr -a > US-CIDR.txt
          # grep -v -F -f ipv4_merged.txt US-CIDR.txt > US-CIDR-NO-CLOUD.txt
  14. Resources / References

    • CloudRecon finding ephemeral assets in the cloud: https://youtu.be/vWRvczG7Fvc
    • ToolTime - Cloud Recon 1: https://youtu.be/7hKEfF-yR1w
    • Tool Time SSL Certificate Parsers: https://youtu.be/dgEwPXQKqlU
    • Certificate Parsing with domain-recon: https://ervinszilagyi.dev/articles/certificate-parsing-with-domain-recon
    • Recon Methods Part 2 – OSINT Host Discovery Continued: https://redsiege.com/tools-techniques/2020/02/recon-methods-part-2-osint-host-discovery-continued/#SSL_Certificate_Search
    • How To Scan AWS's Entire IP Range to Recon SSL Certificates: https://www.daehee.com/scan-aws-ip-ssl-certificates/
    • Catch Me If You Can - Shubham Shah & Michael Gianarakis at 44CON 2018: https://youtu.be/C85ZOJgufuw
    • External Reconnaissance Unveiled: A Deep Dive into Domain Analysis: https://breachforce.net/external-recon-1
    • Scrape Cloud for SSL/TLS Certificate: https://breachforce.net/scrape-cloud-for-ssltls-certificate
    • Mass Scanning with Nuclei: https://docs.projectdiscovery.io/tools/nuclei/mass-scanning-cli#understanding-how-nuclei-consumes-resources
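
The filtering from the "Extracting Data" slide, done per JSON field instead of with grep over the raw line, as an added example that is not from the original deck. The records are constructed, `example.com` and "Example Corp, Inc." stand in for an organisation's own names, and the `organization` key is an assumed field name (the slide shows only `.commonName` and `.ip`).

```python
import json

# Constructed records, one JSON object per line, in the shape the slide's jq
# filters imply (.commonName, .ip as host:port). "organization" is an assumed key.
SAMPLE_SCRAPE = """\
{"ip": "192.0.2.10:443", "organization": "Example Corp, Inc.", "commonName": "*.corp.example.com"}
{"ip": "192.0.2.11:443", "organization": "", "commonName": "Staging.Example.com"}
{"ip": "198.51.100.7:443", "organization": "", "commonName": "www.example.com.cdn.invalid"}
{"ip": "198.51.100.8:8443", "organization": "Other Org", "commonName": "notexample.com"}
{"ip": "203.0.113.5:443", "organization": "Example Corp, Inc.", "commonName": "portal.example.net"}
{"ip": "203.0.113.9:443", "organi
"""


def owned_assets(lines, domain, org):
    """Return (domains, urls) for certificates issued to `domain` or to `org`."""
    domain = domain.lower()
    domains, urls = set(), set()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # an interrupted scan leaves partial lines; skip them
        if not isinstance(rec, dict):
            continue
        cn = str(rec.get("commonName", "")).lower().rstrip(".")
        name = cn[2:] if cn.startswith("*.") else cn  # drop the wildcard label
        # Match on a label boundary: grep '\.example\.com' would also accept
        # www.example.com.cdn.invalid, where the domain is only a substring.
        by_name = name == domain or name.endswith("." + domain)
        by_org = rec.get("organization") == org
        if not (by_name or by_org):
            continue
        if name:
            domains.add(name)
        if rec.get("ip"):
            urls.add("https://" + str(rec["ip"]))  # keep the port the cert was served on
    return sorted(domains), sorted(urls)


if __name__ == "__main__":
    found_domains, found_urls = owned_assets(
        SAMPLE_SCRAPE.splitlines(), "example.com", "Example Corp, Inc.")
    print("\n".join(found_domains + found_urls))
```

The organisation match is what surfaces `portal.example.net`, a host on a domain the suffix filter alone would never return.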