External Recon

What are we looking for?

Data Point	Description
IP Space	Valid ASN for our target, netblocks in use for the organization's public-facing infrastructure, cloud presence and the hosting providers, DNS record entries, etc.
Domain Information	Based on IP data, DNS, and site registrations. Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present? (Mailservers, DNS, Websites, VPN portals, etc.) Can we determine what kind of defenses are in place? (SIEM, AV, IPS/IDS in use, etc.)
Schema Format	Can we discover the organization's email accounts, AD usernames, and even password policies? Anything that will give us information we can use to build a valid username list to test external-facing services for password spraying, credential stuffing, brute forcing, etc.
Data Disclosures	For data disclosures we will be looking for publicly accessible files ( .pdf, .ppt, .docx, .xlsx, etc. ) for any information that helps shed light on the target. For example, any published files that contain intranet site listings, user metadata, shares, or other critical software or hardware in the environment (credentials pushed to a public GitHub repo, the internal AD username format in the metadata of a PDF, for example.)
Breach Data	Any publicly released usernames, passwords, or other critical information that can help an attacker gain a foothold.

Where are we looking?

Resource	Examples
ASN / IP registrars	IANA, arin for searching the Americas, RIPE for searching in Europe, BGP Toolkit
Domain Registrars & DNS	Domaintools, PTRArchive, ICANN, manual DNS record requests against the domain in question or against well known DNS servers, such as 8.8.8.8.
Social Media	Searching Linkedin, Twitter, Facebook, your region's major social media sites, news articles, and any relevant info you can find about the organization.
Public-Facing Company Websites	Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the "About Us" and "Contact Us" pages can also be gold mines.
Cloud & Dev Storage Spaces	GitHub, AWS S3 buckets & Azure Blog storage containers, Google searches using "Dorks"
Breach Data Sources	HaveIBeenPwned to determine if any corporate email accounts appear in public breach data, Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline. We can then try these passwords against any exposed login portals (Citrix, RDS, OWA, 0365, VPN, VMware Horizon, custom applications, etc.) that may use AD authentication.

---

Finding Address Space

The BGP-Toolkit hosted by Hurricane Electric is a fantastic resource for researching what address blocks are assigned to an organization and what ASN they reside within

DNS

DNS is a great way to validate our scope and find out about reachable hosts the customer did not disclose in their scoping document. Sites like domaintools, and viewdns.info are great spots to start.

Public Data

A sample scenario is if we found a Sharepoint admin job listing, we may see that they are using Sharepoitn 2013/2016 which is outdated. With this, we might see outdated sharepoint versions that has more vulnerabilities.

Another example is, we might see some github devs probably leave credentials or notes in their releases.

Tools like Trufflehog and sites like Greyhat Warfare are fantastic resources for finding these breadcrumbs.

---

Sample Enumeration

1. Check for ASN/IP & Domain Data in he.net (BGP Toolkit)

   • IP Address: 134.209.24.248

   • Mail Server: mail1.inlanefreight.com

   • Nameservers: NS1.inlanefreight.com & NS2.inlanefreight.com

2. Use viewdns.info to validate the IP address from step 1. Since it matches, it is a good sign.

3. Let's try to validate the 2 nameservers

   $ nslookup ns1.inlanefreight.com
   
   Server:		192.168.186.1
   Address:	192.168.186.1#53
   
   Non-authoritative answer:
   Name:	ns1.inlanefreight.com
   Address: 178.128.39.165
   
   nslookup ns2.inlanefreight.com
   Server:		192.168.86.1
   Address:	192.168.86.1#53
   
   Non-authoritative answer:
   Name:	ns2.inlanefreight.com
   Address: 206.189.119.186 

4. In the output above, we can see 2 IP addresses which we can also take note.

5. We would check sites like LinkedIn, Twitter, Instagram, and Facebook for helpful info if it were a real company.

6. Next, we hunt for files using google dorks filetype:pdf inurl:inlanefreight.com

7. We can also hunt for email addresses intext:"@inlanefreight.com" inurl:inlanefreight.com

8. We can use linkedin2username to scrape data from hte company's linkedin page and generate a username using flast, first.last, f.last, etc. format

9. We can also used Dehashed to check for credentials from data breaches

   $ sudo python3 dehashed.py -q inlanefreight.local -p
   
   id : 5996447501
   email : roger.grimes@inlanefreight.local
   username : rgrimes
   password : Ilovefishing!
   hashed_password : 
   name : Roger Grimes
   vin : 
   address : 
   phone : 
   database_name : ModBSolutions