External Recon and Enumeration
Like any recon, we are trying to get the lay of the land to ensure we provide the most comprehensive test possible for our customer.
This can be as simple as gleaning a username format from the customer's main website or social media. Any information that allows us to dive deeper into the target is what we're looking for.
Scanning GitHub and other CI/CD platforms can turn up credentials, sensitive documents, or links to an intranet or internal resources, or simply information that gives us a view of how the enterprise environment is configured.
What Are We Looking For?
Data Point: Description

IP Space: Valid ASN for our target, netblocks in use for the organization's public-facing infrastructure, cloud presence and the hosting providers, DNS record entries, etc.

Domain Information: Based on IP data, DNS, and site registrations. Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present (mail servers, DNS, websites, VPN portals, etc.)? Can we determine what kind of defenses are in place (SIEM, AV, IPS/IDS in use, etc.)?

Schema Format: Can we discover the organization's email accounts, AD usernames, and even password policies? Anything that will give us information we can use to build a valid username list to test external-facing services for password spraying, credential stuffing, brute forcing, etc.

Data Disclosures: Here we are looking for publicly accessible files (.pdf, .ppt, .docx, .xlsx, etc.) that contain any information that helps shed light on the target. For example, published files that contain intranet site listings, user metadata, shares, or other critical software or hardware in the environment (credentials pushed to a public GitHub repo, or the internal AD username format in the metadata of a PDF, for example).

Breach Data: Any publicly released usernames, passwords, or other critical information that can help an attacker gain a foothold.
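The Data Disclosures point above is easiest to see on a concrete file. The script below is an added example (not from the original notes) of the audit a document owner can run on a PDF before publishing it, the same check an assessor runs on files already found online: it reads the /Info metadata fields, flags an Author value that looks like a login name rather than a display name, and reports URLs that point at internal-only hostnames. The PDF bytes, the CORP\jsmith author value and the intranet.corp.local host are all constructed for the example; the internal-suffix list (.local, .internal, .corp, .lan) and the account-name heuristic are assumptions to tune for your own environment.

```python
import re
import zlib

# Constructed sample: a minimal PDF with an /Info dictionary and one text
# stream, built inline so the audit runs offline. Office suites and PDF
# printers populate the same /Author, /Creator and /Producer keys.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 70 >>
stream
BT /F1 12 Tf 72 720 Td (See http://intranet.corp.local/hr/policies) Tj ET
endstream
endobj
5 0 obj << /Title (Expense Policy 2024) /Author (CORP\\\\jsmith)
/Creator (Microsoft Word) /Producer (Acrobat Distiller) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# /Info entries written as literal strings: /Key (value). Escaped characters
# inside the parentheses (\\, \(, \)) are consumed as pairs.
_FIELD_RE = re.compile(rb"/(Title|Author|Subject|Creator|Producer)\s*\(((?:\\.|[^\\)])*)\)")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Hostnames under suffixes that only resolve on an internal network (assumed list).
_INTERNAL_URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+\.(?:local|internal|corp|lan)(?:[/:][^\s)\"'<>]*)?")
# Login-style values: jsmith, j.smith, DOMAIN\jsmith, jsmith@corp.example.
# Display names ('Jane Smith') contain a space and never match (heuristic).
_ACCOUNT_RE = re.compile(r"^(?:[A-Za-z0-9_-]+\\)?[a-z][a-z0-9._-]*(?:@[\w.-]+)?$")


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes this audit cares about."""
    for esc, lit in ((b"\\\\", b"\\"), (b"\\(", b"("), (b"\\)", b")")):
        raw = raw.replace(esc, lit)
    return raw.decode("latin-1")


def extract_metadata(pdf: bytes) -> dict:
    """Return the /Info fields stored as literal strings."""
    return {m.group(1).decode(): _unescape(m.group(2)) for m in _FIELD_RE.finditer(pdf)}


def author_looks_like_account(author: str) -> bool:
    return " " not in author and _ACCOUNT_RE.match(author) is not None


def _streams(pdf: bytes):
    """Yield each stream body, inflating /FlateDecode streams where present."""
    for m in _STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # already uncompressed, as in the sample


def find_internal_links(pdf: bytes) -> list:
    """Internal-looking URLs in the raw file (links, metadata) and in page content."""
    blobs = [pdf, *_streams(pdf)]
    return sorted({m.group(0).decode("latin-1") for blob in blobs for m in _INTERNAL_URL_RE.finditer(blob)})


def audit_pdf(pdf: bytes) -> dict:
    """Summarise what an outsider learns from the file before it is published."""
    meta = extract_metadata(pdf)
    findings = []
    author = meta.get("Author", "")
    if author and author_looks_like_account(author):
        findings.append(f"Author field holds a login-style name, not a display name: {author!r}")
    links = find_internal_links(pdf)
    findings.extend(f"Document references an internal host: {url}" for url in links)
    return {"metadata": meta, "internal_links": links, "findings": findings}


if __name__ == "__main__":
    for line in audit_pdf(SAMPLE_PDF)["findings"]:
        print(line)
```

Real files usually carry their page text in Flate-compressed streams, which is why the stream bodies are inflated before the URL scan; metadata written into an XMP block or an object stream would need the same treatment, so treat a clean result here as a first pass, not a guarantee.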
Where Are We Looking?
Resource: Examples

ASN / IP registrars:

Domain Registrars & DNS:

Social Media: Searching LinkedIn, Twitter, Facebook, your region's major social media sites, news articles, and any relevant info you can find about the organization.

Public-Facing Company Websites: Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the "About Us" and "Contact Us" pages can also be gold mines.

Cloud & Dev Storage Spaces:

Breach Data Sources:
TOOLING:
ASN/IP & Domain Data:
DNS:
Public Data:
Social media can be a treasure trove of interesting data that clues us in to how the organization is structured, what kind of equipment it operates, potential software and security implementations, its schema, and more. At the top of that list are job-related sites like LinkedIn, Indeed.com, and Glassdoor.
Sharepoint Admin Job Listing
From a listing like this we learn more about the inner workings of the company's tooling.
IMPORTANT: Websites hosted by the organization are also great places to dig for information. We can gather contact emails, phone numbers, organizational charts, published documents, etc. These sites, specifically the embedded documents, can often have links to internal infrastructure or intranet sites that you would not otherwise know about.
Searching Github:
Google Dorking:
Credential Hunting:
Netcraft
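The Searching GitHub and Credential Hunting headings above cover the same ground from the outside. As an added example (not code from the original notes), the scanner below is the pre-push check a repository owner can run so that the secrets a recon effort would find never reach a public platform: it walks a set of files, applies a few patterns (an AWS access key id, a private-key block, a quoted password/token assignment), skips empty placeholder values, and reports each hit with the value redacted. The repository contents, paths and rule set are constructed for the example; AKIAIOSFODNN7EXAMPLE is the example key id from AWS's own documentation, not a live credential.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str  # redacted copy of the line, so the report itself does not leak the value


# Constructed repository snapshot (path -> contents). In practice you would
# walk a checkout or a CI workspace and read each tracked file.
SAMPLE_REPO = {
    "README.md": "Deploy with `make deploy`. Ask the platform team for credentials.\n",
    "deploy/.env": (
        "DB_HOST=db.internal\n"
        "DB_PASSWORD='Winter2024!'\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented example key id
    ),
    "scripts/backup.sh": '#!/bin/sh\n# placeholder, filled in at runtime\nTOKEN=""\n',
    "keys/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # key = 'value' / key: "value" with a non-empty quoted value; empty
    # placeholders such as TOKEN="" do not match.
    "hardcoded-secret": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key)\s*[=:]\s*(['\"])[^'\"]{6,}\1"
    ),
}

_VALUE_RE = re.compile(r"(['\"])[^'\"]{6,}\1")
_AKIA_RE = re.compile(r"AKIA[0-9A-Z]{16}")


def redact(line: str) -> str:
    """Keep enough of the line to locate it, hide the sensitive value."""
    line = _AKIA_RE.sub("AKIA****************", line)
    return _VALUE_RE.sub(r"\1***\1", line)


def scan_file(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, redact(line.strip())))
    return findings


def scan_repo(files: dict) -> list:
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.rule}] {f.snippet}")
```

Run as a pre-commit or CI step, a non-empty finding list should fail the push; the redacted snippet is what goes into the ticket, so that the report does not become a second copy of the leaked value.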