Jason Haddix On Adversarial Reconnaissance (Notes)
This post contains my notes on Jason Haddix’s presentation on adversarial recon from the Red Team and Bug Bounty Conference.
Recon is a subset of OSINT. We’re after apex domains, subdomains, IP addresses, services, and contextual business and tech intel. Every additional subdomain or apex domain you find roughly doubles or quadruples your chances of hacking your target.
Recon is not a linear process, it’s a cycle; there’s a lot of jumping around between techniques and tools. Going the extra mile with recon will really help you out with bug bounty hunting and red teaming. Use a note-taking or mind-mapping tool like Xmind to dump your notes.
Techniques and Tools
ASNs and Port Scans
ASNs will give you the IP address ranges of an organization’s servers. These IPs will point you to apex domains, websites, and other services. Because of cloud infrastructure, ASNs won’t give you a full picture of the entity’s network.
- Hurricane Electric’s manual ASN search is useful here.
- ARIN is a US registrar.
- RIPE is an EU & Central Asian registrar.
Once you get the IP ranges, you need to port scan them. Nmap isn’t fast enough to scan large ASNs, so use Naabu.
Focus on ports 80 and 443. Use the results to do a more detailed Nmap port scan of the hosts that respond.
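The same ASN-to-IP-to-port pipeline is what a defender runs to reconcile external exposure against an asset inventory. The following is an added example, not code from the talk or from any of the tools it names: it parses Naabu-style `host:port` output (a constructed sample using documentation addresses) and flags every host whose open ports exceed a hypothetical expected-exposure baseline for its range, including hosts that fall outside every known range.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of naabu-style "host:port" output (hypothetical hosts
# in the 203.0.113.0/24 documentation range).
SAMPLE_SCAN = """\
203.0.113.10:80
203.0.113.10:443
203.0.113.11:443
203.0.113.11:8080
203.0.113.12:22
"""

# Hypothetical baseline: the ports each in-scope range is allowed to expose.
# A host that matches no range gets an empty allow-set, so every open port
# on it is reported (unknown asset, or scan scope drifted outside inventory).
EXPECTED_EXPOSURE = {
    "203.0.113.0/24": {80, 443},
}


def parse_naabu(text):
    """Parse host:port lines into {host: set(ports)}; blank or malformed lines are skipped."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        # rpartition keeps IPv6 literals intact: only the last ':' separates the port.
        host, _, port = line.rpartition(":")
        if port.isdigit():
            open_ports[host].add(int(port))
    return dict(open_ports)


def unexpected_ports(open_ports, expected):
    """Return {host: sorted ports} for hosts exposing more than their baseline allows."""
    nets = {ipaddress.ip_network(cidr): ports for cidr, ports in expected.items()}
    findings = {}
    for host, ports in open_ports.items():
        addr = ipaddress.ip_address(host)
        allowed = set()
        for net, allowed_ports in nets.items():
            if addr in net:
                allowed |= allowed_ports
        extra = sorted(ports - allowed)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    scan = parse_naabu(SAMPLE_SCAN)
    for host, ports in unexpected_ports(scan, EXPECTED_EXPOSURE).items():
        print(f"{host}: unexpected open ports {ports}")
```

Feeding real Naabu output into `parse_naabu` and maintaining `EXPECTED_EXPOSURE` from the asset inventory turns the recon step into a recurring exposure check; the hosts it prints are the ones to hand to the slower, more detailed Nmap pass.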
SHODAN++
Allows for passive recon by using the Shodan API to indirectly crawl assets and gather intel. See cheat sheet below:
Automated Shodan
Use the Karma script with the Shodan API to scan IP ranges.
Use shosubgo to enumerate subdomains. Use the Shodan CLI for bigger projects.
Cloud Recon
Use SSL certificate enumeration tools like CloudRecon to find subdomains, apex domains, and internal domains from the names listed on certificates.
Here’s a range of collected IP addresses for large cloud vendors:
Subdomain scraping will be the biggest contributor to subdomain enumeration. There are two main tools, Amass and Subfinder. BBOT is also useful.
You can enhance the results of these tools by providing them with APIs to services that provide more information during enumeration. These APIs include:
GitHub Enumeration
Most tools are focused on scanning a single repository or organization. We want to search all repositories, especially personal repos, to find intel. Look for hardcoded credentials in related repos, especially those maintained by developers.
Use github-subdomains with an API key.
Also use Haddix’s GitHub dork collection.
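The hardcoded-credential hunting described above is exactly what a defender should run over their own repositories before an attacker does. The following is an added example and not code from the talk or from any GitHub dorking tool: a small secret scanner run over a constructed set of file contents (the AWS key is AWS’s documented example value, the GitHub token is a made-up string), matching a few token formats plus quoted password assignments and attaching a Shannon-entropy score so random tokens stand out from placeholder words.

```python
import math
import re

# Constructed sample repository contents (hypothetical file paths).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 'hunter2'\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GH_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        "echo deploying\n"
    ),
    "README.md": "# Project\nSet DB_PASSWORD via the environment, never in the repo.\n",
}

# Each rule is (name, regex); group 1 captures the candidate secret value.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    # No leading \b here: identifiers like DB_PASSWORD must still match.
    ("password_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]")),
]


def shannon_entropy(s):
    """Bits per character; random tokens score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line_no, rule, entropy) tuples for every rule hit in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((path, line_no, name,
                                 round(shannon_entropy(m.group(1)), 2)))
    return findings


def scan_repo(files):
    """Scan a {path: contents} mapping in path order and collect all findings."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for path, line_no, rule, entropy in scan_repo(SAMPLE_FILES):
        print(f"{path}:{line_no} {rule} (entropy {entropy})")
```

The README line mentions `DB_PASSWORD` but assigns no value, so it produces no finding; that is the distinction a pre-commit or CI scan needs to make to stay useful without flooding developers with false positives.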