Scout Sniper-grade OSINT website reconnaissance

-

Initial Disclaimer: 
I have focused on using open source tools for this blog due to their accessibility and general ease of use. I have purposely not included premium tools like Spiderfoot HX, Nessus, Burp Suite, or others I have used in the past, or more invasive ones like FOCA, NMAP/Zenmap and Dirb, because it’s not the focus of this blog. Those tools also require permission use to before scanning any site. Further, that I am not, or ever have been, a scout sniper or in the military, but I have always admired military ethos and the focus on decision making skills. Although, I do know someone who is.

︻デ═δΈ€

If you are a website owner or on the security team of an organisation, it’s always worth seeing through the eye of a potential attacker to scout your perimeter and check your defenses. Another reason to use OSINT tools is because most threat actors will not typically be using enterprise-grade tools either - other than APTs. The general idea is to self-footprint what you want to protect via passive reconnaissance and gain a closer understanding of how an attacker views your site. 

I’ve started with a general overview of the site we want to protect (or scout out) with a handy tool called DNSdumpster. Which provides a lot of useful information generally about one site. It does not brute force subdomain enumeration, but checks the open source passive domain name server (DNS) records that are freely available.




We immediately learn a lot of useful things about the site such as the hosting provider, content delivery network, the mail exchange servers, IP address, subdomains and more. What I would be usually looking out for here is any insecure subdomains such as a login page without HTTPS, subdomain takeovers, or any signs of record or name mismatches. However, other clear signs of compromise or defacements can be quickly discovered this way too. (Link to stories about recent NatWest mismatches and Microsoft subdomain takeovers)

︻デ═δΈ€

It is also increasingly important to monitor for similar websites that are typosquatting your domain, imitating you for either copyright fraud or for threat actors setting up attacks - often executed within 24 hours. This will impact your reputation and will be picked up by other security researchers who like to write blogs about malware campaigns surrounding your organisation (see Cerberus and the INPS and AT&T's phishing guide).

⨁ Two open source tools for this can be the Certificate Stream and DNSTwister:  



Threat actors running along your perimeter for weaknesses will typically check what technology your website is running on to see what vulnerabilities are present, if it is patched with the latest security update, running of end-of-life software, and in certain cases (usually involving APTs) to potentially create a 0day exploit for the known software in use. 

⨁ Tools useful for this include Shodan, Builtwith, MxToolbox, and ExploitDB:



WHOIS information is always one that will be checked as it is useful for finding out various information about the site. It generally displays registration and hosting information about any given domain. With this we can find registrant data (the person or organisation who registered the domain), its date of creation, ASN, IP address, other sites on the same server, and the country the site is hosted in. One important aspect can be the date in which the site was last updated. This can be matched with dates of security updates and if the site has not been updated, then threat actors can tell if it may be vulnerable to new exploits.

⨁ For this, you can go to Domain Tools


Furthermore, one useful technique of tracking malware or phishing campaigns against your domain can be to monitor the relations of your site. This can be done by correlating all crowd-source data from public submissions about any IP, URL, domain, or file that is uploaded and can map how it communicates with other entities online. It can be used to check DNS requests, connections, communicating files, and behaviours.

⨁ The tool you can generally use for this is VirusTotal


It’s also vehemently advised to check other open source tools for phishing campaigns against your customers. Certain tools can check online for structurally similar websites, websites with the same name, and websites that use the exact same images as the one from yours (with image hashes). 

⨁ I like to use URLscan for this:

Any good scout sniper will always check, double check, and triple check before executing their mission, scouting the defenses before attacking. The goal is to build up such a transparent picture of your target that you can imagine every situation in which you can achieve your goals. Plans and backup plans are required to successfully bring down a site. Therefore, the defenders must stay as vigilant, and patrol the border, as possible for any invaders waiting like ghillied snipers in the mist… 


Lastly, Google Dorks are a useful and simple technique for uncovering publicly exposed vulnerabilities in your site, which are indexed for all to see. With this, attackers could find insecure VPN gateways, server logs, cloud buckets, testing pages on the live product, or they can look at what you are trying to hide from Google with ‘robots.txt’.


The majority of findings on the site itself includes insecure login pages (without HTTPS), expired certificates, unpatched or end-of-life (EoL) software, or testing pages on the live product. Other off-site issues include typosquatting domains that are used for credential harvesting, adware or malware deployment, click-fraud, or redirecting users to other malicious pages.

︻デ═δΈ€

Footprinting your own site can be a difficult challenge for someone new, as recognising what is safe or not comes with experience. I have had to slowly learn what to check, what is vulnerable or not, and questions of my own still arise as to whether something is an issue or not. So it is always important to know someone with lots of experience and who is willing to field your questions.

⨁ The full list of tools is available here.

Stay frosty Blue Team.

References:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more