Scanning the Internet for External Cloud Exposures via SSL Certs.
Rizwan Syed
@_r12w4n
breachforce.net
About Me
Consultant - Cyber Risk Advisory @ Deloitte
Certified Red Team Professional - CRTP
Penetration Tester | Offensive Cyber Security Enthusiast
Attack Surface
Attack Surface Monitoring (ASM) refers to the proactive and continuous process of identifying and assessing an organization's external-facing assets, vulnerabilities, and potential points of entry for cyber threats.
You can’t secure what you don’t know.
Exploring ASM
External Attack Surface Management in Red Teaming
https://breachforce.net/scrape-cloud-for-ssltls-certificate
Challenges
As a red teamer, it is difficult to find all of an organization's apps in the cloud if they are not advertised.
Applications are often developed in the cloud while already public to the internet.
"Ephemeral" cloud-hosted applications are sometimes brought online to do small things and then go offline. They have bugs.
Reference Talk Title: CloudRecon finding ephemeral assets in the cloud – CloudVillage
By Gunnar Andrews & Jason Haddix
Link: https://youtu.be/vWRvczG7Fvc
https://github.com/lord-alfred/ipranges/
https://kaeferjaeger.gay ~ @schniggie
https://kaeferjaeger.gay/?dir=sni-ip-ranges
https://github.com/mr-rizwan-syed/kaefer-g
https://breachforce.net/external-recon-1#heading-unveiling-the-apexroottlds-with-crtshhttpcrtsh-and-reverse-whois
https://github.com/g0ldencybersec/CloudRecon
DigitalOcean Droplet VPS
Extracting Data
# cat 20042024-ssl-scrape.json | grep '.uber.com' | jq -r .
# cat 20042024-ssl-scrape.json | grep '.uber.com' | jq -r .commonName | anew
# cat 20042024-ssl-scrape.json | grep '.uber.com' | jq -r .ip | anew
# cat 20042024-ssl-scrape.json | grep 'Uber Technologies, Inc.' | jq -r .ip | cut -d : -f1 | awk '{print "https://" $0}' | anew uber-ssl-ip-urls.txt
# cat 20042024-ssl-scrape.json | grep 'Uber Technologies, Inc.' | jq -r .commonName | anew uber-domains.txt
# wget https://raw.githubusercontent.com/mr-rizwan-syed/Red-Team-Resources/main/tldextractor.py
# python3 tldextractor.py uber-domains.txt
# cat uber-ssl-ip-urls.txt | httpx -title -sc -td
Nuclei Template Spray Scan
# nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t git-config.yaml -stats -stream -elog errors.txt -o git-nuclei-scan.txt
# nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t dotEnv.yaml -stats -stream -elog errors.txt -o dotEnv-nuclei-scan.txt
Reference: Mass Scanning with Nuclei
Strategy           Template Spray                                       Host Spray
Description        Scans multiple targets with one template at a time   Scans one target with all templates at a time
Approach           Stealthy mode                                        Focused mode
Target Selection   Multiple targets                                     Single target
Load Distribution  Distributed load across multiple targets             Concentrated load on a single target
Speed              Maintains scanning speed                             May slow down if target is unresponsive or busy
Mapping Nuclei Results with commonName
# wget https://raw.githubusercontent.com/mr-rizwan-syed/Red-Team-Resources/main/rancho.sh
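The extraction step (slide 20: grep, jq, cut, awk, anew) and this mapping step (rancho.sh) as one added Python example; it is not the deck's own tooling. It assumes each scrape line is a JSON object with ip ("host:port"), commonName and an organization field (that field name is an assumption, as is the nuclei result-line layout), and all sample data is constructed. It also replaces the grep '.uber.com' substring match with a label-boundary suffix check so that look-alike names are not counted as the organization's assets.

```python
import json
import re
from collections import defaultdict

# Constructed scrape sample, one JSON object per line, in the shape the slide's
# jq filters (.ip, .commonName) expect. "organization" is an assumed field name
# for the string the slide greps ('Uber Technologies, Inc.'); the last line is a
# truncated record of the kind an interrupted scan leaves behind.
SCRAPE_LINES = """\
{"ip": "203.0.113.10:443", "commonName": "*.uber.com", "organization": "Uber Technologies, Inc."}
{"ip": "203.0.113.11:443", "commonName": "api.uber.com", "organization": "Uber Technologies, Inc."}
{"ip": "203.0.113.12:8443", "commonName": "uber.com.attacker.example", "organization": "Example Org"}
{"ip": "203.0.113.13:443", "commonName": "notuber.com", "organization": "Example Org"}
{"ip": "203.0.113.14:443", "commonName": "login.uber.com", "organization": "Uber Technologies, Inc."}
{"ip": "203.0.113.11:443", "commonName": "api.uber.com", "organization": "Uber Technologies, Inc."}
{"ip": "203.0.113.15:443", "commonName": "cdn.uber.com"
"""

# nuclei's result line is assumed to read '[template-id] [protocol] [severity] url'.
NUCLEI_LINE = re.compile(r"^\[(?P<tpl>[^\]]+)\] \[[^\]]+\] \[[^\]]+\] (?P<url>\S+)")


def parse_scrape(text):
    """Load the scrape line by line, skipping blank and truncated lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "ip" in obj and "commonName" in obj:
            records.append(obj)
    return records


def name_in_scope(common_name, apex):
    """True only if the CN is the apex or a (wildcard) subdomain of it.
    grep '.uber.com' is a regex substring match ('.' matches any character), so
    'notuber.com' and 'uber.com.attacker.example' would both pass; this does not."""
    cn = common_name.lower().lstrip("*.")
    return cn == apex or cn.endswith("." + apex)


def in_scope_records(records, apex=None, org=None):
    """Filter by CN suffix and/or by exact organization string."""
    return [r for r in records
            if (apex is None or name_in_scope(r["commonName"], apex))
            and (org is None or r.get("organization") == org)]


def unique_urls(records, scheme="https"):
    """Same result as: jq -r .ip | cut -d : -f1 | awk '{print "https://" $0}' | anew"""
    seen = []
    for r in records:
        url = f"{scheme}://{r['ip'].rsplit(':', 1)[0]}"
        if url not in seen:
            seen.append(url)
    return seen


def ip_to_names(records):
    """Index IP -> set of certificate names observed on it."""
    index = defaultdict(set)
    for r in records:
        index[r["ip"].rsplit(":", 1)[0]].add(r["commonName"])
    return index


def map_nuclei_results(nuclei_lines, index):
    """Attach the certificate names behind each finding's IP, so a hit on a
    bare cloud address can be tied back to a hostname (the rancho.sh step)."""
    mapped = []
    for line in nuclei_lines:
        m = NUCLEI_LINE.match(line)
        if not m:
            continue
        host = m.group("url").split("://", 1)[-1].split("/", 1)[0].split(":")[0]
        mapped.append((m.group("tpl"), host, sorted(index.get(host, ()))))
    return mapped


if __name__ == "__main__":
    recs = parse_scrape(SCRAPE_LINES)
    print(unique_urls(in_scope_records(recs, apex="uber.com")))
    findings = ["[git-config] [http] [medium] https://203.0.113.11"]  # constructed
    print(map_nuclei_results(findings, ip_to_names(recs)))
```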
Scanning the Whole Nation for Exposures via SSL Certs.
# https://github.com/ip2location/ip2location-python-csv-converter
# ip2location-csv-converter -range -replace IP2LOCATION-LITE-DB1.CSV IP2LOCATION-DB1.NEW.CSV
# wget https://raw.githubusercontent.com/lord-alfred/ipranges/main/all/ipv4_merged.txt
# cat IP2LOCATION-DB1.NEW.CSV | grep '"US"' | csvcut -c 1,2 | tr ',' '-' | mapcidr -a > US-CIDR.txt
# grep -v -F -f ipv4_merged.txt US-CIDR.txt > US-CIDR-NO-CLOUD.txt
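The country-minus-cloud pipeline above as an added Python example (not the deck's own commands): it does with the ipaddress module what csvcut, mapcidr -a and grep do, and it shows the gap in the last step, since grep -v -F -f only drops a line that contains a cloud CIDR verbatim, so a cloud block that merely sits inside a larger country block is kept. The CSV layout after the converter's -range -replace (ip_from, ip_to, country code, country name) is an assumption, and all ranges are constructed from documentation address space.

```python
import csv
import io
import ipaddress

# Constructed rows in the layout IP2Location LITE DB1 is assumed to have after
# `ip2location-csv-converter -range -replace`: ip_from, ip_to, country code, name.
IP2L_RANGE_CSV = """\
"198.51.100.0","198.51.100.255","US","United States of America"
"203.0.113.0","203.0.113.127","US","United States of America"
"203.0.113.128","203.0.113.255","CA","Canada"
"192.0.2.0","192.0.2.63","US","United States of America"
"""

# Constructed stand-in for ipranges/all/ipv4_merged.txt, one cloud CIDR per line.
CLOUD_CIDRS = """\
198.51.100.0/25
203.0.113.64/26
"""


def country_ranges(csv_text, country_code):
    """Like grep '"US"' | csvcut -c 1,2, but matched on the country column."""
    out = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 3 and row[2] == country_code:
            out.append((ipaddress.ip_address(row[0]), ipaddress.ip_address(row[1])))
    return out


def ranges_to_cidrs(ranges):
    """Like mapcidr -a: start-end pairs to a minimal, sorted CIDR list."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return sorted(ipaddress.collapse_addresses(nets))


def load_cidrs(text):
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]


def grep_style_subtract(country_nets, cloud_text):
    """What grep -v -F -f ipv4_merged.txt does: a country line is dropped only
    when a cloud CIDR string appears verbatim inside it."""
    patterns = [l.strip() for l in cloud_text.splitlines() if l.strip()]
    return [n for n in country_nets if not any(p in str(n) for p in patterns)]


def subtract_cloud(country_nets, cloud_nets):
    """Address-level subtraction: drop country blocks inside a cloud block and
    carve cloud blocks out of the country blocks that contain them."""
    result = []
    for net in country_nets:
        pieces = [net]
        for cloud in cloud_nets:
            kept = []
            for p in pieces:
                if p.subnet_of(cloud):
                    continue                      # fully cloud-hosted, drop it
                if cloud.subnet_of(p):
                    kept.extend(p.address_exclude(cloud))  # split around it
                else:
                    kept.append(p)                # disjoint, keep as is
            pieces = kept
        result.extend(pieces)
    return sorted(ipaddress.collapse_addresses(result))


if __name__ == "__main__":
    us = ranges_to_cidrs(country_ranges(IP2L_RANGE_CSV, "US"))
    print("grep -v -F -f keeps:", [str(n) for n in grep_style_subtract(us, CLOUD_CIDRS)])
    print("true subtraction:   ", [str(n) for n in subtract_cloud(us, load_cidrs(CLOUD_CIDRS))])
```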
Resources / References
• CloudRecon finding ephemeral assets in the cloud
https://youtu.be/vWRvczG7Fvc
• ToolTime - Cloud Recon 1
https://youtu.be/7hKEfF-yR1w
• Tool Time SSL Certificate Parsers
https://youtu.be/dgEwPXQKqlU
• Certificate Parsing with domain-recon
https://ervinszilagyi.dev/articles/certificate-parsing-with-domain-recon
• Recon Methods Part 2 – OSINT Host Discovery Continued
https://redsiege.com/tools-techniques/2020/02/recon-methods-part-2-osint-host-discovery-continued/#SSL_Certificate_Search
• How To Scan AWS's Entire IP Range to Recon SSL Certificates
https://www.daehee.com/scan-aws-ip-ssl-certificates/
• Catch Me If You Can - Shubham Shah & Michael Gianarakis at 44CON 2018
https://youtu.be/C85ZOJgufuw
• External Reconnaissance Unveiled: A Deep Dive into Domain Analysis
https://breachforce.net/external-recon-1
• Scrape Cloud for SSL/TLS Certificate
https://breachforce.net/scrape-cloud-for-ssltls-certificate
• Mass Scanning with Nuclei
https://docs.projectdiscovery.io/tools/nuclei/mass-scanning-cli#understanding-how-nuclei-consumes-resources
Thank You
Rizwan Syed
github.com/mr-rizwan-syed
twitter.com/_r12w4n
linkedin.com/in/r12w4n/
BreachForce.net
