Title: Scanning the Internet for External Cloud Exposures via SSL Certs
Presenter: Rizwan Syed
Event: BreachForce CyberSecurity Cohort
Talk Date: 21st April 2024
In this presentation, Rizwan Syed dives deep into the process of scanning the internet for external cloud exposures using SSL certificates. The slides cover the methodology and tools employed in identifying potential vulnerabilities in cloud environments. Explore real-world examples and case studies illustrating the importance of SSL certificate monitoring in ensuring robust cloud security. From understanding the significance of SSL certificates to practical techniques for scanning and remediation, these slides offer valuable insights for cybersecurity professionals seeking to safeguard their organization's cloud infrastructure.
1. Scanning the Internet for External Cloud Exposures via SSL Certs.
Rizwan Syed
@_r12w4n
breachforce.net
2. About Me
Consultant - Cyber Risk Advisory @ Deloitte
Certified Red Team Professional - CRTP
Penetration Tester | Offensive Cyber Security Enthusiast
3. Attack Surface
Attack Surface Monitoring (ASM) refers to the
proactive and continuous process of
identifying and assessing an organization's
external-facing assets, vulnerabilities, and
potential points of entry for cyber threats.
7. Challenges
As a red teamer, it is difficult to find all of an organization's apps in the cloud if they are not advertised.
Applications are often developed in the cloud while publicly exposed to the internet.
"Ephemeral" cloud-hosted applications are sometimes brought online to do small things and then go offline. They have bugs.
Reference Talk Title: CloudRecon finding ephemeral assets in the cloud – CloudVillage
By Gunnar Andrews & Jason Haddix
Link: https://youtu.be/vWRvczG7Fvc
21. Nuclei Template Spray Scan
# nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t git-config.yaml -stats -stream -elog errors.txt -o git-nuclei-scan.txt
# nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t dotEnv.yaml -stats -stream -elog errors.txt -o dotEnv-nuclei-scan.txt
Reference: Mass Scanning with Nuclei
Strategy | Template Spray | Host Spray
Description | Scans multiple targets with one template at a time | Scans one target with all templates at a time
Approach | Stealthy mode | Focused mode
Target Selection | Multiple targets | Single target
Load Distribution | Distributed load across multiple targets | Concentrated load on a single target
Speed | Maintains scanning speed | May slow down if target is unresponsive or busy
28. Resources / References
• CloudRecon finding ephemeral assets in the cloud
https://youtu.be/vWRvczG7Fvc
• ToolTime - Cloud Recon 1
https://youtu.be/7hKEfF-yR1w
• Tool Time SSL Certificate Parsers
https://youtu.be/dgEwPXQKqlU
• Certificate Parsing with domain-recon
https://ervinszilagyi.dev/articles/certificate-parsing-with-domain-recon
• Recon Methods Part 2 – OSINT Host Discovery Continued
https://redsiege.com/tools-techniques/2020/02/recon-methods-part-2-osint-host-discovery-continued/#SSL_Certificate_Search
• How To Scan AWS's Entire IP Range to Recon SSL Certificates
https://www.daehee.com/scan-aws-ip-ssl-certificates/
• Catch Me If You Can - Shubham Shah & Michael Gianarakis at 44CON 2018
https://youtu.be/C85ZOJgufuw
• External Reconnaissance Unveiled: A Deep Dive into Domain Analysis
https://breachforce.net/external-recon-1
• Scrape Cloud for SSL/TLS Certificate
https://breachforce.net/scrape-cloud-for-ssltls-certificate
• Mass Scanning with Nuclei
https://docs.projectdiscovery.io/tools/nuclei/mass-scanning-cli#understanding-how-nuclei-consumes-resources