Enumerating Web Attack Vectors

One often helpful task for a penetration tester is identifying attack vectors that can be reached without ever being on site at the location you are assessing. One way of doing this is to use readily available tools that scan the internet and identify machines and servers that may belong to the client.

A few things should be said before we go any further. First, most penetration tests have a very clearly defined scope. Conducting scans outside of that scope may violate your agreement with the business and could land you in quite a bit of trouble. Second, the tools and techniques in this post are by no means limited to penetration testers. I highly encourage any mid-sized or larger business to try these methods out; they may give you a clearer look at what kind of machines you're exposing to others without intending to.

DNS Dumpster

DNS Dumpster is an incredibly helpful tool for identifying machines that belong to you and are accessible from the internet. The service lets you input any domain name and immediately begins to enumerate name servers, mail servers, and even subdomains. It then lays this information out for you, including a graphical map that outlines the path to each machine from name to IP. I plugged in a local security consulting company and came back with quite a few results.

[Image: company.png]

Simply by entering their domain name into this service, we have discovered all sorts of information about their environment. We now know they use G Suite as their mail service provider. We've also identified a couple of their web servers hosting subdomains such as samurai.(company).com, ingshare.(company).com, labs.(company).com, and boards.(company).com. Oftentimes, companies have created a subdomain pointing at a server that they have since forgotten about or do not keep updated as regularly as others. This information can be crucial to an attacker looking for a way in. For example, you'll notice under their DNS providers that they are using Cloudflare for two of their DNS servers. Typically this would shield someone's web server from revealing its actual IP address, so that Cloudflare absorbs any DDoS attack that might otherwise bring it down. In this case, however, most of the IP addresses for their web servers are still visible to the public.

Censys and Shodan

Most people around the internet these days are aware of a service named "Shodan" that offers a comprehensive database of most internet-connected devices in the entire world. Shodan scans the open internet and regularly updates its findings in an easy-to-search website. Most commonly known for finding things like webcams with no passwords on them, it can honestly be used to find far more interesting things. While Shodan has become a standard search tool for many, fewer people are aware of a similar service called "Censys". Censys offers the same service but, in my opinion, with a much cleaner interface and, in my experience, often better results. Let's see what Censys has to offer us for the same local company we just searched.

[Image: censys.png]

Okay, so we only got two results here on Censys. The bottom result is an address we already saw on DNS Dumpster, but the first result is more interesting. It was not listed in the DNS Dumpster report, and if you look closely you'll see a default Apache page. When you run into pages like this, it sometimes means the web server behind it hasn't been fully configured yet. Such a server could be missing updates or running default settings that may allow an attacker access. We're certainly uncovering some helpful information so far.


One last tool I want to point out that may be helpful here is ViewDNS.info. It offers a whole assortment of tools for identifying assets, but I want to draw your attention to one in particular: the IP History tool. It may not always provide pertinent information, but it can be helpful at times. Some businesses hang on to static IP addresses after they stop using them, and those may still point to a legacy server they've forgotten about. Specifically, I've seen this tool used to identify the actual IP addresses of web servers once they've been hidden behind Cloudflare's service. Someone was able to use it to see the IP address a business last used before the Cloudflare address and was able to see the web server behind their wall. Your IP history can reveal machines you may have forgotten about, such as that default Apache web server we just saw in Censys, which hasn't been seen in DNS since May of last year:

[Image: iphistory.png]
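As an added example (not from the original post), here is a small Python self-audit that combines the two checks discussed above: which hosts still publish an origin IP outside Cloudflare's ranges, and which historical IPs no longer appear in current DNS and so may point at a forgotten legacy server. The Cloudflare ranges are a subset copied from cloudflare.com/ips-v4 and are an assumption to be checked against the current list; the hostnames and addresses are constructed sample data.

```python
"""Footprint self-check: origin IPs visible past Cloudflare, and stale historical IPs."""
import ipaddress
from typing import Dict, List

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: verify against the current list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17")]

def behind_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def exposed_origins(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Hosts whose current A records include an address Cloudflare is not fronting."""
    exposed = {}
    for host, ips in records.items():
        visible = [ip for ip in ips if not behind_cloudflare(ip)]
        if visible:
            exposed[host] = visible
    return exposed

def stale_history(records: Dict[str, List[str]],
                  history: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Historical IPs that no longer appear in a host's DNS: legacy-server candidates."""
    stale = {}
    for host, old_ips in history.items():
        current = set(records.get(host, []))
        gone = [ip for ip in old_ips if ip not in current]
        if gone:
            stale[host] = gone
    return stale

# Constructed sample data using RFC 5737 documentation addresses, not real hosts.
SAMPLE_RECORDS = {"www.example.com": ["104.16.1.1"],                     # fronted
                  "labs.example.com": ["203.0.113.10"],                  # origin visible
                  "boards.example.com": ["198.51.100.7", "172.64.5.5"]}  # one origin leaks
SAMPLE_HISTORY = {"www.example.com": ["192.0.2.44", "104.16.1.1"],
                  "labs.example.com": ["203.0.113.10"]}

if __name__ == "__main__":
    print("exposed origins:", exposed_origins(SAMPLE_RECORDS))
    print("stale history:", stale_history(SAMPLE_RECORDS, SAMPLE_HISTORY))
```

To run it against your own domain, replace the sample dictionaries with your current A records and the IP History output for each host; any hit in either result is a host worth reviewing.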

Knowledge Is Power

All of this is just the tip of the iceberg when it comes to enumerating and fingerprinting machines on the web. Everyone has their own methods, and there are many more tools, as well as custom manual techniques, for acquiring this information. That's one of the beautiful things about penetration testing: there are so many unique ways to come at any problem.

None of the things I've written about here are necessarily things you can protect against, as it is just information. However, in the right hands, people can take that information and turn it into a weapon. Things like a default Apache web page serve no business purpose or value when exposed to the public and present a risk. Because I am not conducting an assessment, there's very little more I could do without direct consent from the company in question. Companies should, however, use tools like these to be aware of just what they have out there.

Take some time today and do a quick assessment of your company's web footprint. You may be surprised by what you find.
