“Before anything else, preparation is the key to success” – Alexander Graham Bell
Whether you’re robbing a bank, breaking into a warehouse or ethically hacking a business for a penetration test, being prepared is key. An attacker’s first step is often gaining knowledge about their target.
The art of obtaining this knowledge is known as Reconnaissance or Recon.
Everything we do online leaves a digital trace. From posting holiday snaps on Instagram to standing up a cloud environment for our company, there is a silent and invisible virtual paper trail that can lead somebody (with the right tools) straight to your virtual door.
Reconnaissance in the context of cyber security testing takes advantage of this fact, with the aim of gleaning actionable information about a target. Most, if not all, of this information is available online from a variety of services and tools. Spyse hopes to make this collection process streamlined and easy for red teams and researchers alike.
Why do we need reconnaissance?
Without proper reconnaissance how does a would-be attacker know what their target looks like? Or what tools they need to be successful in their attacks?
An attacker worth their salt needs to discover some of the below information:
- Where is our target?
- What industry is our target in?
- How do we contact our target?
- What is our target’s online presence?
- What online services does our target use?
- Are there any outside vulnerabilities we can exploit?
- And more
The list goes on and on, but fundamentally without proper reconnaissance red teams are flying blind and perhaps bringing a knife to a gunfight.
A penetration tester may start an engagement with nothing more than a company name; this is known as a black-box test. It would be almost impossible to begin the attack without knowing where the front door is and what kind of virtual locks are on it.
First things first: the tester may start with a classic Google search to find basic publicly available information such as the company’s address, domain and industry.
From here an attacker could track employees on Facebook and LinkedIn to craft a relevant phishing campaign and attempt to social engineer staff.
Further to this, the budding penetration tester could use datasets such as DNS and WHOIS records, combined with more detailed web searches and port scans, to uncover technical detail about the target. Most, if not all, of this information is freely available online and can be unearthed with little effort; you just have to know where to look. This could mean running tools locally, querying the right online database, or something as simple as putting together the right Google search query (a “dork”).
Unfortunately, gathering data in this way can be time consuming and cumbersome. The analyst must pull data from many sources and collate it into one database or text file. This method is slow and old fashioned.
Spyse is a cyberspace search engine for penetration testers, OSINT practitioners and researchers alike, which allows its users to quickly and easily gather the information they need in one place.
Spyse allows its users to perform a detailed search on the following elements of a network:
- Domains & Subdomains: Rapidly understand where your target is publishing itself on the internet, and find unsecured subdomains without time-consuming manual wildcard searching.
- IP addresses and subnets: Use target IP addresses to scope out external networks. This is an excellent feed for pointing your vulnerability and port scanners in the right direction.
- Digital Certificates: In 2011 it was decided that Certificate Authorities would make certificate information transparent, in order to help protect people and computers from being fooled into trusting a system controlled by bad actors. These changes are standardized in X.509.
Attackers or red teams can use this transparency to their advantage by extracting fields from certificates and using them to find other assets affiliated with the target, or that use the same certificates. This is an excellent way of finding more pieces of the target’s network. The Spyse interface makes performing research against these certificates simple and intuitive and, of course, it happens in the same window as all of the other searches.
- Open Ports: Depending on the assignment, red teams probably want to get from the outside in. Knowing which ports are open can lead to exploitation and eventually a route into the network. Spyse allows users to easily check hosts for open ports and combine the output with the rest of its rich data in a clear and concise format. This process is much faster and more inconspicuous than traditional local port scanning.
- WHOIS Records: Looking up WHOIS records is an important step on the path to complete reconnaissance. Of course, Spyse covers this use case by allowing users to search WHOIS databases without the pesky CAPTCHAs or advertising that most other services impose. Discovering where your target’s domains are registered, or maybe even a registrant address, can be done here.
- Autonomous Systems: An AS is a group of IP address blocks under the control of one administrator or a number of administrators. Knowing which AS your target belongs to can help reveal large parts of its network and infrastructure, which of course is invaluable to any red teamer. Even if your target isn’t large enough to have its own AS, just knowing which AS it belongs to could help reveal information about the technology stack it uses.
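As an added example (not Spyse’s code or part of the original post), here is the certificate pivot described above, written against Go’s standard library: MakeCert builds constructed self-signed certificates that stand in for ones pulled from a CT log or search index, and AssetsByOrg groups the SAN host names by the Subject Organization field, which is how one known certificate points to an owner’s other hosts. The organisation and host names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert builds a constructed self-signed certificate naming one Subject
// Organization and a set of SAN DNS names (hypothetical data, not a real cert).
func MakeCert(org string, dns []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		DNSNames:     dns,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	// Round-trip through DER so the fields come from a real parse, as they
	// would for certificates fetched from a transparency log.
	return x509.ParseCertificate(der)
}

// AssetsByOrg pivots on the Subject Organization field: every SAN DNS name is
// credited to the organisation its certificate names, so the result maps each
// organisation to the set of host names its certificates expose.
func AssetsByOrg(certs []*x509.Certificate) map[string]map[string]bool {
	assets := map[string]map[string]bool{}
	for _, c := range certs {
		for _, org := range c.Subject.Organization {
			if assets[org] == nil {
				assets[org] = map[string]bool{}
			}
			for _, name := range c.DNSNames {
				assets[org][name] = true
			}
		}
	}
	return assets
}
```

Run over a batch of certificates from a CT log this gives a defender the same view an attacker gets: every host name a certificate has publicly tied to the organisation.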
Traditionally, penetration testers would have to collate all of this information manually from multiple tools, services and sites, all whilst waiting for scans to complete.
Spyse takes away this problem by having the required information already stored, which means the analyst can get almost instantaneous access to the right pieces of data when it matters.
The data can be saved and exported in multiple formats for easy digestion and use with other reconnaissance tools.