What are we looking for?
- Valid ASN for our target, netblocks in use for the organization's public-facing infrastructure, cloud presence and the hosting providers, DNS record entries, etc.
- Based on IP data, DNS, and site registrations. Who administers the domain? Are there any subdomains tied to our target? Are there any publicly accessible domain services present? (Mail servers, DNS, websites, VPN portals, etc.) Can we determine what kind of defenses are in place? (SIEM, AV, IPS/IDS in use, etc.)
- Can we discover the organization's email accounts, AD usernames, and even password policies? Anything that will give us information we can use to build a valid username list to test external-facing services for password spraying, credential stuffing, brute forcing, etc.
- For data disclosures we will be looking for publicly accessible files (.pdf, .ppt, .docx, .xlsx, etc.) for any information that helps shed light on the target. For example, any published files that contain
- Any publicly released usernames, passwords, or other critical information that can help an attacker gain a foothold.
Where Are We Looking?
- IANA, ARIN for searching the Americas, RIPE for searching in Europe, BGP Toolkit
- Domaintools, PTRArchive, ICANN, manual DNS record requests against the domain in question or against well-known public DNS servers, such as
- Searching LinkedIn, Twitter, Facebook, your region's major social media sites, news articles, and any relevant info you can find about the organization.
- Often, the public website for a corporation will have relevant info embedded. News articles, embedded documents, and the "About Us" and "Contact Us" pages can also be gold mines.
- GitHub, AWS S3 buckets and Azure Blob storage containers, Google searches using "dorks"
- HaveIBeenPwned to determine if any corporate email accounts appear in public breach data, and Dehashed to search for corporate emails with cleartext passwords or hashes we can try to crack offline. We can then try these passwords against any exposed login portals (Citrix, RDS, OWA, O365, VPN, VMware Horizon, custom applications, etc.) that may use AD authentication.
Finding Address Spaces
Address blocks assigned to an organization can be found with the BGP-Toolkit hosted by Hurricane Electric, which is searchable by ASN, prefix, or organization name.
Social media can clue us in to how the organization is structured, what kind of equipment they operate, potential software and security implementations, their naming schema, and more. Job-related sites like LinkedIn, Indeed.com, and Glassdoor are also worth checking, since job postings often list the exact technologies the organization runs.
Example Enumeration Process
A passive walk-through of the LEGALCORP.com domain, without performing any heavy scans. A first pass of lookups gives us:
- IP Address: 220.127.116.11
- Mail Server: mail1.LEGALCORP.com
- Nameservers: NS1.LEGALCORP.com & NS2.LEGALCORP.com
We can use viewdns.info to validate the IP address of our target. Both results match, which is a good sign. Next, let's take a different route, a direct DNS lookup, to validate the two nameservers in our results.
```
neutron@kali[/kali]$ nslookup ns1.LEGALCORP.com
Server:         192.168.186.1
Address:        192.168.186.1#53

Non-authoritative answer:
Name:   ns1.LEGALCORP.com
Address: 18.104.22.168

neutron@kali[/kali]$ nslookup ns2.LEGALCORP.com
Server:         192.168.86.1
Address:        192.168.86.1#53

Non-authoritative answer:
Name:   ns2.LEGALCORP.com
Address: 22.214.171.124
```
We now have two new IP addresses to add to our list for validation and testing. Before taking any further action with them, ensure they are in scope for your test.
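The in-scope check above is easy to get wrong when lookups are pasted by hand, so here is an added example (not part of the original notes) that parses the nslookup output shown above and compares every answered address against the scope list from the rules of engagement. The nslookup text is a constructed copy of the output above, and the scope ranges are hypothetical; in a real engagement they come from the client.

```python
import ipaddress

# Constructed sample: the two nslookup runs from above, pasted as captured.
NSLOOKUP_OUTPUT = """\
Server:         192.168.186.1
Address:        192.168.186.1#53

Non-authoritative answer:
Name:   ns1.LEGALCORP.com
Address: 18.104.22.168

Server:         192.168.86.1
Address:        192.168.86.1#53

Non-authoritative answer:
Name:   ns2.LEGALCORP.com
Address: 22.214.171.124
"""

# Hypothetical scope from the rules of engagement (assumed values for this example).
SCOPE = ["220.127.116.0/24", "18.104.22.0/24"]


def parse_nslookup(text):
    """Return {hostname: [ip, ...]} from nslookup output.

    nslookup prints the resolver it used as a Server:/Address: pair before each
    answer; those lines are the resolver, not a result, so they are skipped.
    """
    records = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Server:"):
            current = None            # resolver header follows; ignore its Address: line
        elif line.startswith("Name:"):
            current = line.split(None, 1)[1].strip().rstrip(".").lower()
            records.setdefault(current, [])
        elif line.startswith("Address:") and current:
            records[current].append(line.split(None, 1)[1].strip())
    return records


def check_scope(records, scope):
    """Map (hostname, ip) -> True/False for whether ip falls inside any scope network.

    ipaddress handles both IPv4 and IPv6 answers, so AAAA results are covered too.
    """
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in scope]
    result = {}
    for host, ips in records.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            result[(host, ip)] = any(addr in net for net in nets)
    return result


if __name__ == "__main__":
    for (host, ip), ok in check_scope(parse_nslookup(NSLOOKUP_OUTPUT), SCOPE).items():
        print(f"{host:25} {ip:18} {'IN SCOPE' if ok else 'OUT OF SCOPE - do not touch'}")
```

With the assumed scope, ns1 lands inside 18.104.22.0/24 and ns2 does not; anything flagged out of scope goes back to the client as a question before it is probed, since nameservers are frequently hosted by a third party that never agreed to be tested.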
LEGALCORP is a fictitious company, so there is no real social media presence. However, we would check sites like LinkedIn, Twitter, Instagram, and Facebook for helpful info if it were real.
Next, we look for any published documents. Using filetype:pdf inurl:LEGALCORP.com as a search, we are looking for PDFs hosted under the target's domain.
Using intext:"@LEGALCORP.com" inurl:LEGALCORP.com, we are looking for any string on the website that looks like the tail of a corporate email address. One promising result came up with a contact page.
Browsing the contact page, we can see several emails for staff in different offices around the globe. We now have an idea of their email naming convention (first.last) and where some people work in the organization. This could be handy in later password spraying attacks or if social engineering/phishing were part of our engagement scope.
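To turn the contact page into something usable, here is an added example (not from the original notes) that pulls the addresses out of a page, infers the naming convention from them, and then applies that convention to names gathered elsewhere (LinkedIn, job sites) to build a spraying list. The HTML fragment and the employee names are constructed for this example; the people are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a fragment of a "Contact Us" page (hypothetical content).
CONTACT_HTML = """
<ul class="staff">
  <li>John Smith, London office: <a href="mailto:john.smith@LEGALCORP.com">john.smith@LEGALCORP.com</a></li>
  <li>Maria Garcia, Madrid office: <a href="mailto:maria.garcia@legalcorp.com">maria.garcia@legalcorp.com</a></li>
  <li>Wei Chen, Singapore office: <a href="mailto:wei.chen@legalcorp.com">wei.chen@legalcorp.com</a></li>
  <li>General enquiries: <a href="mailto:info@legalcorp.com">info@legalcorp.com</a></li>
</ul>
"""

# Constructed sample: names collected from LinkedIn / job sites (hypothetical people).
EMPLOYEES = [("Alice", "Johnson"), ("Robert", "O'Neil"), ("Priya", "Natarajan")]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

# Conventions commonly seen in AD environments; the inferred one goes first when spraying.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first-last": lambda f, l: f"{f}-{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first.l": lambda f, l: f"{f}.{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
}


def extract_emails(html):
    """Return a sorted, de-duplicated, lower-cased list of addresses found in the page text."""
    return sorted({m.lower() for m in EMAIL_RE.findall(html)})


def infer_convention(emails, domain):
    """Guess the naming convention from the local parts of addresses at `domain`.

    Role accounts (info@, sales@) have no separator and would otherwise skew the
    vote, so only local parts with a recognisable separator count. Returns None
    when nothing votes, which is the cue to fall back to all conventions.
    """
    votes = Counter()
    for email in emails:
        local, _, dom = email.partition("@")
        if dom != domain.lower():
            continue
        if local.count(".") == 1:
            votes["first.last"] += 1
        elif local.count("_") == 1:
            votes["first_last"] += 1
        elif local.count("-") == 1:
            votes["first-last"] += 1
    return votes.most_common(1)[0][0] if votes else None


def _clean(part):
    """Normalise a name part: lower-case and drop apostrophes/spaces (O'Neil -> oneil)."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def build_usernames(employees, convention, domain, include_fallbacks=False):
    """Generate candidate addresses for each (first, last) pair.

    With include_fallbacks=True every convention in CONVENTIONS is emitted, the
    inferred one first. That is useful when the inference was weak, but a longer
    list means more attempts per account, so check the lockout policy first.
    """
    order = [convention] if convention in CONVENTIONS else []
    if include_fallbacks or not order:
        order += [c for c in CONVENTIONS if c != convention]
    out = []
    for first, last in employees:
        f, l = _clean(first), _clean(last)
        for c in order:
            user = CONVENTIONS[c](f, l)
            if user not in out:
                out.append(user)
    return [f"{u}@{domain.lower()}" for u in out]


if __name__ == "__main__":
    found = extract_emails(CONTACT_HTML)
    conv = infer_convention(found, "LEGALCORP.com")
    print(f"harvested: {found}\ninferred convention: {conv}")
    for candidate in build_usernames(EMPLOYEES, conv, "LEGALCORP.com"):
        print(candidate)
```

The list this produces is a starting point for validating accounts against an exposed service before any spraying, not for spraying directly: every unverified guess is a wasted attempt against the lockout threshold, and the page's earlier point about discovering the password policy is exactly what decides how many attempts per user are safe.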