Recently I had a client that was trying to "rein in" their wildcard certificate usage. They had given the same wildcard to their developers, their infrastructure team, security team, everyone really. Easy to solve you say? Sure, if you had a list of all of the public subnets they use - I could easily figure out what they own from arin.net, but not all the subnet address space they were "borrowing" from their various ISPs, let alone everything they had running in Azure, AWS and a few other clouds.

So, after the obvious list (which they already had), I started the fun part. First, I went to arin.net and got their actual subnets. Next, let's run the tool - the command line options are:

    root@kali:~# theharvester
    *******************************************************************
    -d: Domain to search or company name
    Examples:
    theharvester -d microsoft.com -l 500 -b google

Narrowing it down, let's pull just the hostnames and dump them to a file:

    theharvester -d customerdomain.com -l 500 -b bing -v -n | grep -v '@' | sed 's/\t/:/g' | cut -d ":" -f 2 | sort | uniq > domainhosts.in

Dissecting the line above: we're using bing, mostly because google is being picky about me having an API key today :-) The grep -v '@' drops the e-mail address lines, the sed turns the tab separator into a colon so that cut can pull out the second field (the hostname), and sort | uniq removes the duplicates.

Now we can assess the certificate in use on each host - the goal here is to collect the certificate in use on each site and its expiry date. NMAP does a decent job on this:

    nmap -p443 --open -iL domainhosts.in --script ssl-cert.nse | findstr "report after"

This assesses the certificates on each host, then reports back with the hostname being assessed and the expiry date of its certificate. I'm only checking port 443, but you can easily expand that of course - running it for the default port list or even all ports can often yield good results in a pentest or security assessment, for instance.

If for instance the domainhosts.in file looks like this:

    isc.sans.org

The output will be just the data we're looking for:

    Nmap scan report for isc.sans.org (204.51.94.153)

What other uses does theharvester have? If you are pentesting a client, it makes a nice collection engine to "find" internet-facing customer assets that maybe they didn't know they had, or maybe aren't protecting as well as they should (dev servers, every time). It also makes a nice "quick and dirty" tool to collect a baseline of email addresses for things like password spray attacks.
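Once nmap has produced the per-host certificate data, the client's real question is which hosts actually share the wildcard and how long it has left. The script below is an added example (not from this diary, nmap or theHarvester) that parses the ssl-cert script output, groups hosts by certificate SHA-1 fingerprint, and flags wildcard names and near-term expiry; the sample scan output is constructed in nmap's ssl-cert layout, and the host names, addresses and fingerprints are made up.

```python
import re
from datetime import datetime

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for www.customerdomain.com (203.0.113.10)
| ssl-cert: Subject: commonName=*.customerdomain.com/organizationName=Customer Inc
| Subject Alternative Name: DNS:*.customerdomain.com, DNS:customerdomain.com
| Not valid after:  2019-01-01T00:00:00
|_SHA-1: aaaa 1111 bbbb 2222 cccc 3333 dddd 4444 eeee 5555
Nmap scan report for dev.customerdomain.com (203.0.113.20)
| ssl-cert: Subject: commonName=*.customerdomain.com/organizationName=Customer Inc
| Subject Alternative Name: DNS:*.customerdomain.com, DNS:customerdomain.com
| Not valid after:  2019-01-01T00:00:00
|_SHA-1: aaaa 1111 bbbb 2222 cccc 3333 dddd 4444 eeee 5555
Nmap scan report for mail.customerdomain.com (203.0.113.30)
| ssl-cert: Subject: commonName=mail.customerdomain.com
| Subject Alternative Name: DNS:mail.customerdomain.com
| Not valid after:  2018-09-20T00:00:00
|_SHA-1: 9999 8888 7777 6666 5555 4444 3333 2222 1111 0000
"""  # constructed sample in nmap ssl-cert layout; hosts, IPs and fingerprints are made up

NAME_RE = re.compile(r"(?:commonName=|DNS:)([^/,]+)")  # names on the Subject and SAN lines
AFTER_RE = re.compile(r"Not valid after:\s+(\S+)")
SHA1_RE = re.compile(r"SHA-1:\s*([0-9A-Fa-f :]+)")

def parse_ssl_cert_output(text):
    """One record per scanned host: names the cert covers, expiry, SHA-1 fingerprint."""
    hosts, cur = [], {"names": []}  # throwaway record until the first host line
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            cur = {"host": m.group(1), "names": []}
            hosts.append(cur)
        elif line.startswith(("| ssl-cert: Subject:", "| Subject Alternative Name:")):
            cur["names"] += [n.strip() for n in NAME_RE.findall(line)]
        elif m := AFTER_RE.search(line):
            cur["not_after"] = datetime.fromisoformat(m.group(1))
        elif m := SHA1_RE.search(line):  # nmap prints the digest in groups of four hex digits
            cur["sha1"] = re.sub(r"[^0-9a-f]", "", m.group(1).lower())
    return [h for h in hosts if "sha1" in h]  # hosts without a cert block are dropped

def wildcard_usage(hosts, today, warn_days=30):
    """Group hosts by certificate fingerprint; flag wildcard certs and near expiries."""
    report = {}
    for sha1 in {h["sha1"] for h in hosts}:
        group = [h for h in hosts if h["sha1"] == sha1]
        days_left = (group[0]["not_after"] - today).days
        report[sha1] = {"hosts": sorted(h["host"] for h in group),
                        "wildcard": any(n.startswith("*.") for h in group for n in h["names"]),
                        "days_left": days_left, "expires_soon": days_left <= warn_days}
    return report
```

Feed it the unfiltered nmap output (without the findstr step) so the Subject, SAN and fingerprint lines are still present.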
Rob VandenBrink 579 Posts ISC Handler Sep 5th 2018 |