The most important first step to reduce your organization's attack surface is knowing what that attack surface actually looks like. You can't reduce exposure to something that you don't see or are unaware that it even exists.
That's why attack surface mapping is the first step in almost any penetration testing engagement. Doing reconnaissance on organizations to identify vulnerable targets is also exactly what a threat actor does when planning an attack.
The difference largely lies in time. Attackers can maintain a low profile if they spread out their activities over longer time frames, but penetration testers can usually only operate within a limited time frame, according to Andreas Georgiou, security consultant at Trustwave SpiderLabs and co-creator of AttackSurfaceMapper, a new open source cybersecurity platform for automating the attack surface mapping process.
Editor's note: This interview has been edited for clarity and length.
What is AttackSurfaceMapper?
Andreas Georgiou: AttackSurfaceMapper is a tool that aims to automate the reconnaissance process. It takes as input a single IP address, a single domain or a list containing a mixture of both. It then analyzes the target by using a set of passive and active reconnaissance techniques.
When we say 'active reconnaissance,' we mean that traffic will touch the targets. When we say 'passive reconnaissance,' we mean we use sources of information that will not actually link back to the user. Those kinds of sources of information include APIs, search engines, stuff that has already cached and stored that information. Instead of querying the target directly, we query those public APIs.
By doing that, we analyze those targets and then try to expand the attack surface. What that really means is that you end up with new targets to scan [and] new web applications to attack, usernames to brute force and credentials to spray over your target's services.
Does AttackSurfaceMapper use existing tools to do attack surface mapping tasks? For example, what do you use to map open ports?
Georgiou: One of the things we do is list the open ports; we do that using the Shodan API, so it's a passive module. We hook on the Shodan API, so you need a Shodan API key, and once we do that, we can find which ports are open and possible CVEs [Common Vulnerabilities and Exposures] to use on those open ports, as well as the location of the IP address you've scanned.
The tool starts with a domain name. You input a domain name, and then it finds the IP addresses related to the domain name. From those IPs, by using the organization name -- for example, bbc.co.uk -- you will find out that the organization name is British Broadcasting Corporation, and you will use another open API to search for IP addresses and IP address ranges and ASNs [autonomous system numbers] related to the BBC. This is how we expand the surface.
Then, it goes on to use other modules to do subdomain brute-forcing. We use a number of word lists -- some of them are short word lists, and some of them are longer. We use a really long word list provided to us by Assetnote [a Brisbane, Australia-based cybersecurity company], which used Google data to basically query the whole internet and create the top half-million subdomains. We also use VirusTotal, which is another public API, to query known subdomains already registered with a domain.
But the power of the tool comes from the recursiveness. All this information will be fed back into the tool once a new target has been discovered, and the whole range of modules will run again and again.
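As an added illustration of the recursive expansion just described (example code written for this article, not AttackSurfaceMapper's own source), the loop below feeds each newly discovered target back through a set of passive and active modules until no module yields anything new, with a stealth flag that runs only the passive modules. Every lookup table is constructed sample data standing in for the public sources the tool queries (DNS, WHOIS, netblock lookups, VirusTotal-style subdomain lists); nothing here touches the network.

```python
from collections import deque

# Constructed sample data standing in for the public sources the tool queries
# (DNS, WHOIS, ASN/netblock lookup, VirusTotal, reverse-host lookups).
DNS = {"example.org": ["198.51.100.10"], "mail.example.org": ["198.51.100.20"],
       "dev.example.org": ["203.0.113.5"], "vpn.example.org": ["198.51.100.30"]}
WHOIS_ORG = {"example.org": "Example Org", "dev.example.org": "Example Org"}
ORG_RANGES = {"Example Org": ["198.51.100.0/24"]}
KNOWN_SUBDOMAINS = {"example.org": ["mail.example.org", "dev.example.org"]}
REVERSE_HOSTS = {"203.0.113.5": ["dev.example.org", "staging.example.org"]}
WORDLIST = ["www", "mail", "dev", "vpn"]  # constructed short brute-force list

def dns_lookup(domain):          # passive: answers come from cached records
    return [("ip", ip) for ip in DNS.get(domain, [])]

def org_ranges(domain):          # passive: WHOIS org name -> netblocks/ASN ranges
    return [("range", r) for r in ORG_RANGES.get(WHOIS_ORG.get(domain), [])]

def known_subdomains(domain):    # passive: VirusTotal-style list of seen subdomains
    return [("domain", s) for s in KNOWN_SUBDOMAINS.get(domain, [])]

def reverse_hosts(ip):           # passive: hostnames a third party has seen on an IP
    return [("domain", h) for h in REVERSE_HOSTS.get(ip, [])]

def bruteforce_subdomains(domain):  # active: probes the target's own DNS zone
    return [("domain", f"{w}.{domain}") for w in WORDLIST if f"{w}.{domain}" in DNS]

# (input target kind, passive?, module function); expand mode would add longer lists
MODULES = [("domain", True, dns_lookup), ("domain", True, org_ranges),
           ("domain", True, known_subdomains), ("ip", True, reverse_hosts),
           ("domain", False, bruteforce_subdomains)]

def map_surface(seeds, stealth=False):
    """Feed every discovered target back through the modules until no new
    target appears. stealth=True skips active modules, as the interview's
    stealth mode does. Targets are (kind, value) tuples."""
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        kind, value = queue.popleft()
        for in_kind, passive, module in MODULES:
            if in_kind != kind or (stealth and not passive):
                continue
            for target in module(value):
                if target not in seen:  # de-duplication is what makes it terminate
                    seen.add(target)
                    queue.append(target)
    return sorted(seen)
```

Running `map_surface([("domain", "example.org")])` on the sample data grows one seed into 10 targets, including a staging host reachable only via the IP of a subdomain found two hops away; with `stealth=True` the brute-forced vpn host and its IP are never found, leaving 8.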
Why did you develop AttackSurfaceMapper?
Georgiou: We wanted something easier to use. There are a number of other reconnaissance frameworks out there, but you need to specifically load each module and configure them. With AttackSurfaceMapper, you just need a target, and the tool will load all the modules and run them automatically.
Our target group is not penetration testers and highly skilled security specialists. We want the people actually in the security teams of those organizations to download the tool -- that's why it's open source -- and run it against their companies' domain names and attack surface in an effort to discover the security posture of their information assets.
For example, one of the outputs of the tool will be credentials from past breaches. If you're running against your company domain, you'll be able to identify whether your company had domains, corporate email addresses or credentials previously included in a past data breach found on the internet.
We use the We Leak Info API, which provides the service using ElasticSearch, which is really fast and really useful for not only a penetration test, but for a security team to know that those passwords are already out there so they can ban them and remove them from the database.
Is AttackSurfaceMapper something you would use if you're not technically adept enough to use something like Mitre ATT&CK or Metasploit?
Georgiou: Well, it's different. It runs faster; if expand mode is disabled, it will run much faster. The configuration of those tools is much harder. That doesn't mean someone who is not specialized cannot run those tools; it just means you need more time. Unlike the attackers, in a penetration test, we have a limited window to test an organization. It's really important to finish the reconnaissance phase and move on to the next phases, like exploitation, which are actually the main part of an engagement. Saving time is crucial for a test.
You mentioned that it's open source. Would attackers also find AttackSurfaceMapper helpful for their efforts?
Georgiou: AttackSurfaceMapper is a tool; anyone can use it how they want to. From our past experience, we already know that the bad guys have this kind of software -- and maybe even more advanced software. What we are trying to do is level the field by providing this knowledge to the public and raise awareness that this kind of information is open source. What we do is we bring together pieces of information and generate intelligence.
I expect people to run it and find out the vulnerabilities against their organizations. This is how we'll raise awareness. If we hide [these] kind of tools and don't release them to the public, we shouldn't assume that the attackers don't have it. We should assume that they already have it; we just don't know about it.
How certain are you that attackers have similar tools for attack surface mapping?
Georgiou: We're sure because we've seen it from the kind of skills they have. I've seen high-skill, advanced threats use open source intelligence. For example, one common attack is to take a data breach with usernames and passwords and spray them against a well-known service, like Uber.com, and if they find one of the compromised accounts hasn't changed passwords, then they'll get access. This is a pretty simple, common attack, but if you don't know that one of your employees has his or her password in a data breach, you wouldn't be able to take security control measures against it.
Using AttackSurfaceMapper, you can use your organization's domain as a target and then give a list of known data breaches and known usernames and passwords.
What are some of the modules available in AttackSurfaceMapper?
Georgiou: We have the stealth mode -- you can run in stealth mode, and then the tool will only use the passive modules to run against the target. If you use the expand mode, that will take more time, but you will use bigger word lists and more aggressive expansion of the attack surface.
We have one module called subhunter, which is one of the most important of this project because it handles the entire discovery process for subdomains. It uses two different techniques: The first one queries VirusTotal to discover known subdomains, and the second one is a custom word list.
The linkedinner module attempts to search for LinkedIn accounts for each primary domain that is provided. It will display organization name from a whois query and then try to log in to the LinkedIn social network and scrape employees' names and surnames. Combined with the Hunter IO API, we can get the email syntax pattern. If we combine the known names of the employees with the email syntax pattern, we can generate a list of possible usernames.
For example, Trustwave's email address pattern is first initial and surname, so I'm "[email protected]." If we find employees on LinkedIn and then match their names with the email syntax pattern, we can generate possible usernames and use that list to brute force an organization's service.
We have a screen capture module which will go on the target and take screenshots on each target IP address and each domain and subdomain. The user can visually identify which of those subdomains or IP addresses may contain some interesting targets, like administration portals or some backup files that were left on the target.
The buckethunter module uses the Grayhat Warfare API to find AWS S3 [Simple Storage Service] buckets related to the target.
The hosthunter module finds host domains for each IP address. When you try to access an IP address directly, you might not be able to access a web application on that address. A colleague of mine tested an IP address looking for web applications, and he didn't find anything, but once he used hosthunter, he found a virtual hostname for that IP address. He accessed the IP address using the virtual hostname and discovered a web application server sitting there that was vulnerable to SQL injection. Using that information, he compromised the computer and accessed the internal network.
This shows the power of good reconnaissance. With good reconnaissance, you will be able to get better results. That's why good reconnaissance is the first, most essential piece of every engagement.