The Power of Information Gathering
Hi there, my name is Florian Kunushevci. I am a 19-year-old ‘Security Researcher’ from Kosovo. In this article I will talk about something really interesting, and the most important thing that you should learn when you want to join the family of ‘Security Researchers’.
The first thing that I personally do when I want to find vulnerabilities in a company is ‘Information Gathering’. What exactly does this mean?
Let’s take an example: you are a ‘Tiger’ in a jungle, and many tigers are trying to attack the prey; some of them succeed and some of them fail to achieve the goal. The tigers that succeeded planned their attack on the prey differently from the others: they gathered information and calculated the best moment to launch the attack.
In our way of thinking we should think like Tigers. This means that “our way of thinking should be built so that we gather as much information as possible about the prey before we start the attack”. In our world the prey is the company, or whoever we want to research for vulnerabilities. We cannot find bugs if we don’t know what we are looking at. If we only learn to immediately copy-paste things that we have learned, we are working like most other security researchers, which means we are going to face a duplicate, or we are going to have to get lucky.
Avoiding duplicates through perfecting Information Gathering.
If you change your way of researching from just an easy technique or a vulnerability that you have used before, you will be able to find vulnerabilities worth 1k to 10k or more, depending on the severity of the vulnerability and how much the company pays.
This way of thinking will get you to places that nobody has entered before, and this gives a good probability of finding vulnerabilities and being rewarded for them.
Two things that are important are:
- More Sub-domains + Servers = Better probability of finding bugs.
If we take for example eset.com, which is the company ‘ESET AntiVirus’:
This domain has the IP address 188.8.131.52
We check this server through whois using: whois 184.108.40.206
We will get some basic information about ESET.
Inetnum means that the range 220.127.116.11–167.255 belongs to the netname, or company, SK-ESET-NET, and the servers in this range can have ports 8080/80/443 or other ports that we are interested in researching. So the probability of finding a vulnerability gets higher.
For example, just 18.104.22.168 has 255 available hosts to research; if we count 164–167 we have 1020 hosts. Each of those hosts might represent a server that has a group of sub-domains, which means more sub-domains to scan, but don’t forget to look at the server itself as well.
If for example we have an IP address, there are many ways to find the sites hosted on it, but the two things that I use are bing.com and https://www.yougetsignal.com/tools/web-sites-on-web-server/, and they are not 100% accurate.
Let’s take for example the IP address 22.214.171.124 and use it on bing.com: by searching IP:126.96.36.199 on the search engine you will find sub-domains:
Sometimes servers end up hosting 3 or 4 sub-domains or domains, and this also boosts our probability of finding something.
Let’s say for example you have an IP address and Bing fails to show you the domain of that IP address; sometimes there is a list of sub-domains inside the HTTPS certificate. This method is not 100% correct, but in most cases it works.
Let’s take 188.8.131.52: if we open this address in a browser we get 403 Forbidden. If we go to https://184.108.40.206 it will say ‘Privacy Error’ in Chrome, or ‘Your connection is not secure’ in Firefox. From there, if we click Advanced, we find a sub-domain: “The certificate is only valid for mail.sk.eset.com.”
If we ping mail.sk.eset.com we get 220.127.116.11. In some cases the certificate might show a list of sub-domains on different servers, and this also boosts our probability of finding bugs.
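To make the whois-range step and the certificate step above reproducible offline, here is an added example (my own code, not from the article): it parses a RIPE-style inetnum line into CIDR blocks and an address count, and pulls the CN and SAN hostnames out of a certificate in the shape Python’s ssl.getpeercert() returns. The whois excerpt, the EXAMPLE-NET name and the example.com hostnames are constructed samples; fetch_cert only assumes the Python standard library.

```python
"""Recon helpers: turn a whois 'inetnum' line into the address blocks it
covers, and pull every hostname out of a TLS certificate, the way the
browser error text above reveals one. Added example, not the author's code."""
import ipaddress
import re
import socket
import ssl

# Constructed whois excerpt in the RIPE format the article quotes, using the
# RFC 5737 documentation range instead of a real company's addresses.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          constructed sample
"""

# Constructed dict in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}

def parse_inetnum(whois_text):
    """Return (netname, CIDR blocks, address count) for the inetnum line."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.M)
    if not m:
        raise ValueError("no inetnum line found")
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    name = re.search(r"^netname:\s*(\S+)", whois_text, re.M)
    blocks = list(ipaddress.summarize_address_range(first, last))
    return name.group(1) if name else None, blocks, int(last) - int(first) + 1

def hostnames_from_cert(cert):
    """Collect the subject CN and every DNS SAN; wildcards are kept as-is."""
    names = set()
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    names.update(v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return sorted(names)

def fetch_cert(ip, port=443, timeout=5):
    """Fetch the parsed leaf certificate from ip:port, as the browser does.
    Hostname checking is off because we connect by IP, but chain verification
    stays on: with CERT_NONE, getpeercert() returns {} and nothing is learned."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()
```

Feed fetch_cert’s result to hostnames_from_cert to get the same sub-domain the browser warning showed, plus any SAN entries the warning text omits.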
One other important thing when researching is ‘Imagination’. This means creating your own way of doing things in an easy and efficient way. By this you think differently from the other researchers who already checked.
The art of Hacking is not learning new techniques, but learning how to use those techniques in a creative way. And creativity cannot be learned; it is inside you when you are born, or it isn’t.
Other ways of researching:
If for example we take censys.io and research eset.com, you will find a list of sub-domains and servers that you can use.
For example: for 18.104.22.168 you will see in the certificate’s Common Name (CN) that it belongs to *.eset.com, and based on that information we assume this server might belong to them.
Of course this is not 100% accurate, but it helps you boost the probability.
Other ways of researching:
If we take urlscan.io and search for eset.com, we can find information related to eset.com that we can use later: https://urlscan.io/domain/eset.com
If we take CertDb, you can also see more new information about the target: https://certdb.com/domain/eset.com
A lot of sub-domains can also be found through https://www.threatcrowd.org/domain.php?domain=eset.com
This is also not 100% accurate, but it helps you boost the probability.
Rather than only working manually and seeing things with my own eyes, I also use tools. This is the list of tools that I personally use:
- Sublist3r (github.com/aboul3la/Sublist3r): fast subdomain enumeration tool for penetration testers.
- dnssearch (github.com/evilsocket/dnssearch): a subdomain enumeration tool.
- ct-exposer (github.com/chris408/ct-exposer): an OSINT tool that discovers sub-domains by searching Certificate Transparency logs.
- knock (github.com/guelfoweb/knock): Knock Subdomain Scan.
I hope that you learned something new, and sorry if I have made any technical mistakes along the way. Suggestions would be awesome.
The result of the work using the same methodology: