Thailand’s Attack Surface (Part One)

Hellfire Security
3 min read · Dec 14, 2022


The above image is a good representation of an organization’s attack surface (or a country’s, for that matter). We often hear only about the perimeter, but there is much more. The rest may normally be the domain of spies, thieves, and scammers, but it is there nonetheless. We will begin this series by talking about the perimeter, and we will eventually look beneath the surface when the time comes: first and foremost because there are many other ways to attack that can be found there, but also because in order to launch an effective attack, we need to consider all angles. An effective attack is a multi-step process involving many different attack vectors, and those steps and vectors must be cobbled together from the entire attack surface. For the time being, though, we will take a look at the perimeter. It is easily reached, it can be reached by anyone, and it makes a big splash on the front pages because it is easy to make a personal connection. That being the case, it also makes a good place to start our discussion.

Thailand’s Perimeter

Our ultimate goal is addresses, and there are many different ways to get them. The easiest is a public record with our target’s name on it. For that, we look at BGP prefixes: which prefixes advertised via BGP are associated with Thailand? A good database of those prefixes can be found at Hurricane Electric. However, that won’t get you all of those addresses. Many addresses in use by Thai entities are not located in Thailand, such as those in use in the cloud or at a co-location facility, neither of which would necessarily be located in Thailand. This is where DNS comes in handy.

Thai organizations (or entities) have domains. Those domains can be identified through search engines. Each domain represents a zone. The records in those zones can be guessed using curated lists of potential system names. Each successful guess will identify an address in use by Thailand. Sites like VirusTotal will have some of these records, as they have already acquired many via PassiveDNS. PassiveDNS always makes a nice addition to any collection. It is true that some of these records will point to the address space identified using BGP, but many more will point to the cloud and to co-location.
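Seen from the defender's side, the same two data sources reconcile an asset inventory: which of your own DNS names resolve inside the prefixes you advertise, and which live in cloud or co-location space that a prefix-based view would miss. The sketch below is an added example, not code from the original post; the prefixes, hostnames and addresses are constructed from documentation ranges, and `classify` and `coverage_ratio` are hypothetical helper names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation ranges from RFC 5737 / RFC 3849).
ADVERTISED_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48"]
DNS_RECORDS = [
    ("www.example.test", "192.0.2.10"),
    ("mail.example.test", "198.51.100.20"),
    ("vpn.example.test", "198.51.100.200"),   # same /24, but outside the advertised /25
    ("shop.example.test", "203.0.113.5"),     # hosted with a third party
    ("api.example.test", "2001:db8:10::25"),
    ("cdn.example.test", "2001:db8:ffff::1"),
    ("old.example.test", "not-an-ip"),        # malformed export row
]

def classify(records, prefixes):
    """Split DNS answers into covered-by-prefix, outside, and invalid."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    report = {"covered": defaultdict(list), "outside": [], "invalid": []}
    for name, value in records:
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            report["invalid"].append((name, value))
            continue
        # Longest-prefix match among networks of the same IP version.
        matches = [n for n in nets if n.version == addr.version and addr in n]
        if matches:
            best = max(matches, key=lambda n: n.prefixlen)
            report["covered"][str(best)].append(name)
        else:
            report["outside"].append((name, str(addr)))
    return report

def coverage_ratio(report):
    """Fraction of valid records that a prefix-only inventory would see."""
    covered = sum(len(names) for names in report["covered"].values())
    total = covered + len(report["outside"])
    return covered / total if total else 0.0

if __name__ == "__main__":
    result = classify(DNS_RECORDS, ADVERTISED_PREFIXES)
    for prefix, names in sorted(result["covered"].items()):
        print(f"{prefix}: {', '.join(names)}")
    for name, addr in result["outside"]:
        print(f"outside advertised space: {name} -> {addr}")
    print(f"prefix-only coverage: {coverage_ratio(result):.0%}")
```

Names in the `outside` bucket are the ones that need an owner and a scanning scope recorded separately, since they will not appear in any prefix-based sweep.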

Now, this is a lot of work. We did this work, but there are other ways to do it. They don’t produce the quality of results that you need to identify all the systems (and remediate the issues found there), but they do give you an idea of the work that lies ahead of us.

Superficial View of Thailand’s Perimeter

The first of the techniques that can be used to get an idea of the work ahead is Google Dorks. Google dorking, also called Google hacking, is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using.

The second of the techniques that can be used to get an idea of the work ahead is a Shodan search. Shodan is a search engine that lets users search for various types of servers (webcams, routers, servers, etc.) connected to the internet.

Both of these search engines are constantly scanning the Internet, collecting data, collating it, and making it available for use. That is it for this blog post. In the next blog post, we will talk about what you can find with Google Dorks. Hopefully, we’ll see you there.
