“If you know the enemy and know yourself, you need not fear the result of a hundred battles…”
– Sun Tzu , The Art of War
Intelligence gathering, an art that is perfectly described by Sun-Tzu, is the key to achieve victory against an opponent. In cybersecurity, our opponent would be the client of a penetration test. Yet, we still restrict ourselves to limitations we hold for ethical reasons.
Considering that the scope of our job is the domain “client.com”, and everything else beneath it, we have to start by knowing the “opponent”. And what is a better way of knowing our opponent than acknowledging all the client’s online data? Acknowledging all his assets, networks, IP ranges, office addresses, number of employees, and many other details you could discover?
When traditional attacks fail, you have to try some conventional social engineering techniques. The more assets you discover, the bigger your chances are of finding a breach, or a human error. The vast majority of companies have external accessible assets. Their list of assets can involve CRMs (that are critical for any business that has a sales department), the Atlassian suite, health monitoring web applications like Zabbix, webmail clients and the list could go on forever.
Any small or medium sized company that owns a domain will usually have at least 1 subdomain. A “www.client.com” that’s usually an alias of the main “client.com” A Record. However, some companies have DNS records that can hold around 50, 100, or more subdomain records. That number would not matter in cybersecurity if it would not mean that any of those sub-domains could represented a potential breach point.
The bigger the company, the more assets it owns. And the more assets a company owns, the more human errors it will have. That is why an attack will always start with intelligence gathering, especially with the DNS sub-domain enumeration.
When my colleague, Efrén Díaz, flawlessly exposed the possibilities of unmasking domains and sub-domains that hide behind a CDN/DDoS protection service in his latest article, he showed that there are passive and active ways to perform this operation.
However, if a subdomain was activated under a CDN/DDoS protection service after its immediate creation, passive reconnaissance techniques will fail. So for this case, we need to use active reconnaissance techniques and propose sub-domain DNS brute-forcing.
Through its Development Labs Division, Open Data Security developed a Fast Subdomain Scanner (FSS). FSS is a tool that uses asynchronous requests over non-blocking sockets to perform the world’s fastest sub-domain brute-forcing. The tool is coded with the latest Php7.1 engine.
The comparison of the enormous speed difference between FSS and the most popular subdomain bruteforcing tools available, is available to watch on the following screencast.
Recently, a Zero-Day exploit affected Apache Struts, along with the Java-based applications that were using it, and literally destroyed the world server map with its simple use and serious impact.
While we all know that it’s almost impossible to stop a Zero-Day in its path, it’s recommended that a company should always have a preemptive policy. The preemptive policy would exist in regards to the exposure of its assets on the Internet.
Some big names were proven to be vulnerable to the Struts RCE (CVE-2017-5638). But what made Struts even more lethal was the simplicity of finding vulnerable targets. Part of this discovery was made by using the famous Google dork “inurl:”struts” filetype:action” (dork = specially crafted Google search query to point to exploitable assets of a certain vulnerability).
But this was not the only way of getting vulnerable targets.
On the 10th of March, 2017, Atlassian, the developing company of one of the biggest business software suites in the world, the Atlassian Suite, published a Security Advisory admitting that the Struts CVE-2017-5638 vulnerability is affecting some of their versions of Bamboo (Atlassian´s continous integration-CI and deployment server), and a few other tools in their suite in their various versions. This gave birth to another vector of potential breach, using subdomain enumeration techniques, and more precisely, looking for subdomains “bamboo.[client].com”, “hipchat.[client].com”; basically “[any-tool-affected-by-struts-cve].[client].com” of a target domain to obtain potential vulnerable assets.
What Are The Best Ways To Defend Your Company?
Use Uncommon Names
Protection from subdomain bruteforce is always a hard task, if not an impossible one.
Since these kind of attacks use a dictionary based bruteforce technique, the protection measures are similar to the measures implemented for password protection against bruteforcing. Thus, it’s recommended to use uncommon names when choosing a subdomain name, and try to make the attacker’s job as hard as possible.
We’ve already seen that “bamboo.client.com” would not be the best choice for an externally exposed corporate Bamboo server, so we could still use “bamboo[random 5 digits number].client.com”. This would make a dictionary attack less likely to happen. Additionally, this would still allow the employees using the asset from the Internet to remember the asset’s URL.
Obviously, this is not a magic bullet solution. The reason is that the bigger the dictionary used in the subdomain bruteforcing operation, the more chances an attacker will have to discover the asset’s A Record.
The use of a CDN/Ddos protection service like Clouflare is always recommended.
In the example of Cloudflare, when creating an A Record that contains a new subdomain, which corresponds to a hostname in the Cloudflare DNS management interface, be sure that the icon representing a cloud and a grey arrow is orange before adding the record. This means that the traffic from the recently created hostname will go through Cloudflare immediately after it’s created.
No passive reconnaissance sources, like dnsdumpster.com, will ever expose the real IP of the created machine from DNS records. This will help you mitigate direct IP attacks like SSH bruteforcing, heartbleed exploiting, or any other vulnerability that your server might suffer from.
Try to use a CDN that offers a WAF (Web Application Firewall) service. Web Application Firewalls are tools designed to counteract web attacks, by applying filtered rules to the HTTP queries sent to the server.
Unfortunately, a WAF is only as good as its rules are. Zero-Day exploits are rarely detected by such a tool, and there are plenty of WAF bypassing techniques that make active rules useless during an attack.
Use Honeypots for active defense
Aimed at gathering active defense intelligence, the use of honeypots in a corporate environment is becoming more and more popular everyday.
The principle is simple. Create hosts that are extremely attractive to potential attackers (accounts.client.com, it.client.com, paymentgw.client.com, etc.), but in reality, place the non-critical machines in a network that is completely isolated from the company’s production environment. To retrieve information about potential attackers, their reasons for attacking, and lots of other data that will help a company develop counter-attack strategies and better protection mechanisms. A great compilation of such tools resides in the Github repository https://github.com/paralax/awesome-honeypots.
Use Special Corporate Protection Services
The measures mentioned above will limit the exposure and the frequency of attacks against your corporate infrastructure. But once the targeted subdomain is discovered by an attacker, especially if we are referring to a server that is running a web based application, those measures won’t be enough to protect your company from getting attacked.
Open Data Security developed Wolf-Ray, a cloud service exclusively designed to counter web application attacks, while keeping a high availability of the services that it protects for the legitimate user. With its simplicity, continuous code, infrastructure audits and its elastic architecture design, Wolf-Ray creates a solution that’s difficult to exploit with known or Zero-Day attacks.
- Crysis, a dangerous ransomware that is infecting companies right now - January 10, 2018
- How to protect your business from brute-forcing subdomains attacks - June 13, 2017
- Hackers, from technological evolution pillars to governmental weapons - January 3, 2017