Title: Scanning the Internet for External Cloud Exposures via SSL Certs Presenter: Rizwan Syed Event: BreachForce CyberSecurity Cohort Talk Date: 21st April 2024 In this presentation, Rizwan Syed dives deep into the process of scanning the internet for external cloud exposures using SSL certificates. The slides cover the methodology and tools employed in identifying potential vulnerabilities in cloud environments. Explore real-world examples and case studies illustrating the importance of SSL certificate monitoring in ensuring robust cloud security. From understanding the significance of SSL certificates to practical techniques for scanning and remediation, these slides offer valuable insights for cybersecurity professionals seeking to safeguard their organization's cloud infrastructure.

1. Scanning the Internet for
External Cloud
Exposures via SSL
Certs.
Rizwan Syed
@_r12w4n
breachforce.net

2. About Me
Consultant - Cyber Risk Advisory @ Deloitte
Certified Red Team Professional - CRTP
Penetration Tester | Offensive Cyber Security Enthusiast
2

3. Attack Surface
Attack Surface Monitoring (ASM) refers to the
proactive and continuous process of
identifying and assessing an organization's
external-facing assets, vulnerabilities, and
potential points of entry for cyber threats.
3

4. You can’t secure what you don’t know.
Exploring ASM 4

5. External Attack Surface Management in Red Teaming
5

6. Presentation title 20XX 6
https://breachforce.net/scrape-cloud-for-ssltls-certificate

7. Challenges
20XX 7
As a red teamer, it is difficult to find all of an organization's apps in the cloud if
they are not advertised.
Application are often developed on the cloud, while public to the internet.
"Ephemeral" cloud hosted applications are sometimes brought online to do small
things and then go offline. They have bugs
Reference Talk Title: CloudRecon finding ephemeral assets in the cloud – CloudVillage
By Gunnar Andrews & Jason Haddix
Link: https://youtu.be/vWRvczG7Fvc

8. 8
https://github.com/lord-alfred/ipranges/

9. 9
https://kaeferjaeger.gay ~ @schniggie

10. 10
https://kaeferjaeger.gay/?dir=sni-ip-ranges

11. 11
https://github.com/mr-rizwan-syed/kaefer-g

12. 12

13. 13

14. 14
https://breachforce.net/external-recon-1#heading-unveiling-the-apexroottlds-with-crtshhttpcrtsh-and-reverse-whois

15. 15
https://github.com/g0ldencybersec/CloudRecon

16. DigitalOcean Droplet VPS
16

17. 17

18. 18

19. 19

20. Extracting Data
20
# cat 20042024-ssl-scrape.json | grep '.uber.com' | jq –r .
# cat 20042024-ssl-scrape.json | grep '.uber.com' | jq –r .commonName | anew
# cat 20042024-ssl-scrape.json | grep '.uber.com' | jq –r .ip | anew
# cat 20042024-ssl-scrape.json | grep 'Uber Technologies, Inc.' | jq -r .ip | cut -d : -f1 | awk "{print "https://" $0}"
| anew uber-ssl-ip-urls.txt
# cat 20042024-ssl-scrape.json | grep 'Uber Technologies, Inc.' | jq -r .commonName | anew uber-domains.txt
# wget https://raw.githubusercontent.com/mr-rizwan-syed/Red-Team-Resources/main/tldextractor.py
# python3 tldextractor.py uber-domains.txt
# cat uber-ssl-ip-urls.txt | httpx -title -sc -td

21. Nuclei Template Spray Scan
21
# nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t git-config.yaml -stats -stream -elog errors.txt -o git-nuclei-scan.txt
# nuclei -rl 0 -bs 10000 -l target-ip-urls.txt -t dotEnv.yaml -stats -stream -elog errors.txt -o dotEnv-nuclei-scan.txt
Reference: Mass Scanning with Nuclei
Strategy Template Spray Host Spray
Description
Scans multiple targets with one template at
a time
Scans one target with all templates at a
time
Approach Stealthy mode Focused mode
Target Selection Multiple targets Single target
Load Distribution Distributed load across multiple targets Concentrated load on a single target
Speed Maintains scanning speed
May slow down if target is unresponsive or
busy

22. Nuclei Template Spray Scan
22

23. 23

24. Mapping Nuclei Results with commonName
24
# wget https://raw.githubusercontent.com/mr-rizwan-syed/Red-Team-Resources/main/rancho.sh

25. Mapping Nuclei Results with commonName
25

26. Scanning the Whole Nation for Exposures via SSL Certs.
26
# # https://github.com/ip2location/ip2location-python-csv-converter
ip2location-csv-converter -range -replace IP2LOCATION-LITE-DB1.CSV IP2L-DB.NEW.CSV
# wget https://raw.githubusercontent.com/lord-alfred/ipranges/main/all/ipv4_merged.txt
# cat IP2LOCATION-DB1.NEW.CSV | grep '"US"' | csvcut -c 1,2 | tr ',' '-' | mapcidr -a > US-CIDR.txt
# grep -v -F -f ipv4_merged.txt US-CIDR.txt > US-CIDR-NO-CLOUD.txt

27. 27

28. Resources / References
28
• CloudRecon finding ephemeral assets in the cloud
https://youtu.be/vWRvczG7Fvc
• ToolTime - Cloud Recon 1
https://youtu.be/7hKEfF-yR1w
• Tool Time SSL Certificate Parsers
https://youtu.be/dgEwPXQKqlU
• Certificate Parsing with domain-recon
https://ervinszilagyi.dev/articles/certificate-parsing-with-domain-recon
• Recon Methods Part 2 – OSINT Host Discovery Continued
https://redsiege.com/tools-techniques/2020/02/recon-methods-part-2-osint-host-discovery-continued/#SSL_Certificate_Search
• How To Scan AWS's Entire IP Range to Recon SSL Certificates
https://www.daehee.com/scan-aws-ip-ssl-certificates/
• Catch Me If You Can - Shubham Shah & Michael Gianarakis at 44CON 2018
https://youtu.be/C85ZOJgufuw
• External Reconnaissance Unveiled: A Deep Dive into Domain Analysis
https://breachforce.net/external-recon-1
• Scrape Cloud for SSL/TLS Certificate
https://breachforce.net/scrape-cloud-for-ssltls-certificate
• Mass Scanning with Nuclei
https://docs.projectdiscovery.io/tools/nuclei/mass-scanning-cli#understanding-how-nuclei-consumes-resources

29. Thank You
Rizwan Syed
github.com/mr-rizwan-syed
twitter.com/_r12w4n
linkedin.com/in/r12w4n/
BreachForce.net
20XX 29