External Active Directory Recon
External Active Directory reconnaissance is about collecting data that can be leveraged later in our attack. As with other forms of recon, the work that we do may prove essential at any other point in an engagement. We’re looking to understand as much as possible about the target, including what platforms, technologies, and defenses may be in place, as well as gather specific information including but not limited to:
- Usernames
- Email addresses
- Company structure
- Employees
- Departments
- Breached data
- Technologies used
- Who owns what infrastructure (e.g. what resources are self-hosted and which are hosted in the cloud, SaaS, PaaS, etc)?
Most methodologies teach that recon should start as passive as possible and become more active over time. The goal is to obtain and digest as much useful information as possible. As such, before scanning any targets we may rely on third-party resources to provide data such as whois, dns, and ports. This allows us to learn about the target without actively engaging, and is therefore a completely silent way of performing recon.
Company Websites
There’s a ton of information that can be gleaned from websites, search engines as well as social media.
Many companies have websites that offer a ton of information. We can learn about its platforms and gather employee information, email address format and valid email addresses, etc. Company websites may also be hosting files that may be of value. We may be able to find links to cloud-based assets such as S3 buckets hosting images.
SSL certificates that we find for company sites can also be extremely helpful, and they can point us to other company owned domains or subdomains.
Social Media
It almost doesn’t need to be said, but social media is a powerful source of information. Many companies have their own social media profiles, and we can easily get information about the company, find employee profiles, get departmental information, etc. This information can be used to generate lists of potential usernames or email addresses, and these lists should be cross-checked for historically breached data.
Publicly available data on social media sites can also facilitate improved phishing attacks.
DNS, IP, and Whois
There are a plethora of websites providing free DNS, IP, and whois information. While this information should be verified, it can be very helpful for recon, as it requires no direct interaction with a target.
Hurricane Electric BGP Toolkit
Hurricane Electric provides the BGP Toolkit, which provides DNS, IP, and Whois information for free and is extremely easy to use. I’m mentioning it because it’s a very popular tool that has been around for a long time (and therefore is likely to still be working when others read this). However other websites also work well and can easily be found on search engines.
Hunting for Email Addresses
We can use the dork ‘intext:”@<domain>”‘ to search Google for email addresses pertaining to domains that we have identified.
For example:
intext:”@google.com” inurl:google.com
This would search for email addresses ending in ‘@google.com’ and would only return results that contain ‘google.com’ in the URL.
Hunting for Files
We can use the filetype dork to search for specific filetypes.
For example:
filetype:pdf inurl:google.com
This would search for any PDFs that are hosted by Google.
Gathering Breached Data
We should cross-check any employees/email addresses that we identified for breached data. We may find valid credentials, or we may find passwords that we can check for reuse later in the assessment.
Gathering Other Public Information
Other publicly available information, such as news, articles, blogs, etc. may be helpful in gaining information about the target, as well as continuing to build a list of potential email addresses/usernames that may be used later on.
One commonly overlooked strategy is to look at job postings. Job postings may provide useful information, especially if they are for security or IT related roles. We can learn what technologies, platforms, and infrastructure are in place by looking at what is required to work there. The postings may also contain contact information and an email address, and may give us another data point about the organization structure.
Cloud Storage
We should search for any cloud storage solutions including S3 buckets or Azure storage. These can be goldmines, but we must also keep in mind the scope of an assessment.
GitHub, GitLab, etc.
Sites used for development and version management can be great sources of information. There have been occasions in which credentials or other sensitive information have been found. For example, we may be able to find an early version of an app that contained sensitive information.