we’ll get started at 1[68]:05

recon & tooling

6[84]43 week1

good faith policy

We expect a high standard of professionalism from you at all times while you are taking any of our courses. We expect all students to act in good faith at all times.

TLDR: Don’t be a jerk

sec.edu.au/good-faith-policy

> whoami

  • Lachlan

how to contact me

places for course discussion

faq

  • are tuts compulsory? no
  • are they recorded? maybe?
  • where are these resources? waugh.zip/6443/

> whoareu

  • your name, degree, year?
  • why’d you do the course?
  • what’s your favourite course so far at Uni?
  • your credit card number and the 3 wacky digits on the back

course content

  • wargames (10%)
  • 2 x pentesting reports (40%)
  • mid-term (0%)*
  • final (50%)

* not exactly

wargames

the good stuff

  • don’t leave them to the last minute, you’ll be sad :(
  • cool to collaborate/work together, but your flags need to be different.
  • extended flags aren’t required, but you should do them anyway (they’re way cooler imo)

report

pentesting / vulnerability report

  • groups of 3 (organised next week)
  • keep track of how you found each of the flags
  • threats and remediation are really important

reconnaissance

check out waugh.zip/6443/resources/recon

what is recon

these should always be your first steps

  • essentially everything that isn’t exploitation
    • looking at a website
    • reading the html source
    • giving an application input (e.g. stuff it doesn’t expect: code, really big input, different file type)

why is it important?

important to expand & understand your attack surface

  • asymmetry of attack and defence
    • defenders need to defend everything
    • attackers only need a single vulnerability
  • you should understand what an application does, before you try to exploit it

passive recon

recon that doesn’t involve interacting with the service

  • googling
  • osint
  • documentation
  • etc

demo

website.com (don’t try it at home)

active recon

interacting with the application

  • clicking around to find web content
  • information leaked in local files (e.g. robots.txt, sitemap.xml, javascript files, html comments)

nobody exposes information in HTML

enumeration

grab a big list of words, and see if any of them resolve:

  • as a subdomain: WORD.example.com
  • as a file/directory: example.com/WORD
  • as a port: example.com:NUMBER
  • also linpeas, sqlmap, metasploit

subdomain/subdirectory/port

  • subdirectory: another part of the same site
    • gobuster, dirbuster, ffuf, etc
  • subdomain: another service on the site
    • gobuster, dirbuster, ffuf, etc
  • port: another application (probably not a webserver)
    • nmap

SecLists and similar wordlist collections can be a helpful source of wordlists

demo

bruteforcing considerations

  • very noisy
    • bruteforcing over dns vs http
    • you might be blocked
  • not everything is a bruteforcing challenge
    • in a real engagement they’d get angry

Bruteforcing at Uni

if you use automated tools, pls don't use uni DNS servers, use these :)

  • Google - 8.8.8.8
  • Cloudflare - 1.1.1.1

Lecture content

Demo

BurpSuite and ProxySwitchy oh my

Activities

  • Form groups for the reports (3 people)
  • Signing up/log into QuoccaBank
    • Installing burp suite/setting up certs?
    • Sign up to CTFD
  • Try out some of the challenges!
    • Recon stuffs
    • HTTP as a service