From 1816880861826647f50819edb28e482916c810b5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 10 Jun 2021 18:39:11 +0200 Subject: [PATCH] chg: [techniques] listed and identified --- README.md | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b605087..1cbe400 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,15 @@ # Active Scanning Techniques -This repository is a collection of different techniques in order to find specific hosts to scan. +This repository is a collection of different techniques in order to find specific hosts to scan. The goal is to document the available techniques and +improve the scanning for defenders. + +## Why this collection? + +- Finding vulnerable devices can be challenging for CSIRTs (waiting for the next scan in Shodan, Censys). +- Finding the scope of the scan (regional versus global, wrong IRR allocation). +- Discovering newly devices exposed without scanning the whole IPv4 space. +- Discovering named-based services (many services are based on name such as HTTP virtual-host, TLS SNI). +- Discovering newly exposed devices or services using IPv6 addresses. # Overview 
@@ -9,3 +18,62 @@ This repository is a collection of different techniques in order to find specifi # Slides - [Improving Internet Wide Scanning with Dynamic Scanning](https://github.com/adulau/active-scanning-techniques/blob/main/slides/active-scanning.pdf) + +# Techniques + +## (TAS.1) Certificate Transparency + +### (TAS.1.1) Extract subjectAltName + +- Resolving AAAA + + - Adding most common hostname (short dictionary list) + - DNS brute-forcing + + - SDBF + - fierce + - dnsenum + +## (TAS.2) Newly registered domains + +## (TAS.3) Passive DNS feed + +### (TAS.3.1) Extract CNAME, RRNAME + +### (TAS.3.2) Extract AAAA + +## (TAS 4) BGP Monitoring + +## (TAS 5) Discovering active IPv6 subnet from an IPv6 address + +### (TAS 5.1) Finding CIDR from RIR whois + +### (TAS 5.2) Active monitoring of public services logs (HTTP servers, public NTP servers) + +## (TAS 6) Blackhole network monitoring + +### (TAS 6.1) Extracting IPv6 addresses from GRE packets + +### (TAS 6.2) All protocols extraction "tshark -n -r $FILENAME -E separator="/n" -E occurrence=a -T fields -e ipv6.src ipv6.dst | sort -u | gzip -f +" + +## (TAS 7) Bitorrent GET_PEERS N6 request + +## (TAS 8) Guessing IPv6 addresses by using most common IPv6 manual allocations from an IPv6 subnet + +### (TAS 8.1) Enumerating easy to remember hex block (CAFE, DEAD, BEEF, ABBA, FFFF, ....) + +### (TAS 8.2) Enumerating TCP/UDP service port as last part + +## (TAS 9) DomainClassifier extraction (brute-force extraction of potential hostnames) + +### (TAS 9.1) GitHub commit streams + +### (TAS 9.2) Active crawling from CT logs + +### (TAS 9.3) Other sources such as social networks, pasties website, .... + +## (TAS 10) Extract potential hostname from IPv4 reverse PTR + +### (TAS 10.1) Enumerating IPv4/PTR +
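Review bot: in the first hunk the new intro sentence is broken mid-sentence across two source lines ("... the available techniques and" / "improve the scanning for defenders."), and two of the new bullets have grammar slips: "Discovering newly devices exposed" should read "Discovering newly exposed devices", and "named-based services" should be "name-based services" (HTTP virtual hosts and TLS SNI select by name). Suggest joining the sentence onto one line, or breaking it at a sentence boundary, and fixing the two bullets before merge.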
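Review bot: in the second hunk the "(TAS 6.2)" heading embeds a whole shell command in the heading text and is followed by a stray line consisting only of a closing quote; the command should go into a fenced code block under the heading, and as written it has two defects: "-e ipv6.src ipv6.dst" passes only ipv6.src as a field (with -r, the trailing ipv6.dst is taken as a read filter, so it needs its own "-e"), and "-E separator=\"/n\"" is not a value tshark accepts (it takes /t, /s or a single character). Two smaller points: the technique identifiers alternate between dotted and spaced forms ("(TAS.1)", "(TAS.3.1)" versus "(TAS 4)", "(TAS 5.1)"), so one form should be used throughout, and "Bitorrent" in "(TAS 7)" should be "BitTorrent". Most of the added sections are headings with no body; a one-line description per technique would make the README the documentation the new intro says it is.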