Recon Methods Part 1 - OSINT Host Discovery
By Corey Overstreet
During an external assessment (be it a penetration test or red team), we here at Red Siege begin by investigating the target as completely as possible before touching the target's external assets. In this series of articles, we will demonstrate different methods of gathering actionable intelligence on a target, focused first on infrastructure and then on employees. We will start with purely open-source intelligence sources and ramp up to light interactions with the target's external assets. As an example, we will look at a company that recently restructured: it has closed all of its retail stores, so its former external hosts are still discoverable in public sources even though most of them are no longer reachable at the time of this writing.
UPDATE 2/6: The company we selected for this recon is apparently not 100% dead even though all the stores are closed. While all the information in this post is public, we have chosen to redact the company name from the remainder of the post.
Wikipedia
The first stop for gathering information about a company is Wikipedia. Entries on Wikipedia will often have a biography of the company including associated domains and can also contain histories of mergers, acquisitions, and subsidiary companies. Using this list of affiliated companies, an attacker can potentially find additional domains associated with the target. In the case of the target company, Wikipedia indicates a history of acquisitions. We would typically track down each of these companies to check for additional external attack surface.
On a recent red team, we found a list of subsidiary companies that had been acquired by our target. After independently verifying the acquisitions, we had a list of additional target domains that ultimately led to the first foothold inside the target's network. Once inside, we were able to track down each subsidiary company's internal domain that had been incorporated over the years, giving us further access and alternate paths for lateral movement. None of these affiliations were apparent externally without first investigating the company's history and mergers.
DNSDumpster
Once we have the domains for our target company and any associated company domains, DNSDumpster is usually our next stop. This site provides a wealth of information about a target domain such as MX records, TXT records, ASN identification, and a list of subdomains.
Starting with MX records, an attacker can often identify the email security gateway in use from the hostnames, IP addresses, and ASN of the mail exchange hosts. Commonly, we see Cisco IronPort, Barracuda, or Proofpoint hosts in the MX section. This gives us a good idea of what we're up against if and when we have to phish the target. Keep in mind that the MX records only describe the inbound path; the SPF entry in the TXT records frequently reveals additional third-party senders (marketing platforms, ticketing systems, hosted mail) that are worth noting as well.
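The following script is an added example written for this editing pass; it is not part of the original post or a Red Siege tool. It takes the text that `dig +short MX <domain>` and `dig +short TXT <domain>` would return, identifies well-known gateway providers from MX hostname suffixes, and pulls the `include:` and `redirect=` domains out of the SPF record. The suffix table is illustrative rather than exhaustive, and the sample MX and TXT records embedded below are constructed so the script runs offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# Illustrative mapping of MX hostname suffixes to the gateway or provider that
# operates them. Not exhaustive; extend it with what you see in engagements.
GATEWAY_SUFFIXES: Dict[str, str] = {
    ".pphosted.com": "Proofpoint",
    ".iphmx.com": "Cisco IronPort (Cloud Email Security)",
    ".barracudanetworks.com": "Barracuda Email Security Service",
    ".mimecast.com": "Mimecast",
    ".mail.protection.outlook.com": "Microsoft 365 (Exchange Online Protection)",
    ".google.com": "Google Workspace",
}

# Constructed sample data in the shape `dig +short` prints (not real records).
SAMPLE_MX_OUTPUT = """10 mxa-0012ab34.gslb.pphosted.com.
10 mxb-0012ab34.gslb.pphosted.com.
"""
SAMPLE_TXT_RECORDS = [
    '"v=spf1 include:spf.protection.outlook.com " "include:_spf.salesforce.com -all"',
    '"MS=ms12345678"',
]


def classify_mx_host(host: str) -> Optional[str]:
    """Return the provider name for an MX hostname, or None if unrecognised."""
    h = host.rstrip(".").lower()
    for suffix, name in GATEWAY_SUFFIXES.items():
        if h.endswith(suffix):
            return name
    return None


def parse_dig_mx(output: str) -> List[Tuple[int, str]]:
    """Parse `dig +short MX` lines ('10 mx.example.com.') into (pref, host)."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        pref, host = line.split(None, 1)
        records.append((int(pref), host.rstrip(".").lower()))
    return sorted(records)


def _unquote_txt(line: str) -> str:
    """dig splits long TXT records into several quoted strings; rejoin them."""
    parts = re.findall(r'"([^"]*)"', line)
    return "".join(parts) if parts else line.strip()


def spf_includes(txt_records: List[str]) -> List[str]:
    """Return include:/redirect= domains from the first SPF TXT record found."""
    for raw in txt_records:
        rec = _unquote_txt(raw)
        if rec.lower().startswith("v=spf1"):
            return re.findall(r"(?:include:|redirect=)(\S+)", rec, flags=re.I)
    return []


def profile_mail(mx_output: str, txt_records: List[str]) -> dict:
    """Summarise inbound gateways (from MX) and third-party senders (from SPF)."""
    mx = parse_dig_mx(mx_output)
    gateways = sorted({g for _, h in mx for g in [classify_mx_host(h)] if g})
    return {"mx": mx, "gateways": gateways, "spf_includes": spf_includes(txt_records)}


if __name__ == "__main__":
    summary = profile_mail(SAMPLE_MX_OUTPUT, SAMPLE_TXT_RECORDS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

To run it against a live target, substitute the output of `dig +short MX example.com` for `SAMPLE_MX_OUTPUT` and the lines of `dig +short TXT example.com` for `SAMPLE_TXT_RECORDS`. An unrecognised MX host is reported as None rather than guessed, which is deliberate: the hostnames DNSDumpster shows are only a hint, and the IP and ASN of the host should be checked before concluding which product is in front of the mailbox.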
... The full post is located at https://www.redsiege.com/blog/2020/02/recon-methods-part-1-osint-host-discovery/
OSINT | CTI | Cyber-operations | Purple Team | Educator | ASD Essential 8 Auditor
5 years
Awesome, thanks for the share.