Using scans to discover attack surface

So you’ve gotten an instance of intrigue-core up and running using the AMI or Docker guide, but what now!? Give scans a try. Here’s how.

Create a new project. Let’s run this one on Mastercard (they run a public bounty on Bugcrowd):

create_project

Now, run a “Create Entity” task to create a DnsRecord with the name “mastercard.com”.

This time, however, let’s set our recursive depth to 3. This will tell the system to run all viable tasks when a new entity is created, recursing until we reach our maximum depth:

iteration.jpg

Hit “Run Task” and you’ll see that our entity was successfully created:

create_entity.jpg

Now, let’s browse to the “Results” tab and get an overview of the “Autoscheduled Tasks” that have been kicked off automatically:

results-autoscheduled

Wow, 83 tasks in just a few seconds! Core is FAST, thanks to Sidekiq and Sequel. Now we can browse over to the “Graph” tab, and get an overview of the entities (nodes) and the tasks (edges) that created them.

mastercard
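To make the recursive depth setting and the resulting graph concrete, here is a small offline model of depth-bounded autoscheduling. It is an added example, not intrigue-core's own code: the task names, the `VIABLE` and `DISCOVERIES` tables and the `scan` function are all constructed for illustration, and nothing in it touches the network.

```ruby
# Added illustration: a model of depth-bounded autoscheduling.
# Task names and tables are constructed; this is not intrigue-core's API.
Entity = Struct.new(:type, :name)

# Which (hypothetical) tasks are viable for each entity type.
VIABLE = {
  "DnsRecord" => %w[resolve brute_subdomains],
  "IpAddress" => %w[port_check],
  "Uri"       => %w[page_grab]
}.freeze

# Constructed results: [task, entity name] => entities that task reports.
DISCOVERIES = {
  ["resolve", "example.com"]            => [Entity.new("IpAddress", "192.0.2.10")],
  ["brute_subdomains", "example.com"]   => [Entity.new("DnsRecord", "www.example.com")],
  ["resolve", "www.example.com"]        => [Entity.new("IpAddress", "192.0.2.10")],
  ["port_check", "192.0.2.10"]          => [Entity.new("Uri", "http://192.0.2.10:80")],
  ["page_grab", "http://192.0.2.10:80"] => [Entity.new("DnsRecord", "cdn.example.com")]
}.freeze

# Returns { nodes: [names], edges: [[from, task, to], ...], tasks_run: n }.
def scan(seed, max_depth)
  nodes = { seed => 0 }            # entity => depth at which it was first seen
  edges = []
  tasks_run = 0
  queue = [seed]
  until queue.empty?
    entity = queue.shift
    depth = nodes[entity]
    next if depth >= max_depth     # depth budget spent: keep entity, schedule nothing
    VIABLE.fetch(entity.type, []).each do |task|
      tasks_run += 1
      DISCOVERIES.fetch([task, entity.name], []).each do |found|
        edges << [entity.name, task, found.name]
        next if nodes.key?(found)  # already known: record the edge, do not rescan
        nodes[found] = depth + 1
        queue << found
      end
    end
  end
  { nodes: nodes.keys.map(&:name), edges: edges, tasks_run: tasks_run }
end
```

In this model, `scan(Entity.new("DnsRecord", "example.com"), 3)` runs 6 tasks and reaches `cdn.example.com`, while a depth of 1 stops after the 2 tasks on the seed entity.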

Note that the graph is generated every time you load the page, so you will need to refresh a couple times to get the graph to show. You can zoom in and out to get details on the nodes:

zoom-graph.jpg

Browsing over to the “Dossier”, you can see that there’s some fingerprinting happening on the webservers, based on the page contents. Note that there’s nothing invasive happening here; this is simply doing page grabs and analyzing the results:

dossier-2

One neat feature is that core actually parses web content, including PDFs and other file formats, to pull out metadata. More to come on this!

All this in just a few minutes: attack_surface

 
