Announcing … Intrigue Core v0.4!
April 24, 2018
Announcing the immediate release of Intrigue Core v0.4!
In this release, you’ll find:
- A new, improved, pluggable application fingerprinting capability.
- Massive improvements to portscanning speed & efficiency (thanks @jgamblin!)
- HTTP Server product identification using the Rapid7 team’s excellent Recog.
- A shiny new Vagrantfile to make spinning up an instance simple and easy!
If that weren’t enough, we added a total of 19 new modules:
This release also had a ton of work over the last few weeks as we prepared for RSA 2018. At RSA, Ed Bellis & I discussed “Recon for Defenders” and offered up a few specific CVEs and software that defenders must be very quick to patch – particularly when it’s available for scanning.
As part of that work, we spun up somewhere over 100 simultaneous instances of Intrigue Core, and used these instances to scan the F500 using the “org_asset_discovery_active” strategy and a single domain seed. After running for 10 hours total, we had the world’s first ~complete attack surface scan of the entire F500. Pretty sweet.
We then anonymized and released the data from those tests. As you dig into them, you’ll notice a large number of servers and applications exposed at the perimeter that were still running vulnerable versions of this software at the time of testing.
Digging through the results, I realized that Core’s fingerprinting capabilities needed a lot of work, and so shortly after the talk, I sat down and overhauled the application fingerprinter, creating a pluggable system. Now, for each URI that the system wants to fingerprint, any piece of software can plug in a set of checks. This architecture allows us to minimize the number of HTTP requests we make, while still supporting a large number of fingerprints.
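To illustrate the pluggable design described above, here is an added sketch (not Intrigue Core's own code) of checks registered per product and grouped by request path, so each path is fetched once no matter how many fingerprints use it. The `Fingerprinter` module, the check format, the host name and the sample responses are all assumptions made for this example.

```ruby
require "uri"

# Hypothetical sketch of a pluggable fingerprinter; the names and the check
# format are assumptions, not Intrigue Core's API.
module Fingerprinter
  Check = Struct.new(:product, :path, :source, :pattern)
  @checks = []

  # A plugin contributes the checks for one piece of software.
  def self.register(product, checks)
    checks.each { |c| @checks << Check.new(product, c[:path], c[:source], c[:pattern]) }
  end

  # Group all registered checks by request path so each path is fetched once,
  # then evaluate every check for that path against the single response.
  # fetch: callable(url) -> { headers: {lowercase name => value}, body: String } or nil
  def self.fingerprint(base_uri, fetch)
    requests = 0
    matches = []
    @checks.group_by(&:path).each do |path, group|
      response = fetch.call(URI.join(base_uri, path).to_s)
      requests += 1
      next if response.nil? # failed fetch: skip the checks that needed it
      group.each do |check|
        text = check.source == :body ? response[:body] : response[:headers][check.source]
        m = check.pattern.match(text.to_s)
        matches << { product: check.product, version: m[1] } if m
      end
    end
    { requests: requests, matches: matches }
  end
end

# Three "plugins", four checks in total, but only two distinct paths.
Fingerprinter.register("Jenkins", [
  { path: "/", source: :body, pattern: /\[Jenkins\]/ },
  { path: "/login", source: "x-jenkins", pattern: /\A([\d.]+)\z/ }
])
Fingerprinter.register("Apache Coyote", [{ path: "/", source: "server", pattern: %r{Apache-Coyote/([\d.]+)} }])
Fingerprinter.register("ExampleCMS", [{ path: "/", source: :body, pattern: /ExampleCMS/ }])

# Constructed responses standing in for real HTTP fetches, so this runs offline.
SAMPLE = {
  "http://app.example.test/" => { headers: { "server" => "Apache-Coyote/1.1" }, body: "<title>Dashboard [Jenkins]</title>" },
  "http://app.example.test/login" => { headers: { "x-jenkins" => "2.107.1" }, body: "" }
}
RESULT = Fingerprinter.fingerprint("http://app.example.test", ->(url) { SAMPLE[url] })
puts "#{RESULT[:requests]} requests, matches: #{RESULT[:matches].inspect}"
```

Adding a fourth product whose checks only look at `/` or `/login` leaves the request count at two, which is the property the grouping step is meant to preserve.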