Using workflows to discover attack surface

January 9, 2021

So you’ve gotten an instance of intrigue-core up and running using the Getting Started guide, but what now!? Give workflows a try. Here’s how.

Create a new project; let’s set this one up with the name Mastercard – they run a public bounty on Bugcrowd, and likely have a lot of interesting systems on the Internet.

Once created, you’ll drop into the “Start a Workflow” page:

Hit “Profile an Organization” and we’ll add in as many Mastercard domains as we know exist. Bounty program pages can be instructive for finding domains and other seeds. For now, we’ll just start with mastercard.com, but it’s always better to have more seeds.

Now, hit submit, and notice you’re dropped to the “logs” page so you can monitor what’s happening.

You’ll want to refresh a couple of times, and as you do, you’ll see more tasks being automatically scheduled.

Now this is all good and well, but where are the results? For that, you’ll want to hit “Entities” in the top menu. When you do, you’ll see something like the following. Now, you might not recognize every entity in here, and that’s okay. If you look to the far right, you’ll see some are scoped, and some are not. This is Core’s auto-scoping capability at work. If it finds something that it’s not sure belongs to our target organization, it’ll remain unscoped.

In fact, let’s try hitting ‘Only Scoped’ in the search section on the left, and filter only by DnsRecord by selecting that entity in the ‘Types’ list. There we go, that looks a bit more familiar.

Also notice the details give us a bit more info about what each entity is, and we can always click into an entity to learn more about it. The enrichment process ensures that we have a lot of detail per entity.

  • The Ancestors section tells us which original “seed” entity we entered led to this entity being found. There can be many ancestor entities.
  • The Aliased Entities section tells us what other entities this DnsRecord resolved to. This creates a group and makes it easier to see whether this is a service, a host, or some combination thereof.
  • The Tasks that Created this Entity section shows us that this domain was found through the dns_brute_sub task, in other words, through Subdomain Bruteforce!
  • The Tasks Run on this Entity section tells us what tasks were auto-queued and run with this entity. This is entirely based on the workflow we chose, ‘Profile an Organization’. If we chose to hit the blue button in the upper right and start a new task, that would also show up in this list.

Finally, notice that full details are preserved in the “Entity Details” section – details can be arbitrary length and help give us more context about the entity.

Now, hit entities again, and let’s take a look at the ‘grouped’ view, now that we know what “Aliased Entities” means. This is a helpful way to better understand a given organization’s infrastructure. In this case, it looks like there are quite a few subdomains resolving to the 216.119.209.64 address; it is likely a load balancer.

Okay, well let’s slice it a different way now. Hit the Analysis -> Domains page, and you’ll see the top level domains, sorted by count, which gives us a view of the first and third party domains around Mastercard:
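To make the two views above concrete, here is an added Ruby example (not intrigue-core’s own code) that models the ‘grouped’ view and the Analysis -> Domains count over a constructed set of DnsRecord entities. The entity hashes, the registrable_domain helper with its short suffix list, and the load-balancer threshold are all assumptions for illustration.

```ruby
# Added illustration (not intrigue-core's own code): models the "grouped"
# entity view and the Analysis -> Domains count over constructed entities.

# Constructed sample: DnsRecord names with the IpAddress each resolved to
# (the "Aliased Entities" relationship) and whether auto-scoping kept them.
ENTITIES = [
  { name: "www.mastercard.com",         aliases: ["216.119.209.64"], scoped: true },
  { name: "developer.mastercard.com",   aliases: ["216.119.209.64"], scoped: true },
  { name: "login.mastercard.com",       aliases: ["216.119.209.64"], scoped: true },
  { name: "priceless.com",              aliases: ["203.0.113.10"],   scoped: true },
  { name: "www.priceless.com",          aliases: ["203.0.113.10"],   scoped: true },
  { name: "cdn.example-thirdparty.net", aliases: ["198.51.100.7"],   scoped: false },
].freeze

# Hypothetical stand-in for a public suffix list: suffixes that take a second
# label. Only what the constructed sample needs, not a complete list.
TWO_LABEL_SUFFIXES = %w[co.uk com.au].freeze

# Registrable ("top level") domain of a hostname, e.g. a.b.mastercard.com -> mastercard.com
def registrable_domain(host)
  labels = host.downcase.split(".")
  keep = TWO_LABEL_SUFFIXES.include?(labels.last(2).join(".")) ? 3 : 2
  labels.last(keep).join(".")
end

# Analysis -> Domains: registrable domains sorted by count, descending.
def domain_counts(entities, only_scoped: false)
  entities
    .select { |e| !only_scoped || e[:scoped] }
    .group_by { |e| registrable_domain(e[:name]) }
    .map { |dom, es| [dom, es.size] }
    .sort_by { |dom, n| [-n, dom] }
end

# Grouped view: IP address -> hostnames aliased to it. Many names on one IP is
# the pattern the post reads as a likely load balancer (threshold is assumed).
def grouped_by_ip(entities, lb_threshold: 3)
  groups = Hash.new { |h, k| h[k] = [] }
  entities.each { |e| e[:aliases].each { |ip| groups[ip] << e[:name] } }
  groups.map do |ip, names|
    { ip: ip, hosts: names.sort, likely_load_balancer: names.size >= lb_threshold }
  end.sort_by { |g| -g[:hosts].size }
end

if __FILE__ == $PROGRAM_NAME
  domain_counts(ENTITIES).each { |dom, n| puts "#{n}\t#{dom}" }
  grouped_by_ip(ENTITIES).each { |g| puts "#{g[:ip]}\t#{g[:hosts].size} hosts\tlb=#{g[:likely_load_balancer]}" }
end
```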

If we’re interested in seeing, for example, priceless.com, we can click on that and it’ll drop us back into search:

Now we might want to add the priceless.com domain into this scan. While it’s almost always better to have the full list of domains at the beginning, we can add it by browsing to ‘Start’ -> ‘Start a new workflow’ and adding priceless.com in. However, if we’re not sure about a given domain, we might want to find everything that mentions priceless.com by CTRL-clicking on the entity type and searching all entity types:

Aha, that top entity https://www.priceless.com:443 might tell us more; let’s click on that one. It looks like it was fingerprinted with Facebook and jQuery, so it’s probably a marketing or company page. When we browse in, you can see a screenshot has already been taken, as well as the certificate stored in the details, giving us a very clear indication that this is a Mastercard asset. And in fact, it’s already been scoped automatically.

Okay, so let’s add it to the project by kicking off another workflow on it.

And we add the domain as a seed and hit submit.

In this way, you can continuously kick off workflows and keep the system iterating on new entities you discover. Workflows are incredibly powerful, as they automate the individual tasks inside Intrigue Core. For more information on workflows, see our Workflow help page.