
Web Asset Discovery
AJ Dumanhug

Red Team Philippines x hackstreetboys


Web Asset Discovery – September 2021
AJ Dumanhug
● Cybersecurity Officer at Secuna

● Professional Science Master Candidate in Cybersecurity

● Member of hackstreetboys (Professional CTF Group)

● Member of Pwn De Manila (CTF Organizer for ROOTCON)

● Infosec Training Instructor at DLS-CSB SPaCE

● Former Infosec Training Instructor at UP SITF & Adamson CPDD

● Former Highly Technical Consultant at the National Privacy Commission

● Former Cybersecurity Analyst at the University of the Philippines

● Capture the Flag Competition Champion at ROOTCON

● Top 3 with hackstreetboys at DEFCON 29 CTF (Red Team Village)

● Top 7 Hacker out of 100+ in Facebook & Google’s BountyCon 2019

● Top 2 in 2v2 HackTheBox Battleground Tournament with Ameer

● CEH, ECSA, CRTP, CRTE, OSCP, OSWE, PNPT

Web Asset Discovery
Asset discovery is the process of keeping track of all active and inactive web application
assets.

The name of the game is simple: you can't protect what you don't know.

Benefits of Asset Discovery for Web
It helps you:

● make quick and better data-driven decisions to address risks


● better manage third-party software/services/applications
● maintain a good security posture

Solutions

Internal Policy/Process
Register assets before deploying them online

Reconnaissance
Find every asset externally

Reconnaissance
● Public Datasets

● Open Source Intelligence

● Data Providers

Whois
Whois is a query and response protocol that is widely used for querying databases that store
the registered users of an Internet resource, such as a domain name or an IP address block,
but it is also used for a wider range of other information.

Link: https://www.whoxy.com/

Cloudflare
Cloudflare is one of the biggest networks operating on the Internet. People use their services
for the purposes of increasing the security and performance of their websites.

Link: https://cloudflare.com/

Autonomous System Number (ASN)
An autonomous system (AS) is a collection of connected Internet Protocol routing prefixes under
the control of one or more network operators on behalf of a single administrative entity or domain
that presents a common, clearly defined routing policy to the internet. Its ASN is the number that
identifies it.

Links:

1. https://www.shodan.io/
2. https://hackertarget.com/as-ip-lookup/

Shodan Search
Shodan is a search engine that lets the user find specific types of computers connected to the
internet using a variety of filters. Some have also described it as a search engine of service banners,
which are metadata that the server sends back to the client.

Look for assets by SSL certificate subject or by organization:

● ssl.cert.subject.cn:mil.ph
● ssl.cert.subject.cn:mil.ph -HTTP
● org:"100995417_AFP-CEIS"
● org:"1-138CH3T_950TH CEISG, PHILIPPINE AIR FORCE"
● org:"2039304_PRESIDENTIAL SECURITY GROUP"

Google Search
You can use Google to enumerate the subdomains of your target domain with Google Dorks. A dork
is a search string that uses advanced search operators to find information that is not easily
available on the websites themselves.

Go to https://www.google.com/ and search for the following dorks:

● site:".mil.ph" - To get the list of subdomains under the target domain

GitHub Search
You can use GitHub to search for domains of your target.

Go to https://www.github.com/ and search for the following dorks:

● “gov.ph” - To get the list of subdomains under the target domain

Certificate Transparency
In pentesting, some tools can be used to gather information about a site's certificates and to
discover secret or hidden subdomains named in those certificates.

Websites below can be used to search certificates of a website:

● https://crt.sh/
● https://developers.facebook.com/tools/ct/search/
● https://transparencyreport.google.com/https/certificates
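
Added example, not part of the original slides: it connects the two solutions described earlier (an internal asset register and external reconnaissance) by extracting hostnames from certificate transparency results and comparing them with the register. The JSON is constructed sample data shaped like crt.sh's JSON output (its `name_value` field); `example.org`, the register contents and all function names are assumptions.

```python
import json

# Constructed sample shaped like crt.sh JSON output: name_value holds
# newline-separated certificate names. example.org is a placeholder domain.
CT_SAMPLE = json.dumps([
    {"common_name": "www.example.org", "name_value": "www.example.org\nexample.org"},
    {"common_name": "*.example.org", "name_value": "*.example.org"},
    {"common_name": "vpn.example.org", "name_value": "VPN.example.org\nold-portal.example.org"},
    {"common_name": "cdn.example.net", "name_value": "cdn.example.net\nstaging.example.org."},
    {"common_name": "notexample.org", "name_value": "notexample.org"},
])

# Constructed internal asset register (the "register before deploying" list).
REGISTERED = {"example.org", "www.example.org", "vpn.example.org", "intranet.example.org"}


def normalize(name):
    """Lower-case, strip whitespace, a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name, apex):
    """True only for the apex itself or a real subdomain of it."""
    return name == apex or name.endswith("." + apex)


def names_from_ct(ct_json, apex):
    """Collect unique in-scope hostnames from certificate transparency entries."""
    found = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").splitlines():
            name = normalize(raw)
            if name and in_scope(name, apex):
                found.add(name)
    return found


def reconcile(discovered, registered):
    """Return (hosts seen but not registered, registered hosts never seen)."""
    registered = {normalize(n) for n in registered}
    return sorted(discovered - registered), sorted(registered - discovered)


if __name__ == "__main__":
    seen = names_from_ct(CT_SAMPLE, "example.org")
    unregistered, unseen = reconcile(seen, REGISTERED)
    print("unregistered:", unregistered)
    print("registered but not in CT:", unseen)
```

Hosts in the first list are candidates for registration or decommissioning; hosts in the second list may simply have no publicly logged certificate.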

Subfinder
Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using
passive online sources. It has a simple modular architecture and is optimized for speed. Subfinder is
built for doing one thing only - passive subdomain enumeration, and it does that very well.

Install and Run:

1. Download:
https://github.com/projectdiscovery/subfinder/releases/download/v2.4.8/subfinder_2.4.8_linux_amd64.tar.gz
2. Move the binary into a directory on your PATH: “sudo mv subfinder /usr/bin/subfinder”
3. Run the tool: “subfinder -d mil.ph”

Amass
Amass performs network mapping of attack surfaces and external asset discovery using
open source information gathering and active reconnaissance techniques.

Run:

1. amass enum -passive -src -d mil.ph

Thank You!
https://www.linkedin.com/in/allanjaydumanhug/

https://atom.hackstreetboys.ph/
