NETLAS FOR SECURITY ANALYSIS

Attack Surface Discovery with Netlas.io

The success of a penetration test is often determined by the first step.


Reconnaissance and attack surface discovery are the first steps in any penetration testing process. Testers gather information about the target system, identify potential entry points, and map out the external attack surface. This information is crucial for understanding the target environment and planning subsequent testing activities.

This guide will demonstrate how to quickly build an attack surface of any size using the Netlas Attack Surface Discovery Tool and Netlas Search Tools.

Netlas Attack Surface Discovery Tool is an intuitive tool designed for building and visualizing attack surfaces. With it, you can quickly generate an attack surface of any size. Users can add or remove objects and instantly see all the connections between them. Its user-friendly graphical interface makes the attack surface easy to understand.

Netlas Search Tools are a comprehensive suite of tools offered by Netlas. They enable users to search through billions of DNS records and certificates, investigate any IP address in the WHOIS database, and retrieve responses for hundreds of millions of hosts. For more detailed information on how to use Netlas Search Tools, please refer to the documentation.

Steps for Building an Attack Surface:

  1. Search for root domains using Domain WHOIS Lookups.
  2. Search for IP ranges using IP WHOIS Lookups.
  3. Subdomain enumeration.
  4. Forward and Reverse DNS Lookups.
  5. Vertical expansion.
  6. Results analysis.
  7. Search for Unlinked Resources.

Step 1: Root Domains

Open the Attack Surface Discovery Tool and create an “Organization” node. Click on it to see possible search options.

placeholder placeholder

If the organization’s name is not clear, but one of its domains is available, this information can be used. Add a node with type domain to the attack surface and make “Organization from WHOIS” search from it.

With a list of organization names, start horizontal expansion from the initial node. Click on the node and select “Domain with same organization” to proceed.

Netlas ASD Tool Genworth Orgs search Netlas ASD Tool Genworth Orgs search

This action will add a group containing the root domains associated with the selected organization.

Netlas root domains node Netlas root domains node

You can view the list of founded domains from the context menu.

Step 2: IP ranges

Next, search for subnets linked to the target company. Use a similar approach to discover these IP addresses. If a company name is associated with any ranges, the corresponding search will be available by clicking on the organization node.

Netlas network search by organization name Netlas network search by organization name

By adding a subnet and transforming it into IP addresses, the attack surface is enhanced. The transform to IPs here is optional, but generally Discovery Tool has more search options for individual addresses compared to ranges.

Network added in Netlas Network added in Netlas

Step 3: Subdomains

Subdomain enumeration helps identify hidden parts of the attack surface. In the Netlas Discovery Tool, perform a subdomain search by clicking on the group of founded domains.

Subdomains search in Netlas Subdomains search in Netlas

After completing the subdomain search, new group representing subdomains will be added to the attack surface map.

Step 4: Forward and Reverse DNS Lookups

The next crucial step is analyzing DNS records.

By clicking on a single domain node or a group of domains, choose “A records for domain” search. This will give you a list of IP addresses corresponding to source list of domains (subdomains).

The next important record is MX. Use the search “Mailservers for domain”.

Netlas MX records search Netlas MX records search

After this, it is worth studying NS records.

Netlas NS records search Netlas NS records search

Next, in the corresponding nodes, select the searches “For whom it is mailserver” and “For whom it is nameserver”.

Netlas searches from NS and MS Netlas searches from NS and MS

Additionally, it’s important to consider reverse DNS lookups. This process helps identify domains associated with specific IP addresses through their A records.

Here is the surface after making all DNS-related searches:

All DNS records All DNS records

Step 5: Vertical Expansion

Vertical expansion involves discovering additional objects related to the found domains and IPs. Typically, the objects detected during vertical expansion are: subdomains, open ports, contacts, and redirects.

Netlas ports search

Netlas contacts search

Netlas redirects search

Full surface

Netlas ports search

Netlas contacts search

Netlas redirects search

Full surface

Step 6: Results Analysis

After gathering enough objects, analyze which ones truly belong to the Attack Surface. Exclude externally hosted resources, as they are not directly part of the target.

In the Netlas Attack Surface Discovery Tool, verify server ownership by checking “AS Name” and “Organization from WHOIS” from any node.

Netlas proof on virtual hosting Netlas proof on virtual hosting

Some nodes may represent third-party hosts. Exclude them from the Attack Surface. Simply right-click on the node and select the “Exclude node” option. In the future, these objects can be hidden from the graph and will not be included in the file if you choose to download the entire surface.

Step 7: Unlinked Resources

The situation in which some resources are located on third-party hosting and are not linked to the rest of the attack surface is quite common. Companies often separate critical infrastructure from their main surface. In the final step, explore options to detect it.

If the company’s name is known, locate networks associated with it using the Netlas IP WHOIS Tool.

Netlas IP WHOIS tool search Netlas IP WHOIS tool search

Discover any additional subnetworks that were initially hidden during reconnaissance. Manually add them to the Discovery Tool.

placeholder placeholder

Conduct searches from these new nodes. New IP address lists will appear on the graph, showing resources on the company’s infrastructure, not external servers. These are part of the Attack Surface.

The final Attack Surface will look something like this:

Netlas final Surface Netlas final Surface

Conclusion

With these steps, the main phase of Attack Surface Discovery is complete. Continue iterating through these steps to include all relevant objects. You can download the Attack Surface as a file for use with nmap or another scanner by clicking the button on the top panel.

Both the Netlas Search Tools and the Discovery Tool use the same data, but the Discovery Tool searches only the most relevant data, while the other gives accesses to historical data. On the other hand, the Netlas Discovery Tool simplifies identifying connections and visualizing the surface, making navigation easier for specialists.

The methods shown here are just the beginning. For example, you can find connections between sites using a favicon or a Google tag. The Netlas Responses Search Tool can help with this.

Get your free Netlas.io account!

Sign up to get up to 50 requests/day for free