Attack Surface Mapper - A Tool for Boosting Your Reconnaissance Process
Reading time: 6 minutes
Are you aware of your infrastructure's weakest spots? Attackers surely are. Target reconnaissance is one of their first steps toward getting full insight into an objective, one that will eventually develop into a complete attack strategy to compromise assets.
Any information that an organization leaks (however benign it may appear) is feasible for malversation and misuse for deceptive purposes.
Today we're testing Attack Surface Mapper, a recon tool designed to help you boost the effectiveness of your OSINT daily tasks and bring extra help to the existing intel tools already used in daily infosec jobs.
Let's now discover what Attack Surface Mapper is, by exploring the installation, configuration, and testing process. And we'll find out whether it's a good choice for your infosec reconnaissance needs.
What is Attack Surface Mapper?
Attack Surface Mapper, as its name implies, is a free, multi-platform (for Linux, macOS, and Windows) tool used to create a full map of your attack surface.
According to its authors Andreas Georgiou and Jacob Wilkin, this recon tool uses both classic OSINT and other types of active techniques to gather all possible intel on any target.
To create the full subdomain map, it launches several brute force mapping attacks as well as passive DNS lookups and searches for data on the same subnet IP addresses to find subdomains.
Once all subdomain, domain, and IP intelligence are found, it can take screenshots of the website, search for email addresses of employees on LinkedIn, perform passive port scans, and generate visual maps of your target.
Installation
Installing Attack Surface Mapper is pretty straightforward, requiring only three simple commands to get it working. Let's cover the process step by step:
Download Attack Surface Mapper from their Github repo:
$ git clone https://github.com/superhedgy/AttackSurfaceMapper
Cloning into 'AttackSurfaceMapper'...
remote: Enumerating objects: 66, done.
remote: Counting objects: 100% (66/66), done.
remote: Compressing objects: 100% (37/37), done.
remote: Total 165 (delta 37), reused 46 (delta 29), pack-reused 99
Receiving objects: 100% (165/165), 3.73 MiB | 2.67 MiB/s, done.
Resolving deltas: 100% (86/86), done.
A few dependencies may be needed. Follow the next steps to solve those dependencies using pip:
$ cd AttackSurfaceMapper/
$ pip3 install --no-cache-dir -r requirements.txt
Collecting beautifulsoup4>=4.6.3
Downloading beautifulsoup4-4.9.3-py3-none-any.whl (115 kB)
|████████████████████████████████| 115 kB 975 kB/s
Collecting colorama>=0.3.9
Downloading colorama-0.4.4-py2.py3-none-any.whl (16 kB)
Collecting dnslib>=0.9.10
Downloading dnslib-0.9.14.tar.gz (72 kB)
|████████████████████████████████| 72 kB 4.2 MB/s
Collecting dnspython>=1.15.0
Downloading dnspython-2.0.0-py3-none-any.whl (208 kB)
|████████████████████████████████| 208 kB 2.7 MB/s
Collecting ipwhois>=1.1.0
Downloading ipwhois-1.2.0-py2.py3-none-any.whl (73 kB)
|████████████████████████████████| 73 kB 5.2 MB/s
[...]
The next step is configuring your API key. This is only if you want to integrate any of the following services into your scan: VirusTotal, Shodan, Hunter, LinkedIn, GrayHatWarfare.
Open the keylist.asm file:
nano -w keylist.asm
Then configure all keys as needed:
Do the same, and tweak the API configuration file as you desire to match your own keys.
How does it work?
Running Attack Surface Mapper is easy. Just use:
python3 asm.py -t securitytrails.com -ln -w resources/top100_sublist.txt -o results
Replace "securitytrails.com" with your real target, and set a desired file name to save the results (in our case "results"), and that's it. In our tests, we set the target to be 'shodan.io', as you can see in the following screenshot:
Analyzing the results
We ran numerous tests against several targets, and here's what we discovered.
Once the app finishes its attack surface mapping, it will display the results on the same screen, as you see in the following screenshot:
These results found a lot of subdomains, 185 to be exact. Apart from that, we also found DNS records, including MX and DMARC information, as well as the SPF data. When it comes to IP addresses, after performing the IP lookups it found two addresses and included geolocation, ASN, and CIDR.
Scrolling down a bit, we found the summary of findings related to the shodan.io domain name:
3 IPs, 185 subdomains, 24 open ports, and more. However, let's remember that this was the default command suggested by the documentation. By exploring the official docs a bit and playing with the '--help' option we found other options that may be used:
Now you see that we can add more intelligence data to our ASM execution, by adding options like:
- -sc: to grab a screenshot of the target website
- -ln: to extract a list of emails and employees from LinkedIn
- -sth: to use passive mode using only OSINT traditional techniques
- -w: to load subdomain names from a wordlist
In our tests, however, even if we tried with multiple options combined, we never got what we hoped for—a full solid attack surface map.
We have no doubt that this is a good tool, but our results never yielded the amount of data we expected. Therefore, this tool falls into what we could consider a ‘basic recon tool’ category. It needs to be complemented with other, more powerful, fully dedicated attack surface analysis tools to create a complete surface map of any company or organization you're targeting.
Integrating ASM with the SecurityTrails API™
One way to improve the whole process is to query our SecurityTrails API™ to obtain all related subdomains of your target domain name.
As the image above shows, we did a search on oracle.com to get all associated subdomains. In this case with over ten thousand registries, our tool will significantly improve the amount of time needed for the analysis, as well as its effectiveness.
To perform this, we saved all the obtained subdomains into the oracle.txt file and did the following query:
$ python3 asm.py -t oracle.com -ln -w oracle.txt -o oracle.results
So we run the scan again and the output looks like this:
After a little time, the results are ready. These in particular may not seem that exciting as there aren't any obvious vulnerabilities, but there are still a few interesting things to examine.
Summary
Attack Surface Mapper stands out among reconnaissance tools as a simple solution that works right out of the box, barely requiring any extra configuration. So those are pluses: easy installation and easy API configuration.
The downsides of this tool are its shortfall of results and lack of integrations with other intelligence tools, which would otherwise let you pivot, share, and cross-relate results more effectively.
All in all, it's a good recon tool, one that we recommend for your arsenal.
