Recon Kill Chain Cheat Sheet
The Recon Kill Chain Cheat Sheet provides a structured approach to intelligence gathering using Netlas. It outlines specific queries and methods for identifying a target's digital assets, network infrastructure, and potential vulnerabilities. This guide helps security professionals and bug bounty hunters efficiently map out an organization's online presence, from subdomains and IP ranges to open ports and SSL certificate details.
Key Takeaways
Netlas enables deep host and response searches for asset discovery.
WHOIS queries reveal critical IP and domain ownership information.
DNS searches map out subdomains and network structures.
SSL certificate analysis identifies organizational assets and security posture.
How can Netlas be used for host reconnaissance?
Netlas provides powerful host search capabilities to uncover a target's digital footprint. By querying a domain like apple.com, users can identify a wide array of assets, including subnet ranges, Autonomous System Numbers (ASNs), IP addresses, and related domains. This initial scan also reveals crucial details such as MX and NS records, open ports, active protocols, associated tags, and even known Common Vulnerabilities and Exposures (CVEs). Furthermore, Netlas allows for detailed investigation of specific A records and comprehensive WHOIS IP searches to confirm official ownership of hosts and infrastructure.
- Domain queries uncover assets, subnets, IPs, related domains, records, ports, protocols, tags, CVEs.
- Investigating A records provides detailed information about specific IP mappings.
- WHOIS IP searches by handle, ASN, or organization identify owned hosts and infrastructure.
What information can Netlas's response search uncover?
Netlas's response search functionality allows for in-depth analysis of a target's active web resources and services. Users can discover all subdomains and their scan results, identify reachable web resources by filtering for HTTP status code 200, and pinpoint subdomains utilizing specific cloud services like Amazon S3. This capability extends to locating subdomains running on a target's own network, identifying specific technologies like Java applications, and finding up-and-running services within defined IP ranges. It also helps uncover sensitive information such as web pages with 'api' or 'key' in their content, open ports, SSH access, and login pages.
- Discover all subdomains and their scan results.
- Identify reachable web resources by filtering for HTTP status code 200.
- Pinpoint subdomains utilizing specific cloud services (e.g., Amazon S3).
- Locate subdomains running on a target's own network or specific IP ranges.
- Find web pages containing sensitive keywords like 'api' or 'key'.
- Identify open ports (e.g., 80, 1-10000) and services like SSH.
- Uncover servers with HTTP 301/302 redirects or specific Jenkins headers.
- Detect login pages on target web assets.
How does Netlas facilitate IP WHOIS searches?
Netlas simplifies the process of conducting IP WHOIS searches, providing critical ownership and network allocation details. Users can search by a specific IP address to quickly identify its owner or query multiple IP addresses to determine their collective ownership. The platform also enables the discovery of all hosts within a defined IP range, offering a broad view of network segments. Furthermore, Netlas supports searching by organization name to uncover all networks and services owned by a particular entity, and by Autonomous System (AS) name to identify IP ranges and networks under a specific ASN, such as 'APPLE-ENGINEERING'.
- Search by specific IP address to identify its owner.
- Query multiple IP addresses to determine their collective ownership.
- Find all hosts within a defined IP range.
- Search by organization name to discover owned networks and services.
- Identify IP ranges and networks under a specific Autonomous System (AS) name.
What can be discovered using Netlas DNS search capabilities?
Netlas's DNS search capabilities are essential for mapping out a target's domain infrastructure. It allows for the enumeration of all subdomains for a given domain, providing a comprehensive list of associated web properties. Users can also identify specific-level domains, such as third-level domains containing 'mail'. A powerful feature is TLD enumeration, which helps find domains across various top-level domains using flexible matching patterns. Additionally, Netlas can discover domains utilizing specific name servers and identify domains resolving to IP addresses within a specified subnet, offering a detailed view of DNS configurations.
- Enumerate all subdomains for a given domain.
- Identify specific-level domains (e.g., third-level domains with 'mail').
- Perform TLD enumeration to find domains across various top-level domains.
- Discover domains utilizing specific name servers.
- Find domains resolving to IPs within a specified subnet.
How can Netlas assist with domain WHOIS information gathering?
Netlas provides robust tools for gathering domain WHOIS information, which is vital for understanding domain ownership and registration details. Users can obtain detailed WHOIS information for a specific domain, such as apple.com, revealing registrant contact information, registration dates, and expiration dates. The platform also allows for the identification of top-level and third-level domains associated with a target, although third-level results may sometimes include irrelevant entries. Crucially, Netlas enables searching by registrant organization name, allowing users to find all domains officially registered to a specific entity like 'Apple Inc.', providing a comprehensive overview of their domain portfolio.
- Obtain detailed WHOIS information for a specific domain.
- Identify top-level and third-level domains associated with a target.
- Find all domains registered to a specific organization.
Why is SSL certificate search important in reconnaissance?
SSL certificate search in Netlas is a valuable reconnaissance technique for identifying organizational assets and assessing their security posture. By querying certificates issued to or by a specific organization, such as 'Apple Inc.', analysts can uncover a wide range of associated domains and subdomains. This includes finding certificates for a specific domain like apple.com. Netlas also allows filtering certificates by validation level (Domain Validated, Organization Validated, Extended Validation) to understand the rigor of their issuance. Furthermore, searching by validity period helps identify active or recently issued certificates, providing insights into ongoing infrastructure changes.
- Find certificates issued to a specific organization.
- Identify certificates issued by a particular organization.
- Locate certificates for a specific domain.
- Filter certificates by validation level (DV, OV, EV).
- Search for certificates based on their validity period.
Frequently Asked Questions
What is the purpose of a Recon Kill Chain Cheat Sheet?
It provides structured queries and methods for gathering intelligence on a target's digital footprint. This helps identify potential vulnerabilities and assets, streamlining the initial phase of a cybersecurity assessment or attack simulation.
How does Netlas assist in host and response searches?
Netlas enables detailed queries to uncover host assets, network ranges, and active web resources. It helps identify subdomains, open ports, and technologies in use, providing a comprehensive overview of a target's infrastructure.
Why are WHOIS and DNS searches crucial for reconnaissance?
WHOIS searches reveal ownership details for IPs and domains, while DNS searches map out domain structures and associated records. Together, they help uncover hidden assets, related entities, and potential attack surfaces.
