top of page
< Back

AttackSurfaceMapper: Automate and Simplify the OSINT Process

11 Aug 2019

Lightening Talk

AttackSurfaceMapper: Automate and Simplify the OSINT Process

Andreas Georgiou & Jacob Wilkin


Reconnaissance is an integral part of the testing process. Successfully scanning and footprinting the attack surface can assist Red Teamers in crafting precise attacks, but can also help defenders identify weak spots.

AttackSurfaceMapper aims to automates and simplify the OSINT process. It does this by taking a target domain as input, then analysing it using passive OSINT techniques and (optional) active reconnaissance methods. It expands the attack surface automatically with the aim to provide actual useful intelligence for an engagement.

This means that you can plug in a target domain, make a cup of tea and come back later to collect:

 * Email

 * Usernames

 * Breached Passwords

 * Phone Numbers

 * Linked IPs

 * Target subdomains

 * Website Maps

 * Social Media Presences

 * Open Ports


 This is a list of techniques that AttackSurfaceMapper uses:

 [+] Reconnaissance:

 * Find IPs from ASN

 * Find Subdomains

 * BruteForce Subdomains

 * Port Scanning

 * Hostname Discovery

 * Passive & Active DNS Record capturing

 * WHOIS records

 * Take screenshots of web portals and remote services


 [+] Intel Extraction:

 * Content Discovery (Phone Number, Addresses and Vacancy Postings)

 * Scrap LinkedIn Employee Names & Email addresses

 * Check Public Breaches

 * Find AWS buckets

 * Interesting Files (e.g PDF and XML)

 * Interesting Strings (sensitive data such us API keys, AWS secret keys and CreditCard numbers).

 [+] Plugins:

 * Support for Shodan API

 * Support for dnsdumpster [Generate a DNS map]


 The tools takes as input a list of IPv4 addresses or domain names. It then expands these into more targets through techniques such as ASN lookups and subdomain finding.

 It then attempts to map the subdomains and IPs to each other and run a variety of open source intelligence techniques to gather and compile useful data for an engagement.

 AttackSurfaceMapper supports "stealth" mode where it only runs all of the passive modules and the active reconnaissance components are optional. This is an ideal feature for Red Teaming, as it allows the user to minimises the noise usually generated from more active reconnaissance techniques.

 A database is created for each engagement and the results are stored in a MongoDB database using the target's IP address as the primary key. This can then be integrated into further automated workflows

 While the tool's modules are running the attack surface will further expand as it discovers hostnames and IP addresses. It performs a recursive analysis so that if new targets are found, it will feed them back and perform the full OSINT analysis cycle on them.

 It is important to note that most tools work by providing a domain name as initial input but there are not many solutions for performing recursive OSINT analysis given a set of IP addresses.

 Another distinct feature of AttackSurfaceMapper is the ability to add more modules in the future to support more functionality. Along with the flexibility of having output in CSV, text and NoSQL database format. AttackSurfaceMapper will be the first tool of choice for mapping a large corporate external network.

bottom of page