
reNgine: An Automated Reconnaissance Framework

BSides Cyprus · 2021 · 52:17 · Published 2022-06
Tags: Category: Technical · Team: Red · Style: Demo
About this talk
reNgine is an automated reconnaissance framework for web applications, with a focus on a highly configurable, streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, a database backend and a simple yet intuitive user interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration, and with the help of reNgine's correlation it makes recon effortless. This presentation will be a complete walkthrough of reNgine 1.0, a game-changing recon tool.

Features:
- Perform recon: subdomain discovery, port discovery, endpoint discovery, directory bruteforce, screenshot gathering, IP discovery, CNAME discovery, vulnerability scan using Nuclei
- Ability to automatically report vulnerabilities to HackerOne
- Recon visualization
- Highly configurable scan engines
- OSINT capabilities (metainfo gathering, employee gathering, email addresses with leaked passwords, dorks)
- Customizable notifications for Slack, Discord and Telegram
- Advanced query lookup using natural-language-like and, or, not operations
- Support for recon notes and todos
- Support for clocked and periodic scans
- Proxy support
- Screenshot gallery with filters
- Powerful recon data filtering with auto-suggestions
- Recon data changes: finds new/removed subdomains/endpoints
- Support for tagging targets to an organization
- Ability to identify interesting subdomains
- Support for custom GF and Nuclei templates
- Interoperable with other tools: import/export subdomains/endpoints

Tool: https://github.com/yogeshojha/rengine
Trailer: https://www.youtube.com/watch?v=_jBf_9qEG3U
Transcript [en]

Perfect, thank you. Okay, so hi guys, good morning, kalimera to those people in Cyprus and everybody. Thank you so much for joining us. This is early morning Saturday, so I hope you had a very good Friday night, and you must have weekend plans, so you have one more day. Thank you so much for joining in, and yes, thanks to all the organizers for inviting me here to give a talk on reNgine. For the next 30 minutes, 40 minutes, I'll be talking about reNgine. It's an automated reconnaissance framework tool that I've been working on for several years, and every feature of reNgine and how to use it, and probably how you can integrate it in your workflow. So let's begin with that.

A quick background about me: I'm Yogesh and I'm from Nepal. I work as a research engineer for a company in Cyprus called DRZ Research and Development. We focus mainly on building solutions for crime and terror, and yes, we are hiring for people in the cyber intelligence domain, so if you have skills in the cyber intelligence domain and cyber security issues, please feel free to contact us. We are hiring for both remote and Cyprus. Apart from that, I do build and maintain reNgine, and I'm passionate about computer security and mixed martial arts, and I've been speaking at several conferences including Black Hat, DEF CON and TEDx as well. Visiting Cyprus has been one of my bucket list items; now that I'm working remotely, hopefully at BSides Cyprus 2022 we can join and probably we can have, you know, nice souvlaki in Nicosia, and probably you can do it in person.

So let's get started with the actual talk. Let's begin with what is recon. So if you're a web application penetration tester and somebody who does spend a lot of time doing recon on web application pen testing, you know what exactly needs to be done. But for people who have never done recon, it's an information gathering process where you gather as much information as you can for a particular target, for a particular host. It could be for your organization, it could be for a person, it could be for various purposes, right? So the data that is of your interest is, like, suppose when you want to go to attack google.com, the data that is likely to be of your interest is your subdomains, your endpoints, your IP addresses. You also want to look for whether it has any particular open ports or not, and you also want to find out if it has any known vulnerabilities, probably using something like Nuclei or using Acunetix or any other tools to find out if it has any known vulnerabilities. And you also might be interested to find out what technology is being used by the target. This is mainly because, suppose if you find out any vulnerability in one particular subdomain that uses an older technology, you might also find that same problem in the other subdomains as well, right? So finding out what technology is being used in the target is also very important. And of course you also want to do open source intelligence, and this includes what software is being used, the metadata, and then after that the employees' email addresses, leaked passwords of the employees, those kinds of things you might be looking for, right? So that's basically recon. It's more about gathering the information and using that information to attack your target, to proceed with the target.

So now, in my early days I was working as a security analyst, and my job was to do the pen testing the whole day, and one of the really important jobs was that you were tasked with the reconnaissance and finding out more information. A lot of times your executives also wanted just the recon process, the recon data, right before we actually do the pen test. So what happened was, after some time I started to find this process boring, because we were using a lot of open source tools and the process was very repetitive, and also the thing was, the data that was given by these various tools was, in some sense, duplicates, and managing the data was a huge problem. So I started to think, can I build... so I had a background in development as well, so I started to think, can I build a reconnaissance tool that does end-to-end reconnaissance with a lot of features like data correlation, which we're going to talk about in a couple of slides? So I started with that. The first thing that I wanted from my recon engine, the idea was to have an engine, something like an engine that drives this entire scan process, where you can integrate the open source tools, because there is no point in reinventing the wheel, right? There are a lot of other open source tools out there which do a subdomain scan for you, which do a vulnerability scan for you, but the missing component was correlation, right? So I started to imagine, think of an engine where you could actually put in your custom tools, you can put in your open source tools and then do the subdomain enumeration, and similarly do the other parts of scanning as well, right? So I started to build what exactly is the engine and the components involved in the engine.

And the other part was the correlation. The reason why I'm saying correlation is because, right now, when you do the recon you might be using subfinder for your subdomain enumeration, and you might be using naabu for your port scan, or even nmap for your port scan, right? Now the problem is that a lot of these tools give you various different types of output: some may give you in the form of JSON, some of them may give you in the form of CSVs, the other may give you in the other format, right? And at some point in time when you have huge recon data for organizations like Facebook and Google, you have huge recon data like 70,000, 80,000 subdomains. Now with that many subdomains, if you are to do the correlation manually, it's going to take a hell of a time, right? And suppose if you had to find out, okay, can you give me all the subdomains that use this particular IP address, it will be a lot difficult, right, unless you are really good at doing the grepping. So I started to imagine an entire reconnaissance tool which also does the correlation, so that the data is in a tabular form where you could actually do the correlation, that is, the data is generated from the various other tools. And of course the pipeline of recon, as I said... somebody wants to speak? Okay, yeah, so, pipeline of recon.

Pipeline of recon, in the sense that my tool also had to do subdomain enumeration, it also had to find out the IP address, port scan, and it also has to do the vulnerability scan. So it was end to end, right from the subdomain scanning to the vulnerability scanning. So I started with the pipeline of recon, and also the scheduler. The scheduler actually has a very interesting idea. The thing was, I had a full-time job and I also was doing bug bounty hunting on a lot of targets, like in the daytime I was having a full-time job and in the night I used to go do the bug bounty hunting, and this recon process, you know that it takes time. So I wanted something like a scheduler that schedules all of my bug bounty recon while I was at work in the daytime, and then I could just go back home and then the recon data is right in front of me. So the scheduler was also one of the important parts that I wanted in my recon tool, and of course the ability to run multiple scans in parallel. This was the idea, how I started with my recon engine.

And then let's talk quickly about the missing gaps in the current recon tools and frameworks. There are many other great recon tools. One of the guys that I know, he's working on reconFTW, which is really good if you're into the command line; if you do not want a fancy UI it's a really, really good recon tool. And similarly there are other tools like amass, a couple of other tools, they're really good. But the problem, the biggest problem they have is the correlation, right? As I said, recon data is huge. Suppose if you had to... now you have all these screenshots, you use EyeWitness or any other tools to gather all the screenshots, but can you find out, now tell me all the screenshots that have FTP running, or can you show me all the screenshots that have SMTP running? And suppose if you want to find out, show me all the subdomains that use Apache as technology and that also have port number 8080 open, right? So these kinds of things are difficult because they lack something called correlation. And the other problem is that they also lack visualization. Say visualization is not something always important, but if you have to show the executive report to somebody, okay, this is going to happen, if you could actually look... you know, a good visualization always indicates how the recon data relates to each other, right? So as I said, we have subdomains, we have IP addresses and we have ports. Now the relation, if you could establish between them, saying that okay, this subdomain has this many IP addresses and this many IP addresses have this many ports open, if you were to do that in a nice visualization, that would make your job a lot easier, right? So visualization was also one of the components that was missing.

And of course the data analysis. Suppose, just imagine if you are doing a recon on facebook.com, which has approximately 100,000 subdomains, and you had to find out the interesting subdomains manually, it would also take a lot of time, right? So when I say interesting subdomain, it could be a subdomain that has admin.facebook.com or admin.paid.facebook.com or something like that, based on your keywords. As I said, you need to be very good at doing the grepping, and a lot of things that you do here are going to be repeated. And the other thing that was missing from all of these really good recon tools was recon data changes. So this was something that came into my mind because I was doing the recon, I was doing the continuous monitoring for some of the targets, and I wanted to know how many of the subdomains actually appeared very new, or how many of the subdomains are no longer valid, are no longer existing. The same thing with your endpoints as well, right? So the recon data changes was also a missing component in these tools.

So I started to build a tool for myself. Initially I didn't plan to make it open source, it was something for my internal use, but then after I showed it to a couple of people, it actually made a lot of people in the bug bounty industry crazy, and then I thought, okay, let's make it open source. So currently reNgine has a lot of interesting features. The first is of course it can perform recon, and it does subdomain gathering, endpoint gathering, it can also find out the ports and your endpoints, vulnerability scan, a lot of things. The second thing, which is the most important part of reNgine, is the highly configurable scan engines. So when I say scan engine, it is how you want to perform your scan: what tools do you want to use, what threads do you want to use, what are the wordlists that you're going to use for brute force, those kinds of things. And the best part about scan engines is that you get to choose what all you want to perform. Okay, right now I only want to perform a subdomain scan? Okay, you can do that. And suppose if you want to change some threads: the language that we use in the scan engine configuration is YAML based, so for common configurations you have a very nice fancy UI where you could just choose them, but for the rest of the things, where you want to do the minute configurations, if you're not sure what you are doing, probably you might want to use something like the YAML configuration. And the other thing is that we have deeper correlation; we'll see the demo on this one. And the fourth one is a powerful recon search query. This, as I said earlier, suppose if you wanted to combine multiple queries, that was a lot difficult when you had to use manual grepping, right? So in reNgine I built a custom natural-language-like query where you could actually combine a lot of these queries. Suppose you could do page_title equals admin and http_status equals 200, so you could combine a lot of these queries and then search your recon data, which made the recon process a lot easier.

And then the other feature that we have in reNgine is a screenshot gallery. The screenshot gallery is very, very interesting in reNgine because we also allow you to filter the screenshots. Can you imagine, we allow you to filter the screenshots based on the ports, based on the IP addresses, based on the HTTP status, based on a lot of other factors as well, based on the service that it's running. We'll see the demo on that as well. We also have recon visualization, and we also have grouping or tagging of organizations. So suppose if your organization is Google and you have several other domains inside your organization called alphabet.com, google.com and then it could be other things, right? So what you can do is you can define an organization called Google and you can attach all of these targets into an organization, and you can initiate the scan on an organization. That means you could scan the entire domains related to that organization. And then you also have recon data changes in reNgine, and it also comes with the interesting subdomain lookup. So suppose if you're doing the reconnaissance on facebook.com, don't worry, reNgine is going to show you what all the interesting subdomains are. By default reNgine comes with a few keywords that it's going to look for; if those keywords are matched then it's going to show you that, okay, these are the interesting subdomains. But you also have an option to go and add your custom keywords to make your result finer. And we also have OSINT support. In the OSINT we do metadata searching, we also do employee gathering, and then for those employees, whichever we have gathered, we also gather the emails, and we also look up those emails in the leak database, so we also show you the passwords if we find them in the leak database. We do that as well. We also have proxy support; you know that no recon tool is a complete recon tool without the proxy support. We have that, and we also have customizable alerts for your Discord, Slack and Telegram. So when I say customizable, it's that you can choose what kind of scans you want, so what kind of notification you want to send to your Discord: you want to know when the scan is initiated or finished, you can do that; you want only to be notified when a high severity or critical severity vulnerability is found, you can do that. And then there's a lot; we'll also see that in the demo. And we also have a scheduler, so you also get to schedule your scans every once in a month, every once in a week, every once in an hour, or just scan this website in the future at this exact specified time. You can do that as well.

And something that I have missed out here is that we also have automatic vulnerability reporting. That means now when reNgine finds out any vulnerabilities using vulnerability scanners like Nuclei, it is automatically going to report to HackerOne. So if you are in the bug bounty game, it's going to make your job a lot easier. The best part is that you also get to customize your own report; the report that you're going to send to HackerOne, you can customize it as well. And the other interesting features we of course are going to look at in the demo, and if you have any questions feel free to interrupt me in between, when I'm explaining the features we can go through it and then we can answer some of the questions.

So the open source tools that are used in reNgine are listed here. A lot of these do the subdomain gathering, and then what reNgine does is that it makes use of these already existing tools and gives you the fancy UI and also does a lot of correlation and those kinds of things. And just to update you, we are releasing reNgine 1.1 in the next month, and reNgine 1.1 is going to be again a game changer, because a lot of features like... can you imagine, reNgine is going to generate the PDF report. It's going to be your pen testing report that you submit to companies, because a lot of the time when you do the penetration test for companies they just want, right before you do the pen test, it's like, what do you say, threat modeling... I won't say threat modeling, but it's kind of like when you use automated scanners like Burp, or you use automated scanners like Acunetix, and then just send them the report, right? So reNgine is also going to come with the ability to generate your own pen testing report. You can write your own executive summary, you can customize the whole pen testing report, but everything comes with just one click. So I wanted to make sure that everything is easy, so that you don't have to spend a lot of time doing configurations and this stuff. And other features are also coming in reNgine 1.1, so stay tuned for that. Recently we had a major release at DEF CON 29, that was reNgine 1.0, and it was well received by the community, and right now we do have around 3,300 or 3,400 stars on GitHub, and it's a very popular reconnaissance tool in web application pen testing. So now we have a demo. Let me quickly share my screen and then we'll right now directly jump into the demo.

So if you have any questions until now, please feel free to ask. Stop here... just give me a moment.

Now, so you guys can see my screen right now? The dashboard has come up, right, or do you see something else? Yeah, we can see the dashboard. Yeah, perfect, thank you so much. So this is exactly how reNgine looks like. Let me make it wider. Yep, so this is how exactly reNgine looks like. The installation process is very, very, very simple: if you're running on a VPS or running Ubuntu, the installation process is as simple as just running install.sh, and it's going to install everything for you. A quick background: we use technologies like Django; Django is where we have written a lot of back-end code, and we use Redis and Celery for task and queue management, and then we use Postgres for your database. That's pretty much it; reNgine is just awesome, thank you. So this is just the dashboard, how it looks like. So you're going to see here how many total targets you have, total subdomains and total endpoints, total vulnerabilities, everything is here. You also get to see all the subdomains, not just from one target but also from every other target. Similarly the same thing goes for your endpoints, your vulnerabilities as well, and you also have a vulnerability summary. Right now we have only found 977 informational vulnerabilities and we have one critical. So you also get to see the most common vulnerabilities; informational is just ignored here because it's just going to spam here. So we have found out that there is one FTP service with a weak credential, and it has a count of one, that means it has been found only once. And you also have the most vulnerable targets; this includes informational as well, so we sort the targets based on the number of vulnerabilities. You see stripe.com has 489; I scanned the BSides Cyprus, we had 304, we'll see what exactly these are. And down, if you go, you also get to see the most common IP addresses. This is just a quick summary, especially for the organizations; I think it's going to be more beneficial for organizations than individuals, this kind of data. So you have the most common IP addresses, most common ports: so I think 443 is being used by 3163 IP addresses, you also have other ports open here, and interestingly you also have the most common technology that is used in these applications. We found out that Java is mostly used, and these kinds of things. We also have an activity feed here and the vulnerability feed, and down, if you go down, you see here recently completed scans and then the scans that are currently running here.

So before we do anything, let's talk about the targets. Let's go to the target and add something here. So you can see here, these are all the targets that I have. You also get to filter your targets based on the organizations you have defined; we'll see how to do that as well. And let's click on add target and let's just say gmail.com. So this is our target. You also can write your own description. If your program is in HackerOne, so if your target is in HackerOne and it has a bug bounty program, you can enter your team handle here. So when you enter a team handle here, reNgine is going to automatically report the vulnerability as and when it finds out, except for the low and informational, because we don't want to spam the programs. So by default reNgine doesn't come with that. So you can put your team handle here. You also have an option to add multiple targets here, so you can add as many as you want. You also have an option to import the targets from txt or csv files; you can do that from here. So now that we have gmail.com, let's click on the add target. So that's how easily you add the targets.

Now let's talk about the organization. So in organization, the same way you added the targets, you can click on add organization and then let's just say Google. Now all the targets that are associated with Google, let's say google.com and then let's say gmail.com, so these are associated with Google. So when I add the targets, so when I add the organizations, now I can scan the entire Google organization; that means it includes your Google and Gmail at once, you don't have to scan them individually. That is the logic; we'll see how to do that exactly. So when you go to target now you'll see here actions: you have quick scan and schedule scan. So when you click on schedule scan you can scan in the future. So periodic scan and clocked scan are the two types. So if you say periodic scan: scan every 30 minutes, 30 hours or 30 days, 30 weeks, whatever you want. Similarly you have clocked scan: run the scan exactly at this specific time. And then when you click on next, now you get to choose the scan engine; so this is for your scheduler. Now to do the quick scan it's even more simple: just click on the quick scan and then now you get to choose what kind of scan engine you want to use. Now this is very important. reNgine comes by default with these many scan engines; you can also define it on scan engines, and then we'll see how to do that. So let's click on create engine, and then, yeah, so let's just name it BSides, and then we get to choose what all things this engine has to do: subdomain discovery, screenshots, whether it has to do screenshot gathering or not, you can turn on and off these features. You also get to choose what kind of port scan you want to do, everything here. And if you go down, this is where something very interesting: you have a YAML based configuration here. You get to choose what all you want to perform. So the documentation is there, rengine.wiki, where we have everything, what all we support. This is something where you're going to leverage a lot of these open source tools, so whatever open source tools reNgine supports, you can put it here, saying uses tools and then just put the tool name, and reNgine is going to do that. So if you have multiple of these, reNgine will use multiple of these tools, combine the results and then give it to you. And then you also get to choose minute configurations like threads, whether you want to use configurations or not, and OSINT, whatever you want to look for. So these kinds of things, like very small minor configurations, you will find out everything about this on rengine.wiki. This is the YAML configuration.

Now let's go back. We already have a couple of default ones, so let's just say we only want to do subdomain scan, right? So let's click on subdomain scan and let's click on next. And here this is something which is again interesting: no recon tool is a complete recon tool when you do not give them an option to import and export the recon data, right? So reNgine works flawlessly with other recon tools. If you have your private recon tools and you just want to use them with reNgine, you can do that as well. Suppose right now we're using gmail.com, right? So if you have subdomains already found from your private recon tools, you can just paste them here, separated by new lines; you can paste thousands of them here. And you also get to choose out-of-scope subdomains, so if you do not want certain subdomains to be searched, you can do that here as well. And hopefully in reNgine 1.1 we are also coming with the regex feature, so if you want, okay, I don't want the internal website, if it is starting with something, ending with something, but it has internal in it, I don't want it to touch anything, it's out of scope, so you can do that as well in the future. But right now we do not support regex; you only get to write something like internal.gmail.com and it'll be skipped. So you can click on start scan.

and that's as simple as that so range and will do the uh rest of the things for you so you also get to run uh scans in parallel and then now the scan has already started you also have an option to filter here you can filter it using your organization you also get to filter by the targets stripe.com i have scanned it twice and then you also get to choose based on your scan type this is your scan engine so if i had done it range and recommend it so all of these were done using recommended ones and then based on your scan status as well you can you can filter out these results okay so

let's let's just say which is successful yep so we have three scans which are successful here let's just go to one of them and then we'll see how exactly um the dashboard of this target looks like so this is how exactly it looks if you go inside you get to see this status of this scan right now it's completed it is completed in just 25 minutes we did everything about hacker one the target we had was hacker one you have a timeline here and a recent scan so if you had done this scan more than once you also get to see the scan timeline here and you also get to see how many sub domains were discovered

earlier i've spent a lot of time on the user experience so that you get every information regarding your reconnaissance right in front of your eyes so if you see here earlier in our early scan we had discovered 586 87 subdomains but now and this is the current scan which we have found only 321 so all the required information is right in front of you and interestingly you also click get to click on these timelines and it will take you exactly to the same scan so if i click on this one it opens up a new tab and then you have the old scan that i had done so now this becomes a current scan and this

becomes always scan right so if we go down we have important subdomains i'll talk about this in some time and yes i forgot to mention range and also comes with the recon to do so you also get to write the to-do notes recon what sorry notes whatever you want it is as simple as clicking here you also can attach it to a scan history you also can attach it to your sub domain and you you can also just write it uh you know to do you don't have to attach it to anything else let's just say i need to do procedure and then you can choose what subdomain do you want to attach this to do to so

let's just say uh this one and then just write whatever you want and then add recon to do so now you have already added your recon to do and then if you go to uh subdomains you will get to see all of them this we will come in some time but before that let's go here so now regen has discovered 148 ip addresses and as i said i've spent a lot of time on user experience now when you take your mouse over over here you also get to see what all ports are open so this is just over over here and then all of these are sorted based on the number of ports open you also get to see

Okay, this IP address has two of the ports open. Click on that, a pop-up appears, and then you also get to see which all ports were open. Remember earlier I told you that we also do deeper correlation; this is exactly the deeper correlation. Now, not only the IP address to subdomain, we also tell you how many of the subdomains use this particular IP address, how many of the IP addresses have this particular port open, everything. It's a both-way correlation that's happening here. So if you click on just randomly anything over here, this has zero ports open and this is being used by one of the subdomains, and which says HTTP status 401, right? So that's about IP addresses and discovered ports. We have only discovered two ports open here, that's 80 and 443, on stripe.com. I think we can better go to the other one so we get to see a proper one. Yep, let's go to hackerone.com. Yeah, so here, if you see, reNgine also comes with the highlighting option for uncommon ports. So if your target has a very uncommon port you also get to see that highlighted in red color, which is very easy for you. Again, as I said, a lot of the time as a penetration tester I also don't remember the port numbers and services, so reNgine will tell that for you. If it is 80 and a service is running, it's just going to show you 80 hyphen http. You click on this one, it's going to tell you which all IP addresses have this port open and, sorry, which all subdomains have this particular port open. That's how it works.

Then similarly we also have discovered technologies, and you also get to see how many of the subdomains use these technologies; it's pretty much the same thing. And then dork categories: if you have done dorking, that comes here. Vulnerability summary is here. And let's go down, which is something very important, which is the interesting recon data. Now this interesting recon data is based on the keywords that you have supplied to reNgine. Suppose, let's go to Engine here and let's click on interesting lookup. Yeah, so reNgine by default comes with keywords like admin, ftp, cpanel, dashboard. These are the default keywords which we think are interesting; you also can add your own interesting keywords here. So let's just remove all of these. And by the way, the interesting part is that you also get to define a lookup condition. For me a subdomain is an interesting subdomain only when it has admin.target.com but also has HTTP status 200, because I don't care about other HTTP statuses, I don't care about 404. You can define those lookup conditions here as well. And then you also get to choose where do you want to look up. Do you want to look up in the page title? Because a lot of times when I do pen testing I find admin panels, internal dashboards, in something like helloworld.something.something.com. So if you were to only look for admin or dashboard in the subdomain name you're not going to find it; probably you'll find it in the page content or probably in the page title, right? So reNgine gives you the option for that as well.

So let's just see how it works for a bigger target like facebook.com. Let's go back, and then I'm going to show you in the Facebook one, which has almost 19,000 subdomains. Yep, so here now if we go down you're going to see the interesting recon data here. So reNgine has found out 417 interesting data; let's see what interesting things it has found. Let's just sort it by HTTP status so hopefully we get to see something here. So it has found out cpanel.dns.facebook.com, so you get to see this is one of the valid subdomains. So let's just go to the fifth one probably... oh, as I remember, as I told you we also get to define our conditions, right? So let's just go back here, let's click... let's show me only this interesting subdomain when it has HTTP status 200. Let's see what comes with the Facebook one if we refresh this one. Yep, let's go down. So it has found out one interesting subdomain, which is admin.dns.facebook.com. When I click on this one, okay, it doesn't have anything there. Let's just say, wait a second, click on this one; probably with some of the HTTP statuses we get to see something.

Yup, so it has found 25 of them. Let's click on one of these, let's go. So cpanel is 301 HTTP status, it has ftp, some of the ftp sites are here, you also get to see these listed out. So all of these are interesting because reNgine goes and looks for these keywords like internal, ftp, admin, those kinds of things. And similarly we also get to search for the interesting endpoints. So it says that there is admin.dns something admin; let's see if it has something running here. I don't know what it's saying, okay, the certificate must be invalid, but this is how it looks for the interesting endpoints of subdomains here.

Now let's go to our subdomain tab, where it shows you exactly how we do the correlation and then shows you the recon data. So let's go back here for stripe.com and click on subdomains. Now you're going to see all the results right in front of your eyes. You have status on your left-hand side; I'll talk about status. But if you see the subdomain here, this is your subdomain. We also show you the CNAME records and the technologies that your target is using, and as I said, we do the deeper correlation so you can always click on any of these badges and you can find out which all subdomains use that particular technology. You can do that. The badges that you see are the number of vulnerabilities it has found out; if it has found any critical it's just going to show up here as well, so you do not have to go and look somewhere else in some other tab or some other txt file. And you also have HTTP status here, the title here, IP addresses, ports if it has any open, the content length. You also get to sort these recon results. So suppose if you want to sort based on your content length you can do that; if you want to sort based on the HTTP status you can do that as well. Similarly you also have response time and you also have screenshots. So all of these screenshots will appear right here in front of you; you can click on one of these and it's just going to appear here, right? So that's how it works. You also get to go through these screenshots. That's pretty much here.

So now if your subdomain is an interesting subdomain you also get to see the badges here so that it's very easy for you to look up. Let's just say, let's say "public" is an interesting keyword for me. I'm just going to add up the word here, public, so click on update lookup and then I'll come back here. Yep, so let's go to subdomains.

Yep, so now you see these interesting badges here, right? So reNgine is going to tell you, okay, this subdomain is interesting because we had entered that public is our interesting keyword. And you also have a content type, you also have the web server that's running. That's pretty much here. And as I said to you, you also get to mark your subdomains as important. Like, suppose imagine you're doing a subdomain right now and you just want to continue doing the pen testing or the program with the recon right here from tomorrow, or maybe the other day. So you can just click and mark important, mark important, mark important. You also get to click on the recon note for one particular subdomain. Let's say you're showing that hook or something; you can click and add a recon todo here and then just say lorem ipsum, and then you also get to write whatever notes you want. Add recon todo, so you get to see that badge here if it has any recon notes. You also get to see the badge, you see here, one todo. That means you can click here and then you will find out in the future, and you can come back in the home screen and then you will find all the interesting stuff, the important subdomains that you have marked. So these were the important subdomains that we marked, right? So we have three of the important subdomains, and you also have recon notes, the todo. You can click on one of these and you will see what you have written. You also get to mark this as done, you also get to mark as important; that's totally based on you.

Okay, and then, so let's click on screenshots... oh, by the way, I forgot to talk about what is the most important feature, which is the natural language query search. So let's say I want to search all the subdomains that have HTTP status 200. So it also comes with auto-completion. So let's say http_status equals 200. So if I click here I'll only see all the subdomains that have HTTP status 200. But what is interesting is that you also get to combine your queries. Now when you click here it automatically suggests you, now you get to combine queries like and or or. So let's click on or... sorry, let's click on and, page_title equals admin. Let's see if it has any. It doesn't have any, but we can... let's say okay, it doesn't have, we can combine other queries: and content_length gt, is greater than, zero. So let's see all the subdomains that have HTTP status 200 and content length greater than zero. So now we have come up with two of the subdomains here. So this has, if you see here, it has content length greater than zero and also has HTTP status 200. So you also get to combine other queries; you also get to write here or http_status equals 300, do whatever you want. You also get to do the same thing for your HTTP status with queries like greater than, smaller than. Greater than 300... let's just say greater than 200, so you're only going to see all the HTTP statuses which are more than 200, so it's going to be 300, 400, 500. So you see everything here, right, but 200 is ignored. So it's a lot more powerful than what you see here. Then, you see here, we let you search through CNAME, we let you search if it is an important one, we let you search through page title, through web server, through port. So suppose if you want to search with port, wait a second, port equals 443, so you will see all the subdomains that have port 443 open; you are not going to see any other subdomain which says no ports open. So you see everything here, right? So pretty much every minute detail, you get to filter the results here. That's how it works; everything is here.

And now let's go to screenshots. This is something which I'm really excited to show you. So here in the screenshots, what's going to happen is that you get to filter your screenshots based on your HTTP status, based on your ports, based on everything. And since this is a screenshot gallery you also get to see everything at a glance, so you don't have to go back to the table; if it is not suited for you, you can always come back here and then do that. Let's take a smaller target, because this one has a lot of things and it'll take some time. I think HackerOne has lesser results; let's go to HackerOne, let's click on screenshots. Okay, so it has already come up here. So now you see all of these screenshot galleries, right? So we have made sure that every important piece of information that you want is right here in front of you. This is the page title, this is the subdomain, you click here it takes you to the subdomain. This color code also indicates what exactly is happening, so yellow is redirection or something, and you also get to see these interesting badges here. So if you're glancing through all these screenshots you get every piece of information right in front of you. Interestingly, you also get to filter based on the HTTP status. So let's only see all the screenshots that have HTTP status 200. Yes, it was that simple and that fast, right? And you also can come back, you can combine it with other things. So I want to see all the subdomains that use this particular IP address; that's how it works. And let's see all the subdomains that have http as a service running. So all of these have the http service running. I think better we can go to HackerOne, that might show up better results because this one doesn't have much of the ports. Let's say running service... this also doesn't have much. Anyways, so you also get to filter based on the ports and also technology. So I want to see all the subdomains that use Amazon S3 as a technology; so these are all hosted in S3 buckets. Similarly you also get to see based on all the other technologies; so this is all based on React. So that's how it works. And you also get to do the full screen: you can click on any of these and you'll just see the screenshot, you also get to go forward and backward. That's how it works; that's all about screenshots.

Now, as I said, we also do the endpoint gathering. So for the endpoint gathering I've done it for our bsidescyprus.com. So let's go here and then let's click on the URLs. Now you'll get to see reNgine has done all the endpoint gathering. The same thing, guys, here you also get to filter out all the recon data. Same thing, you also get to filter using your GF patterns, based on your content type, based on the content length, technology, whatever you want. Now, see, we did not find out the technology based on this one particular URL; we find out the technology for a particular subdomain and we tag that to a URL. So that's how all these technologies come here; that's how exactly the correlation works. So if you want to find out all the, you know, content type equals pdf, so I only want to see all the URLs that have pdf. Now you see that, right? It was that simple and that fast. So let's go back here, you'll get to see all of this, and we also use the patterns. So if you see here, interesting extensions: reNgine has found out that you have a couple of these robots.txt and this pdf file, which reNgine thinks is an interesting extension, which you also can customize; we'll get back to that later. Now, which is something very important, let's go back to directories, as reNgine also does directory brute force, but first you're going to see all of them here in a tree-like structure on the right-hand side. This is how it works here as well.

Let's move on to vulnerabilities. Yeah, so this is how the vulnerability tab works. Here in the vulnerabilities you will get to see the vulnerable URL, the severity, if it has a critical one, high, medium severity. Based on the severity your color code also is going to change so that it's very easy for you to look up, and the description of the vulnerability, and if it has any reference you can click and read more and then you'll get back to the reference. And suppose if the vulnerability has been already closed, you also get to click here and then you can mark them as closed. So that's how it works. And the other interesting part is that you also now can report your vulnerabilities directly to HackerOne as well, which we'll see later. You can click on here, report to HackerOne, click on report; if you have attached the team ID it's going to directly send the vulnerability report to HackerOne. We'll come back to that later.

Let's go to the OSINT tab here. So in the OSINT we have employees and people gathering. So these are the people associated with stripe.com, these are the email addresses, and if we have found out any exposed credentials that's going to pop up here. So that's about your employees and exposed credentials. We also do the dorking and metadata; this is pretty much here. And as I said earlier, which is about visualization. So this visualization is something which I've spent a lot of time on. Now see, a good visualization always tells you what is the relationship between the various recon components, right? So now you have bsides.com, so bsidescyprus.com, which is a target; you have two things which are subdomains and OSINT. Now click on subdomains, you get to see all of the subdomains associated with that. So there is one which is color coded green; that means it's a live one, it's HTTP status 200. You click on this one, now you get to see further more, which says IP, endpoints, technologies and vulnerabilities. Click on IP, now you have this IP address. Now click on this IP, you will get to see what all ports are open. Okay, so we have found out that there is 843, which is not a common port, so you get to see that. You click on endpoints, you also get to see all of these endpoints here. Similar thing for technology: so these are a lot of technologies that are being used here. And also the same thing for vulnerabilities, and that also is categorized based on the severity. And you also get to zoom in, zoom out, whatever you want with this visualization. That's pretty much how it works here.

And then the other interesting features: we'll see scheduled scan, I think we already spent some time talking about this one. Vulnerabilities, as I said, this is a common one. So here you're going to see the vulnerabilities for every other target. As you see here we have found out one vulnerability which is of critical severity in stripe.com, which says it has an ftp service with weak credentials. I have blurred this for certain reasons. And then you'll get to see that here; you can always mark them as closed, open, whatever you want. I also will show you a demo on how exactly it sends the report. So let's go back to targets and let's click on stripe. Let me edit this target, and the team handle for any target is exactly stripe... sorry, hackerone.com and then slash stripe, so this is a team handle. And by the way, this is coming for others as well, for Intigriti and for Bugcrowd; this is coming, right now I'm doing the analysis on this one. So let's see, we have already attached the team handle. Let's go to the vulnerabilities, let's click on... so let's go to HackerOne settings here. So by the way, these are our default credentials, these are dummy accounts. You'll have to enter your API token and you'll have to enter your username here, and you also get to choose what all severities you want to automatically report. So if critical severity is found out, reNgine is going to automatically report, and high severity and medium severity. And this is how your report looks. So this is by default; this is again based on your markdown, you can customize your report however you want. These are the syntax that you can customize, do whatever you want, "Hi team", let's just say "testing". So you can define and customize your own report. And the way it reports is that, let's go back to vulnerabilities now that we have already attached our team handle, let's click on report to HackerOne, let's click on report. A lot of the time demos don't actually work... yeah, hopefully... yeah, it worked. So let's go and check my HackerOne account. This is a dummy HackerOne account; let's see if it has reported or not.

Yep, now you get to see it, right? So that's how it works: with just a simple click you get to report this to HackerOne, you can customize the report completely, and this report also can be generated automatically. So suppose if you're doing bounty hunting and if you have clicked on the feature to actually automatically send the report to HackerOne, as soon as it finds out a high or critical severity vulnerability it's just going to report the same exactly to HackerOne. So this is coming for others as well. So let me just close this one, close report, close report. So that's how it works for the vulnerabilities: with just one click you can report the vulnerabilities, and that's pretty much over here. I think we spoke about vulnerabilities enough.

And let's click on todo. So these are the recon todo notes; as I said to you earlier, we see what recon notes we have added, it's going to appear here. You also get to mark them as important, if you're doing the recon and whatever is important, totally important, it will come up over here. You can classify them using done, todo; if you have already done it just click here, just click here, just click here. That's how simple it is, and then if you want to add it from here as well, we give you that option. I think we already spoke about organizations, that is already done; targets we have already spoken about.

So let's go to Engine. Yeah, so when you're doing the brute force we also allow you an option to upload your own custom wordlist. It is as simple as clicking on add new wordlist and then just uploading your txt wordlist. So if you want to do the subdomain brute force, directory brute force, by default, yes, reNgine comes with... I don't remember exactly what wordlist it is, but yes, it comes with a wordlist which is well and good, but if you want to add your own custom wordlist you also get to add that here. I think that's pretty much about wordlists.

Proxies, yeah. So if you click on settings and then click use proxy, you can add as many proxies as you want, and reNgine is just going to pick up one of these from here and it's going to use one of these proxies to do the vulnerability scan, subdomain gathering, or doing the HTTP probe, or whatever you want. So reNgine also supports proxies.

And let's click on tool settings. I don't know how many of you have used gf and tools like nuclei and tools like subfinder. The best part about reNgine is that a lot of these recon tools tell you to go and edit these configurations here and there and here and there, right? So reNgine comes with an option for you to do everything right here from the UI, and once you have done it, it works flawlessly for every other target. So if you see here, GF patterns, you get to add your GF patterns here. You upload, you uploaded GF patterns, you also get to see what GF patterns you're using to search for. I mean, a lot of you might be already using GF patterns to search for patterns like, you know, SSRF, SSTI, whatever it is. So you also get to operate custom GF patterns right from here. And then I don't know how many of you have used nuclei; it's an amazing tool for vulnerability scanning, community-powered templates. So you also get to upload your custom nuclei templates right from here, and you also get to update your custom config files, so you don't have to actually log into Docker, log into this, log into that, and update your configuration files; you can do it right from here. And every other tool that we use, you can change your configurations from here; similarly for amass and all of these tools here. Everything is central here.

I think we have come towards the end; that's pretty much here. And HackerOne settings, as I already showed to you, you just need two things here: that's your username and that's your API token. Okay, that's all you need. And then, wait a second, let me revoke that. Yeah, so you just need two things here, that's your username and your API token. Now that you have your API token you can click here, you also get to see whether your API token works or not. Yes, it's working for us. And then you choose what vulnerabilities you want to report and write your own template, whatever you want, and click on save. That's as simple as that.

And now notification settings. Again, this is something that's going to be useful for you. We allow you to send notifications to Slack, Discord and Telegram. So things like if it has initiated the scan, scan completed, those also are going to be sent. You also get to choose what all has to be sent to you: if it finds out an interesting subdomain it's going to report those things, subdomain changes, so if it has found out subdomain changes... oh, I forgot to talk about subdomain changes. Let me go back. So subdomain changes is when reNgine has found out... so if you see here, I have done stripe.com twice. Let me show you, stripe.com I have scanned twice; in the earlier one it had found out 587 subdomains and later it found only 321. Let's see what happens when I go to this one. So it says that, yeah, so it says that I have 266 subdomains that have changed. So you get to see what all has happened, removed or added. So if it has newly appeared you also get to see that here; if it has been removed you also get to see that here. Pretty much that's all about subdomain changes. In the future we'll also have continuous monitoring, where if port number 80 was not open in yesterday's scan and now if it is open we also will notify you of that. That's coming, that's coming very soon.

So this is about upload scan results. So suppose if you want to upload the whole txt, subdomain.txt file, you also get to do that here. And as I said earlier, no recon tool is a complete recon tool without giving you an option to actually import and export. So we also have an option for you to download the results right from here. Click on this download button, you get to say download all subdomains, so you will see here whether you want to copy or whether you want to download this txt. So now you see that I have downloaded it as a txt file, right? So you also get to copy and paste it into your other recon tools; it's simple. So you also have an option to download only the important subdomains. Okay, so that's all about here.

And then I think that's pretty much... and we also have reNgine settings. Of course this is very simple but it's going to be useful. A lot of people host reNgine on a VPS, and a lot of complaints that we heard from people were that, with the recon data that reNgine stores, a lot of times your VPS has only 20 gigs of storage, 80 gigs of storage, and that gets full very soon. So you also get to clean all of your scan results, all of your screenshots, right from here; just click here, delete, and it does that. Mostly in the user experience, that's pretty much. I think we have come towards the end. You also have an option for dark mode, so if you're a fan of dark mode you're going to enjoy this feature.

And yeah, I'll show you a quick, wait a second, glimpse of what is coming in reNgine 1.1. So if you see the screen right now, the report that you see, this is automatically generated by reNgine. So this is a full scan report that I was working on for hackerone.com, and if you see this is a proper... I won't say pen testing report, but I would say more of a vulnerability assessment report, okay. So if you come down here, now you have this table of contents; trust me, everything here is just done with one click. And this quick summary, everything is working. Let's go to quick summary. So now you get to see here it has found 25 subdomains, 11 endpoints, 182 vulnerabilities, and then your vulnerabilities are classified here as well, and the timeline of the assessment, just like how you make on the actual report. You also have interesting recon data here, everything is going to come up here, and the summary of the vulnerabilities that are identified. So vulnerability name and the times that it is identified; we sort based on the severity and then the times identified, so that's why you see the critical one here and then the informational down there even though they have the highest count. So if you go down you're going to see the discovered assets. This is very, very important if your organization just wants to find out how many assets we have. So we have found 25 subdomains, and you also will have an option whether you want detailed information about each of these subdomains. Suppose if you see this reconnaissance finding, this is our subdomain, the page title and the IP addresses and the open ports. This is just for a PDF report that you want to submit to executives or even to developers, and the vulnerabilities that we have identified in this particular subdomain. This is the proper report. If you go down you'll find out the vulnerabilities discovered; so this section reports the security issues found during the audit. So all of these that you see here, these are found during the audit. The color coding makes it very, very simple and easy for you to find out what exactly is happening. And then that's pretty much. So you also have an option to write your own executive summary if you want; you can do that as well.

And that's pretty much. So if you have any questions please do ask me; I have come towards the end of my talk, and if you have any feature requests I also am open for feature requests.
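The interesting-subdomain lookup (keywords, where to look, an HTTP-status lookup condition) and the and/or/not query search shown in the demo above, modelled as an added example that is not reNgine's own code. The record fields, the constructed sample records and the rule that text fields use case-insensitive substring matching are assumptions.

```python
"""Added example (not reNgine's code): a small model of the interesting lookup
and the query search demonstrated in the talk.  Field names, sample records
and the substring-match rule for text fields are assumptions."""
import re
from dataclasses import dataclass, field


@dataclass
class Subdomain:
    name: str
    http_status: int
    page_title: str
    content_length: int
    ports: list = field(default_factory=list)
    page_content: str = ""
    cname: str = ""
    web_server: str = ""


# Constructed sample recon records, not real scan output.
RECORDS = [
    Subdomain("www.example.test", 200, "Example", 5120, [80, 443], "welcome", "", "nginx"),
    Subdomain("admin.dns.example.test", 200, "Login", 0, [443], "", "", "nginx"),
    Subdomain("cpanel.example.test", 301, "Moved", 162, [80, 443, 2083], "", "", "apache"),
    Subdomain("helloworld.example.test", 200, "Internal Dashboard", 9100, [443], "panel", "", "nginx"),
    Subdomain("ftp.example.test", 404, "Not Found", 0, [21, 80], "", "", "apache"),
    Subdomain("public.example.test", 200, "Files", 4200, [443], "listing", "cdn.example.test", "cloudfront"),
]

# The default keywords mentioned in the talk.
DEFAULT_KEYWORDS = ("admin", "ftp", "cpanel", "dashboard")


def interesting(records, keywords=DEFAULT_KEYWORDS, lookup_in=("name",), http_status=None):
    """Interesting lookup: a record qualifies when any keyword occurs
    (case-insensitively) in one of the fields named in lookup_in and, if an
    http_status lookup condition is given, its status equals that value."""
    hits = []
    for r in records:
        if http_status is not None and r.http_status != http_status:
            continue
        haystack = " ".join(getattr(r, f).lower() for f in lookup_in)
        if any(k.lower() in haystack for k in keywords):
            hits.append(r)
    return hits


# One clause: optional "not", a field, an operator (=, gt, lt) and a value.
CLAUSE = re.compile(r"^(not\s+)?(\w+)\s*(=|gt|lt)\s*(\S+)$", re.IGNORECASE)


def _match(r, field_name, op, value):
    """Evaluate a single clause against one record."""
    if field_name == "port":                   # port=443: 443 is among the open ports
        return int(value) in r.ports
    if not hasattr(r, field_name):
        raise ValueError(f"unknown field: {field_name}")
    actual = getattr(r, field_name)
    if isinstance(actual, int):                # numeric fields support =, gt, lt
        wanted = int(value)
        return {"=": actual == wanted, "gt": actual > wanted, "lt": actual < wanted}[op]
    if op != "=":
        raise ValueError(f"{op} is only valid on numeric fields")
    return value.lower() in actual.lower()     # assumption: substring match for text


def _clause_ok(r, clause):
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"cannot parse clause: {clause!r}")
    negate, field_name, op, value = m.groups()
    ok = _match(r, field_name.lower(), op.lower(), value)
    return not ok if negate else ok


def query(records, text):
    """Filter records with a query such as
    'http_status=200 and content_length gt 0 or port=443'.
    'or' binds loosest, so the query is read as (A and B) or C."""
    groups = [re.split(r"\s+and\s+", g, flags=re.IGNORECASE)
              for g in re.split(r"\s+or\s+", text.strip(), flags=re.IGNORECASE)]
    return [r for r in records
            if any(all(_clause_ok(r, c) for c in grp) for grp in groups)]


def names(records):
    """Subdomain names of a result list, in record order."""
    return [r.name for r in records]


if __name__ == "__main__":
    print(names(interesting(RECORDS, http_status=200)))
    print(names(query(RECORDS, "http_status=200 and content_length gt 0")))
```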