Cyber security

CloudRecon – Uncovering Hidden Cloud Assets With SSL Certificate Analysis

In the ever-evolving landscape of cybersecurity, red teamers and bug hunters are constantly seeking new tools to aid in their campaigns and hunts.

CloudRecon, a powerful suite of tools presented at DEFCON 31 by Gunnar Andrews and Jason Haddix, is one such solution.

This article explores how CloudRecon empowers security professionals to discover ephemeral and development assets within cloud infrastructures by leveraging SSL certificate analysis.

With its three-part toolkit, CloudRecon promises to be a valuable addition to the arsenal of those exploring the cloud for hidden gems.

Install

** You must have CGO enabled, and may have to install gcc to run CloudRecon**

sudo apt install gcc
go install github.com/g0ldencybersec/CloudRecon@latest

Usage

MAIN

Usage: CloudRecon scrape|store|retr [options]

  -h    Show the program usage message

Subcommands: 

        cloudrecon scrape - Scrape given IPs and output CNs & SANs to stdout
        cloudrecon store - Scrape and collect Orgs,CNs,SANs in local db file
        cloudrecon retr - Query local DB file for results

SCRAPE

scrape [options] -i <IPs/CIDRs or File>
  -a    Add this flag if you want to see all output including failures
  -c int
        How many goroutines running concurrently (default 100)
  -h    print usage!
  -i string
        Either IPs & CIDRs separated by commas, or a file with IPs/CIDRs on each line (default "NONE"                                                                                                                         )
  -p string
        TLS ports to check for certificates (default "443")
  -t int
        Timeout for TLS handshake (default 4)

STORE

store [options] -i <IPs/CIDRs or File>
  -c int
        How many goroutines running concurrently (default 100)
  -db string
        String of the DB you want to connect to and save certs! (default "certificates.db")
  -h    print usage!
  -i string
        Either IPs & CIDRs separated by commas, or a file with IPs/CIDRs on each line (default "NONE")
  -p string
        TLS ports to check for certificates (default "443")
  -t int
        Timeout for TLS handshake (default 4)

RETR

retr [options]
  -all
        Return all the rows in the DB
  -cn string
        String to search for in common name column, returns like-results (default "NONE")
  -db string
        String of the DB you want to connect to and save certs! (default "certificates.db")
  -h    print usage!
  -ip string
        String to search for in IP column, returns like-results (default "NONE")
  -num
        Return the Number of rows (results) in the DB (By IP)
  -org string
        String to search for in Organization column, returns like-results (default "NONE")
  -san string
        String to search for in common name column, returns like-results (default "NONE")
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

13 hours ago

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…

13 hours ago

My Awesome List : Tools And Their Functions

"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…

13 hours ago

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…

13 hours ago

Chrome Browser Exploitation, Part 1 : Introduction To V8 And JavaScript Internals

The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…

14 hours ago

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…

16 hours ago