
Scoping in KIS

Chopicalqui edited this page Feb 25, 2022 · 5 revisions

Introduction

In penetration tests or bug bounty programs testing according to the scope can be challenging and time-consuming due to the sometimes complex relationships between the in-scope domain names and the in-scope IPv4/IPv6 addresses.

The following figure illustrates the various relationships between domain names and IPv4/IPv6 addresses:

[Figure: Variations of scopes]

In addition, the following DNS zone transfer of megacorpone.com provides a practical example of relationships between domain names and IPv4 addresses, which is used throughout this section:

$ dig -t axfr  MEGACORPONE.COM @51.222.39.63

; <<>> DiG 9.17.19-3-Debian <<>> -t axfr MEGACORPONE.COM @51.222.39.63
;; global options: +cmd
[...]
megacorpone.com.	300	IN	MX	10 fb.mail.gandi.net.
megacorpone.com.	300	IN	MX	20 spool.mail.gandi.net.
[...]
admin.megacorpone.com.	300	IN	A	51.222.169.208
beta.megacorpone.com.	300	IN	A	51.222.169.209
fs1.megacorpone.com.	300	IN	A	51.222.169.210
intranet.megacorpone.com. 300	IN	A	192.168.10.11
mail.megacorpone.com.	300	IN	A	51.222.169.212
mail2.megacorpone.com.	300	IN	A	51.222.169.213
router.megacorpone.com.	300	IN	A	51.222.169.214
siem.megacorpone.com.	300	IN	A	51.222.169.215
snmp.megacorpone.com.	300	IN	A	51.222.169.216
syslog.megacorpone.com.	300	IN	A	51.222.169.217
support.megacorpone.com. 300	IN	A	51.222.169.218
test.megacorpone.com.	300	IN	A	51.222.169.219
vpn.megacorpone.com.	300	IN	A	51.222.169.220
ns1.megacorpone.com.	300	IN	A	51.79.37.18
ns2.megacorpone.com.	300	IN	A	51.222.39.63
ns3.megacorpone.com.	300	IN	A	66.70.207.180
www.megacorpone.com.	300	IN	A	149.56.244.87
www2.megacorpone.com.	300	IN	A	149.56.244.87
[...]
$ ipcalc 51.222.169.208/29 -b
[...]
Network:   51.222.169.208/29
HostMin:   51.222.169.209
HostMax:   51.222.169.214
Broadcast: 51.222.169.215
Hosts/Net: 6                     Class A
[...]

For example, there might be domain names (e.g., doesnotexist.megacorpone.com) that do not resolve to any IPv4/IPv6 address (see 3), while other domain names (e.g., admin.megacorpone.com) resolve to IPv4 addresses (see 2.a), to IPv6 addresses (see 2.b), or to both (see 2.c). Finally, there are IPv4/IPv6 addresses (see 1.a and 1.b) to which no domain name resolves. These possibilities are important to understand because the following scoping possibilities can be derived from them:

  1. The simplest scope just comprises single IP addresses/networks in the IPv4 and/or IPv6 address space (e.g., 51.222.169.208/29) and the domain name space is completely out of scope. Looking at the figure above, this just comprises the entire set of 1.a and/or 1.b (in this case the domain name space cycle is fully ignored). In our opinion, just testing the IP address level is an outdated approach and should be replaced by the next point.
  2. Like 1 but any domain name (e.g., beta.megacorpone.com, fs1.megacorpone.com, intranet.megacorpone.com, mail.megacorpone.com, mail2.megacorpone.com, router.megacorpone.com) that resolves to an in-scope IP address (e.g., 51.222.169.208/29) is in scope as well. In the figure above, this comprises the entire IPv4 and/or IPv6 address space (see sets 1.a and/or 1.b) as well as the domain names that intersect with the IPv4 and/or IPv6 address space (see intersects 2.a, 2.b and/or 2.c).
  3. Specific second-level domains or specific sub-level domains (e.g., ns1.megacorpone.com and ns3.megacorpone.com) are in scope but only those IPv4 and/or IPv6 addresses (e.g., 51.79.37.18 and 66.70.207.180) are in scope to which the mentioned in-scope domain names resolve. Usually, this scope just comprises the domain names and IPv4/IPv6 addresses that intersect each other (see intersects 2.a, 2.b and/or 2.c).
  4. Finally, there are domain names (see 3) (e.g., intranet.megacorpone.com) that either do not resolve to any IPv4/IPv6 addresses or resolve to IP addresses (e.g., 192.168.10.11) that are not accessible from our current testing location. Although they are not accessible, they still might be important for virtual host (vhost) enumeration. As a result, it is important to know whether they are in scope as well.

Scope definitions in KIS

Scoping is an essential feature of KIS to address the previously mentioned scoping possibilities. Before diving into KIS' scoping mechanism, it is important to understand the collection types that are supported by KIS:

Types of KIS collectors

  • Passive: Passive collections do not directly interact with the targets but obtain the information from third-party sources like whois or Project Sonar. By default, KIS automatically executes these collections on any in- and out-of-scope item and, therefore, no scoping is required.
  • Active: Active collections directly interact with the targets, for example by actively scanning them. Thus, in contrast to passive collections, this type of collection requires permission from the target's owner and, therefore, KIS does not automatically perform active collections unless the targets are explicitly marked as in scope.
  • Active*: Active* collections are actually passive collections. Nevertheless, as access to some third-party sources is limited (e.g., querying certain sources like shodan.io costs credits), they are treated like active collectors and, as a result, targets must be marked as in scope in order to perform active* collections on them.

Scope types

The following figure shows KIS' data and collection model; the blue rectangles mark the items on which scopes can be defined using the script kismanage:

[Figure: KIS' data and collection model]

The following subsections document how the various scopes can be implemented in KIS using the above DNS zone transfer dump as an example.

A. IPv4/IPv6 networks and addresses

For IPv4/IPv6 networks (see full sets 1.a and 1.b in the above figure) the following scope types can be set:

  • all: Sets the given IP network (e.g., 51.222.169.208/29) together with all IP addresses (e.g., 51.222.169.208 - 51.222.169.215) that are within this network range automatically in scope. As a result, KIS automatically executes any active and active* collectors on such IP networks and IP addresses (including their services).

    This scope type is useful during penetration tests where the scope is limited to certain IP networks and all their IP addresses (see Point 1 in section Introduction).

    The following listing provides an example of how this scope type is set during the initial intel collection.

    # initialize new database
    docker exec -t kaliintelsuite kismanage database --drop --init
    
    # create a new workspace megacorpone
    docker exec -it kaliintelsuite kismanage workspace -a megacorpone
    
    # add the network 51.222.169.208/29 to megacorpone example and set the scope to all (default)
    docker exec -t kaliintelsuite kismanage network -w megacorpone -a 51.222.169.208/29
    
    # add new IP addresses to workspace megacorpone.
    docker exec -it kaliintelsuite kismanage host -w megacorpone -a 66.70.207.180 51.222.169.208 51.222.169.214 51.222.169.215 51.222.39.63
    
    # add HTTPS services to all previously added IP addresses (usually we would import nmap scan results)
    docker exec -it kaliintelsuite kismanage service -a -w megacorpone --tls --port 443 --protocol tcp --host 66.70.207.180 51.222.169.208 51.222.169.214 51.222.169.215 51.222.39.63
    
    # verify the correct calculation of the scope
    docker exec -it kaliintelsuite bash
    (.venv) kis_shell> kisreport service -w megacorpone --csv | csvcut -c "IP Address (Host)","In Scope (Host)","Service (SRV)","Network (NW)","Scope (NW)" | csvlook
    | IP Address (Host) | In Scope (Host) | Service (SRV) | Network (NW)      | Scope (NW) |
    | ----------------- | --------------- | ------------- | ----------------- | ---------- |
    | 51.222.39.63      |           False | tcp/443       |                   |            |
    | 51.222.169.208    |            True | tcp/443       | 51.222.169.208/29 | all        |
    | 51.222.169.214    |            True | tcp/443       | 51.222.169.208/29 | all        |
    | 51.222.169.215    |            True | tcp/443       | 51.222.169.208/29 | all        |
    | 66.70.207.180     |           False | tcp/443       |                   |            |
    (.venv) kis_shell> exit
    
    # verify that kiscollect only executes active DNS reverse lookups and nikto scanning on in-scope IP addresses and services
    docker exec -it kaliintelsuite kiscollect -w megacorpone --httpnikto --dnsreverselookup -S
    /usr/bin/host -4 51.222.169.208
    /usr/bin/host -4 51.222.169.214
    /usr/bin/host -4 51.222.169.215
    /usr/bin/nikto -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" -ssl -Tuning 12357b -no404 -nointeractive -host https://51.222.169.208
    /usr/bin/nikto -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" -ssl -Tuning 12357b -no404 -nointeractive -host https://51.222.169.214
    /usr/bin/nikto -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" -ssl -Tuning 12357b -no404 -nointeractive -host https://51.222.169.215
  • strict: Sets the scope of the given IP network (e.g., 51.222.169.208/29) to strict. In contrast to type all, the network itself is not in scope and IP addresses within this network range (e.g., 51.222.169.208) are not automatically in scope, unless they are explicitly added. As a result, KIS only automatically executes active or active* collectors on IP addresses that are explicitly added to the scope.

    This scope type is useful during penetration tests where the scope is limited to certain IP addresses within a given network.

    The following listing provides an example of how this scope type is set during the initial intel collection setup:

    # initialize new database
    docker exec -t kaliintelsuite kismanage database --drop --init
    
    # create a new workspace megacorpone
    docker exec -it kaliintelsuite kismanage workspace -a megacorpone
    
    # add the network 51.222.169.208/29 to workspace megacorpone and set the scope to strict
    docker exec -it kaliintelsuite kismanage network -w megacorpone -a 51.222.169.208/29 -s strict
    
    # add new IP addresses 51.222.39.63 and 51.222.169.215 to workspace megacorpone and try to set them in scope (default)
    docker exec -it kaliintelsuite kismanage host -w megacorpone -a 51.222.39.63 51.222.169.215
    
    # simulate the creation of a new host 51.222.169.214 in workspace via a collector by manually inserting a new host.
    # this won't automatically set the IP address 51.222.169.214 in scope.
    docker exec -i kaliinteldb psql -U kis -d kis -c "INSERT INTO host(workspace_id, address, is_up, creation_date) VALUES (1, '51.222.169.214', TRUE, NOW());"
    INSERT 0 1
    
    # add an HTTPS service to all previously added IP addresses (usually we would import nmap scan results)
    docker exec -it kaliintelsuite kismanage service -a -w megacorpone --tls --port 443 --protocol tcp --host 51.222.39.63 51.222.169.214 51.222.169.215
    
    # verify the correct calculation of the scope
    docker exec -it kaliintelsuite bash
    (.venv) kis_shell> kisreport service -w megacorpone --csv | csvcut -c "IP Address (Host)","In Scope (Host)","Service (SRV)","Network (NW)","Scope (NW)" | csvlook
    | IP Address (Host) | In Scope (Host) | Service (SRV) | Network (NW)      | Scope (NW) |
    | ----------------- | --------------- | ------------- | ----------------- | ---------- |
    | 51.222.39.63      |           False | tcp/443       |                   |            |
    | 51.222.169.214    |           False | tcp/443       | 51.222.169.208/29 | strict     |
    | 51.222.169.215    |            True | tcp/443       | 51.222.169.208/29 | strict     |
    (.venv) kis_shell> exit
    
    # verify that kiscollect only executes active DNS reverse lookups and nikto scanning on in-scope IP addresses and services
    docker exec -it kaliintelsuite kiscollect -w megacorpone --httpnikto --dnsreverselookup -S
    /usr/bin/host -4 51.222.169.215
    /usr/bin/nikto -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" -ssl -Tuning 12357b -no404 -nointeractive -host https://51.222.169.215
  • exclude (default): Sets the given IP network (e.g., 51.222.169.208/29) together with all IP addresses (e.g., 51.222.169.215) that are within this network range out of scope. As a result, KIS does not execute any active and active* collectors on this IP network and its IP addresses anymore.

    # following up on the previous example, we exclude the entire network `51.222.169.208/29` from the megacorpone scope
    docker exec -it kaliintelsuite kismanage network -w megacorpone -s exclude 51.222.169.208/29
    
    # verify the correct calculation of the updated scope
    docker exec -it kaliintelsuite bash
    (.venv) kis_shell> kisreport service -w megacorpone --csv | csvcut -c "IP Address (Host)","In Scope (Host)","Service (SRV)","Network (NW)","Scope (NW)" | csvlook
    | IP Address (Host) | In Scope (Host) | Service (SRV) | Network (NW)      | Scope (NW) |
    | ----------------- | --------------- | ------------- | ----------------- | ---------- |
    | 51.222.39.63      |           False | tcp/443       |                   |            |
    | 51.222.169.214    |           False | tcp/443       | 51.222.169.208/29 | exclude    |
    | 51.222.169.215    |           False | tcp/443       | 51.222.169.208/29 | exclude    |
    (.venv) kis_shell> exit
    
    # verify that kiscollect only executes active DNS reverse lookups and nikto scanning on in-scope IP addresses and services
    docker exec -it kaliintelsuite kiscollect -w megacorpone --httpnikto --dnsreverselookup -S
    (no output)

    Note that this scope type is the default type for all IP networks and IP addresses that are automatically identified by KIS (e.g., via whois, DNS resolution, etc.). Thus, it is not necessary to explicitly set this scope type. Nevertheless, this scope type can be used to manually exclude IP networks at a later time.

  • vhost: Refer to subsection C for more information.

B. Host names

For host names (see full set 3 in the above figure), the same scope types as for IPv4/IPv6 networks (see above) exist. Their mode of operation is described below:

  • all: Sets the given second-level domain (e.g., megacorpone.com) together with all sub-domains (e.g., www.megacorpone.com) in scope. As a result, KIS automatically executes any active and active* collectors on such host names.

    The following listing provides an example of how this scope type is set during the initial intel collection setup:

    # initialize new database
    docker exec -t kaliintelsuite kismanage database --drop --init
    
    # create a new workspace megacorpone
    docker exec -it kaliintelsuite kismanage workspace -a megacorpone
    
    # simulate the creation of a new second-level domain in workspace megacorpone via a collector by manually inserting a new second-level domain.
    docker exec -i kaliinteldb psql -U kis -d kis -c "INSERT INTO domain_name(workspace_id, name, creation_date) VALUES (1, 'gandi.net', NOW());"
    INSERT 0 1
    docker exec -i kaliinteldb psql -U kis -d kis -c "INSERT INTO host_name(domain_name_id, name, creation_date) VALUES (1, NULL, NOW());"
    INSERT 0 1
    
    # add the second-level domain megacorpone.com to workspace megacorpone and set the scope to all (default)
    docker exec -it kaliintelsuite kismanage domain -w megacorpone -a megacorpone.com
    
    # add new host names to workspace megacorpone. Thereby, all sub-level domains of megacorpone.com become automatically in scope due to the second-level 
    # domain's scope all
    docker exec -it kaliintelsuite kismanage hostname -w megacorpone -a mail.gandi.net siem.megacorpone.com support.megacorpone.com syslog.megacorpone.com
    
    # verify the initial setup
    docker exec -it kaliintelsuite bash
    (.venv) kis_shell> kisreport hostname -w megacorpone --csv | csvcut -c "Host Name (HN)","In Scope (HN)","Second-Level Domain (SLD)","Scope (SLD)" | csvlook
    | Host Name (HN)          | In Scope (HN) | Second-Level Domain (SLD) | Scope (SLD) |
    | ----------------------- | ------------- | ------------------------- | ----------- |
    | gandi.net               |         False | gandi.net                 | exclude     |
    | mail.gandi.net          |         False | gandi.net                 | exclude     |
    | megacorpone.com         |          True | megacorpone.com           | all         |
    | siem.megacorpone.com    |          True | megacorpone.com           | all         |
    | support.megacorpone.com |          True | megacorpone.com           | all         |
    | syslog.megacorpone.com  |          True | megacorpone.com           | all         |
    (.venv) kis_shell> exit
    
    # verify that kiscollect only executes active DNS bruteforcing and DNS lookups on in-scope second-level domains
    docker exec -it kaliintelsuite kiscollect -w megacorpone --dnsgobuster --dnshost -S
    /usr/bin/gobuster dns -i -z -q --wildcard -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -d megacorpone.com
    /usr/bin/host siem.megacorpone.com
    /usr/bin/host support.megacorpone.com
    /usr/bin/host syslog.megacorpone.com
    /usr/bin/host megacorpone.com
  • strict: Sets the given second-level domains (e.g., megacorpone.com) in scope. In contrast to type all, any sub-level domains (e.g., www.megacorpone.com) are not automatically in scope, unless they are explicitly added. As a result, KIS only automatically executes any active or active* collectors on sub-level domains that are explicitly added to the scope.

    The following listing provides an example of how this scope type is set during the initial intel collection setup:

    # initialize new database
    docker exec -t kaliintelsuite kismanage database --drop --init
    
    # create a new workspace megacorpone
    docker exec -it kaliintelsuite kismanage workspace -a megacorpone
    
    # add the second-level domain megacorpone.com to workspace megacorpone and set the scope to strict
    docker exec -it kaliintelsuite kismanage domain -w megacorpone -a megacorpone.com -s strict
    
    # simulate the creation of the sub-domain siem.megacorpone.com in workspace megacorpone via a collector by manually inserting a new host name.
    # this won't automatically set the host name siem.megacorpone.com in scope.
    docker exec -i kaliinteldb psql -U kis -d kis -c "INSERT INTO host_name(domain_name_id, name, creation_date) VALUES (1, 'siem', NOW());"
    INSERT 0 1
    
    # add new host names to workspace megacorpone. They are automatically in scope due to kismanage's default value.
    docker exec -it kaliintelsuite kismanage hostname -w megacorpone -a support.megacorpone.com syslog.megacorpone.com
    
    # verify the initial setup
    # note that KIS treats the second-level domain megacorpone.com also as a host name. As it has not been explicitly put in scope, it is still out of scope.
    docker exec -it kaliintelsuite bash
    (.venv) kis_shell> kisreport hostname -w megacorpone --csv | csvcut -c "Host Name (HN)","In Scope (HN)","Second-Level Domain (SLD)","Scope (SLD)" | csvlook
    | Host Name (HN)          | In Scope (HN) | Second-Level Domain (SLD) | Scope (SLD) |
    | ----------------------- | ------------- | ------------------------- | ----------- |
    | megacorpone.com         |         False | megacorpone.com           | strict      |
    | siem.megacorpone.com    |         False | megacorpone.com           | strict      |
    | support.megacorpone.com |          True | megacorpone.com           | strict      |
    | syslog.megacorpone.com  |          True | megacorpone.com           | strict      |
    (.venv) kis_shell> exit
    
    # verify that kiscollect only executes active DNS bruteforcing and DNS lookups on in-scope second-level domains
    docker exec -it kaliintelsuite kiscollect -w megacorpone --dnsgobuster --dnshost -S
    /usr/bin/host support.megacorpone.com
    /usr/bin/host syslog.megacorpone.com
  • exclude: Sets the given second-level domains (e.g., megacorpone.com) together with all sub-level domains out of scope. As a result, KIS does not execute any active and active* collectors on these second-level domains.

    # following up on the previous example, we exclude the second-level domain megacorpone.com from the megacorpone scope
    docker exec -it kaliintelsuite kismanage domain -w megacorpone -s exclude megacorpone.com
    
    # verify the correct calculation of the updated scope
    docker exec -it kaliintelsuite bash
    (.venv) kis_shell> kisreport hostname -w megacorpone --csv | csvcut -c "Host Name (HN)","In Scope (HN)","Second-Level Domain (SLD)","Scope (SLD)" | csvlook
    | Host Name (HN)          | In Scope (HN) | Second-Level Domain (SLD) | Scope (SLD) |
    | ----------------------- | ------------- | ------------------------- | ----------- |
    | megacorpone.com         |         False | megacorpone.com           | exclude     |
    | siem.megacorpone.com    |         False | megacorpone.com           | exclude     |
    | support.megacorpone.com |         False | megacorpone.com           | exclude     |
    | syslog.megacorpone.com  |         False | megacorpone.com           | exclude     |
    (.venv) kis_shell> exit
    
    # verify that kiscollect only executes active DNS bruteforcing and DNS lookups on in-scope second-level domains
    docker exec -it kaliintelsuite kiscollect -w megacorpone --dnsgobuster --dnshost -S

    Note that this scope type is the default type for all second-level domains and their sub-level domains that are automatically identified by KIS (e.g., via extraction from certificates, etc.). Thus, it is not necessary to explicitly set this scope type. Nevertheless, this scope type can be used to manually exclude second-level domains at a later time.

  • vhost: Refer to subsection C for more information.

C. Virtual hosts

KIS supports scanning virtual hosts (vhosts) by using tools like Nikto or Burp Suite Professional (see argument --vhost of script kiscollect). For the successful execution, KIS automatically calculates the vhosts' scopes based on the already defined scopes for IPv4/IPv6 networks and host names (see previous subsections). A vhost is in scope only if both the host name and the IPv4/IPv6 address to which the host name resolves are in scope; only then does kiscollect perform active and active* collections on it.
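To make the rules of subsections A, B and C concrete, the following added example (not KIS's own code; the Workspace class and its methods are a simplified model written for this page) reproduces the "In Scope" columns of the kisreport tables above for the scope types all, strict, exclude and vhost, using the addresses and host names from the zone transfer at the top of the page:

```python
import ipaddress

ALL, STRICT, EXCLUDE, VHOST = "all", "strict", "exclude", "vhost"


class Workspace:
    """Stand-in for a KIS workspace (this model is an assumption, not KIS's data model)."""

    def __init__(self):
        self.networks = {}    # ip_network -> scope type
        self.hosts = {}       # ip_address -> True if explicitly added (kismanage host -a)
        self.domains = {}     # second-level domain -> scope type
        self.host_names = {}  # host name -> True if explicitly added (kismanage hostname -a)
        self.records = {}     # host name -> set of ip_address (resolved A/AAAA records)

    # data entry, mirroring kismanage network / host / domain / hostname
    def add_network(self, cidr, scope=ALL):
        self.networks[ipaddress.ip_network(cidr)] = scope

    def add_host(self, ip, explicit=True):
        # explicit=False models a host created by a collector (the psql INSERT on the page)
        ip = ipaddress.ip_address(ip)
        self.hosts[ip] = explicit or self.hosts.get(ip, False)

    def add_domain(self, sld, scope=ALL):
        self.domains[sld] = scope
        self.host_names.setdefault(sld, False)  # KIS treats the SLD itself as a host name too

    def add_host_name(self, name, explicit=True):
        self.host_names[name] = explicit or self.host_names.get(name, False)
        self.records.setdefault(name, set())

    def add_record(self, name, ip):
        """A resolved A/AAAA record, as a DNS collector would store it (nothing is explicit)."""
        self.add_host_name(name, explicit=False)
        self.add_host(ip, explicit=False)
        self.records[name].add(ipaddress.ip_address(ip))

    # lookups
    def network_of(self, ip):
        """Most specific known network containing ip, or None (then the address is out of scope)."""
        nets = [n for n in self.networks if ip in n]
        return max(nets, key=lambda n: n.prefixlen) if nets else None

    def sld_of(self, name):
        for sld in self.domains:
            if name == sld or name.endswith("." + sld):
                return sld
        return None

    # scope calculation (subsections A, B and C)
    def host_in_scope(self, ip, follow_vhost=True):
        ip = ipaddress.ip_address(ip)
        scope = self.networks.get(self.network_of(ip), EXCLUDE)
        if scope == ALL:        # the network and every address in it
            return True
        if scope == STRICT:     # only explicitly added addresses
            return self.hosts.get(ip, False)
        if scope == VHOST and follow_vhost:  # only addresses an in-scope host name resolves to
            return any(ip in ips and self.host_name_in_scope(hn, follow_vhost=False)
                       for hn, ips in self.records.items())
        return False            # exclude, unknown network, or vhost-on-vhost (no fixed point)

    def host_name_in_scope(self, name, follow_vhost=True):
        sld = self.sld_of(name)
        scope = self.domains.get(sld, EXCLUDE)
        if scope == ALL:        # the SLD and every sub-domain
            return True
        if scope == STRICT:     # only explicitly added host names (the SLD included)
            return self.host_names.get(name, False)
        if scope == VHOST and follow_vhost and name != sld:  # resolves to an in-scope address
            return any(self.host_in_scope(ip, follow_vhost=False) for ip in self.records.get(name, ()))
        return False

    def vhost_in_scope(self, name, ip):
        """Subsection C: the host name and the address it resolves to must both be in scope."""
        ip = ipaddress.ip_address(ip)
        return ip in self.records.get(name, ()) and self.host_name_in_scope(name) and self.host_in_scope(ip)


def vhost_domain_example():
    """Subsection C, option 2: 51.222.169.208/29 is 'all', megacorpone.com is 'vhost'.
    The records are taken from the zone transfer at the top of the page."""
    ws = Workspace()
    ws.add_network("51.222.169.208/29", ALL)
    ws.add_domain("megacorpone.com", VHOST)
    zone = {"admin": "51.222.169.208", "beta": "51.222.169.209", "fs1": "51.222.169.210",
            "mail": "51.222.169.212", "mail2": "51.222.169.213", "test": "51.222.169.219",
            "vpn": "51.222.169.220", "www": "149.56.244.87"}
    for label, ip in zone.items():
        ws.add_record(label + ".megacorpone.com", ip)
    ws.add_record("mail.gandi.net", "217.70.178.9")  # MX target; gandi.net was never added
    return ws


if __name__ == "__main__":
    ws = vhost_domain_example()
    for hn in sorted(ws.records):
        print(f"{hn:24} in scope: {ws.host_name_in_scope(hn)!s:5}  vhosts: "
              + ", ".join(str(ip) for ip in ws.records[hn] if ws.vhost_in_scope(hn, ip)))
```

Running it lists mail, fs1, mail2, beta and admin as in-scope vhosts, and www, vpn, test and megacorpone.com as out of scope, matching the last kisreport table in this subsection.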

Besides the already mentioned scope types all, strict, and exclude for IPv4/IPv6 networks and host names, there is an additional scope type vhost for IPv4/IPv6 networks and host names, which has not been discussed yet. The following list discusses this scope type for host names and IP addresses:

  • vhost scope for host names (see Point 2 in section Introduction): Sets only those host names in scope that resolve to in-scope IP addresses. In contrast to scope type all, the second-level domain is not in scope.

    Let's assume the IPv4 address range 51.222.169.208/29 together with all sub-domains of megacorpone.com that resolve to an IP address within this range (51.222.169.208/29) are in scope. In this case, we have two options:

    1. We manually determine all in-scope hostnames.

    2. We create 51.222.169.208/29 with scope type all and second-level domain megacorpone.com with scope type vhost in KIS. Afterwards, we determine all in-scope hostnames by, among other things, performing an active DNS bruteforce:

      # initialize new database
      docker exec -t kaliintelsuite kismanage database --drop --init
      
      # create a new workspace megacorpone
      docker exec -it kaliintelsuite kismanage workspace -a megacorpone
      
      # add the IPv4 network 51.222.169.208/29 to workspace megacorpone and set the scope to all (default)
      docker exec -it kaliintelsuite kismanage network -w megacorpone -a 51.222.169.208/29
      
      # first, we need to add the second-level domain megacorpone.com to workspace megacorpone and set the scope to all.
      # if we do not set it to scope type all first, KIS won't perform active scans on the second-level domain megacorpone.com
      docker exec -it kaliintelsuite kismanage domain -w megacorpone -a megacorpone.com -s all
      
      # perform active DNS bruteforcing on megacorpone.com to determine subdomains and in-scope IP addresses
      # as well as passive DNS lookups via the DNS server 8.8.8.8.
      docker exec -it kaliintelsuite cat /kis/subdomains.txt
      admin
      beta
      fs1
      mail
      mail2
      www
      vpn
      test
      
      # verify on which second-level domains kiscollect will perform the active DNS bruteforcing as well as passive DNS lookups
      docker exec -it kaliintelsuite kiscollect -w megacorpone --dnsgobuster --dnshostpublic -L /kis/subdomains.txt -S
      /usr/bin/gobuster dns -i -z -q --wildcard -t 10 -w /kis/subdomains.txt -d megacorpone.com
      /usr/bin/gobuster dns -i -z -q --wildcard -t 10 -w /kis/subdomains.txt -d megacorpone.com
      /usr/bin/host megacorpone.com 8.8.8.8
      
      # repeatedly (see flag --continue) perform the actual data collection
      docker exec -it kaliintelsuite kiscollect -w megacorpone --dnsgobuster --dnshostpublic -L /kis/subdomains.txt --autostart --continue
      starting command producer thread ...
      kis (megacorpone)> collector
      status                         completed
      collector     type   priority
      dnsgobuster   domain 170               1
      dnshostpublic domain 312              15
      kis (megacorpone)> exit
      emptying command queue ...
      terminating all threads ...
      collection finished
      
      # finally, set megacorpone.com's scope to scope type vhost
      docker exec -it kaliintelsuite kismanage domain -w megacorpone -s vhost megacorpone.com
      
      # verify the correct calculation of the scope
      docker exec -it kaliintelsuite bash
      (.venv) kis_shell> kisreport service -w megacorpone --csv -r domain | csvcut -c "Host Name (HN)","In Scope (HN)","In Scope (Vhost)","Second-Level Domain (SLD)","Scope (SLD)","Resolved A/AAAA Records","Sources (HN)" | csvlook
      | Host Name (HN)        | In Scope (HN) | In Scope (Vhost) | Second-Level Domain (SLD) | Scope (SLD) | Resolved A/AAAA Records                                       | Sources (HN)                     |
      | --------------------- | ------------- | ---------------- | ------------------------- | ----------- | ------------------------------------------------------------- | -------------------------------- |
      | gandi.net             |         False |            False | gandi.net                 | exclude     | 217.70.185.65 [A]                                             | dnshostpublic                    |
      | mail.gandi.net        |         False |            False | gandi.net                 | exclude     | 217.70.178.9 [A]                                              | dnshostpublic                    |
      | spool.mail.gandi.net  |         False |            False | gandi.net                 | exclude     | 217.70.178.1 [A]                                              | dnshostpublic                    |
      | fb.mail.gandi.net     |         False |            False | gandi.net                 | exclude     | 217.70.178.217 [A], 217.70.178.215 [A], 217.70.178.216 [A]    | dnshostpublic                    |
      | mail12.gandi.net      |         False |            False | gandi.net                 | exclude     | 217.70.182.73 [A], 2001:4b98:dc4:5:ae1f:6bff:fe2d:9fdc [AAAA] | dnshostpublic                    |
      | mail8.gandi.net       |         False |            False | gandi.net                 | exclude     | 217.70.186.186 [A], 2001:4b98:dc2:90:217:70:186:186 [AAAA]    | dnshostpublic                    |
      | megacorpone.com       |         False |            False | megacorpone.com           | vhost       |                                                               | dnsgobuster, dnshostpublic, user |
      | mail.megacorpone.com  |          True |             True | megacorpone.com           | vhost       | 51.222.169.212 [A, In-Scope]                                  | dnsgobuster, dnshostpublic       |
      | fs1.megacorpone.com   |          True |             True | megacorpone.com           | vhost       | 51.222.169.210 [A, In-Scope]                                  | dnsgobuster                      |
      | www.megacorpone.com   |         False |            False | megacorpone.com           | vhost       | 149.56.244.87 [A]                                             | dnsgobuster                      |
      | vpn.megacorpone.com   |         False |            False | megacorpone.com           | vhost       | 51.222.169.220 [A]                                            | dnsgobuster                      |
      | mail2.megacorpone.com |          True |             True | megacorpone.com           | vhost       | 51.222.169.213 [A, In-Scope]                                  | dnsgobuster, dnshostpublic       |
      | beta.megacorpone.com  |          True |             True | megacorpone.com           | vhost       | 51.222.169.209 [A, In-Scope]                                  | dnsgobuster                      |
      | admin.megacorpone.com |          True |             True | megacorpone.com           | vhost       | 51.222.169.208 [A, In-Scope]                                  | dnsgobuster                      |
      | test.megacorpone.com  |         False |            False | megacorpone.com           | vhost       | 51.222.169.219 [A]                                            | dnsgobuster                      |
      (.venv) kis_shell> exit
  • vhost scope for IPv4/IPv6 networks (see Point 3 in section Introduction): Sets only those IPv4/IPv6 addresses in scope to which an in-scope host name resolves.

    Let's assume that the second-level domain megacorpone.com together with all its sub-level domains and the IP addresses to which these sub-level domains resolve are in scope. In this case, we have two options:

    1. We manually determine all in-scope IP addresses.

    2. We create the IPv4 network 0.0.0.0/0 with scope type vhost and second-level domain megacorpone.com with scope type all in KIS. Afterwards, we, among other things, perform an active DNS bruteforce to identify all sub-domains of megacorpone.com to determine all in-scope IP addresses. The following listing shows how this example is implemented in practice:

      # initialize new database
      docker exec -t kaliintelsuite kismanage database --drop --init
      
      # create a new workspace megacorpone
      docker exec -it kaliintelsuite kismanage workspace -a megacorpone
      
      # add the entire IPv4 address space (0.0.0.0/0) to workspace megacorpone and set the scope to vhost
      docker exec -it kaliintelsuite kismanage network -w megacorpone -a 0.0.0.0/0 -s vhost
      
      # add the second-level domain megacorpone.com to workspace megacorpone and set the scope to all (default)
      docker exec -it kaliintelsuite kismanage domain -w megacorpone -a megacorpone.com
      
      # perform active DNS bruteforcing on megacorpone.com to determine subdomains and in-scope IP addresses
      # as well as passive DNS lookups via the DNS server 8.8.8.8.
      docker exec -it kaliintelsuite cat /kis/subdomains.txt
      admin
      beta
      fs1
      mail
      mail2
      www
      vpn
      test
      
      # verify on which second-level domains kiscollect will perform the active DNS bruteforcing as well as passive DNS lookups
      docker exec -it kaliintelsuite kiscollect -w megacorpone --dnsgobuster --dnshostpublic -L /kis/subdomains.txt -S
      /usr/bin/gobuster dns -i -z -q --wildcard -t 10 -w /kis/subdomains.txt -d megacorpone.com
      /usr/bin/host megacorpone.com 8.8.8.8
      
      # repeatedly (see flag --continue) perform the actual data collection
      docker exec -it kaliintelsuite kiscollect -w megacorpone --dnsgobuster --dnshostpublic -L /kis/subdomains.txt --autostart --continue
      starting command producer thread ...
      kis (megacorpone)> collector
      status                         completed
      collector     type   priority
      dnsgobuster   domain 170               1
      dnshostpublic domain 312              15
      kis (megacorpone)> exit
      emptying command queue ...
      terminating all threads ...
      collection finished
      
      # verify the correct calculation of the scope
      docker exec -it kaliintelsuite bash
      (.venv) kis_shell> kisreport service -w megacorpone --csv | csvcut -c "IP Address (Host)","In Scope (Host)","Service (SRV)","Network (NW)","Scope (NW)","Hostnames","Sources (Host)" | csvlook
      | IP Address (Host)                   | In Scope (Host) | Service (SRV) | Network (NW) | Scope (NW) | Hostnames                           | Sources (Host)             |
      | ----------------------------------- | --------------- | ------------- | ------------ | ---------- | ----------------------------------- | -------------------------- |
      | 51.222.169.208                      |            True |               | 0.0.0.0/0    | vhost      | admin.megacorpone.com [A, In-Scope] | dnsgobuster, dnshostpublic |
      | 51.222.169.209                      |            True |               | 0.0.0.0/0    | vhost      | beta.megacorpone.com [A, In-Scope]  | dnsgobuster, dnshostpublic |
      | 51.222.169.210                      |            True |               | 0.0.0.0/0    | vhost      | fs1.megacorpone.com [A, In-Scope]   | dnsgobuster, dnshostpublic |
      | 51.222.169.212                      |            True |               | 0.0.0.0/0    | vhost      | mail.megacorpone.com [A, In-Scope]  | dnsgobuster, dnshostpublic |
      | 51.222.169.213                      |            True |               | 0.0.0.0/0    | vhost      | mail2.megacorpone.com [A, In-Scope] | dnsgobuster, dnshostpublic |
      | 51.222.169.219                      |            True |               | 0.0.0.0/0    | vhost      | test.megacorpone.com [A, In-Scope]  | dnsgobuster, dnshostpublic |
      | 51.222.169.220                      |            True |               | 0.0.0.0/0    | vhost      | vpn.megacorpone.com [A, In-Scope]   | dnsgobuster, dnshostpublic |
      | 149.56.244.87                       |            True |               | 0.0.0.0/0    | vhost      | www.megacorpone.com [A, In-Scope]   | dnsgobuster, dnshostpublic |
      | 217.70.178.1                        |           False |               | 0.0.0.0/0    | vhost      | spool.mail.gandi.net [A, In-Scope]  | dnshostpublic              |
      | 217.70.178.9                        |           False |               | 0.0.0.0/0    | vhost      | mail.gandi.net [A, In-Scope]        | dnshostpublic              |
      | 217.70.178.215                      |           False |               | 0.0.0.0/0    | vhost      | fb.mail.gandi.net [A, In-Scope]     | dnshostpublic              |
      | 217.70.178.216                      |           False |               | 0.0.0.0/0    | vhost      | fb.mail.gandi.net [A, In-Scope]     | dnshostpublic              |
      | 217.70.178.217                      |           False |               | 0.0.0.0/0    | vhost      | fb.mail.gandi.net [A, In-Scope]     | dnshostpublic              |
      | 217.70.182.73                       |           False |               | 0.0.0.0/0    | vhost      | mail12.gandi.net [A, In-Scope]      | dnshostpublic              |
      | 217.70.185.65                       |           False |               | 0.0.0.0/0    | vhost      | gandi.net [A, In-Scope]             | dnshostpublic              |
      | 217.70.186.186                      |           False |               | 0.0.0.0/0    | vhost      | mail8.gandi.net [A, In-Scope]       | dnshostpublic              |
      | 2001:4b98:dc2:90:217:70:186:186     |           False |               |              |            | mail8.gandi.net [AAAA, In-Scope]    | dnshostpublic              |
      | 2001:4b98:dc4:5:ae1f:6bff:fe2d:9fdc |           False |               |              |            | mail12.gandi.net [AAAA, In-Scope]   | dnshostpublic              |
      (.venv) kis_shell> exit
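The two vhost cases above (vhost on the second-level domain, and vhost on the network) are mirror images of the same rule: a vhost-scoped item is in-scope only if DNS links it to an item whose scope is all. The following script is an added example, not KIS code, that models this rule over constructed A/AAAA records taken from the zone transfer in the Introduction (plus one third-party mail host, as the passive dnshostpublic lookups return). The two-phase evaluation (all first, then vhost derived from it) and the consequence that vhost on both sides yields an empty scope are assumptions about KIS behaviour made for this model; the function and variable names are this example's own.

```python
"""Model of scope calculation with the scope types 'all' and 'vhost'.

Added example, not KIS code. DNS data is constructed from the zone transfer
shown on this page; the two-phase rule is an assumption about how a 'vhost'
scope on one side follows an 'all' scope on the other side.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed A/AAAA records: a subset of the megacorpone.com zone from the
# Introduction plus one third-party mail host returned by passive lookups.
DNS_RECORDS: Dict[str, List[str]] = {
    "admin.megacorpone.com": ["51.222.169.208"],
    "beta.megacorpone.com": ["51.222.169.209"],
    "intranet.megacorpone.com": ["192.168.10.11"],
    "www.megacorpone.com": ["149.56.244.87"],
    "doesnotexist.megacorpone.com": [],  # case 3: a name without any address
    "mail8.gandi.net": ["217.70.186.186", "2001:4b98:dc2:90:217:70:186:186"],
}
# Constructed address to which no host name resolves (case 1.a).
ORPHAN_IPS: List[str] = ["51.222.169.214"]


def parent_domain(hostname: str, domains: Iterable[str]) -> Optional[str]:
    """Return the registered second-level domain hostname belongs to, if any."""
    for dom in domains:
        if hostname == dom or hostname.endswith("." + dom):
            return dom
    return None


def containing_network(ip: str, networks: Iterable[str]) -> Optional[str]:
    """Return the most specific registered network containing ip (longest prefix)."""
    addr = ipaddress.ip_address(ip)
    best_key, best_len = None, -1
    for net in networks:
        candidate = ipaddress.ip_network(net)
        if candidate.version == addr.version and addr in candidate:
            if candidate.prefixlen > best_len:
                best_key, best_len = net, candidate.prefixlen
    return best_key


def calculate_scope(
    networks: Dict[str, str],
    domains: Dict[str, str],
    records: Dict[str, List[str]],
    orphan_ips: Iterable[str] = (),
) -> Tuple[Set[str], Set[str]]:
    """Return (in-scope IP addresses, in-scope host names).

    networks maps a CIDR to 'all' or 'vhost'; domains maps a second-level
    domain to 'all' or 'vhost'.
    Phase 1: 'all' puts every address in the network / every name under the
             domain in scope unconditionally.
    Phase 2: 'vhost' puts an address (or name) in scope only if a phase-1
             in-scope name resolves to it (or it resolves to a phase-1 address).
    Hence 'vhost' on both sides leaves the scope empty (assumed behaviour).
    """
    all_ips: Set[str] = set(orphan_ips)
    for addrs in records.values():
        all_ips.update(addrs)

    def net_scope(ip: str) -> Optional[str]:
        return networks.get(containing_network(ip, networks))

    def dom_scope(name: str) -> Optional[str]:
        return domains.get(parent_domain(name, domains))

    # Phase 1: unconditional scopes (names with scope 'all' count even if they do not resolve).
    phase1_ips = {ip for ip in all_ips if net_scope(ip) == "all"}
    phase1_names = {name for name in records if dom_scope(name) == "all"}

    # Phase 2: vhost scopes derived from phase 1 through the DNS records.
    in_scope_ips, in_scope_names = set(phase1_ips), set(phase1_names)
    for name, addrs in records.items():
        if dom_scope(name) == "vhost" and any(ip in phase1_ips for ip in addrs):
            in_scope_names.add(name)
        if name in phase1_names:
            in_scope_ips.update(ip for ip in addrs if net_scope(ip) == "vhost")
    return in_scope_ips, in_scope_names


def host_report(networks, domains, records, orphan_ips=()):
    """Rows resembling the kisreport listing: (ip, in_scope, network, host names)."""
    in_scope_ips, _ = calculate_scope(networks, domains, records, orphan_ips)
    all_ips = set(orphan_ips) | {a for addrs in records.values() for a in addrs}
    # Sort IPv4 before IPv6; addresses of different versions are not comparable.
    ordered = sorted(all_ips, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))
    rows = []
    for ip in ordered:
        names = sorted(n for n, addrs in records.items() if ip in addrs)
        rows.append((ip, ip in in_scope_ips, containing_network(ip, networks) or "", names))
    return rows


if __name__ == "__main__":
    # The configuration from the listing above: 0.0.0.0/0 as vhost, megacorpone.com as all.
    for ip, in_scope, net, names in host_report({"0.0.0.0/0": "vhost"}, {"megacorpone.com": "all"},
                                                DNS_RECORDS, ORPHAN_IPS):
        print(f"{ip:40} {str(in_scope):5} {net:12} {', '.join(names)}")
```

Running it with the page's configuration reproduces the listing above: the megacorpone.com addresses (including the private 192.168.10.11 of intranet.megacorpone.com) are in-scope, the gandi.net addresses are not, the IPv6 address has no containing network because 0.0.0.0/0 covers only IPv4, and the orphan 51.222.169.214 stays out of scope because no in-scope name resolves to it. Swapping the scope types (51.222.169.208/29 as all, megacorpone.com as vhost) yields the situation of the previous bullet, where only admin and beta become in-scope host names.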