Overview
What is attack surface enumeration?
Attack surface enumeration for the purpose of this discussion is the identification of external or internet-facing systems that adversaries could target to find and exploit vulnerabilities. The information gathered from this enumeration includes domain names, subdomains, IP addresses/ranges, open ports, services, applications, etc. This can be done in various security testing scenarios. It may be performed by a security tester to identify the scope for potential vulnerabilities or to enhance an organization’s understanding of exposed assets and support asset management validation.
The Purpose of This Documentation
This documentation will go in depth on the sources, methods and flow of surface mapping and enumeration, including analysis and background of sources and where the data originates. It was created from a personal drive to ensure comprehensive coverage of potential attack surfaces, ensuring no vulnerabilities are overlooked during security testing or bug bounty assessments. There are many tools that automate the methods outlined here; however, without understanding how they work and supplementing them where needed, important parts of the attack surface, and therefore vulnerabilities, could be missed.
Why do we care?
Understanding the attack surface is important because without it, proper security measures cannot be applied. A larger identified attack surface increases the chances of finding vulnerabilities, particularly in hidden or legacy services, which are often more susceptible to exploitation. Additionally, with name-based virtual hosts, having only an IP address may not reveal the full extent of available applications. Domains and subdomains tied to that IP can host separate services, making it necessary to perform thorough enumeration in order to uncover these additional layers and fully assess the attack surface.
Process and Workflow
The methodology focuses on expanding from an initial seed (e.g., domain, IP, organization name) by using recursive techniques that build upon each other to discover a broader attack surface. The process involves feeding the outputs of one discovery method (e.g., subdomain bruteforcing) into others (e.g., searching for sites with similar favicons) for deeper exploration. By combining these various techniques, the goal is to ensure exhaustive discovery of assets related to the target.
As mentioned earlier, there are a lot of tools that take various types of input and perform enumeration. However, most of these support only a subset of the input types or methods for attack surface enumeration, and they vary in the sources used. In subsequent sections the plan is to provide examples and a comparison of each of the specific sources. Instead of analyzing effectiveness at the tool level, it will go over each individual method and source of data, so that you can create your own automation/tools or use existing ones better while understanding their limitations. The following workflow diagram is an example of how these can flow recursively from initial data points, such as domains, IPs, or organization names, to a comprehensive attack surface.
Depending on the scope and purpose, the approach to attack surface enumeration can vary. For instance, if the scope includes a single domain without subdomains, some enumeration techniques may have limited value. However, when given an IP or a broader scope, the process expands to include domain, subdomain, and IP range mapping. In cases without restrictive boundaries, the aim is to uncover all potential attack surfaces across an organization’s digital footprint.
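As an added illustration that is not part of this documentation, the worklist below implements the recursive expansion described above: every asset is fed to each discovery method that accepts its type, new in-scope results are queued, and expansion stops at a fixed point. The data sources are constructed in-memory stand-ins for subdomain, forward DNS and reverse DNS lookups, and the table contents, function names and scope rules are all assumptions; the scope policy also models the single-domain-without-subdomains case from the paragraph above.

```python
"""Recursive attack-surface expansion engine (constructed example, offline)."""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed stand-ins for real sources (subdomain lists, passive DNS, reverse DNS).
# A real implementation would query each source; these just read embedded tables.
SUBDOMAINS = {"example.com": ["dev.example.com", "api.example.com"]}
FORWARD_DNS = {"example.com": ["203.0.113.10"], "dev.example.com": ["203.0.113.11"],
               "api.example.com": ["203.0.113.10"], "partner.example.net": ["203.0.113.11"]}
REVERSE_DNS = {"203.0.113.10": ["example.com", "api.example.com"],
               "203.0.113.11": ["dev.example.com", "partner.example.net"]}

def subdomain_lookup(domain): return [("domain", d) for d in SUBDOMAINS.get(domain, [])]
def forward_dns(domain): return [("ip", ip) for ip in FORWARD_DNS.get(domain, [])]
def reverse_dns(ip): return [("domain", d) for d in REVERSE_DNS.get(ip, [])]

# Each asset type dispatches to the discovery methods that accept it as input.
METHODS = {"domain": [subdomain_lookup, forward_dns], "ip": [reverse_dns]}

def in_scope(kind, value, scope):
    """Scope policy (assumed): a domain is in scope if it equals a scope domain or,
    when scope['subdomains'] is true, is a subdomain of one; an IP is in scope if it
    lies inside one of the scope networks."""
    if kind == "domain":
        return any(value == d or (scope.get("subdomains", True) and value.endswith("." + d))
                   for d in scope["domains"])
    return any(ip_address(value) in ip_network(n) for n in scope["networks"])

def enumerate_surface(seeds, scope):
    """Worklist expansion to a fixed point. Returns (assets, excluded): assets are
    the in-scope (kind, value) pairs reached from the seeds; excluded are results
    that fell outside scope and were recorded for review but never followed."""
    seen, queue, excluded = set(), deque(seeds), set()
    while queue:
        asset = queue.popleft()
        if asset in seen:
            continue
        seen.add(asset)
        kind, value = asset
        for method in METHODS.get(kind, []):
            for result in method(value):
                if result in seen:
                    continue
                if in_scope(*result, scope):
                    queue.append(result)
                else:
                    excluded.add(result)
    return seen, excluded
```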