Good morning and good afternoon, depending on wherever you are. Thank you so much for joining in for the next talk at the Linux Foundation's Open Source Summit 2021. This is a tool demo of reNgine. It's an open source reconnaissance framework for continuous asset monitoring. It will also serve as a reconnaissance framework for your pentesters and security audits as well. So before we begin, a very quick introduction about me. My name is Yogesh and I work as a research engineer at a company called TRC Research and Development, and my research focus is in building solutions for crime enter. I also build and maintain reNgine, and that's something that I do apart from my full-time job. I have also been a speaker at several conferences like TEDx, Open Source Summit, DEFCON and Black Hat. Let's see the targeted audience for this talk. The targeted audience for this talk is anybody who is looking forward to reconnaissance, to automated reconnaissance, let's say penetration testers. It could also be organizations looking forward to asset discovery and also to continuous monitoring. We'll see what exactly asset discovery is. We'll see what exactly continuous monitoring is. We'll see everything in the coming slides. Before we talk about what this tool does, we need to talk about the state of web application security and where this tool, reNgine, is very important for you. Now over the last few years, we have seen an increased number of attacks on web applications. On the screen that you see right now is a report where web application attacks spiked to almost 113 million attacks on a single day, and that number on average is approximately 25 to 30 million every single day. And also one report from PortSwigger suggests that web application attacks contribute to almost half of all data breaches, and these numbers do not seem to decrease, and there are some reasons behind that.
One of the reasons behind that is the attack surface the modern application generates, and also that companies are not aware of these assets. It is very difficult for a company to keep track of how many subdomains the organization has. It is also difficult to know how many test subdomains are in existence. Let's say your development team wants to test a web application, and they just deploy it to one of their web servers, which most of the time is not authenticated, and most of the time it could also be using a default password like, let's say, admin/admin or root/root, and then they just expose it to the internet for test purposes, and at the end they forget to decommission it. And now these kinds of endpoints, these kinds of subdomains, will serve as an entry point for attackers. And how do you keep track of them? How do you find them out? And also from an attacker's perspective, from a hacker's or a security auditor's perspective, it's very difficult for you to figure out how many subdomains an organization has and do the data correlation. Let's say you might be using one tool for subdomain gathering. You might be using other tools for port scanning. You might be using other tools for vulnerability scanning. At the end it's very difficult for you to correlate all of this data. And one of the solutions from an organization's perspective that you can use for strengthening your web application security is of course security updates and penetration testing. Now penetration testing, if you're not aware of what exactly this is, it's an approach, or it's a posture. I would say it's more of an activity to find out how vulnerable your application is, what the entry points for an attacker are, and how an attacker could actually attack an application. So it's more or less an activity where you emulate the attack from a hacker's perspective.
So you could do that. But before you do any penetration testing or security audit, there is a very important step which is called reconnaissance. It can also be called asset discovery. So reconnaissance is all about the information gathering phase before you propose to attack any application or any target. Let's say you have a target called Google.com and you want to attack this whole organization, or probably you are doing the security posture assessment for this organization. The first thing that you would do is find out how many assets this organization has. So an asset could be in terms of your subdomains. It could also be in terms of your IP addresses. And then it could also be the number of ports and the number of running services. And this at the end will generate an attack surface, from where an attacker could gain entry to your organization. Let's say you have a test server, let's say test.pay.google.com. There seems to be an unauthenticated dashboard where an attacker can go and launch some sort of attack. So during the reconnaissance phase, you tend to find out these kinds of assets, or probably generate an attack surface, and figure out the attack surface through which an attacker can actually exploit your applications. So that's all about reconnaissance. But let's talk about the problem. The problem that seems to be with reconnaissance and asset discovery is that there are many really, really great tools out there that do reconnaissance, automatic reconnaissance and asset discovery. But the problem is that, let's say you use one tool for subdomain gathering. You use another tool for some other purpose. You use another tool for screenshot gathering. At the end, it's very difficult for you to do the correlation unless you are really good at grepping. Let's say you have one subdomain, and that has an IP, that has an open port, exposed services. Now it's very difficult for you to do the correlation, data correlation.
And also one of the reasons is that for a lot of these tools, the output might be in different forms. Let's say subdomain gathering could be in TXT form. At the end, you run Nmap. The output could be in the form of XML. Now it's very difficult for you to do the data correlation when you do the reconnaissance. And where reNgine comes into play is to do the data correlation. It helps you to streamline the process and also do automated reconnaissance, which we'll see in the demo. Now, were there any existing tools before I built reNgine? Yes, there were many existing tools and also very good monitoring services. Some of them are commercial tools like, you know, Acunetix, which is a very good vulnerability scanner. You also have, you know, I forgot the name exactly, I think it's called SecurityTrails, I guess. SecurityTrails. You also have Nessus for, you know, vulnerability scanning. These tools are really good. And we also have open source alternatives, which seem to do a good job. But the problem with these tools is that, first, commercial tools are really, really expensive. And it's very difficult for small businesses and organizations to afford them. And if you're an individual pentester, it's very difficult for you to, you know, get hold of these commercial tools as well. And also most of these existing commercial tools are not on premise. That means your assets, you know, your data about the assets, is going to be on somebody else's server, right? And a lot of times when I discuss this with companies, they really don't want to do that. And that's when the idea of reNgine came up, where you could actually install the tool, the continuous asset monitoring service, or probably, let's say, reconnaissance, on your own premises, wherever you wish it to be. And some of these open source alternative services seem to be lacking continuous monitoring services and smart alerts.
When I say continuous asset monitoring service, it's, let's say, how many of the subdomains appeared in the last 24 hours, right? Or how many new endpoints have appeared. So very few open source tools give you this, and also smart alerts. Let's say you want the notifications to be sent on your Discord or Slack. It could also be on, you know, wherever your developers are. So a lot of these open source tools lack that, right? And many of these open source tools already exist that do the reconnaissance for you. But they need expertise; as I said, you need to be really good at grepping if you want to do the data correlations. And the missing part was the data correlation, right? And reNgine came with the idea that all these problems that you see in the traditional recon workflow are solved by it. So if I had to say that in one single line, it's an open source automated reconnaissance framework that does asset discovery, that does reconnaissance, and it also has an open source powered vulnerability scanner with continuous monitoring. And the vulnerability scanner is powered by Nuclei. And that does a really, really good job in finding out the vulnerabilities. So let's see what features we have in reNgine. First, it's powered by all the existing open source tools. So you are not confined to using certain tools. reNgine allows you to choose what kind of tools to use. Let's say for subdomain scanning, you want to use, you know, Subfinder or Sublist3r, or you just want to use the default, whatever we have. Probably even using multiple of them. So reNgine helps you choose the tools that you wish it to use. And we also have powerful and automated asset discovery. So there is a streamlined process that we already have. And we also have continuous monitoring. That means you can schedule scans every hour, every week, every month. You can do that as well.
And every time there's something new discovered, a new subdomain discovered, we also send you the notifications on that. And we also have, of course, recon data correlation. We'll see what exactly that recon data correlation is in some time. And as I said, we also have vulnerability scanning powered by Nuclei. And we also have smart alerts for asset monitoring. Let's say you have kept an asset, Google.com, for scanning. And every time reNgine finds out new subdomains, let's say some subdomain has recently appeared, it's going to send you the notifications on your notification channels. The most important thing is that we also have customizable audit reports. So these audit reports could be your reconnaissance report, or they could also be your vulnerability scanning report. Now the use case for this tool: for pentesting, you can use it for reconnaissance. And if you're an organization, you can use it for a continuous asset monitoring service. Let's say, hey, scan my target, let's say my own organization.com, once every week and send me alerts and notifications every time a new vulnerability or a new subdomain has appeared. And you can use reNgine for that. For penetration testers, you can use reNgine for an automated reconnaissance pipeline. This is highly customizable and configurable. You can choose what tools to use and what your scan has to perform. Let's say I only want a passive scan. You can do that. Let's say I want the full scan. You can do that as well. And if we have to talk about the pipeline, let's say you have a target here. It's very well explained already here. The target is first sent to subdomain gathering. And it does HTTP probing to find out if the subdomains that we have gathered, let's say 10,000 subdomains, are alive. Are they 200 OK? And once we figure out that they're alive, we do the screenshot gathering. We also identify the IP addresses behind them.
And now this data will again be sent for port scanning and service identification. We also gather your endpoints from several sources, including Wayback URLs and also crawling your web application. And we also do vulnerability scanning plus open source intelligence. And in vulnerability scanning, let's say if any new vulnerability has been discovered, we send that into your smart alerts, your Telegram, Slack and Discord. And also every time a critical, high or medium vulnerability is found, we also send notifications to your favorite notification channels. And on all the URLs that we have gathered, we also do pattern matching on top of that to figure out if these URLs might be, let's say, vulnerable to LFI, RFI or probably cross-site scripting, right? So we do the pattern matching to find out the probably vulnerable URLs and send them to a very nice and fancy dashboard UI. And at the end, this whole data can also be sent to your audit reports, which we'll see; it's a PDF generated report. And on the left, again, you can see the continuous asset monitoring service as well. So every time a new subdomain is discovered, we send the notifications to Telegram or Slack or Discord, whatever you want it to be. That's pretty much about the pipeline. Now we'll see the demo on how exactly to use this tool and how it's going to be super, super beneficial for you. So this is the dashboard of reNgine. But before we talk about the dashboard, maybe we need to talk about the installation steps. So installing reNgine is very, very simple. It is just executing the install.sh script. That's it. So all the dependencies, moreover, because reNgine has everything dockerized, you do not have to worry about your database, you do not have to worry about anything. Everything is taken care of. All the dependencies will be taken care of. So head over to our documentation page. It's the reNgine wiki.
That's where all the documentation lies. So once you go over there, you can find the installation steps for your VPS provider or even for installing it on a local machine. All the steps are there. So here on the screen, you can see all the targets, the subdomains, the endpoints. This is a very quick summary, a very quick glance. Let's head down. You also have the most common vulnerabilities. All the technologies, ports, the most common IP addresses, and the feed is also over here. So this dashboard is more or less, you know, to give you a glance, to give you a very quick glance of all the things that are happening right now. And if you have any, you know, let's say any scan activities, if any scan is running, you can also find them over here. And that's pretty much about the dashboard. Now let's look into what exactly targets are and how we start scanning your organizations or, you know, your targets. So once you go to targets, you can find the domain names, your organization, if it belongs to any organization, and your description; all things are over here. Let's now quickly click on add targets and let's say, learnmyipsum.com. Let's add the target. So it was that simple. It was very, very simple. You can also import your targets from a TXT or CSV file. You can also add multiple targets. You can also add from IP addresses or CIDR ranges; both are supported. Now that we have seen how to add targets, let's see how to scan. And to do that, you have two options over here. Either you can do a quick scan, that's like scanning right now, or you can also schedule a scan. Now, as I said, for continuous monitoring, you have two options. Either do the periodic scan, that's, let's say, run the scan every 30 minutes, or you can also do a clocked scan to run exactly at the specified time. That's about your scheduler. And for quick scan, you can click here and now you'll be allowed to choose your scan engines. Now this is very, very important.
So what exactly are scan engines in reNgine? So scan engines are something that you scan your target against. Let's say the type of scan could be a full scan, a subdomain-only scan, your open source intelligence, your vulnerability scan, right? It could be anything. Now when you click on add scan engine, what's going to happen is that you can name it; you know, the best part about reNgine is that you get to configure them in very, very many details. Details like what tools to use, what threads to run. It could be pretty much anything. So once you define the engine name, here on the left you can see what your scan engine has to perform. Let's say I only want to perform subdomain discovery, but I don't want all of them. Or it could also be, let's say I want directory and files, as you can click here. And then let's say demo. This is your engine. And then you also get to choose all these configurations from a YAML-based configuration. We do have a YAML-based configuration. So you can choose what tools to use. Let's say the intensity of your open source intelligence. That's your normal intensity, or it could be high, deep intensity, your visual identification, that is screenshot gathering. So everything is given over here. If you want to find out how the settings work and what the available options are, again, please head over to the documentation. You'll find everything needed for this YAML-based configuration. Now let's click on scan engine. Now remember that we have defined a demo engine. And we're going to scan our learnmyipsum.com target against this demo engine. So you can come over here and then see the engine capabilities are subdomain discovery, your screenshot gathering. It is also going to do the directory and file search, but it's not going to do the port scanning. So once you choose that, click on next. And now you will also be allowed to import your own subdomains.
Let's say if you already have any private recon tools, or any other tool has given you a list of subdomains, you can also enter them over here, and you just need to separate them using newlines. And you can also keep out-of-scope subdomains. Let's say you do not want our vulnerability scanners or fuzzers to go and do some attack on your admin.google.com or admin.example.com. If there is a subdomain that you want to skip, you can very well come and, you know, place that subdomain in the out-of-scope subdomain list as well. So you can click on start scan; let's click on start scan. So your scan will be initiated and you can find it over here as well. So one of the scans is right now working. And once you do that, I think maybe let's talk about organizations. So we also allow you to tag your targets to an organization. So you can tag your, let's say we can name our organization Linux Foundation. And then we can choose this HackerOne, Facebook, Stripe. Now this is going to be super helpful when you have multiple targets for a particular organization. Let's say Google. Let's take an example of Google. Now for Google, you may have Google.com as your target. It could also be Waymo.com. It could also be any of its, you know, child organizations. It could be anything. So you can define all of them here. And instead of scanning them individually, you can tag them to an organization and initiate the scan from the organization. Let's say add organization. Now your Linux Foundation is an organization. Instead of scanning individually, you can, let's say here, it says three domains associated with the organization Linux Foundation: HackerOne, Facebook and Stripe. So again, I can choose the, you know, scan engines and very well initiate the scan. So that's all about initiating, sorry, tagging to a particular organization. It's going to be super helpful for you as well.
And once you have started scanning, the result of the scan is going to look something like this. So once you come over here on your left, you can see all the, you know, scan status, again all the quick summary over here and all the target information. Your WHOIS record is going to be fetched from here. And your HTTP status breakdown, you know, is going to give you a very fair idea of how many of the subdomains are alive right now, how many of the subdomains are 401. So depending on the status, the color code is also going to change. You will also have important subdomains. That means we also allow you to mark any subdomain as important as well. And if you go down, you have IP addresses. So all the IP addresses that we have gathered are going to appear over here. And you can also hover over them to figure out how many of the ports are open, in case you have done the port scanning. And then, since we gather all the technologies, we also quickly tell you how many technologies have been discovered over here. You can see that we have discovered this many technologies and you can click on any of these to, you know, get more of an idea about how many of these technologies are being used by other targets. Let's say, yeah, so this particular technology is being used by, you know, all of these, what do you say, subdomains. And let's say Amazon S3, so it's being used by two subdomains with this technology, and these are the subdomains, right? Now, this is what exactly we call the deeper correlation. So now the relationship between your subdomains, the technologies being used, your IPs and ports, everything is going to come over here. And if you click on any of these IP addresses, it's going to tell you how many of the subdomains are actually using that. Now it says it has 30 subdomains that are using this particular, you know, IP address.
So this is all the deeper correlation that we do on your reconnaissance data, right? So let's go back here and click on subdomains. This is something on which you'll spend a lot of time, a lot of time. All the things that you see over here are very well managed in a tabular structure. So you can also see your subdomains very quickly. You can see the HTTP status as well. And then you also have the title. You also have IP addresses, content length. And if we have taken any screenshots, you would also get to see them here. So let me find out if I have taken any screenshots. Probably I do have. Okay. So this one is a full scan. Yep. There's a full scan over here. Let's click on view results. Let's click on subdomains. So you'll get to see all the subdomains with direct screenshots on your right. So all of this data that you see is being generated by multiple tools. Your subdomains could be generated from any of these tools like Sublist3r, Subfinder. It could be anything. And similarly, we take screenshots using tools like EyeWitness. So at the end, all of the data is going to be correlated and shown in a tabular structure. You will also be able to click on this IP address and figure out how many other subdomains are using that IP address. You can very well do that. You can also click if there are any open ports. Let's say this particular subdomain has port number 465 open. You can click and you can also find out how many other subdomains have this port open. So this is the kind of back and forth data correlation that we do. And if you have any screenshots here, you can very well click here and then see that, you know, in a bigger picture. And we also have your response time in case you need to figure that out. And all of these are again sortable. You can very well click on this content length. You can sort them based on content length, IP address, status, anything. Now, the problem with the recon data is that it's really, really huge.
For reconnaissance data, let's take an example of Facebook.com, which probably has 16,399 subdomains. Now, finding interesting data out of 16,000 subdomains is going to be very, very difficult, right? So in reNgine, we also do a lot of interesting stuff. We do what we call interesting subdomain finding. It uses certain keywords to find out interesting subdomains. And reNgine does that automatically for you. And it's completely customizable as well. You will also get an option to add your own interesting keywords. Right now you see on the screen, it says reNgine has identified 14 interesting subdomains. Check it out. So we'll come back to this one. Maybe let's just go to it. So depending on keywords like admin, dashboard, FTP, reNgine figures out what the most interesting subdomains for you are. Let's say reNgine has discovered admin.dev.facebook.com here. And reNgine has also found some FTP panels. Similarly, reNgine is also going to identify the interesting endpoints depending on the keywords. Again, all of these are completely customizable. So if you go over here to scan engines and click on interesting lookup, you will find an option to add your own custom keyword. Let's say for me, dashboard is an interesting one. You can do that. Now we also allow you to choose where to look up these keywords. You can figure them out here, and also the lookup conditions. That's pretty much about it. Let's go back and see how the recon data will look. Yeah, so this is the recon data that we already saw. Now the interesting part about reNgine is that we also allow you to, you know, we have our custom query language where you can combine multiple queries and filter the recon data. Let's say, hey, I want all the subdomains that use admin in the page title: name equals admin. So you're going to find all the subdomains that have admin in the page title. It was that interesting.
You can also filter based on the HTTP status. So all of these that you see right now are in HTTP status 200. So we can also filter them based on, sorry, combine the query results. Let's say I want, and let's say maybe, name equals Ko-Fi. So you'll see all the subdomains that have HTTP status 200 and have the name Ko-Fi. So your filtering could be done based on various fields. That is your page title, HTTP status, whether it is important, based on the CNAME records, based on technology, based on ports; it could be pretty much anything here. So you can also define the conditions, greater than, smaller than. You can do pretty much anything here. And as I said, interesting recon is all about figuring out what the interesting recon data for you is. Maybe let's go back and click on full scan. We'll find out some more stuff there. Yep. So now recon data changes; this is very, very important. As I said, reNgine can also be used as a continuous monitoring service. So every time a new subdomain has appeared, every time a new subdomain has been found, reNgine is going to send you the notification on Discord, Slack or Telegram. Also reNgine will keep a record of which are the interesting subdomains, sorry, recon data changes. So you see here right now this scan has one subdomain that has recently appeared. But it has HTTP status 400. That's all about the recon data changes. We also have a screenshots gallery. So if you just want to have a look at all the screenshots, rather than going through the tabular structure, you can also do that. What is interesting is that you also get to filter them based on HTTP status. Let's say, show me all the subdomains that have HTTP status 200. It was that fast and that quick. You will also be able to filter based on your IP addresses, based on running services, based on ports, based on technologies. Let's say which of these subdomains use PHP. So all of these use PHP as a technology, right?
Let's say MySQL. So all of these use MySQL. So you can also filter them based on various factors. You can search them. If you have any interesting queries, you can do that here. Now, we also do the directory search. So you can find out if reNgine has done a directory search. If you have chosen that in the scan engine, you also get to see all the directories over here. And we also have all the URLs that are gathered. And also, of course, if we have done any pattern matching using GF, you will also get to see them over here. Again, yes, we also do the vulnerability scanning. So you'll also get to see the vulnerabilities tab here, and the vulnerability title, the severity, the vulnerability URL, the description if it has any, and the status. So you can also open and close the status. You can do that from here. And that's pretty much for vulnerabilities. We also have open source intelligence. We also gather the employees associated with that. We also gather email addresses. And once we gather all the email addresses, we also check them against leak databases. And we also find out if any of them have exposed credentials. We also do that here. And we also do metadata discovery. That's, you know, finding the PDF files and all the metadata associated with them. We also have dorking. What other features reNgine's open source intelligence supports, you can figure out here. And interestingly, we also provide you the recon data visualization. So this is very important and is going to be very helpful for you. Let's say here you can see all the technologies, all the IP addresses and all the relationships between your recon data. And what's interesting is that you also get to download them from here. And I don't want to expand all of them. So this is very customizable. You can play around with it. That's for visualization.
Now we also have a dedicated vulnerabilities tab from which you can figure out vulnerabilities not only in one particular target, but across all of your targets. You can do that. And once you go to quick scan history, you will also get to, you know, let's say Stripe.com, you'll also get to, you know, mark any subdomain as important or even add recon notes and to-dos. So this is going to be super helpful. If you are doing a security audit right now, and maybe let's say you come back tomorrow and want to resume from the same place, either you can mark them as important or you can, you know, add new recon notes and to-dos. So any recon notes and to-dos are going to be over here. Also, you can mark them as important. Yep. That's pretty much on to-dos. And I think scan engines we have covered. This is all about brute forcing. Yep. We also allow you to add proxies; you know, using proxies is recommended because, I mean, when you do this kind of reconnaissance, you're likely to get banned because of rate limits. So you can put in as many proxies as you want. But at the end, what's going to happen is that the engine is going to pick one randomly from here and then use it to scan against your targets. You can use that here. Tools, I think, tool arsenal. So in the tool arsenal section, all the tools that reNgine uses, and if there are any updates, reNgine will, you know, so over here, update, so you can update the versions of that or any other tool that reNgine uses. So it's updated right now. So this is our tool arsenal. And what's important, that probably you might need to see, is notification settings. So there are notification settings. You will be allowed to send notifications to your Slack, to your Discord, and to your Telegram. You can do that from here. And you will also get to choose what kind of notifications to be sent.
Let's say I only want to get a notification when the scan is initiated or completed, or maybe let's say I don't want them. So you can choose from here. So the main thing is, as it appears, you can choose them. Pretty much, it's very customizable. That's all about notifications. Most importantly, we'll see the report settings. This is something that is coming up in the engine and it's going to be super, super important. So now these are the settings for your audit report. You will get to choose even smaller, minor details like the colors of the report. Let's say, let me just say the company name is Open Source Summit, address Nepal, footer text if you want to show anything. Whether you want to give credits to reNgine or not. And we also allow you to completely customize the executive summary as well. So this is going to appear before the quick summary and you can define your own executive summary. We do have some syntax that we support which will be replaced by actual data. So when you click and save report settings, let's go back to quick scan history. And then let's say the full scan that we had done, you can click on these dots and click on download report. So you'll have an option to download only the reconnaissance report or only the vulnerability report. You can choose that and click on download report. So the audit report is being generated right now and it should be ready in no time. So this is your audit report that reNgine has just now generated for you. So you can see our Open Source Summit. So everything that we have written, table of contents, executive summary. So as I said, the executive summary is going to be filled with the actual data, which is over here, and all the observations, the quick summary, everything. So this audit report is automatically generated and it's going to be super, super helpful for you. And if you are part of any organization, this could also be very helpful for you. I think that's pretty much about reNgine.
So it's more or less for reconnaissance plus your continuous asset monitoring service. You can use it either only for reconnaissance or only for continuous monitoring services. So use it however you like. And it's there on GitHub. The link for the tool is github.com/yogeshojha/rengine. That's where it is. And that's all about the demo. Now we have come towards the end of this talk. If you have any questions about the tool, if you have any feature requests, please feel free to drop them in the chat section. I'll be very happy to answer them if you have any questions. If you have any feature requests, head over to our GitHub page and please raise a request. We also have our own Discord channel. If you need any help, support is available over there as well. So I look forward to your questions and thank you very much for listening. Thank you once again.
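The four things the talk walks through on the recon data (the subdomain/IP/port/technology correlation, the keyword-based interesting-subdomain lookup, the combinable field=value query filter, and the recon-data-changes alerting behind continuous monitoring), as an added Python sketch. This is illustrative code written for this page, not reNgine's own code; the record layout, the query grammar and the keyword list are assumptions, and the recon records are constructed.

```python
"""Toy model of reNgine-style recon data correlation and continuous monitoring.
Added illustration, not reNgine's own code; record layout, query grammar and
keyword list are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Keywords the talk names as "interesting" (admin, dashboard, FTP); assumed set.
INTERESTING_KEYWORDS = ("admin", "dashboard", "ftp")


@dataclass(frozen=True)
class Subdomain:
    name: str
    http_status: int
    title: str
    ip: str
    ports: tuple = ()
    technologies: tuple = ()


# Constructed sample recon data (not real scan output); two scans of one target.
SCAN_1 = [
    Subdomain("www.example.com", 200, "Example Home", "203.0.113.10", (80, 443), ("nginx",)),
    Subdomain("admin.dev.example.com", 200, "Admin Login", "203.0.113.20", (443,), ("PHP", "MySQL")),
    Subdomain("ftp.example.com", 401, "FTP Panel", "203.0.113.20", (21, 465), ("vsftpd",)),
    Subdomain("static.example.com", 200, "Assets", "203.0.113.30", (443,), ("Amazon S3",)),
]
SCAN_2 = SCAN_1 + [
    Subdomain("test.pay.example.com", 200, "Payments Dashboard", "203.0.113.40", (8080,), ("PHP",)),
]


def correlate(records):
    """Index subdomains by IP, open port and technology, so that clicking an IP,
    port or technology can answer 'which other subdomains share this?'."""
    index = {"ip": defaultdict(set), "port": defaultdict(set), "tech": defaultdict(set)}
    for r in records:
        index["ip"][r.ip].add(r.name)
        for p in r.ports:
            index["port"][p].add(r.name)
        for t in r.technologies:
            index["tech"][t.lower()].add(r.name)
    return index


def interesting(records, keywords=INTERESTING_KEYWORDS):
    """Keyword lookup over the subdomain name and page title."""
    hits = []
    for r in records:
        haystack = f"{r.name} {r.title}".lower()
        if any(k in haystack for k in keywords):
            hits.append(r.name)
    return hits


def query(records, expr):
    """Tiny 'field=value and field=value' filter (assumed grammar).
    Supported fields: name, title, http_status, ip, port, tech."""
    conditions = []
    for part in expr.split(" and "):
        key, value = (s.strip() for s in part.split("=", 1))
        conditions.append((key, value.lower()))
    return [r.name for r in records if all(_match(r, k, v) for k, v in conditions)]


def _match(r, key, value):
    if key == "name":
        return value in r.name.lower()
    if key == "title":
        return value in r.title.lower()
    if key == "http_status":
        return r.http_status == int(value)
    if key == "ip":
        return r.ip == value
    if key == "port":
        return int(value) in r.ports
    if key == "tech":
        return value in (t.lower() for t in r.technologies)
    raise ValueError(f"unknown field {key}")


def recon_changes(previous, current):
    """Diff two scans of the same target and build the alert lines a monitoring
    run would push to Slack/Discord/Telegram for newly appeared subdomains."""
    seen = {r.name for r in previous}
    new = [r for r in current if r.name not in seen]
    alerts = [f"New subdomain {r.name} ({r.http_status}) on {r.ip}" for r in new]
    for r in new:
        if r.name in interesting([r]):
            alerts.append(f"Interesting subdomain appeared: {r.name}")
    return alerts


if __name__ == "__main__":
    print(interesting(SCAN_1))
    print(query(SCAN_1, "http_status=200 and name=admin"))
    print(recon_changes(SCAN_1, SCAN_2))
```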