Today I am starting with HTB Academy again, starting on Passive Sub-domain Enumeration in Information Gathering — Web Edition.
HTB briefly touched on a website called VirusTotal. When I went to the site, it wanted me to make an account, but I was not feeling it. HTB is currently showing it can give me sub-domain information, but I saw I could do that with Burp Suite from the comfort of my virtual environment, so I do not really want to sign up for this right now.
One interesting bit I did not know is that we could get sub-domain information from SSL certificates. I have made solutions for customers in the past that set alerts on SSL certs that were about to expire and have put SSL certs on sites I built in the past, but I usually never thought about diving into them further. Learning cybersecurity is forcing me to remove the “If it works, it works. No need to look behind the curtain to know how it works” mentality that I am so accustomed to in the fast-paced world of quick fixes.
I feel woefully ignorant.
I like the fact that I can do a sub-domain search from a website just so I am not crawling it from my computer. It seems like it would be more beneficial to do the passive information gathering before doing the active version. I have a huge fear of accidentally going out of scope by taking a more active route when first attempting to do a bounty. If I can simply collect this data in an OSINT way, that would be outstanding. Less of a chance of accidentally hitting the wrong command. I am paranoid.
TheHarvester sounds amazing. Amazing enough that I think I might do the OSINT: Corporate Recon one day. Maybe add it to one of my future stages. I am a little baffled by the simple statement, “Here are some scripts for what we are trying to do with TheHarvester and then it performs all these tasks.” I feel like it would have been nicer to make an entire section on TheHarvester pointing out more intricacies of how it operates. Instead, I know some scripts and have to go hunt down what is going on here. Normally I would not mind, but I feel like it could have gone more into detail.
I basically glanced over the scripts for TheHarvester, noted the commands, and put it on my list to do some more research on TheHarvester tonight when the kids go to bed, or to spend the day tomorrow ignoring modules and just spend an intimate two hours with it. Or, just now thinking of a quote from TCM Security, “It is not about the tool, it is about the process.” Maybe right now I should just focus on the process and then focus on the specific tools later.
The next section, Passive Infrastructure Identification, brought back wild memories of a time I had to convince a customer that the reason they could not see something was because their load balancer was scrubbing the headers. This involved back-to-back emails and me having to spin up a lab environment to show them how their load balancer was indeed scrubbing the header. It felt good because the man called me an idiot quite a few times on Zoom.
Then we look at the Wayback Machine. This site floods me with memories of my first tech job at a web agency, where my coworker and I would work late eating Thai food and looking at what sites looked like when we were younger. Ah, fond memories.
Only two sections today, probably because I wrote this while taking notes and learning, but I was also very much caught up on TheHarvester.
Until Tomorrow.