# 🔐 Corebridge Financial Reconnaissance Report
**Author:** Ohanyan

**Date:** April 2025

---
## 🎯 Objective
Conduct passive and active reconnaissance on `corebridgefinancial.com` using OSINT and reconnaissance tools. The goal is to map out the company's digital footprint and identify potential exposures as part of a red team-style assessment.

---
## 🛠 Tools Used
| Tool | Purpose |
|----------------|----------------------------------------------------------------------|
| `assetfinder` | Find domains and subdomains related to the main domain |
| `httprobe` | Probe discovered domains for live HTTP/HTTPS services |
| `aquatone` | Capture screenshots of active web pages |
| `waybackurls` | Collect archived URLs from the Wayback Machine |
| `webpaste` | Look for leaked content from public paste services |
| `wappalyzer` | Analyze the technology stack used on a target website |

---
## 🔍 Reconnaissance Findings
### 🌐 Subdomain Enumeration (`assetfinder`)


---
### 🔗 HTTP Probing (`httprobe`)
Most discovered subdomains responded on:
- **HTTPS (443)** – Secure and encrypted traffic
- **HTTP (80)** – Some redirections to HTTPS were found

**Conclusion:** HTTPS is enforced for most endpoints, indicating good baseline security.

---
### 🖼️ Visual Recon (`aquatone`)
Captured screenshots of web interfaces showed:
- Public landing pages
- Internal login forms (likely for employees or partners)
- Appian-based workflow portals

This confirms the use of internal business tools and possibly legacy or dev environments.



---
### 🧾 Archived URLs (`waybackurls`)
Collected historical URLs from the Wayback Machine, including:
- Old login pages
- Legacy support documents
- Unlinked PDFs

**Risk:** If legacy URLs are still accessible, they may expose outdated functionality or sensitive information.
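
An asset owner can script the same triage over their own archived-URL inventory to decide which legacy pages to retire. The following is an added example, not part of the original report; the category patterns and the `example.com` URLs are constructed assumptions.

```python
# Triage a saved list of archived URLs into the legacy-exposure categories
# named in this report. Runs offline on a plain text list.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed patterns, chosen for illustration; tune them to your own estate.
CATEGORIES = [
    ("login page", re.compile(r"/(login|signin|sso|auth)(/|\.|$)", re.I)),
    ("document", re.compile(r"\.(pdf|docx?|xlsx?)$", re.I)),
    ("support content", re.compile(r"/(support|help|faq)(/|$)", re.I)),
]

def normalize(url):
    """Drop scheme, query and fragment so http/https duplicates collapse."""
    parts = urlsplit(url.strip())
    if not parts.netloc:
        return None  # blank or malformed line
    path = parts.path.rstrip("/") or "/"
    return f"{parts.netloc.lower()}{path}"

def triage(lines):
    """Return {category: sorted unique host+path entries} for review."""
    buckets = defaultdict(set)
    for line in lines:
        key = normalize(line)
        if key is None:
            continue
        path = key[key.index("/"):]
        for name, pattern in CATEGORIES:
            if pattern.search(path):
                buckets[name].add(key)
                break
        else:
            buckets["other"].add(key)
    return {name: sorted(urls) for name, urls in buckets.items()}

# Constructed sample input (not real findings).
SAMPLE = """\
http://portal.example.com/login?next=/home
https://portal.example.com/login/
https://www.example.com/support/2014/reset-guide.PDF
https://www.example.com/support/
https://www.example.com/about
not a url
"""

if __name__ == "__main__":
    for category, urls in triage(SAMPLE.splitlines()).items():
        print(category, urls)
```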


---
### 🔬 Web Technologies (`wappalyzer`)
Identified technologies used by the main website:

| Category | Technology |
|--------------------|--------------------------------------|
| CMS | Adobe Experience Manager (AEM) |
| JavaScript | React |
| Tag Management | Adobe Launch |
| Web Hosting | Amazon Web Services (AWS) |
| Security/CDN | Akamai, CloudFront |
| Analytics | Google Analytics |

This setup reflects an enterprise-grade architecture with emphasis on performance and marketing.

---
### 🧷 Public Pastes (`webpaste`)
`webpaste` is a powerful utility designed to simplify and automate the process of harvesting URLs from search engine queries and pasting them directly into the terminal for further analysis. It complements passive reconnaissance workflows, especially when dealing with sites that don't offer a public API.

---
**Passive Tools Used**: `assetfinder`, `waybackurls`, `wappalyzer`, `webpaste`

**Active Tools Used**: `httprobe`, `aquatone`

---
## ✅ Conclusion
This project demonstrated how reconnaissance using open-source tools can uncover a company’s digital footprint. Corebridge Financial maintains a professional and secure web presence, but like many enterprises, shows typical signs of legacy exposure and internal development leaks.

By combining **passive** and **active** techniques, a comprehensive view of the organization’s public-facing infrastructure was obtained without breaching legal or ethical boundaries.

---
## 📝 Notes
All reconnaissance was performed ethically using only publicly accessible information. No unauthorized access or scanning was performed.

Most of the tools I used during this project are open-source and available on GitHub. Many of them, like `assetfinder`, `httprobe`, and `waybackurls`, were created by [@TomNomNom](https://github.com/tomnomnom).