# Digital Footprint Discovery for DFS Platforms
**Lab Goal**: To discover all public-facing digital assets (domains, subdomains, APIs, IP ranges) of a bank in order to map its attack surface.
This lab simulates how attackers build a profile of a DFS (Digital Financial Services) platform before exploitation.
## Hardware and software tools
* A computer (Linux-based OS recommended, e.g., Kali or Ubuntu)
* Stable internet connection
* Tools:
  * Sublist3r – subdomain discovery
  * Amass – advanced subdomain/ASN discovery
  * dnsutils – DNS queries
  * Nmap – port & service scanning
  * Gobuster / Feroxbuster / dirb – directory & file brute-forcing
  * httpx / httprobe – live subdomain verification
  * Arjun – API parameter discovery
  * whois – domain/ASN lookup
  * Optional: Maltego / draw.io for visualization
## Installation
* `sudo apt install whois`
* `sudo apt install sublist3r`
* `sudo snap install amass`
* `sudo snap install httpx`
* `sudo snap install nmap`
* `sudo apt install gobuster`
* `sudo snap install seclists`
* `sudo snap install feroxbuster`
* `sudo apt install arjun`
* `sudo apt install dirb`
## Lab Procedure
#### Step 1: Define the Scope
- Identify the primary target domain (e.g., examplebank.com).
- Check if the bank owns an ASN (Autonomous System Number) using:
  `whois examplebank.com`
- If found, note down the ASN for infrastructure mapping.
#### Step 2: Passive Subdomain Discovery (No Direct Contact)
This step identifies assets without alerting the bank.
* Sublist3r:
`sublist3r -d examplebank.com -o subdomains_sublist3r.txt`
* Amass (Passive Mode):
`amass enum --passive -d examplebank.com -o subdomains_amass.txt`
* Certificate Transparency Logs (crt.sh):
  * Visit: https://crt.sh
  * Search: examplebank.com
  * Note any discovered subdomains.
* Wayback Machine (archived URLs):
`https://web.archive.org/`
* GitHub & Search Engines:
  * Search queries like:
    * `site:github.com examplebank.com`
    * `site:pastebin.com examplebank.com`
* Combine results:
`cat subdomains_sublist3r.txt subdomains_amass.txt | sort -u > all_subdomains.txt`
#### Step 3: Active Subdomain Confirmation
Check which discovered subdomains are actually live.
* Using httpx:
`cat all_subdomains.txt | httpx -o live_subdomains.txt`
* Using dnsutils to resolve:
`dig sub.examplebank.com +short`
#### Step 4: Infrastructure & IP Mapping
Map subdomains to IP addresses and IP ranges.
* Amass Intel (ASN mapping):
`amass intel -asn <ASN_number> -o asn_hosts.txt`
* Shodan / Censys (optional, if allowed):
  Search for IP ranges and banners.
#### Step 5: Port & Service Scanning
Identify open services on live subdomains or IPs.
* Nmap Full Scan:
`nmap -sC -sV -Pn -p- api.examplebank.com -oA api_scan`
* Flags:
  * `-sC` = Default scripts
  * `-sV` = Service versions
  * `-p-` = All ports
  * `-Pn` = No Ping scan
  * `-oA` = Output in multiple formats
* UDP Scan (optional):
`nmap -sU -p 53,123,161 examplebank.com`
#### Step 6: Web Path & Directory Discovery
Look for hidden files and directories.
* Gobuster:
`gobuster dir -u https://examplebank.com/ -w /usr/share/wordlists/dirb/common.txt -x php,html,txt`
* Feroxbuster (recursive):
`feroxbuster -u https://examplebank.com/ -r`
* Dirb:
`dirb https://examplebank.com/`
#### Step 7: API Endpoint & Parameter Discovery
* Browser DevTools (Manual):
  * Open https://online.examplebank.com
  * Press F12 → Network Tab
  * Interact with the site → capture API requests.
* Arjun (Automated):
`arjun -u https://api.examplebank.com -o api_params.json`
* Look for endpoints like /api/v1/, /graphql, /rest/.
#### Step 8: Threat Modeling & Prioritization
Rank discovered assets:
* High Risk: test/dev environments (dev.examplebank.com, staging.examplebank.com), exposed admin portals.
* Medium Risk: login portals, APIs, externally hosted services.
* Low Risk: static websites, marketing sites.
#### Step 9: Documentation & Reporting
Create a structured record of findings.
* Spreadsheet Columns:
  * Asset Type (Website, API, Portal, IP)
  * URL / IP Address
  * Technology (from Nmap / headers)
  * Status (Alive/Dead)
  * Notes (Login required, Exposed directory, API endpoint)
  * Risk Level (High/Medium/Low)
* Visual Mapping:
  * Use Maltego or draw.io to create an attack surface diagram.
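
The following is an added example, not part of the original lab: it cleans the merged Step 2 list, applies the Step 8 ranking, and emits the Step 9 spreadsheet as CSV for an asset inventory. The keyword sets, function names and sample hostnames are assumptions constructed for illustration, and the live list is assumed to contain bare hostnames.

```python
import csv
import io

SCOPE = "examplebank.com"  # in-scope apex domain used throughout the lab
# Keyword sets are assumptions derived from the Step 8 rubric; tune per engagement.
HIGH = {"dev", "staging", "test", "admin"}
MEDIUM = {"api", "login", "online", "portal"}
COLUMNS = ["Asset Type", "URL / IP Address", "Technology", "Status", "Notes", "Risk Level"]
RANK = {"High": 0, "Medium": 1, "Low": 2}

def normalize(lines):
    """Lowercase, strip wildcard and trailing-dot noise, drop out-of-scope names, dedupe."""
    seen = set()
    for raw in lines:
        name = raw.strip().lower().strip("*.")
        if name == SCOPE or name.endswith("." + SCOPE):
            seen.add(name)
    return sorted(seen)

def tokens(host):
    """Split the labels left of SCOPE on '.' and '-' so matching is whole-word."""
    return set(host[: -len(SCOPE)].rstrip(".").replace("-", ".").split("."))

def risk_level(host):
    return "High" if tokens(host) & HIGH else "Medium" if tokens(host) & MEDIUM else "Low"

def build_inventory(lines, live=()):
    """Return Step 9 rows for every in-scope host, highest risk first."""
    alive = set(normalize(live))
    rows = [{
        "Asset Type": "API" if "api" in tokens(h) else "Website",
        "URL / IP Address": h,
        "Status": "Alive" if h in alive else "Dead",
        "Risk Level": risk_level(h),
    } for h in normalize(lines)]  # Technology and Notes stay blank for manual entry
    return sorted(rows, key=lambda r: (RANK[r["Risk Level"]], r["URL / IP Address"]))

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample input: merged Step 2 names and Step 3 live hosts (bare hostnames).
SAMPLE = ["www.examplebank.com", "*.examplebank.com", "DEV.examplebank.com.",
          "test-api.examplebank.com", "api.examplebank.com", "cdn.examplebank.net",
          "online.examplebank.com", "www.examplebank.com"]
SAMPLE_LIVE = ["www.examplebank.com", "api.examplebank.com", "test-api.examplebank.com"]
```

Call `to_csv(build_inventory(SAMPLE, SAMPLE_LIVE))` to get the sheet. Whole-token matching keeps a name such as `devices.examplebank.com` from being ranked as a dev environment.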
## Key Takeaway
This lab demonstrates how attackers can map a bank’s digital footprint. Forgotten or poorly secured assets (e.g., test-api.examplebank.com, dev.examplebank.com) greatly increase the attack surface and provide easy entry points for exploitation.