Attack Surface Management - IP Addresses

We wrote this Blog in order to guide people on what IP addresses to use when they are using the Robo Shadow vulnerability Scanner to externally scan IP addresses. However it will also help in assisting any one who wants to understand what their scope of Penetration Test should be and the all-round thought process on attack surface management when it comes to IP addresses.

Just to be super quick for anyone who lands on this Blog just passing by and wants to know how to check your own “External IP Address” for the device your on now then simply go to Google and type “What is my IP”. This will return what the current IP address is that you are broadcasting to the outside world currently.

What is an Attack Surface?

So by now we should all know what an IP address is, however its also worth noting that every network pretty much has an external IP address, and this is how it broadcasts out onto the Internet (which by definition is a way that people can get into your network).

So your office, your data centres, your home internet, even your mobile phones will have an external IP address that faces raw (or sometimes called dirty) internet.  Depending on how you have your firewall configured (or whatever software is managing remote connections for that particular device) then effectively if you have an external IP address you have an “Attack Surface” that hackers can try and exploit to gain access to your network.

An attack surface encompasses many things and not just IP addresses (i.e it could include a device, webserver or SaaS account etc.) However for this Blog when we are discussing “Attack Surface Management” we specifically mean IP addresses.

How do we choose what IP’s to Scan for a Penetration Test / Vulnerability Assessment

So this subject can get complex but we will try to keep it fairly high level, feel free to reach out and contact us if you would like any more detail on any of the points raise in this Blog.

Home and Office Network IP Addresses

Home Internet connections and Office internet connections like most networks will have an external IP of which needs to be scanned.  Now it doesn’t mean that every Home or Office connection is open to the world, effectively you need to have a “Port Open” for a connection from the outside raw internet to be able to pass through to the internal network.

Most Home or Office Internet connections will only have 1 IP address but it is possible for an internet connection to have more than 1 IP address assigned to it so this is something to look out for but in most circumstances 1 IP address per internet connection should be the rule.

Data Centre / Cloud

When it comes to Cloud or Data Centres then there is likely to be more than 1 IP address, basically the core network (subnet) which the data centre or cloud is on may have a central IP address but different services or servers hosted within the Cloud or Data Centre may have their own dedicated IP addresses for particular services that are running.

To be thorough, if you need to analyse the attack surface on your cloud or data centre then doing a “what is my IP” lookup on each server or service will help to alleviate any ambiguity.  It is also worth mentioning that there maybe other tech in the Cloud / Data centre which is “serverless” and may still be an attack surface (but that you don’t normally associate with an IP address).

Examples of this would be a web application firewall or API endpoint which is typically accessed via a DNS name (friendly name) as opposed to an IP address. If you need any additional advice on serverless of cloud tech then feel free to reach out.

Obviously when working out IP address attack surfaces for Cloud / Data Centres then you may need to involve your IT team or managed service provider to get the scope as accurate as possible.

Website

So your website will also be behind an IP address but depending on hosting it maybe behind load balancers or web application firewalls.  Even if the IP address changes regularly you can still scan the IP address the website responds to currently.

To do this simply ping the website address and what ever IP is returned is the current IP address hosting your website today. Even if you don’t know how to ping you’re your current device a quick google on the subject will get you there.

Legalities around scanning ports

So this is a much debated topic, however port scanning is not considered to be illegal in most countries (however please do check as this is not the case in all countries).

Effectively port scanning (what happens in a vulnerability scan) is pretty benign and wont effect the target IP your scanning, when you come to start doing invasive penetration testing with exploitation tools (this should only be done by people who know what they are doing) then this is where you can start negatively effecting the remote IP your scanning.

Fringe Cases and things to note

• So it is worth nothing some corporate setups will either be behind proxy servers which may have multiple IP addresses
• You may also be behind a VPN connection of you have to dial into a corporate environment which may mask your external IP address to be different compared to the actual network your on.
• Not all IP addresses are fixed, some change every time the router is rebooted this is called a “Dynamic IP”
• Your website domain might also have “sub domains” which will have different IP addresses, do bare this in mind when trying to nail your “Web Attack Surface”. I.e www.mydomain.com could have api.mydomain.com or test.mydomain.com.

In a nutshell if you a responsible for protecting an organisation or certainly just interested in the “Attack Surface” of your organisation then simply having a spread sheet matrix of all your IP addresses is definitely the way to get started.

As always feel free to get in touch if you have any questions.