Day 46/100 Hack and Improvement

2 minute read

Day 46 comes with a quick review from Offensive AI

Offensive AI, worth it?

From Sam (CoffeeJunkie). Being a noob, spending around two years in network penetration testing and just two months in web application testing or “Bug Bounties”, enumeration was used to be something that I was expect to take couple hours or days according the target. Then, trying out Offensive AI for around a week and a half, it surprised me how fast the recon from my targets can be, and how much time I can save. Of course, some people might like the manual approach, but I’m not patient, I like to put hands on testing, that’s why Offensive AI seemed a time saver.

Here we’ll cover Offensive AI’s approach for known public programs and private programs, as also its usefulness related to threat intel, notes, and reporting. If anybody thinks I missed something, do not hesitate to tell me.

Approach for known public programs

Offensive AI seemed to be constantly updating the enumeration of the assets from known public programs such as yahoo, starbucks, airbnb, at&t, paypal and more. This is amazing for somebody who’s not familiar with the program and wants to have a fast visual recon before jumping on the manual recon. It is also great for hunters who already know certain domains and subdomains from the target and wants to expand their recon in a better scope.

nmap scan

Something cool and totally recommended is to check the the scopy and policy of the company which is well provided by Offensive AI.

Approach for private programs

Offensive AI offers the same recon process to private programs which is great! Therefore, if you’re interested in hunting in private programs, the only thing that you have to do is to provide the domain name from your target and make yourlself a cup of coffee while the recon is done.

nmap scan

As you can see, if you’re planning to update the information from your scans, you simply have to click scan and it will be done.

How about subdomain enumeration, screenshooting, dns information, assets, portscanning and crawling?

Offensive AI has everything you need for your recon. The tool includes subdomain enumeration, screenshoting, DNS information (useful for subdomain takeovers), assets, crawling, database leaks, and port scanning. Besides, it provides part of the banner including versions of the server and the HTTP requests that have been made. If you see a service which is running a vulnerable version of a server, Offensive AI will recommend you the latest exploits found for that version including the attack tree.

The following are examples of the enumeration made for yahoo.com

nmap scan

As you can see, it includes the technology that different assets from yahoo.com are running.

nmap scan

In this case it appears the services and port running in the target.

nmap scan

Of course, screenshots, you can spend a good amount of time just by looking at the information provided in the screenshot section

nmap scan

This is one of my favorite sections, just by looking at the assets, I can check a domain, service, or port that is on my interest and look at the attack tree and possible exploits given.

nmap scan

This section comes pretty handy at the time to look for titles in the websites, and also at the responses from the HTTP requests.

nmap scan

This one is another of my favorites due to the capabilities to see a possible subdomain takeover, besides as you can see, the capabilities are good.

Need more info about a payload or something? No problem

By the section called Threat Intel, users from Offensive AI are capable to gather information from twitter by submiting the information that the user wants to obtain.

nmap scan

Need reporting notes?

As well, Offensive AI has a reporting and note taking section!

nmap scan nmap scan

As something nice, it comes with markdown editor where you can make sure your report is good before submiting it. Besides that it has templates for different vulnerability types.

Conclusion

Offensive AI is a great tool, but it’s not perfect, would be good if users have the option to export the scan in some kind of HTML form with the purpose to save it as future reference when updating a new scan. But, it’s a time saver and gives an amazing perception scope about the target! People might like it or not, it all depends in the methodology and approach from the hunter. It has worked fine for me, in future blog posts I’ll explain how I obtained account take overs by only using Offensive AI

Leave a comment