"But, it’s just a name…?" or Automating Recon with Battalion

Presented at ToorCon San Diego 18 (2016), Oct. 16, 2016, noon (20 minutes)

Recon is an early stage of a security engagement or malicious targeted attack. It often consists of finding the attack surface, getting info on systems and people, and minimally touching the target systems. This phase of an engagement can cost skilled individuals many hours doing manual tasks with some risk of missing important data. We have written a tool, which we’re releasing today, which will automate a HUGE portion of the recon process. It can save hours to tens of hours on engagements and just requires two very simple pieces of information: By using a series of tools, sanitization methods, APIs, and other methods in a specific order our tool is able to scavenge many useful bits of data. It finds information like user names of employees, discover if employee emails have been involved in breaches, creates some targeted phishing campaigns, enumerate open ports and vulnerabilities (without touching their systems via Shodan and other APIs) and all sorts of other great data. Apart from automating recon the utility will also present data very cleanly. Data is presented in a folder and including a summary report, detailed report, and a set of files detailing the various networks, public hosts, technologies, and other types of data (a list of sites running wordpress with version number, etc.) A small subset of the scan data includes: * Discovered Subdomains with record type, IP, present technologies, open ports, detected vulnerabilities * A list of compromised users (email addresses from the company detected in breaches) * Which sites/subdomains are running WordPress, IIS, Apache, nginx, etc. * Passively (shodan) or actively (nmap) detected open ports/protocols * Known vulnerabilities from scans, shodan, or other tools This tool should save hours for anyone involved on a pentest and will allow the security engineer to do less tedious work and focus more technical challenges, reports, and providing an optimal experience for the client.


  • Patrick Garrity – @eidolonpg
    Patrick Garrity is a Sr. Software Engineer at Nerdery in Minneapolis. His expertise helped turned my crude/inefficient POC scripts in to a polished and documented tool.
  • Stewart Olson – @AbraxasSC2
    Stewart is a seasoned Systems administrator starting to focus on security who has experience with scripting, automation, network/storage/server technologies, and blue team.

Similar Presentations: