DEV Community

RoseSecurity

Leveraging GitHub Actions for Automated Active Reconnaissance

What are you doing?

In recent weeks, I have challenged myself to find ways to incorporate offensive security techniques into CI/CD pipelines. Exploring cloud capabilities and automation to wield these techniques has proven both exciting and insightful. Today, I'm thrilled to unveil an unfiltered approach to concealing your origins during the reconnaissance phase of an engagement. In this brief blog, I'll walk you through leveraging GitHub Actions to cloak scanning activities using the power of GitHub's runners.

What is a GitHub Action?

A GitHub Action is an automation workflow that you define and configure to be triggered by events in a GitHub repository. It lets you automate tasks, processes, and workflows directly within the repository, enabling seamless integration of development, testing, deployment, and other activities.

GitHub Actions are defined in YAML files and consist of a series of steps that describe what should happen when the workflow is triggered. We can use this feature to automate the enumeration of a target using GitHub's runners. Workflows can run on self-hosted runners on our own infrastructure, but if we want to obfuscate our origin, we can also use GitHub-hosted runners.

These runners are hosted, maintained, and managed by GitHub itself and are available to any GitHub Actions workflow. GitHub provides a variety of runner types covering different operating systems and versions. Let's demonstrate how to utilize these for reconnaissance:

```yaml
name: Active Reconnaissance GitHub Action
on:
  push:
    branches:
      - main
jobs:
  run_security_scans:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Install Nmap, Nikto, and Dirb
        run: |
          sudo apt-get update
          sudo apt-get install -y nmap nikto dirb

      - name: Run Nmap Vulnerability Scanner
        run: |
          git clone https://github.com/scipag/vulscan scipag_vulscan
          sudo ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
          nmap -sV --script=vulscan/vulscan.nse rosesecurityresearch.com

      - name: Run Nikto Web Scanner
        run: |
          nikto -h rosesecurityresearch.com -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

      - name: Run Dirb Directory Scan
        run: |
          dirb http://rosesecurityresearch.com /usr/share/dirb/wordlists/common.txt
```

Overall, this workflow automates a series of security scans to assess the target domain for vulnerabilities, misconfigurations, and hidden resources. It covers Nmap-based vulnerability scanning, Nikto-based web server scanning, and dirb-based directory brute-forcing, all executed against the target (rosesecurityresearch.com) whenever code is pushed to the main branch.
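The flip side of the hosted-runner trick described above and summarized in this workflow is that the traffic does not come from nowhere: GitHub publishes the address ranges its hosted runners use in the `actions` key of https://api.github.com/meta, so a web server owner can tell runner-originated requests apart from ordinary visitors regardless of the spoofed user agent. The following is an added detection example, not code from the original post or from RoseSecurity. It embeds a constructed, abbreviated stand-in for the meta document (the CIDRs are documentation-range placeholders, not GitHub's real ranges) and a few constructed access-log lines, so it runs offline; the log format and the scoring fields are my own assumptions.

```python
"""Flag web requests that originate from GitHub-hosted Actions runner ranges.

Added example (not from the original post). The meta document below is a
constructed stand-in for GET https://api.github.com/meta; a real deployment
would fetch the live document on a schedule and cache it.
"""
import ipaddress
import json
import re

# Constructed stand-in for the GitHub meta document. Placeholder CIDRs only.
META_JSON = """
{
  "actions": ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"],
  "hooks": ["192.0.2.0/24"]
}
"""

# Assumed combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample access-log lines. The first two reuse the browser-like
# user agent from the workflow above to show that the UA alone is not a signal.
SAMPLE_LOG = [
    '203.0.113.45 - - [10/May/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"',
    '203.0.113.45 - - [10/May/2024:12:00:01 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"',
    '198.51.100.200 - - [10/May/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
    '192.0.2.10 - - [10/May/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '2001:db8:1::7 - - [10/May/2024:12:00:04 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (constructed scanner UA)"',
]


def load_runner_networks(meta_json: str) -> list:
    """Return the Actions runner networks from a GitHub meta document.

    Only the "actions" key is used; webhook ("hooks") ranges are deliberately
    ignored because GitHub's own webhook deliveries are expected traffic.
    """
    meta = json.loads(meta_json)
    return [ipaddress.ip_network(cidr) for cidr in meta.get("actions", [])]


def is_runner_ip(ip: str, networks: list) -> bool:
    """True if the address falls inside any hosted-runner network (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    # ipaddress returns False for a v4 address tested against a v6 network, and vice versa.
    return any(addr in net for net in networks)


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_runner_traffic(lines: list, networks: list) -> dict:
    """Group requests from hosted-runner addresses by source IP.

    Each entry records the request count, the number of 4xx responses (a
    burst of 4xx from one source is the typical footprint of a directory
    brute-force), and the distinct user agents seen.
    """
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_runner_ip(rec["ip"], networks):
            continue
        entry = hits.setdefault(
            rec["ip"], {"requests": 0, "client_errors": 0, "user_agents": set()}
        )
        entry["requests"] += 1
        if rec["status"].startswith("4"):
            entry["client_errors"] += 1
        entry["user_agents"].add(rec["ua"])
    return hits


if __name__ == "__main__":
    runner_nets = load_runner_networks(META_JSON)
    for ip, info in find_runner_traffic(SAMPLE_LOG, runner_nets).items():
        print(f"{ip}: {info['requests']} requests, {info['client_errors']} 4xx, "
              f"{len(info['user_agents'])} user agent(s)")
```

Running it with the constructed data reports two hosted-runner sources (203.0.113.45 with two 404s, and the IPv6 address with one 403) and ignores the webhook-range and out-of-range visitors. The design choice worth noting is that the match is on source address, which the runner cannot change, rather than on the user agent, which the workflow above sets freely; in a real deployment the `actions` list is refreshed from the live meta endpoint because GitHub rotates these ranges.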

I hope you enjoyed this simple demonstration of harnessing GitHub Actions to enumerate targets, and feel free to check out my other work on my GitHub.
