
CompTIA CSA+

Cybersecurity Analyst Certification

1.2 Reconnaissance Techniques


Objectives
• Understand the range of network reconnaissance techniques that may be used to test security systems
• Identify social engineering techniques and web search tools to perform reconnaissance
• Use topology discovery, host discovery, and OS fingerprinting tools

Let's discuss more about security.
The Kill Chain
• Cyber attacks
• “Kill chain” lifecycle of attacks. Chart courtesy of Lockheed Martin

Courtesy of Lockheed Martin and SANS Institute.
Kill Chain Stages (1)
• Planning / scoping
o Methods
o Concealment
o Resources

• Reconnaissance / discovery
o Passive information gathering
o Active scanning
o Identify exploits

Planning is critical for you and the hacker. Methods are developed and implemented.
Kill Chain Stages (2)
• Weaponization
o Use an exploit to obtain a pivot point
o Install tools to maintain covert access
o Command and Control (C2 or C&C) network

• Post-exploitation
o Lateral discovery (scan from within network)
o Identify assets and potential exploits
o Harvest credentials and authorizations

Weaponization: the attacker uses an exploit to gain access.
Kill Chain Stages (3)
• Action on objectives
o Perform data breach / data exfiltration
o Act on other objective…

• Retreat
o Adversary might seek to maintain access
o Alternatively might seek to retreat and remove
o Cover traces of attack

Actions and retreat.
Reconnaissance Techniques
• Information gathering in the reconnaissance phase of the kill chain
• Open Source Intelligence (OSINT)
o Search the web and social media for company and employee profiles

• Social engineering
• Active scanning

Reconnaissance Phase Objectives
• Identify data assets and pivot points
• Targets for investigation
o Organization
o Employees
o IT systems
o Suppliers and customers

Open Source Intelligence
• “Passive” reconnaissance techniques
• Locate information that the target may not regard as exploitable or may not even know they have disclosed
• Performing searches covertly
o Compromise another user account or web server
o Use anonymized proxies / VPNs
o “Bulletproof” hosting providers and ISPs

Google Hacking and Search Operators
• What can you find with Google Search?
• Search syntax
o Quotes
o NOT
o AND / OR / parentheses
o Scope (allin)
o URL modifiers (&xxx=)

• Google Dorks
o Google Hacking Database maintained by Offensive Security
o Search strings to locate vulnerable servers, web applications, password files, web cams, …

Email Harvesting
• Get list of valid email recipients at target domain
• Identify real names from email addresses and link to social media accounts
• Identify personal email addresses linked to employee
• Cross-reference with other sources to identify job roles (promotional material, regulatory filings, …)
• Methods
o Trade lists
o Google search / automated tools
o Test for bouncebacks

Social Media Profiling
• Scan corporate social media accounts and feeds
• Identify employees’ personal accounts
o Access private profiles (become a friend or exploit a friend’s account)

• Build social engineering exploits
• Identify current location

DNS Harvesting
• whois – how are web services run and hosted? What does that say about the IT systems?
• nslookup / dig – what information about hosts is published?
• netcraft.com – made-to-order site report

whois, nslookup, and netcraft: know these services for the exam.
Website Ripping
• Cache code behind website
• Analyze for vulnerabilities, email addresses, ...
• Look for links to customer or supplier sites (might be more exploitable than the primary target)

Social Engineering
Topology Discovery
• “Footprinting” the network layout – what are the connections between switches, routers, access points, and hosts?
• Variables
o Web / remote access
o Wireless
o Wired
o Virtual versus physical
o On-premise versus cloud

Network Mapping Tools
• Automated software to perform topology and host discovery
o Enterprise system management suites (MS System Center or HP OpenView)
o Simple Network Management Protocol (SNMP)
o Native command line tools and Nmap

• Covert network mapping
o Gain local access
o Avoid scan detection
o Gain internetwork access

ipconfig / ifconfig

ipconfig (Windows) and ifconfig (Linux)
ping
• Basic connectivity test
• Use a script to perform a ping sweep
• ARP cache and MAC addresses

Ping is an ICMP-based tool that can detect the presence of a host.
Nmap (Zenmap)

Zenmap
Nmap Host Discovery Methods
• -sn / -sP – suppress port scan
• -sL – list targets (and perform reverse-DNS query if name server available)
• -PS – TCP SYN ping (probe different ports)
• --scan-delay / -T – sparse scanning (to defeat IDS)
• -sI – idle scanning (disguise source of scan)
• -f / --mtu – fragment probes (to defeat IDS)

Nmap host discovery. Scan ports.
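As an added example (not part of the CompTIA slides and not Nmap's own code): a Python script that parses the grepable output of a host discovery scan (nmap -sn -oG -) and reconciles the hosts it found against an asset inventory, so that devices a defender does not expect on a subnet stand out. The scan output and the inventory are constructed for illustration, using addresses from the 192.0.2.0/24 documentation range.

```python
import re

# Constructed sample of `nmap -sn -oG -` (grepable) output; not captured from a real scan.
SAMPLE_GREPABLE = """\
# Nmap 7.x scan initiated (constructed sample) as: nmap -sn -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.4 (printer.example.test)\tStatus: Up
Host: 192.0.2.5 ()\tStatus: Down
# Nmap done at (constructed sample) -- 8 IP addresses (3 hosts up) scanned in 1.23 seconds
"""

# Constructed asset inventory: the addresses the defender expects to see on this subnet.
KNOWN_ASSETS = {"192.0.2.1", "192.0.2.4"}

# Grepable "Host:" lines look like: Host: <ip> (<reverse-dns or empty>)<TAB>Status: Up|Down
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_grepable(text):
    """Return one record per Host: line; comment lines (#) are ignored."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, name, status = m.groups()
            hosts.append({"ip": ip, "name": name or None, "up": status == "Up"})
    return hosts


def live_hosts(hosts):
    """IPs that answered the host discovery probes."""
    return [h["ip"] for h in hosts if h["up"]]


def reconcile(hosts, inventory):
    """Compare live hosts with the inventory: 'unknown' = live but not inventoried,
    'missing' = inventoried but did not answer (down, or filtering the probes)."""
    live = set(live_hosts(hosts))
    return {"unknown": sorted(live - inventory), "missing": sorted(inventory - live)}


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_GREPABLE)
    result = reconcile(found, KNOWN_ASSETS)
    print("live hosts:", live_hosts(found))
    print("not in inventory:", result["unknown"])
    print("inventoried but silent:", result["missing"])
```

Run against real output by piping `nmap -sn -oG - <subnet>` into the script instead of the constructed sample; a host in the "unknown" list is the first thing to investigate, and a "missing" host may simply be filtering ICMP and TCP pings rather than being offline.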
tracert / traceroute

tracert (Windows) and traceroute (Linux) can probe the path to a host.
Service Discovery
• Fingerprinting – what is the host behind each IP?
• Types of host / appliance
o Layer 2 interconnectivity (no IP) – switches and access points (and some types of firewall)
o Layer 3 – routers, servers, and endpoints

Fingerprinting: use netstat -aV or -A to probe a host.
netstat (Windows)
• -a displays all connections (active and listening)
• -b shows the process name
• -o shows the Process ID (PID) number
• -n displays ports and addresses in numerical format
• -s shows per protocol statistics
• -p proto displays connections by protocol
• -r shows the routing table
• -e displays Ethernet statistics

netstat (Linux)
• -t / -u show TCP / UDP
• -a includes ports in the listening state
• -p shows the PID
• -r shows the routing table
• -i displays interface statistics
• -e verbose mode
• -c updates continuously

netstat
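The two netstat slides list the switches; as an added example (not from the slides), this Python script parses constructed `netstat -tulpn` output from a Linux host (-t/-u for TCP/UDP, -l for listening, -n numeric, -p for PID and program) and lists the listeners bound to every interface, which is the attack surface a fingerprinting probe from the network would see. The sample output is constructed, not captured from a real host.

```python
# Constructed sample of `netstat -tulpn` output on Linux (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1044/postgres
tcp6       0      0 :::80                   :::*                    LISTEN      1301/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp6       0      0 ::1:323                 :::*                                540/chronyd
"""

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


def split_endpoint(endpoint):
    """Split 'host:port' on the LAST colon so IPv6 forms such as ':::80' survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn netstat -tulpn output into a list of socket records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue  # skip the two header lines
        proto = parts[0]
        local_host, local_port = split_endpoint(parts[3])
        if proto.startswith("tcp"):
            state, pidprog = parts[5], parts[6]
        else:
            state, pidprog = "", parts[5]  # UDP rows have no State column
        pid, _, program = pidprog.partition("/")
        records.append({
            "proto": proto,
            "host": local_host,
            "port": int(local_port),
            "state": state,
            "pid": int(pid) if pid.isdigit() else None,
            "program": program,
        })
    return records


def exposed_listeners(records):
    """Listeners bound to a wildcard address, sorted by port: what the network can reach."""
    return sorted((r for r in records if r["host"] in WILDCARD_HOSTS),
                  key=lambda r: r["port"])


if __name__ == "__main__":
    for r in exposed_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{r['proto']:5} {r['port']:>5} {r['program']} (pid {r['pid']})")
```

On a real host, feed the script the output of `netstat -tulpn` run as root (without root, the PID/Program column shows "-" and the parser records the PID as None). Loopback-only services such as the PostgreSQL listener in the sample are deliberately left out of the exposed list, since a scanner on the network cannot reach them.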
Nmap Service Discovery
• TCP SYN (-sS) - half-open scanning
• TCP connect (-sT) - if privileged driver access is not available, Nmap has to use the OS to attempt a full TCP connection
• TCP flags - set TCP headers in unusual ways
o Null (-sN)
o FIN (-sF)
o Xmas scan (-sX)

• UDP scans (-sU)

• Port range (-p)

Several NMAP commands will be tested.
Nmap Port States
• Open - an application on the host is accepting connections
• Closed - the port responds to probes but no application is available to accept connections
• Filtered - usually because a firewall is blocking the probes
• Other port states
o Unfiltered - used with an ACK scan, the purpose of which is to test a firewall ruleset
o Open|Filtered - reported by some types of scan when Nmap cannot determine if the port is open or filtered
o Closed|Filtered - reported by TCP Idle scans that cannot determine whether the port is closed or filtered

Know the main NMAP port states for this EXAM!!!
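The port-state rules above, written out as a small Python classifier (an added example, not part of the slides and not Nmap's own code): given the scan type from the Service Discovery slide and the response the probe got back, it returns the state Nmap would report. The response labels and the probe log are constructed for illustration; the rules follow Nmap's documented interpretation of each scan type, including the idle scan's use of the zombie's IP ID counter.

```python
# Response labels used by the classifier (constructed vocabulary, not Nmap output):
#   "syn-ack"            TCP SYN/ACK came back
#   "rst"                TCP RST came back
#   "udp-reply"          a UDP datagram came back
#   "icmp-port-unreach"  ICMP type 3 code 3 (port unreachable)
#   "icmp-unreach-other" other ICMP unreachable codes (1, 2, 9, 10, 13)
#   "none"               no reply after retransmission

def port_state(scan, response):
    """Map (scan type, observed response) to the Nmap port state."""
    scan = scan.lower()
    if scan in ("syn", "connect"):       # -sS half-open / -sT full connect
        if response == "syn-ack":
            return "open"
        if response == "rst":
            return "closed"
        return "filtered"                # silence or ICMP unreachable: a firewall in the way
    if scan == "ack":                    # -sA, used to map a firewall ruleset
        return "unfiltered" if response == "rst" else "filtered"
    if scan in ("null", "fin", "xmas"):  # -sN / -sF / -sX, unusual flag combinations
        if response == "rst":
            return "closed"
        if response == "none":
            return "open|filtered"       # an open port and a dropping firewall look alike
        return "filtered"                # ICMP unreachable
    if scan == "udp":                    # -sU
        if response == "udp-reply":
            return "open"
        if response == "icmp-port-unreach":
            return "closed"
        if response == "none":
            return "open|filtered"
        return "filtered"
    raise ValueError(f"unknown scan type: {scan}")


def idle_scan_state(ipid_delta):
    """Idle scan (-sI) never sees the target's reply directly: it watches the zombie's
    IP ID counter, which rises by 2 when the target port is open and by 1 otherwise."""
    if ipid_delta == 2:
        return "open"
    if ipid_delta == 1:
        return "closed|filtered"
    return "unknown"  # zombie was busy or does not use an incremental IP ID


# Constructed probe log: (port, scan type, response); not captured from a real scan.
PROBE_LOG = [
    (22, "syn", "syn-ack"),
    (23, "syn", "rst"),
    (25, "syn", "none"),
    (80, "ack", "rst"),
    (443, "ack", "none"),
    (135, "xmas", "none"),
    (139, "fin", "rst"),
    (53, "udp", "udp-reply"),
    (161, "udp", "icmp-port-unreach"),
    (69, "udp", "none"),
]


def summarize(log):
    """Classify every probe in the log, keyed by (port, scan type)."""
    return {(port, scan): port_state(scan, resp) for port, scan, resp in log}


if __name__ == "__main__":
    for (port, scan), state in summarize(PROBE_LOG).items():
        print(f"{port:>5}/{scan:<7} {state}")
```

The classifier makes the exam point concrete: the same silence means "filtered" for a SYN scan but only "open|filtered" for Null, FIN, Xmas and UDP scans, because those probes get no positive reply from an open port, and an ACK scan never reports "open" at all, only whether a firewall let the packet through.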
OS Fingerprinting
• Use -sV or -A to perform OS fingerprinting

Nmap Scripting Engine

Learn NMAP
Review
• Understand the range of environmental and network reconnaissance techniques that may be used to test security systems
• Identify social engineering techniques and web search tools to perform reconnaissance
• Use topology discovery, host discovery, and OS fingerprinting tools

Practice Questions
Exam Tip

Know the correct flow of the Kill Chain.
Planning, reconnaissance, weaponization / exploit, lateral discovery, data exfiltration, retreat

Exam Tip

Know the function of -A in NMAP.
Performs service detection (verify that the packets delivered over a port correspond to the "well known" protocol associated with that port) and version detection (using the scripts marked "default").

Exam Tip

Know the tools for passive social recon.
Web search ("Google Hacking"), email harvesting, social media harvesting, DNS harvesting, and website ripping
