02 Reconnaissance Techniques
Courtesy of Lockheed Martin and the SANS Institute.
Kill Chain Stages (1)
• Planning / scoping
o Methods
o Concealment
o Resources
• Reconnaissance / discovery
o Passive information gathering
o Active scanning
o Identify exploits
Planning is critical for you and for the attacker. Methods are developed and implemented.
Kill Chain Stages (2)
• Weaponization
o Use an exploit to obtain a pivot point
o Install tools to maintain covert access
o Command and Control (C2 or C&C) network
• Post-exploitation
o Lateral discovery (scan from within network)
o Identify assets and potential exploits
o Harvest credentials and authorizations
Weaponization: the attacker uses an exploit to gain access.
Kill Chain Stages (3)
• Action on objectives
o Perform data breach / data exfiltration
o Act on other objective…
• Retreat
o Adversary might seek to maintain access
o Alternatively might seek to retreat and remove
o Cover traces of attack
Actions and Retreat
Reconnaissance Techniques
• Information gathering in the reconnaissance phase of the kill chain
• Open Source Intelligence (OSINT)
o Search the web and social media for company and employee profiles
• Social engineering
• Active scanning
Reconnaissance Phase Objectives
• Identify data assets and pivot points
• Targets for investigation
o Organization
o Employees
o IT systems
o Suppliers and customers
Open Source Intelligence
• “Passive” reconnaissance techniques
• Locate information that the target may not regard as exploitable or may not even know they have disclosed
• Performing searches covertly
o Compromise another user account or web server
o Use anonymized proxies / VPNs
o “Bulletproof” hosting providers and ISPs
Google Hacking and Search Operators
• What can you find with Google Search?
• Search syntax
o Quotes
o NOT
o AND / OR / Parentheses
o Scope (allin)
o URL modifiers (&xxx=)
• Google Dorks
o Google Hacking Database maintained by Offensive Security
o Search strings to locate vulnerable servers, web applications, password files, web cams, …
Email Harvesting
• Get list of valid email recipients at target domain
• Identify real names from email addresses and link to social media accounts
• Identify personal email addresses linked to employee
• Cross-reference with other sources to identify job roles (promotional material, regulatory filings, …)
• Methods
o Trade lists
o Google search / automated tools
o Test for bouncebacks
Social Media Profiling
• Scan corporate social media accounts and feeds
• Identify employees’ personal accounts
o Access private profiles (become a friend or exploit a friend’s account)
• Build social engineering exploits
• Identify current location
DNS Harvesting
• whois – how are web services run and hosted? What does that say about the IT systems?
• nslookup / dig – what information about hosts is published?
• netcraft.com – made-to-order site report
whois, nslookup, and netcraft: know these services for the exam.
Website Ripping
• Cache code behind website
• Analyze for vulnerabilities, email addresses, ...
• Look for links to customer or supplier sites (might be more exploitable than the primary target)
Social Engineering
Topology Discovery
• “Footprinting” the network layout – what are the connections between switches, routers, access points, and hosts?
• Variables
o Web / remote access
o Wireless
o Wired
o Virtual versus physical
o On-premise versus cloud
Network Mapping Tools
• Automated software to perform topology and host discovery
o Enterprise system management suites (MS System Center or HP OpenView)
o Simple Network Management Protocol (SNMP)
o Native command line tools and Nmap
ipconfig / ifconfig
ipconfig (Windows) and ifconfig (Linux)
ping
• Basic connectivity test
• Use a script to perform a ping sweep
• ARP cache and MAC addresses
Ping is an ICMP utility that can detect the presence of a host.
Nmap (Zenmap)
Zenmap
Nmap Host Discovery Methods
• -sn / -sP – suppress port scan
• -sL – list targets (and perform reverse-DNS query if name server available)
• -PS – TCP SYN ping (probe different ports)
• --scan-delay / -T – sparse scanning (to defeat IDS)
• -sI – idle scanning (disguise source of scan)
• -f / --mtu – fragment probes (to defeat IDS)
Nmap host discovery options; the port scan follows host discovery.
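Seen from the defender's side, a ping sweep or SYN-based host discovery leaves one source touching many destinations in a short time. The script below is an added example (not part of the course material) that flags such sources in constructed firewall log lines; the log format and the 10.0.0.x addresses are invented for the example.

```python
"""Sweep detection over constructed firewall log lines (added example, not
course material). The log format is invented; adapt LINE_RE to your export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic): 10.0.0.5 probes six hosts in six
# seconds (ICMP echo and TCP SYN); 10.0.0.9 only pings its gateway twice.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z SRC=10.0.0.5 DST=10.0.1.1 PROTO=ICMP TYPE=8
2024-05-01T10:00:01Z SRC=10.0.0.5 DST=10.0.1.2 PROTO=ICMP TYPE=8
2024-05-01T10:00:02Z SRC=10.0.0.5 DST=10.0.1.3 PROTO=TCP DPT=443 FLAGS=S
2024-05-01T10:00:03Z SRC=10.0.0.5 DST=10.0.1.4 PROTO=ICMP TYPE=8
2024-05-01T10:00:04Z SRC=10.0.0.5 DST=10.0.1.5 PROTO=TCP DPT=80 FLAGS=S
2024-05-01T10:00:05Z SRC=10.0.0.5 DST=10.0.1.6 PROTO=ICMP TYPE=8
2024-05-01T10:00:07Z SRC=10.0.0.9 DST=10.0.1.1 PROTO=ICMP TYPE=8
2024-05-01T10:00:08Z SRC=10.0.0.9 DST=10.0.1.1 PROTO=ICMP TYPE=8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?P<rest>.*)$")

def is_probe(proto: str, rest: str) -> bool:
    """Treat ICMP echo requests (type 8) and SYN-only TCP packets as probes."""
    if proto == "ICMP":
        return "TYPE=8" in rest.split()
    return proto == "TCP" and "FLAGS=S" in rest.split()  # SYN without ACK (-PS, -sS)

def detect_sweeps(log_text: str, min_hosts: int = 5, window_s: int = 60) -> dict:
    """Return {source: most distinct hosts probed within any window_s-second
    window} for sources that reach min_hosts; other sources are omitted."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_probe(m["proto"], m["rest"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["src"]].append((ts, m["dst"]))
    hits = {}
    for src, probes in events.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):
            # Sliding window from each probe. A sparse scan (--scan-delay,
            # -T0/-T1) spreads probes past the window; widen window_s to see it.
            end = start + timedelta(seconds=window_s)
            targets = {dst for ts, dst in probes[i:] if ts <= end}
            if len(targets) >= min_hosts:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits
```

With the default 60-second window the constructed sweep is reported; with a 3-second window it is not, which is exactly the evasion the --scan-delay / -T options rely on.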
tracert / traceroute
tracert (Windows) and traceroute (Linux) probe the route to a host.
Service Discovery
• Fingerprinting – what is the host behind each IP?
• Types of host / appliance
o Layer 2 interconnectivity (no IP) – switches and access points (and some types of firewall)
o Layer 3 – routers, servers, and endpoints
Fingerprinting: use netstat -aV or -A to probe a host.
netstat (Windows)
• -a displays all connections (active and listening)
• -b shows the process name
• -o shows the Process ID (PID) number
• -n displays ports and addresses in numerical format
• -s shows per protocol statistics
• -p proto displays connections by protocol
• -r shows the routing table
• -e displays Ethernet statistics
netstat (Linux)
• -t / -u show TCP / UDP
• -a includes ports in the listening state
• -p shows the PID
• -r shows the routing table
• -i displays interface statistics
• -e verbose mode
• -c updates continuously
Netstat
Nmap Service Discovery
• TCP SYN (-sS) - half-open scanning
• TCP connect (-sT) - if privileged driver access is not available, Nmap has to use the OS to attempt a full TCP connection
• TCP flags - set TCP headers in unusual ways
o Null (-sN)
o FIN (-sF)
o Xmas scan (-sX)
Several Nmap commands will be tested.
Nmap Port States
• Open - an application on the host is accepting connections
• Closed - the port responds to probes but no application is available to accept connections
• Filtered - usually because a firewall is blocking the probes
• Other port states
o Unfiltered - used with an ACK scan, the purpose of which is to test a firewall ruleset
o Open|Filtered - reported by some types of scan when Nmap cannot determine if the port is open or filtered
o Closed|Filtered - reported by TCP Idle scans that cannot determine whether the port is closed or filtered
Know the main Nmap port states for this exam!
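To make the port states concrete, the added example below (not from the course material) parses Nmap's grepable -oG output, which lists each host's explicitly reported ports with their state and collapses the remaining ports under an "Ignored State" count; the scan output it parses is constructed, not captured from a real scan.

```python
"""Parse Nmap grepable (-oG) output into port states (added example, not
course material). The sample scan output below is constructed."""
import re
from collections import Counter

# Nmap -oG writes one tab-separated "Host:" line per host: a "Ports:" field of
# port/state/protocol/owner/service/rpcinfo/version entries, then the state
# it collapsed under "Ignored State:" with a count. Sample is constructed.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -oG - 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 25/open|filtered/tcp//smtp///, 135/closed/tcp//msrpc///\tIgnored State: filtered (998)
# Nmap done at Wed May  1 10:05:00 2024 -- 8 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(
    r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)"
    r"(?:\tIgnored State: (?P<ign>[\w|]+) \((?P<n>\d+)\))?$"
)

def parse_gnmap(text: str) -> dict:
    """Return {ip: {"name", "ports": {port: state}, "ignored": (state, n)}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        ports = {}
        for entry in m["ports"].split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/rpc/ver
            ports[int(fields[0])] = fields[1]
        ignored = (m["ign"], int(m["n"])) if m["ign"] else None
        hosts[m["ip"]] = {"name": m["name"], "ports": ports, "ignored": ignored}
    return hosts

def state_summary(hosts: dict) -> Counter:
    """Count the explicitly listed port states across all hosts; the
    collapsed "Ignored State" ports are added back under their own state."""
    c = Counter()
    for h in hosts.values():
        c.update(h["ports"].values())
        if h["ignored"]:
            c[h["ignored"][0]] += h["ignored"][1]
    return c
```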
OS Fingerprinting
• Use -sV or -A to perform OS fingerprinting
Nmap Scripting Engine
Learn Nmap.
Review
• Understand the range of environmental and network reconnaissance techniques that may be used to test security systems
• Identify social engineering techniques and web search tools to perform reconnaissance
• Use topology discovery, host discovery, and OS fingerprinting tools
Practice Questions
Exam Tip