Cybersecurity Reconnaissance Techniques
74 Questions
Questions and Answers

    What is the primary purpose of reconnaissance in an attack?

        • To enhance firewalls
        • To exploit vulnerabilities
        • To gather information about the target (correct)
        • To create malware

    Active reconnaissance methods cannot be detected by the target organization.

        False

    Name one type of technical data that can be gathered during reconnaissance.

        Internet-routable subnets

    The two main categories of data sought during reconnaissance are ______ and non-technical.

        technical

    Match the following types of reconnaissance methods to their descriptions:

        • Active = Detectable by the target organization
        • Passive = Harder for the target organization to detect
        • Technical = Internet-routable subnets, antivirus software
        • Non-Technical = Geographic locations and personnel titles

    Which of the following is an example of passive reconnaissance?

        Analyzing publicly available information

    There is only one method for gathering reconnaissance data.

        False

    What is the difference between technical and non-technical reconnaissance data?

        Technical data pertains to technology used by the organization, while non-technical data includes organizational structures and personnel.

    Which of the following is NOT part of the baseline technical data you should collect about a target organization?

        Financial records and statements

    An Autonomous System (AS) number can represent multiple IP address ranges.

        True

    What protocol is commonly known as the 'routing protocol of the internet'?

        Border Gateway Protocol (BGP)

    IPv4 and IPv6 address allocations can be found in __________ information.

        registrant

    Match the following DNS concepts with their descriptions:

        • DNS cache snooping = A method to check what DNS queries have been made
        • Domain Harvesting = Collecting DNS names from websites
        • DNS zones = Different segments managing DNS records for internal and external use
        • BGP = Routing protocol that uses AS numbers

    What does DNS stand for?

        Domain Name System

    Organizations can have separate DNS servers for internal and external use.

        True

    What is a potential vulnerability that can be exploited in relation to DNS?

        DNS cache snooping

    What does cache snooping allow us to do?

        Enumerate websites and systems requests

    A recursive query always returns a direct answer to the client without the need for further questioning.

        True

    What is the primary routing protocol of the internet?

        Border Gateway Protocol (BGP)

    DNS server configurations that allow ______ queries can lead to vulnerabilities.

        recursive

    Which statement best describes an iterative query?

        Provides a list of other DNS servers to query.

    Match the following terms with their descriptions:

        • Recursive Query = Asks other DNS servers for an answer
        • Iterative Query = Provides a list of other DNS servers
        • BGP = Primary routing protocol of the internet
        • Port Scanning = Technique to identify systems and services exposed online

    BGP configuration typically prefers one provider and uses the second only when the primary connection fails.

        True

    What basic techniques are useful for identifying systems and services exposed to the internet?

        Port scans and ping sweeps

    What is the primary purpose of employing both 'slow and low' and 'hard and fast' scans?

        To adapt to the organization's security measures

    Using a bounce box or proxy is unnecessary when performing scans.

        False

    What information obtained from port scanning is crucial for spear phishing?

        Valid credentials for remote access services

    If the target organization lacks remote services, the strategy should shift to delivering a ______.

        backdoor

    Match the scanning types with their appropriate context:

        • Slow and low = Used when detection is likely
        • Hard and fast = Used when detection is unlikely
        • Port scanning = Identifying services for phishing
        • Web service enumeration = Determining remote access options

    What percentage of organizations is indicated to be unlikely to notice scanning?

        95%

    Automated programs constantly scanning organizations are rare.

        False

    What common tool is mentioned for performing scans?

        nmap

    Which of the following is typically NOT a web system identified in organizations?

        Payroll software

    Geolocation data relates only to physical assets owned by a target organization.

        False

    What is the purpose of using tools like nmap in web service exploration?

        To identify hosts with common web services via port scanning.

    GPS typically uses __________ to calculate the current location on Earth.

        satellites

    Match the following port numbers with their corresponding web services:

        • 80 = HTTP
        • 443 = HTTPS
        • 8080 = Alternative HTTP
        • 2020 = Not standard for web services

    What type of data does active reconnaissance involve?

        Data that is easily detectable by the target

    Passive reconnaissance methods can be detected by the target organization.

        False

    Name one source of reconnaissance data.

        Physical or Cyber

    The two main categories of data sought during reconnaissance are ______ and non-technical.

        technical

    Match the types of reconnaissance data with their examples:

        • Technical = Antivirus software used
        • Non-Technical = Major departments within organization

    Which of the following is an example of technical data collected during reconnaissance?

        Antivirus software used by the organization

    Both active and passive reconnaissance can yield the same types of data.

        True

    What is the main goal of the reconnaissance phase in an attack?

        To explore all possible vulnerabilities of the target organization.

    Which port is NOT commonly associated with web services?

        8081

    Geolocation data can be obtained from digital photos.

        True

    What technology allows for automatic dialing of phone numbers?

        VoIP

    The most accurate geolocation is provided by __________ coordinates.

        GPS

    Match the following web systems with their functions:

        • Teleconference systems = Enables virtual meetings
        • Security camera systems = Monitors physical spaces
        • Server administration tools = Manages server settings
        • Phone management systems = Oversees phone networks

    What does an Autonomous System (AS) number uniquely identify?

        An IP address range or subnet

    DNS information cannot provide technical details about an organization.

        False

    Name one benefit of domain harvesting.

        Identifying multiple hosts associated with a target organization.

    BGP can be described as the __________ protocol of the internet.

        routing

    Match the following terms with their definitions:

        • IPv4 = A 32-bit address format
        • IPv6 = A 128-bit address format
        • DNS = Domain Name System
        • BGP = Border Gateway Protocol

    What type of DNS server configuration might an organization use for secure internal systems?

        Separate internal DNS servers

    An organization can only have one DNS zone for a specific domain.

        False

    What is one potential vulnerability that can arise from DNS configurations?

        DNS cache snooping.

    What is the primary function of cache snooping?

        To enumerate websites and systems requested by users

    A recursive DNS query will always respond with a direct answer to the client.

        True

    What are the two basic modes a DNS server can respond with when it does not have an answer to a query?

        iterative and recursive

    The Border Gateway Protocol (BGP) is the primary __________ protocol of the internet.

        routing

    Match the following DNS query types with their descriptions:

        • Iterative = Client is provided with a list of other DNS servers
        • Recursive = DNS server retrieves the answer from other DNS servers

    How does BGP configuration typically handle Internet routing connections?

        Prefers one provider and uses a backup only when necessary

    Identifying systems and services exposed to the internet is an unimportant aspect of reconnaissance.

        False

    What types of scans are considered basic techniques for identifying systems exposed to the internet?

        port scans and ping sweeps

    When should you opt for the 'slow and low' scanning approach?

        When you suspect the organization has detection technologies

    Using a bounce box or proxy is an unnecessary step when performing scans.

        False

    What is the primary purpose of conducting multiple scans?

        To gather valuable information for further phases of the attack.

    If no remote services are found, the attack strategy should shift to delivering a ______.

        backdoor

    Match the scanning types with their characteristics:

        • Slow and low = Less likely to be detected
        • Hard and fast = Faster but riskier

    What is one of the first services to identify in a network during web service enumeration?

        Remote access services

    Port scanning will almost always trigger security alarms in target organizations.

        False

    What tool is commonly used for conducting port scans?

        nmap

    Study Notes

    Reconnaissance

    • Reconnaissance is the first phase of penetration testing and it must be done before any other step.
    • Advanced attackers spend a significant amount of time on reconnaissance compared to less capable attackers.
    • Reconnaissance aims to explore and identify all potential vulnerabilities within a target organization.

    Data Categories

    • Technical Data: Information about the target organization's technical infrastructure, including IP addresses, subnets, and software used.
    • Non-Technical Data: Information about the target organization's structure, location, personnel, and operations.

    Data Sources

    • Physical Source: Information obtained physically, not through digital means, such as documents, videos, or observations.
    • Cyber Source: Information obtained digitally, such as websites, servers, and databases.

    Data Methods

    • Active Reconnaissance: Activities that are detectable by the target organization, such as port scanning and ping sweeps.
    • Passive Reconnaissance: Activities that are difficult for the target organization to detect, such as collecting information from public sources.

    Technical Data Examples

    • Internet-routable subnets used by the organization.
    • Antivirus software used by the organization.
    • Domain Name System (DNS) records associated with the organization.

    Non-Technical Data Examples

    • Geographic locations of the organization.
    • Major departments within the organization.
    • Important personnel and their titles at the organization.

    Registrant Information

    • Whois and registrant information: Provides details about the owner and contact information for the organization's domain name.
    • IPv4 and IPv6 address allocations: Lists the IP addresses assigned to the organization's network.
    • Autonomous System (AS) number allocations: Identifies the network's unique routing identifier.
    • DNS reverse record delegation: Maps IP addresses back to their corresponding domain names.

    Network Allocation

    • The "Networks" section in search results lists IP address ranges assigned to the organization.
    • Many organizations have unused IP address ranges.

    Autonomous Systems

    • Autonomous System (AS): A unique number identifying a range of IP addresses or subnets.
    • Border Gateway Protocol (BGP): The routing protocol of the internet that uses AS numbers to direct network traffic.
    • The BGP ensures that all hosts on the internet can reach their intended destination.
    • If a routing path fails, BGP identifies an alternative path.

    DNS Information and Records

    • Domain Name System (DNS): Provides valuable technical and non-technical information about the organization.

    Domain Harvesting

    • Domain Harvesting: Identifying as many hosts as possible by collecting DNS names from websites through specialized tools.

    DNS Zones

    • Organizations may have separate DNS zones and servers for internal and external use.
    • Different DNS servers can return different results for the same domain name.
    • Organizations may also have separate domain names for internal systems.
    • Third-party vendors can host domain names belonging to the target organization.

    DNS Cache Snooping

    • DNS Cache Snooping: Enumerating websites and systems requested by users or systems within the target organization.
    • Requires the DNS server to be configured to allow recursive queries.
    • A DNS server can respond to a client through iterative or recursive queries:
      • Iterative: The server provides a list of other DNS servers for the client to query directly.
      • Recursive: The server queries other DNS servers and returns the result directly to the client.

    Border Gateway Protocol (BGP)

    • BGP: The primary routing protocol of the internet.
    • Enables decentralized and dynamic exchange of routing information on the internet.
    • Two or more internet service providers (ISPs) can handle DNS subnets over their links.
    • Typically, one ISP connection is configured as primary and the other as backup, only used if the primary connection fails.
    • This can lead to different firewall configurations for each connection, potentially creating vulnerabilities for attackers.

    System and Service Identification

    • System and Service Identification: Identifying systems and services exposed to the internet within the target organization.
    • Port Scanning and Ping Sweeps: Basic techniques used to identify active systems and services.
    • Slow and Low Scan: A cautious approach used when the target organization might have security systems in place.
    • Hard and Fast Scan: A faster and more aggressive scan used when the target organization is unlikely to detect the activity.
    • Bounce Box or Proxy: A system used to conceal the origin of the scan and protect the attacker's identity.
    • Nmap: A popular port scanning tool that can be used for both slow and fast scans.
    • Information obtained from port scanning is crucial for subsequent attack phases.
    • Example: Identifying a VPN service could allow the attacker to focus on obtaining credentials for remote access.

    Web Service Enumeration

    • Web Service Enumeration: Identifying specific web services on the target network.
    • Remote Access Services: A common focus of attackers.
    • Often operate over standard web ports or use helper web services.
    • Organizations use web services to provide users remote access to key systems.
    • Key web services to identify:
      • Secure Sockets Layer (SSL) or web VPN systems.
      • Web email access portals.
      • Teleconference and videoconference systems.
      • Server and system administration tools.
      • Security camera systems.
      • Phone management systems.
    • Common Ports to Scan: 80, 443, 8080.

    Web Service Exploration

    • Web Service Exploration: Identifying the specific services offered by web systems identified through port scanning and DNS hostname enumeration.

    Geolocation Information

    • Geolocation Data: Any data related to the physical location of assets owned or related to the target organization.
    • Often associated with specific employees, but sometimes shared among employees.
    • Sources of geolocation data include metadata from digital photos, especially GPS coordinates embedded in images.

    Data from the Phone System

    • Phone System Reconnaissance: Using phone systems to gather information about the target organization.
    • Voice over Internet Protocol (VoIP): Enables automated dialing of phone numbers.

    APT (Advanced Persistent Threat) Approach to Reconnaissance

    • APT attackers prioritize reconnaissance to gather comprehensive intelligence about the target.
    • They utilize both technical and non-technical data sources to gain a complete understanding of the organization's vulnerabilities and attack surface.
    • Advanced reconnaissance tools and techniques are employed to perform stealthy and persistent information gathering.
    • The collected information is used to develop targeted attack strategies tailored to the specific organization and its infrastructure.
    • The aim is to gain a foothold in the target system and maintain a long-term presence for data theft, espionage, or other malicious activities.

    Reconnaissance

    • Reconnaissance is a crucial phase in penetrating an organization, but not necessarily a required step in the attack process.
    • Proper reconnaissance sets the stage for all future attacks.
    • The amount of time spent on reconnaissance differentiates advanced attackers from less capable ones.
    • Every organization has unique challenges, and attackers spend a significant amount of time in this phase to uncover vulnerabilities.

    Reconnaissance Data

    • Reconnaissance data can be categorized as:
      • Technical
      • Non-technical
    • Data sources can be:
      • Physical
      • Cyber
    • Data acquisition methods are either:
      • Active
      • Passive

    Technical Data Examples

    • Technical data includes:
      • Internet-routable subnets used by an organization
      • Antivirus software in use
      • DNS records associated with the organization

    Non-Technical Data Examples

    • Non-technical data examples include:
      • Geographic locations of an organization
      • Major departments within an organization
      • Key personnel and their titles

    Physical Sources

    • Physical sources include anything not obtained automatically through the internet or technology, like documents or video sources.

    Active Reconnaissance

    • Active reconnaissance involves activities that can be detected by the target organization.

    Passive Reconnaissance

    • Passive reconnaissance uses sources not owned by the target, making it harder to detect.

    Registrant Information

    • Registrant information includes:
      • Whois and registrant details
      • IPv4 and IPv6 address allocations
      • Autonomous System (AS) number allocations
      • DNS reverse record delegation

    Network Allocation

    • Information about IPv4 and IPv6 address space assigned to customers is found under the "Networks" heading.
    • This information can be used to identify systems using specific IP addresses.
    • Many organizations own a large range of IP addresses for future use.

    Autonomous Systems (AS)

    • The Autonomous System (AS) number uniquely identifies an IP address range or subnet.
    • AS numbers are commonly used by the Border Gateway Protocol (BGP) to ensure internet connectivity.
    • BGP is a routing protocol that helps hosts on the network reach their destination.
    • If routing fails, alternative paths are identified.

    DNS Information and Records

    • DNS (Domain Name System) provides technical and non-technical information associated with an organization.

    Domain Harvesting

    • Domain harvesting identifies hosts by extracting DNS names from websites.
    • Specialized tools can assist with this process.

    DNS Zones

    • Organizations can have different DNS zones and servers for internal and external use.
    • This can result in multiple servers claiming to handle secure domain names, which can return different results.
    • Some organizations use separate domain names for their internal systems.
    • Third-party vendors often host domain names belonging to target organizations.

    DNS Cache Snooping

    • This method allows attackers to enumerate websites and systems accessed by users or systems within the target organization.
    • The DNS server must be configured to allow recursive queries to be vulnerable to this method.
    • A recursive query occurs when the DNS server queries other servers for an answer and returns the result directly to the client.

    Border Gateway Protocol (BGP)

    • BGP is the primary routing protocol for the internet.
    • It facilitates the decentralized and dynamic exchange of routing information.
    • For example, two ISPs can provide the DNS subnet over their links.

    System and Service Identification

    • Following subnet identification, the next goal is to identify systems and services exposed to the internet.
    • Port scans and ping sweeps are basic methods used for this purpose.
    • Mastery of port scanning is crucial for becoming an effective APT hacker.
    • The primary objective is to identify systems, services, and information that will be used in future attack phases.
    • Firewall and intrusion prevention systems might block requests or provide unusable data.
    • Two scans are recommended: one "slow and low" and another "hard and fast."
    • The order of scans depends on the target organization and its security measures.
    • Port scans are often undetected due to the constant scanning of organizations by automated programs.
    • It is important to use a bounce box or proxy for scanning.
    • For basic scans, nmap can be used.
    • More advanced scans can be performed with additional nmap command options.
    • The amount of time spent on scanning depends on your objectives and the level of information needed.
    • Port scanning data is crucial for the next phase of spear phishing.
    • If a target organization has a remote access service like a VPN, then a valid set of credentials from the phishing target can be used to gain VPN access.
    • In the absence of remote services, a backdoor delivered through phishing can provide remote access.

    Web Service Enumeration

    • After identifying hosts through port scanning, certain important services are identified.
    • Remote access services are a priority.
    • These services often operate over a standard web port or have a web service component.
    • Organizations prioritize remote access methods for end users that are convenient and familiar.
    • Common examples include:
      • SSL or web VPN systems
      • Web email access
      • Portal systems.
    • Many interesting web systems are connected to the internet that can reveal valuable information about target organizations, such as:
      • Teleconference and videoconference systems
      • Server and system administration tools
      • Security camera systems
      • Phone management systems.

    Web Service Exploration

    • To identify specific services, hosts identified through port scanning and DNS hostnames are analyzed.
    • Specific ports like 80, 443, and 8080 are examined.
    • Nmap is a useful tool for this process.

    Geolocation Information

    • Geolocation data relates to the physical location of assets owned or related to a target organization.
    • Assets are typically associated with a specific employee or shared among employees.
    • Metadata, particularly from digital photos, is a common source of geolocation data.
    • Cameras and smartphones often embed GPS coordinates, time, and date of picture capture.
    • GPS uses satellites to estimate geolocation with a three-foot radius accuracy.

    Data from the Phone System

    • Phone-based reconnaissance has evolved from manual methods to automated techniques.
    • VoIP (Voice over Internet Protocol) facilitates automatic dialing of phone numbers.


    Description

    Explore the critical phase of reconnaissance in penetration testing. This quiz covers various data categories, sources, and methods used by attackers to identify vulnerabilities within target organizations. Understand the importance of both technical and non-technical data in crafting effective security strategies.
