Chapter 4 - APT Reconnaissance - PDF
Summary
This presentation provides an approach to reconnaissance for advanced persistent threats (APTs). It covers different data types, sources, and methods such as technical, non-technical, physical, and cyber data. It also discusses active and passive reconnaissance techniques.
Full Transcript
Chapter 4, part 1: AN APT APPROACH TO RECONNAISSANCE

Introduction
Remember from the previous chapter that many of the steps involved in penetrating an organization are interchangeable and do not necessarily need to be followed in order. The one exception is the phase that must always be performed first: reconnaissance. Proper reconnaissance sets the stage for all of your future attacks. One very clear difference between an advanced attacker and attackers lower on the capabilities pyramid is the amount of time spent on reconnaissance. Every organization has unique challenges, and an advanced attacker will spend the time in this phase to explore all possible vulnerabilities.

Reconnaissance Data
There are two main categories of data we will be looking for in our target organization:
1. Technical
2. Non-technical
There are two main sources from which we might obtain this information:
3. Physical
4. Cyber
There are two main methods for obtaining each category of data from each data source:
5. Active
6. Passive

Data Categories
[Figure: data type (Technical, Non-Technical); data source (Physical, Digital); recon method (Active, Passive)]

Examples of each type of data include:
Technical:
- Internet-routable subnets in use by the organization
- Antivirus software used by the organization
- Domain Name Service (DNS) records associated with the organization
Non-Technical:
- Geographic locations of the organization
- Major departments within the organization
- Important personnel and their titles at the organization

Data Sources
Physical source: this does not only mean something physically obtained, such as a document or a video, but anything that is not obtained automatically over the internet or from technology.

Data Methods (Active and Passive)
Active reconnaissance involves any activities that can be detected by the target organization.
Passive reconnaissance involves using sources that the target does not own, making it much harder for them to detect our reconnaissance.
Technical Data
The baseline of technical data you should obtain about any target organization includes:
- User name and e-mail formats
- Remote access or login systems

Registrant Information
This information includes:
- Whois and registrant information
- IPv4 and IPv6 address allocations
- Autonomous System (AS) number allocations
- DNS reverse record delegation

Network Allocation
Any IPv4 and IPv6 address space assigned to customers that is returned in our search results will be listed under the "Networks" heading. This does not necessarily mean the organization has any systems actually using these IP addresses; many organizations have extremely large ranges of IP addresses that are unused.

Autonomous Systems
We also have the Autonomous System (AS) numbers owned by the organization. An AS number uniquely identifies an IP address range or subnet with a simple 16-bit or 32-bit number. These numbers are used by the Border Gateway Protocol (BGP), commonly known as the "routing protocol of the internet", to ensure that traffic from any host on the network (the internet) reaches its destination; if a route fails, an alternative path is identified.

DNS Information and Records
DNS (Domain Name System) can provide a treasure trove of useful technical and non-technical information.

Part 2: APT Approach to Reconnaissance

Domain Harvesting
Another great way for us to identify as many hosts as possible is by harvesting DNS names from websites. There are a handful of tools to help us with this as well.

DNS Zones
You should also note that an organization can have different DNS zones and servers for internal and external use of the same domain. This means our target organization could have multiple servers that claim to handle the same domain names but return different results.
Other times, an organization will have separate and distinct domain names for its internal systems. There might also be third-party vendors that host domain names belonging to our target. When we resolve and visit the IP address, we see that it belongs to a third-party vendor that specializes in hosted collaboration software for specific organizations.

DNS Cache Snooping
Another vulnerability that can be used to our advantage is DNS cache snooping. Cache snooping allows us to enumerate websites and systems that users or systems at our target organization have requested. The main caveat here is that the DNS server must be configured to allow recursive queries, which is what makes it vulnerable. If a DNS server does not have the answer to a query from a client, it can be configured to respond in one of two basic modes: iterative or recursive.
- An iterative query is one where the DNS server responds with a list of other DNS servers that the client can then query directly.
- A recursive query occurs when the DNS server asks other DNS servers for the answer and returns the result directly to the client.

Border Gateway Protocol: An Overview
The Border Gateway Protocol (BGP) is the primary routing protocol of the internet. It allows the decentralized and dynamic exchange of routing information on the internet. For example, two ISPs can carry the same subnet over their links, with the organization running BGP with both providers. Typically, the BGP configuration for target organizations will make it so that one provider connection is preferred and the second is only used if the primary network connection goes down, as shown in the figure. This is a very important fact, as it means that Firewall 1 and Firewall 2 could potentially have two distinct configurations. This information is useful for hackers: one firewall could be less restrictive than the other.
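The cache snooping discussion above turns on one header bit: a query with the RD (recursion desired) flag cleared asks a server only for what it already has, so a cached answer for a name the server is not authoritative for reveals what its clients have been resolving. The following is an added example for the defending side, not code from the chapter or its author: it decodes the DNS header and question, and flags, from a constructed set of (source address, raw query) samples, external RD=0 lookups of foreign names (the snooping pattern) and external RD=1 lookups (recursion being requested from outside). The authoritative zone, internal ranges and sample addresses are assumptions; note that RD=0 queries from outside for the server's own zones are normal iterative traffic from other resolvers and are deliberately not alerted.

```python
import ipaddress
import struct

# Assumed environment (hypothetical values): the zones this server is authoritative
# for, and the address ranges considered internal. Replace with your own.
AUTHORITATIVE_ZONES = ("example.com",)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def build_query(name, rd, qtype=1, txid=0x1234):
    """Construct a raw DNS query message (constructed sample input, not a capture)."""
    flags = 0x0100 if rd else 0x0000          # bit 8 of the flags word is RD; QR=0, opcode 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN


def parse_query(raw):
    """Decode the 12-byte DNS header and the first question section."""
    if len(raw) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", raw[:12])
    pos, labels = 12, []
    while True:
        length = raw[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                      # compression pointers do not occur in a question name
            raise ValueError("unexpected compression pointer")
        labels.append(raw[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", raw[pos:pos + 4])
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "qdcount": qdcount, "qname": ".".join(labels), "qtype": qtype}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_our_zones(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def classify(src_ip, raw):
    """Return an alert string for a suspicious external query, or None for normal traffic."""
    q = parse_query(raw)
    if q["qr"] == 1 or is_internal(src_ip) or in_our_zones(q["qname"]):
        return None   # responses, internal clients, and normal iterative lookups of our own zones
    if q["rd"] == 0:
        return f"cache-snooping probe: {src_ip} asked {q['qname']} with RD=0"
    return f"external recursion request: {src_ip} asked {q['qname']} with RD=1 (open resolver if answered)"


def scan(samples):
    return [a for a in (classify(ip, raw) for ip, raw in samples) if a]


# Constructed traffic: an internal client, a normal external resolver doing an iterative
# lookup of our zone, an RD=0 probe for a foreign name, and an external recursion request.
SAMPLES = [
    ("192.168.1.20", build_query("mail.example.com", rd=True)),
    ("203.0.113.7", build_query("vpn.example.com", rd=False)),
    ("203.0.113.7", build_query("www.example.org", rd=False)),
    ("198.51.100.5", build_query("update.example.net", rd=True)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

The fix for the exposure itself is configuration rather than detection: an authoritative server should refuse recursion for external clients, and the internal resolver that does recurse should not be reachable from the internet. The classifier above is the check that tells you whether either of those is being tested.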
A less restrictive firewall could be useful as an exploit path. Because this backup firewall carries less "live" traffic, it can receive less attention, and the personnel supporting it are less likely to notice the difference in configuration.

System and Service Identification
After identifying all of the subnets owned by the target organization, we will want to identify all of the systems and services exposed to the internet. Performing port scans and ping sweeps is arguably one of the most basic things we will cover. On your way to becoming an APT hacker, you will necessarily have to master the technique of effective port scanning; much of the most useful information is found here. The most important thing for us is to identify systems, services, and information that will be used in future attack phases.

Some firewall and intrusion prevention systems may block our requests or otherwise give us unusable data if they detect our activities. Thus we want to employ two scans: one "slow and low" and another "hard and fast". The order you choose depends on the organization you are scanning. If you think they might have technologies in place that will detect or block your port scans, you may want to start with the slow and low approach. If there are indications that the target organization is like 95 percent of all organizations and won't notice our scanning, we can start with a hard and fast scan. Remember that every organization is constantly being scanned by automated programs, so our scan probably won't set off any alarms. Even though we can assume that much of our scanning will go unnoticed, we still want to take the precaution of using a bounce box or proxy for our scanning.

For example, for our first quick and dirty scan, we will use the most basic options of nmap. For more advanced scans you can use the other nmap options. You should not worry too much about the slow scanning; there are no rules, and it all depends on you. You should perform as many scans as needed to get the most useful information.
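The "slow and low" versus "hard and fast" distinction above is really a statement about the detector's time window: a scanner that spreads its probes thinly stays under any per-minute threshold. The following is an added example, not code from the chapter, that shows the detection side over constructed firewall log lines (the log format, addresses and thresholds are assumptions): it counts, per source address, the largest number of distinct destination ports touched within a sliding window, and the sample data includes a fast scan, a slow scan spaced ten minutes apart, and a legitimate client, so that the same function with a 60 s window catches only the fast scan and with a two-hour window catches both.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical): one firewall record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def detect_scans(lines, window_seconds, threshold):
    """Map each source to the largest number of distinct destination ports it touched
    within any window of window_seconds, keeping only sources at or above threshold."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], ev["dport"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            # distinct ports among all events from this one forward that fall inside the window
            ports = {port for ts, port in evs[i:] if ts - start <= window}
            best = max(best, len(ports))
        if best >= threshold:
            flagged[src] = best
    return flagged


PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080]
_BASE = datetime(2024, 5, 1, 10, 0, 0)


def make_log():
    """Constructed sample log: a fast scan, a slow scan, and a legitimate HTTPS client."""
    def rec(ts, src, dport, action="DENY"):
        return f"{ts.isoformat()} {action} src={src} dst=198.51.100.10 dport={dport} proto=tcp"
    fast = [rec(_BASE + timedelta(seconds=i), "203.0.113.7", p) for i, p in enumerate(PORTS)]
    slow = [rec(_BASE + timedelta(minutes=10 * i), "198.51.100.9", p) for i, p in enumerate(PORTS)]
    legit = [rec(_BASE + timedelta(minutes=i), "192.0.2.50", 443, "ALLOW") for i in range(5)]
    return fast + slow + legit


LOG = make_log()

if __name__ == "__main__":
    print("60 s window:", detect_scans(LOG, 60, 8))      # only the fast scan
    print("2 h window: ", detect_scans(LOG, 7200, 8))    # fast and slow scans
```

The design point is that a single short window is not a scan detector, it is a fast-scan detector; keeping per-source state over hours (or correlating across several sensors) is what makes the slow variant visible, at the cost of more memory per source.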
The information obtained from port scanning is important for our next phase, spear phishing. For example, if the target organization has a remote access service such as a VPN, we know that we can most likely focus on obtaining a valid set of credentials from our phishing target, which we can then use to VPN into the target organization. On the other hand, if no remote services are available, we might have to change our attack strategy and focus on delivering a backdoor to our phishing target that will provide remote access to their systems.

Web Service Enumeration
Now that we have the information from port scanning our target network, let us identify a few important services. One of the main types of service we want to identify is remote access services. Many times, these systems will operate over a standard web port or at least have some type of helper web service. Organizations today are keen on providing end users with a method to remotely access key systems in a way that is familiar and easy. Many organizations are using Secure Sockets Layer (SSL) or web VPN systems, web e-mail access, or some related portal system.

Besides remote access systems, you will find some very interesting web systems connected to the Internet. Identifying these systems can provide some useful information on our target organization. Some of these systems include:
- Teleconference and videoconference systems
- Server and system administration tools
- Security camera systems
- Phone management systems
First, we want to identify the hosts from our port scan that have common web services. The most common ports to look for are 80, 443, and 8080. For this we will turn to nmap.

Web Service Exploration
Using the web systems identified via port scanning and the DNS hostnames from tools such as theHarvester, we can move on to identifying exactly what is being offered by these web systems.
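An organization can run the same identification against itself and compare the result with what it intends to expose; the administration tools, camera and phone systems listed above are exactly what turns up as unexplained extras. The following is an added example, not code from the chapter: it parses nmap's grepable output format (the -oG format is real; the sample lines, hosts and services below are constructed), keeps the open ports per host, and reports everything not on a hypothetical approved-exposure list, tagging the common web ports named above for manual review.

```python
WEB_PORTS = {80, 443, 8080}   # the common web ports named in the chapter

# Constructed sample of nmap grepable (-oG) output; the hosts and services are made up.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample) as: nmap -oG - 198.51.100.10-12\n"
    "Host: 198.51.100.10 (www.example.com)\tStatus: Up\n"
    "Host: 198.51.100.10 (www.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//ssl|https///\tIgnored State: closed (997)\n"
    "Host: 198.51.100.11 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: filtered (999)\n"
    "Host: 198.51.100.12 ()\tPorts: 443/open/tcp//https///, 5900/filtered/tcp//vnc///\t"
    "Ignored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)

# Hypothetical approved-exposure list: (ip, port) pairs the organization intends to expose.
ALLOWLIST = {("198.51.100.10", 80), ("198.51.100.10", 443)}


def parse_grepable(text):
    """Return {ip: [(port, proto, service), ...]} for every open port in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            # each entry is port/state/proto/owner/service/rpcinfo/version/
            parts = entry.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open":
                hosts.setdefault(ip, []).append((port, proto, service))
    return hosts


def unexpected_exposures(hosts, allowlist):
    """List open services that are not on the approved-exposure list, tagging web ports
    so they can be reviewed for admin consoles, cameras and similar systems."""
    findings = []
    for ip, services in hosts.items():
        for port, proto, service in services:
            if (ip, port) not in allowlist:
                findings.append((ip, port, service, "web" if port in WEB_PORTS else "other"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, service, kind in unexpected_exposures(parse_grepable(SAMPLE_GNMAP), ALLOWLIST):
        print(f"{ip}:{port} ({service}) unexpected {kind} exposure")
```

Run periodically against the organization's own address space, the diff between two runs is the change-detection signal: a new entry is either a deliberate change that should have updated the allowlist, or the kind of exposure this chapter says an attacker is looking for.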
Geolocation Information
Geolocation data is any data regarding the physical location of an asset owned by or related to a target organization. Usually this asset will relate directly to a specific employee; other times it might be shared among employees. One of the most popular places to obtain geolocation data is metadata, typically from digital photos. Many cameras and smartphones will, by default, embed the GPS coordinates and the specific date and time when the picture was taken. GPS (Global Positioning System) uses satellites in space to calculate the current location on earth with an accuracy of roughly a three-foot radius.

Data from the Phone System
There are a myriad of ways to use phones to perform reconnaissance on our target organization. Technology has advanced from manual to automated methods. By using VoIP (Voice over IP), any number of phones can be dialed automatically
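The GPS coordinates the geolocation section describes live in the Exif GPS sub-IFD of the image's TIFF-structured metadata, as three degree/minute/second rationals plus an N/S or E/W reference tag. The following is an added example, not code from the chapter, of the check an organization would put in front of anything it publishes: a small IFD walker that reads the GPS tags from a TIFF/Exif block and converts them to decimal degrees, applied to a constructed block (the coordinates are made up, and the builder creates a bare TIFF rather than the JPEG APP1 segment a real camera writes). An image that comes back with a location should be stripped before it goes out.

```python
import struct

# TIFF/Exif constants (from the TIFF 6.0 and Exif specifications)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}          # BYTE, ASCII, SHORT, LONG, RATIONAL
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def read_ifd(data, offset, e):
    """Read one IFD and return {tag: (type, count, value_bytes)}, following offsets
    for values larger than the 4-byte inline field."""
    (count,) = struct.unpack(e + "H", data[offset:offset + 2])
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", data[pos:pos + 8])
        size = TYPE_SIZES[typ] * n
        raw = data[pos + 8:pos + 12]
        if size > 4:
            (off,) = struct.unpack(e + "I", raw)
            raw = data[off:off + size]
        entries[tag] = (typ, n, raw[:size])
    return entries


def extract_gps(tiff):
    """Return (lat, lon) in decimal degrees if the TIFF/Exif block carries GPS tags, else None."""
    e = "<" if tiff[:2] == b"II" else ">"
    if struct.unpack(e + "H", tiff[2:4])[0] != 42:
        raise ValueError("not a TIFF header")
    (ifd0,) = struct.unpack(e + "I", tiff[4:8])
    entries = read_ifd(tiff, ifd0, e)
    if GPS_IFD_POINTER not in entries:
        return None
    (gps_off,) = struct.unpack(e + "I", entries[GPS_IFD_POINTER][2])
    gps = read_ifd(tiff, gps_off, e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def dms(raw):   # three RATIONALs: degrees, minutes, seconds
        v = struct.unpack(e + "IIIIII", raw)
        d, m, s = v[0] / v[1], v[2] / v[3], v[4] / v[5]
        return d + m / 60 + s / 3600

    lat, lon = dms(gps[GPS_LAT][2]), dms(gps[GPS_LON][2])
    if gps[GPS_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[GPS_LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def build_tiff_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a minimal little-endian TIFF whose only content is a GPS IFD."""
    e = "<"

    def entry(tag, typ, n, value4):
        return struct.pack(e + "HHI", tag, typ, n) + value4

    def rationals(dms):
        return b"".join(struct.pack(e + "II", num, den) for num, den in dms)

    gps_ifd_off = 8 + 2 + 12 + 4                 # header, then IFD0 with one entry
    lat_off = gps_ifd_off + 2 + 4 * 12 + 4       # GPS IFD with four entries
    lon_off = lat_off + 24
    ifd0 = (struct.pack(e + "H", 1)
            + entry(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_ifd_off))
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\x00\x00\x00")
           + entry(GPS_LAT, 5, 3, struct.pack(e + "I", lat_off))
           + entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\x00\x00\x00")
           + entry(GPS_LON, 5, 3, struct.pack(e + "I", lon_off))
           + struct.pack(e + "I", 0))
    return (b"II" + struct.pack(e + "H", 42) + struct.pack(e + "I", 8)
            + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms))


# Constructed coordinates (37 deg 46' 29.4" N, 122 deg 25' 9.6" W), not from a real photo
SAMPLE = build_tiff_with_gps([(37, 1), (46, 1), (294, 10)], "N",
                             [(122, 1), (25, 1), (96, 10)], "W")

if __name__ == "__main__":
    print(extract_gps(SAMPLE))   # (37.774833, -122.419333)
```

For a real JPEG the same walker runs on the bytes that follow the "Exif\0\0" marker in the APP1 segment, with the TIFF header offsets taken relative to that point. The practical control is to strip the GPS group (and ideally all metadata) at upload time on any system that publishes images, and to gate uploads on a check like this one rather than trusting device settings.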