ICT2212-Lecture 2-Reconnaissance 2024.pdf
Singapore Institute of Technology
Slide 1: ICT2204 Ethical Hacking – Reconnaissance
A/Prof Guo Huaqun (Linda)
SIT Internal

Slide 2: Acknowledgement
- This set of slides is based on a version from Dr. Raymond Chan (some slides developed by Dr Peter Loh)

Slide 3: (Ethical) Hacking Process Review
- Phases: Reconnaissance → Scanning and Enumeration → Gain Access → Keep Access → Cover Tracks
- Phases can be repeated till the target is reached – Lateral Movement

Slide 4: What is Reconnaissance?
- Which house contains the valuables you are looking for?
- How am I getting in?

Slide 5: Why Do Reconnaissance? – 1
- Objective -> Damage reputation of Company X
- How do you even start?
  - What is the most publicized reputable asset?
  - Where is it located? Is the location found exact?
  - What technologies are used to host it?
- If you cannot answer these questions, how will you attack?
- Gain as much information about the target before attacking – profiling
- Can determine attack technique(s) and tools to use
- How best to launch attack(s) successfully without raising alerts?

Slide 6: Why Do Reconnaissance? – 2
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." —Sun Tzu, The Art of War
To be an effective security pentester, you need to know a system's vulnerabilities and understand an attacker's mindset.
— ICT 2204 Ethical Hacking

Slide 7: Introduction to Reconnaissance
- Find out all you can about the target: location, neighbours; technologies; people
- Scope – overlaps with the next phase
- Reconnaissance techniques and tools: Whois databases, Netcraft, Shoulder Surfing, Dumpster Diving, Social Engineering, Google Hacking, Doxing

Section slide: Reconnaissance Techniques and Tools – WHOIS DATABASES

Slide 9: Whois Databases
- Web-based info harvesting technique
- Evolved from Unix OS
- Can be found in other OSs and hacking toolkits; download at https://docs.microsoft.com/en-us/sysinternals/downloads/whois
- Output contains: domain name; registrant (domain owner); name servers for the domain name in question; names and contact info of admin, technical staff etc.
- Some links for Whois reconnaissance:
  https://hexillion.com/asp/samples/AutoWhois.vbs.asp
  http://www.whois.com/whois/
  https://who.is/
  http://whois.domaintools.com/
  http://www.hacking-tutorial.com/online-tools/online-whois-lookup-tool-free/

Slide 10: Whois Online – Example (http://www.whois.com/whois/)
- The WHOIS service is not a single, centrally operated database; the data is managed by independent entities known as registrars and registries
- Any entity that wants to become a registrar must earn Internet Corporation for Assigned Names and Numbers (ICANN) accreditation; similarly, registries are under contract with ICANN to operate a generic top-level domain, such as .COM, .ORG
- A Domain Name Registry, like Verisign, is an organisation that holds the database of all registered domain names in a certain Top Level Domain (TLD) such as .com

Slide 11: Whois Online – Example 1 Output

Slide 12: Whois Online – Example 2 Output
- https://hexillion.com/asp/samples/AutoWhois.vbs.asp
- WHAT INFO IS USEFUL?
- http://www.whois.com/whois/

Slide 13: Whois Online – Example 3 Output
- The registrar will check if the domain name is available and create a WHOIS record with the domain name registrant's information
- The registrant is the legal owner of the domain – a social engineering or phishing target
- Name servers help map domain names to IP addresses
- DNSSEC helps prevent cache poisoning & MITM

Slide 14: How Does Whois Work? – Domains
- A domain is a logical region of the Internet
- Domain names consist of one or several parts separated by periods, e.g. "singaporetech.edu.sg."
- Top-Level Domain (TLD) name – rightmost portion of the domain name, e.g. ".sg"
- Second-Level Domain (SLD) – next portion of the domain name (right to left), e.g. ".org"
- Some domain names may belong to different level domains, e.g. ".edu"
- All computers that share the rightmost portion of the name are in the same domain, for example "ibm.com", "Microsoft.com"

Slide 15: How Does Whois Work? – DNS Query
- DNS – Domain Name System
- Each computer is assigned a unique IP address; a hostname is an alias for this IP, e.g. "SIT-NB-X220-456"
- Whenever you type a domain name into your browser, name servers provide the IP address of the domain's web server to your browser

Slide 16: How Does Whois Work? – Whois Query
- WHOIS is a query/response protocol used to query servers, operated by Regional Internet Registries, which hold information about Internet resources such as domain names and IP address allocations
- A WHOIS query needs to contact the server of the domain name registrar
- The WHOIS protocol is a TCP-based protocol designed to work on port 43
- ICANN is the authoritative registry for all Top-Level Domain (TLD) registries

Slide 17: ICANN-Accredited Registrars
- Internet Corporation for Assigned Names and Numbers
- InterNIC (Internet Network Information Center)
- A registrar offers domain name registration services
- List of current ICANN-accredited registrars: http://www.internic.net/regist.html

Slide 18: ICANN Registries
- HAS ICANN BEEN HACKED?
- The right-most label in a domain name (e.g. .com in www.google.com) is referred to as its top-level domain (TLD)
- An ICANN Registry is an organisation that holds the database of all registered domain names in a certain Top Level Domain (TLD) such as .com
- Registry listing: https://www.icann.org/en/resources/registries/listing

Slide 19: ICANN HACKED – 1
- What would happen if ICANN got hacked?
- Access to all the zone files of the world's generic top-level domains
- TLD zone files contain the info needed to resolve domain names to Internet Protocol (IP) numbers
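The port-43 exchange from slide 16 together with the "what info is useful" fields from slide 13, as an added example that is not from the lecture: the domain, registrar server and WHOIS reply are constructed placeholders, and whois_query() only touches the network if you call it with a real server.

```python
"""WHOIS over TCP/43 (RFC 3912) plus a parser for the fields that matter in recon.

Added example, not from the lecture. The domain, registrar server and the
response text are constructed placeholders, not real registry data.
"""
import socket
from collections import defaultdict


def whois_query(domain, server, port=43, timeout=10):
    """RFC 3912: send the query terminated by CRLF, read until the server closes.
    Not called anywhere below; the parser works on the constructed sample."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Constructed WHOIS reply for the reserved placeholder domain example.test.
SAMPLE_RESPONSE = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registrant Organization: Example Org Pte Ltd
Registrant Country: SG
Admin Name: Jane Doe
Admin Email: jane.doe@example.test
Tech Name: Ops Team
Tech Email: hostmaster@example.test
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""


def parse_whois(text):
    """Turn 'Key: value' lines into {key_lowercase: [values]}; repeated keys accumulate."""
    record = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue  # comments, legal notices and the update footer
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip().lower()].append(value.strip())
    return dict(record)


def recon_summary(record):
    """Pull out what slide 13 flags as useful: registrant, name servers, contacts, DNSSEC."""
    return {
        "domain": record.get("domain name", [""])[0].lower(),
        "registrar": record.get("registrar", [""])[0],
        "registrant": record.get("registrant organization", [""])[0],
        "name_servers": sorted(ns.lower() for ns in record.get("name server", [])),
        "contacts": {k: v[0] for k, v in record.items() if k.endswith(" email")},
        "dnssec_signed": record.get("dnssec", ["unsigned"])[0].lower() != "unsigned",
    }


def exposure_findings(summary):
    """Defender's view of the same record: what is handed out for free and what to change."""
    findings = []
    for role, email in summary["contacts"].items():
        findings.append(f"{role} exposed ({email}): phishing/pretexting target; "
                        "use a role mailbox or a registrar privacy service")
    if not summary["dnssec_signed"]:
        findings.append("DNSSEC unsigned: resolvers cannot detect poisoned answers; sign the zone")
    return findings
```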
Slide 20: ICANN HACKED – 2
- An unauthorised person gained access to usernames, email addresses, and encrypted passwords for profile accounts on the ICANN.org public website
- It was believed that the leaked information included harmless information such as user preferences, public biographies, interests, newsletters, and subscriptions

Section slide: Reconnaissance Techniques and Tools – DNS DATA VIEW, NSLOOKUP, DIG

Slide 22: DNS Data View – Extract DNS records
- Retrieves DNS records of specified domains (MX, NS, A, SOA)
- DNS records are basically mapping files that tell the DNS server which IP address each domain is associated with, and how to handle requests sent to each domain
- MX – Mail Exchange record (list of mail exchange servers; preference = priority)
- NS – Name Server record (list of name servers)
- A – Address Mapping record (gives the IP address of the domain)
- CNAME – used to create aliases for domain names
- SOA – Start of Authority record (zone admin info)

Slide 23: Kali Linux nslookup – Extract DNS records
- nslookup – name server lookup; used to query Internet name servers interactively
- It can translate a domain name to an IP address or vice versa (also try dig)

Section slide: Reconnaissance Techniques and Tools – NETCRAFT AND BUILTWITH

Slide 25: Netcraft
- Provides Internet security and data mining services
- Located at https://www.netcraft.com/
- Can be used to footprint a website
- Output contains: domain name owner (registrant); e-mail addresses; name servers for the domain name in question; names and contact info of admin, technical staff etc.; web server technologies
- Similar to whois, but provides more information
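The record types on slide 22 in working form, as an added example that is not from the lecture: it parses dig-style output (constructed below for the placeholder domain example.test), orders MX records by preference, follows a CNAME to its A records, and reads the zone admin mailbox out of the SOA.

```python
"""Post-process `dig` output into the record types listed on slide 22.

Added example, not from the lecture. DIG_OUTPUT is a constructed answer for the
reserved placeholder domain example.test, laid out the way dig prints it.
"""
from collections import defaultdict

DIG_OUTPUT = """\
;; ANSWER SECTION:
example.test.      3600  IN  A      192.0.2.10
example.test.      3600  IN  A      192.0.2.11
example.test.      3600  IN  NS     ns1.example.test.
example.test.      3600  IN  NS     ns2.example.test.
example.test.      3600  IN  MX     20 backup-mail.example.test.
example.test.      3600  IN  MX     10 mail.example.test.
www.example.test.  300   IN  CNAME  example.test.
example.test.      3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 300

;; Query time: 12 msec
"""


def parse_dig_answer(text):
    """Return {TYPE: [{"name", "ttl", "rdata"}, ...]} from the ANSWER SECTION only."""
    records = defaultdict(list)
    in_answer = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;"):  # section header or dig's own statistics
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not line or line.startswith(";") or not in_answer:
            continue
        name, ttl, _klass, rtype, rdata = line.split(None, 4)
        records[rtype].append({"name": name.rstrip("."), "ttl": int(ttl), "rdata": rdata})
    return dict(records)


def mail_servers_by_preference(records):
    """MX rdata is '<preference> <host>'; the lowest preference is tried first."""
    mx = []
    for rec in records.get("MX", []):
        pref, host = rec["rdata"].split()
        mx.append((int(pref), host.rstrip(".")))
    return sorted(mx)


def resolve_in_answer(records, name):
    """Follow CNAME aliases inside the parsed answer and return the final A addresses."""
    seen = set()
    while name not in seen:  # `seen` guards against a CNAME loop
        seen.add(name)
        addrs = [r["rdata"] for r in records.get("A", []) if r["name"] == name]
        if addrs:
            return addrs
        aliases = [r["rdata"].rstrip(".") for r in records.get("CNAME", []) if r["name"] == name]
        if not aliases:
            break
        name = aliases[0]
    return []


def soa_admin_contact(records):
    """SOA rdata: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
    RNAME is the zone admin's mailbox with the '@' written as the first '.'."""
    soa = records.get("SOA")
    if not soa:
        return None
    mname, rname, serial = soa[0]["rdata"].split()[:3]
    local, _, domain = rname.rstrip(".").partition(".")
    return {"primary_ns": mname.rstrip("."), "admin_email": f"{local}@{domain}", "serial": int(serial)}
```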
Slide 26: Builtwith
- Web-based reconnaissance tool, located at https://builtwith.com/
- Find out what technologies a website is built with
- Outputs include: analytics and tracking; frameworks; content delivery network; JavaScript libraries and functions; email hosting providers; SSL certificates; web hosting providers; web servers

Slide 27: Reconnaissance – Purpose
- Ethical hackers do comprehensive reconnaissance; many script kiddies skip this step
- DNS Data View, nslookup and dig are OS-specific reconnaissance tools
- Whois, Netcraft and Builtwith are useful browser-based reconnaissance tools
- Tools provide useful preliminary reconnaissance info on the target
- Serve as useful inputs for subsequent social engineering as well as scanning and enumeration
- Is the info enough? – What else can we do?

Slide 28: Other Reconnaissance Techniques
- Sometimes the most effective technique is the simplest one (may not even require a computer)
- "No Tech Hacking": Shoulder Surfing, Dumpster Diving, Social Engineering

Slide 29: Shoulder Surfing
- Physical method of gaining private information based on stealth
- Observational attack – with or without technology support
- Used anywhere – offices, airport lounges, hotel lobbies
- Many people are completely unaware of being spied upon
- Information you can gather: private email sessions, classified documents, corporate secrets, user names or passwords; even classified documents over the shoulder of an unwary government employee; credit card numbers and passwords over the phone

Slide 30: Automated Shoulder Surfing

Slide 31: Automated Shoulder Surfing
- Steal your passcode with a glance: the software uses a custom-coded video recognition algorithm that tracks shadows from finger taps
- Software analyses video recorded by Google Glass and manages to identify 4-digit PIN codes up to 3 meters away

Slide 32: Defence Against Shoulder Surfing
- Defense:
  - Awareness of physical environment
    – ATMs, working on laptops, phone conversations
  - Security screens, privacy filter
  - Biometrics authentication
- Example: 3M ePrivacy Filter

Slide 33: Defence Against Shoulder Surfing – 2
- Defense: Google's AI privacy app for smartphones
  - Detects a stranger glancing at the mobile over your shoulder
  - Lightweight machine learning model for rapid gaze detection
- Google Electronic Screen Protector

Slide 34: Dumpster Diving Overview
- Discarded records of important info
- Originated by phone phreaks – precursor to hackers
- AT&T's monopoly days, before paper shredders became common
- Phone phreakers used to organize regular dumpster runs against phone company plants and offices
- Target: discarded and damaged copies of AT&T internal manuals – learned about phone equipment

Slide 35: Dumpster Diving Technique
- Go through someone's trash
- Recover copies of: credit card receipts; bank account statements; passwords, usernames and other sensitive information
- Can be personal info (spoofing)
- Complements Social Engineering Tech
- Information obtained facilitates access

Slide 36: Defence Against Dumpster Diving
- Destroy hard drive before discarding
- Destroy media (degaussing is not enough – inadequate scrambling)
- Shred paper with a cross-cut shredder
- Physical security for trash

Section slide: SOCIAL ENGINEERING

Slide 38: Social Engineering
- Range of malicious activities designed to psychologically manipulate users into making mistakes concerning security
- Can work with or without technology
- It works because it exploits human vulnerabilities: desire to help or tendency to trust; hope for a reward; fear of making a mistake or getting into trouble; fear of getting someone else in trouble

Slide 39: Social Engineering Example 1

Slide 40: Social Engineering Example 2

Slide 41: Social Engineering Example 3

Slide 42: Social Engineering Attacks – 1/2
- Phishing:
  - Seeks to obtain personal/financial information, such as names, addresses and credit card information
  - Uses link
    shorteners (https://bitly.com/, https://tinyurl.com/) or embeds links that redirect users to suspicious websites in URLs that appear legitimate
  - Incorporates threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly
  - Commonly pairs malware as payload with phishing attacks
- Pretexting:
  - Attackers focus on creating a good pretext, or a fabricated scenario
  - Pretend to need certain info from the target to confirm identity
  - More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organization or company (e.g. tailgating, impersonation)
  - Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim, e.g. through sympathy or an appeal to a sense of empathy

Slide 43: Social Engineering Attacks – 2/2
- Baiting:
  - Similar to a phishing attack, but the distinguishing factor is the use of enticement (e.g. free game download for login credentials)
  - Not restricted to online schemes; attackers can also focus on exploiting human curiosity via the use of physical media (e.g. dropped USB with malware)
- Quid Pro Quo:
  - Promise a benefit in exchange for information; the benefit is usually in the form of a service
  - E.g.
    "IT admin" provides a quick fix in exchange for the employee disabling their AV program and installing a "software update"
- Tailgating (Piggybacking):
  - Attacks involve someone who lacks the proper authentication following an employee into a restricted area (also known as "piggybacking")
  - Attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk
  - https://www.todayonline.com/singapore/car-park-fee-evasion-rife-private-operators-lack-options-against-offenders

Slide 44: Social Engineering Skills
- A hacker talented at social engineering:
  - Is able to use charm and influence effectively to manipulate and exploit human weaknesses
  - Builds up insider knowledge and develops trust relationships
  - Requires lots of patience
- A proficient attacker may spend days just to get the information needed to complete a hack: learning internal company lingo and culture; developing good connections with key people – security personnel and IT system support staff
- https://pdfs.semanticscholar.org/9974/68975ffba55ada70b3ac3a13b5ae6853a80f.pdf

Slide 45: Techniques and Tools
- Most successful are calls to employees:
  - Call the help desk as a new employee for help with a particular task
  - Angry manager calls a lower-level system admin because the password has suddenly stopped working
  - System admin calls an employee to fix her account... requires using her password
  - Employee in the field calls another employee for help with remote access
- Tools: call spoofing (https://www.spoofcard.com/ , http://crazycall.net/index.php )
- https://www.police.gov.sg/media-room/news/20220224_police_advisory_reemergence_of_phishing_scam_involving_impersonation_of_spf_officers#

Slide 46: The Social Engineering Toolkit

Slide 47: Telephone Spoof Example

Slide 48: Defence against Social Engineering
- Hard to defend against:
  - Weaknesses rooted in human nature
  - Many legitimate uses of "social engineering" (police, sales people, etc.)
- User awareness education helps:
  - Do not give out sensitive info (e.g. usernames, passwords) – there is no reason a sysadmin would need your password
  - Do not trust caller ID, etc.
- Helpdesk should have a better verification system:
  - Ask for full name, employee ID, designation, office tel. no., etc.
  - Check and call back; never take at face value
- Adhere to best practices/policies

Slide 49: Summary
- Objectives of Reconnaissance – find out all you can about the target
- Reconnaissance Techniques and Tools – Tech and No Tech
- Tech techniques and tools: Whois, DNS Data View, nslookup and dig; Netcraft and Builtwith sites; need to explore and try to see which (combination) is best
- No Tech techniques and tools:
  - Shoulder Surfing – can be used almost anywhere; the user must be alert
  - Dumpster Diving – needs physical access to trash; must have proper policies and practices regarding document and information disposal
  - Social Engineering – exploits human weaknesses; need user awareness, education and proper authentication policies and practices
- Next Lecture – Google Hacking

Section slide: GOOGLE HACKING

Slide 51: Google Hacking Introduction
- Using Google to help in reconnaissance – not hacking Google
- Main benefits:
  - Low profile and passive – little or no exposure for the attacker
  - Ranked Google results
- Search should be reasonably precise – specific keywords, ≤ 10
- Use search operators (basic and advanced)
- An attacker has password-encrypted your file and only the hashed password value is known
- Cannot reverse it because hashes are one-way functions
- What can you do?!

Slide 52: Google Hacking Passwords
- Google it!
- Even hashes from passwords: Google the (MD5) hash value
  - http://www.miraclesalad.com/webtools/md5.php (hash generator)
  - https://10015.io/tools/md5-encrypt-decrypt (hash generator & cracker – limited)
- Try with 20f1aeb7819d7858684c898d1e98c1bb (Anthony), 83ec45960b80c035a0068df1d9df5aa8 (technology)
- Note that there are other hash functions: SHA-1 (https://10015.io/tools/sha1-encrypt-decrypt); SHA-256 (https://crackstation.net/ ; https://passwordrecovery.io/sha256/)
- Hash crackers work based on lookup tables
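Why the lookup on slide 52 works, as an added example that is not from the lecture: a table precomputed over a constructed toy wordlist reverses unsalted MD5 or SHA-256 digests instantly, while the same weak password stored with a random salt and an iterated KDF is in no table; `demo()` and the wordlist are this example's own.

```python
"""Lookup-table 'cracking' of unsalted hashes, and the storage scheme that defeats it.

Added example, not from the lecture. WORDLIST is a constructed toy list; real
crackers precompute the same digest -> plaintext map over huge candidate sets.
"""
import hashlib
import os

WORDLIST = ["password", "Anthony", "technology", "letmein", "Singapore1"]
KDF_ITERATIONS = 200_000


def build_lookup_table(words, algo="md5"):
    """Precompute digest -> plaintext once; afterwards each 'crack' is a dict lookup."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup(table, hex_digest):
    """Reverse a digest if, and only if, its plaintext was in the table."""
    return table.get(hex_digest.strip().lower())


def slow_salted_hash(password, salt, iterations=KDF_ITERATIONS):
    """Defensive storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    The salt makes every precomputed table useless; the iteration count makes
    building a fresh one per user expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_salted(password, salt, stored_hex, iterations=KDF_ITERATIONS):
    """Recompute with the stored salt and compare; no table can shortcut this."""
    return slow_salted_hash(password, salt, iterations) == stored_hex


def demo():
    md5_table = build_lookup_table(WORDLIST, "md5")
    sha256_table = build_lookup_table(WORDLIST, "sha256")
    # A different unsalted algorithm only needs a different table, not more work per guess.
    md5_hit = lookup(md5_table, hashlib.md5(b"Anthony").hexdigest())
    sha256_hit = lookup(sha256_table, hashlib.sha256(b"technology").hexdigest())
    # The same listed password, salted and iterated, misses both tables.
    salt = os.urandom(16)
    stored = slow_salted_hash("Anthony", salt)
    salted_hit = lookup(md5_table, stored) or lookup(sha256_table, stored)
    return {
        "md5_hit": md5_hit,
        "sha256_hit": sha256_hit,
        "salted_hit": salted_hit,
        "verify_ok": verify_salted("Anthony", salt, stored),
    }
```

Feeding the two MD5 values from slide 52 to `lookup()` against a table built from a wordlist that contains those words is exactly the operation the online crackers linked there perform.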
Slide 53: Basic Search Operators
- Literal match (" "): search for the exact phrase in quotes, e.g. "metamorphic engines"
- Wildcards represented by *, e.g. "* institute of technology"
- Google search is not case-sensitive
- NOT (-): filter out sites that include the term (-term or -"term")
- AND (+): include sites that contain the term(s)
- OR (|): include sites that contain one or more of the term(s)
- Synonym (~): searches for the target word and includes words with similar meaning, e.g. ~inexpensive shops in Singapore, ~evasive malware
- Range (..): specify a search range, e.g. singapore pre-owned car ($100000..$150000)

Slide 54: Advanced Search Operators
- Google group operators include:
  - allintitle: restricts results to those containing all the query terms you specify in the title, e.g. allintitle: hacking atm
  - group: allows you to find specific groups related to a given topic, e.g. group:*.hacking.*
  - related: allows you to find web pages similar to the specified web page, e.g. related:"password sniffing" (no space after :)
  - intext: restricts results to documents containing the specified term in the text, e.g. intext:bank password (no space after :)
  - inurl: restricts results to those containing the term in the URL, e.g. inurl:"password list" (no space after :)
  - filetype: restricts results to those containing the file type specified, e.g.
    passwd filetype:txt (no space after :)
- Reference URLs: http://www.googleguide.com/advanced_operators_reference.html ; https://www.freecodecamp.org/news/google-dorking-for-pentesters-a-practical-tutorial/

Slide 55: Google Hacking Example 1
- Some logins can be bypassed with SQLi

Slide 56: Google Hacking Example 2
- What is ext?

Slide 57: Google Hacking Exercise 3
- Spend 5 minutes on this simple exercise:
  ext:txt inurl:passwd
  ext:txt inurl:password
  ext:csv inurl:passwd
  ext:xlsx inurl:password

Slide 58: Google Hacking Example 4
- Search for a directory containing accounts
- Get files potentially containing account records: intitle:index.of.accounts

Slide 59: Google Dorks
- A Google dork is a search query: a search string that uses advanced search operators to find info not readily available on a website via basic search
- Google Dorking: the info retrieved is not meant for the public; it is available because it was not adequately secured
- Google Hacking Database (GHDB): https://www.exploit-db.com/ ; https://www.exploit-db.com/google-hacking-database/
- Try out these dorks in your e-learning labs

Slide 60: Google Hacking Example 5: Google Cache
- https://webcache.googleusercontent.com/search?q=cache:h_HPg1aUUX4J:https://www.straitstimes.com/&cd=2&hl=en&ct=clnk&gl=sg

Slide 61: Google Cache
- Why do we Google cache??

Slide 62: Google Hacking Example 6
- inurl:"viewerframe?mode=motion"
- This dork finds wireless cameras that are accessible from the web
- http://61.211.241.239/ViewerFrame?Mode= Motion&Resolution=640x480&Quality=Standa rd&Interval=30&Size=STD&PresetOperation= Move&Language=1
- The interesting part is that some of these cameras do not allow users to change the default administrative username and password
Slide 63: Google Hacking Example 6
- Watch the real-time monitoring video

Slide 64: Google Hacking Example 7
- intitle:"webcamxp 5"

Slide 65: Google Hacking Exercise 8
- http://vroomshoopwebcam.mine.nu/

Slide 66: Google Hacking Tools
- Wayback Machine – a digital archive of the World Wide Web that allows users to access and view snapshots of websites as they appeared at various points in the past. It is maintained by the Internet Archive, a nonprofit organization dedicated to preserving and providing access to digital content. Firefox add-on: https://addons.mozilla.org/en-US/firefox/addon/save-to-the-wayback-machine/
- Advanced Dork – a Firefox extension designed to give quick access to Google's advanced operators. Firefox add-on: https://addons.thunderbird.net/en-us/firefox/addon/advanced-dork/?src=cb-dl-toprated
- Wikto – a Windows-based web server assessment tool that uses the Google Hacking Database (GHDB). It checks for vulnerabilities in web servers. This tool requires a Google developer license. Needs .NET; download from https://github.com/sensepost/wikto

Slide 67: Wayback Machine

Slide 68: Advanced Dork Demo
- Click "+ Add to Firefox" (may not be compatible)

Slide 69: Wikto
- Download the Google Hacking Database from https://sourceforge.net/directory/os:windows/?q=ghdb

Slide 70: Maltego
- Maltego is an open source intelligence and graphical link analysis tool for gathering and connecting information for investigative tasks

Slide 71: Google Hacking Uses
- Information Disclosure – Google can gather sensitive and private information and contents as well as intellectual property assets (also try the e-learning lab exercise)
- Vulnerability Assessment – Google allows you to identify vulnerable resources published on the Internet.
  These mainly affect web-based devices such as web servers, application servers and network devices with a web-based interface (also try the e-learning lab exercise)
- Social Engineering – Google can also be used to map information from the virtual world to the real world in order to perform social engineering testing
- Supplement with other tools like Wikto and Maltego

Slide 72: Online Social Engineering
- A Google dork query may reveal useful info: employee contact info; clues about corporate culture/lingo; business partners; recent mergers and acquisitions
- Why are they useful? Signatures (that can be forged); financial information (competitor's edge)

Slide 73: Internet-connected devices
- Shodan: search engine for Internet-connected devices, https://www.shodan.io/

Slide 74: Defences Against Google Hacking
- Use Google hacking techniques to uncover your own security problems (recall the use of Google hacking as vulnerability assessment)
- Proper configuration for web-based devices; use strong authentication, not defaults
- Have a good corporate security policy, e.g. a policy for asset protection
- Removing sensitive info does not help: Google cache; Wayback Machine (opt out, e.g. Quora)
- Educate users – best practices
- Use robots.txt so web pages are not indexed; well-behaved crawlers will respect these, but... it is also a sign to attackers of sensitive data
- Use a combination of the above

Slide 75: The spam

Section slide: DOXING

Slide 77: What is Doxing?
- Doxing is the process of gathering or deducing information about someone using sources on the Internet; its name is derived from "Document Tracing"
- Information could include name, age, email, address, telephone number, photographs etc.
- E.g. Whose camera did I hack? Is person X masquerading as person Y?
- Some sites support a degree of automation
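Returning to the robots.txt caveat on slide 74, as an added example that is not from the lecture: the constructed robots.txt and site name below show that the same file which keeps a compliant crawler away from a path also publishes that path to anyone who reads it, which is why slide 74 pairs it with authentication rather than relying on it alone.

```python
"""robots.txt as a Google-hacking defence (slide 74): it steers well-behaved crawlers,
but it is world-readable, so each Disallow line advertises what you consider sensitive.

Added example, not from the lecture. SITE and ROBOTS_TXT are constructed.
"""
from urllib.robotparser import RobotFileParser

SITE = "https://example.test"
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /internal/accounts.csv
Allow: /
"""


def load_robots(text, site=SITE):
    """Parse robots.txt content the way a compliant crawler would."""
    rp = RobotFileParser()
    rp.set_url(site + "/robots.txt")
    rp.parse(text.splitlines())
    return rp


def crawler_may_fetch(rp, path, agent="Googlebot", site=SITE):
    """What a compliant crawler does with the file: index only what is allowed."""
    return rp.can_fetch(agent, site + path)


def disallowed_paths(text):
    """What anyone learns from the same file, no crawler needed."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines()
            if line.lower().startswith("disallow:")]


def leaked_exact_files(text):
    """Disallow entries naming a specific file, not a directory prefix, leak the most:
    the exact path is now public and only the crawler's good manners prevent a fetch."""
    return [p for p in disallowed_paths(text)
            if not p.endswith("/") and "." in p.rsplit("/", 1)[-1]]


def review(text):
    """Both views side by side: what the file blocks and what it reveals."""
    rp = load_robots(text)
    advertised = disallowed_paths(text)
    return {
        "blocked_for_googlebot": [p for p in advertised if not crawler_may_fetch(rp, p)],
        "advertised_paths": advertised,
        "exact_files_leaked": leaked_exact_files(text),
    }
```

Every path in `advertised_paths` still needs authentication (slide 74: strong authentication, not defaults); robots.txt only decides whether it also turns up in a search index.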
Slide 78: Doxing Tools
- Personal information:
  - Multi-lookup: http://illmob.org/bookmark.html
  - People search: https://pipl.com/ , http://www.peekyou.com/ , http://com.lullar.com/ , http://whitepages.sg/ , http://webmii.com/
  - Photo search: http://tineye.com , http://images.google.com/
  - Find contact: http://411.com , http://whitepages.com (USA)
- IP address information:
  - Address from IP: http://whatismyipaddress.com/ip-lookup
  - Geolocation: https://www.iplocation.net/
- Open Source Intelligence:
  - Maltego Chlorine: download from http://www.paterva.com/web6/products/download.php
  - Board Reader: http://boardreader.com/ (posts made by or involving a name)

Slide 79: Doxing Demo 1
- http://tineye.com

Slide 80: Doxing – more info
- What is its URL? https://haveibeenpwned.com/

Slide 81: Doxing Demo 2
- http://whatismyipaddress.com/ip-lookup

Slide 82: Reconnaissance Summary
Technique | Tools / URLs
Preliminary Reconnaissance | Whois, Netcraft, DNS Data View, nslookup, dig, Wayback Machine, Wikto
Shoulder Surfing, Dumpster Diving, Social Engineering | Google Glass, Telespoof
Google Hacking | http://www.googleguide.com/advanced_operators_reference.html ; https://www.exploit-db.com/google-hacking-database/ ; Wikto, Wayback Machine
Doxing – Personal Info | https://pipl.com/ , http://www.peekyou.com/ , http://com.lullar.com/ , http://whitepages.sg , http://tineye.com
Doxing – IP Address Info | http://whatismyipaddress.com/ip-lookup

Slide 83: Summary
- Google Hacking – stealthy reconnaissance
- Google search – basic and advanced search operators
- Search strings with advanced operators – dorks
- Private and sensitive corporate and personal information; control of Internet-connected devices
- Uses of Google dorking: information disclosure, vulnerability assessment and social engineering
- Defences against Google hacking: strong authentication, proper configuration, good security policies, user education, robots.txt
- Doxing – reconnaissance on people and places to support social engineering
- Next Lecture –
  Scanning and Enumeration

QUESTIONS OR COMMENTS?