Ethical Hacking and Penetration Testing Lecture 2 PDF

Summary

This document provides an overview of ethical hacking and penetration testing, focusing on information gathering techniques. It covers various types of information gathering and tools, including OSINT, competitive intelligence, and corporate espionage. The presentation also touches upon the importance of information gathering in penetration testing and security.

Full Transcript

Ethical Hacking and Penetration Testing
Lecture 2: Information Gathering
26/01/2025

Outline
- Introduction to Information Gathering
- Information Gathering Methods
- Open-Source Intelligence (OSINT)
- OSINT Types and example tools
- Footprinting

Framework Step 1 - Information Gathering
http://www.pentest-standard.org/index.php/Intelligence_Gathering

Penetration Testing Framework
- Information Gathering
- Target Scanning
- Vulnerability Assessment
- Exploiting Weakness
- Privilege Escalation
- Retaining Access
- Covering Tracks

Information Gathering
- Information Gathering is also called Intelligence Gathering.
- Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the following phases, i.e., target scanning, vulnerability assessment and exploitation.
- The more information you can gather during this phase, the more vectors of attack you may be able to use in the future.

Types of Information Gathering
- Competitive Intelligence
- Corporate Espionage
- Information Warfare
- Private Investigation and Others
- Pentesting

Competitive Intelligence
- Relies solely on legal and ethical means to gather data, piece it together to form information, and analyze it to create intelligence for the use of decision-makers.
- Over 95 percent of the information companies require to compete successfully is available in the public domain.
- Helps organizations better understand their competitive environment and make sound business decisions.

Corporate Espionage
- "Espionage": the collection, collation, and analysis of illicitly gained information.
- "Corporate Espionage": the theft of trade secrets for economic gain.
- "Trade Secret": a property right which has value by providing an advantage in business over competitors who do not know the secret.
- The International Trade Commission estimates current annual losses to U.S. industries due to corporate espionage to be over $70 billion.

How is it done?
- The majority of illicit activity involves "inside jobs":
  - Disgruntled employees
  - Bribes from a competitor
  - Cleaning crews
  - Industrial mole
- False pretenses:
  - Companies hire a competitor's employee for their trade knowledge
  - An applicant interviews only to pump a potential employer for information, or vice versa
  - A spy pretends to be a student, journalist, or venture capitalist

Information Warfare
- "Information Warfare": state-sponsored information and electronically delivered actions taken to achieve information superiority in support of national military strategy.
- Meant to affect enemy information and information systems while protecting our information and information systems.
- Includes electronic warfare, surveillance systems, precision strike, and advanced battlefield management.

What's Useful to an Attacker?
- Structure: organizational hierarchy, departmental diagrams, etc.
- Infrastructure: phone system network diagrams, enterprise IT network diagrams, IT groups, support groups, utility providers (phone/power/water, etc.).
- People: phone directories, e-mail address books, who's who directories, visitor instructions, new starter induction packs (i.e., everything you need to know to get around!).
- Geography: superimposed on the hierarchical structure; where is the IT department, where are the servers, etc.
- Security enforcing functions: physical access control, password policy, hardware re-use, firewall/IDS use, e-mail policies, phone-use policies, etc.
- Networks: detailed network topologies (IP and phone), including firewall, router, and proxy positions.
- Software/hardware: what machines are used, operating systems (service pack and hot fix/patch levels), server software, host software, database software, web server software, and administration policies.
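The server software and patch-level information in the list above often leaks through nothing more than a site's own HTTP response headers and default cookie names. The following script, added here as an example and not part of the lecture, is a self-check a defender can run against a saved response: the sample response is constructed, and the header and cookie lists are assumptions chosen for illustration.

```python
import re

# Constructed sample: a raw HTTP response of the kind a public web server
# returns. Not captured from any real host; all values are illustrative.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 26 Jan 2025 10:15:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Response headers that routinely carry product and version strings (assumed list).
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator", "via"}
# Default session-cookie names that give away the platform behind the site.
PLATFORM_COOKIES = {"phpsessid": "PHP", "asp.net_sessionid": "ASP.NET",
                    "jsessionid": "Java servlet container"}
# product/major.minor[.patch], e.g. Apache/2.4.29 or OpenSSL/1.1.1
VERSION = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_headers(raw: str) -> list:
    """Return (name, value) pairs from the header block, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def disclosure_findings(raw: str) -> list:
    """List (header, detail) pairs that map directly to a product and patch level."""
    findings = []
    for name, value in parse_headers(raw):
        if name in DISCLOSING_HEADERS:
            findings.extend((name, token) for token in VERSION.findall(value))
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            if cookie in PLATFORM_COOKIES:
                findings.append((name, PLATFORM_COOKIES[cookie]))
    return findings


if __name__ == "__main__":
    for header, detail in disclosure_findings(SAMPLE_RESPONSE):
        print(f"{header}: {detail}")
```

On Apache, `ServerTokens Prod` reduces the Server header to the bare product name, and `expose_php = Off` in php.ini removes the X-Powered-By header; re-running the check on the new response confirms the fix.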
Intelligence Gathering Methods
- Open-Source Intelligence Gathering Tools
- Probing and Target Scanning
- Social Engineering (out of scope)
- Physical Security Analysis (out of scope)

Open-Source Intelligence (OSINT)
- OSINT is a form of intelligence collection that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
- Why do it?
  - We perform OSINT gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human.
  - Many companies fail to consider what information about themselves they place in public and how this information can be used by a determined attacker.
  - On top of that, many employees fail to consider what information they place about themselves in public and how that information can be used to attack them or their employer.
- What is it not?
  - OSINT may not be accurate or timely. The information sources may be deliberately or accidentally manipulated to reflect erroneous data.
  - Information may become obsolete as time passes, or simply be incomplete.

Wayback Machine
- http://web.archive.org/
- Shows how various websites have evolved over the years.

OSINT Forms
OSINT takes three forms: passive, semi-passive, and active.

OSINT Forms: Passive Information Gathering
- Passive information gathering is generally useful if there is a very clear requirement that the information gathering activities should never be detected by the target.
- This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, neither from one of our hosts nor from "anonymous" hosts or services across the Internet.
- This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.
- Example: Google search (Google Dorks / Dorking)

OSINT Forms: Semi-passive Information Gathering
- The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior.
- We query only the published name servers for information.
- We aren't running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content.
- The key here is not to draw attention to our activities. Post mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn't be able to attribute the activity back to anyone.
- Example: WHOIS database

Whois Lookup
- All domain registrars keep records of the domains they host.
- These records contain information about the owner, including contact information.
- For example, if we run the whois command line tool on our Kali machine to query for information about bulbsecurity.com, we see that the registrar used private registration, so we might not learn much about the domain.

OSINT Forms: Active Information Gathering
- Active information gathering should be detected by the target as suspicious or malicious behavior.
- During this stage we are actively mapping network infrastructure, actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers.
- Most of this activity falls into your typical "reconnaissance" or "scanning" activities for your standard pentest.
- Example: Ping, Traceroute, Nmap or banner grabbing

Information Gathering: Covert Gathering (Social Engineering)
- Onsite Information Gathering
  - Selecting specific locations for onsite gathering and then performing reconnaissance over time (usually for at least 2-3 days to detect patterns).
  - The following elements are sought after when performing onsite intelligence gathering:
    - Physical security inspections
    - Wireless scanning / radio frequency scanning
    - Employee behavior training inspection
    - Accessible/adjacent facilities (shared spaces)
    - Dumpster diving
    - Types of equipment in use

External Relationships
- Offsite Information Gathering
  - Identifying offsite locations and their importance/relation to the organization. These are both logical and physical locations, as below:
    - Data center locations
    - Network provisioning / provider
    - Business partners, customers, suppliers (analysis via what is openly shared on corporate web pages), rental companies, etc.
  - This information can be used to better understand the business or organizational projects. For example, what products and services are critical to the target organization?
  - This information can also be used to create successful social engineering scenarios.

Organisational Chart
- Position identification
  - Important people in the organization
  - Individuals to specifically target
- Transactions
  - Mapping of changes within the organization (promotions, lateral movements)
- Affiliates
  - Mapping of affiliate organizations that are tied to the business

Electronic Document Metadata
- What is it? Metadata provides information about the data/document in scope, e.g., author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path, etc.), geo-tag, etc. For an image, metadata can contain resolution, camera make/type and even the co-ordinates and location information.
- Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations, etc. and will help to create a blueprint of the location. It also contains information about the software used to create the respective documents. This can enable an attacker to create a profile and/or perform targeted attacks with internal knowledge of the networks and users.
- How would you do it? There are tools available to extract the metadata from a file (PDF/Word/image), such as Fingerprinting Organisations with Collected Archives, a.k.a. FOCA (GUI-based), metagoofil (Python-based), meta-extractor, and exiftool (Perl-based). These tools can extract and display the results in different formats such as HTML, XML, GUI, JSON, etc. The input to these tools is mostly a document downloaded from the public presence of the "client" and then analyzed to learn more about it, whereas FOCA helps you search for documents, download them and analyze them all through its GUI interface.

Electronic Marketing Communications
- Past marketing campaigns provide information on projects which might have been retired but might still be accessible.
- Current marketing communications contain design components (colors, fonts, graphics, etc.) which are for the most part used internally as well.
- Additional contact information, including external marketing organizations.

Infrastructure Assets
- Network blocks owned
  - Network blocks owned by the organization can be passively obtained by performing whois searches. DNSStuff.com is a one-stop shop for obtaining this type of information.
  - Open-source searches for IP addresses could yield information about the types of infrastructure at the target. Administrators often post IP address information in the context of help requests on various support sites.
- Email addresses
  - E-mail addresses provide a potential list of valid usernames and the domain structure.
  - E-mail addresses can be gathered from multiple sources, including the organization's website and Groups.google.com.
- External infrastructure profile
  - The target's external infrastructure profile can provide immense information about the technologies used internally.
  - The profile should be utilized in assembling an attack scenario against the external infrastructure.
- Technologies used
  - OSINT searches through support forums, mailing lists and other resources can gather information on the technologies used at the target.
  - Use of social engineering against the identified information technology organization.
  - Use of social engineering against product vendors.

Information Gathering (continued)
- Remote access
  - Obtaining information on how employees and/or clients connect to the target for remote access provides a potential point of ingress.
  - Often, links to the remote access portal are available from the target's home page.
  - How-to documents reveal the applications/procedures remote users follow to connect.
- Application usage
  - Gather a list of known applications used by the target organization. This can often be achieved by extracting metadata from publicly accessible files (as discussed previously).
- Defense technologies
  - Fingerprinting the defensive technologies in use can be achieved in several ways depending on the defenses in use.
  - Passive fingerprinting: search forums and publicly accessible information where technicians of the target organization may be discussing issues or asking for assistance on the technology in use; search marketing information for the target organization as well as popular technology vendors.
  - Active fingerprinting: send appropriate probe packets to the public-facing systems to test patterns in blocking. Several tools exist for fingerprinting of specific Web App Framework (WAP) types. Header information, both in responses from the target website and within emails, often shows information not only on the systems in use but also on the specific protection mechanisms enabled (e.g., email gateway anti-virus scanners).

Human Capability
- Discovering the defensive human capability of a target organization can be difficult. There are several key pieces of information that could assist in judging the security of the target organization:
  - Check for the presence of a company-wide CERT/CSIRT/PSRT team (Computer Security Incident Response Team, Computer Emergency Response Team, Public Safety Response Team).
  - Check advertised jobs to see how often a security position is listed.
  - Check advertised jobs to see if security is listed as a requirement for non-security jobs (e.g., developers).
  - Check outsourcing agreements to see if the security of the target has been outsourced partially or in its entirety.
  - Check for specific individuals working for the company who may be active in the security community.

Individuals - Employees
- History
  - Location awareness: map the location history of the person profiled from various sources, whether through direct interaction with applications and social networks, or through passive participation such as photo metadata.
  - Social media presence: verify the target's social media accounts/presence.
- Internet presence
  - Email address: email addresses are the public mailbox ids of the users.
  - Personal handles/nicknames
  - Personal domain names registered
  - Assigned static IPs/netblocks
- Footprinting
  - Footprinting is a phase of information gathering that consists of interaction with the target to gain information from a perspective external to the organization.
  - The goal is a prioritized list of targets.
- One excellent way to find usernames is by looking for email addresses on the Internet. You might be surprised to find corporate email addresses publicly listed on parent-teacher association contact info, sports team rosters, and, of course, social media.
- We can use a Python tool called theHarvester to quickly scour thousands of search engine results for possible email addresses. theHarvester can automate searching Google, Bing, PGP, LinkedIn, and others for email addresses.
- For example, we'll look at the first 500 results in all search engines for bulbsecurity.com.

theHarvester

Summary
- Introduction to Information Gathering
- Information Gathering Methods
- Open-Source Intelligence (OSINT)
- OSINT Types and example tools
- Footprinting

This Week's Lab
- Complete the Week 2 Lab Activities on Information Gathering using various tools, e.g., Whois, theHarvester, Google Dorks, Wayback Machine.

Reading List
- Google Dorking Cheat Sheet - https://github.com/chr3st5an/Google-Dorking
- https://www.securitysift.com/passive-reconnaissance/
- http://osintframework.com
- https://github.com/enaqx/awesome-pentest#social-engineering-resources

Next Week
- Target Scanning (and Enumeration)

Questions?
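The Electronic Document Metadata section of the lecture describes what FOCA, metagoofil and exiftool pull out of published documents. The script below is added here as a worked example, not part of the lecture or of any of those tools: it reads the /Info dictionary of a PDF and flags the fields an attacker would use (a login-style author name, an internal file path, application versions), so a document owner can check a file before it goes public. The sample PDF is constructed and intentionally minimal (no cross-reference table), and the flagging rules are assumptions chosen for illustration.

```python
import re

# Constructed sample: a minimal PDF whose /Info dictionary carries the kinds of
# fields metadata tools surface. Not a real document; not renderable (no xref).
SAMPLE_PDF = b"\n".join([
    rb"%PDF-1.4",
    rb"1 0 obj << /Type /Catalog >> endobj",
    rb"2 0 obj << /Title (\\\\fs01\\finance\\budget-2025.docx) /Author (j.smith)",
    rb"  /Creator (Microsoft Office Word 2016) /Producer (Acrobat PDFMaker 17 for Word)",
    rb"  /CreationDate (D:20250126101500+00'00') >> endobj",
    rb"trailer << /Info 2 0 R >>",
    rb"%%EOF",
])

INFO_KEYS = ("Title", "Author", "Subject", "Keywords",
             "Creator", "Producer", "CreationDate", "ModDate")
# A PDF literal string "( ... )" with backslash escapes; nested parens not handled.
LITERAL = r"\(((?:\\.|[^\\)])*)\)"


def pdf_info(pdf: bytes) -> dict:
    """Return the literal-string entries of the /Info dictionary, unescaped."""
    text = pdf.decode("latin-1")
    info = {}
    for key in INFO_KEYS:
        match = re.search(r"/%s\s*%s" % (key, LITERAL), text)
        if match:
            # Drop the backslash from \( \) \\ escapes (the ones office exporters emit).
            info[key] = re.sub(r"\\(.)", r"\1", match.group(1))
    return info


def audit(info: dict) -> list:
    """Flag (field, value, reason) triples that feed an attacker's target profile."""
    findings = []
    author = info.get("Author", "")
    # A single token or an address is a login name rather than a display name.
    if author and (" " not in author or "@" in author):
        findings.append(("Author", author, "likely username or e-mail address"))
    for key in ("Title", "Subject", "Keywords"):
        value = info.get(key, "")
        # UNC share, Windows drive letter, or Unix home directory.
        if re.search(r"^\\\\|^[A-Za-z]:\\|/home/|/Users/", value):
            findings.append((key, value, "internal file path"))
    for key in ("Creator", "Producer"):
        value = info.get(key, "")
        if re.search(r"\d", value):          # a digit means a version is present
            findings.append((key, value, "application name with version"))
    return findings
```

Stripping the fields before publication (exiftool's `-all=` option is the usual way) and re-running `pdf_info` on the result confirms they are gone; exiftool writes PDFs as incremental updates, so verify the final file rather than assuming the old values were overwritten.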
