APT Reconnaissance - Chapter 4 PDF
Summary
This presentation covers an approach to reconnaissance, focusing on technical and non-technical data, sources and methods. It details the data types, categories, sources and methods used to obtain information about organizations, including technical data obtained from the internet. It also addresses geolocation information and data from phone systems.
Full Transcript
Chapter 4 part 1: An APT Approach to Reconnaissance

Introduction

Remember from the previous chapter that many of the steps involved in penetrating an organization are interchangeable and do not necessarily need to be followed in order. There is one exception: the phase that must always be performed first is reconnaissance. Proper reconnaissance sets the stage for all of your future attacks. One very clear difference between an advanced attacker and attackers lower on the capabilities pyramid is the amount of time spent on reconnaissance. Every organization has unique challenges, and an advanced attacker will spend the time in this phase to explore all possible vulnerabilities.

Reconnaissance Data

There are two main categories of data we will be looking for in our target organization:
1. Technical
2. Non-technical

There are two main sources from which we might obtain this information:
1. Physical
2. Cyber

There are two main methods for obtaining each category of data from each data source:
1. Active
2. Passive

Data Categories

  Data type      Technical   Non-Technical
  Data source    Physical    Digital
  Recon method   Active      Passive

Examples of each type of data include:

Technical:
- Internet-routable subnets in use by the organization
- Antivirus software used by the organization
- Domain Name Service (DNS) records associated with the organization

Non-Technical:
- Geographic locations of the organization
- Major departments within the organization
- Important personnel and their titles at the organization

Data Sources

Physical source: this does not only mean something physically obtained, such as a document or a video, but anything that is not obtained automatically over the internet or from technology. Sub-categories of data sources:
- Open-source intelligence (OSINT)
- Financial intelligence (FININT)
- Human intelligence (HUMINT)

It is important to understand that your sources for recon data are extremely dynamic and change at an almost bewildering rate.
Data Methods (Active and Passive)

Active reconnaissance involves any activities that can be detected by the target organization.
Passive reconnaissance involves using sources that the target does not own, which makes it much harder for them to detect our reconnaissance.

Technical Data

The baseline of technical data you should obtain about any target organization includes:
- Internet registry information: whois information, registered subnets, and actively used subnets
- DNS information and records
- Routing and Border Gateway Protocol (BGP) information
- User name and e-mail formats
- Remote access or login systems
- Specific technologies in place (e.g., firewalls, routers, antivirus software, filtering, wireless)
- Analysis of large public data sets

Registrant Information

The information includes:
- Whois and registrant information
- IPv4 and IPv6 address allocations
- Autonomous System (AS) number allocations
- DNS reverse record delegation

Many companies register with the following registries according to the region in which they are located:
- ARIN (American Registry for Internet Numbers)
- AfriNIC (African Network Information Center)
- APNIC (Asia Pacific Network Information Center)
- LACNIC (Latin America and Caribbean Network Information Center)
- RIPE NCC (Réseaux IP Européens Network Coordination Centre)

Network Allocation

Any IPv4 and IPv6 address space assigned to customers that is returned in our search results will be listed under the "Networks" heading. This does not mean the organization has any systems actually using these IP addresses: many organizations have extremely large ranges of IP addresses that are unused.

Autonomous Systems

Here we have the Autonomous System (AS) owned by the organization. AS numbers uniquely identify an IP address range or subnet with a simple 16-bit or 32-bit number. These are commonly used by the Border Gateway Protocol (BGP), which is commonly known as the "routing protocol of the internet," to ensure that traffic from all hosts on the network (the internet) will reach its destination.
If routing fails, then an alternative path is identified.

DNS Information and Records

DNS (Domain Name System) can provide a treasure trove of useful technical and non-technical information. Valuable information includes:
- Start of Authority (SOA): which name servers are responsible for a domain, as well as an e-mail contact for the person who administers the domain
- Mail Exchange (MX): this record indicates the mail servers that can be used to send mail to the target domain
- Pointer Records (PTR): these records return a CNAME record for a given IP address
- Canonical Name Records (CNAME): this record returns an alias for another host record
- AAAA: the host record for the IPv6 address
- TXT: text or arbitrary "human readable" data
- Sender Policy Framework (SPF): used to indicate legitimate mail sources for a domain to help fight spam

Part 2: APT Approach to Reconnaissance

Domain Harvesting

Another great way for us to identify as many hosts as possible is by harvesting DNS names from websites. There are a handful of tools to help us with this as well. Using dnsrecon with the -t goo option, we can scrape Google for any hostnames found in our target domain. We can also use a tool called theharvester to harvest domain names. Not only does theharvester allow us to harvest more than just domain names, but we can also search other popular data sources besides Google for domain names.

DNS Zones

You should also note that an organization can have different DNS zones and servers for internal and external use for the same domain. This means our target organization could have multiple servers that claim to handle the same domain names yet return different results.
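The record types listed above are exactly what a defender should inventory in their own public zone before an outsider does. The following is an added example (not code from the chapter) that parses a constructed, simplified zone file and reports what it gives away: the SOA administrator contact (the RNAME field encodes an e-mail address, with the first unescaped dot standing for "@"), the mail servers, third-party mail sources named in SPF "include:" terms, and CNAMEs that point at hosts outside the zone (the hosted third-party vendors mentioned later in the chapter). The domain example.com and every record in SAMPLE_ZONE are constructed placeholders.

```python
"""
Inventory what a public DNS zone reveals: SOA contact, MX hosts, SPF includes,
CNAMEs to outside hosts, AAAA hosts and PTR names. Added example; the zone
below is constructed and the domain example.com is a placeholder.
"""
import re
from collections import defaultdict

# Constructed zone data in a simplified one-record-per-line form (no TTLs).
SAMPLE_ZONE = """
example.com.          IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 3600 900 1209600 300
example.com.          IN MX    10 mail.example.com.
example.com.          IN MX    20 mx.thirdparty-mail.example.
example.com.          IN TXT   "v=spf1 mx include:spf.thirdparty-mail.example -all"
www.example.com.      IN CNAME example.com.
portal.example.com.   IN CNAME collab.hosted-vendor.example.
ipv6.example.com.     IN AAAA  2001:db8::10
10.0.0.203.in-addr.arpa. IN PTR vpn.example.com.
"""


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)  # owner, class, type, rdata
        if len(parts) < 4 or parts[1] != "IN":
            continue
        owner, _, rtype, rdata = parts
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records


def soa_contact(rname):
    """Decode the SOA RNAME into the administrator e-mail it encodes:
    the first unescaped dot separates local part and domain, and a
    backslash-escaped dot ("john\\.doe") is a literal dot in the local part."""
    name = rname.rstrip(".")
    m = re.match(r"^((?:[^.\\]|\\.)+)\.(.+)$", name)
    if not m:
        return None
    local, domain = m.groups()
    return local.replace("\\.", ".") + "@" + domain


def in_zone(name, apex):
    """True if name is the apex or a subdomain of it."""
    n, a = name.rstrip(".").lower(), apex.rstrip(".").lower()
    return n == a or n.endswith("." + a)


def zone_exposure(text, apex):
    """Summarise what an outsider learns from the zone. PTR records map an
    address back to a host name, so they reveal which addresses are in use."""
    report = defaultdict(list)
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "SOA":
            fields = rdata.split()
            report["primary_ns"].append(fields[0])
            report["admin_contact"].append(soa_contact(fields[1]))
        elif rtype == "MX":
            _pref, host = rdata.split()
            report["mail_servers"].append(host)
            if not in_zone(host, apex):
                report["third_party"].append(("MX", host))
        elif rtype == "TXT" and rdata.strip('"').startswith("v=spf1"):
            for tok in rdata.strip('"').split():
                if tok.startswith("include:"):
                    report["third_party"].append(("SPF include", tok[len("include:"):]))
        elif rtype == "CNAME":
            if not in_zone(rdata, apex):
                report["third_party"].append(("CNAME", owner + " -> " + rdata))
        elif rtype == "AAAA":
            report["ipv6_hosts"].append((owner, rdata))
        elif rtype == "PTR":
            report["reverse_names"].append((owner, rdata))
    return dict(report)


if __name__ == "__main__":
    for key, values in zone_exposure(SAMPLE_ZONE, "example.com").items():
        print(key)
        for v in values:
            print("   ", v)
```

Running it against a real zone export is a quick way to see which administrator mailbox, vendor and hosting relationships are published for anyone to read.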
Other times, an organization will have separate and distinct domain names for its internal systems. There might also be third-party vendors that host domain names belonging to our target. When we resolve and visit the IP address, we see that it belongs to a third-party vendor that specializes in hosted collaboration software for specific organizations.

DNS Cache Snooping

Another vulnerability that can be used to our advantage is DNS cache snooping. Cache snooping allows us to enumerate websites and systems that users or systems at our target organization have requested. The main caveat here is that the DNS server must be configured to allow recursive queries, which is what makes it vulnerable. If a DNS server does not have the answer to a query from a client, it can be configured to respond to the client in one of two basic modes: iterative or recursive.
- An iterative query is one where the DNS server responds with a list of other DNS servers that the client can then query directly.
- A recursive query occurs when the DNS server asks other DNS servers for the answer and returns the result directly to the client.

Both of these request types are demonstrated here:

user@kali:~$ dig @8.8.8.8 www.facebook.com A +norecurse

Border Gateway Protocol: An Overview

The Border Gateway Protocol (BGP) is the primary routing protocol of the internet. It allows the decentralized and dynamic exchange of routing information on the internet. For example, two ISPs can each provide a route to the same subnet over their links, with the organization running BGP with two different providers. Typically, the BGP configuration for target organizations will make it so that one of the provider connections is preferred and the second is only used if the primary network connection goes down, as shown in the figure. This is a very important fact, as it means that Firewall 1 and Firewall 2 could potentially have two distinct configurations. This information is useful for hackers.
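Since the precondition for cache snooping is a server that answers recursive queries for outsiders, the defender's check is whether recursion is limited to internal clients. The following added example (not the chapter's code) audits this in two ways: it reads a simplified BIND "options" block for "recursion" and the "allow-recursion"/"allow-query-cache" address-match lists, and it inspects the flags line of a dig response, where the "ra" flag means the server advertises recursion to the querying client. Both configuration fragments and both dig headers are constructed; the audit rule that treats a missing ACL as unrestricted is an assumption chosen to be conservative, since BIND's defaults differ by version.

```python
"""
Audit whether a DNS server hands out recursion to clients that should not
get it. Added example, not from the original; config fragments and dig
headers are constructed.
"""
import re

# Constructed: recursion on, no ACL limiting who may recurse.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
"""

# Constructed: recursion on, but only for local networks.
HARDENED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { localnets; localhost; };
    allow-query-cache { localnets; localhost; };
};
"""

# Constructed dig headers: the first advertises recursion ("ra"), the second does not.
DIG_OPEN = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
DIG_CLOSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""


def parse_options(conf):
    """Extract recursion yes/no and the two ACLs from a simplified options block.
    Address-match lists come back as lists of tokens; absent settings are None."""
    opts = {"recursion": None, "allow-recursion": None, "allow-query-cache": None}
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", conf)
    if m:
        opts["recursion"] = m.group(1) == "yes"
    for key in ("allow-recursion", "allow-query-cache"):
        m = re.search(key + r"\s*\{([^}]*)\}\s*;", conf)
        if m:
            opts[key] = [t.strip() for t in m.group(1).split(";") if t.strip()]
    return opts


def effective_recursion_acl(opts):
    """allow-recursion wins; otherwise allow-query-cache; otherwise nothing."""
    if opts["allow-recursion"] is not None:
        return opts["allow-recursion"]
    return opts["allow-query-cache"]


def open_resolver(opts):
    """True when outside clients can obtain recursive answers.
    Assumption (audit rule, deliberately conservative): recursion enabled with
    no ACL at all, or an ACL containing "any", counts as open to the world."""
    if opts["recursion"] is False:
        return False
    acl = effective_recursion_acl(opts)
    return acl is None or "any" in acl


def dig_offers_recursion(dig_output):
    """Read the flags line of a dig response; "ra" means recursion available."""
    m = re.search(r";; flags:([^;]*);", dig_output)
    if not m:
        raise ValueError("no flags line in dig output")
    return "ra" in m.group(1).split()


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "open resolver:", open_resolver(parse_options(conf)))
    print("dig (open) advertises recursion:", dig_offers_recursion(DIG_OPEN))
    print("dig (closed) advertises recursion:", dig_offers_recursion(DIG_CLOSED))
```

The configuration check catches the problem before deployment; the dig check, run from outside the network against your own authoritative servers, confirms what is actually being advertised.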
One could be a less restrictive firewall than the other, which could be useful for an exploit path. This backup firewall can mean it gets less attention and less "live" time for the personnel supporting it to notice the difference in configuration.

Example commands:

show ip bgp 134.186.15.29
whois AS1225
whois <IP address>

System and Service Identification

After identifying all of the subnets owned by the target organization, we will want to identify all of the systems and services exposed to the internet. Performing port scans and ping sweeps is arguably one of the most basic things we will cover. On your way to becoming an APT hacker, you will necessarily have to master the technique of effective port scanning; much of the most useful information you can find is there. The most important thing for us is to identify systems, services, and information that will be used in future attack phases.

There are some firewalls and intrusion prevention systems that may block our requests or otherwise give us unusable data if they detect our activities. Thus we want to employ two scans: one "slow and low" and another "hard and fast." The order you choose to employ depends on the organization you are scanning. If you think they might have technologies in place that will detect or block your port scans, you may want to start with the slow and low approach. If there are indications that the target organization is like 95 percent of all organizations and won't notice our scanning, we can start with a hard and fast scan. Remember that every organization is constantly being scanned by automated programs, so our scan probably won't set off any alarms. Even though we can assume that much of our scanning will go unnoticed, we still want to take the precaution of using a bounce box or proxy for our scanning. For example, for our first quick and dirty scan, we will use the most basic options of nmap.
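The "slow and low" versus "hard and fast" distinction is precisely what separates a detection rule that fires from one that does not: a burst threshold catches the fast scan, while the slow scan only shows up when distinct ports from one source are counted over hours. The following added example (not from the chapter) runs both rules as a sliding window over constructed firewall drop lines; the log format, thresholds (20 ports in 10 seconds, 50 ports in 6 hours) and addresses are all assumptions chosen for the demonstration.

```python
"""
Detect both scanning styles the chapter describes from firewall drop logs:
a "hard and fast" burst and a "slow and low" scan. Added example, not from
the original; the log lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed generic drop-log format: ISO timestamp, SRC, DST, PROTO, DPT.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$")


def build_sample_log():
    """Constructed log: one bursty scanner, one slow scanner, one benign client."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    lines = []
    for i in range(25):  # 25 distinct ports within 5 seconds
        ts = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} DROP SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT={1000 + i}")
    for i in range(60):  # one new port every 3 minutes, 60 ports in 3 hours
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} DROP SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP DPT={2000 + i}")
    for i in range(5):  # benign client retrying two ordinary ports
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} DROP SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP DPT={443 if i % 2 else 80}")
    return lines


def parse_lines(lines):
    """Turn matching log lines into event dicts; unparseable lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])})
    return events


def detect_scans(events, fast_window=timedelta(seconds=10), fast_ports=20,
                 slow_window=timedelta(hours=6), slow_ports=50):
    """Return {src: set(labels)} for sources whose count of distinct destination
    ports inside a sliding window reaches either threshold."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    verdicts = defaultdict(set)
    rules = ((fast_window, fast_ports, "hard-and-fast"),
             (slow_window, slow_ports, "slow-and-low"))
    for src, evs in by_src.items():
        for window, threshold, label in rules:
            tail = 0
            for head in range(len(evs)):
                # Advance the tail until every event in [tail, head] fits the window.
                while evs[head]["ts"] - evs[tail]["ts"] > window:
                    tail += 1
                distinct = {e["dpt"] for e in evs[tail:head + 1]}
                if len(distinct) >= threshold:
                    verdicts[src].add(label)
                    break
    return dict(verdicts)


if __name__ == "__main__":
    for src, labels in detect_scans(parse_lines(build_sample_log())).items():
        print(src, sorted(labels))
```

The slow rule is the one most sensors lack: a source probing one port every few minutes never exceeds a per-minute rate limit, so it is only caught by keeping per-source state over a long window.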
For other, more advanced scans you can use the additional options of the nmap command. You should not worry about slow scanning; there are no rules, and it all depends on you. You should perform as many scans as needed to get the most useful information. The information obtained from port scanning is important for our next phase, spear phishing. For example, if the target organization has a remote access service such as a VPN, we know that we can most likely focus on obtaining a valid set of credentials from our phishing target, which we can then use to VPN into the target organization. On the other hand, if no remote services are available, we might have to change our attack strategy and focus on delivering a backdoor to our phishing target that will provide remote access to their systems.

Web Service Enumeration

Now that we have the information from port scanning our target network, let us identify a few important services. One of the main types of services we want to identify is remote access services. Many times, these systems will operate over a standard web port or at least offer some type of helper web service. Organizations today are keen on providing end users with a method to remotely access key systems in a way that is familiar and easy. Many organizations are using Secure Sockets Layer (SSL) or web VPN systems, web e-mail access, or some related portal system. Besides just remote access systems, you will find some very interesting web systems connected to the internet. Identifying these systems can provide some useful information on our target organizations. Some of these systems include:
- Teleconference and videoconference systems
- Server and system administration tools
- Security camera systems
- Phone management systems

First, we want to identify the hosts from our port scan that have common web services. The most common ports to look for are 80, 443, and 8080. For this we will turn to nmap: you can run grep for each port against the output you saved to a file after scanning.
You should also review the output of the nmap file to identify as many HTTP-related services as possible that might be on nonstandard ports. Example:

grep "open http" nmap.nmap

In this example, the scan was performed with the -A option, which performs service identification and version enumeration, among other things. If you wanted to perform just service versioning and identification, you could call nmap with the -sV option.

Web Service Exploration

Using the web systems identified via port scanning and the DNS hostnames from tools such as theharvester, we can move on to identifying exactly what is being offered by these web systems. There are many tools available for us to use in Kali. The web cloning example we did in the lab for Facebook is one of them, where we can capture the credentials of our victims.

Geolocation Information

Geolocation data is any data regarding the physical location of an asset owned by or related to a target organization. Usually, this asset will directly relate to a specific employee; other times, it might be shared among employees. There are a few main forms of technical geolocation data: geo-metadata, geo-IP data, and GPS data. There are also non-technical ways of obtaining geolocation data. One of the most popular places to obtain geolocation data is from metadata, typically from digital photos. Many cameras and smartphones by default will embed the GPS coordinates and the specific time and date when the picture was taken. GPS (global positioning system) uses satellites in space to calculate the current location on earth with roughly a three-foot radius of accuracy.
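The grep for "open http" is a one-liner, but the same review is worth automating for an organization's own external scan so that web services on nonstandard ports (which are the ones most often forgotten: camera interfaces, admin consoles, phone management pages) stand out. The following added example (not the chapter's code) parses nmap's normal output format for the host and port lines, keeps open ports whose service name contains "http" (the same criterion as the grep), and flags those outside 80, 443 and 8080. The scan output, host names and versions in SAMPLE_NMAP are constructed.

```python
"""
Parse nmap normal output and list open HTTP services, flagging nonstandard
ports. Added example, not from the original; SAMPLE_NMAP is constructed.
"""
import re

# Constructed nmap -sV style output for two hosts (names and versions made up).
SAMPLE_NMAP = """
Nmap scan report for vpn.example.com (192.0.2.10)
Host is up (0.012s latency).
PORT     STATE  SERVICE     VERSION
22/tcp   open   ssh         OpenSSH 8.9
80/tcp   open   http        nginx 1.18.0
443/tcp  open   ssl/http    nginx 1.18.0
8443/tcp open   ssl/http    Jetty 9.4
9100/tcp open   jetdirect
Nmap scan report for cam.example.com (192.0.2.11)
Host is up.
PORT     STATE    SERVICE    VERSION
81/tcp   open     http       Boa HTTPd 0.94
554/tcp  open     rtsp
8080/tcp filtered http-proxy
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
STANDARD_WEB_PORTS = {80, 443, 8080}


def parse_nmap(text):
    """Return one dict per port line, tagged with the host it belongs to."""
    findings, host, ip = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        hm = HOST_RE.match(line)
        if hm:
            host, ip = hm.group(1), hm.group(2)
            continue
        pm = PORT_RE.match(line)
        if pm and host:
            findings.append({
                "host": host, "ip": ip, "port": int(pm.group(1)),
                "proto": pm.group(2), "state": pm.group(3),
                "service": pm.group(4), "version": (pm.group(5) or "").strip()})
    return findings


def web_services(findings):
    """Open ports whose service name contains 'http' (what grep "open http"
    would match), as (host, port, service, is_nonstandard_port)."""
    return [(f["host"], f["port"], f["service"], f["port"] not in STANDARD_WEB_PORTS)
            for f in findings
            if f["state"] == "open" and "http" in f["service"]]


def nonstandard_web_ports(findings):
    """Just the (host, port) pairs that deserve a second look."""
    return [(host, port) for host, port, _svc, nonstd in web_services(findings) if nonstd]


if __name__ == "__main__":
    found = parse_nmap(SAMPLE_NMAP)
    for host, port, svc, nonstd in web_services(found):
        print(f"{host}:{port} {svc}" + ("  <-- nonstandard port" if nonstd else ""))
```

Note that a "filtered" port is excluded on purpose: it tells you a firewall is in the path, not that a web service is reachable.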
Both real-time and historical geodata can be valuable for us. For example, by gaining historical data on where an individual employee has been in the past week, month, or year, we can identify where they might be in the future, allowing us to target them remotely or target their homes or work when they are away. Or, by obtaining the real-time geolocation data associated with a mobile work truck or laptop system, we can likewise determine where an important person or asset currently is. There are tools such as Geostalker that allow you to grab all the geolocation metadata from pictures that a specific individual has posted on image-sharing sites such as Instagram, Flickr, and Twitter, among others. Another source is geo-IP data, which allows us to identify the geographic region that an IP address ultimately routes to.

Data from the Phone System

There are a myriad of ways to use phones to perform reconnaissance on our target organization. Technology has advanced from manual to automated dialing. By using VoIP (voice over IP) we can automatically dial any number of phones. One tool is WarVOX. It has a nice web interface, making it extremely easy to use. It can scan using many "phone lines" at once to get really great speed. Not only can it use multiple lines, but it can also use multiple providers. It can sort and analyze the data, and you can listen to the audio from any specific phone call. The answering system could be as simple as a fax machine, voicemail, a person answering the phone, or a modem or other computer system. It can identify some potentially forgotten modem or remote access systems. We can also get a lot of good information about personnel that might be away on vacation or away on business.
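The photo metadata discussed in the geolocation section stores coordinates as EXIF GPS tags: a hemisphere reference ("N"/"S", "E"/"W") plus degrees, minutes and seconds, each as a rational number, along with a separate GPS date and time. The following added example (not from the chapter) shows the conversion to decimal degrees, the reconstruction of the capture timestamp, and the counterpart a defender wants in a publishing pipeline: stripping every GPS tag before an image leaves the organization. The EXIF dictionary is constructed (the coordinates are made-up values and the tag names follow the EXIF GPS tag naming); reading the tags out of an actual JPEG would need an EXIF library, which is deliberately left out so that the block runs offline.

```python
"""
Decode EXIF GPS metadata to decimal coordinates and a timestamp, and strip it.
Added example, not from the original; the EXIF dictionary is constructed.
"""
from datetime import datetime, timezone
from fractions import Fraction

# Constructed EXIF data as a tag-name -> value dict. GPS values use the EXIF
# rational representation: (numerator, denominator) pairs for deg, min, sec.
SAMPLE_EXIF = {
    "Make": "ExampleCam",
    "DateTimeOriginal": "2024:03:14 11:09:26",
    "GPSLatitudeRef": "N",
    "GPSLatitude": ((40, 1), (26, 1), (46, 1)),      # 40 deg 26' 46" N
    "GPSLongitudeRef": "W",
    "GPSLongitude": ((79, 1), (58, 1), (56, 1)),     # 79 deg 58' 56" W
    "GPSDateStamp": "2024:03:14",
    "GPSTimeStamp": ((15, 1), (9, 1), (26, 1)),      # 15:09:26 UTC
}


def dms_to_decimal(dms, ref):
    """Convert EXIF (deg, min, sec) rationals and a hemisphere reference to
    signed decimal degrees; south and west are negative."""
    deg, mins, secs = (Fraction(n, d) for n, d in dms)
    value = deg + mins / 60 + secs / 3600
    if ref in ("S", "W"):
        value = -value
    return float(value)


def gps_from_exif(exif):
    """Return (latitude, longitude, utc_timestamp) or None when the image
    carries no GPS position. The timestamp is None if only position is set."""
    try:
        lat = dms_to_decimal(exif["GPSLatitude"], exif["GPSLatitudeRef"])
        lon = dms_to_decimal(exif["GPSLongitude"], exif["GPSLongitudeRef"])
    except KeyError:
        return None
    ts = None
    if "GPSDateStamp" in exif and "GPSTimeStamp" in exif:
        h, m, s = (Fraction(n, d) for n, d in exif["GPSTimeStamp"])
        ts = datetime.strptime(exif["GPSDateStamp"], "%Y:%m:%d").replace(
            hour=int(h), minute=int(m), second=int(s), tzinfo=timezone.utc)
    return lat, lon, ts


def strip_gps(exif):
    """Copy of the EXIF dict with every GPS* tag removed: the sanitisation a
    publishing pipeline should apply before images are posted externally."""
    return {k: v for k, v in exif.items() if not k.startswith("GPS")}


if __name__ == "__main__":
    print("decoded:", gps_from_exif(SAMPLE_EXIF))
    print("after strip:", gps_from_exif(strip_gps(SAMPLE_EXIF)))
```

Note that DateTimeOriginal is local camera time while the GPS stamps are UTC, so the two can legitimately differ by the time-zone offset; a review process should treat both as sensitive, not only the coordinates.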