reconnaissance - usalearning · phase 1 – reconnaissance 8 phase 1 - reconnaissance all you know...


Upload: duongphuc

Post on 25-Jul-2018


TRANSCRIPT

Page 1: Reconnaissance - USALearning · Phase 1 – Reconnaissance 8 Phase 1 - Reconnaissance All you know at this point is the name of the organization you have been given as a target

Reconnaissance

Table of Contents

Reconnaissance ............................................................................................................................... 2

Phase 1 – Active and Passive Reconnaissance ................................................................................ 3

Phase 1 – Reconnaissance .............................................................................................................. 4

Passive and Active Reconnaissance .............................................................................................. 10

Information Gathering .................................................................................................................. 13

Seven Steps of Reconnaissance .................................................................................................... 15

Footprinting .................................................................................................................................. 17

Notices .......................................................................................................................................... 18

Page 1 of 18


Reconnaissance (slide 6)

**006 So what is reconnaissance?

Page 2 of 18


Phase 1 – Active and Passive Reconnaissance (slide 7)

Phase 1 – Active and Passive Reconnaissance

Phase 2 – Scanning and Enumeration

Phase 3 – Gaining Access

Phase 4 – Maintaining Your Access

Phase 5 – Covering Your Tracks

**007 Well, again, we're talking about the first step in the ethical hacking methodology. Again, we're just getting started, and the very first thing that we're going to want to do is find something to hack into, and that's what we try to accomplish with reconnaissance.

Page 3 of 18


Phase 1 – Reconnaissance (slide 8)

All you know at this point is the name of the organization you have been given as a target.

Now you must determine:

• Do they have a presence on the internet? (www.domain.info)

• Can I find their IP space? (nslookup; set type=mx; domain.info)

• Can I find their employees' email addresses/phone numbers?

• Can I build a hierarchy of the employees?

• Can I build a relationship map to other companies?

• Can I build an understanding of their security posture/policies/infrastructure?

**008 And so with the first phase here, as you start an ethical hacking engagement, or as you start a pen test engagement, what do you usually start with? You usually have just a name-- Company X, Government Organization Y-- and you're told, "Go after them, and find out-- be a hacker-- find out what you can access, how much information can you get." And so just armed with that one piece of information, Company X, what do you do? Well, there are a bunch of things that you actually have to go out and try to do, because that's what the attacker's going to do. And so you're going to try to find: Do they have an internet presence? Generally everybody is connected to the network. They've got websites full of information that you can use. What is their IP address space? As a hacker, you won't have this information. As an ethical hacker working for your organization, you probably already come armed with your own network IP space. Again, you're a system administrator; you probably know that type of information. But if you don't, there are ways of going about getting that, and we'll talk about this. Can you find employee email addresses, phone numbers, addresses? Why would you think you might need somebody's email address? Again, put on your ethical hacking hats, what would you do with an email address?

Student: Send them a phishing email.

Chris Evans: Send them a phishing email. Yep. What about their address? Why would you need their address or phone number?

Student: It would look like the same as everybody else's. Like everybody else would have the same "at"--

Chris Evans: Oh, like naming conventions.

Student: Yes.

Page 5 of 18


Chris Evans: Yep. So you could get naming conventions from it. Why else? Yes, sir?

Student: Guessing passwords. A family dog's name, (inaudible) that type of stuff.

Chris Evans: Yep. How many of you use passwords that are related to family members and pets? Of course nobody in this class. But I guarantee that there are a lot of people out there who do. You'd be surprised. I'm from-- I live in Texas. I'm not from Texas. I'm from Los Angeles. Hence my little mascot here. But the password that-- when I was out doing pen tests and vulnerability assessments-- "Cowboys01!" You know how many times that password popped up as somebody's password? And these were pen tests done outside of Texas, not just in Texas. I don't know. I suspect Packers would probably be pretty good for a password too. Something to do with Steelers would probably be pretty good here as well. It's amazing what people will use for their password. But why would I need a physical address? Maybe because I want to show up at your office and do some type of social engineering attack against you. We'll talk a little bit about that. Hierarchy of employees, maybe an org chart or something like that so you know where people fit. Let me pick on Michael here. Why would it be important for me to know who Michael's boss is? Again, as an ethical hacker. Why would I need to know your boss? What could I do with that information?

Student: Useful in a social engineering attack.

Chris Evans: What kind?

Student: "His boss told me that he needs to do this for him."

Chris Evans: Bingo.

Student: Something like that.

Chris Evans: Yep. I could show up in his office with a work order signed by his boss and say, "Yep, I'm here to do this, and this was approved by your boss." I've done that several times and it works very, very well, because just the implication that your boss has approved this, you're much more likely to agree to whatever it is that I'm selling, even if it might be malicious. Can I build a relationship map to other companies? Understand the principle that various hackers are lazy, and so if I've got two companies and they have a shared intranet between the two-- Company X has really weak security; Company Y has really good security-- how am I going to attack the company with really good security? Am I going to break down the door and try to go after them directly? Probably not. As an ethical hacker, what I would want to do is I would understand that the hackers are lazy and they understand that Company X talks to Company Y through some type of privileged or shared VPN or something like that. But this company is the weaker from a security standpoint. So if I can hack into here and then ride that privileged backend to get into the more secure company, that's a lot easier than just breaking down the door at the company with good security. And so understand as an ethical hacker that these are the types of things that the hackers out there are looking for. They're looking for relationships; they're looking for ways to connect-- that companies connect-- and how to get into systems. And the most obvious route of breaking down the front door may not always be the best. There are usually side doors, back doors, ventilation vents and all sorts of other things that are out there that you can take advantage of as a hacker. Can you build an understanding of their security posture, the policies, the infrastructures that they have in place? You'd be surprised to find the amount of information that you can get on a company's security posture just by asking questions, doing Google searches, doing all of this reconnaissance and enumeration that we're talking about here. Why would that be good information? Well, if your job as an ethical hacker is to figure out how those systems can be circumvented, and you understand that the hackers out there are using things like Google and web queries to find this type of information, you can go and start scrubbing that off of various websites. You can pull that information off. That might be one of your recommendations: "Look, I found out that we have network maps out here that show all of our IP addresses, show all of our servers, all of the configurations. All of that is out here on the internet. We probably want to police that up and make sure that it's not available somewhere, or at least available out there to the various hackers." And so if you can build an understanding of your target's security posture, number one, you'll be able to go and make solid recommendations at the backend; but two, you're feeding your ability to do the next few phases of the ethical hacking methodology, because you'll be able to take this information that you find here and start targeting individual systems, start attacking individual systems.

Page 9 of 18
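The naming-convention point from the exchange above, as an added example that is not part of the original course slides or the instructor's material: given a couple of addresses found in public (a press release, a conference programme), infer the organisation's e-mail format and apply it to employee names harvested elsewhere. The pattern list is an assumption covering common corporate formats, and the names, addresses and domain are constructed sample data.

```python
"""Infer an organisation's e-mail naming convention from a few addresses found
during reconnaissance and apply it to employee names harvested from public
sources (staff pages, press releases, social media).

Added example for this transcript, not part of the original course material.
The pattern list is an assumption (common corporate formats), and the names,
addresses and domain used below are constructed sample data."""

import re
from typing import Callable, Dict, List, Optional, Tuple

# Candidate local-part formats, each a function (first, last) -> local part.
# Assumption: these cover the common corporate schemes; extend as needed.
PATTERNS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first.l": lambda f, l: f"{f}.{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def normalise_name(full_name: str) -> Tuple[str, str]:
    """Reduce "Dana O'Neil" or "Michael Ray Johnson" to (first, last):
    lowercase, punctuation stripped, middle names dropped."""
    parts = [re.sub(r"[^a-z]", "", p.lower()) for p in full_name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        raise ValueError(f"need a first and a last name: {full_name!r}")
    return parts[0], parts[-1]


def infer_convention(known: List[Tuple[str, str]]) -> Optional[str]:
    """Return the single pattern label that reproduces the local part of every
    known (full name, e-mail) pair, or None if no pattern fits all of them.
    If several patterns survive, the first one in PATTERNS order wins."""
    surviving = list(PATTERNS)
    for full_name, email in known:
        first, last = normalise_name(full_name)
        local = email.split("@", 1)[0].lower()
        surviving = [lbl for lbl in surviving if PATTERNS[lbl](first, last) == local]
        if not surviving:
            return None
    return surviving[0]


def generate_addresses(names: List[str], domain: str, convention: str) -> List[str]:
    """Apply an inferred convention to harvested names. The output is a list of
    candidates to verify (e.g. against the mail server), not confirmed users."""
    build = PATTERNS[convention]
    return [f"{build(*normalise_name(n))}@{domain}" for n in names]


if __name__ == "__main__":
    # Constructed sample: two addresses seen on a public page, then a staff list.
    known = [("Chris Evans", "cevans@example.com"), ("Dana O'Neil", "doneil@example.com")]
    convention = infer_convention(known)
    print("convention:", convention)
    for addr in generate_addresses(["Michael Ray Johnson", "Pat Lee"], "example.com", convention):
        print(addr)
```

Two known addresses are usually enough to pin the format down; one is often ambiguous (a short first name can satisfy several patterns), which is why the function keeps every surviving candidate until the samples rule them out. The generated list is a set of guesses to confirm, not a user directory, and sending mail to it is no longer passive reconnaissance.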


Passive and Active Reconnaissance (slide 9)

Passive Reconnaissance – gathering information on a target without their knowledge of your actions

• Example: Using the Internet to research a target (domain registrations, web pages, email addresses)

Active Reconnaissance – gathering information on a target where the potential exists that your actions will be seen by the target

• Example: Port scanning the target domain’s network looking for hosts and open services

**009 Passive reconnaissance: We're talking about information that you gather from a target without interacting with it, or at least without directly interacting with it, so that your target has no knowledge of your actions. Again, things like Google queries, Google Maps, Google Earth, that sort of thing. So pulling information off of Google is a good example of a passive reconnaissance step. Active reconnaissance: You're gathering information, but the potential exists that somebody's going to see that. So if you're doing a port scan where you're actually sending packets to a system on your target network, somebody might see that. Chances are they're not going to see it because there's so much traffic out there, there are so many port scans going on already that most security administrators look at that and go, "Eh, whatever. I'm being port scanned. It's not a big deal." Although I will tell you that I did a vulnerability assessment at one particular location and fired off our little scanning engine to kind of identify hosts and printers and everything else that was on the network, and probably within 15 minutes I was getting a phone call from a system administrator. They had a-- there was the primary network that everybody used, and then there was this side network that was not a special system, but a different system that was being used for other purposes. And I got a call from the administrator through our point of contact and they said, "So, are you guys scanning stuff?" We're like, "Well, yes." Like, "Why?" It's like, "We're seeing all these port scans and ping sweeps and everything else come in, and it looks like"-- I mean, when we went out and did these vulnerability assessments, it was very rapid, very loud. There was no intent of hiding or anything. But I mean, they'd actually seen all of these scans come in and they had identified that it was coming from this particular room in this particular building, and they were able to track us down.

Page 11 of 18


After four years of doing pen tests and vulnerability assessments, it was the only place that I ever went that ever saw anything like that, and it was because they had a system administrator who was sitting there looking at traffic coming in. They had a very clear understanding of what their baseline was, so they knew that I shouldn't be seeing ping scans from anybody, because I'm already behind the big firewall. So I'm already inside the network. So if I'm seeing ping scans or port scans or anything else, something is probably wrong-- either a tool is misconfigured or somebody's actually looking for me. And so they just wanted to kind of track us down and figure out whether we were legitimate or not. But again, out of so many pen tests and vulnerability assessments, that was the only place that I had seen do that. So I would say that's the exception rather than the norm. So generally, yeah, there's big warnings about doing active reconnaissance, but is anybody really going to see it? Probably not.

Page 12 of 18
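The administrator in the story above could spot the scans because they knew their baseline. As an added example, not from the original course, here is the shape of that detection run over firewall log lines: one source touching many distinct ports, or many distinct hosts with ICMP echo requests, inside a short time window is flagged, while sources on the known baseline (an authorised scanner) are ignored. The log format, addresses and timestamps are constructed; a real firewall logs differently, so the regular expression is the part to adapt.

```python
"""Spot the port scans and ping sweeps that active reconnaissance leaves in a
firewall log, the way a baseline-aware administrator would.

Added example for this transcript, not part of the original course material.
The log format, addresses and timestamps are constructed; real firewalls log
differently, so adjust LINE_RE to your own format."""

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed format: "<ISO time> <ACTION> proto=<p> src=<ip> dst=<ip> [dport=<n>] [type=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<icmp_type>\d+))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    ev["icmp_type"] = int(ev["icmp_type"]) if ev["icmp_type"] else None
    return ev


def max_distinct_in_window(events: List[Tuple[datetime, object]], window: timedelta) -> int:
    """Largest number of distinct keys seen from one source inside any time
    window of the given length (two-pointer sweep over time-sorted events)."""
    events = sorted(events, key=lambda e: e[0])
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({key for _, key in events[start:end + 1]}))
    return best


def detect(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
           port_threshold: int = 10, sweep_threshold: int = 8,
           baseline: frozenset = frozenset()) -> List[Tuple[str, str, int]]:
    """Return (alert type, source, count) tuples. 'baseline' lists sources that
    are expected to scan (an authorised vulnerability scanner); any other source
    that touches many ports or many hosts inside one window is flagged."""
    tcp: Dict[str, list] = defaultdict(list)
    icmp: Dict[str, list] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] in baseline:
            continue
        if ev["proto"] in ("tcp", "udp") and ev["dport"] is not None:
            tcp[ev["src"]].append((ev["ts"], (ev["dst"], ev["dport"])))
        elif ev["proto"] == "icmp" and ev["icmp_type"] == 8:  # echo request
            icmp[ev["src"]].append((ev["ts"], ev["dst"]))
    alerts = []
    for src, evs in tcp.items():
        n = max_distinct_in_window(evs, window)
        if n >= port_threshold:
            alerts.append(("port_scan", src, n))
    for src, evs in icmp.items():
        n = max_distinct_in_window(evs, window)
        if n >= sweep_threshold:
            alerts.append(("ping_sweep", src, n))
    return sorted(alerts)


def constructed_log() -> List[str]:
    """Constructed sample: a fast scanner, a slow scanner and a normal client."""
    t0 = datetime(2013, 5, 1, 10, 0, 0)
    ports = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} DENY proto=tcp src=10.1.2.3 dst=10.9.0.10 dport={p}"
             for i, p in enumerate(ports)]
    lines += [f"{(t0 + timedelta(seconds=30 + i)).isoformat()} DENY proto=icmp src=10.1.2.3 dst=10.9.0.{i} type=8"
              for i in range(1, 10)]
    # Slow scan: same ports, one every two minutes, so no 60 s window holds more than one.
    lines += [f"{(t0 + timedelta(minutes=2 * i)).isoformat()} DENY proto=tcp src=10.1.2.77 dst=10.9.0.10 dport={p}"
              for i, p in enumerate(ports)]
    lines += [f"{t0.isoformat()} ALLOW proto=tcp src=10.1.2.50 dst=10.9.0.10 dport=443",
              f"{(t0 + timedelta(seconds=5)).isoformat()} ALLOW proto=tcp src=10.1.2.50 dst=10.9.0.11 dport=443",
              "this line is not in the expected format"]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Run as-is, it flags the fast scanner for both a port scan and a ping sweep and stays quiet about the normal client. The slow scanner (one port every two minutes) is the caveat: a fixed-window threshold misses it, and catching it takes either a much longer window, which raises false positives, or a per-source count over the whole day. That asymmetry is why the instructor's "probably nobody sees it" holds for most networks and fails on the one with a real baseline.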


Information Gathering (slide 10)

Information gathering, sometimes referred to as open-source intelligence (OSINT), is the action of searching for publicly available information via the internet, or "open sources", to build a map/understanding of the organization, its people/employees, and its relationships to other organizations.

Main Tools

• Search Engines/Sites – Improve information gathering on a target organization by using search engine tags

• DNS (Domain Name System) – Determine IP space

**010 Information gathering: This is another term that you'll see used in combination with reconnaissance and footprinting-- the idea that information gathering is kind of like open source intelligence gathering. You're using public websites or public information to gather or connect information on your target to try to understand who they are, what they do, networks, size and structure, if you can find that, and relationships to other organizations, again, so you can do the: If Company X is weaker than Company Y but they trust each other, then I'm just going to go after the weaker of the two. And so how you would do this: Mainly with a search engine, Google.

Page 13 of 18


I'll tell you what, Google will pay dividends to you as you go out and do pen tests and everything else. There's a lot of stuff that Google reaches, very little of it that they don't actually reach. So chances are good that if you plug a couple search terms into Google with regard to your target, you're actually going to find something and something useful. The other thing that you can use is DNS, the Domain Name System, and this is a great way to find IP address spaces, network blocks that might be in use by your particular target. It's also a good way to determine what not to scan. Again, having done vulnerability assessments, one of the big things that we had to do every single time was have our authorization letter that said, "You're hereby authorized to do scans, exploits, whatever, against this IP address block and this IP address block only." And so we would make sure that in all of our scanning tools and anything else that we could plug an IP address into, it had to be part of that IP address. If for some reason somebody fat-fingered something and we sent packets towards a different IP address, we'd always turn immediately to DNS and go, "Okay, who does that belong to? Did we just create an international incident?" Fortunately we never did, but DNS can give you information not only on your target but on things that might not be your target that you've hit by accident and you want to go figure out if you need to do damage control.

Page 14 of 18
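The authorization-letter discipline described above, and the "Can I find their IP space?" question from slide 8, as one added example that is not part of the original course: every candidate address, however it was found (DNS, MX records, a typo), is checked against the letter's CIDR blocks before a scanner sees it, and an out-of-scope address is attributed to its owner so the damage-control question can be answered. The scope blocks, the candidate list and the ownership table (a constructed stand-in for what a WHOIS or reverse-DNS lookup would return) use documentation ranges and are invented for the example.

```python
"""Check every candidate target against the authorization letter's IP blocks
before a scanner touches it, and work out whose address an accidental hit
belonged to.

Added example for this transcript, not part of the original course material.
The scope blocks, target list and the ownership table (a constructed stand-in
for WHOIS / reverse-DNS answers) use documentation ranges and are invented."""

import ipaddress
from typing import Dict, Iterable, List, Tuple


def parse_scope(cidrs: Iterable[str]) -> list:
    """Turn the letter's CIDR strings into network objects. strict=True makes
    an entry with host bits set (192.0.2.1/24) raise ValueError: in an
    authorization letter that is a typo to resolve, not something to guess at."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_scope(target: str, scope: list) -> bool:
    """True if the address falls inside any authorized block."""
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in scope)


def partition_targets(targets: Iterable[str], scope: list) -> Tuple[List[str], List[str]]:
    """Split candidates into (authorized, rejected). Anything that is not an IP
    literal (a hostname, a typo) is rejected: resolve it and re-check the
    resulting address rather than trusting the name."""
    authorized, rejected = [], []
    for t in targets:
        try:
            ok = in_scope(t, scope)
        except ValueError:
            ok = False
        (authorized if ok else rejected).append(t)
    return authorized, rejected


# Constructed stand-in for a WHOIS / reverse-DNS lookup: netblock -> owner.
OWNERSHIP: Dict[str, str] = {
    "192.0.2.0/24": "Company X (client)",
    "198.51.100.0/24": "Company X (client, DMZ)",
    "198.51.100.128/25": "Company Y (partner network, not in scope)",
    "203.0.113.0/24": "Third-party mail provider",
}


def attribute(target: str, ownership: Dict[str, str] = OWNERSHIP) -> str:
    """Most-specific matching block wins, as in real address delegations."""
    addr = ipaddress.ip_address(target)
    best = None
    for cidr, owner in ownership.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else "unknown; look it up before sending anything else"


if __name__ == "__main__":
    scope = parse_scope(["192.0.2.0/24", "198.51.100.0/25"])
    # Constructed candidates: some from DNS, one from an MX record, one hostname.
    candidates = ["192.0.2.15", "198.51.100.7", "198.51.100.200", "203.0.113.9", "mail.example.com"]
    ok, rejected = partition_targets(candidates, scope)
    print("scan:", ok)
    for t in rejected:
        try:
            print("refuse:", t, "->", attribute(t))
        except ValueError:
            print("refuse:", t, "-> not an address; resolve and re-check")
```

Two details carry the practitioner's point. The MX lookup on slide 8 often returns a mail host that belongs to a third-party provider rather than the client, so an address taken from it can be out of scope even though it came straight from the target's own DNS; the partition catches that. And the rejected list is the input to damage control: when a fat-fingered address was hit, the most-specific owning block tells you whether it was the client's partner, a hosting provider, or somebody you now need to call.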


Seven Steps of Reconnaissance (slide 11)

Footprinting (passive and active):

• Unearth Initial Information

• Locate Network Range

Scanning (active):

• Identify Active Hosts

• Discover Open Ports

Enumerating (active):

• Detect Host OS's

• Reveal Running Services

• Map the Network

**011 The seven steps of reconnaissance. Generally the way this is laid out is you have footprinting, scanning, and enumeration. So footprinting comes in two flavors, passive and active, as we showed about a couple slides ago. Passive, you might be looking at information, or initial information. You might be trying to find a network range-- again, the IP addresses that you're going to go after. With scanning, you're starting to look at individual hosts or trying to find hosts on a network and what those ports are that are open on that. That's a little bit-- well, it's certainly more active than regular footprinting.

Page 15 of 18


And then you turn to enumerating, where you're actually going after operating systems, you're trying to find users, you're trying to find services that are running. So if you look at this from a standpoint of progression, you're starting here at the top with footprinting where you've got the entire internet. You do footprinting to slim that down to your target network. So it might be, let's say, 1000 IP addresses. And then you're going to do scanning to find out what the alive hosts on there are. So out of those 1000 IP addresses, let's say 200 of them are actually open and have something running on them. And then you go through enumeration, where you're now trying to find particular information from those alive hosts. So if this is a progression, it starts out very broad, and you use footprinting to reduce it; you use scanning to figure out what's relevant to you; and then you enumerate what's actually alive and available to you and what you think might be useful.

Page 16 of 18


Footprinting (slide 12)

Part of the Reconnaissance Phase – often, the terms Footprinting and Reconnaissance are used interchangeably.

Process of gathering information to create a blueprint or map of an organization’s network and systems

Objective is to gain insight into the target – to “know your enemy”

Footprinting is one of three pre-attack phases: Footprinting, Scanning, Enumeration

**012 And so footprinting, again, it's part of the reconnaissance phase. You'll see it used interchangeably with reconnaissance. Generally you're trying to create a blueprint or a map of the network that you're going against. Again, it goes back to that reduction. You can't scan the entire internet. You can-- it'll take you forever, and it won't give you anything useful. But during a pen test or an ethical hacking engagement, you're going to start off with the internet; you need to whittle it down to what's useful to you, and you do that with footprinting. And it's one of the three pre-attack phases of reconnaissance. Again, it goes footprinting, scanning, enumerating. And you're going from big down to what's really useful. That's the whole point behind scanning, reconnaissance and footprinting and enumeration.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.

Page 18 of 18