Chapter 03: Information Gathering Flashcards
Goal of OSINT
Obtain the information needed to perform an effective pentest
CVE and CWE
Common Vulnerabilities and Exposures
* Identifies vulnerabilities by name, number, and description (CVE-YEAR-NUMBER)
Common Weakness Enumeration
* A community-developed list that shows software weaknesses and breaks them down by research, development, and architectural concepts
Difference Between the Two
* CVE: Identifies specific instances of a vulnerability within a product or system
* CWE: Categorizes the common flaws or weaknesses that can lead to vulnerabilities
Electronic Docs and Metadata
Electronic docs can show you how an org is structured, internal practices, and procedures
Pentesters will also review doc metadata to identify additional useful information
ExifTool is one tool that allows you to quickly look at metadata for individual files
FOCA (Fingerprinting Organizations with Collected Archives) can be used to find specific metadata via search engines
Employees
Troll job posting sites, LinkedIn, or Facebook to find employees
You can find corporate emails, publications, or public records
Social engineering works well here, especially when searching for info on specific people or groups
LinkedIn can also give some indication about the company’s tech stack (look at resume, certs, postings, profiles, etc)
Infrastructure and Networks
One of the first things a pentester will gather with passive searches
External footprinting is part of most passive recon, and it’s aimed at gathering information about the target from external sources (domains, IPs, and routes for the org)
Domains
DNS is often the first stop for gathering info about an org
DNS info is publicly available, and it’s easily connected to the org by simply checking for WHOIS information about the site
From there you can find other sites and hosts to add to your org footprint
WHOIS
IANA manages the DNS root zone, and it’s a good place to start searching
Once you know your regional authority to query, you can select the appropriate site:
* AFRINIC (Africa)
* APNIC (Asia-Pacific)
* ARIN (North America, parts of the Caribbean, and North Atlantic islands)
* LACNIC (Latin America and the Caribbean)
* RIPE (Europe, Russia, the Middle East, and parts of Asia)
Each regional NIC provides a WHOIS service that lets you search databases of registered users of domains and IP blocks
Also provides intel about an org or individual based on their registration info
External DNS
This info is provided as part of its WHOIS info, and it’s a good starting point for DNS-based intel gathering
It includes both technical contacts and admin contacts for a domain, which gives key insights into who’s responsible for the domain
This is where you can identify potential social engineering targets and further OSINT opportunities
Historical Domain Info
Domain owners often reduce their visible data after they have registered the domain
domainhistory.net and whoismind.com can provide historical views into the domain reg info given to WHOIS
DNS and Traceroute Info
DNS lookups are useful for pentesters who want to check for hosts based on an IP range and for IPs based on hostnames
This DNS info can contain key contacts, so it is a way to gather intel on responsible parties if the org isn’t using domain registrar privacy features
nslookup (Windows, Mac, Linux)
SSL and TLS
You can gather info from the TLS certs an org uses for their services, like other domains that might be of interest under the subject alternative name
Also shows info about systems, domain names, and sometimes individuals of an org
They can also show poor system maintenance if you find an out of date cert
Zone Transfers
DNS zone transfers (AXFR) are transactions intended to be used to replicate DNS databases between DNS servers
The information contained in a zone transfer is highly useful to pentesters
Most DNS servers will have zone transfers disabled or well protected as a result
Three common ways to perform a zone transfer:
* host -t axfr domain.name dns-server
* dig axfr @target.nameserver.com domain.name
* nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p 53 <name server>
A zone transfer will show you things like:
* Name server
* Primary contact
* Serial number
* Time between changes
* Minimum TTL for the domain
* MX records
* Latitude and longitude
* Other TXT records
* Service records
* IP address mappings
READ ME: https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/
Page 72
IP Ranges and Addresses
Once you know the IP address that a system is using, you can look up info about the IP range it resides in
This lets you get things like company or hosting services it uses
IP address and hostname can also be used to gather information about network topology around the system or device that has a given IP address
After you have an IP, do a lookup to see who owns the range on sites like WHOIS, Spur, AbuseIPDB, etc
NOTE: Once you know who owns it, use traceroute or tracert to see the path packets take to the host
Cloud hosted infrastructure makes this all more complex
Pentesters need to verify where the services and systems are hosted, and then ensure they have permission to test them
Routes
The routing info for an org can provide insight into how their external network connectivity is set up
Public BGP route information servers known as BGP looking glasses make that information more easily accessible
Wireless Networks
You can use wardriving to scan for wireless networks from a car, a bus, on foot, etc
The data you get can be matched to data sources like wigle.net
It can also be mapped using triangulation based on the strength of the signal from each access point
Security Search Engines
These provide a way to review hosts, services, and other details without actively probing a network
They don’t always have the most up to date information on them, but they’re highly effective as early steps in passive information gathering and analysis
Shodan
* One of the most popular security search engines
* Provides prebuilt searches as well as categories for ICS, databases, etc
Censys
* Similar to Shodan
* Delivers GeoIP information if available, comprehensive summary of the services the host exposes, and drill-down links for highly detailed info
ZoomEye.org and hunter.io
* Not covered on exam
* Other good options to explore
Google Dorks and Search Engine Techniques
Pentesters need to know how to use search engines to return highly specific information based on queries
The Google Hacking Database can be super useful
Password Dumps and Breaches
Pentesters can use credentials that have been previously breached as part of their testing
Credential reuse is common among users, and if MFA isn’t required a breach provides a potentially easy way
haveibeenpwned and pwnedornot provide easy access to existing password dumps
Source Code Repositories
Repos like GitHub, Bitbucket, and SourceForge are a key passive recon tool
Data leaks that provide passwords or keys occur occasionally, but pentesters are more likely to find information about configs, interfaces, IPs, and domains
Use IaC tools as well:
* CloudFormation
* Ansible
* Puppet
* Chef
* SaltStack
DION NOTES
* Public source code repos contain a lot of valuable data
* EX: You can see the entire source code if it’s misclassified
* EX: Common insecure coding mistakes will sometimes have API keys, hardcoded creds, etc
* NOTE: Deleted data can still exist somewhere on the internet—cached Google pages and Waybackmachine could have that stuff
Passive Enumeration and Cloud Services
Cloud and hosted services present a challenge
It isn’t safe to assume that IPs will remain fixed, that systems or services aren’t shared, or that geographic information you find is the only availability zone or region where services are deployed
Tools like Amazon CloudFront, Cloudflare, Akamai, and other DDoS prevention and CDN services can mask the underlying infrastructure and systems
Full knowledge tests can help with this
Partial or zero knowledge tests require that you perform additional recon and validation whenever the underlying infrastructure may not be as simple as it looks, or if third parties are involved
Active Recon and Enumeration
After passive recon is finished
This is where you build and then narrow down the list of hosts, networks, or other targets
DION NOTES
You can conduct active recon with this general flow:
* Conduct discovery scan
* Then, narrow focus on a specific target
* Finally, go down to the specific services found on those hosts
* You move from ping scans to port scans, to port enumeration and fingerprinting
Enumeration digs deep into target systems and links identified components into known vulnerabilities—you can enumerate anything on a network, including:
* Hosts
* Services
* Networks
* Users and Groups
* Network Shares
* Domains
* URLs
* Tokens
* and more
Fingerprinting is the identification of an OS, service, or specific software version that’s in use by a host, system, or network
Hosts
Enumerating hosts is the first thing most pentesters will think of when they prepare to assess a target
Active scans can identify many hosts, and while it’s tempting to rely on just those scans, there are many other ways to identify hosts on a network
Combine multiple methods to ensure you don’t miss any systems:
* Leverage central management systems like MS Endpoint Configuration Manager, JAMF Pro, or other tools that maintain an inventory of systems, IPs, etc
* Network logs and config files
* Logs from DHCP servers
* Router logs, ARP tables, and other network information
NOTE: In unknown-environment tests, you might not be able to get this information until later in the test, so port scanning is usually the first technique done early in this type of engagement
Services
Service identification is one of the most common tasks done in active recon
This provides a list of potential targets, including vulnerable services and those you can test using credentials you have available
Often done using a port scanner (nmap)
Port Scanners
Send traffic to remote systems and then gather responses that provide information about the systems and services they include
Port scanners have these features in common:
* Host discovery
* Port scanning and service identification
* Service version identification
* OS identification
Understand common ports and services to take full advantage of port scanners
Ports 0 to 1023 are well-known ports or system ports
Ports 1024 to 49151 are registered ports assigned by IANA when requested
Page 80 for port list
Service and Version Identification
Service identification is done in one of two ways:
1. Connecting and grabbing the banner or connection information provided by the service
2. Comparing its responses to the signatures of known services
OS Fingerprinting
The ability to identify an OS based on the network traffic that it sends
Typically done using TCP/IP stack fingerprinting techniques that focus on comparing responses to TCP and UDP packets sent to remote hosts
The differences in how operating systems respond, what TCP options they support, the order in which they send packets, etc can often provide a solid guess at what OS you’re probing
nmap
CLI flags for nmap:
* -sS: TCP SYN
* -sT: TCP connect / Full connect
* -sU: UDP-only scan
* -sA: TCP ACK (tests firewall rulesets)
* -p: port numbers, ranges (1-65535), or names (http)
* -T0 to -T5: slow to aggressive speeds
* -sV: service version
* -O: OS version
* -Pn: disabling ping
* -iL: input from a target file
* -oX: XML output
* -oN: normal output
* -oG: greppable output (deprecated; XML output replaces it)
* -oA: all output
Page 82-84 for all of them
Network Topology
Understanding the topology or layout of the network helps you design your scanning and attack process
Topology maps can provide information about what systems and devices are likely to be accessible, and help you make decisions about when to pivot to a different target to bypass security controls
The Zenmap GUI for nmap can show topology, but it is not always accurate