Chapter 05: Reconnaissance and Intelligence Gathering Flashcards

1
Q

Asset Discovery

A

The act of finding devices that have been moved between locations or added without proper process and authorization

Ensures that you always know what’s on your network

2
Q

Active Reconnaissance

A

Active recon uses host scanning tools to gather information about systems, services, and vulnerabilities

It doesn’t involve exploitation, but it can provide information about vulnerabilities that can be exploited

3
Q

Preventing System Issues With Your Scan

A

Some services may not tolerate scan traffic well, and others may fill their logs or set off security alarms when you scan

Always make sure you have permission from the appropriate authority at your company before conducting active recon; secure your “Get out of jail free” card first

Also touch base with system and network admins to ensure the scans don’t have an unintended impact

Scanning systems that belong to someone else without permission is illegal too

4
Q

Active Scans and Network Topology

A

As an active scan traverses a network range, it can assess information contained in the responses it receives

This can help you make educated guesses about the topology of the network based on the TTL of the packets it receives, traceroute information, and responses from network and security devices

Topology information can be flawed and may not always match the actual design of the target network because:
* Security and network devices can introduce differences in the TTL and traceroute information
* Firewalls can make devices invisible to scans
* Wired vs wireless networks
* Virtual networks and environments
* On-premises vs cloud infrastructure

5
Q

Pinging Hosts

A

The most basic form of discovery that you can do, using the ping command

It sends an ICMP echo request to a remote IP; if the system receives it, it replies with an echo reply, which indicates it’s up and running

A lack of response doesn’t always mean the host is down, because many firewalls block ping requests or individual systems might be configured to ignore ICMP packets

6
Q

hping

A

An open source spoofing tool that provides a pentester with the ability to craft network packets to exploit vulnerable firewalls and IDS/IPS

Features
Host/Port Detection and Firewall Testing
Sends a SYN or ACK packet to conduct detection and testing

hping3 -S -p80 -c1 192.168.1.1
* Send 1 SYN packet to port 80 at this IP

hping3 -A -p80 -c1 192.168.1.1
* Send 1 ACK packet to port 80 at this IP

Timestamping
Used to determine the system’s uptime

hping3 -c2 -S -p80 --tcp-timestamp 192.168.1.1
* Send 2 SYN packets with the TCP timestamp option to port 80 at this IP to determine uptime

Traceroute
Uses arbitrary packet formats, such as probing DNS ports over TCP or UDP, to perform traces when ICMP is blocked on a given network

Fragmentation
Attempts to evade detection by IDS/IPS and firewalls by sending fragmented packets across the network for later reassembly
* Not effective against modern OS and network appliances
* Can work on some legacy systems or ICS / SCADA

DoS
Can be used to perform flood-based DoS attacks from randomized source IPs
* Not effective against modern OS and network appliances
* Can work on some legacy systems or ICS / SCADA

7
Q

Port Scanners

A

Tools designed to send traffic to remote systems and then gather responses that provide information about the systems and the services they provide

One of the most frequently used tools when gathering information about a network and the devices connected to it

Because of this, port scans are usually the first step in active recon

Common port scanner features:
* Host discovery
* Port scanning and service identification
* Device fingerprinting
* Service version identification
* OS identification

8
Q

Common Ports and Services

A

Ports 0-1023 are well-known ports, or system ports

Ports 1024-49151 are registered ports, assigned by IANA when requested; many are also used arbitrarily for services

Ports 49152-65535 are dynamic ports

Since ports can be manually assigned, simply assuming that a service running on a given port matches the common usage isn’t a smart move

Many SSH and HTTP/S servers are run on alternate ports, either to allow multiple web services to have unique ports or to avoid port scanning that targets 22 and 80/443

9
Q

Scanning Viewpoint

A

Your scanning viewpoint for active recon makes a huge difference in the information gathered

Internal scans from a trusted system or network will provide much more information than an external scan of a well-secured network

If you’re attempting to replicate a specific scenario, like scanning by an external attacker who has no access to an internal system, your scanning viewpoint should match

10
Q

OS Fingerprinting

A

OS fingerprinting is when you identify an OS based on the network traffic that it sends

It’s typically done with TCP/IP stack fingerprinting techniques that compare responses to TCP and UDP packets sent to remote hosts

Differences in how operating systems and their versions respond, what TCP options they support, what order they send packets in, and other details provide a solid guess at what OS the remote system is running

11
Q

Device Fingerprinting

A

The collection and correlation of information about a device like the software, services, and OS it runs that allows it to be uniquely identified as a specific type or version of a device

Particularly useful for identifying printers and other networked devices, but can also be used to identify workstations, servers, or any other network connected device if enough unique or typical information can be discovered

Devices that are firewalled and don’t respond to probes can still be fingerprinted given access to their network traffic and to any available network device logs

12
Q

Service and Version Identification

A

Identifying services provides information about potential vulnerabilities and verifies that the service responding on a given port matches the service that typically uses the port

Service identification is usually done in one of two ways:
1. Connecting and grabbing the banner
2. Using connection information provided by the service, or comparing its responses to the signatures of known services

13
Q

Nmap

A

The most commonly used CLI port scanner that provides a broad range of capabilities, like multiple scan modes built to bypass firewalls and other network protection devices

Additionally, it also provides support for OS fingerprinting, service identification, and more

Default nmap Behavior
* Ping and send a TCP ACK packet to ports 80 and 443
* This determines whether a host is present and detected; if so, nmap runs a port scan against that host to determine what services are running

Nmap Discovery Scan Options:
* -sn: Host discovery only
* -sL: List scan that lists the IPs in the supplied target range and performs a reverse DNS query to discover any host names associated with them
* -PS: TCP SYN ping that probes the specific ports in the given list using a TCP SYN instead of ICMP to conduct the ping
* --scan-delay [TIME]: Sparse scanning issues probes with significant delays between them to be stealthier and avoid detection by IDS/IPS
* -Tn: Scan timing issues probes using a timing template, with n being the template to use (n = 0 to 5, slowest to fastest)
* -sI: TCP idle scan is another stealth method that makes it appear that another machine (a zombie) started the scan, hiding the true identity of the scanning machine
* -f or --mtu: Fragmentation is a technique that splits the TCP header of each probe across multiple IP datagrams to make it harder for an IDS/IPS to detect
* Send nmap output to files with -oN for normal output, -oX for XML, and -oG for grepable output

Nmap Service Discovery Options
* -sS: TCP SYN conducts a half-open scan by sending a SYN packet to identify the port state without completing the handshake with an ACK afterwards
* -sT: TCP Connect conducts a full three-way handshake scan by sending a SYN packet to identify the port state and then sending an ACK once the SYN-ACK is received
* -sN: Null Scan conducts a scan by sending a packet with no TCP flags set; this will trigger IDS/IPS alerts
* -sF: FIN Scan conducts a scan by sending an unexpected FIN packet; this will trigger IDS/IPS alerts
* -sX: Xmas Scan conducts a scan by sending a packet with the FIN, PSH, and URG flags set; it lights up like a Christmas tree and will surely get you caught
* -sU: UDP Scan conducts a scan by sending a UDP packet to the target and waiting for a response or timeout
* -p: Port Range conducts a scan by targeting the specified ports instead of the default of the 1,000 most commonly used ports

Nmap Fingerprinting Scans
* -sV: An intensive port scan that gives basic version information for the services found
* -A: Another intensive port scan that is far more thorough and discovers more data, such as protocol, app name and version, OS type and version, host name, and device type
* -O: Detect the OS version

14
Q

Indicators of a Windows Host

A

When scanning, these are indicators that you’re dealing with a remote Windows host:
* Port 135: msrpc (MS Remote Procedure Call)
* Port 139: netbios-ssn (NetBIOS)
* Port 445: microsoft-ds (MS domain services)
* ICSLAP (used for MS internal proxying)
* WSDAPI (Web Services on Devices API, a MS devices API)

15
Q

Angry IP Scanner

A

Multiplatform port scanner with a GUI

Unlike nmap, Angry IP Scanner doesn’t provide detailed identification for services and OS, but you can turn on different modules called “fetchers” to find ports, TTL, filtered ports, and more

When running Angry IP Scanner, configure the ports to be scanned under Preferences; otherwise no port information will be returned

Requires Java to run, which can be an issue because a lot of systems won’t have Java installed for security reasons

16
Q

Maltego

A

An open source tool that focuses on OSINT gathering and connecting data points from social media, DNS, whois queries, and similar sources via a GUI

The Maltego GUI provides a way to understand and document correlations and hierarchies

It relies on the concept of transforms: actions taken by a server that provide additional data or processing about objects and entities

17
Q

Metasploit

A

One of the most commonly used tools for pentesting

Includes a broad range of functionality including the ability to scan for ports using TCP, SYN, and other scanning modules

Can also perform web app vulnerability scanning using wmap

NOTE: The exam will focus on MSF for asset discovery and vulnerability management

18
Q

Recon-ng

A

A CLI recon tool with search, module selection, and module installation capabilities that allow you to configure and use it to fit your needs

Built into Kali

Uses a modules marketplace, which is searched with “marketplace search”

Tools like hackertarget can help with OSINT gathering to identify targets

Integrates with Shodan, an OSINT search engine, and active search modules like nmap can be used for active information gathering

19
Q

Passive Discovery

A

Passive discovery relies on information that’s available about the org, systems, or network without probing

Typically it relies on logs and other existing data, which may not provide all the information needed to fully identify targets; the reliance on stored data also means it may be out of date

Where active scanning interacts with a host, passive simply observes network activity and draws conclusions

20
Q

Log and Configuration Analysis

A

Log files provide a ton of information about systems and networks

If you have access to local system configuration data and logs, you can use the information they contain to build a thorough map of how systems work together, which users and systems exist, and how they’re configured

21
Q

Network Device Logs

A

Network device logs record the device’s own activities, status, and events, including traffic patterns and usage

By default, many network devices log messages to their console ports, which means that only a user logged in at the console will see them

Most managed networks also send network logs to a central log server using syslog

Networks can also use SNMP to send device information to a central control system

When focused on intel gathering, these logs aren’t always as useful as the device configuration data, but they can still help with topology discovery based on the devices they communicate with

During pentests or the normal course of security ops work, network device logs can provide useful warning of attacks, or reveal configuration or system issues

22
Q

Network Device Log Levels

A

They vary, but tend to be relatively similar to Cisco’s log levels

Level: Level Name / Example

* 0: Emergencies / Device shutdown due to failure
* 1: Alerts / Temperature limit exceeded
* 2: Critical / Software failure
* 3: Errors / Interface down message
* 4: Warning / Configuration change
* 5: Notifications / Line protocol up/down
* 6: Information / ACL violation
* 7: Debugging / Debugging message
23
Q

Network Device Configuration

A

Config files from network devices are invaluable when mapping network topology

They often include details of the network, routes, systems that devices interact with, and other network details

They also provide details about syslog and SNMP servers, admin and user account information, and other config items useful for information gathering

Page 177: research more about SNMP config on a Cisco router

24
Q

Netflow

A

A Cisco network protocol that collects IP traffic information, allowing network traffic monitoring

Flow data is used to provide a view of traffic flow and volume

A typical flow capture includes source and destination IP and port for the traffic and the class of service

NetFlow data and a NetFlow analyzer can help identify service problems and baseline typical network behavior, and can be useful in identifying unexpected behaviors

25
Q

Netstat

A

Netstat prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

It also provides information like:
* netstat -ta: Active TCP and UDP connections, filtered by each of the major protocols: TCP, UDP, ICMP, IP, IPv6, etc
* netstat -o: Which executable file created the connection, or its PID
* netstat -e: Ethernet statistics on how many bytes and packets have been sent and received
* netstat -nr: Route table information, including IPv4/IPv6

Running netstat on a system can provide information about both the machine’s network behavior and what the local network looks like

Knowing what machines a system has or is communicating with can help you understand local topology and services

Pages 178-179 for more details; research outside of the book

26
Q

DHCP Logs and DHCP Server Configuration Files

A

DHCP is a client-server protocol that provides IPs, as well as information like the default gateway and subnet mask for the network segment that the host will reside on

During passive recon, DHCP logs from the DHCP server can provide a quick way to identify many of the hosts on the network

If you combine DHCP logs with other logs, like firewall logs, you can determine which hosts are provided with dynamic IP addresses and which are using static IPs

27
Q

Firewall Logs and Configuration Files

A

Router and firewall configuration files and logs often contain information about both successful and blocked connections

Analyzing router and firewall ACLs and logs can provide useful information about what traffic is allowed, and can help with mapping topology by identifying where systems are based on the traffic that’s allowed or blocked

Config files make this even easier since they can be directly read to understand how systems interact with the firewall

For pentesters, firewall rule sets can be reverse engineered based on the contents of the logs

Even without the config files, log files can provide a good view of how traffic flows

And, like other network devices, firewalls often use log levels to separate informational and debugging messages from more important messages

Pages 181-182 for more detailed examples

28
Q

Firewall and Routers On the Exam

A

If you encounter firewall or router config files, log files, or rules on CySA+, rewrite them into a language you can more easily read

Page 182 to learn how

29
Q

System Log Files

A

System logs are collected by most systems to provide troubleshooting and other system information

Log information can vary greatly depending on the OS you’re working with, how it’s configured, and what services and apps the system is running

Linux:
* /var/log: The directory that holds most logs, but apps may have their own logging directory

Windows provides several types of event logs:
* Application Logs: Contain events logged by programs or apps; what’s logged varies from program to program
* Security Logs: Capture login events, resource and rights usage, and files being opened, created, or deleted; options are set by administrators of the Windows system
* Setup Logs: Captured when apps are set up
* System Logs: Contain events logged by Windows components; preset as part of Windows
* Forwarded Events Logs: Set up using event subscriptions and contain events collected from remote computers; specially configured

System log files aren’t at the top of the list for recon

They’re gathered if accessible, but most are kept in a secure location and aren’t accessible without admin access to the system

30
Q

Nslookup and Traceroute

A

If you want the basics on them, see Page 185

But I feel pretty good about both of these and how they help with passive recon

31
Q

Domain Name Registrars

A

The entities that manage domain names

Domain name registrars are accredited by generic top-level domain (gTLD) registries and/or country code top-level domain (ccTLD) registries

This means that registrars work with the domain name registries to provide registration services: the ability to acquire and use domain names

Registrars:
* Provide the interface between customers and registries
* Handle purchase, billing, and day-to-day domain maintenance
* Handle renewals for domain registrations
* Transfer domains due to a sale or when the domain is moved to another registrar

32
Q

IANA

A

Internet Assigned Numbers Authority

IANA manages the global IP address space, along with the DNS Root Zone which handles the assignments of both gTLDs and ccTLDs

Regional authority over these resources is handled by five regional internet registries (RIRs):
* Africa: African Network Information Center (AFRINIC)
* US, Canada, Caribbean, Antarctica: American Registry for Internet Numbers (ARIN)
* Asia, Australia, New Zealand, Asia-Pacific: Asia-Pacific Network Information Centre (APNIC)
* Latin America, Caribbean: Latin America and Caribbean Network Information Centre (LACNIC)
* Central Asia, Europe, Middle East, Russia: Réseaux IP Européens Network Coordination Centre (RIPE NCC)

33
Q

DNS Entries

A

DNS entries can provide useful information about systems simply through the hostname

A system named “AD4” is a more likely target for Active Directory exploits and Windows Server scans

Hostnames that reflect a specific app or service can provide both target information and a clue for social engineering and human intelligence activities

34
Q

DNS Discovery

A

External DNS information through Whois can be a great starting place for DNS information gathering

Additional DNS servers can be identified as part of active scanning or passive information gathering, based on network traffic logs or even by reviewing an org’s documentation

This can also be done with a port scan on port 53 (TCP or UDP)

Once you find a DNS server, you can query it using dig, or test whether it supports zone transfers, which can make it easy to obtain organizational DNS data

35
Q

Zone Transfers

A

Zone transfers are intended to replicate DNS databases between DNS servers, which makes them a powerful information gathering tool if a target’s DNS servers allow them

Dion:
* A method of replicating DNS databases across a set of DNS servers that’s often used during the recon phase of an attack
* Zone transfers can be used to collect DNS information about your servers and give it to an attacker so they can plan attacks

Most DNS servers are set to prohibit zone transfers to servers that aren’t their trusted DNS peers, but it’s highly likely someone will still check

To check, use either host or dig:
* host -t axfr domain.name dns-server
* dig axfr domain.name @dns-server
* Windows: nslookup -> set type=any -> ls -d website.com

Page 188 for zone transfer practice

36
Q

DNS Brute Forcing

A

If a zone transfer isn’t possible, DNS information can still be gathered from public DNS by brute force

Sending a manual or scripted DNS query for each IP address that the org uses can provide a useful list of systems

This can be partially prevented by using an IDS or IPS with a rule that detects and blocks DNS brute force attempts

Sending queries at a slow rate or from a number of systems can bypass most prevention methods