Chapter 05: Reconnaissance and Intelligence Gathering Flashcards
Asset Discovery
The act of finding devices that have been moved between locations or added without proper process and authorization
Ensures that you always know what’s on your network
Active Reconnaissance
Active recon uses host scanning tools to gather information about systems, services, and vulnerabilities
It doesn’t involve exploitation, but it can provide information about vulnerabilities that can be exploited
Preventing System Issues With Your Scan
Some services may not tolerate scan traffic well, and others may fill their logs or set off security alarms when you scan
Always make sure you have permission from the appropriate authority at your company before conducting active recon: secure your “Get out of jail free” card
Also touch base with system and network admins to ensure the scans don’t have unintended impact
Scanning systems that belong to someone else without permission is illegal too
Active Scans and Network Topology
As an active scan traverses a network range, it can assess information contained in the responses it receives
This can help you make educated guesses about the topology of the network based on the TTL of the packet it receives, traceroute information, and responses from network and security devices
Topology information can be flawed and may not always match the actual design of the target network because:
* Security and network devices can introduce differences in the TTL and traceroute information
* Firewalls can make devices invisible to scans
* Wired vs wireless networks
* Virtual networks and environments
* On-premises vs cloud infrastructure
Pinging Hosts
The most basic form of discovery that you can do, with the ping command
It sends an ICMP echo request to a remote IP—if the system receives it, it replies with an echo reply, which indicates it’s up and running
A lack of response doesn’t always mean the host is down, because many firewalls block ping requests or individual systems might be configured to ignore ICMP packets
hping
An open source spoofing tool that provides a pentester with the ability to craft network packets to exploit vulnerable firewalls and IDS/IPS
Features
Host/Port Detection and Firewall Testing
Sends a SYN or ACK packet to conduct detection and testing
hping3 -S -p80 -c1 192.168.1.1
* Send 1 SYN packet to port 80 at this IP
hping3 -A -p80 -c1 192.168.1.1
* Send 1 ACK packet to port 80 at this IP
Timestamping
Used to determine the system’s uptime
hping3 -c2 -S -p80 --tcp-timestamp 192.168.1.1
* Send 2 SYN packets to port 80 at this IP to determine uptime
Traceroute
Uses arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces when ICMP is blocked on a given network
Fragmentation
Attempts to evade detection by IDS/IPS and firewalls by sending fragmented packets across the network for later reassembly
* Not effective against modern OS and network appliances
* Can work on some legacy systems or ICS / SCADA
DoS
Can be used to perform flood based DoS attacks from randomized source IPs
* Not effective against modern OS and network appliances
* Can work on some legacy systems or ICS / SCADA
Port Scanners
Tools designed to send traffic to remote systems and then gather responses that provide information about the systems and the services they provide
One of the most frequently used tools when gathering information about a network and the devices connected to it
Because of this, they’re usually the first step in active recon
Common port scanner features:
* Host discovery
* Port scanning and service identification
* Device fingerprinting
* Service version identification
* OS identification
Common Ports and Services
Ports 0-1023 are well-known ports, or system ports
Ports from 1024-49151 are registered ports and assigned by IANA when requested—many are also used arbitrarily for services
Ports 49152-65535 are dynamic ports
Since ports can be manually assigned, simply assuming that a service running on a given port matches the common usage isn’t a smart move
Many SSH and HTTP/S servers are run on alternate ports, either to allow multiple web services to have unique ports or to avoid port scanning that targets 22 and 80/443
Scanning Viewpoint
Your scanning viewpoint for active recon makes a huge difference in the information gathered
Internal scans from a trusted system or network will provide much more information than an external scan of a well-secured network
If you’re attempting to replicate a specific scenario, like scanning by an external attacker who has no access to an internal system, your scanning viewpoint should match
OS Fingerprinting
OS fingerprinting is when you identify an OS based on the network traffic that it sends
It’s typically done with TCP/IP stack fingerprinting techniques that focus on comparing responses to TCP and UDP packets sent to remote hosts
Differences in how operating systems and OS versions respond, what TCP options they support, what order they send packets in, and other details provide a solid guess at what OS the remote system is running
Device Fingerprinting
The collection and correlation of information about a device like the software, services, and OS it runs that allows it to be uniquely identified as a specific type or version of a device
Particularly useful for identifying printers and other networked devices, but can also be used to identify workstations, servers, or any other network connected device if enough unique or typical information can be discovered
Devices that are firewalled and don’t respond to probes can still be fingerprinted given access to their network traffic and to any network device logs that are available
Service and Version Identification
Identifying services provides information about potential vulnerabilities and verifies that the service responding on a given port matches the service that typically uses the port
Service identification is usually done one of two ways:
1. Connecting and grabbing the banner
2. Using connection information provided by the service, or comparing its responses to the signatures of known services
Nmap
The most commonly used CLI port scanner that provides a broad range of capabilities, like multiple scan modes built to bypass firewalls and other network protection devices
Additionally, it also provides support for OS fingerprinting, service identification, and more
Default nmap Behavior
* Ping and send TCP ACK packet to ports 80 and 443
* This determines if a host is there and detected, and if so, it will do a port scan against that host to determine what services are running
Nmap Discovery Scan Options:
* -sn: Host discovery
* -sL: List scan to list IPs from supplied target range and perform reverse DNS query to discover any host names associated with the IPs
* -PS: TCP SYN ping to probe specific ports from the given list using a TCP SYN instead of ICMP to conduct the ping
* --scan-delay [TIME]: Sparse scanning issues probes with significant delays to become stealthier and avoid detection by IDS/IPS
* -Tn: Scan timing issues probes using a timing template, with n being the template to utilize (n = 0 to 5 / slowest to fastest)
* -sI: TCP idle scan is another stealth method that makes it appear that another machine (a zombie) started the scan to hide the true identity of the scanning machine
* -f or --mtu: Fragmentation is a technique that splits the TCP header of each probe between multiple IP datagrams to make it hard for an IDS/IPS to detect
* Send nmap output to files with -oN for normal files, -oX for XML, and -oG for grepable files
Nmap Service Discovery Options
* -sS: TCP SYN conducts a half-open scan by sending a SYN packet to identify the port state without sending an ACK packet afterwards
* -sT: TCP Connect conducts a three way handshake scan by sending a SYN packet to identify the port state and then sending an ACK once the SYN-ACK is received
* -sN: Null Scan conducts a scan by sending a packet with all TCP flag bits set to zero; this will flag IDS/IPS
* -sF: FIN Scan conducts a scan by sending an unexpected FIN packet; this will flag IDS/IPS
* -sX: Xmas Scan conducts a scan by sending a packet with the FIN, PSH, and URG flags set to one, lights up like a Christmas tree and will surely get you caught
* -sU: UDP Scan conducts a scan by sending a UDP packet to the target and waiting for a response or timeout
* -p: Port Range conducts a scan by targeting the specified ports instead of the default of the 1,000 most commonly used ports
Nmap Fingerprinting Scans
* -sV: An intensive port scan that gives basic versioning information
* -A: Another intensive port scan, but far more aggressive; it discovers more data and information like protocol, app name and version, OS type and version, host name, and device type
* -O: Detect OS version
Indicators of a Windows Host
When scanning, these are indicators that you’re dealing with a remote Windows host:
* Port 135: msrpc (MS Remote Procedure Call)
* Port 139: netbios-ssn (NetBIOS)
* Port 445: microsoft-ds (MS domain services)
* ICSLAP (used for MS internal proxying)
* WSDAPI (Web Services on Devices API, a MS devices API)
Angry IP Scanner
Multiplatform port scanner with a GUI
Unlike nmap, Angry IP Scanner doesn’t provide detailed identification for services and OS, but you can turn on different modules called “fetchers” to find ports, TTL, filtered ports, and more
When running Angry IP, configure the ports scanned under Preferences, otherwise no port information will be returned
Requires Java to run, which can be an issue because a lot of systems won’t have Java installed for security reasons
Maltego
An open source tool that focuses on OSINT gathering and connecting data points from social media, DNS, whois queries, etc together via a GUI
The Maltego GUI provides a way to understand and document correlations and hierarchies
It relies on the concept of transforms: actions taken by a server that provide additional data or processing about objects and entities
Metasploit
One of the most commonly used tools for pentesting
Includes a broad range of functionality including the ability to scan for ports using TCP, SYN, and other scanning modules
Can also perform web app vulnerability scanning using wmap
NOTE: The exam will focus on MSF for asset discovery and vulnerability management
Recon-ng
A CLI recon tool with search and module selection and installation capabilities that allow you to configure and use it to fit your needs
Built into Kali
Uses a modules marketplace, which is searched with “marketplace search”
Tools like hackertarget can help with OSINT gathering to identify targets
Integrates with Shodan, an OSINT search engine, and active search modules like nmap can be used for active information gathering
Passive Discovery
Passive discovery relies on information that’s available about the org, systems, or network without probing
Typically it relies on logs and other existing data, which may not provide all the information needed to fully identify targets, and the reliance on stored data means it may be out of date
Where active scanning interacts with a host, passive simply observes network activity and draws conclusions
Log and Configuration Analysis
Log files provide a ton of information about systems and networks
If you have access to local system configuration data and logs, you can use the information they contain to build a thorough map of how systems work together, which users and systems exist, and how they’re configured
Network Device Logs
Network device logs have their own activities, status, and events, including traffic patterns and usage
By default, many network devices log messages to their console ports, which means that only a user logged in at the console will see them
Most managed networks also send network logs to a central log server using syslog
Networks can also use SNMP to send device information to a central control system
When focused on intel gathering, these logs aren’t always as useful as the device configuration data—but they can still provide assistance with topology discovery based on the devices they communicate with
During pentests or normal course of security ops work, network device logs can provide useful warning of attacks, or reveal configuration or system issues
Network Device Log Levels
They vary, but tend to be relatively similar to Cisco’s log level
Level: Level Name / Example
- 0: Emergencies / Device shutdown due to failure
- 1: Alerts / Temperature limit exceeded
- 2: Critical / Software failure
- 3: Errors / Interface down message
- 4: Warning / Configuration change
- 5: Notifications / Line protocol up/down
- 6: Information / ACL violation
- 7: Debugging / Debugging message
Network Device Configuration
Config files from network devices are invaluable when mapping network topology
They often include details of the network, routes, systems that devices interact with, and other network details
They also provide details about syslog and SNMP servers, admin and user account information, and other config items useful for information gathering
Page 177 research more about SNMP config on Cisco router
Netflow
A Cisco network protocol that collects IP traffic information, allowing network traffic monitoring
Flow data is used to provide a view of traffic flow and volume
A typical flow capture includes source and destination IP and port for the traffic and the class of service
Netflows and a Netflow analyzer can help identify service problems and baseline typical network behavior, and can be useful in identifying unexpected behaviors
Netstat
Netstat prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships
It also provides information like:
* netstat -ta: Active TCP and UDP connections, filtered by each of the major protocols: TCP, UDP, ICMP, IP, IPv6, etc
* netstat -o: Which executable file created the connection, or its PID
* netstat -e output: Ethernet statistics on how many bytes and packets have been sent and received
* netstat -nr output: Route table information including IPv4/6
Running netstat from a system can provide information about both the machine’s network behavior and what the local network looks like
Knowing what machines a system has or is communicating with can help you understand local topology and services
Page 178 + 179 for more details, research outside of book
DHCP Logs and DHCP Server Configuration Files
DHCP is a client-server protocol that provides IPs, as well as information like the default gateway and subnet mask for the network segment that the host will reside on
During passive recon, DHCP logs from the DHCP server can provide a quick way to identify many of the hosts on the network
If you combine DHCP logs with other logs, like firewall logs, you can determine which hosts are provided with dynamic IP addresses and which are using static IPs
Firewall Logs and Configuration Files
Router and firewall configuration files and logs often contain information about both successful and blocked connections
Analyzing router and firewall ACL and logs can provide useful information about what traffic is allowed and can help with mapping topology by identifying where systems are based on traffic that’s allowed or blocked
Config files make this even easier since they can be directly read to understand how systems interact with the firewall
For pentesters, firewall logs can be reverse engineered based on the contents of the logs
Even without the config files, log files can provide a good view of how traffic flows
And, like other network devices, firewalls often use log levels to separate informational and debugging messages from more important messages
Page 181 + 182 for more detailed examples
Firewall and Routers On the Exam
If you encounter firewall or router config files, log files, or rules on CySA+, rewrite them into a language you can more easily read
PAGE 182 TO LEARN HOW
System Log Files
System logs are collected by most systems to provide troubleshooting and other system information
Log information can vary greatly depending on the OS you’re working with, how it’s configured, and what service and apps the system is running
Linux:
* /var/log: The directory that holds most logs, but apps may have their own logging directory
Windows provides several types of event logs:
* Application Logs: Contain events logged by programs or apps—What’s logged varies from program to program
* Security Logs: Capture login events, resource and rights usage, and files being opened, created, or deleted—Options are set by administrators of the Windows system
* Setup Logs: Captured when apps are set up
* System Logs: Contain events logged by Windows components—Preset as part of Windows
* Forwarded Events Logs: Set up using event subscriptions and contain events collected from remote computers—Specially configured
System log files aren’t on the top of the list for recon
They’re gathered if accessible, but most are kept in a secure location and not accessible without admin system access
Nslookup and Traceroute
If you want basics on them, Page 185
But I feel pretty good about both of these and how they help with passive recon
Domain Name Registrars
The entities that manage domain names
Domain name registrars are accredited by generic top-level domain (gTLD) registries and/or country code top-level domain (ccTLD) registries
This means that registrars work with the domain name registries to provide registration services: the ability to acquire and use domain names
Registrars:
* Provide the interface between customers and registries
* Handle purchase, billing, and day to day domain maintenance
* Handle renewals for domain registrations
* Transfer domains due to sale or when the domain is sent to another registrar
IANA
Internet Assigned Numbers Authority
IANA manages the global IP address space, along with the DNS Root Zone which handles the assignments of both gTLDs and ccTLDs
Regional authority over these resources is handled by five regional internet registries (RIRs):
* Africa: African Network Information Center (AFRINIC)
* US, Canada, Caribbean, Antarctica: American Registry for Internet Numbers (ARIN)
* Asia, Australia, New Zealand, Asia-Pacific: Asia-Pacific Network Information Centre (APNIC)
* Latin America, Caribbean: Latin America and Caribbean Network Information Centre (LACNIC)
* Central Asia, Europe, Middle East, Russia: Reseaux IP Europeens Network Coordination Centre (RIPE NCC)
DNS Entries
DNS entries can provide useful information about systems simply through the hostname
A system named “AD4” is a more likely target for Active Directory exploits and Windows Server scans
Hostnames that reflect a specific app or service can provide both target information and a clue for social engineering and human intelligence activities
DNS Discovery
External DNS information through Whois can be a great starting place for DNS information gathering
Additional DNS servers can be identified as part of active scanning or passive information gathering, based on network traffic logs or even by reviewing an org’s documentation
This can also be done with a port scan on 53 (TCP or UDP)
Once you find a DNS server, you can query it using dig, or test to see if it supports zone transfers, which can make it easy to obtain organizational DNS data
Zone Transfers
Zone transfers are intended to be used to replicate DNS databases between DNS servers, which makes them a powerful information gathering tool if a target’s DNS servers allow them
Dion:
* A method of replicating DNS databases across a set of DNS servers that’s often used during the recon phase of an attack
* Zone transfers can be used to collect DNS information about your servers and give it to an attacker so they can plan attacks
Most DNS servers are set to prohibit zone transfers to servers that aren’t their trusted DNS peers, but it’s highly likely someone will still check
To check, use either host or dig (domain.name and dns-server are placeholders for the target domain and the DNS server being queried):
* host -t axfr domain.name dns-server
* dig axfr domain.name @dns-server
* Windows: nslookup -> server dns-server -> set type=any -> ls -d domain.name
Page 188 for zone transfer practice
DNS Brute Forcing
If a zone transfer isn’t possible, DNS information can still be gathered from public DNS by brute force
Sending a manual or scripted DNS query for each IP address that the org uses can provide a useful list of systems
This can be partially prevented by using an IDS or IPS with a rule that prevents DNS brute force attacks
Sending queries at a slow rate or from a number of systems can bypass most prevention methods