Chapter 2 Reconnaissance and Intelligence Gathering Flashcards
- Syslog severity message
- Immediate action is needed
Level 1 Alerts
Tool designed to gather emails, domain info hostnames, employee names, and open ports and banners using search engines
theHarvester
Netstat flag for Linux that shows raw (RAW) socket connections
-w
Netstat flag for Linux that shows Unix socket connections
-X
- Syslog severity message
- Normal but significant conditions
Level 5 Notifications
Technique that uses a fingerprint or signature to detect threats
Signature Analysis
In Windows Event Viewer, the log where events are captured when applications are installed
Setup logs
- Syslog severity message
- Warning conditions
Level 4 Warnings
Technique where the analyst investigates the logs and data personally in order to detect something
Manual analysis
Ways to prevent passive reconnaissance
- Blacklisting systems or networks
- Using CAPTCHAs to prevent bots
- Providing privacy services that use third-party registration info instead of the actual person or organization registering the domain
- Rate-limiting lookups
- Not publishing zone files
Relies on logs and other existing data, not probes, to fully identify targets
Passive footprinting
Windows, Mac, and Linux tool used to view all network connections on the local host
Netstat
- Netstat flag for Windows that shows the process ID of each connection
- This can be cross-referenced with Windows Task Manager
-o
Netstat flag for Windows that provides interface statistics
-e
- Syslog severity message
- Error conditions
Level 3 Errors
Creates a map of an organization's networks, systems, and infrastructure
Footprinting
Netstat flag for Linux that shows active TCP connections
-ta
Scanning tools are used to gather info about systems, services, and vulnerabilities
Active Reconnaissance
- Syslog severity message
- Informational messages (default level)
Level 6 Informational
Ports from 0 to 1023 are known as
Well-known ports or System ports
Netstat flag for Linux that shows UDP connections
-u
nslookup flag used to look up DNS record types such as MX, NS, SOA, and ANY
-query=(flag)
Search engine for internet-connected devices and their vulnerabilities
Shodan
Ports ranging from 1024 to 49151
Registered ports
- Document info like the author's name, the software used to create the document, revisions, edits, etc.
- Used in reconnaissance
Metadata
A geolocation tool that uses social media and file metadata about individuals to provide better information about them
Creepy
- Where are DHCP logs typically found on Linux?
- Bonus: in some distros, where is the location?
/var/log/dhcp.log
Bonus: the journalctl command
Technique used to identify differences from established patterns or expected behaviors
Anomaly Analysis
Technique used to predict behaviors based on existing data
Trend analysis
- Syslog severity message
- System is unusable
Level 0 Emergencies
- Technique used to detect threats based on behavior
- Can detect unknown threats in the environment
Heuristic or Behavior Analysis
- Syslog severity message
- Critical conditions
Level 2 Critical
- Syslog severity message
- Debugging messages
Level 7 Debugging
What are some ways to prevent active reconnaissance?
- Limit external exposure of services
- Use an IPS or similar control that can limit or stop probes
- Use monitoring and alerting to notify you
- In Windows Event Viewer, events can be forwarded from one host to another; by default, forwarded events are stored in the Windows Logs > Forwarded Events folder, but a different folder can be specified
- A subscription is then configured on Host A that allows you to collect the forwarded events
Forwarded Event logs