Chapter 3 - Reconnaissance and Intelligence Gathering

Uploaded by victor

CySA Chapter 3

Reconnaissance and Intelligence Gathering


Objective
• Domain 1.0: Threat and Vulnerability Management
• 1.4 Given a scenario, analyze the output from common vulnerability assessment tools.
• Domain 3.0: Security Operations and Monitoring
• 3.1 Given a scenario, analyze data as part of security monitoring activities.
Mapping and Enumeration
Processes and Guidelines
• Processes and guidelines for enumeration and reconnaissance are
publicly available from a few sources:
• Open-Source Security Testing Methodology Manual (OSSTMM)
• Penetration Testing Execution Standard
• NIST Special Publication 800-115: The Technical Guide to Information Security
Testing and Assessment
Active Reconnaissance
• Targets are typically provided by information gathered during enumeration
exercises
• Uses host scanning tools to gather information about systems, services, and
vulnerabilities.
• Does not involve exploitation but can provide information about vulnerabilities
that can be exploited.
Mapping Networks and Discovery
Topology
Pinging Hosts
• Pinging a network address is the most basic form of discovery
• It is a low-level network command that sends a packet called an echo request to a
remote IP address
• Ping communications take place using the Internet Control Message Protocol
(ICMP).
Echo Request Example
HPing
• Echo requests can be customized
• This example uses TCP/80 for the
probes
• The -S flag denotes a SYN packet
Port Scanning
• Designed to send traffic to remote systems and then gather responses that
provide information about the systems and the services they provide
• One of the most frequently used tools when gathering information about a
network and the devices that are connected to it
• Often the first step in an active reconnaissance of an organization
Common Features of Port Scanners
• Host discovery
• Port scanning and service identification
• Service version identification
• OS identification
Nmap Introduction
• Nmap is the most commonly used command-line port scanner, and it is a free,
open source tool
• It provides a broad range of capabilities, including multiple scan modes intended
to bypass firewalls and other network protection devices.
• It provides support for operating system fingerprinting, service identification, and
many other capabilities.
Nmap Scan Result
Service and Version Identification
• Service Identification
• By connecting and grabbing the banner or connection information provided
by the service
• By comparing its responses to the signatures of known services
Nmap Service and Version Detection
Nmap of a Windows System
Other Nmap Options
• nmap -A -Pn <IP>
• Aggressive scan: OS detection, version detection, script scanning, and traceroute
• nmap -sV <FQDN> --script dns-brute
• Attempts to discover subdomains by brute forcing from a set of common
subdomain names
• nmap -sA <IP>
• Stateful firewalls block the unsolicited ACK packets, so ports show up as filtered;
stateless firewalls do not block them
• nmap -sW <IP>
• Window scan works like the ACK scan but can also show open and closed ports
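Objective 1.4 is about analyzing scanner output rather than running the scanner, so here is an added example (not from the slides or from the nmap project) that parses nmap's grepable output format (`-oG`) and compares the open ports against an allowlist of what each host is expected to expose. The scan text, the host names and the allowlist are constructed for illustration.

```python
"""Parse nmap grepable (-oG) output and flag ports outside the expected footprint."""
import re

# Constructed sample in nmap's grepable format (one line per host).
# Each port entry is: port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (web01.example.test)\tStatus: Up
Host: 10.0.0.5 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (996)
Host: 10.0.0.6 (db01.example.test)\tStatus: Up
Host: 10.0.0.6 (db01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed allowlist: (protocol, port) pairs each host is expected to expose
EXPECTED = {
    "10.0.0.5": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.0.0.6": {("tcp", 22)},
}

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: [(port, state, proto, service, version), ...]} from Ports: lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment and Status: lines carry no port data
        ip, _name, ports_field = m.groups()
        entries = []
        for item in ports_field.split(", "):
            fields = item.split("/")
            if len(fields) < 7:
                continue  # malformed entry, skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entries.append((int(port), state, proto, service, version))
        hosts.setdefault(ip, []).extend(entries)
    return hosts


def unexpected_exposure(hosts, expected):
    """Open ports missing from the allowlist, and allowlisted ports no longer open."""
    findings = {}
    for ip, entries in hosts.items():
        open_ports = {(proto, port) for port, state, proto, *_ in entries if state == "open"}
        allowed = expected.get(ip, set())
        findings[ip] = {
            "unexpected_open": sorted(open_ports - allowed),
            "missing_expected": sorted(allowed - open_ports),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in unexpected_exposure(parse_grepable(SAMPLE_GREPABLE), EXPECTED).items():
        print(ip, finding)
```

Only ports in the `open` state count as exposure; the `filtered` PostgreSQL port on the second host is reported by nmap but does not trip the check, which is the behaviour you want when a firewall is doing its job.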
Angry IP Scanner
• Multiplatform GUI for port
scanning
• Requires Java to run
• Other security tools often
include port scanning:
Metasploit, Qualys,
OpenVAS, and Nessus as
examples
Observium
• An open source, free and ready-to-install network discovery and
management tool for your Linux datacenter servers
Passive Footprinting
a.k.a. look at your logs
Network Devices
• Network Device Logs
• Often have a log level associated
• Can provide warning of attacks or reveal configuration or system issues
• Network Device Configuration
• Includes details of the network, routes, systems, etc.
• Can provide details about syslog and SNMP servers, administrative and user
account information, and other configuration items
Network Device Logs
Network Device Configuration
Network Devices
• Netflows
• A Cisco network protocol that collects IP traffic information, allowing network
traffic monitoring
• Can help identify service problems and baseline typical network behavior and
be useful in identifying unexpected behaviors
• Netstat
• Gathers local host network information
• Can provide a wealth of information, with its capabilities varying slightly
between operating systems
DHCP Logs and
DHCP Server Configuration Files
• DHCP is a client/server protocol that provides an IP address as well as information
such as the default gateway and subnet mask for the network segment that the
host will reside on
• Can provide a quick way to identify many of the hosts on the network
• Can determine which hosts are provided with dynamic IP addresses and which
hosts are using static IP addresses by combining DHCP logs with others
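The last bullet describes combining DHCP logs with another data source to separate dynamic from static hosts. The following added example (not course material) does exactly that with constructed ISC dhcpd syslog lines and a constructed `ip neigh` style ARP table: only DHCPACK lines count as an assignment, hosts seen on the wire without a lease are reported as likely static, and a leased address answered by a different MAC is flagged separately.

```python
"""Classify observed hosts as DHCP-assigned or likely static from dhcpd logs + ARP."""
import re

# Constructed ISC dhcpd syslog excerpt
DHCP_LOG = """\
Dec 24 10:01:02 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Dec 24 10:01:02 dhcp1 dhcpd: DHCPOFFER on 10.0.10.23 to 00:11:22:33:44:55 (laptop-01) via eth0
Dec 24 10:01:03 dhcp1 dhcpd: DHCPREQUEST for 10.0.10.23 (10.0.10.1) from 00:11:22:33:44:55 (laptop-01) via eth0
Dec 24 10:01:03 dhcp1 dhcpd: DHCPACK on 10.0.10.23 to 00:11:22:33:44:55 (laptop-01) via eth0
Dec 24 10:05:44 dhcp1 dhcpd: DHCPACK on 10.0.10.57 to 66:77:88:99:aa:bb via eth0
"""

# Constructed neighbour table in `ip neigh` layout: ip dev iface lladdr mac state
ARP_TABLE = """\
10.0.10.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
10.0.10.23 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.10.57 dev eth0 lladdr 66:77:88:99:aa:cc STALE
10.0.10.200 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.10.201 dev eth0 FAILED
"""

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \((\S+)\))?")
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})")


def dynamic_leases(log):
    """Return {ip: (mac, hostname)}; only DHCPACK proves an assignment."""
    leases = {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac, hostname = m.groups()
            leases[ip] = (mac.lower(), hostname)  # latest ACK wins
    return leases


def arp_hosts(table):
    """Return {ip: mac} for resolved entries; FAILED/INCOMPLETE rows have no lladdr."""
    hosts = {}
    for line in table.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2).lower()
    return hosts


def classify_hosts(log, table):
    leases, seen = dynamic_leases(log), arp_hosts(table)
    result = {"dynamic": {}, "static": {}, "mac_mismatch": {}}
    for ip, mac in seen.items():
        if ip not in leases:
            result["static"][ip] = mac          # on the wire, never leased
        elif leases[ip][0] == mac:
            result["dynamic"][ip] = leases[ip]
        else:
            # Leased to one MAC but answered by another: conflict or spoofing
            result["mac_mismatch"][ip] = (leases[ip][0], mac)
    return result


if __name__ == "__main__":
    for bucket, hosts in classify_hosts(DHCP_LOG, ARP_TABLE).items():
        print(bucket, hosts)
```

The default gateway (10.0.10.1) lands in the static bucket as expected; the mismatch bucket is where an analyst would start looking first.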
Linux dhcpd.conf File
DHCP Demo Log
Firewall Logs and Configuration Files
• Often contain information about both successful and blocked connections
• Can provide useful information about what traffic is allowed and can help with
topological mapping by identifying where systems are based on traffic allowed
through or blocked by rules
• Can allow penetration testers to reverse-engineer firewall rules based on the
contents of the logs
Cisco Router ACL Example
System Log Files
• Collected by most systems to provide troubleshooting and other system
information
• Can provide information about how systems are configured, what applications
are running on them, which user accounts exist on the system, and other details
• Most log files are kept in a secure location and are not accessible without
administrative system access
Log Types
Harvesting Data from DNS and
WHOIS
• DNS and Traceroute Information
• Domains and IP Ranges
• DNS Entries
• DNS Discovery
• Zone Transfers
• DNS Brute Forcing
• Whois
Harvesting Data from DNS and
WHOIS
• Can search databases of registered
users of domains and IP address
blocks, and provide info about an
organization/individual based on their
registration info
DNS and Traceroute
• Convert domain names to IP addresses by using nslookup

• Nslookup using Google’s DNS with MX query flag


DNS and Traceroute
• Using traceroute to see the path packets take to the host
Other Tools
DNSDumpster
• Need subdomains, but it’s a black-box test? Look no further!!

• Free project from HackerTarget


• Relies on https://scans.io for results

• https://dnsdumpster.com
Other Tools:
Shodan
• THE search engine for vulnerable devices online
• https://shodan.io
Other Tools:
host
• Can provide information about a system’s IPv4 and IPv6 addresses as
well as its email servers by using the host command in Linux
Other Tools:
dig
• dig axfr @digi.ninja zonetransfer.me
• SOA record reveals:
• primary nameserver
• contact email (dots not @)
• current serial number for the domain (2019100801 as of 12/24/20)
• time secondary servers should wait between changes (172,800 seconds)
• time for primary to wait upon failed refresh (900 seconds)
• time secondary can claim to have authoritative records (1,209,600 seconds)
• minimum TTL for domain (3,600 seconds)
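To make the SOA fields above concrete, here is an added example (not from the slides or from dig) that decodes a dig-style SOA answer line into named fields, converts the RNAME back into an e-mail address (including the escaped-dot case), and checks whether the serial follows the common YYYYMMDDnn dating convention. The zone and host names in the sample line are placeholders; the timer values are the ones listed on the slide.

```python
"""Decode the fields of an SOA record as printed by dig."""
import datetime
import re
from dataclasses import dataclass

# Constructed dig-style answer line:
# name ttl class type mname rname serial refresh retry expire minimum
SAMPLE_SOA = ("example.com.\t7200\tIN\tSOA\tns1.example.com. hostmaster.example.com. "
              "2019100801 172800 900 1209600 3600")


@dataclass
class SOARecord:
    zone: str
    primary_ns: str
    contact_email: str
    serial: int
    refresh: int   # seconds secondaries wait between zone checks
    retry: int     # seconds to wait after a failed refresh
    expire: int    # seconds secondaries may keep serving without a refresh
    minimum: int   # negative-caching TTL for the zone


def rname_to_email(rname):
    r"""RNAME writes the mailbox with a dot in place of '@'.

    An escaped dot ('\.') inside the local part stays a literal dot, so only
    the first unescaped dot is the separator.
    """
    m = re.match(r"^((?:\\.|[^.\\])+)\.(.+?)\.?$", rname)
    if not m:
        raise ValueError(f"unexpected RNAME: {rname}")
    return m.group(1).replace("\\.", ".") + "@" + m.group(2)


def parse_soa(line):
    fields = line.split()
    if len(fields) < 11 or fields[3].upper() != "SOA":
        raise ValueError("not an SOA answer line")
    zone, _ttl, _cls, _rtype, mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums[:5])
    return SOARecord(zone.rstrip("."), mname.rstrip("."), rname_to_email(rname),
                     serial, refresh, retry, expire, minimum)


def serial_date(serial):
    """Return 'YYYY-MM-DD' when the serial follows YYYYMMDDnn, else None."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return datetime.date(int(s[:4]), int(s[4:6]), int(s[6:8])).isoformat()
    except ValueError:
        return None  # a plain counter, not a dated serial


if __name__ == "__main__":
    rec = parse_soa(SAMPLE_SOA)
    print(rec)
    print("serial dated:", serial_date(rec.serial))
```

A dated serial is a useful passive clue for defenders reviewing their own zones: a serial that has not moved in years confirms the slide's observation that the record is stale, and a serial that jumps unexpectedly is worth correlating with change records.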
Other Tools:
Responder
• Python script hybrid between active and
passive scanning.
• Starts passive, then tries to hijack
connections.
• github.com/SpiderLabs/Responder
Domains and IP Ranges
• Five regional Internet registries (RIRs)
• African Network Information Center (AFRINIC) for Africa
• American Registry for Internet Numbers (ARIN) for the United States, Canada,
parts of the Caribbean region, and Antarctica
• Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New
Zealand, and other countries in the region
• Latin America and Caribbean Network Information Centre (LACNIC) for Latin
America and parts of the Caribbean not covered by ARIN
• Réseaux IP Européens Network Coordination Centre (RIPE NCC) for Central
Asia, Europe, the Middle East, and Russia
Information Aggregation and
Analysis Tools
• theHarvester
• Designed to gather emails, domain information, hostnames, employee
names, and open ports and banners using search engines
• Maltego
• Designed to build relationship maps between people and their ties to other
resources
• Shodan
• Designed for Internet-connected devices and their vulnerabilities
Information Gathering using Packet
Captures
Gathering Organizational
Intelligence
Organizational Data
• Locations
• Relationships
• Organizational Charts
• Document Analysis
• Financial Data
• Individuals
Electronic Document Harvesting
• Websites
• Gather both current and historical information
• Social Media Analysis
• Obtain information about individuals
• Social Engineering
• Exploit the human element of security
Electronic Document Harvesting
• How about eadesmar over at TSB?
• Metadata in files like author, contributors, last edit, etc.
• Photos may include the make of the phone/camera, location data, etc.
• Exif data (Exchangeable Image File format)
• Can use tools like Document Inspector in Word, Examine Document in
Acrobat, or other metadata scrubbing utilities
Electronic Document Harvesting
• https://github.com/MacroConnections/immersion
Website Scraping
• The Internet Archive (a.k.a. the Wayback Machine)
• Time Travel Service
• Google cache
Social Engineering
• Social media posts
• Social Engineer Toolkit (SET)
• Creepy geolocation (not maintained)
• Metasploit (can tie SET into it)
Detecting, Preventing, and
Responding to Reconnaissance
Data Sources
• Packet analysis
• Protocol analysis
• Network traffic analysis
• Traffic and flow analysis
• Device and system logs
• Wireless analysis
• Typical data sources:
• Port and vulnerability scans
• Security device logs
• SIEM systems
Data Analysis Methods
• Anomaly analysis: deviations from established patterns/behaviour
• Signature analysis: matching a fingerprint or signature derived from existing data
• Manual analysis: analysis that you perform yourself
• Heuristic, or behavioural, analysis: detecting threats based on their behaviour
• Trend analysis: prediction based on existing data
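The firewall-log slide earlier in the deck and the signature/heuristic methods listed here come together in the most common reconnaissance detection: counting what one source touches in a short window. The added example below (not from the slides) runs a threshold rule over constructed iptables-style drop lines and raises a port-scan alert for a source hitting many ports on one host and a host-sweep alert for a source hitting one port on many hosts. The `FW-DROP` prefix, the addresses and the thresholds are all constructed for illustration.

```python
"""Threshold detection of port scans and host sweeps over firewall drop logs."""
import re
from collections import deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\w+)"
    r"(?: SPT=(\d+) DPT=(\d+))?"
)


def _line(ts, src, dst, dpt):
    """Build one constructed log line in iptables LOG target layout."""
    return (f"{ts} fw1 kernel: FW-DROP IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 TTL=54 PROTO=TCP SPT=40000 DPT={dpt} SYN")


# Constructed sample: a vertical port scan, a horizontal sweep, one benign drop
SAMPLE_LOG = (
    [_line(f"Dec 24 10:00:{s:02d}", "203.0.113.9", "10.0.0.5", 20 + s) for s in range(12)]
    + [_line(f"Dec 24 10:02:{s:02d}", "198.51.100.7", f"10.0.0.{s + 1}", 445) for s in range(6)]
    + [_line("Dec 24 10:03:00", "192.0.2.3", "10.0.0.5", 443)]
)


def parse_events(lines):
    """Return [(timestamp, src, dst, proto, dport)] sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a firewall line, ignore
        ts, src, dst, proto, _spt, dpt = m.groups()
        # syslog timestamps carry no year; fine for comparisons inside one window
        when = datetime.strptime(ts, "%b %d %H:%M:%S")
        events.append((when, src, dst, proto, int(dpt) if dpt else None))
    events.sort(key=lambda e: e[0])
    return events


def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=5):
    """Return {src: set of alert names} for sources that cross a threshold."""
    by_src = {}
    for ev in parse_events(lines):
        by_src.setdefault(ev[1], []).append(ev)
    alerts = {}
    for src, evs in by_src.items():
        window = deque()
        for ev in evs:
            window.append(ev)
            # slide the window: drop events older than window_s relative to this one
            while (ev[0] - window[0][0]).total_seconds() > window_s:
                window.popleft()
            distinct_ports = {e[4] for e in window if e[4] is not None}
            distinct_hosts = {e[2] for e in window}
            if len(distinct_ports) >= port_threshold:
                alerts.setdefault(src, set()).add("port_scan")
            if len(distinct_hosts) >= host_threshold:
                alerts.setdefault(src, set()).add("host_sweep")
    return alerts


if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE_LOG).items():
        print(src, sorted(kinds))
```

This is a signature-style rule: the thresholds are fixed, so a slow scan spread over hours slips under them. Anomaly analysis addresses that gap by comparing a source's activity against a baseline rather than a constant, which is where the flow data from the NetFlow slide becomes valuable.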
Preventing Reconnaissance
• Preventing Active Reconnaissance
• Limiting external exposure of services and ensuring that you know your
external footprint
• Using an IPS or similar defensive technology that can limit or stop probes to
prevent scanning
• Using monitoring and alerting systems to notify you about events that
continue despite these preventive measures
Preventing Reconnaissance
• Preventing Passive Reconnaissance
• Blacklisting systems or networks that abuse the service
• Using CAPTCHAs to prevent bots
• Providing privacy services that use third-party registration information instead
of the actual person or organization registering the domain
• Implementing rate limiting to ensure that lookups are not done at high speeds
• Not publishing zone files if possible, but gTLDs are required to publish their
zone files, meaning this works for only some ccTLDs
Video: Sharpen your skills with
OSINT
