Reconnaissance 2024 part 1

What is Reconnaissance

Reconnaissance, often referred to as 'recon', is the process of gathering information about a target system or network to identify potential vulnerabilities that could be exploited. It is the foundational step in both cyber threat intelligence (CTI) and penetration testing, serving as the "Eagle's Eye" of cybersecurity. Reconnaissance is not a breach or exploit in itself, but it can open the path to exploitation if the gathered information is used maliciously.

Types of Reconnaissance

There are two primary types of reconnaissance: passive and active.

Passive Reconnaissance

Passive reconnaissance involves gathering information from publicly available sources without interacting with the target system or network. This type of recon carries a lower risk of detection and disruption and needs fewer resources. However, it may yield less accurate and less comprehensive information and has a limited ability to identify vulnerabilities.

Active Reconnaissance

Active reconnaissance, on the other hand, involves interacting directly with the target to gather information. This can provide comprehensive, real-time information, including the identification of active systems and services. The downside is the increased risk of detection and disruption, as well as the higher investment of time and resources.

Questions:
• Would you consider 'google hacking commands' passive or active, based on the definitions above?
• Would you consider Shodan research active or passive information gathering?

The importance of Reconnaissance in Penetration Testing

Reconnaissance is the first phase of a penetration testing engagement and is critical to the process. It allows for early detection of potential threats, enabling organizations to proactively implement defensive measures.
The information gathered during this phase is used in the subsequent steps of the penetration test, such as scanning, vulnerability assessment, and exploitation & post-exploitation. The final phase involves documenting the findings in a report, which can be used to fix any vulnerabilities and improve the organization's security posture.

What are the different steps of the penetration testing methodology described above? Here is a generic summary of what each stage of this penetration test would achieve:

Stage: Objectives and Achievements

Enumeration: Identification of valid user names, server names, network resources and other potential targets through active connections to systems and iterative querying. This stage aims to gather as much information as possible to understand the environment.

Scanning: Use of automated tools to map out the network and identify open ports, operating systems, and running services on computers. This stage aims to create a comprehensive overview of the network architecture and defence mechanisms.

Vulnerability Assessment: Detailed analysis and discovery of potential security weaknesses in the system. Tools and techniques are used to identify known vulnerabilities, misconfigurations, and insecure software practices.

Exploitation & Post-Exploitation: Actual attempt to exploit the vulnerabilities to gain access or escalate privileges. Following successful exploitation, the post-exploitation phase involves securing access, gathering further data from the target network, and potentially exploiting other connected systems to understand the full extent of the breach.

Penetration testers use a variety of tools during the reconnaissance phase, such as Nmap for network scanning, Wireshark for traffic analysis, and the Metasploit Framework for simulating real-world attacks. Social engineering and open-source intelligence (OSINT) are also important aspects of reconnaissance.
Open-source intelligence (OSINT)

Question: define open-source intelligence (OSINT).

The goal of OSINT is to gather useful data that can inform decisions or strategies without accessing restricted or private sources. It is particularly valuable in cybersecurity, where it helps identify potential threats and vulnerabilities from information that is freely accessible on the internet. OSINT tools and techniques can aggregate, process, and analyse large volumes of data to extract actionable intelligence effectively.

Through OSINT, a wide range of information can be gathered, depending on the objectives and scope of the investigation. Here are some of the key types of information that can typically be obtained:

1. Personal Information: Details about individuals, such as names, addresses, phone numbers, email addresses, and social media profiles. This also includes public records like birth, marriage, and death records.
2. Corporate Information: Data about companies, including business registrations, financial reports, employee details, company news, and industry analyses. This also extends to insights about business strategies, mergers, and acquisitions.
3. Geopolitical and Economic Data: Information on political events, economic indicators, and international affairs, gathered from news outlets, government publications, and expert analyses.
4. Infrastructure Details: Information about physical and digital infrastructures like networks, buildings, roads, and services, from maps, satellite imagery, and transport databases.
5. Network and Technical Data: Details about network infrastructures, such as domain registration data, IP addresses, hosting information, and open ports, typically used in cybersecurity for identifying potential vulnerabilities.
6. Social Trends and Public Opinion: Insights gathered from social media platforms, blogs, forums, and news comments, which can provide a sense of public sentiment and emerging trends.
7. Legal and Regulatory Information: Public records and documents that detail legal proceedings, new laws, and regulations, which are crucial for compliance and legal assessments.
8. Security Threats and Incident Reports: Information related to security breaches, incidents, and warnings, often found in security blogs, forums, and databases.

Let's collect some data using OSINT

Go to https://attack.mitre.org/

Questions:
How many attacks have been recorded under the reconnaissance section of the MITRE framework?

Let's check out MITRE technique T1595.003: https://attack.mitre.org/techniques/T1595/003/
• What is the name of the technique? Ans: Active Scanning: Wordlist Scanning
• What is the name of the threat actor that has used this technique in a publicly captured attack? Ans: Volatile Cedar
• What are the MITRE IDs that indicate how to prevent "Wordlist Scanning"? Ans: M1042 & M1056
• What are the names of the tools used by the threat actor named under technique ID T1595.003? Ans: Gobuster & dirbuster

Let's go to Kali and search 'dir'. Let's open 'dirbuster' by clicking on our search result.

DirBuster is an application within the Kali arsenal that is designed to brute force web and application servers. The tool can brute force directories and files.

Questions:
▪ How do you think brute force against files and folders works?
▪ Can you think of the names of directories and files that would be interesting to find?
▪ What folders or files can give you passwords?

========== Credit to Ray for this section of the tutorial ===================

Comprehensive Guide on Dirbuster Tool

This tutorial focuses on using the Kali Linux tool DirBuster to find hidden files and directories within a web server.
What is covered here
• What is DirBuster
• Default Mode
• GET Request Method
• Pure Brute Force (Numeric)
• Single Sweep (Non-recursive)
• Targeted Start
• Blank Extensions
• Search by File Type (.txt)
• Changing the DIR List
• Following Redirects
• Attack Through Proxy
• Adding File Extensions
• Evading Detective Measures (Requests Per Second)

What is DirBuster

DirBuster is an application within the Kali arsenal that is designed to brute force web and application servers. The tool can brute force directories and files. The application lets users take advantage of multi-thread functionality to get things moving faster. In this article, we will give you an overview of the tool and its basic functions.

Default Mode

We start DirBuster and only input http://testphp.vulnweb.com/ in the target URL field. Leave the rest of the options as they are. DirBuster will now auto switch between HEAD and GET requests to perform a list based brute force attack. Let's hit Start. DirBuster gets to work and starts brute forcing, and we see various files and directories popping up in the result window.

Questions:
In this first step we are using the file 'apache-user-enum-1.0.txt'. What is the content of this file? How can these lists help you in your penetration testing job?

SecLists: https://github.com/danielmiessler/SecLists/tree/master
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

GET Request Method

We will now set DirBuster to only use the GET request method. To make things go a little faster, the thread count is set to 200 and the "Go Faster" checkbox is checked.

Questions:
▪ What are the security issues related to the GET method?
▪ What are the other HTTP methods?
▪ In the graph above, DirBuster shows the column 'Response'. What are the different HTTP response codes and what do they mean?

In the Results – Tree View we can see the findings.

Pure Brute Force (Numeric)

DirBuster allows a lot of control over the attack process; in this step we will be using only numerals to perform a pure brute force attack. This is done by selecting "Pure Brute Force" in the scanning type option and selecting "0-9" in the charset drop-down menu. By default, the minimum and maximum character limits are set. In the Results – Tree View we can see the findings.

Single Sweep (Non-recursive)

We will now perform a single sweep brute force where the dictionary words are used only once. To achieve this, we will unselect the "Be Recursive" checkbox. In the Results – List View we can see the findings.

Targeted Start

Further exploring the control options provided by DirBuster, we will set it up to start looking from the "admin" directory. In the "Dir to start with" field, type "/admin" and hit Start. In the Results – Tree View we can see the findings.

Blank Extensions

DirBuster can also look into directories with a blank extension; this could potentially uncover data that might otherwise be left untouched. All we do is check the "Use Blank Extension" checkbox. We can see the processing happen and DirBuster testing to find directories with blank extensions.

Search by File Type (.txt)

We will be setting the file extension type to .txt; by doing so, DirBuster will look specifically for files with a .txt extension. Type ".txt" in the File extension field and hit Start. We can see the processing happen and DirBuster testing to find files with a .txt extension.

Changing the DIR List

We will now be changing the directory list in DirBuster: Options > Advanced Options > DirBuster Options > Dir list to use. Here is where we can browse and change the list to "directory-list-2.3-medium.txt", found at /usr/share/dirbuster/wordlists/ in Kali.
We can see the word list is now set.

Following Redirects

DirBuster by default is not set to follow redirects during the attack, but we can enable this option under Options > Follow Redirects. We can see the results in the scan information as the test progresses, and the results in the Tree View.

Attack through Proxy

DirBuster can also attack using a proxy. In this scenario, we try to open a webpage at 192.168.1.108 but are denied access. We set the IP in DirBuster as the attack target. Before we start the attack, we set up the proxy option under Options > Advanced Options > Http Options. Here we check the "Run through a proxy" checkbox, input the IP 192.168.1.108 in the Host field and set the port to 3129. We can see the test showing results.

Adding File Extensions

Some file extensions are not set to be searched for in DirBuster, mostly image formats. We can add these to be searched for by navigating to Options > Advanced Options > HTML Parsing Options. We will delete jpeg in this instance and click OK. In the File Extension field we will type in "jpeg" to explicitly tell DirBuster to look for .jpeg format files. We can see in the testing process that DirBuster is looking for and finding jpeg files.

Evading Detective Measures

Exceeding the warranted requests per second during an attack is a sure way to get flagged by any kind of detective measures put in place. DirBuster lets us control the requests per second to bypass this defense. Options > Advanced Options > Scan Options is where we can enable this setting. We are setting Connection Time Out to 500, checking "Limit number of requests per second" and setting that field to 20. Once the test is initiated, we will see the results. The scan was stopped to show the initial findings. Once the scan is complete the actual findings can be seen.
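From the defender's side, the "detective measures" mentioned above usually mean a web server log being watched for the pattern a wordlist scan leaves: one source sending many requests for distinct paths in a short time, most of them answered with 404. The following script is an added example (not part of the tutorial or of DirBuster) that applies that check to constructed Apache/Nginx combined-format log lines; the thresholds, IP addresses and timestamps are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_bruteforce_sources(lines, window_s=10, min_requests=15, min_404_ratio=0.8):
    """Return {ip: (requests, 404s, distinct_paths)} for every source that, inside one
    window_s-second window, sent >= min_requests of which >= min_404_ratio were 404."""
    per_ip, flagged = defaultdict(deque), {}
    for rec in filter(None, map(parse_line, lines)):
        q = per_ip[rec["ip"]]
        q.append(rec)
        while (rec["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()                       # drop requests older than the window
        n404 = sum(1 for r in q if r["status"] == 404)
        if len(q) >= min_requests and n404 / len(q) >= min_404_ratio:
            flagged[rec["ip"]] = (len(q), n404, len({r["path"] for r in q}))
    return flagged

def sample_log():
    """Constructed sample: one normal visitor, then a wordlist scan of 17 guesses
    inside one second (the tutorial's 'Limit number of requests per second' is 20)."""
    fmt = '{ip} - - [05/Sep/2023:10:00:{sec:02d} +0000] "{m} {p} HTTP/1.1" {s} 512 "-" "-"'
    lines = [fmt.format(ip="10.0.0.5", sec=i, m="GET", p=p, s=200)
             for i, p in enumerate(["/", "/index.php", "/images/logo.png"])]
    words = ["admin", "backup", "cgi-bin", "config", "dev", "images", "old", "passwords",
             "phpmyadmin", "secret", "test", "tmp", "upload", "users", "www", "xml", "zip"]
    for i, w in enumerate(words):
        lines.append(fmt.format(ip="192.0.2.77", sec=5 + i // 20, m="HEAD",
                                p="/" + w + "/", s=200 if w == "images" else 404))
    return lines

if __name__ == "__main__":
    for ip, (n, n404, paths) in find_bruteforce_sources(sample_log()).items():
        print(f"{ip}: {n} requests, {n404} x 404, {paths} distinct paths")
```

Lowering the requests per second, as the tutorial does, only stretches the burst over time; widening `window_s` (or counting per hour) catches the slowed-down scan as well.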
Once you have completed this tutorial you need to apply it to your lab environment.

======== start metasploitable 2 virtual machine =================
There is a web server running on Metasploitable 2 on port 80. Perform an analysis of the web server using 'DirBuster'.
What sensitive folders have you found?
What sensitive files have you found?
- If you have found a sensitive file, try opening it and look at the content. Anything interesting?
Default credentials for DVWA: (admin, password)

------------------- start metasploitable 3 Linux virtual machine =============
Repeat the exercise. What did you find? What's different about this virtual machine?
SQL injection in payroll_app.php by using admin' or '1'='1

================================== Let's explore other tools

Let's execute the whois command with warwick.ac.uk as our target.
--------------- questions -------------------------
What are the two DNS servers used by Warwick?
extdns1.warwick.ac.uk
extdns2.warwick.ac.uk
What are the IP addresses associated with the DNS servers used by the domain name warwick.ac.uk?
137.205.84.17
137.205.84.18
------------------------------------------------------
Let's execute the whois command against the Oxford University website. What notable difference do you see between the two results? Hint: look at the name servers and the IP addresses.
Let's execute the whois command against estad.net.

=============================== downloading a website offline for analysis
Let's install HTTrack: apt-get install webhttrack
Question: What are the benefits of analysing a website offline?
wget -O output.html
Download http://testphp.vulnerable.com. Are you able to browse it? http://testphp.vulnerable.com
===============================
I couldn't open it, forbidden with all commands, even curl.
Let's discover our target infrastructure using a website link extractor.
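The payroll_app.php finding above works because the login concatenates the username into the SQL text, so the quote in admin' or '1'='1 closes the string and the rest becomes SQL. The following is an added example (not the Metasploitable 3 application's code) with a constructed SQLite users table, showing the concatenating query next to the parameterized one that treats the same input as plain data.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the payroll users table (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "S3cret!", 90000), ("bob", "hunter2", 40000)])
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL statement.
    With username = "admin' or '1'='1" the WHERE clause turns into
    username = 'admin' or '1'='1' AND password = '...', which matches admin
    regardless of the password."""
    sql = ("SELECT username, salary FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    """Placeholders: the driver binds the values, so a quote in the input is
    compared literally against the column and never changes the query."""
    sql = "SELECT username, salary FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

PAYLOAD = "admin' or '1'='1"   # the input quoted in the lab notes above

def bypass_works(conn, login_fn):
    """True if the payload logs in as somebody with a wrong password."""
    return len(login_fn(conn, PAYLOAD, "wrong-password")) > 0

if __name__ == "__main__":
    db = make_db()
    print("concatenated query bypassed:", bypass_works(db, login_vulnerable))
    print("parameterized query bypassed:", bypass_works(db, login_parameterized))
```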
=============== gather info about technology
Gather the list of technologies and configuration used by any website → https://builtwith.com/
------------------------- using whatweb to find out what applications run on the website

======== network infrastructure =================
Now let's run one of the most useful commands for footprinting and network enumeration. As part of the result you get the following sub-commands. For each sub-command (intel, enum, viz, track, etc.), we can simply run 'amass enum -h' to understand how to use it.
Let's run this command to search all public databases for the domain and its subdomains. After a few seconds (sometimes a minute or two) you will see the results appearing on the page.
• In practice, it's good to save subsequent scans of the same domain in the same folder. To check all the different scans we ran, we use the command → amass db -dir /home/kali/mywarwick -list
• In order to run a more aggressive scan, we can use a brute-force list of subdomain names:
=========================== → amass enum -d warwick.ac.uk -src -ip -brute -dir /home/kali/mywarwick
• Run the command: amass enum -h
• What are the meanings of the switches used in the amass command (i.e. -d, -src, -ip, -dir)? Ans: -d tells amass which domain to focus on; -src and -ip tell it to include the source and the IP address for each finding.
• == Let's create some digital art ===============
Let's execute the following command → amass viz -dir /home/kali/mywarwick -d3
Yes, another tool. Done 9/5/2023