Reconnaissance

Most of all attacks on your network will begin with them trying to gain as much information about you as possible. With the amount of data readily accessible on the web and even the dark web, it's almost child's play to get information. Sometimes the most straightforward and the most effective way to get information is to fake an interview. I had a recent interview where the lead DevOps engineer gave away his entire infrastructure and all the security holes they hoped to fill. I will not talk about how to do this, but you as a company or security professionals should be aware not everyone is not honestly interviewing for the position. Some banking customers rob their bank, so whos to say that a potential employee doesn't have other means besides actually providing their expertise. See my post on social engineering to better understand how to protect your company from this type of threat. Aside from using social engineering attackers have an arsenal of tools that allow them to probe and scan your network to extract data about your systems. Let's review them and how to prevent these tools from harming your network.

Whois

When registering your company domain, you provide the registrar information concerning your postal address, phone numbers, a point of contact, and authoritative domain name servers. Most of this information can be used to conduct social engineering and scanning attacks. Whois is easily accessible from the web or on UNIX systems from the terminal. Another useful bit of information whois provides is if your organization was assigned a block of IP addresses. These IP addresses can be used to scan and probe your network for openings. Even if the only thing they get is your DNS, this is very useful for the next phase of the attack.

Defense

Sadly you have very little real defense here, and unfortunately, you're forced to accept this is the way the internet is. You can choose to use fake information to register your domain to prevent social engineering but what and if there is an emergency and someone needs to contact you? Some companies allow you to register through them and enter their contact information instead of yours. The possible negative here is incident handlers often rely on whois to contact each other quickly when there is an incident. Time is not on our side, so this gives the attacker more time for an attack. The only best solution is to use your company's organization name in replace of real names for contact. This abstraction limits the value for social engineers, however, be sure to have someone who can respond to any request via whois. You want to limit social engineering but allow someone to get to an incident handler when it's necessary.

Dig and nslookup

Domain name systems are full of useful information about a target. An attacker will use tools like dig or nslookup to discover as many IP addresses as possible. If an attacker is allowed to complete a zone transfer, they can dump all the records associated with a particular domain.

Windows

Using PowerShell complete the following commands to perform a zone transfer and dump the records.

# executes the nslookup application in windows
nslookup
# changes the default server to the specified DNS domain.
server $DNS_ip_addres_or_name_youre_trying_to_attack
# changes the resource record type for the query.
set type=any
# lists information for a DNS domain. -d is equal to set type=any
ls -d $target_domain
# dump packets using port 53 using TCP dump
# -nn means to not resolve IP addresses and to include port numbers
tcpdump -nn port 53 and host $DNS_IP

NSLOOKUP Command Line | Windows Command Line.

Useful tip: if you have a list of IP addresses you would like to target code a for-loop to iterate over each DNS and execute the following and export your results in a text file.

Unix

Using shell use the following command to initiate a zone transfer

# -t AXFR sets query type to zone transfer
dig @$DNS_Server_IP $domain_name -t AXFR

Perform TCP dump and iterate over a list of IPs if you have multiple targets

Defense

  • Only allow zone transfers from your secondary DNS
  • Secondary DNS should not allow zone transfers from anyone
  • Use split DNS
    • External names should be on your external DNS
    • Internal names should be on your internal DNS

Web searches and Google Hacking

Corporate websites almost always contain contact information like phone numbers and computing platforms or architecture. This information is useful for social engineering attacks and knowing which exploits to use against your system. Search engines are also helpful for searching for information about a target. Job boards are too precious in gathering information about a company's infrastructure and platforms. An attacker could then try his/ her luck in applying and talking to HR to collect even more information. Google hacking is an entire subject within its self and will not be discussed in this post, however, google dorks is an excellent tool for beginners to get the idea.

Other Tools

PIPL

PIPL is a great tool to find users and their associated accounts. Most people use the same username for all of their accounts so from there you can use NAMECHK to see what other accounts they may have to craft an email spoofed as XM Radio asking to update their account information with a link to malicious code.

NAMECHK

Namechk searches for a particular username and returns all accounts associated with those usernames. The tool was originally designed to allow users to chose a username that will be unique to them.

Pushpin

Pushpin is personally the greatest tool for social engineering. You can track peoples social media post and location. You could craft a text message or email asking how the concert was or pose as a friend they may have made. Another great feature is it returns photos they post to social media. You could clone badges or on the defense side to see if an employee is leaking serial numbers or other secrets.

Defense

  • Limit and control information
  • Perform risk analysis on public information
  • Generalize employment ads
  • Determine what sites are linking to yours
  • Look for web spiders and crawlers in web application logs

Web tools

Shodan

Shodan is an online based tool that crawls the internet and indexes service banners. By indexing service banners shodan can keep records of which services are running, open ports, vendor information, and version numbers. In some ways, Shodan is like traditional scanners such as NESSUS. Shodan can allow an attacker to know your network without actually touching it.

Nmap, Network mapping

Nmap is a favorite network-analysis tool used for mapping a network and finding open ports. Nmap maps the network by sending ICMP echo request. If there is a response, Nmap assumes the host is up and if not the host is down. After Nmap confirms the host is up, it begins identifying which ports are open. Because different applications respond to request differently, Nmap can determine the version of the software. For better understanding, I have listed the types of request that can be sent to the responding system.

  • SYN Synchronize
  • ACK Acknowledge
  • FIN Finilize or end connection
  • RESET End unestablished connection
  • URG Urgent Data is included
  • PUSH Data should be pushed through the TCP stack

Nmap allows the attacker to perform various types of scans using these types of request. Below illustrates the types of scans and what makes them unique. I have only listed common and most useful types of scans below. For detailed information please refer to Nmap documentation.

  • Ping sweeps
    • ICMP echo request
  • SYN scans
    • Only sends the initial SYN and waits for the SYN-ACK response. Very quick and hard to detect because the 3-way handshake never completed
  • ACK scans
    • Useful in getting through router based firewall rules if it allows established connections.
  • FIN scans
    • Sends packets with only the FIN control bit to bypass firewalls
  • UDP scans
    • Sends packets with an empty payload with the exception to some ports
      • Application appropriate payloads to ports (53, 111, 161, ...)
  • TCP seq prediction
    • Useful in spoofing attacks.

Below are some useful examples

#Nmap defaults to common ports only

# Scan a single IP
nmap $targetIP
# Scan a host www.somehostname.com
nmap $somehostname
# Scan a range of IPs 192.168.1.1-20
nmap $IPRange
# Scan a subnet 192.168.1.0/24
nmap $subnet
# Scan targets from a text file list-of-ips.txt
nmap -iL $someTextFile

# Scan a single Port    
nmap -p $port $targetIP
# Scan a range of ports 1-255
nmap -p $port-range $targetIP

# Scan using TCP connect
nmap -sT $targetIP
# Scan using TCP SYN scan (default)
nmap -sS $targetIP
# Scan UDP list of ports 123,161,162 192.168.1.1
nmap -sU -p $comma_delimiter_ports $targetIP

# Detect OS and Services
nmap -A $targetIP
# Standard service detection
nmap -sV $targetIP

# Save default output to file
nmap -oN outputfile.txt $targetIP
# Save results in a format for grep
nmap -oG outputfile.txt $targetIP
# Detect Heartbleed vulnerability
nmap -sV -p 443 --script=ssl-heartbleed $targetIPSubnet

Defense

  • Close all unused ports
  • Utilize stateful packet filters
  • Use proxy firewalls
  • Utilize IDS
  • Inspect logs for connection attempts

Use of netstat for checking open ports

netstat is available on Windows and UNIX machines to determine which ports are in use and their associated applications.

On windows, you can use a GUI application called TCPView to monitor port activity. The two basic commands on windows are as follows

# Shows ports and associated process ID
netstat -nao
# Shows EXE and DLLs associated with ports
netstat -nab

Unix machines by default give more information than their windows counterparts. Use the following commands to check for ports.

# Show ports and associated process IDs and program names
sudo netstat -- P
# To get full detail run
sudo lsof -i
# Run this command to get more information on a particular PID
sudo lsof -p $process_ID

Windows guide to disabling services using admin PowerShell
PowerShell

kill the process

wmic process $process_ID delete

disable the service

sc query
sc stop $service_name
sc config $service_name start= disable #inlcude the space

Linux guide to disabling services. Youll need to edit the xinetd file and rc files.

```bash
#comment out lines
sudo nano /etc/inetd.conf
#add "disabled=yes"
sudo nano /etc/xinetd.d
# disable service
systemctl list-units --type service
systemctl disable $service

OSX guide to disabling services

# list of current services aka daemons
launchctl list
# stop the service
sudo launchctl stop $service_name
# remove the service
sudo launchctl remove $service_name

Takeaways

Whois

Remember attackers can leverage who is information to orchestrate an attack.

  • Contact Social engineering, deceiving users into giving up useful information
  • Phone Numbers War dialing, find unsecured modems
  • Postal Address Wardriving, finding unsecured wireless access points or poor physical security
  • IP Addresses Scanning

DNS Dangers

Remember if you don't correctly configure the DNS an attacker can gather internal IP addresses to start probing.

  • Zone Transfers Only allow zone transfers on your secondary DNS
  • Split DNS Split your DNS into external and internal

Web searches and Tools

Remember attackers can use not only your website but sites linking to yours as information about your environment.

  • Website Contact information & sensitive documents
  • Pipl & Pushpin Allows attackers to find people in your organization, locate them, exploit wifi systems or your people via social engineering
  • Shodan Check shodan frequently as a reference to your network and what the public knows about it
  • Google Hacking Use google to find sensitive information before the bad guys do.

Remember once its posted online it's online forever. Tools like web-archive keep a history of your website and all the changes you make.

Port scanning

Remember to close all unused ports and disable and remove all un-needed processes to those ports.

  • Nmap Used to map your network and check ports
  • Ports Any open port raises risk for intrusion

One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks.

Surveillance is going to happen, and there is not a lot you can do about it. Do your best to harden your system and make the correct configurations and do your best at handling real threats.

If this has been helpful to you, please support this blog by buying a coffee