/ Work in Progress /
Introduction & OSINT.
Reconaissance is a part of pentesting process.
Information is the key to Strategy, and it happens before attack. In pentesting process, before we can exploit target system, we gather intelligence - both technical and non-technical - and build image of the target organization and it's systems. This will make it easier for us to perform attack, to exploit our target(s).
Types of reconnaissance
- Passive: Intelligence gathering without interaction
- We collect information from public sources
- Active: Interaction with target
- Sending requests and receiving responses
- Login attempts
- Ports scanning
- Nmap
- Nessus
- Nikto
- Interaction will leave tracks, for example in logfiles
- Going beyond scope of test agreed with customer in the pre-engagement phase
(see: PTES phases in previous article) of the pentest is law infringement
Enumeration
- Detailed analysis of services, machines and applications
- Identifying users by iterating
- Active technique
OSINT: Open Source Intelligence
- Also known as: 'White Intelligence'
- Three pillars of OSINT
- Gathering intelligence about target organization
- Obtaining information about infrastructure
- Gathering other data
- Sensitive information leaks
- Passwords
- Email addresses
- Other sensitive data
When we gather intelligence about our target, at first we want to know the target organization.
- What it does?
- Whom it employs?
- Where it is located?
We build general image of the target.
Location:
- Large organization may be located in many cities or even nations
- On web pages and in social media we may find photos of the locations, both inside
and outside
- Sometimes on interior photos we can find sensitive informations
- Employee list
- WiFi password
- Other
- Outside photos can be used to find out where are cameras, which routes can be
taken to enter the building
- There were cases where hackers found camera model on image and used it to
hack the camera, gaining unauthorized admin access
- On interior photos sometimes computers can be seen, with running software
This little bit of information can have serious consequences sometimes
Employees:
- Often on webpages we can find information about employees, which can be a starting
point for social engineering attacks
- Data about employees can also be found in LinkedIn and in other social media
- We can find information about company itself
- Whether target company is large or small
- Whether employees are employed for long, or if there's high rotation of personnel
- This may affect employees morale, and unhappy worker can be easy target for
attacks
- It happens that on LinkedIn - for example - we want to make employer to contact us
easier and we put information about our email address or telephone number in our
profile
- Sometimes on organization's webpage there are documents to download. These files
might contain sensitive informations
- Often file formats contain metadata that can be extracted. This might
contain used software, employee's name or even login, etc.
This information may let us to profile our attack better
- For example, if we notice that employee uses archaic version of
excel program, we might succesfully use specially prepared xls
file to perform an attack
- There's tool called: 'exiftool' that can be used to extract metadata
- Colleecting contact information
- Email addresses
- Phone numbers
- Hunter.io is one of many tools that allow us to find a person by his/her name
and surname
Organization's workings (what/how it does)
- All kinds of sales results
- Operation reports
- Financial reports
- What organization offers
- Services offered
- What kinds of products are sold
- How these products work
- Manuals
- Tutorials
- You Tube films
- Activities of employees in social media
- All kinds of company-related photos
- 'Another day in office'
- Corporate events
Discussion forums where support solves users' problems can be real treasury of informations.
There are services that allows to easily read reports, check connections between organizations or to check person to see connected organizations.
- For example: przeswietl.pl
All of the connected informations are useful, help us to get right image of target organization and to enhance our potential attack surface.
Reconnaissance: Domains & Subdomains.
/ To be continued /
No comments:
Post a Comment