Pentesting: The Art of Reconnaissance.

Introduction & OSINT.

Reconnaissance is a part of the pentesting process.

Information is the key to strategy, and it is gathered before the attack. In the pentesting process, before we can exploit the target system, we gather intelligence, both technical and non-technical, and build an image of the target organization and its systems. This makes it easier for us to perform the attack and exploit our target(s).

Types of reconnaissance
- Passive: intelligence gathering without interaction
  - We collect information from public sources
- Active: interaction with the target
  - Sending requests and receiving responses
  - Login attempts
  - Port scanning
    - Nmap
    - Nessus
    - Nikto
  - Interaction leaves tracks, for example in log files
  - Going beyond the scope of the test agreed with the customer in the pre-engagement
    phase (see: PTES phases in the previous article) of the pentest is a breach of the law

Enumeration
- Detailed analysis of services, machines and applications
- Identifying users by iteration
- An active technique

OSINT: Open Source Intelligence
- Also known as 'white intelligence'
- Three pillars of OSINT
  - Gathering intelligence about target organization
  - Obtaining information about infrastructure
  - Gathering other data
    - Sensitive information leaks
      - Passwords
      - Email addresses
      - Other sensitive data

When we gather intelligence about our target, we first want to get to know the target organization.
- What does it do?
- Whom does it employ?
- Where is it located?

We build a general image of the target.

Location:
- A large organization may be located in many cities or even countries
- On web pages and in social media we may find photos of the locations, both inside
  and outside
  - Sometimes interior photos reveal sensitive information
    - Employee lists
    - WiFi passwords
    - Other
  - Exterior photos can be used to find out where the cameras are and which routes
    can be taken to enter the building
  - There have been cases where hackers identified the camera model from a photo and
    used it to compromise the camera, gaining unauthorized admin access
  - Interior photos sometimes show computers with their running software;
    this little bit of information can sometimes have serious consequences

Employees:
- Web pages often contain information about employees, which can be a starting
  point for social engineering attacks
- Data about employees can also be found on LinkedIn and in other social media
- We can find information about the company itself
  - Whether the target company is large or small
  - Whether employees stay for long, or whether there is high staff turnover
    - This may affect employee morale, and an unhappy worker can be an easy target
      for attacks
- It happens that on LinkedIn, for example, we want to make it easier for an employer
  to contact us, so we put our email address or telephone number in our profile
- Sometimes an organization's web page offers documents for download. These files
  might contain sensitive information
  - File formats often contain metadata that can be extracted. It might reveal the
    software used, an employee's name or even login, etc.
    This information may let us profile our attack better
    - For example, if we notice that an employee uses an archaic version of
      the Excel program, we might successfully use a specially prepared xls
      file to perform an attack
    - There's a tool called 'exiftool' that can be used to extract metadata
- Collecting contact information
  - Email addresses
  - Phone numbers
  - Hunter.io is one of many tools that allow us to find a person by his/her first
    name and surname
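The metadata check described above, as an added example that is not part of the original post: a small Python helper (standard library only) that pulls the /Info dictionary out of a plain PDF the way exiftool would, lists the fields that reveal the author and the software used, and blanks them, which is what a defender should do before publishing a document. The sample PDF, its author name and its fields are constructed for this example.

```python
import re

# Constructed sample (not a real company document): a minimal PDF whose /Info
# dictionary carries the metadata an exported office document typically has.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Title (Q3 report) /Author (jdoe) "
    b"/Creator (Microsoft Word 2010) /Producer (Acrobat Distiller 9.0) "
    b"/CreationDate (D:20240115103000Z) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

# Fields that tell an outsider who made the file, when, and with which software.
REVEALING = ("Author", "Creator", "Producer", "CreationDate", "ModDate")

def _info_object(data: bytes):
    """Find the object the trailer's /Info entry points at (match over the dict body)."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", data)
    if not ref:
        return None
    pat = rb"(?<![0-9])" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj"
    return re.search(pat, data, re.S)

def pdf_info(data: bytes) -> dict:
    """Parse the /Info dictionary of an uncompressed, classic-layout PDF. Files
    that keep Info in object streams or XMP need a full parser (exiftool has one)."""
    m = _info_object(data)
    if not m:
        return {}
    pairs = re.findall(rb"/(\w+)\s*\(([^)]*)\)", m.group(1))
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in pairs}

def revealing_fields(info: dict) -> dict:
    """The subset a defender should strip before publishing the document."""
    return {k: v for k, v in info.items() if k in REVEALING and v}

def scrub_info(data: bytes) -> bytes:
    """Blank the revealing values; /Title is kept. The sample has no xref table,
    so changing byte lengths is safe here; real files need a PDF library."""
    m = _info_object(data)
    if not m:
        return data
    body = m.group(1)
    for key in REVEALING:
        body = re.sub(rb"/" + key.encode() + rb"\s*\([^)]*\)",
                      b"/" + key.encode() + b" ()", body)
    return data[:m.start(1)] + body + data[m.end(1):]
```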

Organization's workings (what it does and how)
- All kinds of sales results
- Operation reports
- Financial reports
- What organization offers
  - Services offered
  - What kinds of products are sold
    - How these products work
      - Manuals
      - Tutorials
      - YouTube videos
- Activities of employees in social media
  - All kinds of company-related photos
    - 'Another day in office'
    - Corporate events

Discussion forums where support staff solve users' problems can be a real treasury of information.

There are services that allow us to easily read reports, check connections between organizations, or look up a person to see the organizations connected to them.
- For example: przeswietl.pl

All of the collected information is useful: it helps us form an accurate image of the target organization and expand our potential attack surface.


Reconnaissance: DNS, Domains, Subdomains & Virtual Hosts.

The first part of collecting technical data about the attack target is finding domains and subdomains.

The following tools might be useful:
- whois
- dig
- dnsenum
- subfinder
- ffuf
- internet services
  - dnsdumpster.com
  - crt.sh
  - shodan.io
  - censys.io
  - ...

Information contained in DNS records
- A: IPv4 address
- MX: mail server address
- NS: DNS name server address
- TXT: allows arbitrary text to be attached to the domain

Virtual hosting

Virtual hosting (VHOSTing) is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. The term virtual hosting is usually used in reference to web servers, but the principles do carry over to other Internet services.

One widely used application is shared web hosting. The price for shared web hosting is lower than for a dedicated web server because many customers can be hosted on a single server. It is also very common for a single entity to want to use multiple names on the same machine so that the names can reflect services offered rather than where those services happen to be hosted.

The /etc/hosts file

The /etc/hosts file acts as a static lookup table for hostnames. Users can put IP addresses with hostnames, one line per IP address, in this file.
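As an added illustration (not from the original post) of how the two mechanisms interact: a Python model of a name-based virtual host table and a parser for /etc/hosts syntax. The server at 203.0.113.10 picks the site from the Host header, so a client needs the name, not just the address; the addresses, names and sites are constructed.

```python
import ipaddress

# Constructed /etc/hosts content (a sample, not taken from a real system).
HOSTS_FILE = """\
127.0.0.1       localhost
# lab web server that hosts several names on one address
203.0.113.10    www.example.test intranet.example.test
"""

# Constructed name-based vhost table of the server at 203.0.113.10. A vhost name
# is not a secret: any client that reaches the IP and sends the name is served,
# so an internal site needs authentication or network controls, not obscurity.
VHOSTS = {
    "www.example.test": "public marketing site",
    "intranet.example.test": "staff portal",
}
DEFAULT_SITE = "default vhost (server placeholder page)"

def parse_hosts(text: str) -> dict:
    """Map hostname -> IP from /etc/hosts syntax: one IP per line followed by
    one or more names; '#' starts a comment; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            table.setdefault(name.lower(), ip)
    return table

def serve(host_header: str) -> str:
    """What the server at 203.0.113.10 answers for a given Host header: an
    HTTP/1.1 server selects the site by name, so the IP alone is not enough."""
    return VHOSTS.get(host_header.lower(), DEFAULT_SITE)

def fetch(name: str, hosts_table: dict) -> tuple:
    """Client side: resolve through the static table, then send the name as the
    Host header. Returns (ip contacted, site served)."""
    ip = hosts_table.get(name.lower())
    if ip is None:
        raise LookupError(f"{name}: not in the hosts table, DNS would be queried")
    return ip, serve(name)
```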


What is DNS and how it works?





OSINT & Data Leaks.

Sometimes, mostly because of service misconfiguration, sensitive data is indexed by internet search engines and leaks onto the internet. As part of OSINT reconnaissance we should check what internet search engines 'know' about our organization and whether it is more than the organization would allow.

Google Dorks / Google Hacking is the skill of forming advanced queries that allow precise searching and the inclusion of specific phrases.

Example: We want to find all subdomains of the tesla.com web page.
  We use the phrase: 'site: *.tesla.com'.
Example: We want to search for files in .pdf format.
  We use the phrase: 'filetype: pdf'.
We can combine the above phrases with a 'normal' search.
Example: 'site: *.tesla.com filetype: pdf cybertruck'

A guide to indexable file types can be found by searching Google.
  (Search for: 'indexable file types').

For more of the Google search engine's operators, search for: 'operators intitle: google'.

We can use advanced queries, for example, to search for web app errors.
  intext:"mysql_query()" inurl:wp-login

Another use case for Google dorks is searching for backups that have leaked onto the internet.
  intitle:"index of" "database.sql.zip" OR "database.sql.gz" OR "db.sql"
  -stackoverflow

To summarize: when doing OSINT reconnaissance ('Open Source Intelligence'), it is worth including techniques of advanced search in Google, also called 'Google Dorks'.

Another tool for OSINT is 'Grayhatwarfare.com'.
Grayhatwarfare.com is a tool that collects data leaked from cloud storage sites.

Shortened links ('bit.ly', 'ow.ly', 'tinyurl', ...) also pose a threat to the confidentiality of an organization's data and can result in data leaks. Shortened links to sensitive data behind long URLs can be easily shared and/or remembered, so employees sometimes use them out of laziness or for practical reasons. Such links allow brute force attacks: the address space of where such links lead can be enumerated, because the idea behind short links is to use as few characters in the shortened URL as possible. Such attacks can allow the discovery of confidential data or of application entry points that were never meant to be exposed.

Grayhatwarfare.com also aggregates shortened links, in addition to indexing more or less confidential files.

Another serious data leak is the leaking of passwords. Users often use the same password in many places, and when one of them is compromised, there's a chance that the leaked password will work in other services. If MFA (Multi-Factor Authentication) is not enabled, the consequences can be disastrous. This form of attack is called 'password reuse'.

Sites such as 'dehashed.com' or 'haveibeenpwned.com' can help in learning whether one's passwords have leaked.

There are also websites that provide a dehashing service (cracking hashed/encrypted passwords), or simply databases of cracked hashes. Examples are 'crackstation.net' and 'hashes.com'.

When someone really wants to crack a password, they can simply pay for the computational power to crack it. They will succeed; it's just a matter of time and money, after all.

Sites like 'dehashed.com' can also be used to find email addresses and usernames.

Also worth noting: users might use similar passwords for many services, following a pattern that helps them memorize them. For example: 'myhardpasswordadobe2024' and 'myhardpasswordgmail2013'. Knowing such a pattern might help break the password for a given service.

At this point (during reconnaissance) we only collect the data; later we can use it to perform the pentest attacks.


Services Fingerprinting.

Fingerprinting is the discovery of which technologies the target uses, in preparation for an attack. Fingerprints might be responses to requests, specific files and/or response times.

Fingerprinting techniques:
- Banner grabbing: analysis of server responses to requests. Servers often 'introduce
  themselves', telling us which server, in which version, we are talking to
- HTTP header analysis
- Analysis of specific responses (to requests)
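Header analysis in practice, as an added example that is not from the original post: a Python script over a constructed Apache/PHP/WordPress response that collects the fingerprint signals named above (banner headers, characteristic session cookie names, the HTML generator tag) and lists the exact versions disclosed, which is what a defender reviews to decide what to suppress. The response bytes and the cookie-to-platform table are constructed for this example.

```python
import re

# Constructed sample (not captured from any real host): the headers a default
# Apache + PHP + WordPress installation announces on every response.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    b"Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
    b'<html><head><meta name="generator" content="WordPress 5.2"></head></html>'
)

BANNER_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
COOKIE_HINTS = {  # session-cookie names that are characteristic of a platform
    "PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET", "wordpress_test_cookie": "WordPress",
}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into ([(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body.decode("utf-8", "replace")

def fingerprint(raw: bytes) -> list:
    """(evidence, inference) pairs from banners, cookie names and generator tag."""
    headers, body = parse_response(raw)
    found = []
    for name, value in headers:
        if name in BANNER_HEADERS:
            found.append((name, value))
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0]
            if cookie in COOKIE_HINTS:
                found.append(("cookie " + cookie, COOKIE_HINTS[cookie]))
    m = re.search(r'<meta name="generator" content="([^"]+)"', body, re.I)
    if m:
        found.append(("meta generator", m.group(1)))
    return found

def disclosed_versions(raw: bytes) -> list:
    """Exact version strings given away. A defender suppresses these (Apache
    ServerTokens Prod, PHP expose_php=Off, dropping the generator tag) so a
    scanner such as Nikto has nothing to match against its vulnerability list."""
    return [inf for _, inf in fingerprint(raw) if re.search(r"\d+\.\d+", inf)]
```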

Wappalyzer is a tool for identifying the technologies used by a web application. It can currently identify over 1500 technologies. It's an extension for the Firefox web browser. It's a very useful tool for web app security analysis, so it's worth learning and using.

Another useful source of information about the technologies a company uses are employment portals such as LinkedIn. Companies reveal which technologies they use when they advertise the job vacancies they need to fill. Cybersecurity job offers are the most valuable source of information, and a potential attacker might use them to learn what he/she will have to face when performing the attack.

BuiltWith.com is an advanced technology scanner that tells what a website is built with, but also tracks changes in the technologies used and offers a history of what was used earlier. It reports not only the frameworks and libraries used, but also the SSL certificates, hosting, mail servers and analytics systems. It's available through a web interface or as a web browser plugin. It also offers an API that can be used to integrate it with our own web reconnaissance scripts.

Command-line tools available in Kali Linux for web page reconnaissance are:
- curl
- whatweb

Our interaction with the server might quickly be blocked by a WAF (web application firewall).

There are tools such as wafw00f that help identify the type of firewall in use. It can currently identify over 100 types of firewalls.

One of the more popular web application firewalls is Cloudflare.com. We do not know the IP address of the server we want to interact with, so all traffic has to go through the Cloudflare servers. But if Cloudflare is misconfigured, DNS records might reveal the real IP address(es) of the server behind it, allowing Cloudflare to be bypassed.

There are techniques for bypassing web application firewalls, but during reconnaissance we only collect information on whether, and what types of, firewalls are installed. Techniques for evading firewalls are a topic for future article(s).

Another web tool for quick web app reconnaissance is Netcraft (sitereport.netcraft.com), which aggregates many different pieces of information.

Nikto is one of the oldest command-line security scanners available. It can detect potentially dangerous files and obsolete server versions, and it can identify misconfigured configuration files. It has a large database of common vulnerabilities and can help us detect so-called 'low hanging fruit', i.e. vulnerabilities that are easy to find. It is a noisy scanner, however, and leaves a lot of traces of our activity in the scanned server's log files.

It's estimated that about 40% of web pages on the internet use the WordPress CMS. If we find (for example with Wappalyzer) that a web page uses WordPress, we can use the command-line tool specifically tailored for scanning WordPress web apps: wpscan. It can be run with the --stealthy mode parameter, for example.
