Reconnaissance - USALearning

Transcription

Reconnaissance

Table of Contents

Reconnaissance
Phase 1 – Active and Passive Reconnaissance
Phase 1 – Reconnaissance
Passive and Active Reconnaissance
Information Gathering
Seven Steps of Reconnaissance
Footprinting
Notices

Reconnaissance

So what is reconnaissance?

Phase 1 – Active and Passive Reconnaissance

Phase 1 – Active and Passive Reconnaissance
Phase 2 – Scanning and Enumeration
Phase 3 – Gaining Access
Phase 4 – Maintaining Your Access
Phase 5 – Covering Your Tracks

Well, again, we're talking about the first step in the ethical hacking methodology. Again, we're just getting started, and the very first thing that we're going to want to do is find something to hack into, and that's what we try to accomplish with reconnaissance.

Phase 1 – Reconnaissance

All you know at this point is the name of the organization you have been given as a target.
Now you must determine:
- Do they have a presence on the internet? (www.domain.info)
- Can I find their IP space? (nslookup; set type mx; domain.info)
- Can I find its employees' email addresses/phone numbers?
- Can I build a hierarchy of the employees?
- Can I build a relationship map to other companies?
- Can I build an understanding of their security posture/policies/infrastructure?

And so with the first phase here, as you start an ethical hacking engagement, or as you start a pen test engagement, what do you usually start with? You usually have just a name-- Company X, Government Organization Y-- and you're told, "Go after them, and find out-- be a hacker-- find out what you can access, how much information can you get." And so just armed with that one piece of information, Company X, what do you do?

Well, there are a bunch of things that you actually have to go out and try to do, because that's what the attacker's going to do. And so you're going to try to find: Do they have an internet presence? Generally everybody is connected to the network. They've got websites full of information that you can use. What is their IP address space? As a hacker, you won't have this information. As an ethical hacker working for your organization, you probably already come armed with your own network IP space. Again, you're a system administrator; you probably know that type of information.

But if you don't, there are ways of going about getting that, and we'll talk about this. Can you find employee email addresses, phone numbers, addresses? Why would you think you might need somebody's email address? Again, put on your ethical hacking hats, what would you do with an email address?

Student: Send them a phishing email.

Chris Evans: Send them a phishing email. Yep. What about their address? Why would you need their address or phone number?

Student: It would look like the same as everybody else's. Like everybody else would have the same "at"-

Chris Evans: Oh, like naming conventions.

Student: Yes.

Chris Evans: Yep. So you could get naming conventions from it. Why else? Yes, sir?

Student: Guessing passwords. A family dog's name, (inaudible) that type of stuff.

Chris Evans: Yep. How many of you use passwords that are related to family members and pets? Of course nobody in this class. But I guarantee that there are a lot of people out there who do. You'd be surprised. I'm from-- I live in Texas. I'm not from Texas. I'm from Los Angeles. Hence my little mascot here. But the password that-- when I was out doing pen tests and vulnerability assessments-- "Cowboys01!" You know how many times that password popped up as somebody's password? And these were pen tests done outside of Texas, not just in Texas. I don't know. I suspect Packers would probably be pretty good for a password too. Something to do with Steelers would probably be pretty good here as well. It's amazing what people will use for their password.

But why would I need a physical address? Maybe because I want to show up at your office and do some type of social engineering attack against you. We'll talk a little bit about that.

Hierarchy of employees, maybe an org chart or something like that so you know where people fit. Let me pick on Michael here. Why would it be important for me to know who Michael's boss is? Again, as an ethical hacker. Why would I need to know your boss? What could I do with that information?

Student: Useful in a social engineering attack.

Chris Evans: What kind?

Student: "His boss told me that he needs to do this for him."

Chris Evans: Bingo.

Student: Something like that.

Chris Evans: Yep. I could show up in his office with a work order signed by his boss and say, "Yep, I'm here to do this, and this was approved by your boss." I've done that several times and it works very, very well, because just the implication that your boss has approved this, you're much more likely to agree to whatever it is that I'm selling, even if it might be malicious.

Can I build a relationship map to other companies? Understand the principle that various hackers are lazy, and so if I've got two companies and they have a shared intranet between the two-- Company X has really weak security; Company Y has really good security-- how am I going to attack the company with really good security? Am I going to break down the door and try to go after them directly? Probably not. As an ethical hacker, what I would want to do is I would understand that the hackers are lazy and they understand that Company X talks to Company Y through some type of privileged or shared VPN or something like that. But this company is the weaker from a security standpoint. So if I can hack into here and then ride that privileged backend to get into the more secure company, that's a lot easier than just breaking down the door at the company with good security. And so understand as an ethical hacker that these are the types of things that the hackers out there are looking for. They're looking for relationships; they're looking for ways to connect-- that companies connect-- and how to get into systems. And the most obvious route of breaking down the front door may not always be the best. There's usually side doors, back doors, ventilation vents and all sorts of other things that are out there that you can take advantage of as a hacker.

Can you build an understanding of their security posture, the policies, the infrastructures that they have in place? You'd be surprised to find the amount of information that you can get on a company's security posture just by asking questions, doing Google searches, doing all of this reconnaissance and enumeration that we're talking about here. Why would that be good information? Well, if your job as an ethical hacker is to figure out how those systems can be circumvented, and you understand that the hackers out there are using things like Google and web queries to find this type of information, you can go and start scrubbing that off of various websites. You can pull that information off. That might be one of your recommendations: "Look, I found out that we have network maps out here that show all of our IP addresses, show all of our servers, all of the configurations. All of that is out here on the internet. We probably want to police that up and make sure that it's not available somewhere, or at least available out there to the various hackers."

And so if you can build an understanding of your target's security posture, number one, you'll be able to go and make solid recommendations at the backend; but two, you're feeding your ability to do the next few phases of the ethical hacking methodology, because you'll be able to take this information that you find here and start targeting individual systems, start attacking individual systems.

Passive and Active Reconnaissance

Passive Reconnaissance – gathering information on a target without their knowledge of your actions
- Example: Using the Internet to research a target (domain registrations, web pages, email addresses)
Active Reconnaissance – gathering information on a target where the potential exists that your actions will be seen by the target
- Example: Port scanning the target domain's network looking for hosts and open services

Passive reconnaissance: We're talking about information that you gather from a target without interacting with it, or at least without directly interacting with it, so that your target has no knowledge of your actions. Again, things like Google queries, Google Maps, Google Earth, that sort of thing. So pulling information off of Google is a good example of a passive reconnaissance step.

Active reconnaissance: You're gathering information, but the potential exists that somebody's going to see that. So if you're doing a port scan where you're actually sending packets to a system on your target network, somebody might see that. Chances are they're not going to see it because there's so much traffic out there, there's so many port scans going on already that most security administrators look at that and go, "Eh, whatever. I'm being port scanned. It's not a big deal." Although I will tell you that I did a vulnerability assessment at one particular location and fired off our little scanning engine to kind of identify hosts and printers and everything else that was on the network, and probably within 15 minutes I was getting a phone call from a system administrator. They had a-- there was the primary network that everybody used, and then there was this side network that was not a special system, but a different system that was being used for other purposes. And I got a call from the administrator through our point of contact and they said, "So, are you guys scanning stuff?" We're like, "Well, yes." Like, "Why?" It's like, "We're seeing all these port scans and ping sweeps and everything else come in, and it looks like"-- I mean, when we went out and did these vulnerability assessments, it was very rapid, very loud. There was no intent of hiding or anything. But I mean, they'd actually seen all of these scans come in and they had identified that it was coming from this particular room in this particular building, and they were able to track us down.

After four years of doing pen tests and vulnerability assessments, it was the only place that I ever went that ever saw anything like that, and it was because they had a system administrator who was sitting there looking at traffic coming in. They had a very clear understanding of what their baseline was, so they knew that I shouldn't be seeing ping scans from anybody, because I'm already behind the big firewall. So I'm already inside the network. So if I'm seeing ping scans or port scans or anything else, something is probably wrong-- either a tool is misconfigured or somebody's actually looking for me. And so they just wanted to kind of track us down and figure out whether we were legitimate or not. But again, out of so many pen tests and vulnerability assessments, that was the only place that I had seen do that. So I would say that's the exception rather than the norm.

So generally, yeah, there's big warnings about doing active reconnaissance, but is anybody really going to see it? Probably not.
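The administrator in the story above caught the assessment because they knew their baseline: inside the firewall, nobody should be pinging whole ranges or walking ports on one host. The following is an added example (not part of the course material) of that baseline check run over constructed firewall log lines; the log format, the source addresses and the thresholds are all assumptions made for this example.

```python
# Added example (not from the course): flag the ping sweeps and port scans
# the administrator in the story noticed, by comparing each source against
# a baseline of "nobody inside the firewall should be probing". Log format
# and thresholds are constructed assumptions for this example.
from collections import defaultdict

# Constructed lines: "<time> <src_ip> <dst_ip> <proto> <dst_port or '-'>"
SAMPLE_LOG = """\
10:00:01 10.1.5.20 10.1.8.1 icmp -
10:00:01 10.1.5.20 10.1.8.2 icmp -
10:00:01 10.1.5.20 10.1.8.3 icmp -
10:00:02 10.1.5.20 10.1.8.4 icmp -
10:00:02 10.1.5.20 10.1.8.5 icmp -
10:00:03 10.1.5.20 10.1.8.7 tcp 22
10:00:03 10.1.5.20 10.1.8.7 tcp 80
10:00:03 10.1.5.20 10.1.8.7 tcp 443
10:00:03 10.1.5.20 10.1.8.7 tcp 445
10:00:04 10.1.5.20 10.1.8.7 tcp 3389
10:00:05 10.1.7.33 10.1.8.7 tcp 443
10:00:06 10.1.7.33 10.1.8.9 tcp 443
bad line that a real parser must not choke on
"""

SWEEP_HOSTS = 5   # distinct hosts pinged by one source (assumed baseline)
SCAN_PORTS = 5    # distinct ports probed on one host by one source

def parse_log(text):
    """Yield (src, dst, proto, port); port is None for ICMP. Skips junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, proto, port = parts
        yield src, dst, proto, None if port == "-" else int(port)

def detect_recon(text, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return sorted (src, kind, detail) alerts for sources over threshold."""
    pinged = defaultdict(set)   # src -> hosts it sent ICMP to
    probed = defaultdict(set)   # (src, dst) -> TCP/UDP ports it touched
    for src, dst, proto, port in parse_log(text):
        if proto == "icmp":
            pinged[src].add(dst)
        elif port is not None:
            probed[(src, dst)].add(port)
    alerts = [(s, "ping_sweep", len(h)) for s, h in pinged.items()
              if len(h) >= sweep_hosts]
    alerts += [(s, "port_scan", d) for (s, d), p in probed.items()
               if len(p) >= scan_ports]
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG):
        print(alert)  # two alerts, both for 10.1.5.20
```

The second source, 10.1.7.33, touches two hosts on one port each and stays under both thresholds, which is the kind of normal traffic the baseline has to tolerate.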

Information Gathering

Sometimes referred to as open-source intelligence, is the action of searching for publicly available information via the internet, or "open sources", to build a map/understanding of the organization, its people/employees, and relationships to other organizations
Main Tools
- Search Engines/Sites – Improve information gathering on a target organization by using search engine tags
- DNS (Domain Name System) – Determine IP space

Information gathering: This is another term that you'll see used in combination with reconnaissance and footprinting-- the idea that information gathering is kind of like open source intelligence gathering. You're using public websites or public information to gather or connect information on your target to try to understand who they are, what they do, networks, size and structure, if you can find that, and relationships to other organizations, again, so you can do the: If Company X is weaker than Company Y but they trust each other, then I'm just going to go after the weaker of the two. And so how you would do this: Mainly with a search engine, Google.

I'll tell you what, Google will pay dividends to you as you go out and do pen tests and everything else. There's a lot of stuff that Google reaches, very little of it that they don't actually reach. So chances are good that if you plug a couple search terms into Google with regard to your target, you're actually going to find something, and something useful.

The other thing that you can use is DNS, the Domain Name System, and this is a great way to find IP address spaces, network blocks that might be in use by your particular target. It's also a good way to determine what not to scan. Again, having done vulnerability assessments, one of the big things that we had to do every single time was have our authorization letter that said, "You're hereby authorized to do scans, exploits, whatever, against this IP address block and this IP address block only." And so we would make sure that in all of our scanning tools and anything else that we could plug an IP address into, it had to be part of that IP address block. If for some reason somebody fat-fingered something and we sent packets towards a different IP address, we'd always turn immediately to DNS and go, "Okay, who does that belong to? Did we just create an international incident?" Fortunately we never did, but DNS can give you information not only on your target but on things that might not be your target that you've hit by accident and you want to go figure out if you need to do damage control.
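The "this IP address block only" rule from the authorization letter is something a tool can enforce before a scanner is ever pointed at a target. This is an added example (not from the course): a scope check that rejects any candidate that is not wholly inside an authorized block, including a fat-fingered mask that merely overlaps scope. The authorized blocks and candidate targets are constructed for the example.

```python
# Added example (not from the course): enforce the authorization letter's
# "this IP address block only" rule before any scanner is pointed at a
# target. The scope and candidate lists are constructed for this example.
import ipaddress

# Constructed: blocks named in the (hypothetical) authorization letter.
AUTHORIZED = ["192.0.2.0/24", "198.51.100.128/25"]

def parse_targets(scope):
    """Parse CIDR blocks or single IPs; strict=False tolerates host bits."""
    return [ipaddress.ip_network(t, strict=False) for t in scope]

def in_scope(candidate, authorized):
    """True only if the whole candidate block lies inside one authorized block.

    A range that merely overlaps scope (e.g. 192.0.2.0/23) is rejected: a
    fat-fingered mask would otherwise send packets at someone else's space.
    """
    for net in authorized:
        if candidate.version == net.version and candidate.subnet_of(net):
            return True
    return False

def check_scope(candidates, authorized=AUTHORIZED):
    """Return (allowed, rejected) lists of the original target strings."""
    auth = parse_targets(authorized)
    allowed, rejected = [], []
    for raw in candidates:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            rejected.append(raw)           # not an address at all
            continue
        (allowed if in_scope(net, auth) else rejected).append(raw)
    return allowed, rejected

if __name__ == "__main__":
    targets = ["192.0.2.17", "192.0.2.0/25", "192.0.2.0/23",
               "198.51.100.5", "198.51.100.200", "203.0.113.9", "bogus"]
    ok, bad = check_scope(targets)
    print("allowed:", ok)
    print("rejected:", bad)
```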

Seven Steps of Reconnaissance

Footprinting
1. Unearth initial information (passive)
2. Locate network range (active)
Scanning
3. Identify active hosts
4. Discover open ports
Enumerating (active)
5. Detect host OSs
6. Reveal running services
7. Map the network

The seven steps of reconnaissance. Generally the way this is laid out is you have footprinting, scanning, and enumeration. So footprinting comes in two flavors, passive and active, as we showed about a couple slides ago. Passive, you might be looking at information, or initial information. You might be trying to find a network range-- again, the IP addresses that you're going to go after.

With scanning, you're starting to look at individual hosts or trying to find hosts on a network and what those ports are that are open on that. That's a little bit-- well, it's certainly more active than regular footprinting.

And then you turn to enumerating, where you're actually going after operating systems, you're trying to find users, you're trying to find services that are running. So if you look at this from a standpoint of progression, you're starting here at the top with footprinting where you've got the entire internet. You do footprinting to slim that down to your target network. So it might be, let's say, 1000 IP addresses. And then you're going to do scanning to find out what the alive hosts on there are. So out of those 1000 IP addresses, let's say 200 of them are actually open and have something running on them. And then you go through enumeration, where you're now trying to find particular information from those alive hosts. So if this is a progression, it starts out very broad, and you use footprinting to reduce it; you use scanning to figure out what's relevant to you; and then you enumerate what's actually alive and available to you and what you think might be useful.

Footprinting

Part of the Reconnaissance Phase – often, the terms Footprinting and Reconnaissance are used interchangeably.
Process of gathering information to create a blueprint or map of an organization's network and systems
Objective is to gain insight into the target – to "know your enemy"
Footprinting is one of three pre-attack phases:
- Footprinting
- Scanning
- Enumeration

And so footprinting, again, it's part of the reconnaissance phase. You'll see it used interchangeably with reconnaissance. Generally you're trying to create a blueprint or a map of the network that you're going against. Again, it goes back to that reduction. You can't scan the entire internet. You can-- it'll take you forever, and it won't give you anything useful. But during a pen test or an ethical hacking engagement, you're going to start off with the internet; you need to whittle it down to what's useful to you, and you do that with footprinting. And it's one of the three pre-attack phases of reconnaissance. Again, it goes footprinting, scanning, enumerating. And you're going from big down to what's really useful. That's the whole point behind scanning, reconnaissance and footprinting and enumeration.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below.

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN "AS IS" BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT is a registered mark of Carnegie Mellon University.
