What is hacking actually looks like when it is not in the movie “Wargames” in which a middle schooler magically log in theirs school’s “vulnerable”grading system as a high privilege user after insert a floppy disk into a big-head computer in his bedroom so he can change his biology grade from F to C in a snap? It is not that easy, it needs patience, strategy, it takes time, might as long as two terms of two different presidents of United State (See how Iran nuclear plant being exploited by Stuxnet Malware). However, there also is a common strategy that being used by most of cyber attack — Cyber Kill Chain.
This blog will dig into how first stage of Cyber Kill Chain — Reconnaissance works in a technical way from an attacker perspective. Which information is wanted specifically and which tools can be used to achieve that? And some of my personal experience and preferences when I dealing with those tools will be provided so this article won’t just boring like a man page.
- Getting to know the weakest spot of your target —Human
When we look back on the successful exploitations conducted by elite APT hacker groups, one thing in common is human is most likely be the first one who get exploited and compromised so attackers can gain theirs first access into the system. It’s not impossible for attackers to crack the credentials of a public facing SSH server or router by brute force in order to get initial access, there is a possibility in there and this actually happened in a company I dealt with before. But comparing with strategy like brute force which not only consumes ridiculously amount of processing power but also makes a loud noise that can makes you easily expose yourself, social engineering is definitely a shortcut to take. In the end, this most essential information to make this phishing exploitation happens seem simple— Email Addresses.
“theHarvest” tool comes in handy when you want to automatically extract a list of email from the website of your target. By giving the website of your target and the source you want to use to search for email addresses, theHarvest will enumerate email addresses for you.
Syntax:
theHarvest -d <taget website> -d <source>
example: theHarvest -d zwduck.com -d google
Tips: Don’t limit the power of theHarvest within google, theHarvest supports many other resources, sometimes bing or duckduckgo or Linkedin might have a better result.
2. Scan Network from outside
Hands are tied when scanner is placed outside of the network, there are firewalls, DMZ, bastions, and not to say IT guys are doing their job. But we should also believe that human make mistakes. I have seen a VPN router using default credentials has been left 443 port open to public and after authenticated there is a built in cmd tool which is able to open a shell of router’s operating system for you. Anyway, scanning from outside is not a “low hanging fruit” which can provides a quick result, but who knows.
When we start scanning, we may think of the most essential and widely-used scanner—Nmap, but there is no need to jump on Nmap right now because there are couple of preparation steps need to be done before we bring Nmap out.
First step is find what IP range of your target using, If there is a big name company we are talking about, bgp.he.net will help you identify the IP range for you, if it is a small company whose IP range is relatively small and not publicly available, social engineering might works at its best.
Second step is after IP range is identified, the IP addresses that are accessible for us need to be extracted from this list. “Ping Sweep” is what we want and “netdiscover” is the enumeration tool can be used in this stage
Syntax:
netdiscover -r <subnet address>
example: netdiscover -r 192.168.1.0/24
Third step is where Nmap comes to play, Nmap is able to detect opening port, potential operating system and even conduct a vulnerability scan. Since Nmap has numerous functions and being called a Swiss Army Knife of network utilities, I will only pick some tips and tricks of Nmap.
1)Don’t forget there is might still have a firewall in between of you and your target, so use SYN scan to make it stealthy. A regular scan will get blocked by firewall or IPS for most of time, but I SYN Scan can bypass them.
Syntax:
nmap -sS <Target IP address>
2) A loud banner scan will provide you a much more detailed information including version number of running service, but it will also get you blocked. It is a tradeoff but still worth a try.
Syntax of banner scan I prefer
nmap -sV -sT <Target IP address>
3) Identify the operating system using fingerprinting: Result of this scan is mainly for reference use since the result it not 100% accurate. If OS is a router’s OS, you target probably is a VPN router, if OS is a Linux box, your target might be a web server. Making a good guess is absolutely a critical part of hacking.
Syntax:
nmap -O <Target IP address>
4) Don’t give up on unpopular ports: By default, Nmap will go through top 1000 popular ports. But some hidden gem may running on a random port. I have heard a company migrates mysql port from 3306 to a higher port. Scanning all ports can be a dreadful and hideous project, but enumeration is the key to find vulnerability.
Last step is be persistent, picking up your methodology of network scanning and set it up as a cronjob to run it on daily basis because you never know what going to happen tomorrow. Make a bash script, run you scanner, and then compare the output with output from yesterday. All you need to do is check the different between today and yesterday.
Next part of Reconnaissance will discuss about the result of port scanning, when we looking at an opening port, what should we think about and what need to be done, and what can be done.
Thank you!!1