1. CSCD 434
Lecture 3
Spring 2019
Reconnaissance

2. Attack Stages There are many reasons why attacks happen
Altruistic reasons from white hat hackers to sheer profits from cyber criminals
Serious attackers, accomplish goals in stages
Ed Skoudis, well-known security expert identifies
5 stages of attack
He is a SANS instructor, author of popular book, Counter Hack Reloaded, 2nd Ed.
Step-Step/dp/

3. Attack Stages 1. Reconnaissance 2. Scanning 3. Gaining Access
4. Maintaining Access
5. Covering Tracks and Hiding
Today, look at Reconnaissance ...

4. Reconnaissance
Reconnaissance is probably longest phase, sometimes lasting weeks or months
Learn as much as possible about target business and how it operates, including
Internet searches
Social engineering
Dumpster diving
Domain name management/search services
Non-intrusive network scanning

5. Scanning
Once attacker has enough information to understand how business works and information of value
He or she begins process of scanning perimeter and internal network devices looking for weaknesses, including:
Open ports
Open services
Vulnerable applications, including operating systems
Weak protection of data in transit
Make and model of each piece of LAN/WAN equipment

6. Gaining Access
Gaining access to resources is whole point of a modern-day attack.
Usual goal is to either extract information of value to attacker or use network as launch site for attacks against other targets
Attacker must gain some level of access to one or more network devices
Once access is gained, has to increase his privilege to administrator level so can install applications used to exploit resources

7. Maintaining Access
Having gained access, attacker must maintain access long enough to accomplish his or her objectives
Attacker must be stealthy, so as to not get caught while using host environment
Trojans, Rootkits or other malicious malware is typically used.
Aim to maintain access to target until he accomplished tasks

8. Covering Tracks and Hiding
After achieving his or her objectives, attacker often takes steps to hide intrusion leaves controls left behind for future visits
No thief wants to get caught. A smart hacker always clears evidence so that later, no one will find any traces leading to him
This involves modifying/corrupting/deleting Logs, modifying registry values and uninstalling applications and deleting folders

9. Another Model of Attack Stages
Our book has another attack
model known as
Cyber Kill Chain, Chapter 1
Developed by military contractor,
Lockheed Martin patterned after military process to target and engage an enemy

10. Steps of an Attack Cyber Kill Chain outlines steps of an attack:
1. Reconnaissance - probe for information about the system: type of hardware or software used
2. Weaponization - attacker creates an exploit and packages it into a deliverable payload
3. Delivery - weapon is transmitted to the target
4. Exploitation - after weapon is delivered, the exploitation stage triggers the intruder’s exploit
5. Installation - the weapon is installed to either attack the computer or install a remote “backdoor”
Steps of an Attack
Cyber Kill Chain outlines the steps of an attack:
1. Reconnaissance - probe for information about the system: type of hardware or software used
2. Weaponization - attacker creates an exploit and packages it into a deliverable payload
3. Delivery - weapon is transmitted to the target
4. Exploitation - after weapon is delivered, the exploitation stage triggers the intruder’s exploit
5. Installation - the weapon is installed to either attack the computer or install a remote “backdoor”
CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 10 10

11. Steps of an Attack
Cyber Kill Chain outlines the steps of an attack (cont’d):
6. Command and Control - the comprised system connects back to the attacker so that the system can be remotely controlled by the attacker
7. Action on Objectives - now the attackers can start to take actions to achieve their original objectives
Steps of an Attack
Cyber Kill Chain outlines the steps of an attack (cont’d):
6. Command and Control - the comprised system connects back to the attacker so that the system can be remotely controlled by the attacker
7. Action on Objectives - now the attackers can start to take actions to achieve their original objectives
CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 11 11

12. Reconnaissance

13. Purpose of Reconnaissance
What is the purpose of reconnaissance?
Find out information about target(s)‏
More experienced attackers
invest time and resources
in information discovery
Like bank robbers
Do they just decide one day to rob a bank?
No. At least successful ones
Research vaults, locks, address of bank and map an escape route
Computer Attack – no different

14. Attack Reconnaissance
Sources
Low Technology
Social Engineering
Physical Reconnaissance
Dumpster Diving

15. Attack Reconnaissance
Social Engineering
Employees give away sensitive
information
Most successful are calls to employees
Call help desk as “new” employee for help with a particular task
Angry manager calls lower level employee because password has suddenly stopped working
System administrator calls employee to fix her account ... requires using her password

16. Social Engineering
Social engineering works, because it exploits human vulnerabilities
Desire to help
Hope for a reward
Fear of making a mistake
Fear of getting in trouble
Fear of getting someone else in trouble

17. Social Engineering Most Talented Social Engineer How did he do it?
Kevin Mitnick, served almost five years in prison for breaking into computers and “stealing” data from telecommunications companies
How did he do it?
Built up inside knowledge, developed trust relationships, and lots of patience
To get information needed to complete a hack, Mitnick spent days
Learning internal company lingo
Developing emotional connections with key people
Security personnel and system administrators

18. Social Engineering is Easy
Example
Compare Social Engineering vs. Traditional way to obtain user password
Assume already have user name, Ex. ctaylor
Got it from Web site, news or forum group
Traditional Steps
1. Scan network to identify open ports
2. Assume you got an open port and machine didn't have
latest patches, install a rootkit onto victim network
3. Map entire network, looking for a password file
May be large number of subnets and hosts

19. Social Engineering is Easy
4. Locate and copy encrypted password file
Need to dump password file to your server to process the file
Remain stealth entire time, modifying logs, altering registry keys to conceal when files were accessed
5. Run cracking tools against encrypted file
In privacy of own network, John the Ripper or Cain and Able will crack the file
Takes about a week ...

20. Social Engineering is Easy
Compare Social Engineering vs.
Traditional way to obtain user password
Same goals but now with Social Engineering
1. Make a phone call,
2. Make another phone call, while you are chatting, ask for and receive logon credentials
May be able to do it in one step, if lucky!!

21. Defences for Social Engineering
User Awareness
Train them to not give out sensitive information
Security awareness program should inform employees about social engineering attacks
No reason why a system administrator ever needs you to give him/her your password
Help desk should have a way to verify the identify of any user requesting help
Other ideas?

22. Attack Reconnaissance
Physical Reconnaissance
Several Categories
Tailgaiting, Shoulder Surfing, other tricks
Tailgaiting
Usually easy to look like you belong to an organization
Can sometimes walk through the door
Can pose as someone related to an employee to gain access
Temps, contractors, customers and suppliers all potentially have access

23. Tailgaiting Follow an authorized person into building
Look like you belong, have reason for being there, dress the part and act like you belong
Phone company or other service technician
Once inside, person is not typically challenged
Key, Looks like he belongs
Has company logos, or carries briefcase, toolkit
People take person at face value
Partly social engineering too

24. True Story Person on the right looks like person on the left
Person below walked around
A NIST building in
Washington DC
unchallenged
Guards
even held open doors for
him to enter secure areas

25. Tailgaiting Physical Reconnaissance Defences
Once inside, have access to lots of information
Physical access to internal networks
Passwords, user information, internal telephone numbers, anything you want
Defences
Badges and biometric information
Educate people against letting people into the building
Teach employees to question people they don't know

26. Shoulder Surfing
Another physical method of gaining sensitive information
Coffee shops, airport lounges, hotel lobbies
Many people are completely unaware of being spied upon
What can you learn?
Private sessions, government documents, corporate secrets, user names or passwords
Even classified documents over the shoulder of an unwary government employee
Defense – Be aware of who is around

27. Dumpster Diving Originated by phone phreaks Precursor to hackers
AT&T's monopoly days, before paper shredders became common
Phone phreakers used to organize regular dumpster runs against phone company plants and offices
Their Target
Discarded and damaged copies of AT&T internal manuals
Learned about phone equipment

28. Attack Reconnaissance
Dumpster Diving
In General
Go through someone’s trash
Recover copies of
Credit card receipts,
Reports,
Passwords, usernames and other sensitive information

29. Dumpster Diving EWU Mall in Spokane Student in Spring, 2008 found
SSN number, address and SAT scores of high school student applying to EWU
Mall in Spokane
Another student, Fall 2008
Found little of interest when he staked out a store and had trouble accessing trash
Found some information, not sensitive

30. Defense Against Dumpster Diving
Defence
Shred all paper including post-it notes
Don’t throw away thumb drives, CD’s or other electronic media
Secure trash areas, fence, locked gates

31. Technical Attack Reconnaissance

32. Domain Names Domain Names Registration process provides Registrars
Guarantee of unique name
Enter name in Whois and DNS Databases
Registrars
Before 1999, one registrar, Network Solutions
Now, thousands of registrars compete for clients
complete list of registrars

33. Domain Names Internet Network Information Center
Search for domain name’s registrar
Comes back with registrar and other information

34. Internic.net/whois.html
phptr.com

35. Example from Internic.net/whois
phptr.com

36. Example Whois Query Tryit, Lets enter counterhack.net
Answer is
Domain Name: COUNTERHACK.NET
Registrar: NETWORK SOLUTIONS, LLC
Whois Server: whois.networksolutions.com
Referral URL:
Name Server: NS1.NETFIRMS.COM
Name Server: NS2.NETFIRMS.COM
Status: clientTransferProhibited
Updated Date: 21-jun-2006
Creation Date: 22-jun-2001
Expiration Date: 22-jun-2008

37. Attack Reconnaissance
Whois DB’s
For other countries, use
Military sites, use
Education, use

38. Attack Reconnaissance
Details from the Whois DB
After obtaining the target’s registrar, attacker can obtain detailed records on target from whois entries at registrar's site
Can look up information by
Company name
Domain name
IP address
Human contact
Host or server name

39. Attack Reconnaissance
Details from the Whois DB
If only know Company’s name
Whois DB will provide lot more information
Human contacts
Phone numbers
addresses
Postal address
Name servers – the DNS servers
Network Solutions

40. Counterhack.net Skoudis, Edward 417 5TH AVE FL 11
Registrant:
Skoudis, Edward
417 5TH AVE FL 11
NEW YORK, NY US
Domain Name: COUNTERHACK.NET
Administrative Contact : Skoudis, Edward
Phone:

41. Counterhack.net .. Old Data - 2007
Technical Contact :
Network Solutions, LLC.
13861 Sunrise Valley Drive
Herndon, VA , US
Phone:
Fax:
Record expires on 22-Jun-2008
Record created on 22-Jun-2001
Database last updated on 21-Jun-2006
Domain servers in listed order:
NS1.NETFIRMS.COM
NS2.NETFIRMS.COM

42. Attack Reconnaissance
ARIN DB
In addition to the Whois DB, another source of information is the American Registry for Internet Numbers (ARIN)‏
ARIN maintains Web-accessible, whois-style DB lets users gather information about who owns particular IP address ranges
Can look up IP’s in North and South America, Caribbean and sub-Saharan Africa
Use:
Then, type in IP address at the whois prompt
In Europe use, Re’seaux IP Euorope’ens Network Coordination Centr (RIPE NCC)

43. Attack Recon Whois command
Or, instead of going to the Internet, you can just type whois from the command line of Linux
If the port number is not blocked!!!
$ whois counterhack.net
This will display all of the information available from
the public dns records for that domain

44. Attack Reconnaissance
Domain Name System (DNS)‏
DNS is a worldwide hierarchical DB
Already said ... Organizations must have DNS records for their systems associated with a domain’s name
Using DNS records, attacker can compile a list of systems for attack
Can even discover Operating System

45. Domain Name Hierarchy Root DNS Servers com DNS Servers net DNS Servers
org DNS Servers
counterhack.net DNS Server
Example counterhack.net

46. Attack Reconnaissance
Querying DNS
First, find out one or more DNS servers for a target system
Available from records gathered from the Whois DB
Listed as “name servers” and “domain servers”
One common tool used to query DNS servers is the nslookup command
Included in all Unix flavors and Win NT/2000/XP

47. Attack Reconnaissance
DNS Query
First try to do a Zone transfer
Says “give me all the information about systems associated with this domain”
First use a server command to set DNS server to target’s DNS server
Then set the query up to retrieve any type of information
And finally to do the zone transfer

48. Attack Reconnaissance
DNS Query
Dig command
dig – Unix variations must use this for Linux
$ counterhack.net -t AXFR
This does a zone transfer ... might not work
Excellent reference for dig here
Defences against DNS Queries
Must have DNS records
Need to map between IP addresses plus need to indicate name and mail servers

49. Attack Reconnaissance
Defence against DNS Queries
Restrict Zone Transfers
Only reason you allow Zone transfers is to keep secondary DNS server in sync with primary server
Configure DNS server to only allow Zone transfers to specific IP Addresses
Can also configure Firewalls or router to restrict access to TCP port 53 to back-up DNS server

50. Attack Reconnaissance
General Purpose Reconnaissance Tools
Can also research target through attack portals on the web
Sites allow you to do research and even initiate an attack against the target

51. More Tools ShodanHQ http://www.shodanhq.io/
SHODAN is a search engine that lets you find specific computers (routers, servers, etc.)‏
Using a variety of filters
Some have also described it as a public port scan directory or a search engine of banners

52. More Tools What does SHODAN index?
Bulk of data is taken from 'banners', which are meta-data the server sends back to the client
Information about the server software,
Options the service supports,
Welcome message or other information
Very useful for identifying specific machines

53. More Tools Maltego Comes with Kali Linux
Allows you to enumerate network and domain information like:
Domain Names
Whois Information
DNS Names
Netblocks
IP Addresses
Comes with Kali Linux
Overview
security/maltego-tutorial-for- beginners/
Also allows you to enumerate People information like:
addresses associated with a person's name
Web sites
Social groups
Companies and organizations
Phone numbers

54. Maltego

55. Attack Reconnaissance
Summary
At the end of this phase the attacker has information needed to move on to the next phase
Scanning
At a minimum have
Phone number
List of IPs
Address and domain name
Lucky – has Operating System and Server names

56. References Mark Ciampa Johny Long Kevin Mitnick Ed Skoudis
Security + Guide to Network Security Fundamentals
Johny Long
No Tech Hacking, Syngress, 2008
Kevin Mitnick
The Art of Deception, Wiley, 2002
Ed Skoudis
Counterhack Reloaded, Ch. 5, 2006
Step/dp/ /ref=cm_cr_pr_product_top

57. The End
Lab this week is Background on Nmap and Reconnaissance