December 27, 2015

GHR 103 – Reconnaissance

OBJECTIVES:

There is a 7 step process to information gathering (aka. Reconnaissance). Each step will be broken out into its own topic. The seven steps are:

  • Topic 103.1 – Information Gathering.
  • Topic 103.2 – Determine the Network Range.
  • Topic 103.3 – Identify Active Machines.
  • Topic 103.4 – Finding Open Ports.
  • Topic 103.5 – Fingerprinting Operating Systems.
  • Topic 103.6 – Fingerprinting Services.
  • Topic 103.7 – Mapping the Attack Surface.

Topic 103.1 – Information Gathering

  • RULE : Develop a system for profiling targets.
  • RULE : Create a matrix with fields to record the domain name, IP subnets and hosts, DNS servers, employees, email addresses, open ports, and banner details.
  • RULE : Before visiting the organization’s website directly, search for it on google, yahoo, and bing.  Look for URLs that are not only the public domain name that you know about (cnn.com), but also the subdomains like money.cnn.com or support.cnn.com.
  • RULE : While searching, be sure to look for restricted URLs that are not accessible by the public or anonymous users.
  • RULE : A great source of intelligence is the company’s Internal Pages, like:
    • Their news feed.
    • Job postings.
    • Branch Office Addresses.
    • Branch Office Phone Numbers.
    • Internet Usage Policy.
  • RULE : Go to archive.org/web/ to find historical copies of the target website; some leaked information that they have since closed up may still be alive on archive.org.
  • RULE : Searching for the domain also brings back handy things like the organization’s social media accounts, from which to gather more intelligence.  Again, searching for cnn brought back twitter, facebook, and youtube links.
  • RULE : Sending an email to a bad address at the domain, like person-doesnt-exist@cnn.com, will bounce back from the email server and leak information to you such as the email server’s IP address and the server email application version.
  • RULE : You will want to gather intelligence about the physical layout of the target organization’s buildings, parking lots, and security gates to see if an attack against their wireless network is possible.  This is possible with Google Maps and Bing Maps.
  • RULE : As a good defense against job postings leaking infrastructure information, companies should keep their name confidential in the job posting.
  • RULE : If the target organization is using a confidential job posting, then you can get the same information from existing employees’ résumés; look for what they say they are working on from a technology standpoint.
  • RULE : Some job posting sites include:
  • RULE : To find people start by using a few personal information aggregation sites such as these:
  • RULE : Don’t forget to check the social media sites for the employees.  Not only what information they post about with words, but IT employees sometimes take pictures of their handiwork with hardware.  You can gain intelligence from the pictures they take in the company’s data center such as which brand of servers, networking gear, and security devices.
  • RULE : If the target organization is a publicly traded company then check the Securities and Exchange Commission’s EDGAR database at www.sec.gov and look for Form 10-Q and Form 10-K.
  • RULE : Review the 10-Q and 10-K forms and look for mergers and acquisitions.  The other company listed would be another attack surface.  A lot of times the 2 companies will connect their networks together in order to begin merging data.
  • RULE : Big Brother was a system administration application that displays the vital signs of an organization’s devices on a centralized web page.  Good news for hackers is that the default username of “bb” is well known and Google results will show installations of Big Brother.
  • RULE : Use Google advanced operators to reveal more details about the target.  Some operators include:
    • FileType,  is the operator to use to direct Google to return only matches against a type of file.  Try searching for targetcorp filetype:xls to return spreadsheets related to targetcorp.
    • Inurl, is the operator to use to have Google return matches for text in the URL.  For instance, to administer a WordPress site, the pages that do that are in the subdirectory named wp-admin so search for targetcorp inurl:wp-admin to get to the login page.
    • Link, is what to use to see which sites link to your target.  Try targetcorp link:www.targetcorp.com to see who links to targetcorp.com.
    • Intitle, is used to find words in the titles of web pages; for example, targetcorp intitle:"job description" will return the job descriptions on targetcorp.com.
  • RULE : allinurl:tsweb/default.htm will find web logins for Windows Terminal Servers.
  • RULE : Maltego is an open source intelligence and forensics application but somehow costs $750 from Paterva.
  • RULE : Shodan is a search engine and database of Internet Of Things (IoT) devices.
  • RULE : Usenet is a collection of user discussion groups distributed across Usenet servers.  You can browse the content without direct access by using Google Groups.
  • RULE : Cisco type 7 passwords are easily crackable because they use very basic encryption.
  • RULE : Cisco type 5 passwords conveniently use MD5, which is better than the type 7 passwords.
  • RULE : Cisco type 7 passwords can be cracked with Cain and Abel, the Cisco Password Decoder website, and many other websites.
  • RULE : The Internet Corporation for Assigned Names and Numbers (ICANN) primarily manages IP address space allocation, protocol parameter assignment, and domain name system management.  GoDaddy.com, NetworkSolutions.com, tucows.com, and others do the same thing and sell other stuff as well.
  • RULE : The Internet Assigned Numbers Authority (IANA) is part of ICANN and is a nonprofit private American corporation that oversees global IP address space allocation, autonomous system (AS) number allocation, root zone management in the Domain Name System (DNS), media types, and other IP-related symbols and numbers.
  • RULE : Internet service providers (ISPs) obtain their allocations of IP addresses from a local Internet registry (LIR), National Internet Registry (NIR), or from their appropriate Regional Internet Registry (RIR).  There are 5 Regional Internet Registries (RIRs), which are:
    • ARIN, which covers North and South America and, oddly enough, sub-Saharan Africa.  Use whois.arin.net if you have an IP address and need to find out who it is or who owns the address space.
    • APNIC, which covers Asia and the Pacific.
    • RIPE NCC, which covers Europe, Middle East, and parts of Africa.
    • LACNIC, which covers Latin America and the Caribbean.
    • AfriNIC, which covers Africa.
  • RULE : On Linux and OS X machines, you can perform a whois lookup right from the command line; just type whois targetcompany.com .
  • RULE : On Windows machines, you can buy and download a tool like SmartWhois for $39.  But a better option is to use DomainTools.com or some other site (including ICANN, IANA, and ARIN) for free.
  • RULE : To protect the organization from leaking information via a whois lookup, a domain proxy is used.  GoDaddy.com does this for an annual $7.99 fee and calls it Domain Privacy.
  • RULE : A DNS zone transfer is how DNS servers update each other by transferring the contents of their databases.
  • RULE : DNS zone transfers take 4 steps:
    • Step 1, the secondary name server starts by asking for the SOA record for the zone from the primary name server.
    • Step 2, the primary name server checks the list of authorized servers to see if the secondary name server is on that list.  If the secondary name server is on the list of authorized servers, then the SOA record is sent.
    • Step 3, the secondary name server must then check the SOA record to see whether there is a match against the SOA serial number that it already has.  If it matches then nothing else happens, since the 2 records are the same.  But if the SOA record that the primary has carries a higher serial number, then an update of the secondary name server is requested with an All Zone Transfer (AXFR).
    • Step 4, when the primary receives the AXFR, the entire zone file from the primary is sent to the secondary.
  • RULE : There are 13 DNS root servers that are named ‘A’ through ‘M’, as in m.root-servers.net.
  • RULE : The primary tool for querying DNS servers is nslookup, which works on Windows, Linux, and OS X.
  • RULE : IP version 4 DNS records and types are:
    • Record name of ‘Host’ has a record type of ‘A’ and is for mapping a domain name to an IP address.
    • Record name of ‘Pointer’ has a record type of ‘PTR’ and is for mapping an IP address to a domain name.
    • Record name of ‘Name Server’ has a record type of ‘NS’ and is for configuring settings for zone transfers and record caching.
    • Record name of ‘Start of Authority’ has a record type of ‘SOA’ and is for configuring settings for zone transfers and record caching.
    • Record name of ‘Service Locator’ has a record type of ‘SRV’ and is for locating services in the network.
    • Record name of ‘Mail’ has a record type of ‘MX’ and is for locating SMTP servers.
  • RULE : The SOA record has a timeout value.  The attacker will use this to know how long DNS poisoning will last.
  • RULE : DNS zone transfers occur on TCP port 53, while normal lookups happen on UDP port 53.
  • RULE : Another tool for interrogating DNS is dig.
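
The 4-step zone transfer above, modelled as an added Python example (not code from the original notes): the class names, zone, serials and addresses are made up, and the allow_transfer set stands in for the primary’s list of authorized servers, which is the control that keeps a stranger from pulling the whole zone.

```python
"""Simulation of the 4-step DNS zone transfer described above.

Added example: the classes below are a toy model, not a DNS
implementation, and the zone, serials and addresses are constructed.
"""
from dataclasses import dataclass, field

REFUSED = "REFUSED"          # step 2: requester is not an authorized secondary
UP_TO_DATE = "UP_TO_DATE"    # step 3: SOA serials match, nothing more happens
TRANSFERRED = "TRANSFERRED"  # step 4: primary sent the whole zone (AXFR)


@dataclass
class Zone:
    name: str
    serial: int                         # SOA serial number
    records: dict = field(default_factory=dict)


@dataclass
class PrimaryNameServer:
    zone: Zone
    allow_transfer: set                 # the "list of authorized servers"

    def soa(self, requester_ip):
        """Steps 1-2: hand out the SOA serial only to authorized secondaries."""
        if requester_ip not in self.allow_transfer:
            return None
        return self.zone.serial

    def axfr(self, requester_ip):
        """Step 4: send a copy of the entire zone, again gated by the allow-list."""
        if requester_ip not in self.allow_transfer:
            return None
        return Zone(self.zone.name, self.zone.serial, dict(self.zone.records))


@dataclass
class SecondaryNameServer:
    ip: str
    zone: Zone

    def refresh(self, primary):
        """Run steps 1-4 from the secondary's side and report what happened."""
        serial = primary.soa(self.ip)             # step 1: ask for the SOA record
        if serial is None:                        # step 2: we were not on the list
            return REFUSED
        if serial <= self.zone.serial:            # step 3: compare serial numbers
            return UP_TO_DATE
        self.zone = primary.axfr(self.ip)         # step 3-4: request AXFR, load the zone
        return TRANSFERRED


def demo():
    """Constructed scenario: one authorized secondary and one stranger."""
    primary = PrimaryNameServer(
        Zone("example.test", 2015122702,
             {"www": "198.51.100.10", "mail": "198.51.100.25"}),
        allow_transfer={"198.51.100.2"},
    )
    authorized = SecondaryNameServer("198.51.100.2", Zone("example.test", 2015122701))
    stranger = SecondaryNameServer("203.0.113.9", Zone("example.test", 0))
    return {
        "authorized_first": authorized.refresh(primary),
        "authorized_again": authorized.refresh(primary),   # serials now equal
        "stranger": stranger.refresh(primary),             # not in allow_transfer
        "records_now_held": sorted(authorized.zone.records),
    }
```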

Topic 103.2 – Determine the Network Range

  • RULE : To get the size of the network of a target organization:
    • Step 1, go to the command prompt and do an nslookup or a dig for the domain, like dig targetcorp.com.
    • Step 2, gather the IP address from the answer section, like 198.217.6.42.
    • Step 3, fire up a browser, go to the ARIN site, and enter 198.217.6.42 into the whois box.  Remember that whois works for domain names and IP addresses.
    • Step 4, look at the net range section from the results and you can see the range of IP addresses that the target organization has been allocated, like 198.217.6.0 to 198.217.7.255.
  • RULE : Traceroute can be used to determine the path and distance to the target.
  • RULE : Traceroute manipulates the decrementing counter value in the Time-To-Live (TTL) field in the IP header.
  • RULE : When using traceroute, a device along the path that receives a datagram with a TTL of 1 would have to decrement the value to 0 to send it along.  Since a TTL of 0 can’t be sent, the datagram is discarded and that device returns an ICMP type 11 code 0, “time to live exceeded in transit” message.
  • RULE : The Linux version of traceroute sends UDP packets, with a high-order port number like 33434 on which the device isn’t expected to actually be listening, while the Windows version sends ICMP packets.
  • RULE : The Windows version of traceroute, upon reaching the target, will get back a successful ping reply, which is an ICMP type 0 code 0 packet.
  • RULE : The Linux version of traceroute, upon reaching the target, will get back a port unreachable message, which is an ICMP type 3 code 3 packet.
  • RULE : The actual executable name of the Windows version of traceroute is tracert because of the old 8.3 naming convention.
  • RULE : If ICMP and UDP are blocked by a firewall, you can use TCPTraceroute on Linux and specify a legitimate port number like 80 which the firewall is already allowing through.
  • RULE : TCPTraceroute uses TCP SYN packets instead of UDP or ICMP so it’s not as easy to detect and block with a firewall.
  • RULE : TCPTraceroute never establishes a TCP connection with the target host.  If the host isn’t listening on the specified port, it will respond with an RST indicating that the port is closed.  If the target actually is listening on that port, it will return a SYN/ACK; normally in the 3-way handshake an ACK would be expected next, but TCPTraceroute sends an RST instead to tear down the attempted connection.
  • RULE : GUI versions of Traceroute include:
    • LoriotPro, is actually a Windows SNMP GUI, but has the side effect of showing the path between where it is installed and the target site.
    • Trout, performs parallel pinging for speed.
    • VisualRoute, $59.95 for Windows.
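
Here is an added Python model (not from the original notes) of the TTL mechanics in the traceroute rules above: the Hop and Target classes, the addresses and the blocks attribute are constructed, and the demo shows why a TCP probe on port 80 still maps the path when a hop drops UDP and ICMP.

```python
"""Model of how traceroute walks a path with the IP TTL, as described above.

Added example: the hops, addresses and the 'blocks' attribute are
constructed for the example; nothing here sends real packets.
"""
from dataclasses import dataclass

# Replies as (protocol, detail); the ICMP (type, code) pairs are the ones named above.
TTL_EXCEEDED = ("icmp", (11, 0))   # "time to live exceeded in transit"
ECHO_REPLY = ("icmp", (0, 0))      # Windows tracert reaches the target
PORT_UNREACH = ("icmp", (3, 3))    # Linux traceroute (UDP probe) reaches the target
NO_REPLY = None                    # printed as '*' by traceroute


@dataclass
class Hop:
    ip: str
    blocks: frozenset = frozenset()   # probe protocols this hop silently drops


@dataclass
class Target:
    ip: str
    listening_tcp_ports: frozenset

    def answer(self, mode, port):
        """What the final host sends back, by probe type."""
        if mode == "icmp":
            return ECHO_REPLY
        if mode == "udp":                  # nothing listens on 33434 and up
            return PORT_UNREACH
        if mode == "tcp":                  # tcptraceroute SYN probe; the handshake is never completed
            return ("tcp", "SYN/ACK" if port in self.listening_tcp_ports else "RST")
        raise ValueError("unknown probe mode %r" % mode)


def send_probe(path, target, ttl, mode, port):
    """Forward one probe hop by hop; return (who replied, what they sent)."""
    for router in path:
        if mode in router.blocks:          # firewall drops it: nothing comes back
            return None, NO_REPLY
        ttl -= 1                           # every router decrements the TTL
        if ttl == 0:                       # a TTL of 0 can't be forwarded: discard + ICMP 11/0
            return router.ip, TTL_EXCEEDED
    return target.ip, target.answer(mode, port)


def traceroute(path, target, mode="udp", port=33434, max_ttl=30):
    """Raise the TTL from 1 until the target itself answers; return (hops seen, final reply)."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        sender, reply = send_probe(path, target, ttl, mode, port)
        hops.append(sender or "*")
        if reply is not NO_REPLY and reply != TTL_EXCEEDED:
            return hops, reply             # the destination answered
    return hops, NO_REPLY


def demo():
    """Constructed path: the middle hop is a firewall that drops UDP and ICMP but passes TCP."""
    path = [Hop("192.0.2.1"),
            Hop("198.51.100.1", blocks=frozenset({"udp", "icmp"})),
            Hop("203.0.113.1")]
    target = Target("203.0.113.80", listening_tcp_ports=frozenset({80}))
    return {
        "udp": traceroute(path, target, "udp", max_ttl=5),
        "icmp": traceroute(path, target, "icmp", max_ttl=5),
        "tcp_80": traceroute(path, target, "tcp", port=80),
        "tcp_81": traceroute(path, target, "tcp", port=81),
    }
```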

Topic 103.3 – Identify Active Machines

  • RULE : The easiest way to see which IP addresses are active is a ping sweep.  But that only works if the target organization isn’t blocking ICMP.
  • RULE : The padding in an ICMP request packet defaults to 32 bytes but can be customized to other sizes.
  • RULE : The padding in an ICMP packet can be a covert channel of communications such as botnet commands.  Tools such as Loki and icmpsend take advantage of this.
  • RULE : Ping only sends 1 ICMP request at a time to 1 target at a time.  This means ping sweeping a large subnet will take some time.
  • RULE : Programs that do ping sweeps include:
    • Nmap, started in 1997 and is current as of 2015.
    • SuperScan, is for Windows only and hasn’t been updated since 2004, when Windows XP Service Pack 2 removed raw socket support.
    • Angry IP Scanner, looks like the latest news occurred in 2014.
    • Hping, looks like nothing new since 2006; it works on Linux.
    • and Gingsoft’s very own Battalion Commander from 2010, which is multithreaded and extremely fast.
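
As an added example (not from the original notes), the following Python inspects ICMP echo-request padding, the field the covert-channel rule above is about, from the defender’s side: the packet bytes are constructed here, and the Windows ping.exe pattern and the iputils “counting” pattern are the two defaults it recognizes.

```python
"""Check ICMP echo-request padding for signs of a covert channel.

Added example; the packet bytes are constructed below, not captured
from any real host.  The 32-byte Windows pattern is the default payload
of ping.exe; the 'counting' pattern is what iputils ping sends after
its timestamp.
"""
import math
import struct
from collections import Counter

WINDOWS_PING_PADDING = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes


def icmp_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident, seq, payload):
    """Constructed ICMP type 8 / code 0 packet with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seq) + payload


def shannon_entropy(data):
    """Bits per byte; real padding repeats itself, encoded commands do not."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_default_padding(payload):
    """Windows pattern, or a timestamp (8 or 16 bytes) followed by bytes counting up."""
    if payload == WINDOWS_PING_PADDING:
        return True
    for ts_len in (8, 16):
        if ts_len < len(payload) <= 256 and payload[ts_len:] == bytes(range(ts_len, len(payload))):
            return True
    return False


def inspect_echo(packet):
    """Return the reasons the packet looks suspicious (empty list = normal ping)."""
    icmp_type, code, csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    if (icmp_type, code) != (8, 0):
        return ["not an echo request"]
    reasons = []
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        reasons.append("bad checksum")
    if is_default_padding(payload):
        return reasons
    reasons.append("padding is not a known ping default")
    if shannon_entropy(payload) >= 0.9 * math.log2(max(len(payload), 2)):
        reasons.append("high-entropy padding")
    return reasons


def demo():
    """Three constructed packets: Windows default, iputils default, and a smuggled blob."""
    normal = build_echo_request(0x0001, 1, WINDOWS_PING_PADDING)
    linux = build_echo_request(0x1234, 7, b"\x00" * 16 + bytes(range(16, 56)))
    covert = build_echo_request(0x0001, 2, b"k3y:" + bytes(range(200, 244)))
    return inspect_echo(normal), inspect_echo(linux), inspect_echo(covert)
```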

Topic 103.4 – Finding Open Ports

  • RULE : The 3-way handshake goes like this with regard to the sequence numbers; notice the ACK number is the other side’s SEQ increased by 1:
    • 10.10.10.10 sends SYN with [ SEQ 11c31ee3 | ACK 00000000 ] to 55.55.55.55
    • 55.55.55.55 sends SYN/ACK with [ SEQ ba723a05 | ACK 11c31ee4 ] to 10.10.10.10
    • 10.10.10.10 sends ACK with [ SEQ 11c31ee4 | ACK ba723a06 ] to 55.55.55.55
  • RULE : After the 3-way handshake, the ACK numbers will increase by the TCP segment length (237, for example) plus 1 (238 in this case).
  • RULE : The TCP header contains a 1-byte field for the flags; look below at the flags for a SYN/ACK packet:
    • 0... .... = Congestion Window Reduced (CWR) bit not set.
    • .0.. .... = ECN-Echo bit not set.
    • ..0. .... = Urgent (URG) bit not set.
    • ...1 .... = Acknowledgment (ACK) bit is set.
    • .... 0... = Push (PSH) bit is not set.
    • .... .0.. = Reset (RST) bit is not set.
    • .... ..1. = Synchronize (SYN) bit is set.
    • .... ...0 = Finish (FIN) bit is not set.
  • RULE : The bit pattern looks like ..UA PRSF if you take the first letter of each flag and place it where it sits in the byte.
  • RULE : To terminate a TCP session there is a 4-way shutdown process:
    • 10.10.10.10 sends FIN/ACK to 55.55.55.55
    • 55.55.55.55 sends ACK to 10.10.10.10
    • 55.55.55.55 sends FIN/ACK to 10.10.10.10
    • 10.10.10.10 sends ACK to 55.55.55.55
  • RULE : Using Nmap, you can scan many different ways:
    • Use nmap -sS to perform a TCP SYN scan, also referred to as a half-open scan.  This is the most popular and it’s fast.  The reason it’s called a SYN scan is that nmap sends a SYN packet to a port and sees what the answer is.
      • open, means a SYN/ACK was returned.
      • closed, means an RST was returned and the target isn’t listening on that port.
      • filtered, means an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) or no response at all was received after several attempts.
    • Use nmap -sT to perform a TCP Connect scan.  This is the most reliable and the most detectable by IDS.  Use this when a SYN scan is not an option, which is the case when the user does not have raw packet privileges.  Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port.
    • Use nmap -sN to perform a TCP Null scan.  No TCP flag bits are set.
    • Use nmap -sF to perform a TCP FIN scan, where only the FIN bit is set.  The FIN scan usually only works against Unix machines.
    • Use nmap -sX to perform a TCP Xmas scan, where all 3 of the FIN, PSH, and URG flags are set, lighting the packet up like a Christmas tree.  The Xmas scan doesn’t work against Windows machines.
    • The -sN, -sF, -sX (Null, FIN, Xmas) scans are exactly the same when it comes to detecting open ports.
      • open, means that no response was returned.
      • closed, means that an RST/ACK was received.
      • filtered, means an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received.
    • Use nmap -sA against firewalls; it is used to map out firewall access lists, determining whether they are stateful or not and which ports are filtered.  If a firewall is present it will filter packets, which means ICMP type 3 code 9 or 10 packets will be returned; these are the codes for communication to the network or host being administratively prohibited.  If an RST is received, no firewall is present.
  • RULE : You must know nmap scan types inside and out in order to pass the CEH exam.
  • RULE : Not all operating systems implement their TCP/IP stack the same, in much the same way that the Bible and Qur’an aren’t interpreted the same way by everyone, which is why FIN and Xmas scans work on Unix but not Windows.  But SYN and Connect scans work against all systems.
  • RULE : Use nmap -sY to perform a SCTP INIT scan.  SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming.
    • open, means an INIT-ACK chunk was present.
    • closed, means there was an ABORT chunk.
    • filtered, means an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received or there was no response at all.
  • RULE : Use nmap -sI or nmap -sZ to obscure the attacker’s presence.
  • RULE : Use nmap -sZ to perform an SCTP Echo scan.  This is more advanced than the nmap -sY scan.  It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.
  • RULE : Use nmap -sI to perform a scan from one of your zombie hosts.  The zombie scan uses a unique side-channel attack that exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.  However, some versions of Linux set the IPID to 0 or generate random IPIDs, so this scan may not always work.
  • RULE : Use nmap -sO to perform an IP protocol scan.  The protocol scan determines which protocols are supported on the target.
  • RULE : Use nmap -sU to perform a UDP scan.
  • RULE : Use nmap -sW to perform a TCP Window scan.  The TCP Window scan is exactly the same as the ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when an RST is returned.  Results may vary from system to system, so this isn’t very reliable.
  • RULE : Use nmap -sM to perform a TCP Maimon scan.  This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.  A RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel Maimon noticed that many BSD-derived systems simply drop the packet if the port is open.
  • RULE : An FTP Bounce scan uses an FTP server to bounce packets off of, obscuring the attacker.
  • RULE : An RPC scan attempts to determine whether open ports are RPC ports.
  • RULE : An ACK scan, sends an ACK packet with a random sequence number:
    • open or unfiltered, means that no firewall is in the path because an RST was returned.
    • filtered, means that an ICMP type 3 code 13 was returned and tips you off that a firewall exists in the path.
  • RULE : A TCP Window scan, which is similar to an ACK scan, but checks the TCP window size of the RST packets coming back.  On some operating systems:
    • open, means that a positive window size was returned.
    • closed, means that a window size of 0 was returned.
  • RULE : UDP was meant for speed and is a connectionless protocol, so it doesn’t have flags or return responses, which makes scanning harder.  The only thing to look for is ICMP responses from closed ports, meaning that an ICMP type 3 code 3 was returned.
  • RULE : Nothing will be returned for a UDP scan if the ports are open or filtered by a firewall.
  • RULE : Zenmap is what you use if you prefer a GUI over a command line for nmap.
  • RULE : SuperScan is for Windows and does pinging, TCP/UDP port scanning, and resolves hostnames.
  • RULE : THC-Amap was used for banner grabbing, but was replaced by nmap.
  • RULE : Scanrand is part of the Paketto Keiretsu suite of 5 tools from the 1998 time frame.
  • RULE : Scanrand is fast because it uses parallel scanning and seems to be multi-threaded and does not wait for responses.
  • RULE : Scanrand uses inverse SYN cookies, meaning it keeps track of the hashed sequence number that was sent out, and matches with the response when it eventually comes back.
  • RULE : Hping does ping sweeps, port scans, and can be used to craft packets.
  • RULE : Hping works on Windows and Linux.
  • RULE : Hping2 and Hping3 can be used for firewall testing, identifying honeypots, and of course, port scanning.
  • RULE : Hping3 modes:
    • hping3, is the default TCP mode.
    • hping3 -0 and hping3 --rawip, is raw IP mode.
    • hping3 -1 and hping3 --icmp, is ICMP mode.
    • hping3 -2 and hping3 --udp, is UDP mode.
    • hping3 -8 and hping3 --scan, is scan mode.  For example, use hping3 -S -8 1-1024,1434,3389
    • hping3 -9 and hping3 --listen, is listening mode.
  • RULE : You need to know how hping3 switches work.  You set switches for Modes, IP, ICMP, TCP/UDP, scan speed, debugging info, packet count, flood, interval, and many more.
  • RULE : Port knocking is a method of establishing a connection to a host that has closed ports.  By sending packets to the proper sequence of closed ports, a connection to the desired port is opened, like a combination lock.
  • RULE : Port knocking is a good defense against port scanning.
  • RULE : War dialing tools:
    • ToneLoc is a war dialing tool that randomly dials numbers from an input file that contains the area codes and number ranges.
    • TeleSweep is a distributed war dialing program that can use multiple phone lines simultaneously.
    • THC-Scan is an old DOS-based war dialer.
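
An added Python example (not from the original notes) that decodes the flags byte into the ..UA PRSF layout above and applies the SYN, Null, FIN and Xmas probe definitions from the nmap rules as detection logic over constructed client-to-server records; the record format and the sample values are invented for the example.

```python
"""Decode the TCP flags byte and spot scan probes in constructed connection records.

Added example: the record format ('ts src:sport > dst:dport flags=0xNN') and
the sample records are made up for the example; point parse() at your own
sensor's output.  Bit positions follow the ..UA PRSF layout described above.
"""
import re
from collections import defaultdict

# (bit value, letter) from the high bit down; the top two are CWR and ECN-Echo
FLAG_BITS = [(0x80, "C"), (0x40, "E"), (0x20, "U"), (0x10, "A"),
             (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
RECORD = re.compile(r"^(\d+) (\S+):(\d+) > (\S+):(\d+) flags=0x([0-9a-fA-F]{2})$")


def flag_letters(flags):
    """Show the set flags in their byte positions, e.g. SYN/ACK 0x12 -> '...A ..S.'."""
    out = "".join(letter if flags & bit else "." for bit, letter in FLAG_BITS)
    return out[:4] + " " + out[4:]


def probe_type(flags):
    """Name the nmap probe built from this flag combination, or None for ordinary traffic."""
    low = flags & 0x3F         # ignore CWR/ECE, which these probes leave clear
    return {0: "Null", FIN: "FIN", FIN | PSH | URG: "Xmas", SYN: "SYN"}.get(low)


def parse(line):
    m = RECORD.match(line.strip())
    if not m:
        raise ValueError("unparsable record: %r" % line)
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "flags": int(flags, 16)}


def detect_scans(lines, min_ports=5, window=10):
    """Alert on (a) flag combinations no real client sends (Null/FIN/Xmas probes) and
    (b) a source that SYNs to at least min_ports distinct ports within window seconds."""
    alerts = []
    syn_ports = defaultdict(dict)    # src -> {dport: ts of first SYN}
    acked = defaultdict(set)         # src -> ports where it sent the handshake's final ACK
    for rec in map(parse, lines):
        kind = probe_type(rec["flags"])
        if kind in ("Null", "FIN", "Xmas"):
            alerts.append("%s probe from %s to port %d" % (kind, rec["src"], rec["dport"]))
        elif kind == "SYN":
            syn_ports[rec["src"]].setdefault(rec["dport"], rec["ts"])
        elif (rec["flags"] & 0x3F) == ACK:
            acked[rec["src"]].add(rec["dport"])
    for src, ports in syn_ports.items():
        first = min(ports.values())
        burst = {p for p, ts in ports.items() if ts - first <= window}
        if len(burst) >= min_ports:
            style = "connect" if acked[src] & burst else "half-open (SYN)"
            alerts.append("%s scan from %s: %d ports within %ds" % (style, src, len(burst), window))
    return alerts


# Constructed client-to-server records: 10.10.10.10 SYNs five ports, then sends Xmas
# and Null probes; 192.0.2.5 makes one normal connection (SYN, final ACK, PSH/ACK data).
SAMPLE_RECORDS = """
100 10.10.10.10:40001 > 55.55.55.55:22 flags=0x02
101 10.10.10.10:40002 > 55.55.55.55:80 flags=0x02
101 10.10.10.10:40003 > 55.55.55.55:443 flags=0x02
102 10.10.10.10:40004 > 55.55.55.55:3389 flags=0x02
102 10.10.10.10:40005 > 55.55.55.55:8080 flags=0x02
103 10.10.10.10:40006 > 55.55.55.55:25 flags=0x29
104 10.10.10.10:40007 > 55.55.55.55:25 flags=0x00
200 192.0.2.5:51000 > 55.55.55.55:443 flags=0x02
200 192.0.2.5:51000 > 55.55.55.55:443 flags=0x10
201 192.0.2.5:51000 > 55.55.55.55:443 flags=0x18
""".strip().splitlines()
```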

Topic 103.5 – Fingerprinting Operating Systems

  • RULE : There are 2 ways in which to identify the target system:
    • Passive fingerprinting.
    • Active fingerprinting.
  • RULE : Passive fingerprinting is basically listening, not talking, which means the attacker just sniffs the traffic traversing the network in order to figure out what the target system’s operating system is.
  • RULE : Active fingerprinting involves sending malformed packets to the target system to elicit a response.
  • RULE : How the target reacts to certain packets while actively fingerprinting is used to identify it.
  • RULE : Active fingerprinting is noisy and will give away the attacker’s presence.
  • RULE : Passive fingerprinting is stealthy, but you need to know what to look for.  Each Operating System implements the TCP/IP stack a little differently.  Here are some subtle differences:
    • Check the IP Identifier (IPID).
    • Check the IP TTL value.
    • Check the IP Don’t Fragment flag (DF).
    • Check the IP Type Of Service (TOS) flag.
    • Check the TCP Window Size.
    • Check the TCP flags.
  • RULE : A passive fingerprinting tool is P0f.  The latest version from around 2014 is P0f3.
  • RULE : Active fingerprinting methods might include:
    • A FIN packet is sent to an open port; if an RST is returned then the target OS is Windows.  All other operating systems follow RFC 793 and don’t respond.
    • A bullshit flag test.  Typically only the SYN flag is set on the initial packet.  When other flags are also set along with the SYN flag, Linux will leave that same flag set on the following packet.
    • Windows has a predictable Initial Sequence Number (ISN) pattern; it only increments the ISN by a small fixed amount.  Other operating systems use truly random ISNs.
    • IPID sampling differences between operating systems show that old Windows systems increment the IPID for each packet by 256.  Other operating systems increment a system-wide IPID.
    • Checking the TCP Window size in packets returned from the target system.  Different operating systems will use the same TCP Window size.
    • Checking the ACK value.  Some operating systems will return the previous value with 1 added to it, while others use random numbers.
    • Manipulating the ICMP Port Unreachable (type 3 code 3) messages and then checking the Type Of Service (TOS) flags.  Some operating systems will have the flags set to all zeros; others do not.
    • Sending packets with different TCP flags set; the responses will reveal the operating system.
    • Different implementations of packet fragmentation.  The MTU can be any value between 68 and 65535 according to RFC 1191.  Again, each operating system may have chosen a different MTU size.
  • RULE : Nmap is a great Active fingerprinting tool.  Nmap needs 1 open port and 1 closed port to determine the operating system.
  • RULE : Nmap -O and nmap -A are the options for active fingerprinting.
  • RULE : Nmap -vv might be needed to identify load balancers.
  • RULE : Another active fingerprinting tool is Xprobe2 for Linux.
  • RULE : Xprobe2 uses a mixture of ICMP, TCP, and UDP to avoid IDS detection and get through firewalls.
  • RULE : WinFingerPrint is another active fingerprinting tool, but as the name implies, it’s for Windows only.
  • RULE : WinFingerPrint can find the NetBIOS shares, disk information, user, groups, services, and service pack installations.
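
To show how the TTL, DF and window checks in the passive fingerprinting rules above are applied, here is an added Python example (not p0f’s code and not from the original notes); the signature table and the observations are illustrative values constructed for it, and the inconsistency check is a defender’s use of the same data that goes beyond what the notes describe.

```python
"""Passive TTL / DF / window checks of the kind p0f does, used here for inventory.

Added example, not p0f's code.  Initial TTLs of 64, 128 and 255 are the
common OS defaults; the signature table is a small illustrative set and
should be replaced with values measured on your own network.
"""
from collections import defaultdict

INITIAL_TTLS = (64, 128, 255)

# (initial TTL, DF bit set, TCP window in the SYN) -> label.  Illustrative entries only.
SIGNATURES = {
    (64, True, 29200): "Linux",
    (128, True, 8192): "Windows",
    (255, False, 4128): "Cisco IOS",
}
FAMILY = {64: "Unix-like (TTL 64 family)", 128: "Windows (TTL 128 family)",
          255: "network device / Solaris (TTL 255 family)"}


def infer_initial_ttl(observed_ttl):
    """A TTL only goes down in transit, so the smallest common default that is
    >= the observed value is the likely start; the gap is the hop count."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL above 255 is impossible")


def fingerprint(ttl, df, window):
    """Best guess for one observed SYN: exact signature if known, else the TTL family."""
    initial, hops = infer_initial_ttl(ttl)
    label = SIGNATURES.get((initial, df, window), FAMILY[initial])
    return {"initial_ttl": initial, "hops_away": hops, "guess": label}


def inconsistent_sources(observations):
    """Defensive use: a source IP whose packets imply different initial TTLs or
    hop distances is either several hosts behind one address or being spoofed.
    observations: iterable of (src_ip, ttl, df, window)."""
    seen = defaultdict(set)
    for src, ttl, df, window in observations:
        fp = fingerprint(ttl, df, window)
        seen[src].add((fp["initial_ttl"], fp["hops_away"]))
    return sorted(src for src, combos in seen.items() if len(combos) > 1)


def demo():
    """Constructed observations from a hypothetical sensor."""
    obs = [
        ("10.0.0.5", 57, True, 29200),    # Linux, 7 hops away
        ("10.0.0.5", 57, True, 29200),
        ("10.0.0.9", 121, True, 8192),    # Windows, 7 hops away
        ("10.0.0.9", 250, False, 4128),   # same IP now looks like a Cisco box 5 hops away
        ("10.0.0.12", 62, True, 65535),   # unknown window: falls back to the TTL family
    ]
    return ([fingerprint(t, d, w)["guess"] for _, t, d, w in obs], inconsistent_sources(obs))
```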

Topic 103.6 – Fingerprinting Services

  • RULE : The easiest way to determine what services are running on open ports is by banner grabbing.
  • RULE : Telnet can be used to grab banners for HTTP, FTP, SMTP, and other ports where services might be hiding.
  • RULE : Try telnet darkblueteam.com 80, then use the escape sequence to see the results by typing ^] (shift 6, then right bracket).
  • RULE : HTTPrint is another banner grabber.
  • RULE : NetCat can also be used to grab the banners.
  • RULE : Ports and banners can be changed by the system administrators to fool attackers and OS fingerprint tools.
  • RULE : On Linux systems, change the banner by editing the httpd.conf file.  Change the ServerSignature line to off.
  • RULE : On Windows systems, you can install a tool from Microsoft called the UrlScan security tool in order to change or remove the banner on IIS servers.

Topic 103.7 – Mapping the Attack Surface

  • RULE : Automated mapping tools are:
    • NLog, which is a browser based tool that allows you to automate nmap scans and record them in a database.
    • CartoReso, an automated mapping tool that can map a large portion of what it can connect to.