2.1 Reconnaissance 1

00:00

Hey, guys, Welcome back to the cybercult. In comparison, Sabri, this is undermanned name on this episode, we're going to start our target attack. Step one. Reconnaissance.

00:10

So going back to the kitchen, we hade these seven steps

00:14

that we went over. So the first step is reconnaissance. And I pointed this before That reconnaissance sometimes

00:21

is overlooked by, ah, lot of special when it comes to Pan Tessa Teamers. However, re Constance is one of the most important,

00:29

uh, step and this cult in because you, Constance, is the base that you build your all attack

00:35

on. So, as I said before, we're going to use the information that we gained today in organization delivery exploitation and then continue continuously using it until the end of the attack. So you need to get as much information as possible

00:51

Reconnaissance. You want to gather information on the target before actually starting the attack. And there are two ways of doing reconnaissance. There's passive and active and passive is the one that you want to spend your time and

01:04

because in passive, the target doesn't even know that you're actually trying to attack him because you're looking for publicly available information you're not interacting with the target you're not to do. Do not trying to do any network sweets. You're not trying to do any vulnerability assessments or anything. You're just

01:23

going through the Internet looking for information that is

01:26

publicly available, and you can take your time and passive. However, when it comes to active and I've seen this before in a number of companies, as soon as you pick them,

01:37

they will notice that someone is actually trying to interact with our systems.

01:42

So you want to be sure, or the tackle wants to be sure that, uh, he pays more attention or he becomes He tries to be

01:53

more passive than active because you don't want

01:57

them to know that Ah, you're actually doing anything

02:00

and that step. It's too early in the attack for them to actually notice you so and passive again. Some people called foot printing. You're looking for publicly available information. This can be who is and this look up. There's a couple of other websites that you're you can go and visit,

02:21

and we're going to go through them in a minute.

02:23

Also, social media tend to be one of the best resource is because we can't put a lot of information. Social Media Lincoln is one of the most popular. When you go to Lincoln Visitor France Patient Lincoln. You'll find certifications when someone s certified in supporting Ah, Cisco

02:43

the device. Most probably his company uses that Cisco device. It's up.

02:47

The same thing goes for Lennox with Windows. If he's a street fighting but hot,

02:52

most probably his company or the company that he works for

02:54

uses Red Hot.

02:58

So Social Media is one of the things that a lot of hackers spend time and especially in a reconnaissance. So it's on Lee Systems, so also something that

03:07

you might find inventor. So if you go to someone's Facebook page and you find that he's interested in in scuba diving gets an example or he's interested in horseback riding or something like that,

03:20

you can design

03:22

a

03:23

phishing email or a Social Indian campaign direct to that guy

03:29

and catch his interest.

03:30

So as a scuba diver you would send them something like the Great Barrier Reef is dying.

03:38

You need to go there before it all goes away. Click here to find the best years of the great man really

03:44

So

03:46

any diver when he

03:47

here's something like that to be okay, I have to go now or the Great Barrier Reef is going

03:53

on. Most probably will be clicking. The last thing is Dumpster diving. Dumpster diving is one of the most disgusting things that I've ever heard up, and they actually go to Dumpsters. So basically, when companies

04:09

finish from a piece of paper or something like that, they don't usually ah, Fred it or or get rid of it in a secure manner. A lot of companies just throw it in the garbage. A lot of employees just don't think and just throw it in the garbage.

04:26

All these documents, all of these manuals

04:29

go to the

04:30

dumpster at the end. Someone can jump in there looking, too,

04:35

this company's dumpster, and then find out that they have this manual. Some people actually like passwords. Some people like the configuration that they actually did. Or if you have a hardening document hitori technical configuration baseline in your

04:50

ah company,

04:53

someone might have his hand on it. So let's let's just let's do a couple of passive

04:59

reconnaissance isn't again.

05:00

We'll try to spend as much time here as we can.

05:03

So the first thing that I want to do

05:06

is go to

05:10

Ah, here and just say

05:12

who is and then let's say 70 30.

05:17

So

05:19

the first thing that you noticed is admin. Contact is hidden in technical Contacted said that there's a lot of information here. When was the watch had created the last update and so on?

05:32

So on and many other organizations you'll find the contact name out there, you'll find contact. He may have put a lot of information about who's supporting this website.

05:44

So

05:45

and that's extremely important because

05:47

usually admin Zorro up admissions or system admits have excessive privileges. And if you want,

05:55

or an attacker wants to hack, someone

05:59

usually go for these guys, the whales, the people that actually make a difference and have

06:04

access

06:05

to a lot of information.

06:08

So who is is basically were just checking a public database? We did not even interact with the

06:16

with the ah,

06:18

with the systems with savagery, I t system or anything like that.

06:23

So the next thing that we're gonna do

06:26

is in a slick up, So in the end, it's look up what we're doing again we're going to go to Savary.

06:32

Well, what we're doing is we're trying to find out the eyepiece of and slick up from the I p can say what country this is hosted on. Ah, there's a lot of, ah, other information that you can get, such as

06:46

there. There are three servers. They seem want to be in the same country, however, and other upset to find a lot of more information. Obviously, Savary is,

06:58

uh it pays attention to these things, and that's why they're the best

07:03

training center in the world. Vegas.

07:05

So we'll go to the next one, which is

07:10

Ah, the websites that I was talking about. So we have a census

07:15

Andre skipping here.

07:18

So the first thing is census. So

07:21

So in this case, we're gonna do the same thing. Exactly. So cyber duty

07:27

that I t

07:29

in tow

07:30

and then this will upset will give us a lot of horse and art of information about savvy.

07:34

So it gives you

07:36

All of the servers were already hosted.

07:40

Ah, the ur girls, What are the open ports and so on?

07:45

So that's one example of the other One is sure the news You need an account, There's a free account. And then there's an upgrade. The count. So I have a free account.

07:54

I'm gonna do the same thing again

07:59

and again. What we're doing now, we're not talking to the, uh, back and server. We're not communicating with Stavros server or anything.

08:07

So if we look at this,

08:11

it again, it would give us a number of, ah, some information about the

08:16

the technology that I used These ports that are open, what are the service is available. They have in a success certificate and so on.

08:24

So

08:26

again, this is a very high level example. I did not get into details here. However, if

08:33

if you take each and every i p and then who is this i p and then who has the other i p and do it requested Lee, you'll gain a lot of information

08:41

that would actually help you

08:43

doing your, uh

08:46

uh during the attack. So

08:50

let's go back to

08:52

our slides. So again, this is the passive

08:56

Ah ah, reconnaissance. Such poor footprint thing.

09:01

We're looking for publicly available information on the Internet on once again. You want to spend as much time as you can hear, gather as much information as you can hear before moving to the active

09:11

part off reconnaissance, which is more technical in starting. The interaction with the server can be able nobility scan can be over applications can. On the example that I'm going to show you is a fingerprint scan. So anything you're printing, what we're trying to do

09:30

is basically we're trying to know what kind of server are we communicating toe? So I got the I p before and I know What's that be that I'm communicating to?

09:39

However,

09:41

I don't know what the servers. I don't know what course are exactly open. So I know the world Portal open 18 for for three. However, I need more information, and that's ah, fingerprinting. So a great tour to do that is en masse,

09:56

and I'm gonna leave a link to end map and a couple of documentation that has to do it and not in the resource is pay in the resources page.

10:05

And then we're going to this time we're not going to savagery. We're going to use canned me.

10:11

That and map that order, which is a public upset by and mapped themselves to test their scanners, and we're allowed to use it, but not obviously overuse it.

10:22

So I'm gonna run this.

10:24

So I'm going to get the Daschle. I'm going to get the opening system

10:28

off the server hosting scan me that map that or

10:35

so let's go back to the top.

10:37

And I got all the eyepiece out there. I have the deports. I have fortitude, which is basically web. And then I have 22 which is a state. And this is

10:48

for some people. This is kind of promising. You can go and look more into it,

10:52

and then you have a couple of other sources. So when you look at

11:00

oh, us

11:01

because they don't actually Logan to the old West and they cannot basically run a command. And those two no sources, it's kind of an aggressive, always guessing. So they get a number off sources

11:16

that are

11:18

basically available from the outside, and then based on that guest

11:24

Ah, the Oso, the random ization and the, uh, the ah reply of the ping the open ports, as an example of such would give you an indication that this is more of a linen server model than a Windows server and so on,

11:41

so you'll find a number off operating system. Most of them are Lennox depreciates from one to another, but this would give you an idea. But imagine if there's a, ah, an open port here,

11:54

Andi, I can go through the postman by one. But imagine if there's an open FT people here, and that would give me an idea that there's an open FTP porter can use later on and delivery or in one of the following stage is the same. Thing goes, if I have a

12:11

Aaaah

12:13

a, uh,

12:16

a V NC er

12:18

port open. So I know that there's a chance that there's insecure remote access available for me to go ahead and and try to either brute force it. Or maybe it's wide open or used using a default password.

12:33

So that's active reconnaissance.

12:37

Moving to the Post assistant question now, now that we recovered the active and passive reconnaissance,

12:43

what is the purpose of reconnaissance? And I talked about this in a bit.

12:48

I said reconnaissance is the base of an attack, so we're building the attack based on the information that we get from the Constance. We're trying to get as much information as we can

12:58

and reconnaissance toe help us go through the steps.

13:01

So the Constance is like they, uh, stop at the beginning of the days where you want

13:07

to get all of your energy and all of your excitement for the upcoming race. So reconnaissance is one of the most important steps. So what are the main types of reconnaissance we said there is passive and active passively. Constance is when

13:26

you, ah, do not interact with Dan system. And then actively, Constance, is when you interact with the insistent

13:33

through our force

13:35

pink and in a slick up our example of passively Constance

13:41

that's actually force and a slick up is passive. However, Ping, you're communicating with the and server. Ah, lots of people use Ping to get the I. P. However, and a slick up would give you the I p as well without interacting with the and server

13:56

for the targets over.

13:58

How is posting information on social media helps adversities. And we talked about this and ah, little bit. We said that that information that you post on your whether you lengthen your configuration certifications or any interest that you have can be used against you

14:13

in a social engineering attack. So again, if you post a certification supporting X Y Z system on

14:24

lengthen,

14:26

pardon us me. I'll be able to know that your company supports that system

14:31

or has this system. So if it's a fire a liner companies, despite all the bits in little device and your company is dishonest, we device if it's a operating system or several braking system. I know that, too.

14:43

On the other hand, when it comes to Social Aspect as a as a, uh, employees I can assert as a hacker, I can

14:54

create a fishing campaign against a certain employees using the information that are available on his Facebook, Twitter or INSTAGRAM account.

15:03

Using this information, I can design a campaign

15:05

that is talked to this guy, our specifically to this guy.

15:13

Next I p I get from running on NS look up on the company's upset is the only one I need,

15:20

and that's actually not true, because a lot of the upset a lot of that piece that you get from in a slick up

15:28

are ah,

15:30

your load balancers or your gateway

15:33

eyepiece, and you need to do more research there

15:37

again. As I said, when you go through a census and showed and so on,

15:43

you need to take 18 every I p and then search it more than the resource is I'm going to leave a link to sense a sansho done that you can go and explore yourself.

15:56

So in this brief lecture, we discussed

16:00

the step, the Constance step of the kill chain active and passive re kon. We went over a couple of examples of active and passive re kon. And the next episode we're going to talk about organization