2.1 Reconnaissance 1
Hey guys, welcome back to the Cyber Kill Chain, in cooperation with Cybrary. In this episode, we're going to start our targeted attack. Step one: reconnaissance.
So going back to the kill chain, we had these seven steps that we went over. The first step is reconnaissance. I pointed this out before: reconnaissance is sometimes overlooked by a lot of people, especially when it comes to pentesters and red teamers. However, reconnaissance is one of the most important steps in this kill chain, because reconnaissance is the base that you build your whole attack on. So, as I said before, we're going to use the information that we gain today in weaponization, delivery and exploitation, and then continue using it until the end of the attack. So you need to get as much information as possible.
Reconnaissance: you want to gather information on the target before actually starting the attack. There are two ways of doing reconnaissance: passive and active. Passive is the one that you want to spend your time in, because in passive, the target doesn't even know that you're actually trying to attack them, because you're looking for publicly available information. You're not interacting with the target. You're not trying to do any network sweeps, you're not trying to do any vulnerability assessments or anything. You're just going through the Internet looking for information that is publicly available, and you can take your time in passive. However, when it comes to active, and I've seen this before in a number of companies, as soon as you ping them, they will notice that someone is actually trying to interact with their systems. So you want to be sure, or the attacker wants to be sure, that he pays more attention and tries to be more passive than active, because you don't want them to know that you're actually doing anything at that step. It's too early in the attack for them to actually notice you. So passive again, which some people call footprinting: you're looking for publicly available information. This can be whois and nslookup. There are a couple of other websites that you can go and visit, and we're going to go through them in a minute.
Also, social media tends to be one of the best resources, because people put a lot of information on social media. LinkedIn is one of the most popular. When you go to LinkedIn and visit a person's page on LinkedIn, you'll find certifications. When someone is certified in supporting a Cisco device, most probably his company uses that Cisco device. The same thing goes for Linux and Windows. If he's certified in Red Hat, most probably his company, or the company that he works for, uses Red Hat.
So social media is one of the things that a lot of hackers spend time on, especially in reconnaissance. And it's not only systems; there's also something else that you might find interesting. If you go to someone's Facebook page and you find that he's interested in scuba diving, as an example, or he's interested in horseback riding or something like that, you can design a phishing email or a social engineering campaign directed at that guy and catch his interest. So, for a scuba diver, you would send them something like: "The Great Barrier Reef is dying. You need to go there before it all goes away. Click here to find the best tours of the Great Barrier Reef." Any diver, when he hears something like that, will think: okay, I have to go now, the Great Barrier Reef is going away. Most probably he will be clicking.

The last thing is dumpster diving. Dumpster diving is one of the most disgusting things that I've ever heard of: they actually go to dumpsters. So basically, when companies are finished with a piece of paper or something like that, they don't usually shred it or get rid of it in a secure manner. A lot of companies just throw it in the garbage; a lot of employees just don't think and throw it in the garbage. All these documents, all these manuals, go to the dumpster at the end. Someone can jump in there, looking into this company's dumpster, and then find out that they have this manual. Some people actually write down passwords. Some people write down the configuration that they actually did. Or if you have a hardening document or a technical configuration baseline in your dumpster, someone might get his hands on it.

So let's just do a couple of passive reconnaissance examples again. We'll try to spend as much time here as we can.
So the first thing that I want to do is go here and just type whois and then, let's say, cybrary.it. The first thing that you notice is that the admin contact is hidden and the technical contact is hidden. That said, there's a lot of information here: when the domain was created, the last update, and so on. In many other organizations you'll find the contact name out there, you'll find the contact email. It may have a lot of information about who's supporting this website, and that's extremely important, because usually admins, whether application admins or system admins, have excessive privileges. And if you want, or an attacker wants, to hack someone, usually he goes for these guys, the whales, the people that actually make a difference and have access to a lot of information. So whois is basically just checking a public database. We did not even interact with Cybrary's IT systems or anything like that.
So the next thing that we're going to do is an nslookup. In nslookup, what we're doing again is going to Cybrary. What we're doing is trying to find out the IPs, and from the IP, nslookup can tell what country this is hosted in. There's a lot of other information that you can get, such as: there are three servers, and they seem to be in the same country. However, another website would find a lot more information. Obviously, Cybrary pays attention to these things, and that's why they're the best training center in the world.
So we'll go to the next one, which is the websites that I was talking about. We have Censys and Shodan here. The first one is Censys. In this case, we're going to do exactly the same thing: cybrary.it, and then this website will give us a lot of hosts and a lot of information about Cybrary. So it gives you all of the servers where it is hosted, the URLs, what the open ports are, and so on.
So that's one example. The other one is Shodan. You need an account; there's a free account and then there's an upgraded account. I have a free account. I'm going to do the same thing again. And again, what we're doing now, we're not talking to the back-end server. We're not communicating with Cybrary's server or anything. So if we look at this, it would give us some information about the technology that is used, the ports that are open, what services are available, whether they have an SSL certificate, and so on. Again, this is a very high-level example; I did not get into details here. However, if you take each and every IP, and then whois this IP, and then whois the other IP, and do it recursively, you'll gain a lot of information that would actually help you during the attack.
So let's go back to our slides. Again, this is passive reconnaissance, also called footprinting. We're looking for publicly available information on the Internet, and once again, you want to spend as much time as you can here, and gather as much information as you can here, before moving to the active part of reconnaissance, which is more technical and starts the interaction with the server. It can be a vulnerability scan, it can be a web application scan. The example that I'm going to show you is a fingerprint scan. In fingerprinting, what we're trying to do is basically find out what kind of server we are communicating with. So I got the IP before, and I know what IP I'm communicating with. I don't know what the server is, and I don't know exactly what ports are open. I know the web ports are open, 80 and 443. However, I need more information, and that's fingerprinting. A great tool to do that is nmap, and I'm going to leave a link to nmap and a couple of documentation pages that have to do with nmap in the resources page. And this time we're not going to Cybrary; we're going to use scanme.nmap.org, which is a public website by nmap themselves to test their scanners, and we're allowed to use it, but obviously not overuse it.
So I'm going to run this. I'm going to get the details, I'm going to get the operating system of the server hosting scanme.nmap.org. So let's go back to the top. I got all the IPs out there. I have the ports: I have port 80, which is basically web, and then I have 22, which is SSH. For some people, this is kind of promising; you can go and look more into it. And then you have a couple of other services. When you look at the OS guess, because they don't actually log in to the OS and they cannot basically run a command, those are not definitive; it's kind of an aggressive OS guess. So they get a number of services basically available from the outside, and then based on that they guess. The OS, the randomization and the reply to the ping, the open ports, as an example, would give you an indication that this is more of a Linux server than a Windows server, and so on. So you'll find a number of operating systems; most of them are Linux, and it varies from one to another, but this would give you an idea. But imagine if there's an open port here, and I can go through the ports one by one. Imagine if there's an open FTP port here; that would give me an idea that there's an open FTP port that I can use later on in delivery or in one of the following stages. The same thing goes if I have a VNC port open. Then I know that there's a chance that there's insecure remote access available for me to go ahead and try to either brute force it, or maybe it's wide open, or it's using a default password.
So that's active reconnaissance. Moving to the post-assessment questions now, now that we've covered active and passive reconnaissance. What is the purpose of reconnaissance? I talked about this a bit. I said reconnaissance is the base of an attack, so we're building the attack based on the information that we get from reconnaissance. We're trying to get as much information as we can in reconnaissance to help us go through the steps. Reconnaissance is like the stop at the beginning of the day where you want to get all of your energy and all of your excitement for the upcoming race. So reconnaissance is one of the most important steps. What are the main types of reconnaissance? We said there is passive and active. Passive reconnaissance is when you do not interact with the system, and active reconnaissance is when you interact with the system. Are whois, ping and nslookup examples of passive reconnaissance? Actually, whois and nslookup are passive. However, with ping you're communicating with the end server. A lot of people use ping to get the IP; however, nslookup would give you the IP as well, without interacting with the end server, the target's server.
How does posting information on social media help adversaries? We talked about this a little bit. We said that the information that you post, whether on your LinkedIn, your configuration, your certifications or any interests that you have, can be used against you in a social engineering attack. So again, if you post a certification supporting XYZ system on, pardon me, LinkedIn, I'll be able to know that your company supports that system or has this system. If it's a firewall, I know your company is using this firewall device; if it's an operating system or a server operating system, I know that too. On the other hand, when it comes to the social aspect, as a hacker I can create a phishing campaign against a certain employee using the information that is available on his Facebook, Twitter or Instagram account. Using this information, I can design a campaign that is targeted to this guy, or specifically to this guy.
Next: "The IP I get from running an nslookup on the company's website is the only one I need." That's actually not true, because a lot of the IPs that you get from nslookup are your load balancers or your gateway IPs, and you need to do more research there. Again, as I said, when you go through Censys and Shodan and so on, you need to take each and every IP and then search it more. In the resources, I'm going to leave a link to Censys and Shodan that you can go and explore yourself.
So in this brief lecture, we discussed the reconnaissance step of the kill chain, active and passive recon. We went over a couple of examples of active and passive recon. In the next episode we're going to talk about the weaponization phase and techniques. Thank you so much, and see you in weaponization.