Footprinting: Internal

00:00

Hello and welcome to another penetration. Testing execution Standard discussion. Today we're going to be looking at foot printing or fingerprinting of internal systems. Now a quick disclaimer. Pee Test videos do cover tools and techniques that could be used for system hacking.

00:17

Any tools discussed their used during demonstrations or during our discussions should be researched and understood by the user.

00:24

Please research your laws and regulations regarding the use of such tools in your given area to ensure that you don't have any issues with the law. Now let's talk about the objectives that we're going to be looking through today. So we're going to discuss passive internal reconnaissance.

00:42

We're going to look at identification of customer internal ranges and discuss active internal reconnaissance. So let's go ahead and jump right into passive internal reconnaissance.

00:54

No, um, if the tester has access to the internal network, you can do packet sniffing to provide a great deal of information. You can use P zero F to identify systems potentially on soapy zero f is a passive T c p i. P stat fingerprinting told that attempts to identify

01:12

the system's running on machines that send network traffic to the box that the tool is running on, so

01:19

you could use this in a way to to see what's out there. Usually you'll have to do this in cooperation with the client. And you know, if they want you to go from an external system to an internal system and you don't have access to the internal network, this may not be applicable,

01:37

but it may be beneficial to see what you can pick up passively on an organization's internal network. Now keep in mind we did discuss this in previous discussions that if you do packet sniffing and pack, it captures.

01:52

And the organization uses some type of VoIP technology, which is common in most businesses today. It could be interpreted as one are tapping

02:01

in some areas, and so it would be beneficial to understand again the laws and regulations with respect to pack it catcher activity in your given region. So that'll just ensure that you're protected and you don't do anything that would get you into some hot water.

02:16

Now, when we talk about customer internal ranges when performing internal testing, first in numerator, your local sub net and then you can often extract yah late from their other sub nets by modifying the address slightly.

02:30

Also, you know you can take a look at rounding tables of an internal host, which could be particularly telling if they do have a round table,

02:39

and D. C P servers can provide us not just local information, but also remote ranges and details of important host. So, ah, lot of times they'll provide local i p. Gateway address D. N s information, Windows based networks. You can get the N S servers with the active directory domain controller data.

02:59

And really, you know, you can get a lot of different target information based on

03:05

the i p address information that your systems able to obtain when you're connected into the internal network.

03:12

Now, some other types of things that we can do as far as active internal reconnaissance. It should contain all of the elements as an external one, as well as some of these elements as well.

03:23

So we want to look for directory service is whether we're running active directory, no val et cetera. Internet sites providing business functionality. So if we've got an internal SharePoint site

03:35

or something of that nature, we want to understand where that's located and, you know, try to see if there's anything we can glean from that enterprise applications. So customer resource management, enterprise resource planning, accounting software is whatever the case may be, it's good to understand where those live and what

03:53

you know level of criticality they have to the organization because that could impact the overall goals

03:59

from your standpoint of identifying risk

04:01

and from the client standpoint, have seen if those systems are vulnerable to attack identification of system of sensitive network segments. And so

04:11

there's there's two fold here. If a network is broken down into sub nets than being able to identify those sub nets and rob between those sub nets could be detrimental if the network were attacked.

04:24

But if the network is relatively flat, meaning that there's not a lot of segmentation of the landing, whatever the case may be,

04:31

that can also pose a risk in that if again, a system were impacted and it just does a network sweet and then, you know, pushes its payload across the organization. That could be bad as well.

04:45

So understanding the risk reduction efforts that segmentation conveying to the table as well as if it's done inappropriately, you know the lack thereof that it would provide could be beneficial when you're doing internal scans and

04:58

kind of risk identification activities. Access mapping to production networks. So as far as data centers and things of that nature, what shares are mapped on DDE? What is typically provided, like to accounting versus HR versus technical resource is and management, et cetera.

05:16

VoIP in infrastructure and how that looks in this setup is beneficial. Sometimes you'll have a separate VoIP sub net with VoIP phones. Sometimes they run in line with other data sets. Sometimes they're separate, so it just depends

05:30

authentication provisioning. Whether we're you know, if we're using Kerberos, and then if you can pick up cookie information, etcetera within the environment, that could be beneficial as well. And then proxymed an Internet access management. So if there is proxy in that happens and you know Internet access management is happening in the organization.

05:50

How does that impact risk and what can you do there? And if there's no Prock seen, if there's no access management, the Internet is wide open

05:58

and you can access Let's take command and control servers or things of that nature or you could access, let's say, a listening device that you've placed on an external network that could all be taken into account with respect to the risk profile for the organization and potential attack vectors.

06:15

So let's go ahead and do a quick check on learning. True or false internal active reconnaissance should contain all of the elements of an external one, true or false.

06:29

And so, in this case, as we discussed, internal active reconnaissance should in fact contain all of the elements that an external skin would contain and then some. So this statement does hold true with respect to internal active reconnaissance. Now,

06:46

in summary, we discussed passive internal reconnaissance, looking at maybe using something like a wire shark or P zero f to provide some form of packet sniffing that we can then use to try and extrapolating information or see what kind of data sets

07:05

are being passed along a network. I do know that at times like it, let's just say you've got an internal system that's an SQL database.

07:14

Um, and the client indicates that that information is encrypted across the network, and then you set up a sniffer and you're able to intercept database queries and responses, and you find that, in fact, that is clear text

07:27

that could be a finding. And, you know, that could be of risk to the organization because it may have been set up properly. It may not,

07:33

um, you know, there may be something that they're not doing. So

07:39

Packet sniffing and passive internal reconnaissance can be just as beneficial is active reconnaissance, identification of internal ranges we discussed. And then we looked at active internal reconnaissance

07:49

that includes all of the things that would would do in our external efforts as well.