Friday, April 11, 2014

Reconnaissance


The term Reconnaissance comes from the military warfare strategy of exploring beyond the area occupied by friendly forces to gain information about the enemy for future analysis or attack. Reconnaissance of computer systems is similar in nature: typically a Penetration Tester or hacker will attempt to learn as much as possible about a target's environment and system traits prior to launching an attack. This is also known as establishing a Footprint of a target. Reconnaissance is typically passive in nature and in many cases not illegal to perform (however, we are not lawyers and cannot offer legal advice) as long as you don't complete a three-way handshake with an unauthorized system.

Examples of Reconnaissance include anything from researching a target on public sources such as Google, to monitoring employee activity to learn operation patterns, to scanning networks or systems to gather information such as manufacturer type, operating system, and open communication ports. The more information that can be gathered about a target, the better the chance of identifying the easiest and fastest method to achieve a penetration goal, as well as the best method to avoid existing security. Alerting a target will most likely cause certain attack avenues to close as the target reacts and prepares for an attack. Kali's official slogan says this best:

"The quieter you become, the more you are able to hear"

Reconnaissance objectives

  • Target background: What is the focus of the target's business?
  • Target's associates: Who are the business partners, vendors, and customers?
  • Target's investment in security: Are security policies advertised? What is the potential investment in security, and what is the level of user security awareness?
  • Target's business and security policies: How does the business operate? Where are the potential weaknesses in operation?
  • Target's people: What type of people work there? How can they become your asset for the attack?
  • Define targets: What are the lowest hanging fruit targets? What should be avoided?
  • Target's network: How do the people and devices communicate on the network?
  • Target's defenses: What type of security is in place? Where is it located?
  • Target's technologies: What technologies are used for e-mail, network traffic, storing information, authentication, and so on? Are they vulnerable?

Kali Linux contains an extensive catalog of tools, titled Information Gathering, dedicated to Reconnaissance efforts. It could fill a separate book to cover all the tools and methods offered for Information Gathering. This chapter will focus on various web application Reconnaissance topics and relate the best tools found on the Internet as well as those offered by Kali Linux.

Initial research

Reconnaissance should begin with learning as much as possible about the people and businesses associated with the target. As a Penetration Tester, you need to know your target. If your target happens to be a website, you should look at all aspects of that website. It will give you a better understanding of how the site is maintained and run. Great Reconnaissance returns more possible vulnerabilities.

It is scary how much information is available on public sources. We have found the unimaginable, such as classified documents, passwords, vulnerability reports, undesirable photography, and access to security cameras. Many Penetration Testing project objectives start with leveraging information from public sources. Here are some starting points for gathering information from public sources.

Company website

There is a lot of valuable information that can be obtained from a target's website. Most corporate websites list their executive team, public figures, and recruiting and human resource contacts. These can become targets for other search efforts and social engineering attacks.

The robots.txt file is a publicly available file found on websites that gives instructions to web robots (also known as search engine spiders) about what is and is not visible, using the Robots Exclusion Protocol. The Disallow: / statement tells a web robot not to visit a resource; however, a Disallow can be ignored, giving a researcher intelligence on what a target hopes not to disclose to the public.
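As an added example (not code from the book or from Kali Linux), the following Python script parses a robots.txt file according to the Robots Exclusion Protocol's grouping rules and lists what its Disallow lines reveal. The sample file, every path in it, and the SENSITIVE_HINTS watch-list are constructed for illustration. Run over your own site's robots.txt before publishing it, the script shows exactly what any reader learns from the file, since a Disallow is advisory to web robots but visible to everyone.

```python
"""Parse a robots.txt file and report what its Disallow lines disclose.

Added example, not from the book or from Kali Linux. A defender can run
this over their own robots.txt before publishing it: every Disallow line
is advisory for web robots but fully readable by anyone, so the file
should never be used to hide sensitive paths.
"""
from collections import defaultdict

# Constructed sample robots.txt; every path in it is invented.
SAMPLE_ROBOTS_TXT = """\
# robots.txt for example.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /staging-site/
Disallow: /old-intranet-export.zip

Sitemap: https://example.com/sitemap.xml
"""

# Hypothetical watch-list: path fragments that, when listed in a public
# robots.txt, point a reader straight at material the site wants hidden.
SENSITIVE_HINTS = ("admin", "backup", "staging", "intranet", "private", ".zip", ".sql")


def parse_robots(text):
    """Return ({user_agent: {"disallow": [...], "allow": [...]}}, [sitemaps]).

    Follows the Robots Exclusion Protocol grouping rules: one or more
    consecutive User-agent lines open a group, and the Allow/Disallow
    lines that follow apply to every agent named in that group.
    Comments (#) and blank lines are ignored; Sitemap is global.
    """
    groups = defaultdict(lambda: {"disallow": [], "allow": []})
    sitemaps = []
    current_agents = []
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not previous_was_agent:          # a rule intervened: new group
                current_agents = []
            current_agents.append(value)
            _ = groups[value]                   # register the agent even with no rules
            previous_was_agent = True
            continue
        previous_was_agent = False
        if field == "sitemap":
            sitemaps.append(value)
        elif field in ("disallow", "allow") and value:
            for agent in current_agents:
                groups[agent][field].append(value)
    return dict(groups), sitemaps


def audit_robots(text):
    """Return (agent, path, hint) for each Disallow path matching the watch-list."""
    groups, _ = parse_robots(text)
    findings = []
    for agent, rules in groups.items():
        for path in rules["disallow"]:
            hits = [hint for hint in SENSITIVE_HINTS if hint in path.lower()]
            if hits:
                findings.append((agent, path, hits[0]))
    return findings


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS_TXT)
    for agent, rules in groups.items():
        print(f"{agent}: disallow={rules['disallow']} allow={rules['allow']}")
    print("sitemaps:", sitemaps)
    for agent, path, hint in audit_robots(SAMPLE_ROBOTS_TXT):
        print(f"disclosed to everyone via robots.txt ({agent}): {path}  [{hint}]")
```

Any path the audit reports is better protected by authentication or by not being web-accessible at all; listing it in robots.txt only advertises it.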

Web history sources

There are archived versions of most public websites available on sources such as the Wayback Machine at archive.org. Interesting information can be found in an older version of a target's website, such as outdated organizational charts, phone numbers, customer intelligence, system information visible in the page source or in /robots.txt, older business partnerships, vulnerabilities fixed in later versions, and other useful data that the target doesn't want on the current website version. It is important to understand that publicly available information is hard to remove completely, making historical sources a valuable place for Reconnaissance research. To access the Wayback Machine, open up the web browser and navigate to http://archive.org; you will see the Internet Archive Wayback Machine in the middle of the page.

As a Penetration Tester, this is a valuable tool because it doesn't leave evidence of Reconnaissance on your target. In fact, your target is never even touched using this tool. All the information has been archived online in the Wayback Machine.

Social media resources

Social media is everywhere, and in most cases publicly accessible. Most people have Facebook or LinkedIn accounts, blogs, or other forms of cloud accounts containing valuable information. This information can be used as social engineering intelligence about a target's current or previous staff. An example is searching Glassdoor.com to identify previous employees who are disgruntled, based on their feedback.

There are many people-finding web resources, such as Maltego (found in Kali Linux), that can comb popular social media, public records, and job recruiting websites to fingerprint an individual based on limited information, such as a first and last name. A researcher could gather information such as everywhere an individual has lived, done business, the people with whom they socialize, special interests, favorite sports teams, and other useful data for future research and social engineering attacks.

Trust

Most people are naturally trusting and assume information posted on public sources is real. To test this concept, the writers of this book created a fake person through social media and pretended to be a new hire for a target company. The fake person would become friends with associates of our target, post fake holiday cards that were linked to a BeEF system designed to compromise vulnerable Internet browsers (using BeEF is covered later in this book), and capture sensitive information from compromised systems. We were able to map out the entire organization, obtain network information, and even had hardware shipped to us without an internal e-mail or phone number.

Our fake person, Emily Williams, isn't real, yet she received job offers, was provided inside information, and was given access to events hosted by the target. Information is power, and people will give it to a requester who seems like they can be trusted. More information on this project can be found at: http://www.thesecurityblogger.com/?p=1903

Job postings

Job postings contain a wealth of knowledge about a target's environment. Job listings can provide details on what type of systems are installed, who manages them, how large the staff is, and the staff's skill level. Human Resource representatives are typically eager to share information with a potential new hire, which can be used as an avenue to inside information. An example is targeting a job posting for an Oracle developer to understand the hardware, the version of Oracle, the names of existing and previous administrators, existing operation issues, security gaps, and methods of access, such as by asking "can administrators work from home, and how do they access the systems?"

Glassdoor.com is an example of a popular source for this type of data.

Location

The investment in cyber security for a target can typically be determined based on the level of physical security. One would assume a building with fences and armed guards would have a higher investment in cyber security than a target located within a public building. Online mapping sources such as Google Maps can help identify where physical security is implemented, and trends in how people move to and from the target. Other areas of interest are identifying where a Penetration Tester could camp out to scan for wireless networks, and possible methods to bypass access controls, such as the attire and badges used to obtain physical access.

Shodan

Shodan is a search engine that can identify a specific device, such as a computer, router, or server, using a variety of filters, such as metadata from system banners. For example, you can search for a specific system, such as a Cisco 3850, running a specific version of software, such as IOS Version 15.0(1)EX.

Google hacking

Google hacking is the most common form of search engine Reconnaissance of web applications. Google hacking uses advanced operators in the Google search engine to locate specific strings of text within search results. Search filters can zero in on specific versions of vulnerable web applications, such as pages containing Powered by Apache found with the intitle:"index of" operator, or identify log files such as ws_ftp.log that contain sensitive IP information. The following few screenshots demonstrate using a Google search for Linksys to find publicly available Linksys cameras. The first screenshot shows the search command followed by some example results from issuing the search.

The last screenshot shows a camera feed that could be found using this technique.

Some example search queries are as follows:
  • Identifies sensitive documents: intext: classified top secret
  • Identifies Linksys Camera Management GUIs (caution: you may not like what you find): inurl:main.cgi
  • Identifies Nessus reports to find vulnerable systems: inurl:NESSUSXXXXXXXX
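The queries above are just text matched against what a search engine has already indexed, so a site owner can run the same matching offline against an inventory of their own pages and see what would be found before the engine finds it. The following Python script is an added example, not code from the book, from Kali Linux or from the GHDB; the SAMPLE_PAGES inventory and its hostnames are constructed, and the operator handling covers only inurl:, intitle:, intext: and bare or quoted terms, which is all the queries on this page use.

```python
"""Evaluate Google-hacking style queries against a local page inventory.

Added example, not from the book, Kali Linux or the GHDB. A defender
exports a crawl of their own site (URL, title, body text), then checks
which pages the queries above would surface, before a search engine
indexes them. Only the operators those queries use are implemented:
inurl:, intitle:, intext:, and bare terms or quoted phrases. Nothing is
sent to Google; everything runs against the local inventory.
"""
import shlex

# Constructed inventory of a hypothetical site; no host or file is real.
SAMPLE_PAGES = [
    {"url": "https://www.example.com/index.html",
     "title": "Example Corp", "text": "Welcome to Example Corp."},
    {"url": "https://www.example.com/logs/ws_ftp.log",
     "title": "", "text": "2014.04.11 10:01 A .\\ <-- 10.0.0.5 /pub/file.txt"},
    {"url": "https://www.example.com/images/",
     "title": "Index of /images", "text": "Parent Directory Powered by Apache"},
    {"url": "https://cam.example.com/main.cgi",
     "title": "Camera Management", "text": "Live view"},
    {"url": "https://www.example.com/reports/NESSUS20140411.html",
     "title": "Scan results", "text": "Nessus Scan Report high severity"},
]

# Queries taken from the text above; the book writes the Nessus one as
# inurl:NESSUSXXXXXXXX, with the Xs standing for a report's digits.
DORK_QUERIES = [
    'intitle:"index of" "Powered by Apache"',
    "inurl:main.cgi",
    "inurl:NESSUS",
    "ws_ftp.log",
    "intext: classified top secret",
]

OPERATORS = ("inurl", "intitle", "intext")


def parse_query(query):
    """Split a query into (operator, term) pairs; bare terms get operator "any".

    shlex keeps quoted phrases together, so intitle:"index of" becomes
    ("intitle", "index of"). Terms are lower-cased for case-insensitive
    matching. An operator followed by a space (intext: foo) has an empty
    value; Google ignores such an operator, and so does matches().
    """
    terms = []
    for token in shlex.split(query):
        op, sep, value = token.partition(":")
        if sep and op.lower() in OPERATORS:
            terms.append((op.lower(), value.lower()))
        else:
            terms.append(("any", token.lower()))
    return terms


def matches(page, terms):
    """True when every term of the parsed query is satisfied by the page."""
    url = page["url"].lower()
    title = page["title"].lower()
    text = page["text"].lower()
    for op, value in terms:
        if not value:
            continue                      # empty operator value: no constraint
        if op == "inurl":
            ok = value in url
        elif op == "intitle":
            ok = value in title
        elif op == "intext":
            ok = value in text
        else:                             # bare term: anywhere on the page
            ok = value in url or value in title or value in text
        if not ok:
            return False
    return True


def exposure_report(pages, queries):
    """Map each query to the inventory URLs it would surface."""
    return {q: [p["url"] for p in pages if matches(p, parse_query(q))] for q in queries}


if __name__ == "__main__":
    for query, urls in exposure_report(SAMPLE_PAGES, DORK_QUERIES).items():
        print(f"{query!r}: {urls or 'nothing exposed'}")
```

Replace SAMPLE_PAGES with an export from your own crawler. A page that shows up for a query such as inurl:main.cgi or ws_ftp.log is a candidate for removal or access control, not for a robots.txt entry, since the search engine may already have indexed it.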


For more information on Google hacking, check out a very good book titled Google Hacking for Penetration Testers by Johnny Long, as well as his website at http://johnny.ihackstuff.com.



Google Hacking Database

The Google Hacking Database (GHDB), created by Johnny Long of Hackers For Charity (http://www.hackersforcharity.org/), is the definitive source for Google search queries. Searches for usernames, passwords, vulnerable systems, and exploits have been captured and categorized by Google hacking aficionados. The aficionados who have categorized the Google searches are affectionately known as Google dorks. To access the GHDB, navigate to http://www.exploit-db.com/google-dorks/. You will see the latest GHDB searches listed on the web page. You can click on any of the search queries yourself.


