PASSIVE AND ACTIVE RECONNAISSANCE

In this post we will learn about passive and active reconnaissance. Passive reconnaissance lets us gather information about a target without any kind of direct engagement. Active reconnaissance requires us to make some kind of contact with out target.

Some Passive Reconnaissance tools we will explore:

  • whois
  • nslookup
  • dig
  • DNSDumpster
  • Shodan.io

Some Active Reconnaissance tools we will explore:

  • ping
  • traceroute
  • telnet
  • nc

Passive Reconnaissance

In passive reconnaissance, we rely on publicly available knowledge that can be accessed without directly engaging the target. Passive recon may include:
  • Looking up DNS records from a public DNS server
  • Checking job ads related to the target website
  • Reading news articles about the target company
  • Visiting social media sites of the company or their employees

Whois
Whois is a request and response protocol that follows the RFC 3192 specification. A whois server listens on port 43 for incoming requests. A domain registrar is responsible for maintaining whois records for the domain names it is leasing. The whois server replies with various information related to the domain requested:
  • Registrar: Via which registrar was the domain name registered?
  • Contact information of the registrant.
  • Creation, update and expiration fates
  • Name Server: Which server to ask to resolve the domain name,
Whilst there are online servers that provide whois information, it is generally quicker to use whois in our terminal. Usage is: whois DOMAIN_NAME . See below for an example.


With the above information, we can look for new attack surfaces, such as contact details for social engineering or attacks against the email servers an admin is using. 


nslookup
In order to find the IP address using a domain name, we can use nslookup . Use is as follows: nslookup OPTIONS DOMAIN_NAME SERVER .

  • OPTIONS: contains the query type (for instance IPv4 or IPv6 addresses, A or AAAA respectively) 
  • DOMAIN_NAME: the domain name being looked up
  • SERVER: is the DNS server that we want to query. Visit here for a list of public DNS servers.
An example usage, here we check the IPv4 addresses using the -type=A tag, but it can also be useful to check IPv6 using the -type=AAAA tag.:



In the below example, we use the -type=MX option on order to search for the web servers of a target. We can see that Tryhackme.com's current email configuration uses Google. In this case we would not expect there to be vulnerabilities in the Mail Exchange servers, but it is worth checking a target's Mail Exchange servers (assuming they are within scope).


There are other options that are worth exploring as part of passive reconnaissance, such as -type=txt .


Dig
For more advances DNS queries and functionality, you can use Domain Information Groper ( dig ). Usage is: dig @SERVER DOMAIN_NAME TYPE .
  • @Server (optional): is the DNS server that we want to query.
  • Domain name
  • TYPE: Containts the DNS record type ( MX for Email Exchange Server, for example.)

DNSDumpster
DNS lookup tools, such as nslookup and dig cannot find subdomains on their own. Sometimes subdomains are valuable targets (if within scope) because they may not be updated as regularly as the main site. In order to find these subdomains, we can use https://dnsdumpster.com/.

Below is a graphical view of some of the subdomains and servers found, although there are other ways to view results.



Shodan.io
Shodan.io is a resource that can tell us about a network without actively connecting to it. Shodan.io does this by trying to connect to every device reachable online to build a search engine of connected "things". This can be useful as an attacker or a defender to find which devices in a network are exposed.



From a Shodan.io search result, we can learn things such as:
  • IP Address.
  • Hosting company.
  • Geographic location.
  • Server type and version.

Active Reconnaissance

Active reconnaissance requires us to make some kind of contact with our target. This could be a phone call or a visit to the target company. Alternatively, it can be a direct connection to a target system, whether it be a direct connection to the target system, visiting their website or checking if their firewall has an SHH port open.

Active reconnaissance can be done with many tools, including the following:
  • Web Browser
  • Ping
  • Traceroute
  • Telnet
  • Netcat
Web Browser
A web browser usually connects to TCP ports 80 or 443, HTTP and HTTPS respectively. However, a web browser can connect to other ports by appending the port to an address. For example https://127.0.0.1:4444. witll connect to 127.0.0.1 at port 4444 via HTPS protocol. 

Command tools can be used to examine and potentially modify any JavaScript, cookies and the folder structure of a site.

Some other tools that can be used in browser:

  • FoxyProxy: to quickly change the proxy server we use to access the target website. To be used when using tools such as Burp Suite. FoxyProxy
  • User-Agent Switch and Manager: Gives us the ability to pretend to be accessing the web page from a different web browser or OS. For example, we can pretend to visit a site using an iPhone, when actually using Mozilla Firefox. User-Agent Switcher
  • Wappalyzer: provides insights about the technologies used on the visited websites. Wappalyzer

Ping
The primary purpose of ping is to check network connectivity by checking whether we can reach the a remote system and that the remote system can reach us back. Ping foes this by sending a packet to the remote system and the remote system replies. We can use this to check whether a remote system is online.

Ping falls under ICMP (Internet Control Message Protocol). ICMP supports many types of queries, but we are interested in ping (ICMP echo/type 8) and ping reply (ICMP echo reply/type 0).

Ping may fail if the target is not connected to the network or its firewall is configured to block ping. MS Windows blocks ping by default.

Ping useage: ping OPTIONS TARGET .

Traceroute
The traceroute traces the route taken by the packets from our system 
to the target system. This command also reveals the number of routers between us and the target host. However, note that the route may change as routers use dynamic routing protocols that adapt to network changes.

Usage on Linux is traceroute MACHINE_IP .

There is no direct way to discover the path from your system to a target system. We rely on ICMP to “trick” the routers into revealing their IP addresses. We can accomplish this by using a small Time To Live (TTL) in the IP header field. Although the T in TTL stands for time, TTL indicates the maximum number of routers/hops that a packet can pass through before being dropped; TTL is not a maximum number of time units. When a router receives a packet, it decrements the TTL by one before passing it to the next router. The following figure shows that each time the IP packet passes through a router, its TTL value is decremented by 1. Initially, it leaves the system with a TTL value of 64; it reaches the target system with a TTL value of 60 after passing through 4 routers.

However, if the TTL reaches 0, it will be dropped, and an ICMP Time-to-Live exceeded would be sent to the original sender. In the following figure, the system set TTL to 1 before sending it to the router. The first router on the path decrements the TTL by 1, resulting in a TTL of 0. Consequently, this router will discard the packet and send an ICMP time exceeded in-transit error message. Note that some routers are configured not to send such ICMP messages when discarding a packet.


To summarise:
  • The number of hops/routers between our system and the target system depends on the time we rune the traceroute. If two traceroute commands are run, even at very similar times, there is no guarantee the packets will follow the same route.
  • Some routers return a public IP address. We can examine a few of these routers based on the scope of the penetration test.
  • Some routers don't return a reply.

Telnet
The TELNET (Teletype Network) was developed to communicate with a remote system via a command-line interface (CLI). Hence, the command telnet uses the TELNET protocol for remote administration. The default port used by telnet is 23. Telnet sends all data, including usernames and passwords in cleartext. The secure alternative to to telnet is SSH.

The telnet client relies on the TCP protocol, so can be used to connect to any service and grab its banner. Using IP_ADRESS PORT , we can connect to any service running on TCP and even exchange a few messages unless it uses encryption.

For example, if we wish to discover more information about a web server listening on port 80, we can use: telnet TARGET_IP and then GET / HTTP/1.1 . To get information on any other page than the default page, use GET / HTTP/page.html/1.1 .



Netcat
Netcat, or nc has different applications that can be of great value to a penetration tester. Netcat supports both TCP and UDP protocols. It can function as a client that connects to a listening port, as well as a listener on a port of our choice. 

Can connect to a port with nc IP_ADRESS PORT . For example, nc 10.10.177.51 80 . To get information on the default page via HTTP version 1.1, we input GET / HTTP/1.1 . Finally, we give a hostname host: ANYNAME .

We can also set up a netcat listener to listen on a TCP port and connect to a listening port on another system. On the system-side, we use nc OPTIONS PORT

Notes: 
  • The -p option must appear just before the port we wish to listen on. 
  • The option -n will avoid DNS lookups and warnings.
  • Port numbers less than 1024 require root privileges to listen on.
  • Port number on the server-side and client-side must match.
On the client-side we use SERVER_SIDE_IP PORT

Comments

Post a Comment

Popular posts from this blog

STARTUP

Image
  Startup is a TryHackMe room where there is a fictional new start up company called Spice Hut, their website is under development and they have some security concerns that they wish to test. I began by heading to the website and began manual enumeration of the site. The site had very minimal functionality, I checked the source code and found nothing of interest. There is a contact link, and I was hoping to be able to get an email address by following it, but it was empty. ' I then performed a Gobuster scan to look for any pages that I may be able to access. There is a page with the name files that is of particular interest.  Here I can see there is an FTP folder, upon opening it I can see that it is empty. I made a note of this as I may be able to upload files to it at a later stage, I then opened important.jpg which seemed to be of no particular interest, and notice.txt had the below text. I made a note of the name Maya, which could be a potential user or username in the future.
Read more

NMAP POST PORT SCANS

In this post we will talk about the steps that follow port-scanning, including service detection, OS detection, Nmap scripting engine and saving the scan results. Service Detection Once Nmap discovers open ports, they can be probed to detect running services and therefore for vulnerabilities. Adding the -sV option to an Nmap scan will collect and determine service and version information for the open ports. --version-intensity LEVEL will specify the intensity of the scan, with 0 being lowest and 9 being highest. Using -sV will force Nmap to use the TCP 3 way handshake. This is because Nmap needs to fully communicate with the target to get information and therefore cannot use the stealth scan -sS . NOTE : In order to run -sV we need root privileges.  OS Detection Nmap can detect the OS based on its behaviour and any telltale signs in its responses by using the -O option. Whilst the OS detection is very convenient, many factors affect its accuracy. In order to have an accurate
Read more

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address or domain that is ou
Read more