PASSIVE AND ACTIVE RECONNAISSANCE

In this post we will learn about passive and active reconnaissance. Passive reconnaissance lets us gather information about a target without any kind of direct engagement. Active reconnaissance requires us to make some kind of contact with out target.

Some Passive Reconnaissance tools we will explore:

  • whois
  • nslookup
  • dig
  • DNSDumpster
  • Shodan.io

Some Active Reconnaissance tools we will explore:

  • ping
  • traceroute
  • telnet
  • nc

Passive Reconnaissance

In passive reconnaissance, we rely on publicly available knowledge that can be accessed without directly engaging the target. Passive recon may include:
  • Looking up DNS records from a public DNS server
  • Checking job ads related to the target website
  • Reading news articles about the target company
  • Visiting social media sites of the company or their employees

Whois
Whois is a request and response protocol that follows the RFC 3192 specification. A whois server listens on port 43 for incoming requests. A domain registrar is responsible for maintaining whois records for the domain names it is leasing. The whois server replies with various information related to the domain requested:
  • Registrar: Via which registrar was the domain name registered?
  • Contact information of the registrant.
  • Creation, update and expiration fates
  • Name Server: Which server to ask to resolve the domain name,
Whilst there are online servers that provide whois information, it is generally quicker to use whois in our terminal. Usage is: whois DOMAIN_NAME . See below for an example.


With the above information, we can look for new attack surfaces, such as contact details for social engineering or attacks against the email servers an admin is using. 


nslookup
In order to find the IP address using a domain name, we can use nslookup . Use is as follows: nslookup OPTIONS DOMAIN_NAME SERVER .

  • OPTIONS: contains the query type (for instance IPv4 or IPv6 addresses, A or AAAA respectively) 
  • DOMAIN_NAME: the domain name being looked up
  • SERVER: is the DNS server that we want to query. Visit here for a list of public DNS servers.
An example usage, here we check the IPv4 addresses using the -type=A tag, but it can also be useful to check IPv6 using the -type=AAAA tag.:



In the below example, we use the -type=MX option on order to search for the web servers of a target. We can see that Tryhackme.com's current email configuration uses Google. In this case we would not expect there to be vulnerabilities in the Mail Exchange servers, but it is worth checking a target's Mail Exchange servers (assuming they are within scope).


There are other options that are worth exploring as part of passive reconnaissance, such as -type=txt .


Dig
For more advances DNS queries and functionality, you can use Domain Information Groper ( dig ). Usage is: dig @SERVER DOMAIN_NAME TYPE .
  • @Server (optional): is the DNS server that we want to query.
  • Domain name
  • TYPE: Containts the DNS record type ( MX for Email Exchange Server, for example.)

DNSDumpster
DNS lookup tools, such as nslookup and dig cannot find subdomains on their own. Sometimes subdomains are valuable targets (if within scope) because they may not be updated as regularly as the main site. In order to find these subdomains, we can use https://dnsdumpster.com/.

Below is a graphical view of some of the subdomains and servers found, although there are other ways to view results.



Shodan.io
Shodan.io is a resource that can tell us about a network without actively connecting to it. Shodan.io does this by trying to connect to every device reachable online to build a search engine of connected "things". This can be useful as an attacker or a defender to find which devices in a network are exposed.



From a Shodan.io search result, we can learn things such as:
  • IP Address.
  • Hosting company.
  • Geographic location.
  • Server type and version.

Active Reconnaissance

Active reconnaissance requires us to make some kind of contact with our target. This could be a phone call or a visit to the target company. Alternatively, it can be a direct connection to a target system, whether it be a direct connection to the target system, visiting their website or checking if their firewall has an SHH port open.

Active reconnaissance can be done with many tools, including the following:
  • Web Browser
  • Ping
  • Traceroute
  • Telnet
  • Netcat
Web Browser
A web browser usually connects to TCP ports 80 or 443, HTTP and HTTPS respectively. However, a web browser can connect to other ports by appending the port to an address. For example https://127.0.0.1:4444. witll connect to 127.0.0.1 at port 4444 via HTPS protocol. 

Command tools can be used to examine and potentially modify any JavaScript, cookies and the folder structure of a site.

Some other tools that can be used in browser:

  • FoxyProxy: to quickly change the proxy server we use to access the target website. To be used when using tools such as Burp Suite. FoxyProxy
  • User-Agent Switch and Manager: Gives us the ability to pretend to be accessing the web page from a different web browser or OS. For example, we can pretend to visit a site using an iPhone, when actually using Mozilla Firefox. User-Agent Switcher
  • Wappalyzer: provides insights about the technologies used on the visited websites. Wappalyzer

Ping
The primary purpose of ping is to check network connectivity by checking whether we can reach the a remote system and that the remote system can reach us back. Ping foes this by sending a packet to the remote system and the remote system replies. We can use this to check whether a remote system is online.

Ping falls under ICMP (Internet Control Message Protocol). ICMP supports many types of queries, but we are interested in ping (ICMP echo/type 8) and ping reply (ICMP echo reply/type 0).

Ping may fail if the target is not connected to the network or its firewall is configured to block ping. MS Windows blocks ping by default.

Ping useage: ping OPTIONS TARGET .

Traceroute
The traceroute traces the route taken by the packets from our system 
to the target system. This command also reveals the number of routers between us and the target host. However, note that the route may change as routers use dynamic routing protocols that adapt to network changes.

Usage on Linux is traceroute MACHINE_IP .

There is no direct way to discover the path from your system to a target system. We rely on ICMP to “trick” the routers into revealing their IP addresses. We can accomplish this by using a small Time To Live (TTL) in the IP header field. Although the T in TTL stands for time, TTL indicates the maximum number of routers/hops that a packet can pass through before being dropped; TTL is not a maximum number of time units. When a router receives a packet, it decrements the TTL by one before passing it to the next router. The following figure shows that each time the IP packet passes through a router, its TTL value is decremented by 1. Initially, it leaves the system with a TTL value of 64; it reaches the target system with a TTL value of 60 after passing through 4 routers.

However, if the TTL reaches 0, it will be dropped, and an ICMP Time-to-Live exceeded would be sent to the original sender. In the following figure, the system set TTL to 1 before sending it to the router. The first router on the path decrements the TTL by 1, resulting in a TTL of 0. Consequently, this router will discard the packet and send an ICMP time exceeded in-transit error message. Note that some routers are configured not to send such ICMP messages when discarding a packet.


To summarise:
  • The number of hops/routers between our system and the target system depends on the time we rune the traceroute. If two traceroute commands are run, even at very similar times, there is no guarantee the packets will follow the same route.
  • Some routers return a public IP address. We can examine a few of these routers based on the scope of the penetration test.
  • Some routers don't return a reply.

Telnet
The TELNET (Teletype Network) was developed to communicate with a remote system via a command-line interface (CLI). Hence, the command telnet uses the TELNET protocol for remote administration. The default port used by telnet is 23. Telnet sends all data, including usernames and passwords in cleartext. The secure alternative to to telnet is SSH.

The telnet client relies on the TCP protocol, so can be used to connect to any service and grab its banner. Using IP_ADRESS PORT , we can connect to any service running on TCP and even exchange a few messages unless it uses encryption.

For example, if we wish to discover more information about a web server listening on port 80, we can use: telnet TARGET_IP and then GET / HTTP/1.1 . To get information on any other page than the default page, use GET / HTTP/page.html/1.1 .



Netcat
Netcat, or nc has different applications that can be of great value to a penetration tester. Netcat supports both TCP and UDP protocols. It can function as a client that connects to a listening port, as well as a listener on a port of our choice. 

Can connect to a port with nc IP_ADRESS PORT . For example, nc 10.10.177.51 80 . To get information on the default page via HTTP version 1.1, we input GET / HTTP/1.1 . Finally, we give a hostname host: ANYNAME .

We can also set up a netcat listener to listen on a TCP port and connect to a listening port on another system. On the system-side, we use nc OPTIONS PORT

Notes: 
  • The -p option must appear just before the port we wish to listen on. 
  • The option -n will avoid DNS lookups and warnings.
  • Port numbers less than 1024 require root privileges to listen on.
  • Port number on the server-side and client-side must match.
On the client-side we use SERVER_SIDE_IP PORT

Comments

Post a Comment

Popular posts from this blog

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address o...
Read more

FILE INCLUSION

Image
File Inclusion Vulnerabilities is a vulnerability that often affects web applications when a user is allowed to requests files with poor input sanitation or validation. This becomes a risk if the attacker is able to read, edit, or create files on the server. Web applications can be written to request files on a system, such as images or text files, via parameters. Parameters are query parameter strings attached to the URL that can be used to retrieve data or perform actions based on user input. See below for a breakdown of the essential parts of a URL. In this example the user is requesting a file called userCV.pdf via a GET request. File inclusion vulnerabilities occur when a web application is poorly written. The main area of concern where user input is not sanitized or validated when they user controls them. For example, an attacker could visit http://webapp.tbh/get.php?file=userCV.pdf and if there is no authentication that the user who requested the file is allowed the file (for...
Read more