Which of the following terms involves activities that gather information about the organization and its network?

Reconnaissance

Jeremy Faircloth, in Penetration Tester's Open Source Toolkit (Fourth Edition), 2017

A Methodology for Reconnaissance

At a high level, reconnaissance can be divided into five phases as listed in Table 2.1. We will cover most of these in this chapter; however, the final phase of vitality checking will be covered in Chapter 3, Scanning and Enumeration, as it can involve scanning and enumeration activities.

Table 2.1. Five Phases of Reconnaissance

Phase: Open Source Intelligence (OSINT) Gathering
Objective: To learn as much about the target, its business, its organizational structure, and its business partners as possible.
Output: A list of company names, partner organization names, and DNS names which reflect the entire target organization including all of its brands, divisions, and local representations. In addition, other useful information may be uncovered.
Tools: Search engines; financial databases; business reports; WHOIS; RWHOIS; domain name registries and registrars; web archives; data mining tools

Phase: Footprinting
Objective: To mine as many DNS host names as possible from the domains or company names collected and translate those into IP addresses or IP address ranges.
Output: A list of DNS host names, IP addresses, and IP address ranges.
Tools: DNS; WHOIS; DIG; SMTP; data mining tools

Phase: Human Recon
Objective: To analyze the human perspective of the target and gain as much intelligence as possible about the people associated with the organization.
Output: A list of names, job titles, contact information, and other personal details about the people associated with the organization.
Tools: Search engines; email lists and website posts; social networking services; publicly available records

Phase: Verification
Objective: To confirm the validity of information collected in the prior phases.
Output: This phase rarely produces new output but can clean up existing output by removing invalid data. Some additional information can sometimes be gathered as a side product of the verification.
Tools: DNS; WHOIS; DIG

Phase: Vitality
Objective: To confirm the reachability of the IP addresses identified in prior phases. This is a phase which spreads between reconnaissance and enumeration.
Output: A list of IP addresses from prior phases which have been confirmed as reachable.
Tools: PING; port scanners; mapping tools

The first four phases in Table 2.1 are iterative; that is, we repeat them in sequence over and over again until no new information is added, at which point the loop should terminate. This can take a very long time and can be as detailed as you need depending on your specific purposes. If you reach a point where you feel that you have gathered sufficient information for successfully performing your penetration test, feel free to terminate your reconnaissance. Reconnaissance’s value decreases after you have reached the point where further actions should be performed or when no further useful information can be gathered. That said, if you find additional details about the target during future penetration testing activities which could be further expanded upon through additional reconnaissance, it may be worthwhile to go through the reconnaissance methodology using those new details as input.

For the remainder of this chapter, we will examine four of the reconnaissance phases in detail: intelligence gathering, footprinting, human recon, and verification. Each of these uses specific core technologies which we will leverage using a variety of open source tools. For each phase, we will be going over the core technologies that we will be using, the general approach, and how to use open source tools to utilize that technology effectively in our reconnaissance activities.


URL: https://www.sciencedirect.com/science/article/pii/B9780128021491000026

Reconnaissance

James Broad, Andrew Bindner, in Hacking with Kali, 2014

Create a Doppelganger

A doppelganger in folklore is a ghostly copy of an individual. It is common practice to develop a persona before beginning reconnaissance in the social media world. It is usually not effective to conduct research on a target using the profile of a security expert or penetration tester. If the penetration tester is able to establish social interactions with individuals from the organization through social media, it would be far more effective if the penetration tester had a persona that claims to have once worked in the target organization or went to the same college as the CEO that the penetration tester is trying to connect with on LinkedIn. Obviously the penetration tester must be wary of completely taking over a real person’s identity, an act that could lead some to believe that identity theft has occurred, but it is not uncommon for two people to have similar names. For example, developing a fictitious persona with the name of John Smith that went to Wisconsin University and a background that is totally made up is not the same as stealing the identity of the actual John Smith that went there. In any case, ensure your persona does not bleed over into identity theft or fraud. This means, among other things, not filling out that credit card application that arrives with your persona's name on it and not using this persona to enter into legal agreements.

The lines for using a doppelganger should be specified early in the engagement, and if social engineering is allowed, the doppelganger should be developed so that it will be effective when social engineering comes into play. When filling out registrations for social media sites, the penetration tester should pay attention to the usage policy to ensure that policies, rules, or in the worst case laws are not being broken by using a doppelganger persona.


URL: https://www.sciencedirect.com/science/article/pii/B9780124077492000070

Introduction to Intrusion Detection Systems

In Cisco Security Professional's Guide to Secure Intrusion Detection Systems, 2003

Reconnaissance Attacks

Reconnaissance attacks are used to gather information about a target network or system. Such attacks may seem harmless at the time and may be overlooked by security administrators as “network noise” or pestering behavior, but it is usually the information gained through reconnaissance attacks that is used in subsequent Access or DoS attacks.

Several means may be used to gather information about an organization and could include automated and manual technological attacks as well as human social attacks. Examples might include ICMP ping sweeps against a network or SNMP walking techniques to gather network map and device configuration data. Likewise, application-level scanners could be used to search for vulnerabilities such as web server CGI or ASP weaknesses.

No specific damage may be caused by the reconnaissance attack, but it is akin to burglars staking out a neighborhood, watching for times of inactivity, and occasionally testing windows and doors for access.

Reconnaissance attacks are quite common and should be considered a serious threat to an organization as they may give potential attackers the information required to perform access or DoS attacks.
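The excerpt above names ICMP ping sweeps and SNMP walking as typical reconnaissance activity that administrators tend to dismiss as "network noise". The following is an added example, not code from the book or from Cisco, showing how a defender can separate that noise from reconnaissance: a single source reaching many distinct hosts in one category within a short window is the signature, not any one packet. The log format, thresholds, addresses and timestamps are all constructed for the example; the parser would be adapted to a real firewall's export format.

```python
"""Flag reconnaissance fan-out (ping sweeps, SNMP walking) in firewall logs.

Added example, not code from the book. The log format and all addresses
below are constructed for the example; adapt parse_line() to your own
firewall's export format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> src=<ip> dst=<ip> proto=<p> [dport=<n>] [type=<n>]"
SAMPLE_LOG = [
    # 203.0.113.7 sends one ICMP echo request to ten hosts in nine seconds: a ping sweep.
    *(f"2024-03-01T10:00:{i:02d} src=203.0.113.7 dst=192.0.2.{i + 1} proto=icmp type=8"
      for i in range(10)),
    # 203.0.113.9 sends SNMP requests (UDP/161) to nine hosts in forty seconds: SNMP walking.
    *(f"2024-03-01T10:05:{i * 5:02d} src=203.0.113.9 dst=192.0.2.{20 + i} proto=udp dport=161"
      for i in range(9)),
    # A monitoring host pinging one server repeatedly: a single destination, never flagged.
    *(f"2024-03-01T10:10:{i:02d} src=198.51.100.5 dst=192.0.2.1 proto=icmp type=8"
      for i in range(5)),
    # Pings to different hosts two minutes apart: never enough targets inside one window.
    *(f"2024-03-01T10:{20 + 2 * i:02d}:00 src=203.0.113.11 dst=192.0.2.{40 + i} proto=icmp type=8"
      for i in range(6)),
    # An ordinary HTTPS connection: TCP is outside the two categories tracked here.
    "2024-03-01T10:30:00 src=198.51.100.6 dst=192.0.2.80 proto=tcp dport=443",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"]) if e["dport"] else None
    e["type"] = int(e["type"]) if e["type"] else None
    return e


def classify(event):
    """Return the reconnaissance category an event counts toward, or None for neither."""
    if event["proto"] == "icmp" and event["type"] == 8:    # ICMP echo request
        return "ping_sweep"
    if event["proto"] == "udp" and event["dport"] == 161:  # SNMP
        return "snmp_walk"
    return None


def detect_fanout(lines, threshold=8, window_seconds=60):
    """Alert once per (source, category) when a source reaches `threshold` distinct
    destinations of that category within a sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (src, category) -> deque of (ts, dst), oldest first
    alerted = set()
    alerts = []
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])  # logs are not always emitted in time order
    for e in events:
        category = classify(e)
        if category is None:
            continue
        key = (e["src"], category)
        q = recent[key]
        q.append((e["ts"], e["dst"]))
        while e["ts"] - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": e["src"], "category": category, "targets": len(distinct),
                "first_seen": q[0][0].isoformat(), "last_seen": e["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG):
        print(alert)
```

The threshold is on distinct destinations rather than packet count, which is why the monitoring host that pings one server five times is never flagged while the sweep is; the window keeps a slow, spread-out probe from accumulating. Both knobs need tuning against a site's own baseline before the alert is trusted.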


URL: https://www.sciencedirect.com/science/article/pii/B9781932266696500215

Reconnaissance

Patrick Engebretson, in The Basics of Hacking and Penetration Testing, 2011

Publisher Summary

Reconnaissance, also known as information gathering, is classified into active and passive reconnaissance. Active reconnaissance includes interacting directly with the target. It is important to note that during this process, the target may record the IP address and log the activity. Passive reconnaissance makes use of the vast amount of information available on the web. When one is conducting passive reconnaissance, one is not interacting directly with the target and as such, the target has no way of knowing, recording, or logging the activity. The reconnaissance is aimed at collecting as much information as possible on a target. At this point in the penetration test, no detail should be overlooked regardless of how innocuous it may seem. While one is gathering information, it is important to keep the data in a central location. Reconnaissance begins by closely reviewing the target's website. In some cases, a tool called HTTrack is used to make a page-by-page copy of the website. The copied website will include all the pages, links, pictures, and code from the original website; however, it resides on the local computer. An excellent tool to use in reconnaissance is The Harvester. The Harvester is a simple but highly effective Python script written by Christian Martorella at Edge Security. This tool quickly and accurately catalogs both e-mail addresses and subdomains that are directly related to the target.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496551000027

Seven Commonalities of Subversive Multivector Threats

Will Gragido, John Pirc, in Cybercrime and Espionage, 2011

Reconnaissance

Reconnaissance is neither new nor revolutionary in both practical execution and concept. In fact, it is quite old as anthropologists and historians alike would (and do) tell us—often in the context of a broader discussion or dialogue on the topic of humanity, its patterns, and behaviors. As such, one might argue that reconnaissance is and has always been an elementary aspect of human life and our evolution on the planet. We perform reconnaissance on a daily basis in the modern world when we seek out new environments which we visit and perhaps live in. We check the surroundings to see if any opposition—natural or otherwise—might be encountered and make decisions on whether or not to proceed as a result. Similarly, as we see in anthropological studies, human beings have leveraged reconnaissance in a manner that can only be described as integral to their survival. In hunting, gathering, and in the course of making war, humanity has valued and will always value reconnaissance.

Reconnaissance in modern parlance is the execution of exploratory activities in order to seek and gain information. It enables one party to determine the intention(s) of another party by collecting and gathering salient information about the other party's composition and capabilities in addition to other pertinent information—environmental conditions such as logistics, position, activities, defensive positions, and so on. In military tradition, this work occurs directly or indirectly, via elite, highly trained scouts and intelligence units trained in critical surveillance and observation. During the Vietnam War, the United States Marine Corps Force Reconnaissance developed two primary mission functions in order to expand on and perfect this function. They first focused on what had less to do with altercation and confrontation of hostile enemies. United States Marines refer to these types of reconnaissance missions as “keyhole” or “green” ops. These missions and the associated tactics and techniques utilized during the course of the operation and mission were created in order to conduct deep reconnaissance tactics.

The mission was clear: identify, gather, and collect all pertinent intelligence of military importance while observing, identifying, and reporting adversaries and salient details pertaining to them. The secondary sets of mission functions developed by these United States Marine Corps Force Reconnaissance units were developed with the intention of actively seeking out and engaging enemy forces. They were, and are, considered to be the inverse of “keyhole” or “green ops” missions, where operators in the field actively attempt to avoid contact or engagement with enemy forces, focusing themselves on more passive, observationally relevant activity rather than combat. These types of reconnaissance missions were referred to as “sting ray” or “black ops” and required, as previously stated, direct action (DA) as opposed to passivity.

Black operations (often conducted in unison with or on behalf of intelligence community representatives) rely heavily on the inclusion of shock and awe or rapid dominance. These doctrines are based on the use and employment of overwhelming force and power in parallel to dominant battlefield awareness maneuvers, in addition to spectacular demonstrations of strength, in order to paralyze the adversary's perception of the battle, the battlefield, and their opponent, culminating in the destruction of the enemy's willingness to fight.

Electronic intelligence reconnaissance and surveillance is, in many respects, not different from direct in-country deep reconnaissance or DA-based operations. Fields of battle change as do theaters of operation. Adversaries come and go; however, their missions remain clear to both the aggressor and defenders. Bearing this in mind, we should be well-versed in all tactics and strategy—defensive, offensive, conventional, and unconventional—in order to ensure our preparedness to assume either role depending on need and circumstances. Whether state sponsored, subnational, independent, criminal, or otherwise, there are many who are fully qualified in reconnaissance and surveillance operations in the traditional sense and that associated with the cyber realm.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496131000091

Intrusion Detection in Contemporary Environments

Tarfa Hamed, ... Stefan C. Kremer, in Computer and Information Security Handbook (Third Edition), 2017

Reconnaissance Techniques

Reconnaissance involves collecting the maximum possible information about the victim before starting the attack. Usually, this technique is associated with hacking. In the following, we list some reconnaissance techniques [21]:

Social engineering: This technique involves manipulating an individual's reasoning or sense of social norms to obtain sensitive information or text.

Dumpster diving: This technique involves obtaining sensitive information from trash locations.

Usenet tools: This technique depends on gathering data from company websites, gathering information from employees' social networks, or collecting some useful information from business partners.

Domain name system (DNS) reconnaissance–zone transfer: A DNS server can be a good place for hackers to harvest important information such as the address of a mail server, the address of a web server, operating system information, and even comments.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000065

Tools and Techniques

Steve Winterfeld, in The Basics of Cyber Warfare, 2013

Reconnaissance Tools

Reconnaissance tools, as should be clear from the name, are those that we use to gather information, usually in a passive state, about the networks and systems that we might plan to take action against in a logical sense. Such efforts may include gathering information from public websites, looking up Domain Name System (DNS) server records, collecting metadata from accessible documents, retrieving very specific information through the use of search engines, or any of a number of other similar activities. For reconnaissance, we may use information gathered from sources such as:

Websites.

Search engines.

Google hacking.

WHOIS searches/DNS queries.

Metadata.

Specialized search tools such as Maltego.


URL: https://www.sciencedirect.com/science/article/pii/B9780124047372000045

Introduction

Regis J. (Bud) Bates, in Securing VoIP, 2015

Terms and attacks

Oftentimes the terms used in a data processing environment migrate over to the VoIP systems. The reason is simple; the VoIP system is computer driven, software based, and connects to the LAN, just like the data processing equipment. A router handling the packets of voice performs the same as a router for strictly data. However, many routers (gateways, switches, etc.) handle both the voice and the data packets. Therefore, the same terms and risks exist for VoIP.

Thus, when looking at some of the terms used in the industry as seen in Table 1.5, the same terms have been around for many years in the data environment.

Table 1.5. Common Terms Used in Data and VoIP Systems

Virus: A program that can replicate itself with little or no user intervention; the replicated programs can also replicate themselves.

Worm: A form of virus that spreads by replicating itself on hard drives, systems, or networks. A worm working, for example, with an e-mail system can make copies of itself to every address in the e-mail system address book. Examples of these worms are Code Red and Nimda. These high-profile worms caused significant damage in the recent past.*

Trojan horse: A disguised program that appears to have some use or may be amusing, such as a game or a screen saver. However, in the background the Trojan is performing other tasks such as deleting or changing data and capturing keystrokes (key loggers) that constitute log-on and passwords. A true Trojan horse is not technically a virus because it does not replicate itself. It is, however, a very dangerous program.

*A quick note is that in a VoIP system, presence is now used to create friends lists, etc.; these are in the form of an e-mail address that is a target for the worm. These can also be unknowingly launched by a “script kiddy.”

Moreover, beyond the terms used, the names of attacks fall under one of the following:

Structured

Unstructured

Internal

External

Some of the kinds of attacks on a VoIP system include such things as:

Reconnaissance attacks

Access attacks

DoS attacks

Data manipulation attacks

Each of the above-mentioned four categories is an issue that covers other forms of service problems. The VoIP system should be designed and tested to protect against such kinds of attacks as shown in Table 1.6.

Table 1.6. Typical Types of Attacks on a VoIP System

Toll fraud (theft of service): The IP version of the classic attack by a person impersonating an employee (social engineering) or Console Cracking (asking the operator for an outside trunk) to make long-distance calls. However, the attacker impersonates a valid user and IP address by plugging in their phone or spoofing the MAC Ethernet address.

Service use and abuse (internal threat): The abuser uses services for his/her own personal gain; this could be long-distance service abuse.

Eavesdropping (monitoring): The attacker sniffs (taps into the LAN wireline or Wi-Fi connection) to intercept voice messages. Easily available programs such as Voice over Misconfigured Internet Telephony (VOMIT) perform this function. Other tools used are Wireshark,* Audacity, etc.

Call hijacking (session hijacking): The attacker spoofs a SIP response, redirecting the caller to a rogue SIP address, and intercepts the call.

Resource exhaustion (service disruption): Also known as a denial-of-service (DoS) attack. This attack reduces the number of available IP addresses, bandwidth, processor memory, and other router/server functions.

Message integrity: Man-in-the-middle (MIM) attacks to intercept, alter, or redirect a call. Sitting between the caller and the system also allows the MIM to capture log-ons and/or passwords.

Message-type attacks: The attacker bombards (repetitively) the SIP server with BYE or CANCEL messages or Internet Control Message Protocol (ICMP) “port unreachable” messages.

*Earlier versions were called Ethereal.

Reconnaissance attacks, shown in Figure 1.14 [note the five example points selected (arrows point to the example point) to perform the reconnaissance], are, as the name implies, a form of intelligence gathering. Typically the networks are probed at various points to determine any openings and vulnerabilities. Some of the methods used to perform a reconnaissance attack include call walking and port scanning. Call walking is a term used in reconnaissance attacks whereby the attacker initiates a lot of calls to a block of telephone numbers (say 100 numbers) in hopes of obtaining some identification of the resources used to service these calls. Some people will remember the term “war dialing” used in the movie WarGames, where a modem was used to dial sequentially through a block of numbers (10,000) to discover any modems that would answer and then create a target list. Call walking is a newer version of the war dialing program. The first action undertaken by an attacker when attempting to penetrate a network is to perform a reconnaissance attack such as a call walking probe. A successful probe would determine how the network equipment, users, and services perform as a means to be exploited or disrupted. This information could then be used to launch a structured attack against the network. This could then lead to one or more of the following:


Figure 1.14. Reconnaissance attack.

Dictionary attack

Stealing presence of a SIP user

Single user flood (UDP flood or number of calls flood)

Multiuser flood (UDP flood or number of calls flood)

Call walking

Playing a SPAM message in audio format
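Call walking and the BYE/CANCEL bombardment listed under message-type attacks in Table 1.6 both leave a distinctive trace in the SIP proxy's signaling log, which is where a VoIP operator can catch them. The following is an added example, not code from the book, that runs two detectors over constructed SIP events: call walking is recognized as one source INVITEing many distinct numbers that form a dense numeric block (the "block of telephone numbers" the text describes), which separates it from a legitimately busy caller dialing unrelated numbers; a message-type flood is recognized as a burst of BYE or CANCEL messages from one source. The event format, numbers, addresses and thresholds are all assumptions made for the example.

```python
"""Spot call walking and BYE/CANCEL floods in SIP signaling logs.

Added example, not code from the book. The event format, phone numbers and
addresses are constructed for the example; a real deployment would feed this
from the SIP proxy's or SBC's own logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> src=<ip> method=<SIP method> to=<dialed number>"
SAMPLE_SIP_LOG = [
    # 203.0.113.20 INVITEs twelve consecutive numbers in 44 seconds: call walking a block.
    *(f"2024-03-01T09:00:{i * 4:02d} src=203.0.113.20 method=INVITE to=2125551{i:03d}"
      for i in range(12)),
    # A busy sales desk placing twelve calls to unrelated numbers: same volume, no block.
    *(f"2024-03-01T09:02:{i * 4:02d} src=198.51.100.30 method=INVITE to={n}"
      for i, n in enumerate(["2125550199", "7185553020", "3105554411", "2015556782",
                             "9175551203", "6465553398", "2125559004", "9735552217",
                             "5165558810", "7185550042", "3475556605", "2125557731"])),
    # 203.0.113.50 sends thirty CANCELs in six seconds: a message-type flood.
    *(f"2024-03-01T09:05:{i // 5:02d} src=203.0.113.50 method=CANCEL to=2125550100"
      for i in range(30)),
    # Normal call teardown: a single BYE.
    "2024-03-01T09:06:00 src=198.51.100.30 method=BYE to=2125550100",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) to=(?P<to>\d+)$")


def parse_event(line):
    """Parse one constructed SIP event line, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "method": m["method"], "to": int(m["to"])}


def sorted_events(lines):
    events = [e for e in (parse_event(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])  # logs are not always written in time order
    return events


def detect_call_walking(lines, min_numbers=10, window_seconds=120, min_density=0.5):
    """Alert when one source INVITEs at least `min_numbers` distinct numbers within the
    window and those numbers form a dense block (distinct count divided by numeric span)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (ts, dialed number), oldest first
    alerted, alerts = set(), []
    for e in sorted_events(lines):
        if e["method"] != "INVITE":
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["to"]))
        while e["ts"] - q[0][0] > window:
            q.popleft()
        numbers = {n for _, n in q}
        density = len(numbers) / (max(numbers) - min(numbers) + 1)
        if len(numbers) >= min_numbers and density >= min_density and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"src": e["src"], "numbers_probed": len(numbers),
                           "block": f"{min(numbers)}-{max(numbers)}", "density": round(density, 2)})
    return alerts


def detect_message_flood(lines, methods=("BYE", "CANCEL"), min_count=20, window_seconds=10):
    """Alert when one source sends at least `min_count` BYE/CANCEL messages within the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of timestamps, oldest first
    alerted, alerts = set(), []
    for e in sorted_events(lines):
        if e["method"] not in methods:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= min_count and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"src": e["src"], "count": len(q), "window_seconds": window_seconds})
    return alerts


def analyze(lines):
    """Run both detectors and return their alerts keyed by attack type."""
    return {"call_walking": detect_call_walking(lines),
            "message_floods": detect_message_flood(lines)}


if __name__ == "__main__":
    print(analyze(SAMPLE_SIP_LOG))
```

The density test is what makes the call-walking rule useful: the sales desk dials as many numbers as the walker in the same amount of time, but its numbers are scattered across a span of billions, so the rule stays quiet. An attacker walking a block with random gaps lowers the density, which is why the cutoff is 0.5 rather than requiring a perfectly contiguous range.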

Some of the commonly used reconnaissance tools are given as follows:

NMAP

Nessus

Port scanner (advanced port scanner)

Strobe

WHOIS

Ping

Nslookup

Trace

Access attacks include password crackers as means of gaining access either through MIM or through a form of reconnaissance attack. Table 1.7 lists a sampling of the password crackers used by evildoers. One cannot underestimate the tools that are readily available on the web.

Table 1.7. Sampling of Password Cracker Tools

Windows based: L0phtCrack4; PWLVIEW; Pwlhack 4.1; PWL-Key; ntPassword; SIPVicious; Cain and Abel

Unix/Linux based: Qcrack by Crypt Keeper; Cracker Jack by Jackal; John the Ripper by Openwall; Crack by Alec Muffet; FastJack; SIPVicious

One thing that should also be taken into account is the fact that social engineering can nullify all the benefits of a VoIP security plan. Regardless of what techniques are used, a social engineering (a different form of access) attack will virtually wipe out all the benefits of:

Authentication of the end user

VPN connections

Firewalls and VoIP-enabled firewalls

Network monitoring

Newspaper articles regarding the social engineering attacks abound. It is natural for an employee to feel somewhat intimidated when a person posing as a senior executive calls and says that they lost their password or their log-on. Either they are granted access by the employee looking it up or they are given a default access. This is an access attack in which the hacker gains unauthorized access as seen in Figure 1.15. Note the arrow pointing to where the unauthorized access occurs.


Figure 1.15. Unauthorized access.


URL: https://www.sciencedirect.com/science/article/pii/B9780124170391000012

Discretion

Edward G. Amoroso, in Cyber Attacks, 2011

Information Reconnaissance

Reconnaissance activity performed by an adversary is another means by which sensitive information can be exposed. This is important to recognize because attacks on national infrastructure will always include some form of reconnaissance. It can be done at arm's length using remote access over the Internet; it can be done using compromised or planted insiders with access to critical local data; it can be done using social engineering techniques; it can be done via deliberate theft, remote hacking, or quiet sabotage, and so on. Regardless of the technique or vantage point, reconnaissance is used to plan and prepare for attacks on infrastructure.

Adversarial attacks are rarely spontaneous; some amount of planning goes into each attack.

Reconnaissance Planning Levels

Three levels of reconnaissance are followed in most instances of cyber attack planning:

1. The first level involves broad, wide-reaching collection from a variety of possible sources. This can include web searches, personal contact, and business interaction.

2. The second level of reconnaissance involves targeted collection, often involving automation to provide assistance. Network scanning is the most common functional support for this second level of reconnaissance.

3. The third level involves direct access to the target. A successful hacking break-in to some system, followed by the collection of targeted data, is an example.

One possible scenario that strings the three phases together might involve broad reconnaissance, where something found on the Internet would prompt more targeted reconnaissance, which would involve the scanning activity to find something that could then be used in the third phase for direct access to a target (see Figure 7.5).


Figure 7.5. Three stages of reconnaissance for cyber security.

This three-stage model suggests that at each layer of information collection by an adversary the opportunity exists for security engineers to introduce information obscurity. The purpose of the obscurity would be to try to prevent a given type of information from being disclosed through the reconnaissance activity. The specific types of security-related national infrastructure information that should be obscured are as follows:

Attributes—This is information about seemingly nonsecurity-related features, functions, and characteristics of the computing, networking, applications, and software associated with national infrastructure. It could include equipment type, vendor name, size and capacity, and supported functionality. Adversaries often covet this type of information because it helps provide context for a given attack.

Protections—This is information related to the security protection of a national asset. It can range from technical configuration or setup data about systems to nontechnical contact information for key security administrative staff. The value of this information should be obvious; when obtained, it provides a roadmap for the type of countermeasures an adversary must consider in planning a successful attack.

Vulnerabilities—This is information related to exploitable holes in national infrastructure. It can range from well-known bugs in commercial operating systems to severe vulnerabilities in some national asset. Adversaries will seek this type of information from any possible source. This can include the national infrastructure management team, relevant technology or service vendors, or even the general public. The hacking community is also a rich source of vulnerability information, especially as it relates to national assets.

Of these three categories, vulnerability information tends to dominate most discussions about the types of information an adversary might desire. Go to the technical section of any bookstore, for example, and you can find thick tomes chronicling the exploitable holes in virtually any technology you can imagine. This gives you some idea of how difficult it really is to obscure vulnerability information. This should not discourage the operators of national infrastructure; when serious problems are discovered that can degrade essential services, the only responsible action is to work toward some sort of fix with the responsible parties before the information is shared with the rest of the world, which obviously includes the adversary.

Although truly obscuring vulnerability information is likely an impossibility, security managers should strive for discretion and privacy on this point whenever possible.


URL: https://www.sciencedirect.com/science/article/pii/B978012384917500007X

How are Organizations Being Compromised?

Eric Cole, in Advanced Persistent Threat, 2013

Reconnaissance

Reconnaissance involves finding out information, normally public information, about an organization to better understand how they operate, and is used to identify people or potential points of compromise that can be used to successfully exploit an organization. What is interesting is that many traditional attacks, for example worms, actually perform little reconnaissance and play the numbers game. They know that there are enough systems that will be vulnerable and unpatched, and they do not care which organizations they get into as long as they break into some. Essentially, if an attacker is going after quantity not quality, moving directly to step three, exploitation, is fine. However, if you want to target a specific organization, identify vulnerabilities, and have a high chance of compromise, performing reconnaissance is critical.

One of the questions that often gets asked is why the APT has such a high success rate and is almost always able to get into an organization it targets. The reason is reconnaissance. The more information that is collected through reconnaissance, the easier it is to break into an organization. The amount of information on the Internet is tremendous, and with the introduction of social media, information is growing at an exponential rate. If you gather enough information and perform enough reconnaissance, the chances of an attack being successful increase dramatically.

The idea of reconnaissance is not new and has always been performed by attackers. Even in the 1960s and 1970s, if someone was going to rob a house, they would drive through a neighborhood and see which houses did not have any lights turned on, indicating that someone might be on vacation. They would also look to see if there were newspapers piled outside the door, which indicated that someone had not been home for a few days. All of this subtle information can be quite valuable if it is gathered and correlated in a proper manner. Today, cyber reconnaissance via the Internet allows anyone (including an adversary) to gather and correlate a large amount of information with relative ease.

Let’s look at a brief example to show the value of reconnaissance. A publicly traded company is performing state-of-the-art research on a new project and there is information on their Website about how the company is going to change the way business is performed. For various reasons a foreign government wants to find out what they have discovered and obtain the research. Since it is a publicly traded company, they can go to the SEC public Website and pull down the financial reports that the company is required to file by law. In the findings they realize that the company has had a pretty flat year and business has been tough. The company is doing fine but they are going to have to look at ways to cut expenses and be more lean. The attacker also finds out that the organization's fiscal year ends in June. The attacker now begins to search the Web on the company name and finds out that one of the senior engineers on the project is giving a presentation on another topic at an upcoming conference. The presentation is on how to roll out technology X across the enterprise. After the presentation, the slides are available, and by going through the slides the attacker can see that the company is planning on rolling out Phase II of this project next fiscal year. By going through social media sites, they are able to locate other people who work at the company, including the name and email address of the CIO, who this person reports to. The attacker now crafts an email in April to the senior engineer and spoofs the from field to be the CIO’s email address. The subject line is budgetary constraints for Project X Phase II. The email states that the company is finalizing their budget for next year. While the CIO did everything possible to protect the project, because of tough economic times, budgets are being cut and reallocated. The CIO asks the engineer to please review the attached spreadsheet and confirm that the updated numbers will still allow Phase II of the project to be rolled out. Is there anyone who would not open the attachment? Because the attacker did such a good job on reconnaissance, the likelihood of compromise is almost guaranteed. When it comes to compromising an organization, everyone wants to jump the gun and go right to exploitation. However, by doing your homework and gathering information about the adversary, it can make the attack easier and the chance of success much higher. The APT knows and understands this, and it is one of the reasons why they might take 4 months to perform reconnaissance to increase their chances of success, but at the end, it is well worth the effort.

An interesting exercise is to perform analysis and determine what information and threat intelligence is publicly available on the Internet. Many times announcements, news articles, and press releases can inadvertently mention an organization or a person in an organization and put the organization at risk. However, many organizations do not even realize the information is out there. While you cannot stop the information from being published, if you know it is out there you can build a better defense and recognize that you are going to be targeted. With many clients, once you know how the adversary targets an organization using public information, you can start to predict with a high level of accuracy who is going to be targeted. Knowledge is power, and the more you know, the more effective defenses you can build. Threat intelligence is a critical component of understanding an organization’s exposure and building a proper defense against the APT.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499491000036

Which of the following terms involves activities that gather information about the organization and its network activities and assets?

The set of activities, which involves gathering information about the organization and its network activities and the subsequent process of identifying network assets, is called fingerprinting.

What term is used to describe decoy systems designed to lure potential attackers away from critical systems?

A honeypot is a network-attached system set up as a decoy to lure cyber attackers and detect, deflect and study hacking attempts to gain unauthorized access to information systems.

What is the process of classifying IDPS alerts so that they can be more effectively managed?

Alarm filtering is the process of classifying IDPS alerts so that they can be more effectively managed. An IDPS administrator can set up alarm filtering by running the system for a while to track the types of false positives it generates and then adjusting the alarm classifications.

What is an event that triggers an alarm when no actual attack is in progress?

False Attack Stimulus: An event that triggers alarms and causes a false positive when no actual attacks are in progress.