
QuickStart Recon

BSides Greenville · 2021 · 43:02 · 69 views · Published 2021-10
Category: Technical
Style: Talk
About this talk
Michael Holcomb (@mdholcomb) applies the 80/20 rule to reconnaissance, performing it in a practical, effective manner to reach significant findings as quickly as possible by leveraging tremendously valuable and free OSINT resources. www.bsidesgreenville.org @BSidesGVL
Transcript [en]

All right, well, for those of you that are sticking with track one, I appreciate you guys for hanging in there. We're going to talk about reconnaissance, another one of the areas that I'm very passionate about. If you heard the industrial control talk earlier, that's definitely one of the main focuses and passions I have these days, and reconnaissance and penetration testing is something that I've been involved with for a very long time. When we look at reconnaissance, it really is that first phase of a penetration test, and to me it's one of the most, if not

the most important phase of pen testing, maybe besides writing the report, right, that we're going to turn around and deliver to the client at the end of an engagement. This is actually based off of part of a section I have on reconnaissance in the two-day pen test class that I teach about once a year, and I actually took some of that content and put it into one of my Greenville Tech classes. I actually have two different pen testing classes in the cybersecurity program that we have there, which is really exciting. The first course maps out basically

to the PenTest+ or, I think, Certified Ethical Hacker certifications, and then in the second one we talk about advanced pen testing, or part of it is more realistic pen testing. Not that PenTest+ doesn't do a good job of aligning with realistic content for the most part, but it's also about getting realistic pen testing, and I almost see it as a how-to prep for taking the OSCP course as well, to give students a head start: everything I wish I knew before taking the OSCP class, and then some. So we'll talk about writing buffer overflows and manual

exploitation. I've added all of that to the two-day pen test class as well and renewed some of the other sections. With QuickStart Recon, the idea is, I'm a big fan of the 80/20 rule, right, or the Pareto principle. Depending on what we're looking at, we can always bring up the 80/20 rule. If you work in a business, or maybe own your own business, they always talk about 80% of your profits coming from 20% of your clients, which is an interesting way to look at it. Or if I'm doing a pen test and I'm doing

reconnaissance, I think 80% of the relevant results, the results I need that relate to the target that I'm working with, comes from about 20% of the work. The way I look at it is I can spend, let's say, 10 hours doing reconnaissance using a handful of tools like we're going to talk about here to find probably 90 to 95% of the information that's out there. Could I spend another 10 or 20 hours or 40 hours finding more information? Sure, but the more time I spend, it's a very little return on investment, and it takes much longer to find little pieces of information that

more than likely aren't going to pay off in the long run. Not to say don't do that if you have the time, but most of us aren't going to have the time, especially when performing penetration tests, where we're under the gun, right? We only have a limited amount of time to get in and find what we're looking for, be able to exploit the target, gain access and meet our objectives or missions, and then turn around and report for our clients. So again, this talk really is part demo, and I realize also there's a lot of great other tools out there, so for

those of you that are familiar with the tools, if you're using those tools, be sure to put them in the Discord channel. This is not meant to be a comprehensive list in any stretch of the imagination; if anything, it's supposed to be quite the opposite. It's: here's a few tools that we can use to perform reconnaissance against an organization. Maybe we should also be performing reconnaissance against our own organization to see what's exposed to the internet that we don't know about. When I do pen tests for clients outside of my Fluor work, I've never had a client where I didn't find something that they

weren't worried about, that they were not aware of. Maybe it's an old website that they spun up 10 years ago and they didn't realize it was still out there. Maybe it was the client whose system admin was hosting their web server at his house instead of the data center that they thought they were paying for. Or maybe it is that industrial control system that you have connected directly to the internet. There's always something that an organization isn't aware of because they're not doing their own reconnaissance. So that's another idea behind this quick start process: it can act as that little cheat sheet to help

organizations, and you working for your company, to perform your own reconnaissance, right, when we talk about hacking ourselves, to see where our exposures are. The first place we'll typically start is the target's main domain. Of course, I work at Fluor, so I know where all the proverbial skeletons are buried, at least the ones that have been buried in the last 10 years that I've worked there. I'm very familiar with it: I run vulnerability management and penetration testing and incident detection and response, so I know all of the systems that are connected to the internet, but we're always continually looking for new ones because somebody

could turn something up in the environment and we wouldn't know about it. We actually had an employee, probably about two years ago, that thought it would be great to stand up a Windows server in Amazon and expose Remote Desktop to the outside world. It was for a project, and that was something we caught within probably about 24 hours because we are doing reconnaissance on a regular basis. So, go shadow IT, right? There was definitely a corporate security policy violation issued for that, to say the least. But anyways, talking about reconnaissance, I always

you know, we do this in class and we'll go through this exercise. You can see our BSides event dashboard, but I will always go to the Fortune 500 list just to get an idea of targets. Sure, for small and medium-sized environments, it's kind of hit or miss whether they have a lot to actually look at, so it's a lot easier if you use a larger company. I don't like using Fluor; we're still Fortune 200, but at the same time it's one I'm very familiar with, so it's almost like cheating. We'll typically go,

let's go, maybe pick... I've seen a couple of these. Any suggestions, maybe, off of this list? I'll just leave it here. Don't do Wells Fargo, because that one didn't have a lot of hits on the homework. Okay, hey Sean, one of my students. Somebody actually did Disney, I saw Disney in there. (That was me.) There's Hillary. So how about Cisco? There's Cisco and then there's Sysco, which is funny because I used to know the gentleman that ran sales for all of Cisco, and we used to joke that he worked for this Sysco, which is the food distribution company,

so we kept asking, hey, can you give us some free cans of corn? He used to hate that. Amazon? I think Amazon owns Twitch and Twitch is in the spotlight right now. You want to do... you mean Twitch is Amazon Fire right now? Yeah, it's one of those that's too big, though. Maybe Allstate? Allstate's my insurance provider, let's look at that one. You can see allstate.com comes up because, yeah, I had to go pay my insurance bill yesterday; this is the one I don't have on direct deposit or

automatic payments, right. So we already have a domain name. The nice thing is most organizations have at least one main domain name that they focus on, because that's their point of presence to everyone in the world on the internet. It's probably in social media; there's probably @allstate.com everywhere, on all the social media platforms, and all of the employee email addresses probably come from something@allstate.com. Now it doesn't mean that there aren't other domains out there; it just means that this is going to be our starting place. Like Fluor: if you look, my email address is at fluor.com, but we actually have a lot of other domains that we use,

like fdnet.com would be one that you would see if you perform reconnaissance against Fluor. That's a very popular domain for us to use on those external-facing systems, but again, it's not one you're going to know about unless you're doing the reconnaissance itself. And it's not Charter yet; the ISPs can be tricky because you have the corporation and then you have the actual internet backbone that they're responsible for and handing out, so for these types of conversations it gets a little bit tricky. That's why I decided not to go there. But yeah, we're going to start with the main domain, and I know Allstate's not

that exciting, but we're looking for... we know allstate.com is going to be used for employees; again, it's that main starting point. Keep in the back of your mind there could be other domains out there, and we want to also perform reconnaissance against those as we find them, but we'll focus, as a starting point, on the main domain itself. DNSlytics is a tool that I use a lot, whether it's in reconnaissance or in incident detection and response, where I want to find out, oh, here's an IP address that looks like it's attacking me, or maybe I have an outbound connection to an IP

address and I wonder what the heck that is; then I'll use DNSlytics. So let's go ahead and use DNSlytics, and probably some of you, if you have other sites out there that you use, definitely throw them into the chat channel, which is great. In this case we'll do allstate.com and just click search. This is a starting point; we'll come back to DNSlytics for a couple of different things, because you can see in the search field they can actually take domain names, IP addresses, version 4 versus 6, and then autonomous system numbers, which we're also going to be

talking about. You can see that, okay, we found allstate.com; it's actually a fairly popular website on the internet, a fairly large company with a lot of users or a lot of clients. Then we can start looking at some of their DNS records. Do me a favor and use the Discord and not the Zoom chat, especially once I get into the demos. So we can see the A records and then the AAAA records. What's the AAAA record for? Anybody want to throw it in Discord for a giveaway prize?

Yeah, it's IP version 6. Don't put a question mark, though; say it with conviction. Yeah, it's for IPv6. A single IPv4 address is 32 bits long, and IPv6 is four times as long, so they thought they were being funny and made it quadruple A. Like, okay, I get it. Anyways, so we see a couple of records, and basically it's just saying, oh, this 167 address is probably their main website. The nice thing about DNSlytics is it says, hey, there's two different domains that are hosted on or associated with that IP address, and you can see, oh yeah, there's allstate.com, which is that

main starting point, and now we've already found another domain that we want to look at, because here's one called allstate emarketing.com. That's something we didn't know about 30 seconds ago, and it's another domain that we can do further reconnaissance on and find out more information, because it could lead to other systems, and those systems could lead to services, and those services and applications could lead to vulnerabilities, and those vulnerabilities are what could lead us to gaining access to their network. So that's one of the great features of DNSlytics. I love DNSlytics; we even have a paid user account, in fact I think I have to renew it, but

we can see, sure, there's the DNS servers for Allstate. Now this is an interesting thing we're already seeing that we're going to come back and talk about; I don't want to jump too far ahead. Then we see the MX records, right, so these are mail servers. If you're sending to anybody at allstate.com, you're sending to these IP addresses, but it's not servers hosted directly on the Allstate network, because you see it's actually going through Proofpoint, so they're using Proofpoint for email security. Then you can find some whois information down below, so you can see who it's registered to. You can see there's some email addresses,

this DSA, like dnsadmin at allstate.com, there's a phone number, here's an address. So we could probably look at, is this the same address as Allstate's corporate headquarters address? I think if you just search Allstate, it will actually pop up their headquarters, and you can actually see, is this going to be a match for their corporate headquarters, which is going to be more important a little bit later on in our conversation. This looks... I don't know if we actually got it; usually they actually give you the address. Let's search the address for Allstate

headquarters. Okay, so 2775 Sanders, and we have 3075 Sanders, so we're in the right neighborhood, so yeah, it's definitely associated with Allstate. Again, there is a reason we're going to come back and want to try to physically tie in the IP addresses and the domain names to those locations. So we have the domain name, we started to find other domain names, and we started to find physical locations associated with these domains. Ideally, then, we're going to start working with IP addresses as well, and those IP addresses can also be part of autonomous system numbers, which we're going to talk about

if you're not familiar with the concept. All right, so we talked about reverse IP lookups, where it found other domains. Here's the example for Fluor, where we might have 50 domains on a single IP address. Now let's look at another favorite tool, DNS Dumpster. I didn't come across this until, I don't know, probably two and a half years ago, and I couldn't believe I hadn't heard about it before then. It's actually created by the folks at HackerTarget. So we can go back and put in allstate.com as our target domain, and you can see it takes all of a few seconds to come back and create a

list of, well, here's a hundred hosts that we found, and then, oh, we found a couple of hosts in Proofpoint, which we already saw earlier. So we see again there's the DNS records, we see their mail records pointing to Proofpoint, we see a bunch of TXT records. A lot of times the TXT records, if anything, can show relationships between one company and other companies. So you can see Flexera is a product, so they use Flexera, probably FlexNet, in some way, shape or form; there's some tie-in with Apple; and so on and so

forth. I think they use Webex. So we have a lot of tie-ins with TXT records; they're not necessarily what we're looking for there, but it's all important information to have. What we're looking for from DNS Dumpster really is the host records, and we want to look for patterns as we're going through the page, not only patterns in the host names, and potentially other domain names, but also the IP addresses on the right-hand side and the autonomous system. Now they're not showing us the number, but they're showing us the name that's associated with that autonomous system number, which again we're going to come back and talk about in just one sec.

But as I'm scrolling through, the idea is I already see a pretty obvious pattern here, which is what? Yeah, I see Allstate Insurance Company, right; everything ends in allstate.com. But what's in particular about the IP addresses? They're all part of the same subnet. Yeah, they're all part of the same subnet. In this case you can see there's 167.127.142, there's 167.127., so it looks like everything's starting with 167.127. So they might, especially as a large company, have a full class B range, but we can check that. Let's just take one of these IP addresses, go back to DNSlytics, which I'll go ahead and open up in a different window,

do a search, and then we go back to the whois information. The great thing about the whois is it not only tells us, sure, it's registered with this party, but it actually tells us here's the net range that's associated with the ISP, and here in particular is the range that is assigned to the company. So yeah, Allstate has an entire class B address, so you can have over 64,000 IP addresses that are possible in this range. This is just like Fluor; we actually have a class B. Anytime you see anything that starts with 141.197, that's going to be Fluor. So we're going to take this IP range that we've confirmed

and just copy that for now, because we know anything in that range is associated with Allstate. The kicker is, now let's see if we keep scrolling through the Allstate records. Allstate actually is probably an interesting case study, because what we kind of get into is this idea that everything that we see so far, except for their mail servers, or we should say the email gateway that's hosted at Proofpoint, it looks like everything else is hosted on the actual Allstate network. Now there are going to be other hosts that are out there, and more than likely there are, because you can see by default Hacker

Target will only give you 100 records in DNS Dumpster. Now the really cool thing is, if you have used tools like Recon-ng, Recon-ng has a plugin for HackerTarget, and if you use it and do the same query for allstate.com, it'll actually give you up to 500 hosts. If you want more than that, you have to pay for it. So I guess I didn't stipulate: the whole point of the QuickStart Recon process is also using free resources, so we don't have to pay for any tools. But in this case you can see that we have all of these resources that appear,

again on the surface, to all be hosted on the Allstate network. I don't see any other cloud-hosted services, like a website that might be hosted the way Fluor hosts our main website at Akamai. If somebody wanted to break into the Fluor network, are they really going to target a web server hosted in Akamai? Probably not. They want to find those resources that are exposed and connected directly to the target network. So all of these could be, again on the surface, these all look like they're attached to the Allstate network, and that's partly reconfirmed by what we call this autonomous system number. I want to go back and look at

this real quick, because you can see, oh well, here's Akamai and it has this ASN called 20940, or yeah, Allstate has an ASN called AS11520. The thing is, and you see Fluor has an autonomous system number, think of a company like Fluor: we're a global organization, we have IP addresses all around the world, we have 250 firewalls alone spread out around the world, and most of them are in the 141.197 range, but then there's others that are also in another range. So what we can do is say, hey, all of these IP addresses from all these different subnets belong to this one company called Fluor, and so we pull them all together in one

autonomous system number, just at a high level for reconnaissance purposes right now. So when we look at that ASN that's specific to Allstate, any IP addresses or domain names that are associated with this autonomous system number belong to our friends at Allstate. So then you can go back, and now look at what we're finding: we're not only finding IP subnet ranges that we saw earlier, like 167.127, but hey, we see 12.26.124 and now it's listed as Answer Financial. So then it's like, well, what's the tie-in there? That would be something worth investigating. We see Allstate, Allstate, Allstate, Allstate, seeing if we see anything new,

oh, there's Answer Financial again, American Heritage Life. Is there a connection, or maybe this is DNSlytics just screwing up? But there's probably a connection somewhere that we need to verify. Let's verify that Answer Financial is in the same autonomous system number, and it looks like it is. So if we look up that company, there's probably some connection to Allstate Insurance, so it could be another target for us in our penetration test. If your client didn't give it to you as a target, though, make sure you get authorization from them before you start targeting them in your attack. But

all right, I just want to make sure we're on track for time as well. So DNS Dumpster is a great utility, right, so we can look for patterns. It'll also identify if there's cloud-hosted resources that use an allstate.com domain, sure. Then we can start looking at all the host names themselves, and you can see like vap 0120, interesting; there's some naming convention there that we haven't figured out yet, because then we see that 0130, that 1240, right, they obviously mean something. We see sbc lab test 40. We'd love to see lab or test

connected to the internet, because chances are those systems aren't as up to date as production systems. We see OWA blah blah blah; OWA, we typically start thinking of Outlook Web Access, right, and maybe it is, maybe it's not. But then you can also see there's an SRO, there's an SHU, and then Pull, so maybe those are location names or indicators; there's a pattern there, then we just have to decipher it. GD11, gateway maybe, maybe it's a VPN appliance. There's lots of interesting scenarios that we come up to see. Then we also see some other names, we can sometimes also see, oh,

there's a web server exposed, and then, oh, here's an operating system or web server exposed. We see there's a BIG-IP. Let's see what else, if there's any other more interesting findings here. Oh, there's nginx for s3.allstate.com, so that could bear further investigation. Here's smtp3, a mail server probably, so after your email that you're sending to Allstate goes through Proofpoint, it's probably coming to one of these mail servers like smtp3, which is hosted on the Allstate network, again, at least it appears to be hosted on the Allstate network. And so on and so forth. So again we're looking for those,

looking for those interesting names that would make interesting targets, because it's all about finding those hosts, to find the services and applications running on those hosts, to then find vulnerabilities in those applications and services to exploit to gain access. So again, we got a hundred, and again, that gave us a lot. If anything, from this at a very high level we found, yeah, we had 197, or 167.127. So the next place we would actually go, then, is one of my favorite places to go in the world, which is Shodan. We can log in, and once you have even a basic free account, we can do a search for a netblock

like we found Allstate has everything in 167.127, so we're telling Shodan, show me everything you know of in this range, because Shodan, if you're not familiar, scans the entire internet. Now they only scan it for a couple of dozen ports, so they're not looking for all 65,535 TCP ports, which would take forever, but they're scanning for a couple of dozen ports. So you can see in that one range that we were looking at, it found 1,224 hosts. So do you think, as a penetration tester or as an attacker, if I had 1,224 hosts to choose from, we could find a vulnerability to exploit in that many hosts? Probably, right? Chances are, I mean, it's

just a very large environment with a lot of hosts exposed to the internet. The nice thing about Shodan is you can see it even gives us a breakdown of those top ports, and you can click on the more, and it says, oh okay, we see 765 web servers running HTTPS, there's 444 non-encrypted web servers, so that could be of interest, and there's probably a lot of overlap; a lot of these could redirect to encrypted versions. We could see four mail servers, four DNS servers, three SSH. Are those admin interfaces that are exposed to the internet? Or maybe, like, we got written up for a pen test one time that said we had an

SSH interface to the internet, but they didn't look at it closely enough; it was actually an SFTP server that was exposed. But so, something that we would look at: there's FTP, probably clear-text, plain-text FTP servers, and then there's also two sites running on 8443, one of those alternate web server ports, so those would also be of interest for us to look at and see, hey, what's here. We also see it gives us the products, or the web servers that are running those different websites, so we can look for things like older web servers that might

not have been patched, and we can start looking through the results to see if there's anything of interest that pops out, again looking for patterns, looking for keywords or names. I might look at this: well, what the heck is this? Life Fortress ES login sounds kind of interesting, so that might be something that's very relevant as an attacker. I can see, oh, it's an ASP.NET page, so it's going to be running, you can see, IIS 10, so it's fairly up to date, but it still could be a web application I could target. And Shodan does this great job: it also pulls down the SSL certificate on

any encrypted sites, so now we see here's the certificate information, and now we see, oh yeah, here's the name for the site on the certificate. We see all app client dot, and now, right, allstateatwork.com. So now there's another domain, and so then it just becomes a cyclic process. We can go back to DNS Dumpster and take allstateatwork.com and run that search, and then see how many resources: wow, there's like 25 that are out there. We can see, oh yeah, there's qc, so probably quality control; that's another one, like putting a lab or test environment

on the internet; perf, maybe like performance. And then normally we have perf.allstateatwork.com, but now we have perf dot easy bill online dot... no, allstatebenefits.com. So there's another domain, and so on and so forth. So again, especially with those large companies, we never probably ever run out of things to test; we just run out of time. That's why we like to use the larger companies, and probably the less exciting companies, to do reconnaissance from, at least to learn the first time. We can see here, in this case, it looks like, oh, there's an FTP

server that's running at this IP address, and it even tells us in the banner the type of FTP server; it looks like it's Robo-FTP version 3.5. So that might be something that we go to Google and just type in the software and exploit to see, is there... this is not Robo, so we have to make sure it includes that... is there a vulnerability associated with this software? Sometimes as attackers or pen testers we get lucky and we find an exploit that we can use. It doesn't look like there is for that software, so good for Allstate,

otherwise we'd probably have to send them an email. So that's a whole part about this reconnaissance process, using just a few tools to find all the different resources we have exposed to the internet. We should do this for our own companies, if anything to define what the attackers are looking at. We don't have a way, almost ever, to know if attackers are doing reconnaissance against our company. I don't know if somebody's using Google to find out information about Fluor, but at the same time, I'll see what information about Fluor is exposed to Google. One time, one of the common queries we do is Fluor

confidential filetype:pdf, and what we found out was one of our potential clients that we had sent a 100-page proposal, with engineering diagrams and the proposed cost for this project, which was hundreds of millions of dollars, had actually posted it in a directory on their company website that was actually being indexed by Google, along with all the other proposals from all the other companies bidding for that work. Like, oops. Or again, going back to Chris's presentation talking about ransomware, the attackers are always continually looking for systems that are exposed to the internet and aren't protected and are

connected to your network, like all of these are connected to the Allstate network, it appears. All I have to do as an attacker is break into one of these systems, and then I have access to that entire network, and I get ransomware on one and ransomware on the other. Or now they'll get on the network, they'll sit on one machine, stealthily gain access to the other one without deploying ransomware; they're looking for the data, copying the data, exfiltrating the data, and then installing ransomware. And then if you don't pay them for the decryption key, they come back and say, oh yeah, well, we also stole all of your information, here's some samples, and

if you don't want us to publish it to the entire internet, you still need to pay us. It's just that evolving conversation. So we have to find out for ourselves what we have, or again, if we're an organization and we're not performing this type of work, and they're performing their reconnaissance against us, you need to invest and pay someone like a pen testing consultant to come in and do this for you, to understand where your exposures are and get those items fixed. Find the issues before the attackers do and get them fixed; I would say find the issues before the attackers or the auditors do, and get them fixed for sure.

The other thing, just to mention, just to kind of wrap up, that's interesting: if you haven't seen Shodan before, they also have an Images section. So as they index the entire internet, you can see the two common things that pop up. Well, here's Remote Desktop, which gives us a lot of great information, because we can see things like, if we pull up one of these, right, we see the... oh, that's not the one that they had indexed. You can see things like, or maybe it was, I just clicked on it. You can see names, right, of users. Sometimes you can also see domain names, right? Some of these you can see like 50 different accounts, which are

which are crazy. And then you see webcams, and if you want to limit it you can actually do something like, oh, just HTTP, so that's going to be like all the webcams, and so you can see crazy things, right? So maybe somebody at, you know, they have... maybe this almost looks like a pharmacy, right, and so they have a camera watching, maybe they don't trust the people behind the desk, right? So here's an interesting one at somebody's apartment or maybe office, right? I love when they have like the cameras where there's, you know, multiple cameras that you can look at from one interface. And the number of webcams is just exploding, because another thing I was

maybe some type of industrial control environment, right? Here's some pylons you can see for offshore wind turbines, right? You could... the other thing I'm always looking for is, you can also find industrial control systems, going back to our earlier talk, that are actually exposed to the internet, where they have web page interfaces where you can control them, that are exposed. Used to see them all the time. You don't see them; it could take a while to find one, not because they're being removed from the internet, it's just because the number of webcams is exploding. Here's one. But so not only do we have all these webcams, and you can see, oh, here's a church,

right, or maybe that's a synagogue or a mosque, right, but it's some, you know, some type of place of worship, right? Or someone's bedroom, that's always scary. But, and then, yeah, concerning is: what is this HMI doing connected to the internet? And even if it's in only read-only mode, I mean, is that a good thing to have exposed? Especially when I see things like oven control. I mean, this could be an oven, maybe this is just that Panera Bread, right? Or what if this oven, right, is, you know, an oven that's five stories tall? There's a difference, but from a control perspective it looks the same. It's really interesting to see all the

things that we can find on the internet, especially through Shodan, right? Oh, and it also has Remote Desktop open, great. So this is an interesting one, I would love to do a little bit more research on this one. But hopefully you get an idea: with that QuickStart Recon process, we can use just a simple couple of sites, like, or starting with a main target site and using tools like DNSDumpster and DNSlytics and Shodan, to find all the interesting hosts and services that are exposed to the internet, because those are the hosts and the services that the attackers are looking for, and we have to assume they're out there targeting us,

and so we need to find those issues and those vulnerabilities before they do. I appreciate everybody for hanging out and taking the time to sit through the talk. I know we actually don't have a speaking slot in the position, so I do have... there's time for a couple questions if anybody has any questions. I haven't been keeping an eye on the track, but I appreciate it again, everybody, for taking the time. So, all right, so with that we'll call it an end, at least temporarily, for track one, and then I'll definitely encourage you guys to go check out the talks in track two, where we have

PowerShell's Return to Power, and in the governance track, track 3, there's Mr. Kirby talking about using PCI as a general cybersecurity framework, which I think is a great idea, which I've preached about for many years, because especially for small and medium-sized businesses it's a great platform for being able to, you know, allow those companies to get up and running with a cybersecurity program in a very, probably, simple, straightforward way. So a couple other great talks. So thanks, everybody, and hopefully we'll, you know, one of the other tracks, we'll see you back here for the ransomware round table that will wrap up, and then hopefully over at

Tipsy Taco, if you guys are in the area. So thank you again, and we'll see you guys over there. All right, bye.

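The triage step the talk describes, pulling a target's exposed hosts out of Shodan and looking first at Remote Desktop, webcams and HMIs, written out as an added example. This is not code from Michael Holcomb's talk or slides. The host records are constructed to resemble the JSON that Shodan's host search returns (ip_str, port, hostnames, org, product, data) and are not real scan data; the RDP banner text approximates the NTLM info block Shodan prints for RDP endpoints, so treat its exact field spelling as an assumption. The search-filter names in build_queries (hostname:, org:, port:, has_screenshot:) are real Shodan filters; the target domain and organisation name are placeholders.

```python
"""Quick-start triage of Shodan-style host records (added example, not from the talk)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports the talk singles out as what attackers go after first: RDP, VNC, ICS
# protocols, cameras and legacy clear-text services. Port -> (label, severity 1..3).
QUICK_WIN_PORTS = {
    3389: ("rdp", 3), 5900: ("vnc", 3), 23: ("telnet", 3),
    502: ("modbus", 3), 44818: ("ethernet-ip", 3), 20000: ("dnp3", 3),
    554: ("rtsp-camera", 2), 21: ("ftp", 2),
}

# Banner keywords that mark an HMI or a webcam sitting behind an ordinary web port.
BANNER_MARKERS = (
    (re.compile(r"\b(hmi|scada|plc|webvisu)\b", re.I), "ics-web", 3),
    (re.compile(r"\b(webcam|netcam|ipcam|camera)\b", re.I), "webcam", 2),
)

# Fields of the NTLM info block Shodan shows for RDP (format assumed; see lead-in).
NTLM_DNS_DOMAIN = re.compile(r"DNS[ _]Domain[ _]Name:\s*(\S+)", re.I)
NTLM_COMPUTER = re.compile(r"NetBIOS[ _]Computer[ _]Name:\s*(\S+)", re.I)


@dataclass
class Finding:
    ip: str
    port: int
    label: str
    severity: int
    in_scope: bool   # tied to the target by hostname or org, i.e. "connected to their network"
    detail: str


def build_queries(domain: str, org: str) -> List[str]:
    """Shodan search strings for the first pass; has_screenshot:true is the Images view."""
    return [
        f"hostname:{domain}",
        f'org:"{org}"',
        f'org:"{org}" port:3389',
        f'org:"{org}" has_screenshot:true',
    ]


def _in_scope(rec: Dict, domain: str, org: str) -> bool:
    hosts = rec.get("hostnames") or []
    by_name = any(h == domain or h.endswith("." + domain) for h in hosts)
    by_org = (rec.get("org") or "").lower() == org.lower()
    return by_name or by_org


def classify(rec: Dict, domain: str, org: str) -> Optional[Finding]:
    """Turn one Shodan-style record into a Finding, or None if it is not a quick win."""
    port = int(rec.get("port", 0))
    banner = rec.get("data") or ""
    label, severity = QUICK_WIN_PORTS.get(port, (None, 0))
    if label is None:
        for pattern, marker_label, marker_sev in BANNER_MARKERS:
            if pattern.search(banner):
                label, severity = marker_label, marker_sev
                break
    if label is None:
        return None
    detail = (rec.get("product") or "").strip()
    if label == "rdp":
        # The NTLM block leaks the internal AD domain and host name: the
        # "names and domain names" the talk points at in RDP screenshots.
        dom = NTLM_DNS_DOMAIN.search(banner)
        host = NTLM_COMPUTER.search(banner)
        if dom:
            detail = f"AD domain {dom.group(1)}" + (f", host {host.group(1)}" if host else "")
    return Finding(rec["ip_str"], port, label, severity, _in_scope(rec, domain, org), detail)


def triage(records: List[Dict], domain: str, org: str) -> List[Finding]:
    """Classify every record; highest severity first, in-scope before out-of-scope, then by IP."""
    findings = [f for f in (classify(r, domain, org) for r in records) if f]
    findings.sort(key=lambda f: (-f.severity, not f.in_scope, ipaddress.ip_address(f.ip)))
    return findings


# Constructed sample records (not real scan data) in the shape of Shodan host-search JSON.
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 3389, "hostnames": ["vpn.example.com"], "org": "Example Corp",
     "product": "Remote Desktop Protocol",
     "data": "Remote Desktop Protocol NTLM Info:\n  OS: Windows Server 2019\n"
             "  NetBIOS Computer Name: DC01\n  DNS Domain Name: corp.example.com\n"},
    {"ip_str": "203.0.113.11", "port": 80, "hostnames": [], "org": "Example Corp", "product": "Boa HTTPd",
     "data": "HTTP/1.1 200 OK\r\nServer: Boa/0.94\r\n\r\n<title>IP Camera</title>"},
    {"ip_str": "203.0.113.12", "port": 502, "hostnames": [], "org": "Example Corp", "product": "Modbus",
     "data": "Modbus/TCP\nUnit ID: 1\n"},
    {"ip_str": "203.0.113.13", "port": 443, "hostnames": ["plant.example.com"], "org": "Example Corp",
     "product": "", "data": "HTTP/1.1 200 OK\r\n\r\n<title>Plant HMI Login</title>"},
    {"ip_str": "203.0.113.14", "port": 80, "hostnames": ["www.example.com"], "org": "Example Corp",
     "product": "nginx", "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
]

if __name__ == "__main__":
    for q in build_queries("example.com", "Example Corp"):
        print("query:", q)
    for f in triage(SAMPLE_RECORDS, "example.com", "Example Corp"):
        print(f"{f.severity} {f.ip}:{f.port} {f.label:<12} scope={f.in_scope} {f.detail}")
```

Against a real Shodan export you would feed the `matches` array of the host-search response into triage() unchanged. The ordering puts the items the talk says attackers hit first at the top, the in_scope flag answers the "is this really connected to their network" question before you spend time on a host, and the NTLM parse turns an RDP screenshot's domain leak into a field you can grep across the whole result set.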