The reconnaissance phase: I can see you but you can't see me. So as we look at the hacker's methodology, you remember that the first step we have is reconnaissance, and we talked about the fact that we spend about eighty to ninety percent of our time in this phase before we actually begin our exploitation. During phase one we're going to perform reconnaissance; this is our systematic attempt to locate, gather, identify, and record information about our target. This is also known as footprinting, and this is a passive collection technique. We'll do things like using open source research and internet searches like Google; we'll use social engineering, dumpster diving, and email harvesting to collect as much information as we can about the organization before we start targeting the organization for an actual exploit. So what types of information are we desiring?
Well, we're going to gather any information we can, but the things we're really focused on are things like phone numbers, contact names, email addresses, security related information, information systems that are being utilized (things like knowing whether they're using Windows or Linux), job postings, and resumes. So job postings and resumes may seem like an odd thing to collect, but the reason why we collect job postings is that there's a lot of information that we'll find there. For instance, if I was going after this company, Technical Innovations, I look at some of their job postings. In this one there's a system administrator job, and I start looking at the knowledge, skills, and abilities. They're looking for somebody who has 2000 or 2003 Microsoft certifications. That tells me they're probably running Windows Server 2000 or Windows Server 2003, opening up a whole world of exploits to me. They're using Unix or Linux and HP blade systems; again, that's information that we can find useful as we go through our exploitation.
Further down we see again, there's Windows Servers. They keep popping up: Windows Workstations, Windows Servers. That's going to help me start mapping out what that network might look like, so I can start figuring out what kind of attacks I want to generate. And finally they mentioned shift work is required. Now what does that tell me as an attacker? Well, if shift work is required, that means that there's people in the building most likely 24 hours a day. So if I was going to try to break in from a physical standpoint, doing it in the overnight hours may not be as effective as I thought it might be. Because they're doing shift work, there's people there, and people can therefore catch me, so I want to be more careful when I do that, and I'll have to start developing that pattern of life a little bit better, so I know when the shift changes happen, and when people are or are not at work. Some places only work two shifts, in which case they might work 16 hours of the day, leaving eight hours exposed. Others work shift work where there's 24-hour coverage.
These are the things we have to figure out by looking at that pattern of life before we start an exploit, because one of the exploits we can do is actually doing physical break-ins, if that's within the scope of our assessment. So the second thing we're going to look at here is resumes. Now resumes may be helpful for a couple of reasons. One is if I'm searching for the name of a company and I pull up somebody's resume, I may find an employee who used to work there who may not be happy with their job. I can find out information from them. Secondly, I can look at the type of skills of the people that they've hired before, so while I look at this professional summary and the technical proficiency, that's interesting but not necessarily too helpful, but when I get to the second page of his resume I can see that he has his professional experience and education and training. In this case I can see that ABC Energy Company, that he worked at, hired him as a Linux system administrator.
He had over 200 Linux systems, he had Red Hat and SUSE Linux; that's going to help me narrow down my scope of exploitation. Additionally, they use VMware, so that tells me that they're using virtualized environments. So, even if I break into a single box, I'm going to find a way to break out of that box and into the other boxes, and that can be difficult. So these are things I want to start looking at. Additionally he did a migration effort of Windows servers over to Red Hat version 4. Now I know the exact version that they were running, at least during the time he was there. And as you can see in the resume, he is presently employed there, so that would tell me something else. He also has incorporated that into a Windows Server 2003 Active Directory domain. So again, as I'm attacking, I go "Oh, he's got Windows Server 2003, let me look at exploits that can break those vulnerabilities." The next thing I see is that he's using Citrix MetaFrame.
So with Citrix that's another client that we will be using, and we can sort of target vulnerabilities against Citrix, if we couldn't get in through Windows or Linux. Lots of different options as I go through this guy's resume and figure out where those vulnerabilities are for this organization. So what are some tools we use in reconnaissance? Well, there's lots of tools that exist. We can use things like nslookup, traceroute, ping, whois, Domain Dossier, Email Dossier, Google, social networking, Discover, and Maltego, just to name a few. I'm going to briefly talk about each of these as we keep going, and in our labs we're going to actually play with a couple of these tools as we do a mock reconnaissance phase. The first one we're going to talk about is nslookup. Now nslookup stands for name server lookup, and it resolves a fully qualified domain name to an IP address. For example, if you have my website named JasonDion.com, computers don't understand that; they understand numbers.
So if I did an nslookup of JasonDion.com, I'll get back the IP address of my server, in this case 205.172.19.193. This is what we call non-interactive mode. I give it the command and I give it the website, and it will give me the information back. There is also an interactive mode. In interactive mode, you just type nslookup and then hit enter. This brings you up into the interactive mode. At this point you can set certain types and modifiers. For example, on the screen here you see I set type to MX; that stands for mail records. By doing this I can search for the mail records associated with youtube.com, and as you see there I got those mail exchangers displayed to the screen. So as I mentioned, there's a lot of different options for nslookup. If you want to learn more about it, I'd recommend going and searching nslookup on the web; you'll get all the details you'll need. For the ethical hacker exam, you will have to know several of these modifiers.
For our reconnaissance efforts, because we're going to be limited in scope in our reconnaissance, because we're using a virtualized lab, you won't need to know these in depth. Now another thing I want to mention here is, when you do nslookup you're actually doing a lookup from your attack platform, in our case Kali Linux, to a DNS server to get that information. Again, if you want to do this anonymously, there's lots of good tools out on the web. One of my favorites is centralops.net. We'll play with that during our labs as well. And this will help us remain passive longer during our reconnaissance phase. So if we use centralops.net, here's an example of what that would look like. You fill in the blanks on the web page, you hit go, and on the right side you'll see our answers came back. You can see that for JasonDion.com I was able to find the A record, which is its address, their IP address. I also found its name servers, which can help me if I'm going to do a DNS attack, and I found its mail servers as well.
The next tool we're going to talk about is traceroute. And traceroute displays the path between your device, our Kali workstation, and the destination IP address, showing each router hop along the way. So every time I find a router or a firewall, it's going to display that route. For instance, if you do traceroute and the IP address, you'll get those routes in between. If you do traceroute and the domain name, such as google.com, you'll be able to see all the routers and firewalls between your computer and google.com. So the way traceroute works is it's going to increase your time to live every time you send out a packet. So it's going to send out three packets with a time to live of one. It'll go one hop, and then fail, and send back an error message. Then it will send out the next three packets with a time to live of two. They'll go two hops, and report back with an error message, and it will keep doing this until it reaches the destination.
This allows it to know exactly how many hops it takes, how long each hop takes to get there, and which route it took through the network. Each time a packet passes through a host, a router, or a firewall, it will decrease the time to live by one and forward the packet on. When that reaches a time-to-live of zero, it will actually produce a type 11 error, and that packet will be sent back to the sender. Now, as it does this, and it goes through all of the hops, it's collecting all of this data back with the time to live, and it will combine that into the report for you to see. Three timestamp values are returned for each host along the path, and this is actually the delay, the latency it takes, so you can actually determine how long it took to get from my computer all the way to Google, and the particular route it took. Now, what does latency tell you? It can tell you what kind of connection that people have. So for instance, if they have a dial-up modem, I know this is really old, but some places still do, you'll have a longer latency, 100 to 150 milliseconds.
If you have cellular, it's somewhere around 50 to 150 milliseconds. If using satellite, you'll have very high latency, around six to seven hundred milliseconds. If using fiber-optic, it will be very low latency, 5 to 40 milliseconds, so you'll be able to tell that as you're doing this traceroute, and it can start giving me some more information about the victim that you're going after. And here's just an example of what a traceroute output looks like. So for instance here you see traceroute JasonDion.com; you'll see the first gateway 10.0.2.2, you'll see a couple of series of stars, that's usually a firewall that's not reporting back, but it knows there's something there, and then it continues on through all of the routers, in this case starting at Hawaii.RR.com, and going all the way down to unifiedlayer.com, which is my hosting provider. Again, going back to centralops.net, they have great tools for us; we can do the same traceroute out there, and again that keeps us at that arm's reach.
We're not actually touching the server; we're doing it from centralops' server to the victim, not from our computer to the victim in this case. Next, we're going to talk about ping. And ping is actually used to check the IP connectivity between two network devices. And we often use this in network troubleshooting, but we can also use it in our hacking efforts. So with Linux, ping is actually gonna go until it's terminated. When you use it on Windows, it only does a count of four. So we can do ping and the domain name, or ping and the IP address, and it will start telling us: is that distant end up? We use this often in what's called a ping sweep, where we'll start pinging an entire range of networks to find out who is up and who is down in that range of IP addresses. Here's an example where I'm pinging again my server, JasonDion.com. I did it for a count of six and you'll see that it responded. It sent out 64 bytes each time.
It responded back with the IP address, and the time-to-live decreased by one, and the time of how long it took, in this case about ninety nine milliseconds. And once again, we can go back to central ops and do this from an arm's length distance. We can do it the same way: we'll tell it the domain we want to go to or the IP address, how long to wait for a timeout, how many hops is too many, how many packets to send, and the data size. It will take that information and pop back the display as you see on the right of your screen. The next tool we have is what's called whois. And what whois does is it provides information on the domain name owner. So we can get things like the server address, the owner's name, their physical address, their phone numbers, and how to contact them. Why might this be helpful to us? We can use this to develop a successful social engineering attack against them. For example, if we know who their web hosting provider is, we can craft an email to the owner of the domain that says "your website domain is going to expire, click here to renew."
If they click there, we can use that as a way to get into their networks. So here's just a simple whois command: whois JasonDion.com, and up it pops with the information. It tells me the name servers, and some basic information such as when it does expire. If I want to get more details I would go to internic.net, and I can put in the domain name there, or again we can go to central ops. And central ops has what's called a Domain Dossier. Domain Dossier will actually give us the whois record for the domain and the network, the DNS records like we talked about before, and the traceroute, which we talked about before, and in addition a service scan. We can run all of these from central ops' server, keeping us more anonymous. There's also another function there called the Email Dossier. And the Email Dossier is actually going to provide us those mail records we looked up before. It'll do email address validation for us, and we can get the IP and server addresses for those emails, as well as an SMTP connection log. So in this example I have titancipher@gmail.com.
This 362 00:11:39,110 --> 00:11:40,610 is an email I use with a lot of hacking 363 00:11:40,610 --> 00:11:42,170 competitions from our students. If you 364 00:11:42,170 --> 00:11:44,060 notice here, we can go in there, click go, 365 00:11:44,060 --> 00:11:45,890 and we'll see what we get. In this case 366 00:11:45,890 --> 00:11:48,170 we see that it has a confidence rating of 367 00:11:48,170 --> 00:11:49,970 three which says that this passed a 368 00:11:49,970 --> 00:11:51,920 validation of the email. It is a real 369 00:11:51,920 --> 00:11:54,080 email address. We could see the MX 370 00:11:54,080 --> 00:11:55,340 records, and then on the right side 371 00:11:55,340 --> 00:11:57,350 you'll see the SMTP session, where the 372 00:11:57,350 --> 00:11:58,670 server from central ops actually 373 00:11:58,670 --> 00:12:01,100 talked to Google server to validate that 374 00:12:01,100 --> 00:12:03,350 that was a good email address. And you 375 00:12:03,350 --> 00:12:04,610 can see the commands that were run there. 376 00:12:04,610 --> 00:12:07,610 Another wonderful resource we have is 377 00:12:07,610 --> 00:12:09,260 Google. Now I know this seems like it's 378 00:12:09,260 --> 00:12:11,270 obvious, but there's a lot of information 379 00:12:11,270 --> 00:12:12,740 on the internet that's just open source. 380 00:12:12,740 --> 00:12:14,600 We can use Google to search press 381 00:12:14,600 --> 00:12:16,100 releases, corporate websites, and 382 00:12:16,100 --> 00:12:18,020 everything else at once, and the way you 383 00:12:18,020 --> 00:12:19,550 craft your commands in Google can really 384 00:12:19,550 --> 00:12:21,350 help you become more efficient as you 385 00:12:21,350 --> 00:12:23,240 search for this information. 
There have been numerous books written about Google hacking, including adding things like the file types, or adding or subtracting keywords using pluses and minuses and AND operators and OR operators. There's lots of ways to do what we call Google hacking and just getting a really good, well crafted search so that you can find the information you want quickly. What can we find through Google? Well, let's take an example of a PowerPoint file or an Excel file. I can search for that company name and a file type of xls; that'll pop back every spreadsheet that it can find in Google. I can take one of those, embed malware, and send it out to an employee as part of a spear phishing campaign. It's going to look legitimate because it was a real file from the company, and it has real information from the company, but I gave them just a little something extra, which is how I can get myself into the network. Social media: so we all love our social media, but it is truly a treasure trove of information.
We have things like Facebook, LinkedIn, Google+, Twitter, Pinterest, Tumblr, and many others. This is really useful in doing social engineering campaigns and spear phishing campaigns against employees, and we can really target who we want. For example, if I can find out that the receptionist has a child at a particular middle school, I can send emails crafted as if I'm from the middle school. If I go to LinkedIn, I can find resumes and history. If I go to Google+, I might find some things about what people like to do in their off time, and I can use that to create patterns of life. Again, these are all different ways that we can start getting more and more information to figure out how we want to attack this network. One of the tools we're going to use in our lab is what's called creepy. And what creepy allows us to do is go after networks like Google+ and Twitter. We can actually put in a username or keywords, and it will find the tweets and the Google+ entries associated with those.
For 437 00:14:03,500 --> 00:14:05,029 example, we're going to use Titancipher, 438 00:14:05,029 --> 00:14:06,470 which again is that made up account that 439 00:14:06,470 --> 00:14:07,970 I have, and where there's a twitter 440 00:14:07,970 --> 00:14:09,800 account associated with it. We can go and 441 00:14:09,800 --> 00:14:11,420 pull all of the tweets that that person has 442 00:14:11,420 --> 00:14:13,339 made, we can geo locate them and start 443 00:14:13,339 --> 00:14:15,080 establishing pattern of life, time of day, 444 00:14:15,080 --> 00:14:17,270 and where they are, and what they do. The 445 00:14:17,270 --> 00:14:18,890 next tool is one that comes inside of 446 00:14:18,890 --> 00:14:20,960 Kali Linux. It's stored in the scripts 447 00:14:20,960 --> 00:14:23,300 folder, and it is a tool written by Lee 448 00:14:23,300 --> 00:14:25,400 Baird, it's called Discover. Discover 449 00:14:25,400 --> 00:14:27,080 combines many information gathering 450 00:14:27,080 --> 00:14:28,910 tools with a single script. It gives you 451 00:14:28,910 --> 00:14:31,250 a menu-driven interface. You can run 452 00:14:31,250 --> 00:14:33,680 discovere.SH, which is a shell script, to 453 00:14:33,680 --> 00:14:35,420 start the script, and then we can start 454 00:14:35,420 --> 00:14:37,040 going through and doing different things 455 00:14:37,040 --> 00:14:38,779 with it, such as our recon for our domain, 456 00:14:38,779 --> 00:14:41,300 our person, or our Salesforce, we can do 457 00:14:41,300 --> 00:14:43,550 scanning. We can use iceweazel to 458 00:14:43,550 --> 00:14:45,290 search websites, we can crack Wi-Fi 459 00:14:45,290 --> 00:14:46,970 passwords, there's a lot of tools, it's 460 00:14:46,970 --> 00:14:49,100 about 15 or 20 tools, all shoved into 461 00:14:49,100 --> 00:14:50,570 this discover script, and it makes your 462 00:14:50,570 --> 00:14:53,180 job much easier. And finally we get to 463 00:14:53,180 --> 00:14:55,610 maltego. 
Maltego is a graphical tool 464 00:14:55,610 --> 00:14:56,900 that allows you to do some basic 465 00:14:56,900 --> 00:14:59,480 enumeration and reconnaissance. It kind 466 00:14:59,480 --> 00:15:00,650 of combines some of our step one and step 467 00:15:00,650 --> 00:15:02,420 two of the hacker's methodology. 468 00:15:02,420 --> 00:15:06,230 Some things we can do are DNS, whois; we 469 00:15:06,230 --> 00:15:07,520 can search network blocks and IP 470 00:15:07,520 --> 00:15:09,680 addresses, and we can target individuals. 471 00:15:09,680 --> 00:15:12,560 Now the thing I really like about Maltego 472 00:15:12,560 --> 00:15:13,880 is it does a really good job of 473 00:15:13,880 --> 00:15:15,830 visually depicting the relationships 474 00:15:15,830 --> 00:15:17,810 between people, information, and the 475 00:15:17,810 --> 00:15:20,089 networks they utilize. So, for example, as 476 00:15:20,089 --> 00:15:21,410 I'm starting to build a network map 477 00:15:21,410 --> 00:15:23,300 based on all the enumeration I'm doing, I 478 00:15:23,300 --> 00:15:25,130 can start putting that in and start 479 00:15:25,130 --> 00:15:26,300 getting a feel for what it looks like. 480 00:15:26,300 --> 00:15:29,540 Maltego does a great job. It also can do 481 00:15:29,540 --> 00:15:31,459 things based on interactions, kind of 482 00:15:31,459 --> 00:15:33,170 like social media. If you think about the 483 00:15:33,170 --> 00:15:35,390 old seven degrees of Kevin Bacon: 484 00:15:35,390 --> 00:15:37,250 I know Joe, and Joe knows Mary, then I 485 00:15:37,250 --> 00:15:39,980 know Mary, two steps removed. Maltego 486 00:15:39,980 --> 00:15:40,760 will start showing you those 487 00:15:40,760 --> 00:15:42,650 relationships. By building that, it will 488 00:15:42,650 --> 00:15:44,060 help me craft better social engineering 489 00:15:44,060 --> 00:15:45,960 campaigns, and better exploitation. 
490 00:15:45,960 --> 00:15:48,890 Maltego is also included as part of Kali 491 00:15:48,890 --> 00:15:51,590 Linux. So how do we put all this together? 492 00:15:51,590 --> 00:15:53,990 Well, at this point we've collected 493 00:15:53,990 --> 00:15:56,060 examples of emails, names, phone numbers, 494 00:15:56,060 --> 00:15:58,430 server addresses, documents, presentations, 495 00:15:58,430 --> 00:16:00,590 and much more. We've even gotten PDF 496 00:16:00,590 --> 00:16:02,240 files, and Word files, and Excel, and 497 00:16:02,240 --> 00:16:04,070 PowerPoint, and we can embed malware into 498 00:16:04,070 --> 00:16:05,930 those. We can use real employee names, 499 00:16:05,930 --> 00:16:07,730 positions, and writing styles to mimic 500 00:16:07,730 --> 00:16:09,980 their emails. We can take all that and 501 00:16:09,980 --> 00:16:11,750 conduct a really realistic spear 502 00:16:11,750 --> 00:16:15,050 phishing attack. Or, if I have a domain 503 00:16:15,050 --> 00:16:17,420 name, for instance I own TitanCipher.com 504 00:16:17,420 --> 00:16:19,610 for my hacking competitions, I could also 505 00:16:19,610 --> 00:16:22,910 buy Titancypher, with a Y, .com. Now if 506 00:16:22,910 --> 00:16:24,500 I have that one, I can use that as a 507 00:16:24,500 --> 00:16:26,360 watering hole. I can make it look just 508 00:16:26,360 --> 00:16:29,000 like the original Titancipher.com, but 509 00:16:29,000 --> 00:16:31,820 embed malware in there. That way, when 510 00:16:31,820 --> 00:16:33,500 people come to go to titancipher.com, 511 00:16:33,500 --> 00:16:35,150 if they mistype it, they go to the 512 00:16:35,150 --> 00:16:37,010 incorrect site. 
So, for instance, if you 513 00:16:37,010 --> 00:16:39,530 had Google with 3 o's instead of 2 o's, 514 00:16:39,530 --> 00:16:42,200 or Yahoo with 3 o's instead of 2 o's, 515 00:16:42,200 --> 00:16:44,180 something like that will allow us to 516 00:16:44,180 --> 00:16:45,350 have similar domain names that people 517 00:16:45,350 --> 00:16:48,950 can mistype and come over to us. Also, 518 00:16:48,950 --> 00:16:50,960 we can identify subdomains. If we find 519 00:16:50,960 --> 00:16:53,150 developer sites or mail servers, those 520 00:16:53,150 --> 00:16:54,320 are possible keys for exploitation, 521 00:16:54,320 --> 00:16:56,270 especially if we can find something like 522 00:16:56,270 --> 00:16:57,920 a developer site, because developer sites 523 00:16:57,920 --> 00:16:59,840 tend to run beta software as they're 524 00:16:59,840 --> 00:17:01,490 developing things, which means they have 525 00:17:01,490 --> 00:17:03,830 more bugs and more vulnerabilities. These 526 00:17:03,830 --> 00:17:05,270 are just some of the ways that we can 527 00:17:05,270 --> 00:17:07,730 find a foothold into the network. Next, 528 00:17:07,730 --> 00:17:08,690 we're going to put some of these tools 529 00:17:08,690 --> 00:17:10,280 into action, and we're going to play with 530 00:17:10,280 --> 00:17:13,360 them in the lab environment.