WEBVTT

00:00.000 --> 00:01.350
>> Hey guys. Welcome back to

00:01.350 --> 00:03.090
the Cyber Kill Chain
course on Cybrary.

00:03.090 --> 00:04.365
This is Abdulrahman A. Alnaim.

00:04.365 --> 00:06.120
In this episode,
we're going to start

00:06.120 --> 00:07.274
>> our target attack.

00:07.274 --> 00:09.990
>> Step 1, reconnaissance.

00:09.990 --> 00:11.910
Going back to the kill chain,

00:11.910 --> 00:16.275
we had these seven steps
that we went over.

00:16.275 --> 00:17.610
The first step is
reconnaissance,

00:17.610 --> 00:19.665
and I pointed this before
that reconnaissance

00:19.665 --> 00:22.860
sometimes is overlooked,

00:22.860 --> 00:26.250
especially when it
comes to [inaudible].

00:26.250 --> 00:27.810
However, reconnaissance
is one of

00:27.810 --> 00:31.950
the most important step
in this kill chain,

00:31.950 --> 00:34.020
because reconnaissance
is the base that you

00:34.020 --> 00:36.750
build your whole attack on.

00:36.750 --> 00:38.580
As I said before,
we're going to use

00:38.580 --> 00:40.260
the information
that we gain today,

00:40.260 --> 00:41.910
in weaponization, delivery,

00:41.910 --> 00:43.260
exploitation, and then

00:43.260 --> 00:47.700
continuously using it until
the end of the attack.

00:47.700 --> 00:51.430
You need to get as much
information as possible.

00:51.430 --> 00:54.120
In reconnaissance,
you want to gather

00:54.120 --> 00:55.250
information on the target

00:55.250 --> 00:57.455
before actually
starting the attack.

00:57.455 --> 01:00.230
There are two ways of
doing reconnaissance;

01:00.230 --> 01:01.970
there's passive, and active.

01:01.970 --> 01:05.080
Passive is the one that you
want to spend your time in.

01:05.080 --> 01:06.645
Because in passive,

01:06.645 --> 01:08.120
the target does not even know

01:08.120 --> 01:10.024
>> that you're actually trying

01:10.024 --> 01:11.930
>> to attack him
because you're looking

01:11.930 --> 01:13.910
for publicly available
information,

01:13.910 --> 01:16.070
you're not interacting
with the target,

01:16.070 --> 01:19.820
you're not trying to
do any network sweeps,

01:19.820 --> 01:20.870
you're not trying to do

01:20.870 --> 01:22.895
any vulnerability
assessments, or anything.

01:22.895 --> 01:26.025
You're just going
through the Internet,

01:26.025 --> 01:29.645
looking for information
that is publicly available.

01:29.645 --> 01:31.820
You can take your
time in passive.

01:31.820 --> 01:33.260
However, when it
comes to active,

01:33.260 --> 01:35.410
and I've seen this before
in a number of companies;

01:35.410 --> 01:37.085
as soon as you ping them,

01:37.085 --> 01:39.230
they will notice that someone is

01:39.230 --> 01:43.010
actually trying to
interact with our systems.

01:43.010 --> 01:45.380
You want to be sure,

01:45.380 --> 01:49.219
>> or the attacker
wants to be sure that

01:49.219 --> 01:52.200
>> he pays more attention, or

01:52.200 --> 01:55.660
he tries to be more
passive than active,

01:55.660 --> 01:58.250
because you don't
want them to know

01:58.250 --> 02:01.360
that you're actually
doing anything,

02:01.360 --> 02:03.740
and that step is too early in

02:03.740 --> 02:06.590
the attack for them to
actually notice you.

02:06.590 --> 02:08.735
In passive, again,

02:08.735 --> 02:10.745
some people call
it footprinting,

02:10.745 --> 02:13.654
you're looking for publicly
available information.

02:13.654 --> 02:16.325
This can be Whois, nslookup,

02:16.325 --> 02:18.230
there's a couple
of other websites

02:18.230 --> 02:20.960
that you can go and visit,

02:20.960 --> 02:23.120
and we're going to go
through them in a minute.

02:23.120 --> 02:27.350
Also social media tend to be
one of the best resources,

02:27.350 --> 02:29.570
because we tend to put

02:29.570 --> 02:31.790
a lot of information
in social media,

02:31.790 --> 02:33.695
LinkedIn is one of
the most popular.

02:33.695 --> 02:35.165
When you go to LinkedIn,

02:35.165 --> 02:36.845
visit your friend's
page on LinkedIn,

02:36.845 --> 02:38.780
you'll find certifications.

02:38.780 --> 02:44.420
When someone is certified in
supporting a Cisco device,

02:44.420 --> 02:46.100
most probably his company

02:46.100 --> 02:48.049
>> uses that Cisco
device itself.

02:48.049 --> 02:49.655
>> The same thing
goes for Linux,

02:49.655 --> 02:51.950
Windows. If he is
certified in Red Hat,

02:51.950 --> 02:54.800
most probably his company,
or the company that he works

02:54.800 --> 02:58.255
for uses Red Hat.

02:58.255 --> 03:01.775
Social media is one of
the things that a lot of

03:01.775 --> 03:05.120
hackers spend time in,
especially in reconnaissance.

03:05.120 --> 03:06.890
It's not only systems,

03:06.890 --> 03:09.980
it's also something that
you might find of interest.

03:09.980 --> 03:11.585
If you go to someone's
Facebook page,

03:11.585 --> 03:13.010
and you find that he's

03:13.010 --> 03:16.730
interested in scuba
diving as an example,

03:16.730 --> 03:17.750
or he's interested in

03:17.750 --> 03:19.790
horseback riding, or
something like that,

03:19.790 --> 03:25.400
you can design a
phishing email, or

03:25.400 --> 03:28.040
a social engineering
campaign direct

03:28.040 --> 03:31.585
to that guy, and
catch his interest.

03:31.585 --> 03:33.590
As a scuba diver,

03:33.590 --> 03:34.870
you would send them
something like,

03:34.870 --> 03:37.835
the Great Barrier Reef is dying.

03:37.835 --> 03:40.370
You need to go there
before it all goes away.

03:40.370 --> 03:42.125
Click here to find

03:42.125 --> 03:44.730
the best deals for the
Great Barrier Reef.

03:45.170 --> 03:49.400
Any diver, when he hears
something like that,

03:49.400 --> 03:50.870
he would be, okay, I have to go

03:50.870 --> 03:54.420
now or the Great
Barrier Reef is going.

03:54.710 --> 03:57.600
Most probably he'll be clicking.

03:57.600 --> 03:59.985
The last thing is
dumpster diving.

03:59.985 --> 04:01.835
Dumpster diving is one of

04:01.835 --> 04:04.610
the most disgusting things
that I've ever heard of.

04:04.610 --> 04:06.740
They actually go to dumpsters.

04:06.740 --> 04:10.325
Basically when companies finish

04:10.325 --> 04:12.860
from a piece of paper,
or something like that,

04:12.860 --> 04:16.860
they don't usually shred

04:16.860 --> 04:21.170
it or get rid of it
in a secure manner.

04:21.170 --> 04:22.810
A lot of companies just
throw it in the garbage,

04:22.810 --> 04:24.125
a lot of employees just

04:24.125 --> 04:26.315
don't think, and just
throw it in the garbage.

04:26.315 --> 04:27.710
All of these documents,

04:27.710 --> 04:32.880
all of these manuals go to
the dumpster at the end.

04:32.880 --> 04:34.625
Someone can jump in there,

04:34.625 --> 04:37.805
look into this
company's dumpster,

04:37.805 --> 04:40.100
and then find out that
they have this manual.

04:40.100 --> 04:42.530
Some people actually
like passwords,

04:42.530 --> 04:44.360
some people like
the configuration

04:44.360 --> 04:45.800
that they actually did,

04:45.800 --> 04:48.470
or if you have a
hardening document, or

04:48.470 --> 04:53.240
a technical configuration
baseline in your company,

04:53.240 --> 04:55.820
someone might have
his hand on it.

04:55.820 --> 05:00.665
Let's do a couple of
passive reconnaissance.

05:00.665 --> 05:04.670
Again, we'll try to spend as
much time here as we can.

05:04.670 --> 05:07.715
The first thing that
I want to do is

05:07.715 --> 05:13.950
go here and just say, whois.

05:13.950 --> 05:17.980
Then let's say cybrary.it.

05:19.910 --> 05:22.605
The first thing that you noticed

05:22.605 --> 05:25.305
is admin contact is hidden,

05:25.305 --> 05:27.030
technical contact is hidden.

05:27.030 --> 05:29.045
There's a lot of
information here.

05:29.045 --> 05:31.025
When was the website created,

05:31.025 --> 05:33.750
the last update, and so on.

05:34.160 --> 05:36.590
In many other organizations,

05:36.590 --> 05:38.970
you'll find the contact
name out there.

05:38.970 --> 05:40.640
You'll find contact email,

05:40.640 --> 05:42.110
you'll find a lot of information

05:42.110 --> 05:44.530
about who's supporting
this website.

05:44.530 --> 05:49.590
That's extremely important
because usually admins,

05:49.590 --> 05:50.660
or web admins, or

05:50.660 --> 05:53.585
system admins have
excessive privileges.

05:53.585 --> 05:58.900
If an attacker wants
to hack someone,

05:58.900 --> 06:01.920
they usually go for these
guys, the whales,

06:01.920 --> 06:04.685
the people that actually
make a difference, and have

06:04.685 --> 06:09.030
access to a lot of information.

06:09.030 --> 06:13.580
Whois, basically,
we're just checking

06:13.580 --> 06:14.704
>> a public database.

06:14.704 --> 06:20.640
>> We did not even
interact with the systems,

06:20.640 --> 06:23.765
with Cybrary IT system,
or anything like that.

06:23.765 --> 06:27.620
The next thing that we're
going to do is nslookup.

06:27.620 --> 06:29.645
Nslookup, what we're doing,

06:29.645 --> 06:32.550
again, we're going
to go to Cybrary.

06:32.550 --> 06:35.150
What we're doing is we're trying

06:35.150 --> 06:37.190
to find out the IPs of nslookup.

06:37.190 --> 06:38.510
From the IP, you can say

06:38.510 --> 06:41.420
which country this is hosted on.

06:41.420 --> 06:45.110
There's a lot of other
information that you can

06:45.110 --> 06:48.665
get such as there
are three servers,

06:48.665 --> 06:50.945
they seem all to be
in the same country.

06:50.945 --> 06:52.850
However, in other websites,

06:52.850 --> 06:55.775
you'll find a lot
more information.

06:55.775 --> 06:58.700
Obviously Cybrary, it

06:58.700 --> 07:00.830
pays attention to these
things, and that's why

07:00.830 --> 07:06.675
they're the best training
center in the world I guess.

07:06.675 --> 07:08.760
We'll go to the next one,

07:08.760 --> 07:13.480
which is the websites
that I was talking about.

07:13.480 --> 07:16.190
We have Censys.

07:16.190 --> 07:19.220
We're skipping here.

07:19.220 --> 07:22.240
The first thing is Censys.

07:22.240 --> 07:25.200
In this case, we're going to
do the same thing exactly,

07:25.200 --> 07:30.480
so cybrary.it, [NOISE]
hit "Enter".

07:30.480 --> 07:32.870
Then this website
will give us a lot

07:32.870 --> 07:35.660
of hosts and a lot of
information about Cybrary.

07:35.660 --> 07:38.660
It gives you all of the servers,

07:38.660 --> 07:40.295
where are they hosted,

07:40.295 --> 07:45.060
the URLs, what are the
open ports, and so on.

07:45.080 --> 07:47.480
That's one example.

07:47.480 --> 07:48.740
The other one is Shodan,

07:48.740 --> 07:50.330
which you need an account,

07:50.330 --> 07:51.530
there's a free account and then

07:51.530 --> 07:52.775
there's an upgrade account.

07:52.775 --> 07:54.290
I have a free account.

07:54.290 --> 07:57.210
I'm going to do the
same thing again.

07:58.229 --> 08:01.045
>> Again, what we're doing now,

08:01.045 --> 08:04.615
we're not talking to
the back-end server,

08:04.615 --> 08:05.934
or we're not communicating

08:05.934 --> 08:08.365
to establish server,
or anything.

08:08.365 --> 08:11.740
If we look at this, again,

08:11.740 --> 08:15.130
it would give us
some information

08:15.130 --> 08:18.040
about the technologies
that are used,

08:18.040 --> 08:19.960
the ports that are open,

08:19.960 --> 08:21.775
what are the services available,

08:21.775 --> 08:25.310
they have an SSL
certificate, and so on.

08:25.680 --> 08:28.960
Again, this is a very
high level example.

08:28.960 --> 08:30.520
I did not get into details here.

08:30.520 --> 08:34.260
However, if you take each and

08:34.260 --> 08:36.690
every IP and then
who has this IP

08:36.690 --> 08:39.465
and then who has the other
IP, and do it recursively,

08:39.465 --> 08:42.840
you'll gain a lot of
information that would actually

08:42.840 --> 08:48.860
help you during the attack.

08:49.830 --> 08:54.730
Let's go back to our slides.

08:54.730 --> 09:01.195
This is the passive
reconnaissance footprinting

09:01.195 --> 09:02.800
where we're looking for publicly

09:02.800 --> 09:04.735
available information
on the Internet.

09:04.735 --> 09:06.520
Once again, you want to spend

09:06.520 --> 09:08.005
as much time as you can here,

09:08.005 --> 09:09.550
gather as much
information as you

09:09.550 --> 09:11.290
can here before moving to

09:11.290 --> 09:14.700
the active part of
reconnaissance,

09:14.700 --> 09:16.200
which is more
technical audience,

09:16.200 --> 09:18.450
starting with interaction
with the server.

09:18.450 --> 09:20.010
It can be a vulnerability scan,

09:20.010 --> 09:21.870
it can be a web application scan.

09:21.870 --> 09:23.430
The example that
I'm going to show

09:23.430 --> 09:26.505
you is a fingerprint scan.

09:26.505 --> 09:29.405
What we're trying to do,

09:29.405 --> 09:32.260
is basically we're
trying to know what

09:32.260 --> 09:34.855
kind of server are
we communicating to.

09:34.855 --> 09:36.475
I got the IP before,

09:36.475 --> 09:39.475
and I know what's the IP
that I'm communicating to.

09:39.475 --> 09:44.005
However, I don't know
what the server is.

09:44.005 --> 09:46.885
I don't know what ports
are exactly open.

09:46.885 --> 09:49.660
I know the web ports that
are open, 80 and 443.

09:49.660 --> 09:51.430
However, I need more information,

09:51.430 --> 09:53.755
and that's fingerprinting.

09:53.755 --> 09:57.430
A great tool to do that is Nmap.

09:57.430 --> 09:59.395
I'm going to leave a link to

09:59.395 --> 10:01.480
Nmap and a couple of
documentation that has to

10:01.480 --> 10:06.040
do with Nmap in the
Resources page.

10:06.040 --> 10:10.120
Then this time we're not
going to [inaudible].

10:10.120 --> 10:13.990
We're going to use
scanme.nmap.org,

10:13.990 --> 10:16.780
which is a public website by

10:16.780 --> 10:18.190
Nmap themselves to test

10:18.190 --> 10:20.155
their scanners and we're
allowed to use it,

10:20.155 --> 10:22.840
but not obviously overuse it.

10:22.840 --> 10:26.650
I'm going to run this. I'm
going to get the dash,

10:26.650 --> 10:28.930
or I'm going to get
the operating system

10:28.930 --> 10:33.890
of the server host
in scanme.nmap.org.

10:34.350 --> 10:37.825
Let's go back to the top,

10:37.825 --> 10:41.080
and I got of the IPs out there.

10:41.080 --> 10:43.450
I have the ports, I have Port 80,

10:43.450 --> 10:44.680
which is basically web,

10:44.680 --> 10:47.875
and then I have
22, which is SSH.

10:47.875 --> 10:50.620
For some people,
this is promising,

10:50.620 --> 10:53.395
you can go and look into it.

10:53.395 --> 10:58.015
Then you have a couple
of other sources.

10:58.015 --> 11:01.870
When you look at OS,

11:01.870 --> 11:06.100
because they don't actually
login to the OS and they

11:06.100 --> 11:10.375
cannot basically run a
command on those OS's,

11:10.375 --> 11:13.240
it's an aggressive OS guessing.

11:13.240 --> 11:17.350
They get a number
of sources that

11:17.350 --> 11:22.420
are basically available
from the outside,

11:22.420 --> 11:25.870
and then based on
that guess, the OS,

11:25.870 --> 11:31.660
so the randomization in
the reply of the ping,

11:31.660 --> 11:33.640
the open ports as an example,

11:33.640 --> 11:34.810
as a search would give you

11:34.810 --> 11:36.925
an indication that
this is more of

11:36.925 --> 11:42.100
a Linux server rather than
a Windows server and so on.

11:42.100 --> 11:45.250
You find a number of
operating systems.

11:45.250 --> 11:46.720
Most of them are Linux,

11:46.720 --> 11:48.580
differentiate from
one to another.

11:48.580 --> 11:50.740
But this would give you an idea.

11:50.740 --> 11:54.730
But imagine if there's
an open port here,

11:54.730 --> 11:56.920
and I can go through
the ports one by one.

11:56.920 --> 11:59.515
But imagine if there's
an open FTP port here.

11:59.515 --> 12:01.315
That would give me an idea,

12:01.315 --> 12:02.680
there's an open FTP port,

12:02.680 --> 12:05.410
I can use it later
on in delivery

12:05.410 --> 12:08.680
or in one of the
following stages.

12:08.680 --> 12:10.405
The same thing goes if I have

12:10.405 --> 12:19.525
a VNC port open.

12:19.525 --> 12:21.940
I know that there's
a task that there's

12:21.940 --> 12:26.560
insecure remote access
available for me to go ahead

12:26.560 --> 12:29.845
and try to either brute
force it or maybe it's just

12:29.845 --> 12:34.420
wide-open or is using
a default password.

12:34.420 --> 12:38.050
That's active reconnaissance.

12:38.050 --> 12:40.330
Moving to the post-assessments
question now.

12:40.330 --> 12:42.310
Now that we've covered

12:42.310 --> 12:44.585
the active and passive
reconnaissance,

12:44.585 --> 12:46.830
what is the purpose
of reconnaissance?

12:46.830 --> 12:48.795
I talked about all
of this a bit.

12:48.795 --> 12:51.915
I said reconnaissance is
the base of an attack.

12:51.915 --> 12:53.550
We're building the attack based

12:53.550 --> 12:55.350
on the information that we
get from the reconnaissance.

12:55.350 --> 12:57.945
We're trying to get as
much information as we

12:57.945 --> 13:02.485
can and reconnaissance to
help us go through the steps.

13:02.485 --> 13:03.910
So reconnaissance is like

13:03.910 --> 13:08.500
the stop at the beginning of
the race where you want to

13:08.500 --> 13:10.960
get all of your
energy and all of

13:10.960 --> 13:15.595
your excitement for
the upcoming race.

13:15.595 --> 13:18.760
So reconnaissance is one of
the most important steps.

13:18.760 --> 13:21.340
What are the main types
of reconnaissance?

13:21.340 --> 13:23.590
We said there is
passive and active.

13:23.590 --> 13:25.765
Passive reconnaissance is when

13:25.765 --> 13:29.440
you do not interact
with the end system.

13:29.440 --> 13:31.540
Then active
reconnaissance is when

13:31.540 --> 13:33.880
you interact with
the end system.

13:33.880 --> 13:36.640
True or false: Ping and

13:36.640 --> 13:40.660
nslookup are examples of
passive reconnaissance.

13:40.660 --> 13:44.140
That's actually false.
Nslookup is passive.

13:44.140 --> 13:47.530
However, with ping you're communicating
with the end server.

13:47.530 --> 13:50.740
A lot of people use ping
to get the IP, however,

13:50.740 --> 13:54.310
nslookup would give you
the IP as well without

13:54.310 --> 13:59.275
interacting with the end
server or the target server.

13:59.275 --> 14:01.300
How does posting information on

14:01.300 --> 14:03.340
social media help adversaries?

14:03.340 --> 14:05.845
We've talked about
this in a little bit.

14:05.845 --> 14:07.945
We said that any
information that you post

14:07.945 --> 14:11.020
whether on your LinkedIn,
your certifications, or

14:11.020 --> 14:13.510
any interest that
you have can be used

14:13.510 --> 14:17.230
against you in a social
engineering attack.

14:17.230 --> 14:21.684
If you post a
certification supporting

14:21.684 --> 14:27.700
XYZ system on LinkedIn
or on your resume,

14:27.700 --> 14:30.550
I'll be able to know that
your company supports

14:30.550 --> 14:33.805
that system or has this system.

14:33.805 --> 14:35.590
If it's a firewall, I
know your company has

14:35.590 --> 14:37.750
a firewall it puts
into a device and

14:37.750 --> 14:39.580
your company has a device that's

14:39.580 --> 14:41.290
an operating system or server

14:41.290 --> 14:43.510
operating system,
I'd know that too.

14:43.510 --> 14:46.915
On the other hand, when it
comes to social aspect,

14:46.915 --> 14:53.650
as a hacker, I

14:53.650 --> 14:56.530
can create a phishing
campaign against

14:56.530 --> 14:57.850
a certain employee using

14:57.850 --> 15:00.100
the information that are
available on his Facebook,

15:00.100 --> 15:02.890
Twitter, or Instagram account.

15:02.890 --> 15:05.245
Using this information,
I can design

15:05.245 --> 15:11.330
a campaign that is targeted
specifically to this guy.

15:12.630 --> 15:16.750
Next, the IP I get from
running an nslookup

15:16.750 --> 15:20.650
on the company's website
is the only one I need.

15:20.650 --> 15:23.995
That's actually not true because

15:23.995 --> 15:27.100
a lot of the IPs
that you get from

15:27.100 --> 15:35.170
nslookup are your load
balancers or your gateway IPs,

15:35.170 --> 15:38.230
and you need to do
more research there.

15:38.230 --> 15:40.390
Again, as I said,

15:40.390 --> 15:42.340
when you go through Censys,

15:42.340 --> 15:44.274
>> and [inaudible] and so on,

15:44.274 --> 15:46.300
>> you need to take each and

15:46.300 --> 15:49.045
every IP, and then
search it more.

15:49.045 --> 15:50.500
In the Resources, I'm going to

15:50.500 --> 15:53.260
>> leave a link to [inaudible],

15:53.260 --> 15:56.780
>> there you can go
and explore yourself.

15:57.330 --> 15:59.810
In this brief lecture,

15:59.810 --> 16:05.155
we discussed the reconnaissance
step of the kill chain,

16:05.155 --> 16:06.880
active, and passive recon.

16:06.880 --> 16:08.210
We went over a couple of

16:08.210 --> 16:10.340
examples of active,
and passive recon.

16:10.340 --> 16:12.770
In the next episode we're
going to talk about

16:12.770 --> 16:16.960
the weaponization phase,
and techniques.

16:16.960 --> 16:20.660
Thank you so much, and
see you in weaponization.

