WEBVTT

00:00.000 --> 00:02.400
>> Hey, guys, welcome back to

00:02.400 --> 00:04.680
the Cyber Kill Chain
course in Cybrary.

00:04.680 --> 00:07.035
This is Abdulrahman Alnaim
and in today's episode,

00:07.035 --> 00:09.090
we're going to start
our targeted attack.

00:09.090 --> 00:11.265
First step is reconnaissance.

00:11.265 --> 00:13.290
As I've said before
and we discussed,

00:13.290 --> 00:15.675
there are seven steps of
the cyber kill chain.

00:15.675 --> 00:18.240
The first step,
and as they said,

00:18.240 --> 00:20.370
the most important step
is reconnaissance.

00:20.370 --> 00:22.650
Because you can think
of reconnaissance as

00:22.650 --> 00:24.030
the base of the attack. When

00:24.030 --> 00:25.500
you have good reconnaissance,

00:25.500 --> 00:29.730
it would make the next
few steps a lot easier.

00:29.730 --> 00:33.020
You want to have good
reconnaissance to

00:33.020 --> 00:37.270
build a successful targeted
attack on top of this.

00:37.270 --> 00:40.760
In reconnaissance, we gather
information on the target

00:40.760 --> 00:42.010
before the actual attack.

00:42.010 --> 00:43.825
That's the whole goal
of reconnaissance.

00:43.825 --> 00:47.030
There are a number of ways
or types of reconnaissance.

00:47.030 --> 00:50.265
There's passive and
active reconnaissance.

00:50.265 --> 00:52.400
Passive, what we're
doing is we're looking

00:52.400 --> 00:54.725
for publicly available
information on the Internet.

00:54.725 --> 00:56.900
We're not interacting
with the target.

00:56.900 --> 00:58.880
We are trying to
keep our distance.

00:58.880 --> 01:01.490
In this phase, you
can take your time

01:01.490 --> 01:03.860
because the other side does

01:03.860 --> 01:05.825
not really know that
you've actually

01:05.825 --> 01:08.765
started a targeted
attack on them.

01:08.765 --> 01:10.805
However, on active,

01:10.805 --> 01:13.490
there's an interaction
with the other side.

01:13.490 --> 01:16.220
They can discover the
reconnaissance going

01:16.220 --> 01:19.115
on and then base their
defense on that.

01:19.115 --> 01:20.870
I've seen a number
of companies that

01:20.870 --> 01:22.610
monitor ping attacks
to their server.

01:22.610 --> 01:24.500
As soon as they
get a ping attack,

01:24.500 --> 01:27.860
they would actually
investigate that ping attack,

01:27.860 --> 01:29.840
where did it come
from and what is

01:29.840 --> 01:34.530
the intention of
that ping attack.

01:34.750 --> 01:38.665
Let's start with
passive reconnaissance.

01:38.665 --> 01:40.759
A lot of people call
this footprinting

01:40.759 --> 01:42.800
because what we're
doing is we're looking for

01:42.800 --> 01:44.870
publicly available
information on the Internet.

01:44.870 --> 01:48.440
We're not yet there while
we communicate with

01:48.440 --> 01:54.315
the target of this attack.

01:54.315 --> 01:57.320
There's a number of
techniques that are used

01:57.320 --> 02:00.395
during reconnaissance or
passive reconnaissance.

02:00.395 --> 02:04.170
The first one is Whois [NOISE]
and Whois would actually

02:04.170 --> 02:08.525
give us a lot of information
about the target.

02:08.525 --> 02:10.220
Let's say we're going to

02:10.220 --> 02:14.850
cybrary.it and this would
give us the website.

02:14.850 --> 02:17.720
It would also give us
the admin of the website

02:17.720 --> 02:21.925
and this information might
not seem that interesting,

02:21.925 --> 02:24.980
however, admins usually have

02:24.980 --> 02:26.525
excessive privileges
and if you're

02:26.525 --> 02:28.475
planning on doing
a social attack,

02:28.475 --> 02:30.665
that's the guy you
want to go for.

02:30.665 --> 02:32.335
Because usually, he has

02:32.335 --> 02:34.290
system admin beautiful
was the next

02:34.290 --> 02:39.100
and he has these privileges
that no one else might have.

02:40.420 --> 02:42.920
The first thing is
Whois, we covered that.

02:42.920 --> 02:44.435
The second thing is nslookup.

02:44.435 --> 02:45.695
Let's say you have

02:45.695 --> 02:48.695
cybrary.it but you don't
actually know the IP.

02:48.695 --> 02:51.800
What a lot of people would do is
ping it,

02:51.800 --> 02:53.780
but as I've just
said, ping is

02:53.780 --> 02:56.780
considered to be
an active attack,

02:56.780 --> 02:58.840
an active reconnaissance because

02:58.840 --> 03:00.740
you're actually communicating
with the end device.

03:00.740 --> 03:02.945
However, nslookup is not

03:02.945 --> 03:04.370
because what you're
actually doing,

03:04.370 --> 03:07.940
in nslookup, you're
querying the DNS,

03:07.940 --> 03:10.775
you're not actually communicating
with the end device.

03:10.775 --> 03:13.165
I'm going to copy this.

03:13.165 --> 03:16.260
We're going to use it
in the next example.

03:16.260 --> 03:17.820
Let's go to the next one.

03:17.820 --> 03:21.814
Censys. Censys is a website
that is publicly available

03:21.814 --> 03:23.690
and has a lot of information

03:23.690 --> 03:27.450
about websites
around the Internet.

03:27.450 --> 03:30.645
You'll get a lot of
information from Censys

03:30.645 --> 03:33.690
that would help you
during this phase.

03:33.690 --> 03:35.810
Let's paste the IP
that we just copied

03:35.810 --> 03:39.260
here and look at the
information that it would give us.

03:39.260 --> 03:41.270
It would give us the IP address.

03:41.270 --> 03:44.390
It would give us the
routing of the IP address.

03:44.390 --> 03:45.755
It would give us the location

03:45.755 --> 03:47.510
of the server who's hosting it.

03:47.510 --> 03:49.145
What is the version of TLS.

03:49.145 --> 03:50.900
It would actually
show us that the

03:50.900 --> 03:53.555
[inaudible] is
disabled and so on.

03:53.555 --> 03:56.450
You want to spend
more time here,

03:56.450 --> 04:00.760
because if I type cybrary.it,

04:00.760 --> 04:05.570
I would get pages and pages
and pages of host IPs

04:05.570 --> 04:12.410
and addresses that are
somewhat related to cybrary.

04:12.410 --> 04:15.275
The other example that I want
to show you is Shodan,

04:15.275 --> 04:17.510
and I'm going to do
the exact same thing.

04:17.510 --> 04:19.145
I'm going to paste the IP first,

04:19.145 --> 04:20.570
keeping in mind that

04:20.570 --> 04:22.445
that's not the only
IP that there is,

04:22.445 --> 04:24.125
we just saw three IPs.

04:24.125 --> 04:25.580
If I go back to Censys,

04:25.580 --> 04:27.140
I'm going to get a lot more

04:27.140 --> 04:30.440
IPs than the ones
that I get in Whois.

04:30.440 --> 04:33.680
[NOISE] It would
actually give us

04:33.680 --> 04:35.720
this map and open ports and

04:35.720 --> 04:38.824
services that are available.

04:38.824 --> 04:41.690
Let's look at cybrary.it and

04:41.690 --> 04:45.815
then we'll look at
what output do we get.

04:45.815 --> 04:47.720
We get a number
of outputs; it's not

04:47.720 --> 04:49.935
the only single one
that we got before.

04:49.935 --> 04:52.140
Most of them are in
the United States.

04:52.140 --> 04:54.035
This is the same
information, however,

04:54.035 --> 04:56.465
I'm getting the technology
that they're using.

04:56.465 --> 04:59.520
I know they're using
Ruby on Rails and so on.

05:00.530 --> 05:02.480
The next thing that I want

05:02.480 --> 05:07.650
to talk about
is social media.

05:07.659 --> 05:11.905
Social media is a good thing

05:11.905 --> 05:13.950
when you look at
the big picture.

05:13.950 --> 05:15.710
We started communicating
with each other.

05:15.710 --> 05:17.920
We started to learn more
using social media.

05:17.920 --> 05:19.940
However, sometimes
we tend to share

05:19.940 --> 05:22.325
a lot more than we
should on social media.

05:22.325 --> 05:23.930
There are two examples here.

05:23.930 --> 05:26.960
The first one is the
technologies that I'm using.

05:26.960 --> 05:28.940
Let's say I work
for the company and

05:28.940 --> 05:31.730
then I add to my
LinkedIn account,

05:31.730 --> 05:34.775
saying that I can support

05:34.775 --> 05:42.610
Cisco model XYZ and
Brocade Switch XYZ2.

05:42.610 --> 05:45.650
What happens is basically I'm

05:45.650 --> 05:48.560
telling the attackers
or the hackers,

05:48.560 --> 05:53.170
my company uses this
and this model.

05:53.170 --> 05:55.400
This model is their
firewall and this model is

05:55.400 --> 05:59.100
their switch or a lot that
they're actually using.

05:59.900 --> 06:03.785
This might not seem
like something that

06:03.785 --> 06:08.480
is interesting to
the hacker, however,

06:08.480 --> 06:10.820
it really is because
when you give him

06:10.820 --> 06:11.929
this information,

06:11.929 --> 06:15.260
he knows exactly what
basically vulnerabilities

06:15.260 --> 06:17.420
you might have in the future.

06:17.420 --> 06:20.245
Or if you ever have a zero day,

06:20.245 --> 06:22.725
trust me, he'll be the
first to jump on it.

06:22.725 --> 06:25.700
The other aspect
is social media,

06:25.700 --> 06:27.520
this is the social
aspect of social media.

06:27.520 --> 06:29.960
If you go to a less
professional type

06:29.960 --> 06:32.510
of social media like
Facebook or any app,

06:32.510 --> 06:34.130
Instagram or any of

06:34.130 --> 06:36.305
these that are less professional
than LinkedIn,

06:36.305 --> 06:38.420
where we share our
personal information

06:38.420 --> 06:40.910
rather than our
professional information.

06:40.910 --> 06:44.000
You'll find a lot of
information that would

06:44.000 --> 06:47.060
help an attacker to build
a profile on someone.

06:47.060 --> 06:49.400
You would know if
he's interested

06:49.400 --> 06:52.460
in scuba diving or
in horseback riding

06:52.460 --> 06:53.690
or he loves cars,

06:53.690 --> 06:56.180
or soccer or football
or something like that.

06:56.180 --> 07:00.050
Then you can build a
profile about this guy.

07:00.050 --> 07:02.240
Imagine if this guy was
the admin that we just

07:02.240 --> 07:05.180
saw on Whois and he was

07:05.180 --> 07:06.680
interested in something
that you were

07:06.680 --> 07:08.840
able to catch his interest

07:08.840 --> 07:13.895
using one social
engineering attack.

07:13.895 --> 07:15.920
The last thing that I
want to talk about here

07:15.920 --> 07:17.530
is dumpster diving and

07:17.530 --> 07:21.350
it's the most disgusting of
the passive reconnaissance,

07:21.350 --> 07:24.590
but it's also the only one
that is actually physical.

07:24.590 --> 07:26.600
A lot of companies dispose of

07:26.600 --> 07:29.270
their information in a
not-so-secure way.

07:29.270 --> 07:31.610
What they do is they just
throw it in the garbage

07:31.610 --> 07:33.980
and then from the garbage
back to the dumpster.

07:33.980 --> 07:35.720
What hackers can do is jump into

07:35.720 --> 07:38.060
this dumpster and collect
this information.

07:38.060 --> 07:39.425
If they have any manuals,

07:39.425 --> 07:41.180
if they have any contracts,

07:41.180 --> 07:42.770
if they have any information

07:42.770 --> 07:45.274
that they don't really want

07:45.274 --> 07:50.435
to share with
anyone out there,

07:50.435 --> 07:52.670
the hacker or the
attacker would have

07:52.670 --> 07:55.630
access to it through
their dumpster.

07:55.630 --> 07:59.800
We covered reconnaissance
and passive reconnaissance.

07:59.800 --> 08:02.450
Let's go back and
answer these questions.

08:02.450 --> 08:04.885
What is the purpose
of reconnaissance?

08:04.885 --> 08:07.160
The purpose of
reconnaissance is to build

08:07.160 --> 08:10.235
the base of a successful
targeted attack

08:10.235 --> 08:12.860
by collecting and gathering
as much information

08:12.860 --> 08:15.905
as possible that would
help me in later stages.

08:15.905 --> 08:18.860
Second is what are
the two main types

08:18.860 --> 08:20.240
of reconnaissance
and we covered this.

08:20.240 --> 08:22.745
There's the active
where you interact with

08:22.745 --> 08:25.460
the target and
there's the passive

08:25.460 --> 08:28.295
which we covered and
you don't interact

08:28.295 --> 08:30.140
and try to gather information

08:30.140 --> 08:32.330
publicly available
on the Internet.

08:32.330 --> 08:34.640
Third is how is
posting information

08:34.640 --> 08:36.380
on social media
help adversaries?

08:36.380 --> 08:37.640
As we said, we're

08:37.640 --> 08:39.785
giving a lot more
information than we should.

08:39.785 --> 08:41.270
What systems do we support?

08:41.270 --> 08:47.245
What are the interests of
system admins and so on?

08:47.245 --> 08:49.710
The last question
is: the IP I get

08:49.710 --> 08:51.740
from running nslookup on
the company's website,

08:51.740 --> 08:53.210
is the only one I need.

08:53.210 --> 08:55.520
That's actually not true
because there's a lot

08:55.520 --> 08:58.180
of links that are hidden from

08:58.180 --> 09:01.550
Whois or nslookup
because they're sublinks

09:01.550 --> 09:07.010
or they're not available
for nslookup because

09:07.010 --> 09:10.110
they're not supposed
to be accessed directly.

09:10.160 --> 09:12.560
In today's video, we covered

09:12.560 --> 09:15.875
step 1 of the cyber
kill chain, reconnaissance.

09:15.875 --> 09:17.985
We talked about passive
reconnaissance,

09:17.985 --> 09:19.430
and we went through a couple of

09:19.430 --> 09:21.885
examples of passive
reconnaissance.

09:21.885 --> 09:23.180
In the next video,

09:23.180 --> 09:24.770
we're going to talk about

09:24.770 --> 09:27.095
active reconnaissance phase and

09:27.095 --> 09:30.840
active reconnaissance
technique. See you then.

