WEBVTT

00:00.000 --> 00:01.110
>> Hey guys.

00:01.110 --> 00:01.950
>> Welcome back to this

00:01.950 --> 00:03.659
>> cyber kill chain
course in Cybrary.

00:03.659 --> 00:04.980
>> This is Abdulrahman Alnaim

00:04.980 --> 00:05.880
>> and in today's episode

00:05.880 --> 00:07.874
>> we're going to
continue reconnaissance.

00:07.874 --> 00:09.480
>> As I said before,

00:09.480 --> 00:10.860
reconnaissance might be one of

00:10.860 --> 00:14.010
the most important steps
during a targeted attack.

00:14.010 --> 00:15.390
The hacker wants to gather

00:15.390 --> 00:18.285
as much information as possible
during reconnaissance.

00:18.285 --> 00:20.100
Reconnaissance will help him,

00:20.100 --> 00:22.155
in the following six steps.

00:22.155 --> 00:24.210
It would make life a lot easier

00:24.210 --> 00:26.880
>> when you have all of
the information handy,

00:26.880 --> 00:30.120
>> and you know what to
expect during an attack.

00:30.120 --> 00:32.130
Well, we only
covered the passive

00:32.130 --> 00:36.450
>> type of reconnaissance

00:36.450 --> 00:37.740
>> where we got the IPs,

00:37.740 --> 00:40.620
>> we got the URLs,

00:40.620 --> 00:44.160
we got the users.

00:44.160 --> 00:45.600
We went through social media,

00:45.600 --> 00:48.170
we know who's the system
admin, and so on.

00:48.170 --> 00:51.170
However, we still
need more information

00:51.170 --> 00:52.654
>> that would help us later on.

00:52.654 --> 00:54.740
>> Something that would
help us in delivery,

00:54.740 --> 00:56.660
something that would
help us in installation,

00:56.660 --> 00:59.485
and even in organization.

00:59.485 --> 01:03.980
The passive reconnaissance
was looking

01:03.980 --> 01:05.450
>> for publicly
available information,

01:05.450 --> 01:07.610
>> now we need to
get more active

01:07.610 --> 01:09.380
>> we need to start
interacting with the target.

01:09.380 --> 01:11.574
>> We need to get
this information,

01:11.574 --> 01:13.905
but from the target.

01:13.905 --> 01:15.935
This can be technical
and non-technical,

01:15.935 --> 01:17.000
keeping in mind that

01:17.000 --> 01:19.190
the target is not
necessarily a system.

01:19.190 --> 01:21.260
On the technical side, vulnerability

01:21.260 --> 01:23.885
scanning is one of the most
popular activities here.

01:23.885 --> 01:25.310
Because what you're doing

01:25.310 --> 01:27.830
>> is you want to find
the vulnerability

01:27.830 --> 01:29.104
>> that you would exploit.

01:29.104 --> 01:30.950
>> Running a
vulnerability scan is

01:30.950 --> 01:32.510
very popular during
reconnaissance.

01:32.510 --> 01:34.910
You will get what are
the available services.

01:34.910 --> 01:36.080
You'll get what
are the vulnerable

01:36.080 --> 01:37.475
services that are used.

01:37.475 --> 01:41.880
You'll also get
the vulnerable OS

01:41.880 --> 01:43.905
if they're using
a vulnerable OS,

01:43.905 --> 01:46.380
say they're using
a web application

01:46.380 --> 01:49.094
>> or the system is
hosting a web application.

01:49.094 --> 01:51.990
>> Some of the scanners
would actually give you

01:51.990 --> 01:53.690
>> the vulnerabilities
in the application

01:53.690 --> 01:57.039
>> or the dependencies that
are used by the application.

01:57.039 --> 01:59.300
>> Keeping in mind
that web applications

01:59.300 --> 02:01.730
usually are extremely targeted.

02:01.730 --> 02:06.110
Because oftentimes the
application server

02:06.110 --> 02:07.970
hosting the web application is

02:07.970 --> 02:10.295
running as root
or administrator,

02:10.295 --> 02:13.685
so if you get access
to a vulnerability

02:13.685 --> 02:18.110
that would allow you to run
code on the application.

02:18.110 --> 02:20.180
You will run code as root

02:20.180 --> 02:22.940
>> because you will run
as the application server

02:22.940 --> 02:25.879
>> or running the
web application.

02:25.879 --> 02:28.190
>> Vulnerability
scanning is crucial.

02:28.190 --> 02:31.010
You want to use all
of the information

02:31.010 --> 02:33.439
>> that you get from
passive, the IPs, the links,

02:33.439 --> 02:35.345
>> the URLs dependencies,

02:35.345 --> 02:39.020
or the communication that
we got from the passive

02:39.020 --> 02:41.314
>> and run a vulnerability
scan against it.

02:41.314 --> 02:44.426
>> Obviously, you want to
be as quiet as possible

02:44.426 --> 02:47.900
>> because you don't
want the target

02:47.900 --> 02:52.269
>> to notice any scanning
that is going on.

02:52.269 --> 02:56.475
>> The second thing
is fingerprinting.

02:56.475 --> 02:57.780
In fingerprinting,

02:57.780 --> 03:00.420
>> what we're trying to get is
what are the open services.

03:00.420 --> 03:01.580
>> What are the
available services?

03:01.580 --> 03:02.930
What are the open ports?

03:02.930 --> 03:07.285
Most importantly,
what is the OS?

03:07.285 --> 03:10.815
One of the most
popular tools is nmap,

03:10.815 --> 03:12.800
obviously nmap does a
lot more than that.

03:12.800 --> 03:14.885
There's also a version of nmap

03:14.885 --> 03:17.570
that is GUI-based
and called Zenmap.

03:17.570 --> 03:19.880
I'm going to leave in
the resource pages,

03:19.880 --> 03:21.740
>> links to nmap, Zenmap

03:21.740 --> 03:24.154
>> and resources
that would help you

03:24.154 --> 03:29.370
>> get information
about nmap and Zenmap.

03:29.370 --> 03:31.290
Let's go here.

03:31.290 --> 03:33.730
>> Nmap provides a host

03:33.730 --> 03:37.284
>> that is out there
to be scanned.

03:37.284 --> 03:38.890
>> Obviously, you'll
have to be polite

03:38.890 --> 03:40.780
scanning it and not overdo it.

03:40.780 --> 03:45.220
Over here, scanme.nmap.org.

03:45.220 --> 03:47.235
Let's run the scan and see what

03:47.235 --> 03:48.780
information we're getting back.

03:48.780 --> 03:50.160
As I said, what we want

03:50.160 --> 03:52.314
>> from the scan
is the open ports,

03:52.314 --> 03:53.590
>> the available services

03:53.590 --> 03:57.460
>> and most importantly,
the OS itself.

03:57.460 --> 03:59.275
>> We don't have
this information.

03:59.275 --> 04:01.045
The open ports, I know,

04:01.045 --> 04:03.640
you might say, in a sense,
shouldn't we have gotten

04:03.640 --> 04:06.280
this information, that 80 and 443

04:06.280 --> 04:07.600
>> were open in Cybrary?

04:07.600 --> 04:10.780
>> However, this
is obvious because

04:10.780 --> 04:14.510
>> these are web applications
and web applications

04:14.510 --> 04:16.400
>> tend to use 80 and 443.

04:16.400 --> 04:18.050
However we need to
get more information

04:18.050 --> 04:19.580
about the operating system here.

04:19.580 --> 04:23.695
We get port 22 open,
which is SSH.

04:23.695 --> 04:25.820
This would give us an indication

04:25.820 --> 04:27.485
that it is actually Linux.

04:27.485 --> 04:29.570
The other thing that they do

04:29.570 --> 04:33.214
>> to guess the OS
is TCP sequence.

04:33.214 --> 04:37.240
>> TCP sequence would
actually give nmap

04:37.240 --> 04:43.820
some information that
would help it make

04:43.820 --> 04:47.120
>> an educated guess about
the operating system.

04:47.120 --> 04:49.250
>> Obviously, we got a
number of operating systems.

04:49.250 --> 04:54.505
They're all in the
90s guessing score.

04:54.505 --> 04:59.935
But all of them actually are
Linux operating systems.

04:59.935 --> 05:01.680
That's nmap.

05:01.680 --> 05:03.980
>> This is the information
that we got from nmap.

05:03.980 --> 05:06.800
>> Sometimes you'll get
something like an open FTP port

05:06.800 --> 05:09.469
>> or even a VNC
port that is open.

05:09.469 --> 05:12.500
>> I've seen this before
a VNC port was open.

05:12.500 --> 05:15.230
When you go to your
browser and run

05:15.230 --> 05:20.825
any VNC application
targeting that port,

05:20.825 --> 05:25.925
you get automatic
GUI based connection

05:25.925 --> 05:30.270
to the server hosting
the application.

05:30.770 --> 05:33.650
The next thing is web
applications scanning

05:33.650 --> 05:36.770
and this would give
you hidden links.

05:36.770 --> 05:37.940
It would give you also

05:37.940 --> 05:41.150
>> a few [inaudible]
through an application

05:41.150 --> 05:42.590
>> would give you all
the links available,

05:42.590 --> 05:43.880
all of the services available,

05:43.880 --> 05:46.130
the dependencies available.

05:46.130 --> 05:47.600
You can also look at

05:47.600 --> 05:52.340
>> if they have a portal
for administrators,

05:52.340 --> 05:54.230
>> a portal for employees.

05:54.230 --> 05:58.160
This would be given using
web applications scans.

05:58.160 --> 06:01.670
One of the most
famous applications

06:01.670 --> 06:09.510
scanning tools are
Burp Suite or ZAP,

06:09.510 --> 06:14.260
and these are both proxy
scanning tools.

06:14.260 --> 06:17.428
The other type of
active reconnaissance

06:17.428 --> 06:18.634
>> is not technical.

06:18.634 --> 06:21.110
>> The first one that
is not very popular,

06:21.110 --> 06:23.824
>> however, it can happen
is physical interaction,

06:23.824 --> 06:27.002
>> where an attacker
would actually go

06:27.002 --> 06:28.280
>> and communicate
with the target.

06:28.280 --> 06:31.220
>> Again, the target is
not necessarily a system.

06:31.220 --> 06:34.170
However, they can talk.

06:34.170 --> 06:38.360
He can meet with him or see him

06:38.360 --> 06:43.670
>> or follow him
to a bar or a cafe

06:43.670 --> 06:43.671
>> or something like that,

06:43.671 --> 06:46.189
>> and start
communicating with him.

06:46.189 --> 06:48.370
>> The other thing
is social media.

06:48.370 --> 06:51.965
Again, it's often used as a hub

06:51.965 --> 06:56.910
for active reconnaissance
to where a message on

06:56.910 --> 06:59.540
Facebook or an email
in LinkedIn would be

06:59.540 --> 07:03.200
sent to one of the
target employees

07:03.200 --> 07:06.799
>> or the target
system admin with

07:06.799 --> 07:10.235
>> an interesting information

07:10.235 --> 07:12.424
>> or interesting Garfield
or something like that,

07:12.424 --> 07:14.480
>> that the hacker got during

07:14.480 --> 07:18.485
the passive
reconnaissance phase.

07:18.485 --> 07:22.670
Then more interaction between

07:22.670 --> 07:24.500
the hacker and the target

07:24.500 --> 07:26.884
>> would give the hacker
more information about

07:26.884 --> 07:31.890
>> the targeted system
or the target himself.

07:32.300 --> 07:36.280
We covered reconnaissance,
active and passive.

07:36.280 --> 07:38.485
We have a number of questions.

07:38.485 --> 07:40.330
True or false.

07:40.330 --> 07:42.790
Ping and NSlookup
are examples of

07:42.790 --> 07:44.304
>> passive reconnaissance.

07:44.304 --> 07:46.200
>> Well, NSlookup is but ping

07:46.200 --> 07:47.770
is not because
you're communicating

07:47.770 --> 07:52.904
>> with the name server
or the target server.

07:52.904 --> 07:55.060
>> I've seen a lot
of companies with

07:55.060 --> 07:59.380
good security operations
centers that they actually

07:59.380 --> 08:01.990
monitor ping attacks
and investigate

08:01.990 --> 08:06.100
any malicious or something
that will look malicious,

08:06.100 --> 08:08.695
even if it was just
a ping attack.

08:08.695 --> 08:11.590
However, in NSlookup
what you're doing is

08:11.590 --> 08:14.590
you're querying the DNS.

08:14.590 --> 08:18.190
The second is how can I
determine the OS of the target?

08:18.190 --> 08:21.220
As I said, one way is Nmap,

08:21.220 --> 08:23.200
a lot of vulnerability
scanners would

08:23.200 --> 08:26.150
actually try to predict
the OS as well.

08:26.150 --> 08:29.440
100 percent is not
usually feasible

08:29.440 --> 08:32.930
>> because this
information is hidden.

08:33.659 --> 08:37.154
>> Third, what
would a vulnerability scan

08:37.154 --> 08:38.844
>> add to my targeted attack?

08:38.844 --> 08:41.410
>> As I said, you would get
the vulnerable services,

08:41.410 --> 08:44.170
you would get the open ports,

08:44.170 --> 08:46.750
you would get if
there's a vulnerability

08:46.750 --> 08:49.288
>> in the whole application
or the dependencies

08:49.288 --> 08:52.239
>> that are used by
the application.

08:52.239 --> 08:54.250
>> Finally, how can
an attacker use

08:54.250 --> 08:56.910
social media in active recon?

08:56.910 --> 08:59.060
As I said, he can
use the information

08:59.060 --> 09:02.235
that he gathered during

09:02.235 --> 09:05.510
the passive reconnaissance

09:05.510 --> 09:09.350
>> and create a
targeted campaign

09:09.350 --> 09:13.790
>> a spear phishing
attack on a system admin

09:13.790 --> 09:16.850
>> or an employee and
get his passwords.

09:16.850 --> 09:19.835
>> He can get him to click
a link that would run

09:19.835 --> 09:27.480
something inside of
the target and so on.

09:27.800 --> 09:32.270
In today's lecture
we covered Step 1

09:32.270 --> 09:34.264
>> of the cyber kill
chain reconnaissance.

09:34.264 --> 09:36.170
>> We covered active
reconnaissance

09:36.170 --> 09:36.774
>> and we went through

09:36.774 --> 09:39.214
>> a number of examples
of active recon.

09:39.214 --> 09:40.535
>> In the next video,

09:40.535 --> 09:43.770
we're going to talk
about weaponization.

09:43.770 --> 09:46.740
The phase and
weaponization techniques.

09:46.740 --> 09:48.670
>> See you then.

