Chapter 4 Reconnaissance

Xavier is doing reconnaissance. He is gathering information about a company and its employees by going through their social media content. Xavier is using a tool that pulls information from social media postings that were made using location services. What is the name of this tool?

Echosec

Physical security

Geographical information, entry control systems, employee routines, and vendor traffic

Internet Research Tools

Google Earth:Google Earth is a satellite imagery tool that provides current and historical images of most locations. Images can date back over several decades. Google Maps:Google Maps is a web mapping service that provides a street view of houses, businesses, roadways, and topologies. Webcams:Webcams are online streaming digital cameras that can provide video of places, people, and activity in an area. Echosec:Echosec is a tool that can be used to pull information from social media postings that were made using location services. You can select a location on a map and view all posts that have occurred at that location. These results can be filtered by user, date, or keyword. Maltego:Maltego is an open-source forensics tool that can be used to pull information from social media postings and find relationships between companies, people, email addresses, and other information. Wayback Machine: The Wayback Machine is a nonprofit catalog of old site snapshots. It may contain information that your target thought they had removed from the internet.

Websites

You can research company websites, social media, discussion groups, financial reports, and news articles. If you follow the breadcrumbs, you can find some pretty interesting things about an organization online.

You are in the reconnaissance phase at the XYZ company. You want to use nmap to scan for open ports and use a parameter to scan the 1,000 most common ports. Which nmap command would you use?

nmap -sS xyzcompany.com

Employee social media

Implement policies that restrict the sharing of sensitive company information on an employee's personal social media page. This could include product information, customer or vendor information, employee information, or even pictures of the organization.

Printed materials

Limit the sharing of critical information in press releases, annual reports, product catalogs, or marketing materials.

What's the name of the open-source forensics tool that can be used to pull information from social media postings and find relationships between companies, people, email addresses, and other information?

Maltego

You have found the IP address of a host to be 172.125.68.30. You want to see what other hosts are available on the network. Which of the following nmap commands would you enter to do a ping sweep?

nmap -sn 172.125.68. 1-255

Active information gathering

Active information gathering is a method of directly collecting details about a target. It involves direct engagement with the target, so the chance of detection is higher.

Social networking

After you've located employee names, you can extend your search to LinkedIn, Facebook, Instagram, Twitter or People Search to learn even more information about a company, a vendor, or an employee.

Which of the following information sharing policies addresses the sharing of critical information in press releases, annual reports, product catalogs, and marketing materials?

A printed materials policy

Network Footprinting Tools

Although similar to reconnaissance, footprinting refers more specifically to information that is accidentally shared publicly or that is outdated and has not been properly disposed of. Website and email footprinting can provide details on information flow, operating systems, filenames, and network connections. Depending on the level of security within an organization, it is possible to create a network map without stepping foot into the building. Just as a mailman can find a mailbox using a mailing address, a hacker can find hosts and other objects on a network using DNS network addressing. An IP address can direct you to a network access point such as an email server or a web server. The following table lists several network footprinting tools. Whois: Whois is a utility used to gain information about a target network. It can gather information about ownership, IP addresses, domain name, location, server type, and the date the site was created. The syntax is Whois domain_name. Nslookup: Nslookup is a utility used to query DNS servers to obtain information about the host network, including DNS records and host names. ARIN: ARIN is a website that will provide you with information about a network's name, range, origination dates, and server details.

Which of the following is the difference between an ethical hacker and a criminal hacker?

An ethical hacker has permission to hack a system, and a criminal hacker doesn't have permission.

John, a security specialist, conducted a review of the company's website. He discovered that sensitive company information was publicly available. Which of the following information sharing policies did he discover were being violated?

An internet policy

Employees

Contact names, phone numbers, email addresses, fax numbers, addresses for any individuals associated with the target company

A penetration tester is trying to extract employee information during the reconnaissance phase. What kinds of data is the tester collecting about the employees?

Contact names, phone numbers, email addresses, fax numbers, and addresses

Which of the following services is most targeted during the reconnaissance phase of a hacking attack?

DNS

DNS Countermeasures

DNS is one of the most popular internet services targeted during the reconnaissance phase. It goes without saying that we should harden our servers. Failure to do so could result in far bigger problems than just providing too much information to the outside world. Even the strongest security features are only as good as their implementation, so you'll want to be sure to learn as much as you can about your web server software and verify that you're optimizing your resources to their full potential. After you've set everything up, your work is far from over. Hackers are always working to find new ways to access your system, and you'll want to work just as hard to keep your DNS servers up to date. This means installing patches against known vulnerabilities, cleaning up out-of-date zones, files, users, and groups, and, of course, running your own vulnerability tests. You may also want to consider a split DNS. With the increase in the number of remote access and cloud-based applications, this solution is becoming more common. Using this method, clients accessing the DNS server from the internet receive public IP addresses, and clients inside the company's network receive internal IP addresses. Clients with the internal IP addresses can be granted access to more secure content than the clients with the external IP addresses.

Google Hacking

Despite its name, Google Hacking is legal because all of the results are pulled from public websites. By adding a few operators, you can use the Google search engine to provide filtered information about a specific topic as shown below: info:website - Provides all information about a website. link:website - Lists web pages that contain links to websites. related:website - Displays websites similar to the one listed. index of /keyword - Displays websites where directory browsing has been enabled. intitle:keyword - Shows results in pages that contain the keyword in the title. allinurl:keywords - Shows results in pages that contain all of the listed keywords.

Dumpster diving

Despite our highly technical society, dumpster diving is still an option to consider. Let's be honest; it's not the most glamorous method. But, in some instances, it may be very effective for finding employee names, account numbers, client names, and vendor information.

Which of the following elements of penetration testing includes the use of web surfing, social engineering, dumpster diving, and social networking?

Information gathering techniques

Dan wants to implement reconnaissance countermeasures to help protect his DNS service. Which of the following actions should he take?

Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.

Operations

Intellectual property, critical business functions, and management hierarchy

Vendors

Names, contact information, and account numbers

Whois, Nslookup, and ARIN are all examples of:

Network footprinting tools

Social engineering

Social engineering is an attempt to get to know the employees or the vendors of the company. After-work social gatherings can provide important tidbits of information about an employee and about a company, especially its weaknesses.

Information systems

Operating systems, applications, security policies, and network mapping

Passive information gathering

Passive information gathering is a method of indirectly collecting details about a target. It does not involve direct engagement with the target, so the chance of detection is very low.

Company social media

Provide guidelines regarding the types of posts that are made to the company's social media site.

When a penetration tester starts gathering details about employees, vendors, business processes, and physical security, which phase of testing are they in?

Reconnaissance

Reconnaissance

Reconnaissance is a systematic attempt to locate, gather, identify, and record information about a target.

Internet

Review company websites to see what type of information is being shared about sensitive information. Opt out of archiving sites.

What does the Google Search operator allinurl:keywords do?

Shows results in pages that contain all of the listed keywords.

MinJu, a penetration tester, is testing a client's security. She notices that every Wednesday, a few employees go to a nearby bar for happy hour. She goes to the bar and starts befriending one of the employees with the intention of learning the employee's personal information. Which information gathering technique is MinJu using?

Social engineering

Julie configures two DNS servers, one internal and one external, with authoritative zones for the corpnet.xyz domain. One DNS server directs external clients to an external server. The other DNS server directs internal clients to an internal server. Which of the following DNS countermeasures is she implementing?

Split DNS

Permission and Documentation

The difference between an ethical hacker and a criminal hacker is that the ethical hacker always obtains permission. Before beginning work of any kind, an ethical hacker needs to obtain written documentation granting permission from the customer. They should verify that the agreement specifies the scope of the assessment and any guidelines or limitations that may be in place. As with any technical project, you will need to thoroughly document your findings. Recording information while it's fresh in your mind reduces the potential for errors or missing details.

Iggy, a penetration tester, is conducting a black box penetration test. He wants to do reconnaissance by gathering information about ownership, IP addresses, domain name, locations, and server types. Which of the following tools would be most helpful?

Whois