Cyber Attack Cycle
What is Reconnaissance?
- the process of gathering information about a target
- the best path to the target is identified
- the gathered information is studied to plan the attack
- the focus should be on vulnerabilities that can be exploited with the least amount of effort
Crunch
- used to create wordlists for brute-force attacks
- has options to set the minimum and maximum length and the character set
- has an option to build candidates from a template (fixed characters plus placeholder positions)
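The two Crunch options above, as an added example written for this page rather than Crunch's own code: a generator that expands a template in which placeholder characters stand for a character class, plus a plain min/max-length keyspace walk. The placeholder mapping (@ lowercase, , uppercase, % digits, ^ symbols) follows Crunch's -t option; the backslash escape and the keyspace helper are assumptions made for illustration.

```python
import itertools
import string
from typing import Iterator, List

# Placeholder classes in the style of crunch's -t template option.
TEMPLATE_CLASSES = {
    "@": string.ascii_lowercase,   # one lowercase letter
    ",": string.ascii_uppercase,   # one uppercase letter
    "%": string.digits,            # one digit
    "^": string.punctuation,       # one symbol
}


def _slots(template: str) -> List[str]:
    """Turn a template into a list of per-position alphabets.

    A backslash escapes the next character so it is taken literally
    (assumption made for this example, not a crunch feature).
    """
    slots: List[str] = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "\\" and i + 1 < len(template):
            slots.append(template[i + 1])
            i += 2
            continue
        slots.append(TEMPLATE_CLASSES.get(ch, ch))
        i += 1
    return slots


def expand_template(template: str) -> Iterator[str]:
    """Yield every candidate matching the template, e.g. 'Pass%%' -> Pass00..Pass99."""
    for combo in itertools.product(*_slots(template)):
        yield "".join(combo)


def template_keyspace(template: str) -> int:
    """Number of candidates a template expands to (product of class sizes)."""
    size = 1
    for alphabet in _slots(template):
        size *= len(alphabet)
    return size


def expand_range(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """Plain keyspace walk: every string of length min_len..max_len over charset."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def range_keyspace(min_len: int, max_len: int, charset: str) -> int:
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    # Check the keyspace before writing the list: a seasonal pattern such as
    # ',@@@@@%%%%' is a few million candidates, a full 8-char range is not.
    print(template_keyspace(",@@@@@%%%%"), "candidates for ',@@@@@%%%%'")
    print(range_keyspace(1, 8, string.ascii_lowercase + string.digits), "candidates for 1-8 chars [a-z0-9]")
    for word in itertools.islice(expand_template("Pass%%"), 3):
        print(word)
```

Computing the keyspace first is the practical check: a wordlist is only useful if the target's lockout policy and the cracking rate let you get through it.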
Secondary Delivery Goal
avoid detection and blocking by the victim, and avoid exposing information that could be traced back to the attacker
Wordlist Generation
can be downloaded or generated using tools
Delivery Technique Examples
physical access, social engineering, direct communication, malware
Google Advanced search - filetype:
search for a specific file type
Google Advanced search - site:
search in a specific website
Google Advanced search - inurl:
search in the URL
Google Advanced search - intext:
search in the page's text
Google Advanced search - intitle:
search in the page's title
Web App Attack Requirements
specific web app analysis is required
Primary Delivery Goal
successfully transmit a malicious payload from the attacker's machine to the victim's machine
Password Attack Requirements
wordlist generation is required
Google Dorking
- Google Hacking Database (GHDB)
- a public database of search queries ("dorks") that surface exposed files, misconfigured systems, and sensitive information
- the same search operators can be used to find vulnerabilities and collect information about a target
Hydra
- a common and powerful tool for online brute-force and dictionary attacks against login services
- supports attacks against SSH, FTP, HTTP forms, and many other protocols
- run from the command line (hydra) or a GUI (xhydra)
Social Media
- a great source of information on various targets
- people will often carelessly publish sensitive information
- images, posts, locations, friends, colleagues, and relatives can all be found on it
Search Engines
- a type of passive reconnaissance
- a great source of publicly available information
- advanced search operators can yield useful information
WHOis
- can provide useful information about domain names
- presents administrative and technical information such as the registrar, registration dates, name servers, and contact details
- many registrars now redact contact details through privacy services, so the output may be partial
Robots.txt
- found on most websites, at the root of the site (/robots.txt)
- made for web crawlers to know which paths they may and may not crawl
- it is advisory only, so the paths it lists to exclude can reveal restricted areas of a server to an attacker
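The reconnaissance use of robots.txt described above, as an added example that is not part of the original notes: a small parser that groups Disallow rules by user-agent and collects the paths a site asked crawlers to stay away from. The robots.txt content is constructed for the example; the host name and paths are placeholders.

```python
from typing import Dict, List

# Constructed sample robots.txt; nothing here refers to a real site.
SAMPLE_ROBOTS = """\
# Robots exclusion file for example.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/
Allow: /public/
Sitemap: https://example.com/sitemap.xml

User-agent: Googlebot
User-agent: Bingbot
Disallow: /internal-reports/   # inline comment should be ignored
"""


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return {user-agent: [disallowed paths]}.

    Consecutive User-agent lines form one group and share the rules that
    follow them; a User-agent line after a rule line starts a new group.
    """
    groups: List[tuple] = []   # [(agents, disallows), ...]
    collecting_agents = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not collecting_agents:
                groups.append(([], []))
                collecting_agents = True
            groups[-1][0].append(value)
        else:
            collecting_agents = False
            if field == "disallow" and value and groups:
                groups[-1][1].append(value)
    result: Dict[str, List[str]] = {}
    for agents, disallows in groups:
        for agent in agents:
            result.setdefault(agent, []).extend(disallows)
    return result


def hidden_paths(text: str) -> List[str]:
    """All Disallow paths across every user-agent, deduplicated and sorted.

    These are exactly the locations an attacker would queue for a closer
    look, since the site's owner chose to keep them out of search results.
    """
    paths = set()
    for disallows in parse_robots(text).values():
        paths.update(disallows)
    return sorted(paths)


if __name__ == "__main__":
    for agent, rules in parse_robots(SAMPLE_ROBOTS).items():
        print(f"{agent}: {rules}")
    print("paths to inspect:", hidden_paths(SAMPLE_ROBOTS))
```

Fetching the file for a real target is a single HTTP GET of /robots.txt; note that it is a plain request to the target and therefore counts as active, not passive, reconnaissance.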
Delivery Basics
- getting the malicious object to the victim's machine
- detection and protection systems need to be bypassed
- the method must be chosen carefully, based on information gathered during reconnaissance
Exploitation Basics
- takes place after successful delivery
- involves active hacker participation
- an exploitable vulnerability must exist
- includes steps taken to avoid detection
Cywar Platform
- on-demand, self-paced learning environment
- provides hands-on, scenario-based challenges that are updated in real time
- keeps track of account performance
Nmap and Zenmap
- open-source network scanners: Nmap is used from the CLI, Zenmap is its GUI front end
- discover hosts and scan for open ports and services on a device
- both generate a lot of network traffic and can be detected by IDS/IPS, so they are active reconnaissance
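To make the "can be detected" point concrete, here is an added example (not Nmap code) of the simplest scan type, a TCP connect scan equivalent to `nmap -sT`: it completes the full three-way handshake on every probed port, so each probe shows up in the target's connection logs. The demo spins up a listener on loopback as a constructed target; the host, port list and timeout are assumptions for the example.

```python
import socket
from typing import Dict, Iterable, List


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Return the ports on host that accept a full TCP connection.

    connect() completes the three-way handshake, so unlike a SYN (half-open)
    scan every probe is a real connection that the target can log.
    """
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except OSError:          # refused, timed out, unreachable
                continue
            open_ports.append(port)  # handshake succeeded: port is open
    return open_ports


def demo() -> Dict[str, object]:
    """Scan a constructed target: one listening socket on loopback.

    Returns the port that was listening, a port known to be closed, and the
    scan result, so the caller can check both outcomes.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Grab and immediately release a second port so we have a closed one.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        found = tcp_connect_scan("127.0.0.1", [closed_port, open_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found}


if __name__ == "__main__":
    result = demo()
    print(f"listening on {result['open_port']}, scan reported {result['found']}")
```

A host-based detection for this behaviour is equally simple: many short-lived connections from one source to consecutive ports within seconds, most of them refused.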
Wayback Machine
- presents archived old versions of websites
- in some cases, old versions of websites included sensitive information
- can be used to view information that has since been removed
EternalBlue
- remote code execution exploit
- developed by the National Security Agency (NSA)
- leaked by the hacker group "Shadow Brokers" in 2017
- exploits a vulnerability in Microsoft's SMBv1 protocol (patched in MS17-010)
Choosing a Weapon
- should be based on the attack vector
- always prepare more than one weapon
- each type of cyber attack requires different weapons
Weaponization Basics
- technically preparing for an attack
- tuning, modifying, and creating tools
- information gathered during reconnaissance guides the choice of methods and tools
- accurate weaponization is a key to success
Cyber Kill Chain
A systematic outline of the steps of a cyber attack, describing how a successful attack is achieved: Reconnaissance > Weaponization > Delivery > Exploitation > Installation > Command & Control > Actions on Objectives
Hosts
Accounts, groups, OS, architecture (e.g., x86), ports
Common Search Engines
Bing, Yahoo, Google, DuckDuckGo
Password Cracking
Brute-force attacks (trying every combination in a keyspace) and dictionary attacks (trying candidates from a wordlist) are two of the most commonly used techniques
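The two techniques side by side, as an added example not taken from the notes: an offline dictionary attack and an exhaustive brute force against an unsalted SHA-256 hash. The wordlist, target passwords and character set are constructed for the example; the same loop structure is what tools like Hydra run online against a login service, where the lockout policy rather than hash speed limits the attempt rate.

```python
import hashlib
import itertools
import string
from typing import Callable, Iterable, Optional

HashFn = Callable[[str], str]


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash: the worst case for the defender, best for the attacker."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target: str, wordlist: Iterable[str], hash_fn: HashFn = sha256_hex) -> Optional[str]:
    """Hash each wordlist entry and compare; returns the password or None."""
    for word in wordlist:
        if hash_fn(word) == target:
            return word
    return None


def brute_force(target: str, charset: str, max_len: int, hash_fn: HashFn = sha256_hex) -> Optional[str]:
    """Walk the whole keyspace up to max_len, shortest candidates first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if hash_fn(candidate) == target:
                return candidate
    return None


def keyspace(charset: str, max_len: int) -> int:
    """How many candidates brute_force() tries in the worst case."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


# Constructed wordlist; real lists (leaked-password dumps) run to millions of entries.
SAMPLE_WORDLIST = ["password", "letmein", "Summer2024", "qwerty", "admin123"]


if __name__ == "__main__":
    leaked = sha256_hex("letmein")                 # hash recovered from a target, per the scenario
    print("dictionary hit:", dictionary_attack(leaked, SAMPLE_WORDLIST))

    charset = string.ascii_lowercase + string.digits
    short = sha256_hex("ab1")                      # short password, not in any wordlist
    print("brute-force hit:", brute_force(short, charset, 3),
          "after at most", keyspace(charset, 3), "candidates")
```

The keyspace() figure explains why a dictionary attack runs first: a three-character [a-z0-9] password is under 50,000 hashes, but every extra character multiplies that by 36, so beyond a handful of characters only wordlists and rules remain practical.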
Passive Reconnaissance Methods
Gathering information without the target's knowledge, i.e., without sending traffic to the target's own systems
Personal
ID, phone #, address, relatives, hobbies
Networks
IP addresses, subnets, network topologies
Security Policies
Password requirements, physical security, firewall rules, IDS, IPS
Significant Information
any type of information that can be useful in the attack process, even information that may seem insignificant at first
DDoS Attack Requirements
a large amount of traffic generation is required
Adversary-Controlled Delivery
the attacker delivers the payload by breaking into the system directly, using various methods, rather than waiting for the victim to act
Active Reconnaissance Method
higher risk of target awareness due to directly interacting with the target or its infrastructure
Time Investment
information gathering is a long term activity, and time for it should not be limited
Password cracking method
the most effective way to gain access to a system that is susceptible to brute-force attacks, i.e., one with weak passwords and no lockout or rate limiting
Adversary Released Delivery
the malware is delivered to the victim via methods such as email, USB drive, and downloadable content