Red Teaming — Part 02

Chamindu Pushpika
4 min read · Sep 3, 2023

External Reconnaissance

If your engagement is not being kicked off via an “assume breach” methodology and you need to gain initial entry into the target network yourselves, some external reconnaissance will be required. The reconnaissance phase is vital as it provides information that will be leveraged to exploit the target or gain access to data.

There are two main facets of recon:

  1. Organizational
  2. Technical

Organizational

During “organizational” recon, you’re focused on collecting information about the organization. This can include the people who work there (names, jobs and skills), the organizational structure, site locations and business relationships.

Technical

During “technical” recon, you’re looking for systems such as public-facing websites, mail servers, remote access solutions, and any vendors or products in use, particularly defensive ones — web proxies, email gateways, firewalls, antivirus etc.

Gathering either type of information can be done “passively” or “actively”.

  • Passive — Passive collection relies on 3rd party sources such as Google, LinkedIn, Shodan and social media — where you are not actively touching parts of the target network.
  • Active — Active, as it sounds, is directly touching those components which could be as simple as visiting the target’s website, or port scanning their IP ranges. Active recon is inherently riskier than passive, as it provides an organization with their first potential indication that they’re being looked at.

Whilst conducting active recon, consider doing so via a proxy or VPN service to not expose your public IP address.

DNS Records

Domain Name System (DNS) records can provide a wealth of information regarding services that may be exposed to the Internet, but here there be dragons.

Because the lab has no outbound Internet access, you must use your own Kali VM if you want to follow along with these steps. They are optional, so feel free not to.

$ dig cyberbotic.io +short
104.21.90.222
172.67.205.143

Performing a whois lookup on each public IP address shows who it belongs to. Here we can see that the domain resolves to addresses owned by a 3rd party provider, Cloudflare.

$ whois 104.21.90.222

OrgName: Cloudflare, Inc.
OrgId: CLOUD14
Address: 101 Townsend Street
City: San Francisco
StateProv: CA
PostalCode: 94107
Country: US
RegDate: 2010-07-09
Updated: 2021-01-11
Ref: https://rdap.arin.net/registry/entity/CLOUD14

When we browse to cyberbotic.io, we are actually being sent to Cloudflare, which proxies the traffic between us and the web server. The issue is that we don’t know whether the web server is hosted on the target organization’s own premises or in another 3rd party cloud service.

You must confirm this with the client — providers such as Amazon and Azure have specific rules and/or require explicit permission before you are able to carry out any security assessment against systems hosted on, or performed from, their infrastructure.

You may also come across IP addresses that belong to Internet Service Providers (ISPs), as some organizations rent their public address space.
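The scoping step above (resolve the domain, run whois on each address, and stop to confirm with the client when a third party owns the netblock) can be turned into a small triage script. The following is an added example written for this post, not the author's code and not any tool from the post: it parses `dig +short` and ARIN-style whois text supplied as constructed strings so it runs offline, and the function names (`parse_dig_short`, `parse_whois`, `classify_owner`, `scope_report`) and the provider pattern table are assumptions of the example.

```python
"""Triage dig/whois output to flag hosts operated by a third party.

Added example, not from the original post. Feed it captured dig/whois
output from your own engagement; the strings below are constructed to
match the shape of the output shown above.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample output: the two addresses from the dig run above.
DIG_OUTPUT = """\
104.21.90.222
172.67.205.143
"""

# Constructed whois excerpt using the fields shown in the post; both
# addresses map to the same record here for brevity.
WHOIS_OUTPUT = """\
OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA
Country:        US
"""
WHOIS_BY_IP = {"104.21.90.222": WHOIS_OUTPUT, "172.67.205.143": WHOIS_OUTPUT}

# Providers the post names as needing confirmation/permission before testing.
# (Assumed pattern table; extend it for your own engagement.)
THIRD_PARTY_PATTERNS = {
    "Cloudflare": r"cloudflare",
    "Amazon/AWS": r"amazon|\baws\b",
    "Microsoft/Azure": r"microsoft|azure",
}


def parse_dig_short(output: str) -> dict[str, list[str]]:
    """Split `dig +short` output into CNAME targets and IP addresses."""
    names, addresses = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addresses.append(str(ipaddress.ip_address(line)))
        except ValueError:
            # Not an address, so dig printed a CNAME target (trailing dot).
            names.append(line.rstrip("."))
    return {"cnames": names, "addresses": addresses}


def parse_whois(output: str) -> dict[str, str]:
    """Turn 'Key:   value' lines into a dict; a repeated key keeps the last value."""
    record: dict[str, str] = {}
    for line in output.splitlines():
        match = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if match:
            record[match.group(1)] = match.group(2).strip()
    return record


def classify_owner(record: dict[str, str]) -> str | None:
    """Name the third-party provider that owns the address, or None."""
    owner = " ".join(record.get(k, "") for k in ("OrgName", "NetName", "Organization"))
    for provider, pattern in THIRD_PARTY_PATTERNS.items():
        if re.search(pattern, owner, re.IGNORECASE):
            return provider
    return None


def scope_report(domain: str, dig_output: str, whois_by_ip: dict[str, str]) -> list[str]:
    """One line per resolved address stating what must be confirmed before testing."""
    resolved = parse_dig_short(dig_output)
    lines = []
    if resolved["cnames"]:
        lines.append(f"{domain} is an alias for {', '.join(resolved['cnames'])}")
    for ip in resolved["addresses"]:
        record = parse_whois(whois_by_ip.get(ip, ""))
        provider = classify_owner(record)
        if provider:
            lines.append(f"{ip}: {provider} - confirm hosting and authorisation with the client before testing")
        else:
            lines.append(f"{ip}: owner {record.get('OrgName', 'unknown')} - verify the range is in scope")
    return lines


if __name__ == "__main__":
    for line in scope_report("cyberbotic.io", DIG_OUTPUT, WHOIS_BY_IP):
        print(line)
```

An address whose owner matches none of the patterns (an ISP renting space to the target, for instance) is still reported so that the range is explicitly checked against the scope document rather than assumed.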

Some Software as a Service (SaaS) offerings require DNS records on the target domain in order to point towards those services. A notable example is Microsoft’s Office 365, which can be found at autodiscover.target-domain. If the target uses these SaaS services for email and/or document storage etc., it may be possible to reach your objective without ever needing to compromise their network.

Subdomains can also provide insight into other publicly available services, which could include webmail, remote access solutions such as Citrix, or a VPN. Tools such as dnscan come with lists of popular subdomains.

Weak email security (SPF, DMARC and DKIM) may allow us to spoof emails to appear as though they’re coming from their own domain. Spoofcheck is a Python tool that can verify the email security of a given domain.

$ ./spoofcheck.py cyberbotic.io
[+] cyberbotic.io has no SPF record!
[*] No DMARC record found. Looking for organizational record
[+] No organizational DMARC record
[+] Spoofing possible for cyberbotic.io!
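The checks spoofcheck performs (is there an SPF record, what does its `all` mechanism say, is there a DMARC record at the domain or its organizational domain, and is the policy actually enforcing) are worth understanding in detail, since they are the same checks a defender runs to verify their own domain. The script below is an added example written for this post, not spoofcheck itself and not the author's code: it evaluates TXT records supplied as constructed zone dictionaries so it runs offline, the function names (`parse_dmarc`, `evaluate_spf`, `evaluate_dmarc`, `assess_domain`) are assumptions, and the organizational-domain fallback is approximated as the last two labels rather than a Public Suffix List lookup.

```python
"""Offline SPF/DMARC posture check over TXT records supplied as input.

Added example (not the spoofcheck tool from the post). The zones below are
constructed for illustration; replace them with the TXT records your
resolver returns for a real domain.
"""
from __future__ import annotations

# Constructed sample zones: name -> list of TXT strings found at that name.
WEAK_ZONE = {
    "cyberbotic.io": [],            # no SPF, mirroring the post's output
    "_dmarc.cyberbotic.io": [],     # no DMARC record either
}
HARDENED_ZONE = {
    "example.org": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag dictionary."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(txt_records: list[str]) -> tuple[bool, list[str]]:
    """Return (spf_is_strong, findings) for the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return False, ["no SPF record"]
    if len(spf) > 1:
        return False, ["multiple SPF records (receivers treat this as a permanent error)"]
    terms = spf[0].split()
    # The 'all' mechanism decides unlisted senders; if absent the result is
    # neutral, equivalent to ?all (a redirect= modifier is not followed here).
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), "?all")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "-":
        return True, []
    if qualifier == "~":
        return False, ["SPF ends in ~all (softfail): unlisted senders are accepted but marked"]
    return False, [f"SPF ends in {all_term}: unlisted senders are not rejected"]


def evaluate_dmarc(zone: dict[str, list[str]], domain: str) -> tuple[bool, list[str]]:
    """Return (dmarc_is_enforcing, findings), falling back to the organizational
    domain, approximated as the last two labels (use the Public Suffix List
    for real work)."""
    findings: list[str] = []
    candidates = [domain, ".".join(domain.split(".")[-2:])]
    records: list[str] = []
    for name in dict.fromkeys(candidates):  # de-duplicate while keeping order
        records = [r for r in zone.get(f"_dmarc.{name}", []) if r.upper().startswith("V=DMARC1")]
        if records:
            break
    if not records:
        return False, ["no DMARC record (neither domain nor organizational)"]
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct") or 100)
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, never rejected")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: failures go to spam rather than being rejected")
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so abuse goes unnoticed")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return enforcing, findings


def assess_domain(zone: dict[str, list[str]], domain: str) -> dict:
    """Combine both checks; spoofing is considered possible unless SPF is strict
    AND DMARC enforces, because SPF alone does not protect the visible From: header."""
    spf_strong, spf_findings = evaluate_spf(zone.get(domain, []))
    dmarc_enforcing, dmarc_findings = evaluate_dmarc(zone, domain)
    return {
        "domain": domain,
        "spf_strong": spf_strong,
        "dmarc_enforcing": dmarc_enforcing,
        "spoofable": not (spf_strong and dmarc_enforcing),
        "findings": spf_findings + dmarc_findings,
    }


if __name__ == "__main__":
    for zone, domain in ((WEAK_ZONE, "cyberbotic.io"), (HARDENED_ZONE, "example.org")):
        result = assess_domain(zone, domain)
        verdict = "[+] Spoofing possible" if result["spoofable"] else "[-] Spoofing unlikely"
        print(f"{verdict} for {domain}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The hardened zone shows the configuration the post's weaknesses map to: a single SPF record ending in `-all`, and a DMARC record with `p=reject`, full `pct`, and an `rua` address so that failures are both rejected and reported.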

Social Media

For several years, social engineering and phishing have been the most prolific methods for gaining access to a target environment. To prepare your own campaign, sites such as LinkedIn are a goldmine of information because people expose a lot of professional (and sometimes personal) information about themselves.

We love to demonstrate how good we are at Task X or managing Product Y — and this information is not only useful for knowing what products are being used, but also for generating your pretext. The pretext is the “story” behind why we want our target to open our email and carry out the desired actions.

The pretext can be rather generic and sent to multiple targets or targeted to an individual or small group. Tailoring the pretext to something a user will either relate to or have an interest in, will give us a better chance of success. And there are also emotional characteristics that will statistically result in higher user engagement — in particular, fear, urgency, greed and curiosity.

Two examples could be:

  • Human Resources — URGENT: Grievance filed against …
  • Accounts Payable — FINAL NOTICE: Invoice 1234 not paid

The following “Google Dork” can be used to quickly scrape LinkedIn for employees of a particular organisation: site:"linkedin.com" ""

Some of the more interesting information you can glean from a LinkedIn profile includes names, current and previous job roles, location (on-site or remote), contact info (websites, social media, email addresses), previous experiences, education, qualifications, certifications, personal interests and 1st, 2nd and 3rd-degree connections.

EXERCISE

Conduct some additional external reconnaissance against the lab targets at https://cyberbotic.io and see if you can find any information that would be useful in a phishing campaign.

Chamindu Pushpika

Network/WebApp Pentester | CTF Player | Security Analyst