I’m back with another blog on how Reconnaissance is carried out in a Red Teaming Engagement.
What is Reconnaissance ?
- The reconnaissance consists of techniques that involve gathering information related to the target actively as well as passively. The gathered information may include details of the victim organisation, infrastructure or staff/personnel.
ATT&CK Matrix for Enterprise
Gather Victim Identity Information
- Adversaries gather information about the victim’s identity that can be used during targeting.
- Information about identities include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.
- Adversaries gather credentials that can be used during targeting.
- Account credentials gathered by adversaries to be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.
The following tools and website allows the attacker to gather leaked credentials
- DeHashed - DeHashed is described as the largest & fastest data breach search engine, its API Key can be used to integrate with other tools like dehashQuery to download breach results as shown below.
python3 dehashed.py -o -d domain.com -a API-KEY -u firstname.lastname@example.org
- We Leak Info - Have your passwords been compromised? Find out by searching through over 12 billion records and 10,000 data breaches.
- IntelligenceX - Intelligence X is a search engine and data archive. Search Tor, I2P, data leaks and the public web by email, domain, IP, CIDR, Bitcoin address and more.
- Have I Been Pwned? - Have I Been Pwned? is a website that allows Internet users to check whether their personal data has been compromised by data breaches.
- Adversaries gather email addresses that can be used during targeting even if internal instances exist, organizations have public-facing email infrastructure and addresses for employees.
The following tools and website allows the attacker to gather email addresses
- Hunter.io - Hunter is the leading solution to find and verify professional email addresses.
- EmailHarvester - A tool to retrieve Domain email addresses from Search Engines.
python3 EmailHarvester.py -d google.com -e all
- Infoga - Infoga is a tool that gathering email accounts informations (ip,hostname,country,…) from different public source (search engines, pgp key servers and shodan).
python3 infoga.py --domain vmware.com --source all
- Skymen - Find email addresses of companies and people.
- Adversaries gather employee names that can be used during targeting.
- Employee names be used to determine email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
The following tools can be used to gather employee names
- linkedin-employee-scraper - Extract all employees from LinkedIn. Especially useful for companies with thousands of pages and employees. Script is run as a userscript, running in e.g. Chromes Tampermonkey or Firefox’s Greasemonkey.
Gather Victim Network Information
- Adversaries gather information about the victim’s networks that can be used during targeting.
- Information about networks include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.
- Information about domains and their properties include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.
The following tool can be used to enumerate domain properties
- AADInternals - AADInternals can gather information about a tenant’s domains using public Microsoft APIs.
# Get login information for a domain Get-AADIntLoginInformation -Domain company.com
- Adversaries gather information about the victim’s DNS that can be used during targeting.
- DNS information include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
The following tools and website allows the attacker to gather DNS information.
- dig - dig is a network administration command-line tool for querying the Domain Name System.
dig google.com -t mx +short #grab mail server information
- host - the host command is a DNS lookup utility, finding the IP address of a domain name.
- dnsenum - dnsenum is a perl script that enumerates DNS information.
dnsenum --no-reverse google.com
- dns-brute-script - Nmap will attempt to enumerate DNS hostnames by brute forcing popular subdomain names.
nmap -T4 -p 53 --script dns-brute google.com
- dnsrecon - Check all NS Records for Zone Transfers. Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT). Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion.
dnsrecon -d google.com
- dnsx - dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
- Adversaries gather the victim’s IP addresses that can be used during targeting.
- Public IP addresses to be allocated to organizations by block, or a range of sequential addresses.
- Information about assigned IP addresses include a variety of details, such as which IP addresses are in use.
- IP addresses also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
The following tools and website allows the attacker to gather IP Addresses.
- NetblockTool - Find netblocks owned by a company
python3 NetblockTool.py -v Google
- Hurricane Electric BGP Toolkit - Hurricane Electric operates the largest Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) transit networks globally, as measured by the count of peering interconnections to other networks.
- SurfaceBrowser - Know the external Internet surface area of any company through a simple web-based interface.
- ipinfo.io - Comprehensive IP address data, IP geolocation API.
Search Open Technical Databases
- Adversaries search freely available technical databases for information about victims that can be used during targeting
- Information about victims available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.
- Adversaries search public WHOIS data for information about victims that can be used during targeting
- WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.
The following tools and website allows the attacker to gather whois information.
- whois - whois is a widely used Internet record listing that contains the details of who owns a domain name and how to get in touch with them.
- ICANN Lookup - The ICANN registration data lookup tool gives you the ability.
- Adversaries search public digital certificate data for information about victims that can be used during targeting.
- Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content.
- These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.
The following website allows the attacker to gather digital certificate information.
- crt.sh - crt.sh is a web interface to a distributed database called the certificate transparency logs.
- Adversaries search content delivery network (CDN) data about victims that can be used during targeting.
- CDNs allow an organization to host content from a distributed, load balanced array of servers.
- CDNs also allow organizations to customize content delivery based on the requestor’s geographical region.
The following tools allows the attacker to gather CDN information.
- findcdn - findCDN is a tool created to help accurately identify what CDN a domain is using.
findcdn list asu.edu -t 7 --double
- Adversaries search freely available websites and/or domains for information about victims that can be used during targeting.
- Information about victims available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.
The following tools and website allows the attacker to gather subdomain information.
- subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.
subfinder -d google.com -all -v
- assetfinder - Find domains and subdomains related to a given domain.
assetfinder --subs-only google.com
- knockknock - A simple reverse whois lookup tool which returns a list of domains owned by people or companies.
knockknock -n google.com -p
- findomain - The complete solution for domain recognition. Supports screenshoting, port scan, HTTP check, data import from other tools, subdomain monitoring, alerts via Discord, Slack and Telegram, multiple API Keys for sources and much more.
findomain -t google.com
- hakrevdns - Small, fast tool for performing reverse DNS lookups en masse.
prips 18.104.22.168/24 | hakrevdns -d
- Amass - In-depth Attack Surface Mapping and Asset Discovery.
amass intel -org 'Sony Corporation of America' #fetch ASN & CIDR IP Range of a Company
amass intel -active -asn 3725 -ip #enumerate subdomains & IP Address from ASN
amass intel -active -asn 3725 #enumerate subdomains only from ASN
amass intel -active -cidr 22.214.171.124/23 #enumerate subdomains from cidr range
amass intel -asn 3725 -whois -d sony.com #enumerate subdomains using asn & whois
amass enum -d sony.com -active -cidr 126.96.36.199/24,188.8.131.52/23 -asn 3725 #enumerate subdomains using cidr & asn
- Google Certificate transparency - this tools allows the user to gather domains & subdomains from SSL Certificate.
python3 googlecertfarm.py -d google.com
- Adversaries execute active reconnaissance scans to gather information that can be used during targeting.
- Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
- Adversaries scan victim IP blocks to gather information that can be used during targeting.
- Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
The following tools allows the attacker to scan IP Blocks information.
- mapcidr - A utility program to perform multiple operations for a given subnet/cidr ranges.
mapcidr -cidr 184.108.40.206/24
- nmap - Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
nmap -v -A scanme.nmap.org #basic scan for detection
- naabu - A fast port scanner written in go with a focus on reliability and simplicity.
naabu -host 220.127.116.11
- massscan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
masscan 18.104.22.168 -p0-65535
- Smap - a drop-in replacement for Nmap powered by shodan.io.
smap -sV ipaddress
- Adversaries scan victims for vulnerabilities that can be used during targeting
- Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
The following tools allows the attacker to perform vulnerability scanning.
- nuclei - Fast and customizable vulnerability scanner based on simple YAML based DSL.
- reNgine - reNgine is a web application reconnaissance suite with focus on highly configurable streamlined recon process via Engines, recon data correlation, continuous monitoring, recon data backed by database and simple yet intuitive User Interface.
- Osmedeus - A Workflow Engine for Offensive Security.
- Sn1per Professional - Discover the attack surface and prioritize risks with our continuous Attack Surface Management (ASM) platform.
Reconnaissance, Tactic TA0043 - Enterprise | MITRE ATT&CK
Red Team Reconnaissance Techniques
Red Team Assessment Phases: Reconnaissance
Red Teaming Toolkit Reconnaissance
Thanks a lot for reading !!!.