Intelligence gathering is performing reconnaissance against a target to gather as much information as possible for use during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more attack vectors you may be able to use later.
Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. OSINT takes 3 forms: passive, semi-passive and active:
- Passive information gathering: this can be used as the very first step of footprinting, or whenever we want to gather information about the target while being 100% sure that the target cannot identify us. That information is generally stored or archived by third-party organizations and may be limited, incorrect or out of date.
- Semi-passive information gathering: the goal here is to profile the target with methods that look like normal internet traffic and behaviour. We query only the published name servers for information; we do not perform in-depth reverse lookups or brute-force DNS requests, and we do not search for servers or directories that are not public. We do not run network-level port scans or crawlers, and we only look at metadata in published documents and files, without actively seeking hidden content. The key is not to draw attention to our activities. The target may later discover the reconnaissance activity, but should not be able to attribute it back to anyone.
- Active information gathering: active information gathering should be expected to be detected by the target as suspicious or malicious behaviour. During this stage we actively map the network infrastructure (IP range scans, port scanning, vulnerability enumeration, and so on).
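The active stage above (and the port scanning technique listed further down the page) is the one a target can detect. As an added illustration from the defender's side, not code from the original post, here is a small Python detector that reads constructed iptables-style log lines and flags any source that touches at least `min_ports` distinct (destination, protocol, port) targets within a sliding time window; the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style syslog lines (not from any real system): one source
# sweeps six ports on one host within a few seconds, another talks only to 443.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44001 DPT=21
Mar  3 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44002 DPT=22
Mar  3 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44003 DPT=23
Mar  3 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44004 DPT=25
Mar  3 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44005 DPT=80
Mar  3 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44006 DPT=443
Mar  3 10:00:05 fw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=443
Mar  3 10:00:15 fw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=443
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")

def parse_events(log_text):
    """Return (timestamp, src, dst, proto, dport) tuples; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; strptime's default is fine for windowing
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events

def detect_port_scans(log_text, window_seconds=60, min_ports=5):
    """Map each source to the most distinct (dst, proto, port) targets it hit inside any
    window_seconds-long window; only sources reaching min_ports are reported."""
    by_src = defaultdict(list)
    for ev in parse_events(log_text):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological; each event opens a candidate window
        best = 0
        for i, (t0, *_) in enumerate(evs):
            inside = [e[2:] for e in evs[i:] if (e[0] - t0).total_seconds() <= window_seconds]
            best = max(best, len(set(inside)))
        if best >= min_ports:
            alerts[src] = best
    return alerts
```

Tune `window_seconds` and `min_ports` to the traffic you normally see; a single host touching many ports of one server in seconds is the classic signature of the active stage, while the semi-passive stage leaves nothing in these logs at all.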
EDGAR: the Electronic Data Gathering, Analysis and Retrieval system is a database of the U.S. Securities and Exchange Commission (SEC) that can be used to retrieve the financial status of a company, the names and addresses of key personnel, legal proceedings against the company and other potentially interesting information.
Social Network (SocNet) Profile: social networks provide a lot of information about the target: names, photos, relationships, and habits such as the dates, times and frequency of computer use. They can also be used to build a psychological profile of the target and to discover the person's interests, likes and dislikes, websites visited and so on. Another important element is the geolocation provided by services/websites like Bing Map Apps, Facebook, Foursquare, Google Latitude, Gowalla and Twitter.
Email address: an email address can be used to communicate with the target, to send spam or malware, to perform phishing and so on. Email addresses can be searched for and extracted from various websites, groups, blogs, forums and social networks. A target may use the same or similar nicknames across multiple services, so it is easy to widen the research from the first result.
Mobile footprint: phone number, mobile service operator, OS, installed apps, used browser.
Covert Gathering:
On-location gathering:
- Physical security inspections
- Wireless scanning / RF frequency scanning
- Employee behaviour training inspection
- Accessible/adjacent facilities (shared spaces)
- Dumpster diving
- Types of equipment in use
Offsite gathering:
- Data center locations
- Network provisioning/provider
Footprinting (external information gathering):
Passive reconnaissance: WHOIS lookup
Active footprinting:
- ICANN: http://www.icann.org
- IANA: http://www.iana.com
- NRO: http://www.nro.net
- AFRINIC: http://www.afrinic.net
- APNIC: http://www.apnic.net
- ARIN: http://ws.arin.net
- LACNIC: http://www.lacnic.net
- RIPE: http://www.ripe.net
- INTERNIC: http://www.internic.net
Identify protection systems:
- port scanning: lets us see which TCP or UDP ports are open and map the network. The best port scanner available nowadays is Nmap (http://nmap.org/).
- banner grabbing: lets us discover service versions, the OS and the running services. Tools commonly used for banner grabbing are Telnet, Netcat (http://netcat.sourceforge.net/) and Nmap (http://nmap.org/).
- SNMP sweeps: they can offer a lot of information about a specific system. The SNMP protocol is stateless and datagram oriented.
- SMTP bounce back: lets the attacker learn about the victim's SMTP server by exploiting the Non-Delivery Notification it returns.
- Reverse DNS lookup: resolves one or more IP addresses to hostnames, provided a PTR (reverse) DNS record exists.
- DNS enumeration: performs an in-depth scan of a DNS zone to see whether a DNS zone transfer is possible, or to discover hostnames that are not commonly known.
- Web application discovery: scans a target for web application vulnerabilities. Note that vulnerabilities are often located not in the web application itself but in its plugins.
- Packet filters
- Traffic Shaping Devices
- DLP Systems
- Encryption / Tunneling
- Host based protections
  - Stack / Heap protections
  - Application whitelisting
- Identify application protections
  - Encoding options
  - Potential bypass avenues
  - Whitelisted pages
- Storage protections
  - HBA - Host level
  - LUN Masking
  - Storage controller
  - iSCSI CHAP Secret
- User Protections
  - AV/Spam filtering software
Watch the presentation "Osint Beyond The Basics" by Rick Hayes and Karthik Rangarajan at DerbyCon 2011 (video embedded in the original post).
4:15 AM
Fabio