Dancing with the Firewall – Analyzing Reconnaissance Tactics
Hacker methodologies are multi-step processes taught in every class from GPEN to CISSP. They are important and give meaning to your madness as you put every sploit (short for exploit, which is short in 31337 hacker skillz) in Metasploit in a while loop and point it at the customer’s IP space hoping something sticks. Today we will be analyzing the first step in our hacker methodology, reconnaissance, and the tactics behind the steps you thought you knew.
First, we are going to establish the goal of the reconnaissance phase. Reconnaissance was a word invented by the French in the 19th century before they became the laughing stock of the military world; it originally meant: to recognize the enemy. As always, our goals are directly opposed to the network defenders. The goal of the reconnaissance phase is to gather the information we need to move on to the next step, establishing a foothold. We will collect intelligence from a plethora of sources and examine the defenses of those sources as well as ways to counter those defenses.
Status of Forces
Next, we are going to establish the current status of forces that are opposed against us so we can dredge them for information and target IP space to exploit. If they were kind, they may have provided us with a list of internet-facing servers such as web servers, DNS servers, and mail servers. If they weren’t kind enough to provide us with either, I’m questioning if you actually got a signed customer agreement to conduct a penetration test; maybe you should look into that. In either case, we can assume that any company with a technological footprint is going to have a forward-facing web server, DNS server, and mail server. They will likely have an internal network where sales data, human resources information, and business planning data are stored. During the reconnaissance phase we expand the status of forces list with an emphasis on finding data that can lead us towards gaining a foothold.
Initial Tactical Engagement
In our initial tactical engagement phase we are going to go over 3 separate reconnaissance tactics and paint the picture of our engagement, our adversary’s counter tactics, and how we react to their counter tactics. We will be taking a closer look at ‘whois’ lookups, Google hacking, and active scanning.
At this point, we have enough information to begin our first engagement with our adversary. This is exciting stuff, the sexy hacker things we see in movies; this is where we show the world what we are about. We are going to do our first ‘whois’ lookup of the target domain to find a plethora of information about an adversary including a registered email, phone number, and DNS servers. This may seem trivial, but this is our first engagement with our adversary. We are attempting to gain as much information about our adversary from this lookup and they are trying to hide it and trivialize it. This is a limited engagement with few counter tactics, but the goal of this blog is to get people to view everything they do as a tactical engagement between you and your adversary. In an ideal world we will get detailed information from our ‘whois’ lookup including administrator contacts, technical contacts, fax numbers, emails to spear phish, etc. In the next section we will go over adversary counter tactics to our ‘whois’ lookup.
Next, we will engage our adversary with Google hacking. Google hacking is an exciting step in intelligence recon because it gives us an opportunity to find tons of juicy information that may or may not be useful to our penetration test. We have the opportunity to find pay information about employees, network maps, and everything that a company may store on a potentially unprotected web portal. We will search for exposed password files, administrator pages, and potentially exposed footholds. This engagement targets internet-facing websites and has the potential to give us everything we need to move on to Phase 2, establishing a foothold. In the next section, we will explore how our adversary denies us with the feared and loathed robots.txt file.
Lastly, we are going to actively scan the target IP space that our customer definitely provided to us because we are most assuredly professional penetration testers and not lawless hackers. Ideally in this phase, we are going to directly hit every single end node and find every port open to us. The world is at our fingertips and we are going to fan the hammer on Metasploit, pwn this network, and be done with this assessment 3 weeks early. Nothing can stop us, unless…
Adversary Counter Tactics
No good plan survives contact with the enemy, and reconnaissance is no exception. In this section we will go over the adversary counter tactics that prevent us from smooth sailing to domain administrator and beyond. Many of the following tactics are going to look like standard networking practices. They have become the standard because they are universally exploited during reconnaissance. Ideally, you will think that these counter tactics are obvious but hopefully you will learn a thing or two about how they are subverted along the way.
The counter tactics for the ‘whois’ lookup are simple and elegant. Don’t offer any more information than is absolutely necessary. The most exciting thing a hacker can get his hands on is the administrator’s email address and phone number. This will make the administrator a prime target for phishing calls and emails, and there is nothing a penetration tester likes more than to tell an embarrassing story about phishing an admin during an exit interview. Luckily enough for the network defenders, this can be generic information and is not even necessary. There are separate tactics that can be used to gain this information if penetration testers aren’t lucky enough to find it in a ‘whois’ lookup. If we are looking for email addresses, we can query the mail server and attempt to elicit useful email addresses with the ‘vrfy’ command. If we are attempting to exploit layer 8, we can look at LinkedIn for users posting their company email addresses to the site. Once we have a hit on a single user’s email address, we can spot patterns about the format that may include .@domain.com. Mixing this information with LinkedIn profiles on administrators may yield phish-able targets.
Google hacking a website has a simple, yet elegant defense in the robots.txt file. A single ‘Disallow: /’ can prevent search engines from indexing a specific website. However, if an adversary were to disallow access to only specific, sensitive sections of their website in the file, robots.txt shines a spotlight on a treasure trove of information companies do not want hackers to look at. In addition to using robots.txt for the exact opposite of its intended purpose, we can spider the website ourselves, without a search engine, using tools like Burp Suite. We can then look for the same strings that are in the Google Hacking Database in the index we just created on our own. Robots.txt only prevents good robots from doing bad things and we are not good robots.
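The robots.txt spotlight effect described above can be checked from the defender's side before anyone else reads the file. The following is an added example, not code from the original post; the sample file, the site paths, and the keyword list are constructed assumptions.

```python
import re

# Constructed sample robots.txt for a hypothetical site (not from the original post).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /hr/payroll/
Disallow: /images/
Allow: /

User-agent: BadBot
Disallow: /
"""

# Assumed keyword list; tune it to your own application.
SENSITIVE = re.compile(r"admin|backup|payroll|passw|config|\.sql|\.bak|internal|hr/", re.I)

def parse_robots(text):
    """Return {user_agent: [(directive, path), ...]}, ignoring comments and blank lines."""
    groups, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:  # a User-agent line after rules starts a new group
                agents, in_rules = [], False
            agents.append(value)
            groups.setdefault(value, [])
        elif field in ("allow", "disallow") and agents:
            in_rules = True
            for agent in agents:
                groups[agent].append((field, value))
    return groups

def audit(text):
    """List Disallow paths that advertise sensitive locations to anyone who reads the file."""
    findings = []
    for agent, rules in parse_robots(text).items():
        for directive, path in rules:
            # A blanket "Disallow: /" reveals nothing about the site layout, so skip it.
            if directive == "disallow" and path not in ("", "/") and SENSITIVE.search(path):
                findings.append((agent, path))
    return findings

if __name__ == "__main__":
    for agent, path in audit(SAMPLE_ROBOTS):
        print(f"[{agent}] {path}: protect with authentication, not robots.txt")
```

Every path it reports is one that should sit behind access control, since the file itself is public.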
Active scanning has one mortal enemy, the firewall. A wall of literal fire that burns packets to ash on the network. This device is used to prevent access to sensitive internal network ports. Without a firewall, we would be able to access exploit-ridden ports such as 135 and 445 and gain valuable information about what devices were sitting in the network by probing these usually Windows-only ports. Now that network defenders have come up with cutting-edge technology like the firewall, we are forced to resort to more complex reconnaissance methods. If we are trying to get a count of how many IP addresses are active in the customer’s IP space, we can attempt to do a DNS zone transfer from the adversary’s DNS server using the ‘dig’ command. If we are lucky enough to have access to the border router outside the adversary’s network, we can create a span port that sends a copy of all the traffic to our passive scanner. In a last-ditch effort, we may have to delay active scanning of the internal network until we get a foothold inside the network.
The firewall has many weaknesses, but the most prominent weakness the firewall has is the ‘allow’ vulnerability. It is so promiscuous that some vendors have even labeled it as a ‘feature’. The allow vulnerability lets hackers actively send traffic to and receive traffic back from certain IPs and ports, PREPOSTEROUS! On a serious note, many companies employ a DMZ which has more relaxed firewall rules that we can actively scan. A common counter tactic to the firewall is to exploit services in the DMZ and then scan from the DMZ into the internal network.
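The DMZ point above is something a defender can audit in their own rule set: which internal ports are unreachable from the internet directly but reachable in two hops through the DMZ. This is an added example, not code from the original post; the three zone names, the first-match rule model, and every rule in the list are constructed assumptions.

```python
# Constructed rule set for a hypothetical three-zone network (internet, dmz, internal).
# Assumed model: rules are evaluated top-down, first match wins, implicit default deny.
RULES = [
    # (action, src_zone, dst_zone, port); port None means any port
    ("allow", "internet", "dmz", 80),
    ("allow", "internet", "dmz", 443),
    ("allow", "internet", "dmz", 25),
    ("deny", "internet", "internal", None),
    ("allow", "dmz", "internal", 445),   # e.g. a web server mounting a file share
    ("allow", "dmz", "internal", 1433),  # e.g. a web server talking to its database
    ("deny", "dmz", "internal", None),
]
HIGH_RISK = {135, 445}  # the Windows ports the post calls out

def permitted(rules, src, dst, port):
    """Apply first-match semantics; traffic matching no rule is denied."""
    for action, r_src, r_dst, r_port in rules:
        if r_src == src and r_dst == dst and r_port in (None, port):
            return action == "allow"
    return False

def reachable_ports(rules, src, dst):
    """Check every port named in the rules, plus the high-risk ports, for src -> dst."""
    candidates = sorted({p for _, _, _, p in rules if p is not None} | HIGH_RISK)
    return [p for p in candidates if permitted(rules, src, dst, p)]

def pivot_exposure(rules):
    """Compare direct internet -> internal reach with reach via a DMZ host."""
    entry = reachable_ports(rules, "internet", "dmz")
    onward = reachable_ports(rules, "dmz", "internal") if entry else []
    return {
        "direct_internal": reachable_ports(rules, "internet", "internal"),
        "dmz_entry": entry,
        "via_dmz": onward,
        "high_risk_via_dmz": [p for p in onward if p in HIGH_RISK],
    }

if __name__ == "__main__":
    for name, ports in pivot_exposure(RULES).items():
        print(f"{name}: {ports}")
```

An empty `direct_internal` list next to a non-empty `high_risk_via_dmz` list marks the DMZ-to-internal rules to tighten, for example by restricting them to specific source and destination hosts.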
The end state of our reconnaissance phase will leave us with the information we will use in our phase debrief. Did we achieve our goal? Do we have enough information to begin establishing a foothold on the adversary’s network? During the debrief we will establish what tactics worked against an adversary and what went wrong with the tactics that did not. We will answer questions on whether operators need additional training or tools to conduct reconnaissance. We will answer questions on how the adversary is defending against us. In the debrief we may find that we do not have enough data to begin phase 2 and that additional reconnaissance is needed.
Pro-tip, if you find that you are stumped and unable to move on to phase 2, do not hesitate to congratulate the customer on their win and have them set you up with the reconnaissance information you need to move on to phase 2. Nothing is worse than facing a customer with 4 weeks of reconnaissance work and leaving them with dozens of internal network vulnerabilities that could have been addressed after exhausting all of your tricks in the first week. There are many goals to exploiting a network but the end goal for a penetration test is to always leave your customer with an accurate view of their network security posture.