
A Hacker's Reconnaissance Report
Sample Report

Philip Maher
Philip.Maher@gcicom.net

www.gcicom.net

Contents
1 Executive Summary (p. 3)
2 Risk & Impact Summary (p. 4)
3 Advanced Domain & Website Information Gathering (p. 5)
4 DNS (p. 7)
5 Passive Reconnaissance (p. 10)
6 Website Social Engineering (p. 11)
7 Social Media Reconnaissance (p. 12)
8 Dark Web Filtering (p. 13)

2
gcicom.net
1 Executive Summary
Introduction

Reconnaissance is the technique attackers use to gather information about a target. It is split into two
types, passive and active.

Active reconnaissance is when the hacker actively engages with your network or employees through techniques
such as vulnerability scanning, social engineering and probing your network. In most cases the success of active
reconnaissance depends on good passive reconnaissance. A hacker will often spend a large amount of time on
reconnaissance, and good reconnaissance gives a greater chance of exploiting your network and/or users.

Passive reconnaissance is when an attacker gains information about a company or a member of staff from publicly
available sources, without making contact with your network or a member of staff.

This report will identify any hidden or publicly available company or employee information on the internet or the
dark web that would give an attacker the advantage in crafting informed attack vectors against your organisation.
Attackers could use the information found to craft social engineering campaigns, targeting your employees through
phishing emails, attempting to acquire personal information, or to aid any attempt to breach your network.

A high-level summary of the tasks we have carried out is as follows:

• Advanced domain and website information gathering, highlighting how attackers would select an attack vector,
e.g. website certificate, DNS admin, hosting provider or encryption used
• Review public DNS records for information useful to an attacker; ensure DNS zone transfer is refused and any
other email security layers within your external DNS are secure
• Passive reconnaissance techniques to obtain sensitive company information on the open web
• Social media reconnaissance via Facebook/Instagram/Twitter/LinkedIn to identify whether your social media
presence is giving away any information beneficial to a hacker
• Social engineering reconnaissance on your website to identify potential targets and information on the company
or network
• Use GCI's dedicated TOR sandbox environment to create safe passage to the dark web
• Filter known malicious sharing sites on the dark web
• Search the internet and the dark web for any exposed account credentials
• Check executive email addresses against any historic data breaches
• Analyse the information and data gathered, provide recommendations and complete the reconnaissance report

3
gcicom.net
2 Risk & Impact Summary
When carrying out the reconnaissance tasks, GCI identified only a small number of concerning risks; however, those
identified have a High severity associated with them. Breached account data is a great advantage to an attacker
seeking access to accounts, as the hard work has already been done for them if these credentials are still valid.
With this in mind, other accounts are potentially exposed as well, and we advise a broader search in this area. We
also see an area within the DNS which needs immediate action to help prevent attackers spoofing your domain.

Your current security posture on the internet and the dark web requires some immediate remediation to improve.
Although the remaining risks we found are of lower severity, please review them to see whether any changes can be
made and/or users can be educated in cyber security issues around their email, such as phishing.

Section | Pass / Fail | Risk | Impact Summary
Advanced Domain & Website Information Gathering | Pass | Low | Minor recommendations
DNS | Pass | High | Open to spoofing
Passive Reconnaissance | Pass | Low | Minor improvement advised
Website Social Engineering | Pass | Low | Minor improvement advised
Social Media Reconnaissance | Pass | Low | Minor improvement advised
Dark Web Filtering | Fail | High | Account credentials have been breached

3 Advanced Domain & Website Information Gathering
Within this section GCI focuses on some of the primary areas covered by an attacker when performing
reconnaissance on an organisation's domain. The information found in this section helps direct the hacker to the
area they can target first or perform further reconnaissance on.

Site: https://www.sample.com
Netblock Owner: UKNOC Customer Address Space
Domain: Sample.com
Nameserver: ns1.***dns.com
Domain expiry: 02/04/2020
IP address: 81.19.185.127
DNS admin: hostmaster@****dns.com
Top Level Domain: Commercial entities (.com)
Reverse DNS: Unknown
Domain registrar: ******DNS S.A.
Nameserver organisation: whois.*****dns.com
Organisation: Sample Ltd
Hosting company: UK Dedicated
Organisational unit: Domain Control Validated; Hosted by Secure S******* L******
Subject Alternative Name: www.Sample.com, sample.com
Cert validity period: From Dec 16 2016 to Mar 15 2020 (38 months, 4 weeks, 2 days)
Matches hostname: Yes
Server: Apache
Public key algorithm: rsaEncryption
Protocol version: TLSv1.2
Public key length: 2048
Certificate check: Ok
Signature algorithm: sha256WithRSAEncryption
Serial number: 0x3182250ecbeb414e924b29996aa2a***
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Next Protocol Negotiation: Not present
Supported TLS Extensions: RFC4*** server name, RFC5*** renegotiation info, RFC4*** EC point formats, RFC5*** session ticket, RFC4**6 status request
Issuing organisation: SSL.com
Issuer common name: SSL.com DV CA
Certificate Revocation Lists: http://crl.ssl.com/SSLcomDVCA_2.crl
Certificate hash: zkMX3Uz6BckCYI36****+Ggvb**
Public Key Hash: 585995c07b3f4****7168edee10bd5d****2726ae7e7bb5eb7e71af23*****
OCSP servers: http://ocsp.ssl.com - 100% uptime in the past 24 hours
Certificate transparency: Signed Certificate Timestamps (SCTs) by source (Log / Certificate): No SCTs received or issuer unknown
SSLv3/POODLE: This site does not support the SSL version 3 protocol.
Heartbleed: The site did not offer the Heartbeat TLS extension prior to the Heartbleed disclosure, and so was not exploitable.

HOSTS AND SUB DOMAINS

The GCI security engineer obtains a list of hosts/sub-domains that attackers would look to exploit and identifies any
vulnerabilities.

Hosts/ Sub Domains Found


Valuation.sample.com 94.**.154.203
autodiscover.sample.com 52.**.139.184
com-ex01.sample.com **.242.132.24
mail.sample.com 195.128.***.105
newsdesk.sample.com 54.***.231.154
portal.sample.com 195.***.138.161
ssl.sample.com 195.128.138.***
valuation.sample.com 94.**.154.203
www.sample.com **.19.185.127

RISKS & RECOMMENDATIONS

Risk Identified | Recommendation Actions | Impact | Impact Summary | Agreed Action
Common host names found | Use uncommon names for hosts where possible | Low | Dictionary bruteforce can be used to obtain your hostnames and they will become the first targets |
Ensure commonly exposed ports are not open on these hosts to the internet | Test whether any open ports are required and if not close them | Low | Hosts exposed to the internet are often scanned for known vulnerable services, and if these are open they will be attacked |

4 DNS
Your DNS will be part of the reconnaissance focus against your domain, as it can point out which products you may or
may not use, which aids an attacker in their choice of attack. Your DNS can be very valuable to a hacker, and even
more so if they are able to perform a successful DNS zone transfer to dump your internal DNS records.

In this section GCI performs several checks against your external DNS, both to confirm that the functionality is
working as desired and to ensure it is not providing any information favourable to a hacker.

DNS Servers
Nameserver | IP address | ASN / Owner | Country
ns1.****dns.com. | 204.74.66.130 | AS12008 NeuStar, Inc. | United States
ns2.****dns.com. | 204.74.110.130 | AS12008 NeuStar, Inc. | United States
ns3.****dns.com. | 204.74.67.130 | AS12008 NeuStar, Inc. | United States
ns4.****dns.com. | 204.74.111.130 | AS12008 NeuStar, Inc. | United States
MX Records
Priority | Mail exchanger | IP address | ASN / Owner | Country
40 | gw4.SampleDataSystems.uk.com. | 188.20.35.64 | AS199291 Sample Data Systems Limited | United Kingdom
30 | gw3.SampleDataSystems.uk.com. | 195.128.138.61 | AS199291 Sample Data Systems Limited | United Kingdom
20 | gw2.SampleDataSystems.uk.com. | 185.20.**.63 | AS199291 Sample Data Systems Limited | United Kingdom
10 | gw1.SampleDataSystems.uk.com. | 195.***.138.63 | AS199291 Sample Data Systems Limited | United Kingdom
40 | gw4.SampleDataSystems.uk.com. | 185.20.35.64 | AS199291 Sample Data Systems Limited | United Kingdom
30 | gw3.SampleDataSystems.uk.com. | 194.128.138.61 | AS199291 Sample Data Systems Limited | United Kingdom
TXT Records
"v=spf1 include:spf.protection.outlook.com include:spf.exclaimer.net mx ip4:81.19.185.126/31 -all"
"fVijW4abSxLflDvdW5hRIPhWUfoCgXMaU5T6vny7jhunuI8g501eiISi33v9pHUKd39jePHoGQtdeCUdZ6dTiw=="
"MS=ms13273042"
Host Records (A)
Host | IP address | ASN / Owner | Country
portal.sample.com | 193.128.138.16** | AS199291 Sample Data Systems Limited | United Kingdom
ssl.sample.com | 19*.128.138.*** | AS199291 Sample Data Systems Limited | United Kingdom
ep.sample.com | 8*.19.185.1** | AS34282 UKDedicated LTD | United Kingdom
    HTTP: Apache
    HTTPS: Apache
    FTP: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------//220-You are user number 1 of 50 allowed.//220-Local time is now 22:20. Server port: 21.//220-This is a private system - No anonymous login//220-IPv6 connections are also welcome on this server.//220 You will be disconnected after 15 minutes of inactivity.//
    FTP server found in global scan data (passive)
    SSH: SSH-2.0-OpenSSH_5.3
www.sample.com | 81.19.185.127 | AS34282 UKDedicated LTD | United Kingdom
    HTTP: Apache
    HTTPS: Apache
    FTP: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------//220-You are user number 1 of 50 allowed.//220-Local time is now 22:20. Server port: 21.//220-This is a private system - No anonymous login//220-IPv6 connections are also welcome on this server.//220 You will be disconnected after 15 minutes of inactivity.//
    SSH: SSH-2.0-OpenSSH_5.3
mail.sample.com | 195.128.138.105 | AS199291 Data Systems Limited | United Kingdom
mx1.sample.com | 87.86.189.179 | AS4589 Sample Data Systems Global Services | United Kingdom
DKIM
v=DKIM1; k=rsa; p=MIGfMA0GCSqGS*******AQUAA4GNADCBiQKBgQCVQP0u3pmY0i12IJOKYl3rmGgDJa4JykRbr1ofVU7guhtNgH2pMl5vFAGuaiwuh4X5Xf/M3ma4G6R36fma7SkCYdNj/krrh4uIjlpuP3tTu0tifL5hp0svQ4******89cIN6hwZveVIZhW6GpPFVh0115ckIkI+IYqwDkmVrOVwIDAQAB; n=1024,149373****,1
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBi******77rnDY622M12BgM2SnJhTOdFqGx760etzCvBRJxNeCQ5w2uvFSiowMMMQmexjELPR+OOomWmWQX********K/zBGOhkb9Se6Z/QfYe7ZU5Jk2RCA92vqzzCeMZ1H4MmTlFoRQ********BKK7o0a8oiYmUFbjvruyC+2UTvzHNwIDAQAB;
DMARC
v=DMARC1;p=none;pct=100;rua=mailto:postmaster@sample.com

One of the first steps an attacker takes is to look at your external DNS for potential targets and services before
touching your network.

DNS Checks

General view of host locations and hosting IP block owners retrieved at the time of the checks. Please note these can
change periodically unless they are static. This information is useful to a hacker because they can see where your
hosts are located and look to use IP addresses local to these countries; it is important within any investigation and
whitelisting that activity from these countries is not overlooked.

External domain map gathered through automation at the time of the check. Please note this can change periodically
unless the hosts are static.

This information gives the hacker an advantage in DDoS and other attack vectors, as they can use IP addresses located
in these locations to mask their malicious intent and make spotting a malicious geographical location harder.

RISKS & RECOMMENDATIONS

DNS Check | Status | Risk Identified | Impact | Recommendation
DNS Zone Transfer Refused | Pass | N/A | N/A | N/A
No sensitive information available on the public DNS | Pass | N/A | N/A | N/A
SPF | Pass | N/A | N/A | N/A
DKIM | Fail | DKIM keys have not been rotated | Low | Rotate keys every month or quarter as a minimum
DMARC | Fail | DMARC in reporting mode; this does nothing with SPF and DKIM failures, leaving your domain still open to spoofing | High | Review the feedback presented from DMARC and change to quarantine or reject
Exchange is with O365 | Pass | N/A | N/A | N/A
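The DMARC and SPF findings above can be reproduced mechanically. The script below is an added example, not GCI's own tooling: it parses the two TXT records quoted in this section (embedded inline as constructed input, so it runs offline), flags a p=none DMARC policy as High, and checks the SPF record's terminating qualifier and DNS-lookup count against the RFC 7208 limit of 10.

```python
"""Score published SPF and DMARC TXT records for spoofing risk (added example)."""
import re

# Constructed input: the TXT records quoted in the DNS section of this report.
SPF_RECORD = ("v=spf1 include:spf.protection.outlook.com "
              "include:spf.exclaimer.net mx ip4:81.19.185.126/31 -all")
DMARC_RECORD = "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@sample.com"

# SPF terms that each cost a DNS lookup; RFC 7208 limits a record to 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier (+ - ~ ?), mechanism/modifier name, optional argument
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/].*)?$", re.I)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value;tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return (severity, message) findings for a DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("High", "no valid DMARC record published")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        # Monitoring only: receivers report SPF/DKIM failures but still deliver.
        findings.append(("High", "p=none: SPF/DKIM failures are not acted on, "
                                 "domain remains open to spoofing"))
    elif policy == "quarantine":
        findings.append(("Low", "p=quarantine: move to p=reject once reports are clean"))
    if tags.get("pct", "100") != "100":
        findings.append(("Low", f"pct={tags['pct']}: policy applies to only part of the mail"))
    if "rua" not in tags:
        findings.append(("Low", "no rua= address: aggregate reports are not collected"))
    return findings


def spf_terms(record: str) -> list:
    """Return (qualifier, name) for each mechanism/modifier after v=spf1."""
    out = []
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if m:
            out.append((m.group(1) or "+", m.group(2).lower()))
    return out


def spf_lookup_count(record: str) -> int:
    """Number of lookup-costing terms (include, a, mx, ptr, exists, redirect)."""
    return sum(1 for _, name in spf_terms(record) if name in LOOKUP_TERMS)


def assess_spf(record: str) -> list:
    """Return (severity, message) findings for an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("High", "no valid SPF record published")]
    findings = []
    all_q = next((q for q, n in spf_terms(record) if n == "all"), None)
    if all_q in (None, "+"):
        findings.append(("High", "no -all/~all terminator: any sender passes SPF"))
    elif all_q == "?":
        findings.append(("Low", "?all (neutral): SPF failures carry no weight"))
    lookups = spf_lookup_count(record)
    if lookups > 10:
        findings.append(("High", f"{lookups} DNS lookups exceed the limit of 10: permerror"))
    return findings


if __name__ == "__main__":
    print("SPF:", assess_spf(SPF_RECORD) or "no findings")
    print("DMARC:", assess_dmarc(DMARC_RECORD) or "no findings")
```

Pointing the two assess functions at records fetched with a DNS library for `sample.com` and `_dmarc.sample.com` turns this into a periodic check that fails when the policy regresses to p=none.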

5 Passive Reconnaissance
In this section we look to obtain information about the company without having to set foot within the domain and
leave a footprint. This can be through vectors such as sensitive documents available on the websites that may
contain detailed information about the internal infrastructure, or even sensitive information within the company which
could be used to create a social engineering attack in the form of a phishing email targeting end users. Trust is
implicitly built through the disclosure of sensitive information.

Here we have used our own code against the available search engines to perform the checks below. A tick indicates
that no results were found, and a cross means we were able to find something which we believe would be of interest
to an attacker. Our code uses some of the common search terms an attacker would use, but these are only the most
common searches.

PASSIVE RECONNAISSANCE CHECKS, RISKS AND RECOMMENDATIONS:

Passive reconnaissance checks | Status | Risk Identified | Impact | Recommendation
Indexed website pages with admin in them | Pass | N/A | N/A | N/A
Indexed pages with passwords in them | Pass | N/A | N/A | N/A
Personal sensitive documents available to the Internet | Pass | N/A | N/A | N/A
Company sensitive documents available to the internet | Fail | Company document publicly available which also contains personal data: http://planningdocs.sample.gov.uk/NorthgatePublicDocs/00044418.pdf | Medium | Review whether this should all be publicly available and ensure the necessary protection for phishing and spoofing is in place
Sensitive documents about the internal IT system, policies or network infrastructure | Pass | N/A | N/A | N/A
Indexed pages with login in URL (favourable login pages which an attacker may try to bruteforce) | Pass | N/A | N/A | N/A
Indexed pages with mobile numbers on them | Pass | N/A | N/A | N/A
Indexed pages with sensitive email addresses in them | Fail | Website contains information on all staff; this will be helpful to an attacker choosing the right target: https://www.sample.com/our-office/ . Various emails on http://www.samplemem.info/srch?q=kentish@sample.com . HR email and contact on https://www.youtube.com/watch?v=K*****jd-xo | Low | Produce a contact form and provide further details to those that need it
Logs exposed to the internet | Pass | N/A | N/A | N/A
Data dump of contact information to other websites (not Dark Web) | Pass | N/A | N/A | N/A

6 Website Social Engineering
In this section we look specifically at your company's website presence to see whether we are able to find any
sensitive information which can be used in social engineering attacks. Such information can include high value target
email addresses or other contact details, information on your network and your company's internal policies.

Hackers will perform a number of search queries to obtain this information. Please also be aware that hackers will
sometimes actively engage with employees found on your website to obtain such information. Ensure your employees
are aware of this and cautious about what information is published.

Passive reconnaissance checks | Status | Risk Identified | Impact | Recommendation
High Value Targets – contact information | Fail | Website contains information on all staff; this will be helpful to an attacker choosing the right target: https://www.sample.com/our-offices/ | Low | Produce a contact form and provide further details to those that need it
Organizational structure | Fail | Same as above; this can be used to map out your organizational structure | Low | Produce a contact form and provide further details to those that need it
Vulnerable information about the network | Pass | N/A | N/A | N/A
Internal policies | Pass | N/A | N/A | N/A
Job roles for high value targets (IT administrators, CFO) | Pass | N/A | N/A | N/A
Information on internal procedures | Pass | N/A | N/A | N/A

7 Social Media Reconnaissance
In this section we look specifically at your company's social media presence to see whether we are able to find any
sensitive information which can be used in social engineering attacks. Such information can include high value target
email addresses or other contact details, information on your network and your company's internal policies.

Hackers will perform a number of search queries to obtain this information. Please also be aware that hackers will
sometimes actively engage with your employees on social media to obtain such information. Ensure your employees
are aware of this and cautious about what they post about the company on social media and/or what information they
share with others.

Passive reconnaissance checks | Status | Risk Identified | Impact | Recommendation
High Value Targets – contact information | Pass | N/A | N/A | N/A
Organizational structure | Fail | LinkedIn contains information on the organizational structure | Low | If this is required, ensure only standard skills and roles are published, without great detail, within your online CV
Vulnerable information about the network | Pass | N/A | N/A | N/A
Internal policies | Pass | N/A | N/A | N/A
Job roles for high value targets (IT administrators, CFO) | Pass | N/A | N/A | N/A
Information on internal procedures | Fail | LinkedIn contains information on internal procedures. If research through LinkedIn was done, an attacker would see who looks after your accounts and some of the tasks they deal with, and so know who to attack and the type of information to obtain | Medium | If this is required, ensure only standard skills and roles are published, without great detail, within your online CV

LinkedIn profiles for:

Christina ***** FD
Linda and James from accounts

Social Media Recon Evidence

Snippets of LinkedIn profiles with job titles, highlighting finance department or accounts as an example.

8 Dark Web Filtering
The Dark Web, with all its uses, is often used to publish or sell company or personal data. There are several
websites/markets which have such data for sale if you are looking for it. Although anyone can access the Dark Web
with the right tools, browsing the Dark Web without the relevant security knowledge and setup will leave you wide open
to attackers and malicious sites.

At GCI we have specialist TOR networks set up in a safe, segregated environment, and our security specialists are
fully equipped with the right knowledge and skills to scrape the Dark Web for leaked data about given individuals or
companies. Below are the Dark Web sites we have visited and performed thorough checks on for any company data:

Dark web filtering checks | Status | Risk Identified | Impact | Recommendation
Not Evil (https://hss3***2hsxfogfq***.ion.to ; https://nzxj65****h2fkhk.onion.to/pnlkybezo) | Fail | Accounts previously on account breach paste | High | Linked to previous breaches similar to ghostproject; link is no longer valid
DuckDuckGo (https://3g2up*****6kufc4m.*8ion/) | Pass | N/A | N/A | N/A
0day (http://qzbkwswfv****oj5d.**ion/) | Pass | N/A | N/A | N/A
AHMIA (http://msydqs*****kzerdg.onion/) | Pass | N/A | N/A | N/A
Candle (http://gjobqjj7wyc***ie.onion/) | Pass | N/A | N/A | N/A
HayStak (http://haystak*****7wbk5.o*8on/) | Pass | N/A | N/A | N/A
OnionLand (http://3bbaa****8cbdddz.onion/) | Pass | N/A | N/A | N/A
Onion URL Repository (http://32rfc****8lf4dlv.oinion) | Pass | N/A | N/A | N/A
Searx (http://5plvrsgyd***e.onion/) | Pass | N/A | N/A | N/A
Torch (http://xmh57jrz***6insl.o**n/) | Pass | N/A | N/A | N/A

PASTE BIN/ GHOST PROJECT

A pastebin is a type of online content hosting service where users can store data in plain text, such as source code
snippets for code review via Internet Relay Chat (IRC), or as a middle ground to host data which can then be reused
in a number of ways, e.g. by a script that pulls data from your pastebin entries. We have searched the database and
found 0 matches on Keaton.com.

Ghost Project is a database that contains leaked username and password pairs. Company emails have been checked
and any signs of leaked data are detailed below.

We have spot checked several users to see whether any accounts have been breached previously and found the
following; please note these could be historic or current passwords.

Rupert.bear@sample.com:123*****
Howard.duck@sample.com:kan*****
Tweety.pie@sample.com:K#Lea*****

With the above in mind, I would advise that further action is taken on this. This could be either checking a list of
staff or doing a company-wide password reset.

Conditions & Disclaimer

Conditions

The contents of this report remain the property of and may not be reproduced in whole or in part without the
express permission of GCI. This report should only be distributed by secure methods to individuals on a Need-to-
Know basis. Paper copies should be locked away when not in use and electronic copies should only be stored
offline in a secure area.

Disclaimer

This report covers some of the main areas used by attackers to gain information about your company and its
employees. Please be aware that these are not the only techniques and methods that can be used. We have
searched selected areas of the Dark Web which we know can show leaked data; however, due to the size of the
Dark Web and the number of sites on it that are not indexed, we cannot cover the whole Dark Web.
