
Applying Reconnaissance Techniques
CHAPTER 1

CYBERSECURITY ANALYSIS - UCC


Class Objectives
Reconnaissance
Passive vs Active

Packet Capture
Virtualization Technologies
Cloud Computing Security
SAAS
PAAS
IAAS


Reconnaissance

Information gathering, getting to know the target systems, is the first process in ethical hacking. Reconnaissance
is a set of processes and techniques (footprinting, scanning and enumeration) used to covertly discover and collect
information about a target system.
During reconnaissance, an ethical hacker attempts to gather as much information about a target system as possible,
following the seven steps listed below:
Gather initial information
Determine the network range
Identify active machines
Discover open ports and access points
Fingerprint the operating system
Uncover services on ports
Map the network


C. I. A. Triad
Confidentiality
Integrity
Availability


Sources for Intelligence Gathering (Reconnaissance)

Google – google hacking


Sources for Intelligence Gathering (Reconnaissance)

Internet Registries – Regional Internet Registries (RIR)

Job Sites
Social Media


Sources for Intelligence Gathering (Reconnaissance)

DNS
You can use the WHOIS web service at http://www.whois.com/whois to get detailed information about a domain
name, including its owner, its registrar, the date of registration, the expiry date, the name servers, the owner's
contact information, etc.


Whois Result


Footprinting
Creating a map of an organization’s networks, systems, and other infrastructure

Active vs. passive reconnaissance


Active Reconnaissance

Scanning
This is a method the adversary can use to get more detail on your network. Scanning is used to find openings
on the network and to deduce what devices are on the other end of the network.
Network Mapping - NMAP
Network mapping is done to understand the topology of the network, including the perimeter
network, demilitarized zones and key network devices. To understand the topology of the
network, the user or adversary conducts a sweep. The sweep is done by sending a message to
each device and recording the response, and one of the most popular tools to get this done is
Network Mapper (Nmap).


Active Reconnaissance

The default host-discovery behavior of Nmap is to send:

ICMP Echo Request
TCP SYN to port 443
TCP ACK to port 80
ICMP Timestamp Request

A successful response to any of these probes indicates that the address is in use.

The next step for the adversary is to fill in the details to perform further analysis.


1. Mapping Networks with Zenmap


Ports
This is a list of TCP and UDP port numbers used by protocols of the transport layer of the Internet
protocol suite for the establishment of host-to-host connectivity.

Well-known ports range from 0 through 1023.
Registered ports are 1024 to 49151.
Dynamic ports (also called private ports) are 49152 to 65535.


Ports
Port  Service                                   Port  Service
0     FTP -- Data                               156   SQL Server
21    FTP -- Control                            161   SNMP
22    SSH Remote Login Protocol                 179   Border Gateway Protocol (BGP)
23    Telnet                                    190   Gateway Access Control Protocol (GACP)
25    Simple Mail Transfer Protocol (SMTP)      194   Internet Relay Chat (IRC)
29    MSG ICP                                   197   Directory Location Service (DLS)
37    Time                                      389   Lightweight Directory Access Protocol (LDAP)
42    Host Name Server (Nameserv)               396   Novell Netware over IP
43    WhoIs                                     443   HTTPS
49    Login Host Protocol (Login)               444   Simple Network Paging Protocol (SNPP)
53    Domain Name System (DNS)                  445   Microsoft-DS
69    Trivial File Transfer Protocol (TFTP)     458   Apple QuickTime
70    Gopher Services                           546   DHCP Client
79    Finger                                    547   DHCP Server
80    HTTP
103   X.400 Standard
108   SNA Gateway Access Server
109   POP2
110   POP3


Mapping Networks with Nmap


2. Port Scanning – NMAP / Nessus

Port scanners are programs designed to probe a host to determine which ports are open. Ports are
important for services communicating with a server. However, seeing which ports are open also allows an
attacker to add details to their picture of the network.
A port scan may reveal well-known ports 80 and 25 open, from which it may be determined that a
web-based application is running.

Port scanning features

• Open port detection
• OS fingerprinting
• Service and version identification


Service/Version Identification


3. Web App Vulnerability Scanning – Nikto / Burp Suite

A web application vulnerability scanner is an automated tool used to scan web applications
for security vulnerabilities. These scans are based on a preexisting database of known exploits, so
please bear this in mind.
Some of the tests these scanners perform relate to SQL injection, command injection, cross-site
scripting and improper server configuration.

Run Nikto in Kali Linux.


Capturing Packets (Packet captures) - Wireshark
Packet capture is a computer networking term for intercepting a data packet that is crossing or moving
over a specific computer network.

Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to
help diagnose and solve network problems and to determine whether network security policies are being
followed.

Hackers can also use packet capturing techniques to steal data that is being transmitted over a network.
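The inspection step described above, as an added example that is not part of the slides: a minimal reader for the classic libpcap file format that Wireshark and tshark write, decoding the Ethernet, IPv4 and TCP/UDP headers into the fields an analyst looks at first (addresses, ports, TCP flags). The capture it reads is constructed in code (one frame carrying a TCP SYN to port 80, using documentation addresses), so nothing is taken from a live network; the function names `build_sample_pcap`, `parse_frame` and `parse_pcap` are this example's own.

```python
import struct

# Added example (not from the slides): a minimal classic-pcap reader with an
# Ethernet/IPv4/TCP/UDP header decoder. The sample capture is constructed below.

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")     # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")         # sport, dport, seq, ack, data offset, flags, win, csum, urg
UDP_HDR = struct.Struct("!HHHH")              # sport, dport, length, csum

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
LINKTYPE_ETHERNET = 1


def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4 frame carrying a TCP SYN to port 80."""
    tcp = TCP_HDR.pack(49700, 80, 1000, 0, 5 << 4, 0x02, 64240, 0, 0)
    ip = IPV4_HDR.pack(0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    eth = ETH_HDR.pack(bytes.fromhex("aabbcc000001"), bytes.fromhex("aabbcc000010"), 0x0800)
    frame = eth + ip + tcp
    glob = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec = PCAP_REC_HDR.pack(1714557600, 250000, len(frame), len(frame))
    return glob + rec + frame


def _ip4(raw):
    return ".".join(str(b) for b in raw)


def _flags(bits):
    return [name for mask, name in TCP_FLAG_NAMES if bits & mask]


def parse_frame(frame, ts):
    """Decode Ethernet -> IPv4 -> TCP/UDP into a flat dict (the 5-tuple plus TCP flags)."""
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    rec = {"time": ts, "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
           "ethertype": ethertype}
    if ethertype != 0x0800:
        return rec                                  # ARP, IPv6 etc. are left undecoded here
    off = ETH_HDR.size
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(frame, off)
    off += (ver_ihl & 0x0F) * 4                     # IHL is in 32-bit words; IP options may follow
    rec.update(src_ip=_ip4(src), dst_ip=_ip4(dst), ttl=ttl, proto=proto)
    if proto == 6:
        sport, dport, _seq, _ack, _doff, flags, _win, _c, _u = TCP_HDR.unpack_from(frame, off)
        rec.update(src_port=sport, dst_port=dport, tcp_flags=_flags(flags))
    elif proto == 17:
        sport, dport, _len, _c = UDP_HDR.unpack_from(frame, off)
        rec.update(src_port=sport, dst_port=dport)
    return rec


def parse_pcap(data):
    """Walk the capture records; handles both byte orders of the classic (non-pcapng) format."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        ghdr, rhdr = PCAP_GLOBAL_HDR, PCAP_REC_HDR
    elif magic == b"\xa1\xb2\xc3\xd4":
        ghdr, rhdr = struct.Struct(">IHHiIII"), struct.Struct(">IIII")
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    _m, _maj, _min, _tz, _sig, _snap, linktype = ghdr.unpack_from(data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off, packets = ghdr.size, []
    while off + rhdr.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated capture record")   # file cut short mid-packet
        off += incl_len
        packets.append(parse_frame(frame, ts_sec + ts_usec / 1e6))
    return packets


if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap()):
        print(pkt)
```

Real captures are usually written as pcapng rather than classic pcap, and `incl_len` can be smaller than `orig_len` when a snap length was set; the reader above rejects the former and honours the latter by decoding only the captured bytes.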


Capturing Packets (Packet captures) - Wireshark


Capturing Packets (Packet captures) - Wireshark
The different applications and uses of data capturing include the following:

• Security: Data capturing is used to identify security flaws and breaches by determining the
point of intrusion.
• Identification of Data Leakage: Content analysis and monitoring help to ascertain the
leakage point and its sources.
• Troubleshooting: Managed through data capturing, troubleshooting detects the occurrence
of undesired events over a network and helps solve them. If the network administrator has full
access to a network resource, he can access it remotely and troubleshoot any issues.
• Identifying Data/Packet Loss: When data is stolen, the network administrator can retrieve
the stolen or lost information easily using data capturing techniques.
• Forensics: Whenever viruses, worms or other intrusions are detected on computers, the
network administrator determines the extent of the problem. After initial analysis, she may block
some segments and network traffic in order to preserve historical information and network data.


SPECIAL CONSIDERATIONS RELATING TO THE NETWORK TOPOLOGY IN USE
Wired Network Considerations
A wired network is considered more secure than its wireless counterpart because of proximity
considerations.
Taps
For network capture to be done on a wired network, a tap can be used to capture packets. Taps can be used
passively and actively. Passive taps are best used on a copper medium and use no additional power to perform
sniffing. However, on gigabit-speed lines this may be error-prone, and it is suggested that an active tap or active
relay be used instead.
The active tap completely terminates the signal in the tap device and then sends a copy to the local interface.
Hubs
Alternatively, while we do not use hubs in most modern organizations (because a hub broadcasts its traffic
through every port without security consideration), we can capture traffic directly from an intermediary
device such as a hub. Because of the way a hub works, sending traffic out through all of its
interfaces, all we need is a monitoring machine connected to it with the capturing software installed.
The hub can then become a vector for attack, where the attacker places a hub in the network and collects all
the traffic data.
Wired Network Considerations
Switches
To replace hubs, homes and organizations now use switches. Within the switch
environment the data units are referred to as frames and are forwarded only to the destination they
are meant for.
So, as each frame enters the switch, the switch compares the incoming frame's destination MAC
address with its existing list of addresses and their matching physical ports on the switch. When
it finds a match, the switch forwards the data to the appropriate interface and then on to the
destination device.
For the switch to have the list of Media Access Control (MAC) addresses we spoke about in its
MAC table, it uses a service called Address Resolution Protocol (ARP) to populate such a table
or list.


Wired Network Considerations
ARP is how networked devices figure out which MAC address a given IP address is linked to.
Every host maintains an ARP table, which maps IP addresses and MAC addresses to each other. Therefore,
whenever a host needs to send data to an IP address, it looks up the corresponding
MAC address in its own table and then forwards the data onto the wire. The switch then accepts
the data and sends it on to the right destination interface. If the host does not know
the MAC address for a given IP address, it asks the entire network using an ARP request.


Wired Network Considerations


Wired Network Considerations


ARP Manipulation
ARP Poisoning
This is one method of sniffing traffic on a switched network. It stresses the switch with a stream of ARP replies: every
time the adversary sends an update about a MAC address, the switch adjusts its internal forwarding table to
reflect the change. If this is done often enough, the switch defaults to hub mode and broadcasts all traffic
through all interfaces.
Another method is to tamper with the ARP table of a specific targeted host on the network. Here the attacker
takes advantage of the trust in ARP between host A and host B (page 14): he sends a fake ARP reply to host B
indicating that host A's IP address is now associated with the attacker's MAC address. Unfortunately, this is
accepted into host B's ARP table, and the same is repeated for host A. This is known as a Man-in-the-Middle (MITM) attack.
Mirroring
Most switches support this feature. Port mirroring occurs when packets are replicated from an individual port or a
selected range of ports and sent to a separate output port on the same device. Port mirroring is used
to troubleshoot problems or facilitate traffic analysis. However, if an attacker had access, he could enable port
mirroring and collect data passing through the switch.
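Detection logic for the two ARP poisoning methods described above, as an added example that is not part of the slides. It consumes (time, sender IP, sender MAC) tuples taken from ARP replies; here they are constructed in code, but in practice they would come from a capture on a mirror port or from a host's ARP monitor. The gateway address 192.0.2.1, the MAC values, the function names `detect_arp_poisoning` and `detect_mac_flood`, and the thresholds are this example's own assumptions.

```python
from collections import defaultdict, deque

# Added example (not from the slides): passive detection of ARP table tampering
# (an IP re-binding to a new MAC, one MAC claiming several IPs) and of switch
# flooding (an implausible number of distinct sender MACs in a short window).

SAMPLE_ARP_REPLIES = [                            # constructed; 192.0.2.1 is the gateway
    (0.0, "192.0.2.1",  "aa:bb:cc:00:00:01"),
    (0.5, "192.0.2.20", "aa:bb:cc:00:00:20"),     # host B
    (1.0, "192.0.2.30", "aa:bb:cc:00:00:30"),     # host A
    (5.0, "192.0.2.1",  "de:ad:be:ef:00:99"),     # gateway IP now claimed by a different MAC
    (5.1, "192.0.2.20", "de:ad:be:ef:00:99"),     # the same MAC also claims host B: MITM pattern
]


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Flag IP->MAC re-binding and one MAC claiming several IPs (the host-table method)."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": ts, "type": "ip_mac_change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append({"time": ts, "type": "mac_claims_multiple_ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


def detect_mac_flood(replies, window=1.0, threshold=100):
    """Flag the switch-flooding method: more distinct sender MACs per window than a LAN has hosts."""
    recent, alerts, flooding = deque(), [], False
    for ts, _ip, mac in sorted(replies):
        recent.append((ts, mac.lower()))
        while recent and recent[0][0] < ts - window:
            recent.popleft()                      # sliding time window
        distinct = len({m for _t, m in recent})
        if distinct > threshold and not flooding:
            flooding = True                       # alert once per burst, not per reply
            alerts.append({"time": ts, "type": "mac_flood", "distinct_macs": distinct})
        elif distinct <= threshold:
            flooding = False
    return alerts


def build_flood_sample(count=300, start=10.0):
    """Constructed burst: `count` replies from distinct MACs within a few hundred milliseconds."""
    return [(start + i * 0.001, f"10.0.{i // 256}.{i % 256}",
             f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(count)]


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES) + detect_mac_flood(build_flood_sample()):
        print(alert)
```

An `ip_mac_change` on the gateway address is the highest-value signal, since that is the entry a MITM has to overwrite on every victim. Legitimate changes do happen (a replaced NIC, DHCP reuse), so the alert should be correlated with DHCP logs rather than acted on blindly; the corresponding preventive controls are static ARP entries for the gateway on critical hosts and, on the switch, port security (a MAC-per-port limit) and dynamic ARP inspection.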


Wireless Network Considerations

Wireless networks use various technologies such as radio frequencies (RF). Because there is no
way to limit the signal, it goes beyond the limits of a home's or organization's physical presence,
and a passer-by can easily observe network traffic with the right tools in hand.
If you are already connected to a wireless network and are only trying to record the traffic
between connected devices on the network, Wireshark will work well for this situation. Wireless
networks operate on IEEE 802.11 broadcasts.


Virtualization Technologies

Virtualization is the creation of a virtual -- rather than actual -- version of something, such as an
operating system, a server, a storage device or network resources.
Hypervisors
A hypervisor is a function which abstracts -- isolates -- operating systems and applications from
the underlying computer hardware. This abstraction allows the underlying host machine
hardware to independently operate one or more virtual machines as guests, allowing multiple
guest VMs to effectively share the system's physical compute resources, such as processor
cycles, memory space, network bandwidth and so on. A hypervisor is sometimes also called a
virtual machine monitor.


Types of hypervisors

Hypervisors are traditionally implemented as a software layer -- such as VMware vSphere or
Microsoft Hyper-V -- but hypervisors can also be implemented as code embedded in a system's firmware.
There are two principal types of hypervisor.
Type 1 hypervisors are deployed directly atop the system's hardware without any underlying
operating systems or other software. These are called "bare metal" hypervisors and are the most
common and popular type of hypervisor for the enterprise data center. Examples include vSphere
or Hyper-V.
Type 2 hypervisors run as a software layer atop a host operating system and are usually called
"hosted" hypervisors, like VMware Player or Parallels Desktop. Hosted hypervisors are often found
on endpoints like PCs.


Containers
Containers use the host operating system as their
base, and not the hypervisor. Rather than virtualizing
the hardware (which requires full virtualized
operating system images for each guest), containers
virtualize the OS itself, sharing the host OS kernel
and its resources with both the host and other
containers.
Containers provide the bare essentials required for
any application to run on a host OS. You could think
of them as stripped down Virtual Machines running
just enough software to deploy an application.


Cloud Computing

Cloud computing is a general term for the delivery of hosted services over the internet.
Cloud computing enables companies to consume a compute resource, such as a virtual machine
(VM), storage or an application, as a utility -- just like electricity -- rather than having to build and
maintain computing infrastructures in-house.

Cloud computing deployment models

Cloud computing services can be private, public or hybrid.

Types of cloud computing services

Although cloud computing has changed over time, it has been divided into three broad service
categories: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service
(SaaS).


Cloud service categories


Cloud computing characteristics and benefits
Cloud computing boasts several attractive benefits for businesses and end users. Five of the main benefits of
cloud computing are:
Self-service provisioning: End users can spin up compute resources for almost any type of workload on
demand. This eliminates the traditional need for IT administrators to provision and manage compute
resources.
Elasticity: Companies can scale up as computing needs increase and scale down again as demands decrease.
This eliminates the need for massive investments in local infrastructure, which may or may not remain
active.
Pay per use: Compute resources are measured at a granular level, enabling users to pay only for the
resources and workloads they use.
Workload resilience: Cloud service providers often implement redundant resources to ensure resilient
storage and to keep users' important workloads running -- often across multiple global regions.
Migration flexibility: Organizations can move certain workloads to or from the cloud -- or to different cloud
platforms -- as desired or automatically for better cost savings or to use new services as they emerge.


Cloud computing security

Security remains a primary concern for businesses contemplating cloud adoption -- especially
public cloud adoption. Public cloud service providers share their underlying hardware
infrastructure between numerous customers, as public cloud is a multi-tenant environment. This
environment demands copious isolation between logical compute resources. At the same time,
access to public cloud storage and compute resources is guarded by account login credentials.

Many organizations bound by complex regulatory obligations and governance standards are still
hesitant to place data or workloads in the public cloud for fear of outages, loss or theft.
However, this resistance is fading, as logical isolation has proven reliable, and the addition of
data encryption and various identity and access management tools has improved security within
the public cloud.


Passive Reconnaissance
In this process, you will not be directly connected to a computer system. This process is used to gather essential
information without ever interacting with the target systems.
Footprinting is a part of the reconnaissance process which is used for gathering possible information about a target
computer system or network. Footprinting can be both passive and active. Reviewing a company's website is
an example of passive footprinting, whereas attempting to gain access to sensitive information through social
engineering is an example of active information gathering.
During this phase, a hacker can collect the following information:
Domain name
IP Addresses
Namespaces
Employee information
Phone numbers
E-mails
Job Information


Preventing Reconnaissance
Limit external service exposure
Use intrusion prevention systems
Use monitoring and alerting
Register domains with privacy settings
Implement rate limiting
Restrict zone transfers
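The "monitoring and alerting" and "rate limiting" controls above need a detector behind them. As an added example that is not part of the slides, the code below recognises the two active-reconnaissance patterns from earlier in the chapter, the Nmap-style host sweep (one source touching many addresses) and the port scan (one source probing many ports on one host), from firewall drop logs. The log lines are constructed here in an iptables-like one-line style; the regex, thresholds, window and the function names `parse_line` and `detect_scans` are this example's assumptions and would be adapted to your own logger.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the slides): sliding-window scan detection over firewall logs.
# Log format is a constructed iptables-like style: "<iso-time> DROP SRC=.. DST=.. PROTO=.. [DPT=..]".

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                    r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?")

T0 = datetime(2024, 5, 1, 10, 0, 0)           # constructed base time


def _line(ts, src, dst, proto, dpt=None):
    s = f"{ts.isoformat()} DROP SRC={src} DST={dst} PROTO={proto}"
    return s + (f" DPT={dpt}" if dpt is not None else "")


SAMPLE_LOG = (
    # vertical port scan: one source probing 12 ports on one host within 12 seconds
    [_line(T0 + timedelta(seconds=i), "203.0.113.7", "192.0.2.5", "TCP", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080])]
    # horizontal sweep: ICMP echo to 15 consecutive hosts (the Nmap default discovery probe)
    + [_line(T0 + timedelta(seconds=30 + i), "203.0.113.9", f"192.0.2.{h}", "ICMP")
       for i, h in enumerate(range(1, 16))]
    # benign: one client reaching two services, not a scan
    + [_line(T0 + timedelta(seconds=40), "198.51.100.2", "192.0.2.5", "TCP", 443),
       _line(T0 + timedelta(seconds=41), "198.51.100.2", "192.0.2.6", "TCP", 25)]
)


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise (never crash on junk input)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=10):
    """Return {source: {'port_scan' | 'host_sweep'}} for sources exceeding a threshold in the window."""
    events, findings = defaultdict(deque), defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = events[ev["src"]]
        q.append(ev)
        while q and q[0]["ts"] < ev["ts"] - window:
            q.popleft()                           # sliding window per source address
        hosts = {e["dst"] for e in q}
        ports_per_host = defaultdict(set)
        for e in q:
            if e["dpt"] is not None:              # ICMP lines carry no port
                ports_per_host[e["dst"]].add(e["dpt"])
        if len(hosts) > host_threshold:
            findings[ev["src"]].add("host_sweep")
        if any(len(p) > port_threshold for p in ports_per_host.values()):
            findings[ev["src"]].add("port_scan")
    return dict(findings)


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

Thresholds are the tuning knob: a sweep spread over hours stays under a 60-second window, so a second, longer window (with a higher threshold) is usually run alongside this one. Sources that exceed a threshold are what an IPS or rate limiter would then throttle or block.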


TOOLS of THE TRADE


Nmap (CLI) / Zenmap (GUI)
Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and
security auditing.
Many systems and network administrators also find it useful for tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what
services (application name and version) those hosts are offering, and what operating systems (and OS
versions) they are running.
Nmap runs on all major computer operating systems, and official binary packages are available for
Linux, Windows, and Mac OS X.

(https://nmap.org/)


Nikto

Nikto is an Open Source web server scanner which performs comprehensive tests against web
servers for multiple items, including over 6700 potentially dangerous files/programs, checks for
outdated versions of over 1250 servers, and version specific problems on over 270 servers.
It also checks for server configuration items such as the presence of multiple index files, HTTP
server options, and will attempt to identify installed web servers and software. Scan items and
plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible,
and is obvious in log files or to an IPS/IDS.

(https://cirt.net/Nikto2)


OWASP Zed Attack Proxy (ZAP)
(http://www.zaproxy.org/)

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is
actively maintained by hundreds of international volunteers.
It can help you automatically find security vulnerabilities in your web applications while you are
developing and testing your applications. It's also a great tool for experienced pen-testers to use
for manual security testing.

Installation Video
https://www.youtube.com/watch?v=Xp_PBH7wjiw


Nessus
Nessus is now proprietary and comes with a Nessus home version
to scan up to 16 IP addresses.
Nessus is a proprietary vulnerability scanner developed by 
Tenable Network Security. It is free of charge for personal use in a
non-enterprise environment.
According to surveys done in 2009 by sectools.org, Nessus is the
world's most popular vulnerability scanner.

(https://www.tenable.com/products/nessus-vulnerability-scanner)


Netstat
The netstat command is used to display TCP/IP network protocol statistics and information.
Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP
routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6,
TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP
connections.
Syntax
netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
Parameters
-a : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-e : Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter
can be combined with -s.
-n : Displays active TCP connections; however, addresses and port numbers are expressed numerically and no
attempt is made to determine names.
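As an added example that is not part of the slides, the code below turns `netstat -an` output into the check a defender actually wants from it: which listening sockets are bound to every interface (and so reachable from outside), classified by the well-known / registered / dynamic ranges from the Ports slide earlier in the chapter. That is the practical form of "limit external service exposure". The netstat text is a constructed Windows-style sample, not output from a real host; the function names `port_class`, `parse_netstat` and `exposed_listeners` and the allow-list are this example's own.

```python
# Added example (not from the slides): parse `netstat -an`, classify ports by IANA range
# and flag listeners bound to all interfaces. SAMPLE_NETSTAT is constructed, not captured.

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.0.2.15:49700       198.51.100.20:443      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    127.0.0.1:53           *:*
"""

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "::", "*"}          # bound to every interface
UDP_UNCONNECTED = {"*:*", "0.0.0.0:*", "[::]:*"}         # Windows and Linux spellings


def port_class(port):
    """Classify by the ranges on the Ports slide: well-known, registered, dynamic."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def _split_addr(addr):
    host, _, port = addr.rpartition(":")     # rpartition keeps IPv6 '[::]:135' intact
    return host, int(port)


def parse_netstat(text):
    """One dict per socket line; header, title and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        host, port = _split_addr(parts[1])
        state = parts[3] if len(parts) > 3 else ""          # UDP lines carry no state column
        listening = state == "LISTENING" or (parts[0] == "UDP" and parts[2] in UDP_UNCONNECTED)
        sockets.append({"proto": parts[0], "local_host": host, "local_port": port,
                        "foreign": parts[2], "state": state, "listening": listening})
    return sockets


def exposed_listeners(text, allowed_ports=frozenset()):
    """Listening sockets bound to every interface whose port is not on the allow-list."""
    out = []
    for s in parse_netstat(text):
        if s["listening"] and s["local_host"] in WILDCARD_ADDRS \
                and s["local_port"] not in allowed_ports:
            out.append({"proto": s["proto"], "port": s["local_port"],
                        "class": port_class(s["local_port"])})
    return out


if __name__ == "__main__":
    for entry in exposed_listeners(SAMPLE_NETSTAT, allowed_ports={3389}):
        print(entry)
```

Loopback-only services (127.0.0.1:5432 above) and established client connections are deliberately left out, since neither adds external exposure; a wildcard-bound listener that is not on the allow-list is the finding to chase, starting with the well-known ones. The `-o` parameter on Windows adds the owning process ID, which is the next thing to record for each finding.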


Wireshark (GUI)/Tshark (CLI)
Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see
what’s happening on your network at a microscopic level and is the de facto (and often de jure)
standard across many commercial and non-profit enterprises, government agencies, and
educational institutions.

(https://www.wireshark.org/)


END of Chapter 1 Review

Reconnaissance


END of Chapter 1 Review
Reconnaissance
Passive vs Active

Packet Capture
Virtualization Technologies
Cloud Computing Security
SAAS
PAAS
IAAS
