
Threat Actor Thinking

Security Operations Course


Module 3: Threat Actor Thinking

1. Hacking Lifecycle

2. Footprinting & Reconnaissance

3. Scanning

4. Enumeration
Hacking Lifecycle
The Hacking Lifecycle

Reconnaissance -> Scanning -> Gaining Access -> Maintaining Access -> Clearing Tracks -> (back to Reconnaissance)
Hacking Lifecycle
Reconnaissance

• When an attacker seeks to gather information about a target prior to an attack.

• Targets may include the target organisation's clients, employees, operations, networks, systems or third parties.
Hacking Lifecycle
Scanning

• Pre-Attack Phase:
Refers to the phase in which the attacker scans the network for specific information, based on the
information gathered during reconnaissance.

• Port Scanner:
Scanning can include use of dialers, port scanners, network mappers, ping tools or vulnerability
scanners.

• Extract Information:
Attackers extract information such as live machines, ports, port status, OS details, device type,
system uptime and vulnerabilities.
Hacking Lifecycle
Gaining Access

• The stage where the attacker obtains access to the OS or applications on the computer network.

• The attacker is able to escalate privileges to acquire complete control of the system.
Hacking Lifecycle
Maintaining Access

• Refers to when the attacker tries to retain their newly acquired ownership of the system.

• Attacker may prevent the system from being owned by other attackers by securing their exclusive
access with Backdoors, Rootkits or Trojans.

• Attackers can upload, download or manipulate data, applications and configurations on the owned
system.

• Attackers use the compromised system to launch further attacks.


Hacking Lifecycle
Clearing Tracks

• Hide:
Covering tracks is carried out by the attacker to hide their malicious acts.

• Intention:
Continual access to the victim systems.
Remain unnoticed.
Delete evidence that might lead to prosecution.

• Overwrite:
Overwrite the server, system and application logs to avoid suspicion.
Hacking Lifecycle
What we’ve covered so far

• Recon

• Scanning

• Gaining access

• Maintaining access

• Clearing tracks
Hacking Lifecycle
Pop Quiz

Answer the following:


1. Calling tech support at your target – what is this an example of?

2. What is exploiting a vulnerability to install a Remote Access Trojan (RAT) an example of?

3. What is disk wiping an example of?

Hands up in Teams once you’re done!


Questions?
Module 3: Threat Actor Thinking
1. Hacking Lifecycle

2. Footprinting & Reconnaissance

3. Scanning

4. Enumeration
Footprinting & Reconnaissance
Recon Types

• Passive:
Involves acquiring information without directly interacting with potential target.
Example: Public records or press releases

• Active:
Involves interacting with the potential target directly by any means.
Example: telephone calls, technical departments.
Footprinting & Reconnaissance
Reconnaissance Activities

• Search engines/ Shodan

• Websites

• Email

• Competitive intelligence

• Google Dork

• WHOIS search

• DNS search

• Social engineering

• Social networking
Footprinting & Reconnaissance
Reasons they’re effective

• Company unaware

• Public Information

• Browser Friendly

• Digital Dirt

• Hard to Detect

• Human Error


Footprinting & Reconnaissance
Preventing their abuse

• Physical Security

• Training

• Audits
LinkedIn Learning
Footprinting and Reconnaissance
35 Minutes

Section 1 + Quizzes
https://www.linkedin.com/learning/ethical-hacking-footprinting-and-reconnaissance/footprinting-and-reconnaissance-2?u=78163626
Lab Exercise
Footprinting & Reconnaissance

Google hack, Time Machine and Dig


Reconnaissance is easy if you know how to look.

Question:

1. Why is any of this useful to non-hackers?

Hackers use this information to plan and achieve their initial objectives
to break into systems.
Lab Exercise
Footprinting & Reconnaissance

Instructor led: 192.Com and Netcraft.com


Information on people and places is sitting somewhere online.

There are a lot of multi-role tools out there – but don’t forget about
defense-in-depth and the need for having different vendors’ tools
Lab Exercise
Footprinting & Reconnaissance

Shodan
Google for hackers

Vast amounts of information that can be illegal to make use of

Businesses and organisations that find their information on Shodan can
use this to better secure their networks!
Footprinting & Reconnaissance
What we’ve covered so far

• Passive recon

• Active recon

• Tools and activities in order to perform recon

• Why they’re effective

• How to prevent those methods being leveraged against us

• Dig commands

• DNS record types

• Passive recon in practice

• Shodan
Footprinting & Reconnaissance
Pop Quiz

Answer the following:


1. A, AAAA and MX are examples of what kind of records?

2. What is using Google to find very specific information often referred to as?

3. What is social engineering via email generally called?

Hands up in Teams once you’re done!


Questions?
Module 3: Threat Actor Thinking
1. Hacking Lifecycle

2. Footprinting & Reconnaissance

3. Scanning

4. Enumeration
Scanning
Scanning Types

• As with reconnaissance, scanning can also be put into two main categories:

• Active

• Passive
Scanning
Scan types

• Ping Sweeps

• Vulnerability Scanners

• Banner Grabs

• Network Scanning

• Idle Scans

• Port scans

• Fragmented
Scanning
Reasons they’re effective

• Discover live systems

• Discover OSs

• Firewall evasion

• Very easy

• Can be anonymous
Scanning
Preventing their abuse

• Firewalls

• Monitoring systems

• Audits
Scanning
Three-way Handshake

Client -> Server: SYN

Server -> Client: SYN/ACK

Client -> Server: ACK

Connection Established
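A scanner that never completes the handshake above leaves a distinctive trace: one source sending SYNs to many different ports in a short time. The following is an added example for this module (not part of the original slides) of the kind of check a monitoring system or firewall log review would run. The log lines are constructed in a simplified key=value format, and the thresholds (5 distinct ports within 10 seconds) are illustrative assumptions.

```python
"""Detect a SYN port sweep in firewall log lines.

Added example for this course module, not part of the original slides: the
log lines are constructed in a simplified key=value firewall format and the
thresholds are illustrative. A scanner sends a SYN to many ports and never
completes the three-way handshake, so the indicator a monitoring system looks
for is one source touching many distinct destination ports in a short window.
"""
from collections import defaultdict
import re

# Constructed sample: one host probes eight ports on a target within four
# seconds while two ordinary clients connect to 443.
SAMPLE_LOG = """\
ts=1710000000 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=21 flags=SYN
ts=1710000000 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=22 flags=SYN
ts=1710000001 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=23 flags=SYN
ts=1710000001 action=accept proto=tcp src=198.51.100.4 dst=192.0.2.10 dport=443 flags=SYN
ts=1710000001 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=25 flags=SYN
ts=1710000002 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=80 flags=SYN
ts=1710000002 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=110 flags=SYN
ts=1710000002 action=accept proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=443 flags=SYN
ts=1710000003 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=143 flags=SYN
ts=1710000003 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=445 flags=SYN
"""

LINE_RE = re.compile(r"ts=(\d+) .*?src=(\S+) dst=(\S+) dport=(\d+) flags=SYN")


def parse_syn_events(log_text):
    """Yield (timestamp, src, dst, dport) for every SYN line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts, src, dst, dport = m.groups()
            yield int(ts), src, dst, int(dport)


def find_port_sweeps(log_text, min_ports=5, window_seconds=10):
    """Return {(src, dst): sorted distinct ports} for every source/destination
    pair that hits at least min_ports distinct ports within window_seconds."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport in parse_syn_events(log_text):
        events[(src, dst)].append((ts, dport))

    sweeps = {}
    for pair, seen in events.items():
        seen.sort()  # time order, so a sliding window can be used
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window_seconds:
                start += 1
            distinct = {port for _, port in seen[start:end + 1]}
            if len(distinct) >= min_ports:
                sweeps[pair] = sorted({port for _, port in seen})
                break
    return sweeps


if __name__ == "__main__":
    for (src, dst), ports in find_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port sweep from {src} against {dst}: {ports}")
```

The two clients on port 443 are never flagged because the rule counts distinct ports per source, not connection volume; a slow scan spread over more than the window would also slip past it, which is why the window and threshold need tuning against real traffic.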
Scanning
Idle Scan
[Idle scan diagram, reconstructed as a sequence]
1. IPID probe: attacker sends a SYN/ACK packet to the zombie; zombie replies with a RST packet, IPID = 31335
2. Attacker sends a spoofed SYN packet to the target
3. Target sends a SYN/ACK packet to the zombie; zombie replies with a RST packet, IPID = 31336
4. Attacker probes the zombie again; zombie replies with a RST packet, IPID = 31337
Scanning
Let’s not get into any trouble…

• Scanning without permission can get you into a lot of trouble.

• Military and other governmental IP ranges should be avoided at all costs.

• Do not scan random IP addresses “For fun”.

• In a lot of cases, scanning is illegal – especially against military and governmental
sites/addresses.
LinkedIn Learning
Footprinting and Reconnaissance
1 Hour 45 Minutes

Section 1, 3 - 6 + Quizzes
https://www.linkedin.com/learning/security-testing-nmap-security-scanning/mapping-networks-with-nmap?u=78163626
Scanning
NMAP scanning results

• Unfiltered:
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is
open or closed.

• Open|Filtered:
Nmap places ports in this state when it is unable to determine whether the port is open or filtered.

• Closed|Filtered:
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only
used for the IP ID idle scan.
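The states above, and the idle scan a few slides back, both come down to how a scanner interprets what it does (or does not) get back. This added example for the module (not from the slides and not Nmap's own code) models that inference without sending any packets: a direct SYN probe maps its reply to open, closed or filtered, and the idle scan maps the change in the zombie's IP ID to open or closed|filtered, using the 31335 to 31337 figures from the diagram. Function and constant names are this example's own.

```python
"""How a scanner turns probe replies into the port states Nmap reports.

Added example for this course module, not part of the slides or of Nmap
itself: the reply names and the IP ID arithmetic follow the slides'
handshake and idle-scan descriptions, and no packets are sent. Function
names are this example's own.
"""

# The replies a single SYN probe can see; NONE means nothing came back.
SYN_ACK = "SYN/ACK"
RST = "RST"
ICMP_UNREACHABLE = "ICMP unreachable"
NONE = "none"


def syn_probe_state(reply):
    """State a direct SYN probe assigns to a port from the reply it gets."""
    if reply == SYN_ACK:
        return "open"       # the target offered step two of the three-way handshake
    if reply == RST:
        return "closed"     # reachable, but nothing is listening
    if reply in (NONE, ICMP_UNREACHABLE):
        return "filtered"   # something in the path dropped or rejected the probe
    raise ValueError(f"unexpected reply: {reply!r}")


def idle_scan_state(ipid_before, ipid_after):
    """State inferred from the zombie's IP ID counter around one spoofed SYN.

    The zombie's RST to our first probe shows its current IP ID. If the target
    port is open, the target sends the zombie a SYN/ACK, which the zombie
    answers with a RST (one more increment). A closed port makes the target
    send a RST, and a filtered port sends nothing; either way the zombie stays
    silent, so those two cases cannot be told apart: closed|filtered.
    """
    delta = (ipid_after - ipid_before) % 65536   # the IP ID field is 16 bits and wraps
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    # Any other value means the zombie sent its own traffic in between:
    # it is not the quiet host an idle scan needs, so nothing can be concluded.
    return "unknown"
```

For a defender the useful part is the last branch: a host whose IP ID counter moves unpredictably (or is randomised) cannot be used as a zombie, which is one of the reasons modern operating systems stopped using a single global incrementing counter.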
Lab Exercise
Scanning

NMAP
A powerful yet simple to use scanning tool

Question:

1. Who would use NMAP in a business setting?

2. Why?

Hackers, security researchers, network admins and engineers
will use tools such as NMAP to test or troubleshoot target networks
Scanning
What we’ve covered so far

• Ping sweeping

• Vulnerability scanning

• Banner grabbing

• Port scanning

• Idle scanning

• Fragmented scans

• TCP Three-way Handshake (Full Connect)

• Idle scanning in-depth

• NMAP scan result niches

• Basic NMAP flags
Scanning
Pop Quiz

Answer the following:


1. What three requirements are needed for a chosen zombie to be ideal for an idle scan?

2. When is a SYN packet sent from a machine, and for which protocol?

3. What is the -sV flag called/used for when NMAP scanning?

Hands up in Teams once you’re done!


Questions?
Module 3: Threat Actor Thinking
1. Hacking Lifecycle

2. Footprinting & Reconnaissance

3. Scanning

4. Enumeration
Enumeration
Recon-ng

• Recon-ng is a web reconnaissance framework written in Python.

• Complete with independent modules, database interaction, built-in convenience functions,
interactive help, and command completion.

• Recon-ng provides a powerful environment in which open-source, web-based reconnaissance can
be conducted quickly and thoroughly.

• Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for
leveraging the framework.
Lab Exercise
Enumeration

Recon-ng
All-in-one dashboard

Various modules for an array of security needs

Question:

What could you utilise Recon-ng to discover?

There are a lot of multi-role tools out there – but don’t forget about
defense-in-depth and the need for having different vendors’ tools
Enumeration
DNS Enumeration

• DNS is a source for active information gathering.

• DNS offers a variety of information about public (and sometimes private!) organization servers,
such as IP addresses, server names and server functionality.
Enumeration
DNS Enumeration

• A DNS server will usually divulge DNS and mail server information for the domain it has authority
over.

• This is a necessity, as public requests for mail and DNS server addresses make up the basic
Internet experience.

• For example, let’s examine the fdmgroup.com domain. We’ll use the host command, together with
the -t (type) parameter, to discover both the DNS and mail servers for the fdmgroup.com domain.
Enumeration
DNS Zone Transfers

• A zone transfer is similar to database replication between related DNS servers.

• This process includes the copying of the zone file from a primary DNS server to a secondary
server.

• The zone file contains a list of all the DNS names configured for that zone. Zone transfers should
usually be limited to authorized slave DNS servers.

• Unfortunately, many administrators misconfigure their DNS servers, and as a result, anyone
asking for a copy of the DNS server zone will receive one.

• This is equivalent to handing a hacker the corporate network layout on a silver platter.
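What an unrestricted zone transfer actually hands over is the zone file in the standard presentation format: one record per line, name, TTL, class, type and data. The following is an added example for this module (not from the slides) that parses a constructed zone for the made-up domain example.test and summarises what it exposes, including any A records that point into private address space. An administrator can run the same parse over their own zone to see what a transfer would reveal before deciding who is allowed to request one; the function names are this example's own.

```python
"""Parse a zone file as returned by a zone transfer and summarise its exposure.

Added example for this course module, not from the slides. The zone below is
constructed for the made-up domain example.test; the record layout follows the
standard "<name> <ttl> IN <type> <rdata>" presentation format.
"""
from collections import Counter

# Constructed zone data as it would arrive from an unrestricted zone transfer.
CONSTRUCTED_ZONE = """\
example.test.        3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 300
example.test.        3600 IN NS    ns1.example.test.
example.test.        3600 IN NS    ns2.example.test.
example.test.        3600 IN MX    10 mail.example.test.
ns1.example.test.    3600 IN A     192.0.2.1
ns2.example.test.    3600 IN A     192.0.2.2
mail.example.test.   3600 IN A     192.0.2.10
www.example.test.    3600 IN A     192.0.2.20
www.example.test.    3600 IN AAAA  2001:db8::20
vpn.example.test.    3600 IN A     192.0.2.30
intranet.example.test. 3600 IN A   10.0.5.12   ; internal address leaked into the public zone
backup-db.example.test. 3600 IN A  10.0.5.40   ; same
"""


def parse_zone(text):
    """Return a list of (name, ttl, rtype, rdata) tuples, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a comment in zone files
        if not line:
            continue
        name, ttl, klass, rtype, rdata = line.split(None, 4)
        if klass != "IN":
            raise ValueError(f"unexpected class {klass!r} in {line!r}")
        records.append((name, int(ttl), rtype, rdata))
    return records


def is_private_ipv4(addr):
    """RFC 1918 check (10/8, 172.16/12, 192.168/16), enough for this example."""
    a, b, *_ = (int(x) for x in addr.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def exposure_report(records):
    """Count records by type, list every host with an address record, and flag
    hosts whose A record points at a private range (the network layout leak)."""
    by_type = Counter(rtype for _, _, rtype, _ in records)
    hosts = sorted({name for name, _, rtype, _ in records if rtype in ("A", "AAAA")})
    internal = sorted(name for name, _, rtype, rdata in records
                      if rtype == "A" and is_private_ipv4(rdata))
    return {"by_type": dict(by_type), "hosts": hosts, "internal_hosts": internal}


if __name__ == "__main__":
    report = exposure_report(parse_zone(CONSTRUCTED_ZONE))
    print(report["by_type"])
    print("hosts exposed:", report["hosts"])
    print("internal addresses in public zone:", report["internal_hosts"])
```

The internal_hosts list is the part worth acting on: names such as intranet and backup-db with 10.x addresses tell an outsider both that those systems exist and where they sit, which is exactly the "network layout" the slide warns about.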
Enumeration
DNS Sinkholing

• A sinkhole server, Internet sinkhole or Blackhole DNS is a DNS server that gives out false
information to prevent the use of a domain name.

• Network-level disabling:
A sinkhole is a standard DNS server that has been configured to hand out non-routable addresses
for all domains in the sinkhole, so that every computer that uses it will fail to get access to the real
website.
The higher up the DNS resolution chain the sinkhole is, the more requests it will block as it will
supply answers to a greater number of lower NS servers that in turn will serve a greater number of
clients. Some of the larger botnets have been made unusable by TLD sinkholes that span the
entire Internet.

• Host-level disabling:
By default, the local hosts file on a Microsoft Windows, Unix or Linux computer is checked before
DNS servers, and can also be used to block sites in the same way.
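To make the two levels of disabling concrete, here is an added example for this module (not from the slides) that models the lookup order the text describes: the local hosts file is consulted first, then the configured resolver, which in this model sinkholes an entire domain and everything under it, and only then does the "real" authoritative answer apply. Hostnames, addresses, the block list and the function names are all constructed for the example; nothing here talks to a real resolver.

```python
"""Model of where host-level and network-level sinkholing sit in name resolution.

Added example for this course module, not from the slides. Names, addresses
and the block list are constructed, and the functions are this example's own
simplified resolver, not a real DNS implementation.
"""

# Constructed local hosts file: the OS checks this before asking any DNS server.
HOSTS_FILE = """\
127.0.0.1   localhost
0.0.0.0     ads.example.test       # host-level block: non-routable answer
"""

# What authoritative DNS would actually answer (constructed).
REAL_ANSWERS = {
    "www.example.test": "192.0.2.20",
    "ads.example.test": "198.51.100.50",
    "c2.malicious.test": "203.0.113.66",
    "update.malicious.test": "203.0.113.67",
}

SINKHOLE_ADDRESS = "0.0.0.0"   # non-routable, so the client's connection simply fails


def parse_hosts(text):
    """Return {hostname: address} from hosts-file syntax: address, then names, '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            table[n.lower()] = addr
    return table


def sinkholed(name, sinkhole_domains):
    """True when name is in, or anywhere below, a sinkholed zone."""
    name = name.lower().rstrip(".")
    return any(name == zone or name.endswith("." + zone) for zone in sinkhole_domains)


def resolve(name, hosts=HOSTS_FILE, sinkhole_domains=("malicious.test",)):
    """Resolve in the order the slides describe and say which stage answered."""
    table = parse_hosts(hosts)
    name = name.lower().rstrip(".")
    if name in table:                       # host-level disabling wins first
        return table[name], "hosts file"
    if sinkholed(name, sinkhole_domains):   # network-level disabling by the resolver
        return SINKHOLE_ADDRESS, "sinkhole"
    if name in REAL_ANSWERS:                # nothing blocked it: the real record
        return REAL_ANSWERS[name], "authoritative"
    return None, "NXDOMAIN"


if __name__ == "__main__":
    for host in ("www.example.test", "ads.example.test", "c2.malicious.test", "update.malicious.test"):
        print(host, "->", resolve(host))
```

Sinkholing the whole malicious.test zone blocks every name under it, which is the "higher up the chain, more requests blocked" effect in the slide: one entry at the resolver covers hosts the hosts-file approach would have to list individually on every machine.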
Lab Exercise
Enumeration

DNS Enum and DNS Recon


All-in-one dashboard.

Question:

1. What information/record type is DNS Recon grabbing?

There are a lot of multi-role tools out there – but don’t forget about
defense-in-depth and the need for having different vendors’ tools
Enumeration
Server Message Block

• The Server Message Block (SMB) protocol’s security track record has been poor for over a
decade, due to its complex implementation and open nature.

• From unauthenticated SMB null sessions in Windows 2000 and XP, to a plethora of SMB bugs and
vulnerabilities over the years, SMB has seen its fair share of action.

• That said, the SMB protocol has also been updated and improved in parallel with Windows
Operating Systems releases.
Enumeration
SMB Versions

• Here is a quick list to clarify SMB version numbers, and their related Windows Operating system
versions:

• SMB1- Windows 2000, XP and Windows 2003

• SMB2- Windows Vista SP1 and Windows 2008

• SMB2.1- Windows 7 and Windows 2008 R2

• SMB3- Windows 8 and Windows 2012


Lab Exercise
Enumeration

Scanning for NetBIOS, NMAP to File and NMAP SMB Script


All-in-one dashboard

Various modules for an array of security needs

There are a lot of multi-role tools out there – but don’t forget about
defense-in-depth and the need for having different vendors’ tools
Enumeration
SNMP

• Simple Network Management Protocol (SNMP) is a poorly understood protocol by many network
administrators.

• This often results in SNMP misconfigurations, which can result in a dramatic information leakage.

• SNMP is based on UDP and is therefore susceptible to IP spoofing, and replay attacks. In
addition, the commonly used SNMP protocols 1, 2 and 2c offer no traffic encryption, meaning
SNMP information and credentials can be easily intercepted over a local network.

• Traditional SNMP protocols also have weak authentication schemes, and are commonly left
configured with default public and private community strings.

• MIB values
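The misconfigurations listed above are easy to check for in the agent's own configuration. This added example for the module (not from the slides) audits two constructed Net-SNMP style snmpd.conf texts, one weak and one hardened, for default community strings, v1/v2c community access, unrestricted sources and SNMPv3 users without privacy. The directive names (rocommunity, rwcommunity, com2sec, createUser, rouser) are Net-SNMP's; the finding levels and the function name are this example's own.

```python
"""Audit a Net-SNMP style snmpd.conf for the weaknesses the slides list.

Added example for this course module, not from the slides. Both config texts
are constructed; the directive names are Net-SNMP's, the severity labels and
function name are this example's own.
"""

WEAK_CONFIG = """\
# constructed snmpd.conf with common mistakes
rocommunity public
rwcommunity private 192.0.2.0/24
com2sec readonly default public
createUser monitor SHA "s3cretPassphrase" AES
rouser monitor priv
"""

HARDENED_CONFIG = """\
# constructed snmpd.conf: SNMPv3 only, authPriv, no community strings at all
createUser monitor SHA "s3cretPassphrase" AES
rouser monitor priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmpd(text):
    """Return a list of (severity, message) findings for one config text."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # v1/v2c access: the community string travels in clear text over UDP
            community = fields[1] if len(fields) > 1 else ""
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("critical", f"default community string {community!r} via {directive}"))
            else:
                severity = "high" if directive.startswith("rw") else "medium"
                findings.append((severity, f"v1/v2c community access via {directive} (no encryption)"))
            if len(fields) == 2:   # no SOURCE argument: any address may query
                findings.append(("medium", f"{directive} {community!r} has no source restriction"))

        elif directive == "com2sec":
            # com2sec SECNAME SOURCE COMMUNITY
            if len(fields) >= 4 and fields[3].lower() in DEFAULT_COMMUNITIES:
                findings.append(("critical", f"default community string {fields[3]!r} via com2sec"))
            if len(fields) >= 3 and fields[2].lower() == "default":
                findings.append(("medium", "com2sec accepts any source address"))

        elif directive in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv]; only priv encrypts the traffic
            level = fields[2].lower() if len(fields) > 2 else "auth"
            if level != "priv":
                findings.append(("medium", f"{directive} {fields[1]} without privacy (no encryption)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmpd(WEAK_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened config findings:", audit_snmpd(HARDENED_CONFIG))
```

The hardened text produces no findings because it only defines an SNMPv3 user at the priv level, which addresses both of the slide's complaints at once: no community string to guess or sniff, and authenticated, encrypted traffic.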
Enumeration
What we’ve covered so far

• Recon-ng

• DNS enumeration

• DNS Zone Transfers

• DNS Sinkholing

• SMB

• SNMP
Enumeration
Pop Quiz

Answer the following:


1. Give three examples of what SMB enables within a network.

2. What is SNMP primarily used for?

3. When should a DNS Zone Transfer be permitted?

Hands up in Teams once you’re done!


Questions?
Have a good evening and see you tomorrow!
