
0201 | Red Team Recon

Red Teaming | Red Team Recon | Summary:

The room provides training on different types of reconnaissance, including WHOIS and DNS-based reconnaissance, advanced searching techniques, and specialized search engines.

Additionally, it delves into specific tools and techniques such as Google Hacking, Recon-ng, and Maltego, offering a comprehensive understanding of the reconnaissance process in a cyber attack or penetration test scenario.

Overall, it aims to equip users with the skills and knowledge necessary to gather valuable information about a target using various reconnaissance methods and tools.

Disclaimer

Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.

Learning Objectives

  • Types of reconnaissance activities
  • WHOIS and DNS-based reconnaissance
  • Advanced searching
  • Searching by image
  • Google Hacking
  • Specialized search engines
  • Recon-ng
  • Maltego

1 | Introduction

Reconnaissance (recon) is crucial to launching successful attacks. It involves gathering information about a target without alerting them, and it can be done through various methods such as searching for publicly available information, discovering subdomains, finding email addresses, and locating leaked documents.

Here we focus on passive reconnaissance techniques that don't create "noise" or alert the target, with specific objectives including identifying subdomains, gathering host and IP address info, and finding login credentials.

2 | Taxonomy of Reconnaissance

Reconnaissance is divided into two categories: passive and active recon.

Passive recon

  • involves gathering information from publicly available sources without interacting with the target, utilizing Open Source Intelligence (OSINT)
  • collecting domain names, IP address blocks, email addresses, employee names, and job posts through DNS record queries or social media profiles

Active recon

  • necessitates direct interaction with the target by sending requests and observing responses
  • examples of active reconnaissance techniques are using Nmap to scan target subnets and hosts for live services, version numbers, and running servers
  • can be further classified into
    • external recon | performed from outside the network
      • running Nikto scans from the Internet
    • internal recon | conducted within the target's network
      • using tools like Nessus on an exploited host inside the target network to scan their internal infrastructure

3 | Built-in Tools

WHOIS vs. DNS Records

WHOIS and DNS (Domain Name System) records are both important parts of the internet's infrastructure, but they serve different purposes.

WHOIS is a protocol used for querying databases that store registered users or assignees of a domain name or an IP address. It provides information about the domain registrant, including their name, organization, address, and contact details.

DNS, on the other hand, is a decentralized system that translates human-readable domain names (like www.example.com) into IP addresses (like 192.0.2.1) that computers use to identify each other on the network. DNS records include various types of information, such as A records, MX records, and CNAME records, that help route traffic to the correct servers and provide additional information about the domain.

In summary, WHOIS provides information about the registrant of a domain, while DNS records provide information about how to route traffic to the correct servers for that domain.

WHOIS queries

  • WHOIS is a protocol that follows RFC 3912 specifications for requesting and receiving domain registration data
  • servers listen on TCP port 43 and store records maintained by registrars leasing the domain names
  • whois | to query the WHOIS database
    • example | whois thmredteam.com
  • Possible available Information
    • Registrar's WHOIS server and URL
    • Record creation and update dates
    • Contact details (registrant, admin, tech) including names, addresses, and email/phone numbers
    • results may also reveal authoritative name servers for the queried domain
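
As an added example (not part of the room or this write-up), the following Python script performs the RFC 3912 exchange described above (TCP port 43, query terminated by CRLF, read until the server closes the connection) and parses the fields the room lists from a constructed sample reply; the domain, server name and record values are placeholders.

```python
import socket

# Constructed sample of a WHOIS reply, modelled on the field names the room
# lists (registrar WHOIS server, creation/update dates, contacts, name servers).
# Placeholder values only; this is not a real registration record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.TEST
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2023-03-01T10:20:30Z
Creation Date: 2020-01-15T08:00:00Z
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE-TARGET.TEST
Name Server: NS2.EXAMPLE-TARGET.TEST
Registrant Email: hostmaster@example-target.test
>>> Last update of whois database: 2023-06-01T00:00:00Z <<<
"""

# Scalar fields worth keeping from a reply; everything else is ignored.
FIELDS = ("Registrar WHOIS Server", "Creation Date", "Updated Date",
          "Registrar", "Registrant Email")


def whois_query(domain: str, server: str, port: int = 43, timeout: float = 10.0) -> str:
    """RFC 3912 client: send '<domain>\\r\\n' over TCP and read until EOF.
    Makes a real network connection, so it is not exercised by the offline demo."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Extract the fields in FIELDS plus all Name Server lines (lower-cased, sorted)."""
    result = {"name_servers": []}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):
            continue              # skip free text and the trailing footer
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name Server" and value:
            result["name_servers"].append(value.lower())
        elif key in FIELDS:
            result[key] = value
    result["name_servers"].sort()
    return result
```

To run it against a live server, call `parse_whois(whois_query("example.com", "whois.verisign-grs.com"))`; the parser itself works on any saved reply.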

DNS queries

  • nslookup (available on Unix-like systems, Windows, and macOS) | uses the default DNS server to fetch A and AAAA records for a given domain
    • example | nslookup cafe.thmredteam.com
  • dig (Domain Information Groper) | another Unix-like system tool that offers extensive query options and allows specifying alternative DNS servers
    • example | dig @1.1.1.1 tryhackme.com (using Cloudflare's DNS server)
  • host | a versatile DNS lookup utility available on Unix-like systems
    • example | host cafe.thmredteam.com

Route Tracing

  • traceroute or tracert (depending on the operating system) | for tracing the route taken by packets from your system to the target host
    • example | traceroute cafe.thmredteam.com
  • helps identify intermediate routers (hops) connecting you to the target, though some non-responsive routers may be indicated with an asterisk (*)

In summary, these tools enable querying WHOIS databases and DNS servers for valuable information without raising alarms.

4 | Advanced Searching

Popular Search Operators

  • "search phrase" | find results with exact search phrase
  • OSINT filetype:pdf | find files of type PDF related to a certain term (OSINT)
    • other filetypes | doc | docx | ppt | pptx | xls | xlsx
  • salary site:blog.tryhackme.com | limit search results to a specific site
  • pentest -site:example.com | exclude a specific site from results
  • walkthrough intitle:TryHackMe | find pages with a specific term in the page title
  • challenge inurl:tryhackme | find pages with a specific term in the page URL

Web Interface for Advanced Searches

Search Syntax

Search engines index web pages continuously, potentially revealing confidential information such as internal documents, usernames, sensitive directories, server versions, and error messages.

The Google Hacking Database (GHDB) compiles search queries that expose such information, grouped into categories such as:

  • Footholds | intitle:"index of" "nginx.log" | to discover Nginx logs
  • Files Containing Usernames | intitle:"index of" "contacts.txt" | to discover files that leak juicy information
  • Sensitive Directories | inurl:/certs/server.key | to find out if a private RSA key is exposed
  • Web Server Detection | intitle:"GlassFish Server - Server Running"
  • Vulnerable Files | intitle:"index of" "*.php"
  • Vulnerable Servers | intext:"user name" intext:"orion core" -solarwinds.com
  • Error Messages | intitle:"index of" errors.log

Social Media

  • serve as an additional source for gathering information about a target without direct interaction
  • users often share extensive details about themselves and their work --> company employee names | password recovery questions | targeted wordlists
  • technical staff posts might disclose information about the organization's systems and vendors
    • example | network engineer recently certified by Juniper --> Juniper networking infrastructure

Job Ads

Quote | Retrieving previous versions of a job opening with the Wayback Machine

Note that the Wayback Machine can be helpful to retrieve previous versions of a job opening page on your client’s site.

  • can reveal details like names, email addresses, and potential insights into the company's systems and infrastructure, especially for technical positions
  • popular job posts can differ by country, so it's beneficial to explore job listing sites in your client's target regions
  • examining the company's official website for any published job openings may uncover additional intriguing details

5 | Specialized Search Engines

Beyond standard WHOIS and DNS tools, third-party paid services offer historical WHOIS data for comprehensive analysis. Free advanced DNS services are also available on various websites, which provide rich functionality and detailed information about domains.

WHOIS and DNS Related

  • ViewDNS.info | offers reverse IP Lookup, enabling users to find other domain names associated with specific IP addresses, even in cases of shared hosting
    • shows when a single IP address hosts multiple websites
  • Threat Intelligence Platform | requires a domain name or IP address input, launching tests for malware checks, WHOIS queries, and DNS lookups
    • presents results in an easily readable format with additional information such as resolved Name Server (NS) records to their respective IPv4 and IPv6 addresses
    • can provide a list of other domains sharing the same IP address

Specialized Search Engines

  • Censys | offers detailed information about IP addresses and domains
    • by searching one of cafe.thmredteam.com's resolving IP addresses, we can determine if it belongs to a third-party company (e.g., Cloudflare) rather than the target organization
    • this distinction is crucial for maintaining ethical scope during investigations
  • Shodan | can be used from the command line after creating an account and configuring Shodan with your API key using the command shodan init API_KEY
    • different filters are available depending on your Shodan account type
    • the shodan host <IP_ADDRESS> command retrieves geographical location data and open ports for a specified IP address
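
Added example (not from the room): a Python scope check in the spirit of the Censys point above, tagging each resolved IP address against a list of third-party provider ranges so that shared infrastructure is not mistaken for the target's own. The range list and provider labels are constructed placeholders, not real allocations.

```python
import ipaddress

# Constructed third-party ranges (documentation prefixes), labelled by a made-up
# provider name. In practice this list comes from the provider's published ranges.
THIRD_PARTY_RANGES = {
    "example-cdn": ["198.51.100.0/24", "2001:db8:100::/48"],
    "example-hosting": ["203.0.113.0/25"],
}


def build_networks(ranges=THIRD_PARTY_RANGES):
    """Parse the CIDR strings once into (network, label) pairs."""
    nets = []
    for label, cidrs in ranges.items():
        for cidr in cidrs:
            nets.append((ipaddress.ip_network(cidr, strict=True), label))
    return nets


def classify_ips(resolved, ranges=THIRD_PARTY_RANGES):
    """Map each resolved address to the third-party label it falls in,
    'in-scope' if it matches none, or 'invalid' if it is not an IP address.
    Handles IPv4 and IPv6 together (an address only matches same-family nets)."""
    nets = build_networks(ranges)
    verdict = {}
    for raw in resolved:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            verdict[raw] = "invalid"
            continue
        owner = "in-scope"
        for net, label in nets:
            if ip.version == net.version and ip in net:
                owner = label
                break
        verdict[raw] = owner
    return verdict


def in_scope_only(resolved, ranges=THIRD_PARTY_RANGES):
    """Return just the addresses that did not match any third-party range."""
    return [ip for ip, v in classify_ips(resolved, ranges).items() if v == "in-scope"]
```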

6 | Recon-ng

Recon-ng is an open-source framework that automates OSINT tasks, offering various functionalities through modules from different authors. Some modules require keys to access online APIs.

  • Start Recon-ng | recon-ng or recon-ng -w <WORKSPACE_NAME> (to start in the specified workspace)
  • Create a workspace for your project | workspaces create <WORKSPACE_NAME>
    • example | workspaces create thmredteam
  • Input starting information into the database | db insert domains (insert a domain) | db schema (check the tables in the db)
  • Search the marketplace for a module and review its details before installation | marketplace search (list all of the available modules)
    • marketplace search KEYWORD | search for available modules matching the keyword
    • marketplace info MODULE | show information about the module | marketplace info google_site_web
    • marketplace install MODULE | install the specified module | marketplace install google_site_web
    • marketplace remove MODULE | uninstall the specified module
    • module grouping categories: discovery | import | recon | reporting
    • example | marketplace search domains- (search for modules containing "domains-")
    • * in the D column --> the module has a dependency | * in the K column --> the module requires an API key
  • List installed modules and load one for use
    • modules search | list all the installed modules
    • modules load MODULE | load a specific module into memory | modules load viewdns_reverse_whois
    • CTRL + C | unloads the module
    • info | review the loaded module's info
  • Execute the loaded module to perform OSINT tasks
    • options list | list the options for the loaded module
    • options set <option> <value> | set the value of the option
    • run | run the module
      • when the module is run, it reads values from the database, gathers new kinds of information, and adds them to the database
  • Keys (optional)
    • keys list | list the keys
    • keys add <KEY_NAME> <KEY_VALUE> | add a key
    • keys remove <KEY_NAME> | remove a key

7 | Maltego

Maltego is an OSINT tool that combines mind-mapping with various transforms to gather information. Key features include:

  • Starting entities | Users input a domain, company name, person's name, or email address to initiate the process
  • Transforms | These are pieces of code that query APIs for related entity data, potentially returning zero or more entities.
  • Transform types | Some transforms may actively connect to target systems, so users should understand their functionality before use, especially for passive reconnaissance.
  • Workflow | Users can apply multiple transforms to generate new entities, such as IP addresses from DNS names and vice versa. Maltego organizes the results in a graph format.
  • Transform categories | Transforms are grouped by data type, pricing, and target audience. Some require a paid subscription, while others are available for free with Maltego Community Edition (CE).
  • Activation | Even CE requires activation, which can be done through the Maltego Transform Hub or by installing and activating Maltego CE on a personal system.
  • Integration | Maltego transforms can extract and arrange information from various sources like WHOIS databases and nslookup results.

8 | Summary

The primary objective of reconnaissance in cyber attacks is to gather detailed information about the target. This intel can then be used to inform and refine subsequent attack strategies, making them more effective. By collecting data on hosts, contacts, and other relevant details, attackers can identify vulnerabilities and launch targeted phishing campaigns.

The more intelligence gathered during this phase, the more precise and successful their attack is likely to be.