Reconnaissance is a crucial part of a Red-Teaming operation. As Abraham Lincoln would say:
If I had eight hours to chop down a tree, I’d spend the first six of them sharpening my axe.
That is not just well said; it is also a key idea that determines the overall outcome of the engagement. Therefore, during the reconnaissance phase it is important to:
- Enumerate the target’s technological landscape, which helps to prepare the toolkit and avoid detection
- Understand the organizational structure and key people, which allows better preparation for social engineering attacks
- Scout the surroundings of physical offices to see if unauthorized access can be gained to the target’s buildings
- Collect as much primary attack material (contact details, target IPs, business intelligence, etc.) as possible
If reconnaissance is done properly, the entry strategy and its execution become clear.
Reconnaissance can be performed in two ways: collecting pieces of information without actively interacting with the target, or obtaining the relevant data by directly approaching the target’s systems, people and physical facilities. So let’s see how these two types differ from each other.
++ Passive Reconnaissance
During passive reconnaissance, information about the target is gathered by analyzing data that usually resides outside the target’s infrastructure. Examples of such data sources include:
- Social networks can be used for enumerating an organization’s employees and understanding their lives, habits and interests
- Job offerings help to understand what the organization is looking for (maybe some IT security staff, maybe an engineer for a specific technology, etc.)
- Public and private data breach databases can be searched for emails related to the target organization (leaked accounts could be used for phishing campaigns, or for direct compromise if a compromised user reused a leaked password)
- External port scanning and certificate databases allow you to understand the target’s IT infrastructure and its exposure to the internet (shodan.io, censys.io and crt.sh are good places to start)
- Any public records related to lawsuits, the organization’s stock, etc. could aid in baiting top-level management
- Scouting the offices can give an impression of how people interact, where they have lunch, what the dress code is, what badges look like, what the entrance protocol is, which third parties are potentially involved in administering the building, etc.
- Metadata in email headers, office documents, etc. might leak the software used by the target company
The main advantage of passive reconnaissance is that the likelihood of being detected is very low, since the organization being analyzed has little to no means of detecting such activity.
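The metadata point above is something a defender can check on their own outbound mail. The following is an added example and not code from the original article; it audits the headers of a constructed message for leaked client software, RFC 1918 addresses and internal hostnames, where the “.corp.” naming label is an assumed internal naming convention.

```python
# Added example (not from the original article): audit an outbound email's
# headers for metadata that passively reveals software and internal topology.
import ipaddress
import re
from email import message_from_string

# Constructed sample message; hostnames, addresses and versions are made up.
SAMPLE_EMAIL = """\
Received: from mail.example-corp.test (mail.example-corp.test [203.0.113.10])
\tby mx.partner.test with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from EXCH01.corp.example-corp.test (10.20.30.40)
\tby mail.example-corp.test with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: Alice <alice@example-corp.test>
To: Bob <bob@partner.test>
Subject: Quarterly report
X-Mailer: Microsoft Outlook 16.0
X-Originating-IP: [10.20.30.41]
Message-ID: <1234@EXCH01.corp.example-corp.test>

Please find the report attached.
"""

SOFTWARE_HEADERS = ("X-Mailer", "User-Agent", "X-MimeOLE")
TOPOLOGY_HEADERS = ("Received", "X-Originating-IP", "Message-ID")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")
INTERNAL_LABEL = ".corp."  # assumed internal naming convention


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_headers(raw_message: str) -> dict:
    """Return leaked software names, private IPs and internal hostnames."""
    msg = message_from_string(raw_message)
    findings = {"software": [], "private_ips": set(), "internal_hosts": set()}
    for name in SOFTWARE_HEADERS:
        for value in msg.get_all(name, []):
            findings["software"].append(f"{name}: {value}")
    # Received, X-Originating-IP and Message-ID are the usual topology leaks.
    for name in TOPOLOGY_HEADERS:
        for value in msg.get_all(name, []):
            findings["private_ips"].update(ip for ip in IP_RE.findall(value) if is_rfc1918(ip))
            findings["internal_hosts"].update(
                h for h in HOST_RE.findall(value) if INTERNAL_LABEL in h.lower())
    return findings
```

Running this over a sample of real outbound mail shows which headers the mail gateway should strip or rewrite before messages leave the organization.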
++ Active Reconnaissance
During active reconnaissance, information about the target is gathered by directly interacting with the target’s infrastructure and people. Examples of such cases include:
- Active port and vulnerability scanning allows you to obtain the latest information about the target’s infrastructure and potential holes
- Probing the mail server for error messages can be used to enumerate valid email addresses
- Scraping the company’s website(s) is useful for gathering information about the target’s organizational structure, future plans, news, etc.
- Performing voice calls under the pretext of arranging a job interview or an “anonymous” poll about technologies used in a particular industry gives additional insights into the inner workings of the company
- Exchanging mails with the sales or HR department reveals email templates, signatures and additional metadata which can be used in further attacks, such as phishing
- Visiting the target’s offices during some kind of fair, a job interview or as a random visitor helps to identify security camera positions, the routes of the guards and other situational information which could later be used in attacks like tailgating
Active reconnaissance is noisier and increases the chances of being detected, since it is more intrusive and, if performed in a reckless manner, could raise alarms pretty quickly.
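The mail server probing listed above is exactly the kind of noise a defender can alert on, because every rejected recipient is written to the mail server’s own log. The following detection check is an added example and not code from the original article; the Postfix-style reject lines, addresses, window and threshold are all constructed.

```python
# Added example (not from the original article): flag email-address enumeration
# by counting distinct unknown recipients rejected per client within a window.
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style log lines; hosts and addresses are made up.
SAMPLE_LOG = """\
Jan  1 10:00:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <a.adams@example-corp.test>: Recipient address rejected: User unknown in local recipient table; from=<p@probe.test> to=<a.adams@example-corp.test> proto=ESMTP helo=<probe>
Jan  1 10:00:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <b.baker@example-corp.test>: Recipient address rejected: User unknown in local recipient table; from=<p@probe.test> to=<b.baker@example-corp.test> proto=ESMTP helo=<probe>
Jan  1 10:00:03 mx postfix/smtpd[1236]: 4ABC123: client=mail.partner.test[203.0.113.5]
Jan  1 10:00:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <c.clark@example-corp.test>: Recipient address rejected: User unknown in local recipient table; from=<p@probe.test> to=<c.clark@example-corp.test> proto=ESMTP helo=<probe>
Jan  1 10:00:06 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <d.davis@example-corp.test>: Recipient address rejected: User unknown in local recipient table; from=<p@probe.test> to=<d.davis@example-corp.test> proto=ESMTP helo=<probe>
Jan  1 10:00:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <e.evans@example-corp.test>: Recipient address rejected: User unknown in local recipient table; from=<p@probe.test> to=<e.evans@example-corp.test> proto=ESMTP helo=<probe>
Jan  1 10:03:15 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.partner.test[203.0.113.5]: 550 5.1.1 <bob.smit@example-corp.test>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.test> to=<bob.smit@example-corp.test> proto=ESMTP helo=<mail.partner.test>
"""

REJECT_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[([\d.]+)\]: 550 .*? to=<([^>]+)>")


def find_enumeration(log_text: str, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Map client IP -> largest number of distinct rejected recipients seen
    within any window of window_seconds, for clients reaching the threshold."""
    events = defaultdict(list)  # client ip -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # accepted mail and other lines are not rejects
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        events[m.group(2)].append((ts, m.group(3).lower()))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window starting at each reject
            rcpts = {r for t, r in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(rcpts) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(rcpts))
    return alerts
```

A single mistyped address from a legitimate partner stays below the threshold, while a client walking through a list of guessed names is reported with the number of distinct recipients it tried.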
So after you have performed extensive information gathering during this stage, you should already know:
- Target people that are likely to click on links with little to no suspicion (sales people receiving a request for a service, HR people receiving a job application, or maybe an employee who is looking for new opportunities)
- Topics that are hot for the majority of the company and thus can be used as bait in larger-scale phishing campaigns
- Email addresses (and maybe mobile phone numbers) of the majority of employees
- The landscape of externally facing systems which are somewhat vulnerable and could be easily exploited (outdated web applications, login interfaces with potentially weak password policies, unauthenticated or hidden but publicly accessible resources, etc.)
- Software used internally which could be targeted with malicious files
- Office hours and entry protocols
- Third parties servicing the target’s building (cleaning, package delivery, air-conditioning maintenance, physical security, etc.)
Having enough information is key for the next step. The more information you have (the sharper the axe), the more likely you are to get in with the first attempt. But even if the first hit is unsuccessful, the gathered intel should allow you to swiftly change the tactic or attack vector and continue with the operation.
In the next section we will analyze how the gathered information can be used to stage the initial compromise.