Hey, guys, welcome back to the Cyber Kill Chain in Cyber Security. This is [name unclear]. And in today's episode, we're going to continue with reconnaissance.
As I said before, reconnaissance might be one of the most important steps during a targeted attack. The hacker wants to gather as much information as possible during reconnaissance. Reconnaissance will help him in the following six steps.
It would make life a lot easier when you have all of the information handy and you know what to expect.
But we only covered the passive type of reconnaissance, where we got the IPs, we got the URLs, we got the users, we went through social media, we know who the system admin is, and so on. However, we still need more information that would help us in delivery, in exploitation, and even in weaponization. So the passive reconnaissance was looking for publicly available information. Now we need to get more active. We need to start interacting with the target. We need to get
this information from the target, and this can be technical and non-technical, keeping in mind that the target is not necessarily a system. So on the technical side, vulnerability scanning is one of the most popular activities here, because what you're doing is you want to find the vulnerability that you would exploit. So running a vulnerability scan is very popular. During the reconnaissance you will get what the available services are; you'll get what the versions of the services in use are. You'll also get the vulnerable OS, if they're using a vulnerable OS, or something if they're using a web application or the system is hosting a web application. Some of these scanners would actually give you the vulnerabilities in the application or the dependencies that are used by the application.
Keep in mind, web applications usually are extremely targeted because oftentimes the application server hosting the web application is running as root or administrator. So if you get access to a vulnerability that would allow you to run code on the application, you'll run code as root because you run as the application server running the web application. So vulnerability scanning is kind of crucial. You want to use all of the information that you get from the passive phase, the IPs, the links, the URLs, the dependencies, all the information that we got from the passive phase, and run a vulnerability scan against it.
Obviously, you want to be as quiet as possible because you don't want the target to notice any scanning that is going on.
So the second thing is fingerprinting. In fingerprinting, what we're trying to get is: what are the open services, what are the available services, what are the open ports, and most importantly, what is the OS.
And one of the most popular tools is nmap, obviously. nmap does a lot more than that. There's also a version of nmap that is GUI based and called Zenmap. I'm going to leave in the resources page links to nmap and an nmap resource that would help you get information about nmap and Zenmap.
So let's go here. nmap provides a website that is out there to be scanned. Obviously you have to be polite scanning it and not overdo it. The URL to scan is scanme.nmap.org.
So let's run this scan and see what kind of information we're getting back. So, as I said, what we want from the scan is the open ports, the available services, and, most importantly, the OS itself. We don't have this information: the open ports. I know you might say that in Censys or Shodan we got the information that 80 and 443 are open. However, this is obvious, because these are web applications, and web applications tend to use 80 and 443. However, we need to get more information about the operating system here. So we get port 22 open, which is SSH, and this would give us an indication that this is actually Linux.
The other thing that they do to guess the OS is the TCP sequence. So the TCP sequence would actually give nmap some sort of information that would help it make an educated guess about the operating system. Obviously, we got a number of operating systems. They're all in the nineties in guessing score, but almost all of them actually are Linux operating systems.
So that's nmap. This is the information that we got from nmap.
Sometimes you'll get something like an open FTP port or even a VNC port that is open. And I've seen this before: a VNC port was open. When you go to your browser and use VNC targeting that port, you get an automatic GUI-based connection to the server hosting the application.
So the next thing is web application scanning. And this would give you hidden links. If you spider through an application, it would also give you all the links available, all of the services available, the dependencies available. You can also look at whether they have a portal for administrators, a portal for employees. This would be given using web application scanners. One of the most famous web application scanning tools is Burp Suite, or ZAP, and these are both proxy scanning.
The other type of active reconnaissance is non-technical. The first one, which is not very popular, however it can happen, is physical interaction, where an attacker would actually go and communicate with the target. Again, the target is not necessarily a system. He can talk to him, he can meet with him or see him or follow him to a bar or a conference and start communicating with him.
The other thing is social media. Again, it's often used as a help for active reconnaissance, where a message on Facebook, or an email, or on LinkedIn would be sent to one of the target employees or the target system admin, with information or an interesting offer, or something like that, that the hacker got during the passive phase. And then more interaction between the hacker and the target would give the hacker more information about the targeted system or the target himself.
So we covered reconnaissance, active and passive. We have a number of questions. The first: are ping and nslookup, our examples, passive reconnaissance? Well, nslookup is, but ping is not, because you're communicating with the end server or the target server, and I've seen a lot of companies with good security operations centers that actually monitor the ping attack and investigate anything malicious, or something that looks malicious, even if it was just a ping attack. However, with nslookup, what you're doing is you're querying the DNS.
Second is: how can I determine the OS of the target? And as I said, one way is nmap. A lot of vulnerability scanners would actually try to predict the OS as well. 100% is not usually feasible because this kind of information is hidden.
Third is: what would a vulnerability scan add to my targeted attack? As I said, you would get the available services, you would get the open ports, you would get whether there's a vulnerability in the application or the dependencies that are used by the application.
Finally, how can an attacker use social media in active recon? As I said, he can use the information he gathered during the passive reconnaissance and execute a targeted campaign. A spear phishing attack on a system admin or an employee can get his passwords; you can get him to click a link that would run something on the side of the target, and so on.
So in today's lecture, we covered step one of the cyber kill chain, reconnaissance. We covered active reconnaissance, and we went through a number of examples of active recon. In the next video, we're going to talk about weaponization and weaponization techniques. See you then.
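The lecture reads an nmap result by hand: 80 and 443 are expected on a web host, an open 22 hints at Linux, the TCP/IP stack fingerprint narrows the OS guess, and an exposed FTP or VNC port deserves a second look. The script below is an added example, not the lecturer's code, that applies the same reasoning to nmap's grepable output format (the "-oG" format, whose "Ports:", "OS:" and "Seq Index:" fields are what nmap writes when run with -O). The scan result it parses is constructed: TEST-NET-1 addresses and made-up hostnames, versions and ports, not a real scan of any host. Used on a scan of your own exposed hosts, it lists what an outside scanner would learn about each of them.

```python
"""Parse nmap grepable (-oG) output and summarise what a scan reveals.

Added example for this lecture; not the lecturer's code. The sample below is
constructed (TEST-NET-1 addresses, made-up hostnames), not a real scan.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of nmap -oG output. Fields are tab-separated; a port entry
# is port/state/proto/owner/service/rpc/version/. The "OS:" and "Seq Index:"
# fields are what nmap -O adds from its TCP/IP stack fingerprint.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample, not a real result)\n"
    "Host: 192.0.2.10 (web01.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/, "
    "5900/open/tcp//vnc//VNC (protocol 3.8)/\tOS: Linux 5.4 - 5.10\tSeq Index: 260\tIP ID Seq: All zeros\n"
    "Host: 192.0.2.11 (files.example.test)\tStatus: Up\n"
    "Host: 192.0.2.11 (files.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, 8080/filtered/tcp//http-proxy///\n"
)


@dataclass
class HostReport:
    ip: str
    hostname: str
    open_ports: dict = field(default_factory=dict)   # port -> "service version"
    os_guess: Optional[str] = None                   # from nmap -O, if present


HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)$")


def parse_gnmap(text: str) -> list:
    """Return one HostReport per host, merging its Status and Ports lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment and summary lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.groups()
        report = hosts.setdefault(ip, HostReport(ip=ip, hostname=name))
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    port, state, service, version = int(parts[0]), parts[1], parts[4], parts[6]
                    if state == "open":    # filtered/closed ports are not exposure
                        report.open_ports[port] = f"{service} {version}".strip()
            elif key == "OS":
                report.os_guess = value
    return list(hosts.values())


# Ports whose exposure the lecture singles out as worth a closer look.
REVIEW_PORTS = {
    21: "FTP open: cleartext logins and file access to the host",
    5900: "VNC open: a GUI session to the host if access control is weak",
}


def assess(report: HostReport) -> list:
    """Apply the lecture's reasoning: web ports are expected, 22 hints at
    Linux, the -O fingerprint refines the guess, FTP/VNC deserve review."""
    notes = []
    if 22 in report.open_ports:
        notes.append("22/ssh open: suggests a Linux/Unix host")
    if report.os_guess:
        notes.append(f"TCP/IP fingerprint guess: {report.os_guess}")
    else:
        notes.append("no OS fingerprint (scan run without -O or stack not matched)")
    for port, msg in REVIEW_PORTS.items():
        if port in report.open_ports:
            notes.append(f"{port}: {msg}")
    unexpected = sorted(set(report.open_ports) - {22, 80, 443} - set(REVIEW_PORTS))
    if unexpected:
        notes.append("other open ports to account for: " + ", ".join(map(str, unexpected)))
    return notes


if __name__ == "__main__":
    for host in parse_gnmap(SAMPLE_GNMAP):
        print(f"{host.hostname} ({host.ip}) open: {sorted(host.open_ports)}")
        for note in assess(host):
            print("  -", note)
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`. The state check matters: a "filtered" port, like 8080 in the sample, tells the scanner a firewall is in the way but is not an exposed service, so it should not be counted as one.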