Gathering Information about targets

Part II

Once the target is identified or determined, attackers begin their tasks. To launch an attack or gather information, they rely on the tools and capabilities available to them.

As per my previous post, targets are also determined by the tools attackers can buy or create, based on their intent, motives and capabilities. Most of the time their motive is financial gain. Below are a few tools that are available to sophisticated attackers and script kiddies alike:

  • Kali Linux comes with a plethora of tools, from gathering information to launching attacks.
  • AutoSploit
  • Metasploit
  • PowerSploit
  • Exploit builders – Available on multiple marketplaces – these are usually for sale/rent.
  • XXXXX-as-a-service – Malware, ransomware, crypto and others. These services are either for sale or rent. Customized services are also available based on requests such as banking injects.
  • Services like BlackTDS – BlackTDS is a multitenant TDS tool that has been advertising its services on underground markets since the end of December 2017. Proofpoint article.
  • Underground forums/marketplaces where the mentioned or other services and/or tools are advertised.
  • Cracked vendor tools
  • Tools/projects available on GitHub.

A few underground marketplaces:

  • exploit.in
  • antichat.ru
  • cop.su
  • zloy.bz
  • hackersoft.ru
  • darkweb.ws

Why is this important to know? As a target (any organisation or individual user), one should know about the tools that can be used against them. Monitoring such tools and understanding them can help to prepare for what's coming.

More about information gathering can be found on my previous blog entry : https://fl0x2208.com/2015/11/28/information-gathering-then-now-and-why/

Consider a scenario of phishing users to get their credentials. When these credentials are collected, they are mostly sold on marketplaces.

  1. Motive: Financial gain
  2. Targets: To phish a user, attackers need to contact them. It's mostly done via their email address or phone.
  3. Getting emails/phone numbers: Again, this goes back to marketplaces where people sell dumps containing emails and phone numbers from other sites. These hacks are mostly done to get vouches and recognition on the underground marketplaces. Another way to get emails/phone numbers is scanning social media sites and other publicly available sources.
  4. Tools: A phishing kit, either bought or created. There are document templates and pages available that these actors can use for phishing.
  5. Phishing hosting or compromising a site: Tools mentioned above such as BlackTDS, VPS service providers etc. help to host the phishing site. If not, attackers look for vulnerable public sites and host their phishing pages there. To compromise them they use, for example, tools available in Kali.
  6. Actions: Mostly the credentials are stored in a database via a POST to a PHP script, or they are sent to an email address. These credentials are then either used or sold on underground marketplaces.

The cycle continues from number 1, for the same scenario or a different one.

What can we do to stop this?

This can’t be stopped. However, we can make it harder for the phishers, or avoid falling for phishing, by educating ourselves. Being proactive and reporting phishing attempts to the authorities or the organisation that has been phished can also help to take down the phishing site as early as possible.

Following are some links showing some phishing examples:

 

Information Gathering – Then, Now and Why ?

Information gathering is considered the first and most important step before launching any type of attack, hacking or penetration testing.

Information gathering is known by several names – reconnaissance, intelligence assessment, surveillance etc. The better an attacker/analyst is at information gathering with regard to the target, the better he/she can exploit it.

In the cyber world there are multiple techniques for information gathering:

  1. Footprinting – profiling internet or intranet network
  2. Enumeration – Looking for weakness in known services.
  3. Scanning – Determining whether targets are alive or not – active or passive scan
  4. Social Engineering – The best active and passive technique – will be writing about this and my experience in relation to this in coming posts.
  5. Dumpster diving – going through the garbage and collecting information

Back in the 80s we did not have tools such as nmap, Maltego, or distros with built-in tools to make our life easier, nor the complex network deployments and sense of security that we have nowadays.

However, the good side of this was that information gathering was still being done. Mostly it was passive information gathering: sitting for hours and hours using binoculars to spot the target and understand their movement, as in the military, which still uses it. Understanding the patterns and using your brain to identify weaknesses, or what we now call vulnerabilities. Unfortunately, these days, at least in the cyber world, we just run tools and wait for them to show results while playing games on a console.

In the old days, analysts or attackers used websites and manually catalogued them like a telephone directory. Communications were mostly carried out over the telephone network. PING and TRACEROUTE were used to understand the network, and the network graph was created manually. It was challenging but worth it. Some attackers may do dumpster diving.

In the past decade, the sophistication of these tools for information gathering has definitely increased. Recently nmap announced a new version of itself. I always wonder: new tools do assist in sophisticated information gathering and attacks; however, does a person need to be intelligent? Where is out-of-the-box and intelligent thinking going these days? Why is an organisation’s offensive team failing against those sophisticated tools? Are the hackers nowadays smarter? Or is the sense/awareness of security in organisations just on paper?

A defender or an organisation should invest smartly in resources to make sure information gathering makes the attackers sweat. You know your security controls are just an illusion when your corporate data is an easy search on Google. This is likely the reason why hackers are always one step ahead: organisations ignore security and concentrate on selling/marketing their product. This is one of the reasons organisations don’t invest in an offensive/security team to make sure they are secured not only internally but also from external threats.

I have journeyed from the offensive side to the defensive and am able to understand how an offender or hacker thinks or looks for ways to get into a system. Besides following standards and deploying expensive hardware, we must invest in brains that can actually carve the data into meaningful, intelligent information and recommend/configure security controls to actually stop the attackers.

As information gathering is the first step in attacks on a target, we must make sure to harden our security controls and understand what information is publicly available and what risks it can pose when used by an attacker.

Command line use to check IP reputation

Looking up the reputation of an IP address is one of the most frequent tasks of a SOC analyst. There are a number of online tools and scripts that do the task.

However, I always used the command line to identify whether an IP address is blacklisted on any blacklist. The reason is that a number of online tools still show the IP as blacklisted when the actual blacklisting parties, such as Spamhaus, have already removed the IP from their blacklist.

Analysts can use either scripts or the command line to get the results. nslookup, dig and host can be used to check the IP address against known blacklisting vendors. To check, the analyst needs to know that the information they are looking for is made available through certain DNS records.

If an analyst is using online tools, then he/she can enter the actual IP address, such as 1.2.3.4. However, for the command line one has to reverse the IP address to be able to match it against the blacklists.

Samples:

nslookup 4.3.2.1.zen.spamhaus.org
host 4.3.2.1.zen.spamhaus.org
dig +short 4.3.2.1.zen.spamhaus.org

More blacklists to check :
zen.spamhaus.org
xbl.spamhaus.org
pbl.spamhaus.org
spam.abuse.ch
cbl.abuseat.org
virbl.dnsbl.bit.nl
dnsbl.inps.de
ix.dnsbl.manitu.net
dnsbl.sorbs.net
bl.spamcannibal.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
db.wpbl.info

Site to check one IP against multiple blacklists: http://multirbl.valli.org/
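
The lookup described above as a small shell script, an added example that is not from the original post: it reverses the IPv4 octets, queries each zone with dig, and keeps real listings apart from the 127.255.255.x error replies that Spamhaus documents (for instance when the query arrives through a public resolver). The function names are hypothetical, and it assumes dig is installed and that the address is IPv4.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Zones and the sample IP come from the page.

# Build the DNSBL query name: reversed IPv4 octets followed by the zone.
dnsbl_name() {
    ip=$1; zone=$2
    # Reject empty input, non-digit characters, and misplaced dots.
    case $ip in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Interpret one A record from a DNSBL answer. No answer (NXDOMAIN) means
# "not listed". Listings are returned inside 127.0.0.0/8 (RFC 5782).
# The 127.255.255.x values are Spamhaus error codes, not listings.
classify_reply() {
    case $1 in
        '')              echo "not-listed" ;;
        127.255.255.252) echo "error:zone-typo" ;;
        127.255.255.254) echo "error:public-resolver" ;;
        127.255.255.255) echo "error:rate-limited" ;;
        127.*)           echo "listed" ;;
        *)               echo "unexpected" ;;
    esac
}

# Check one IP against every zone given; prints zone, verdict, raw answer.
check_ip() {
    target=$1; shift
    for z in "$@"; do
        qname=$(dnsbl_name "$target" "$z") || { echo "not an IPv4 address: $target" >&2; return 2; }
        answers=$(dig +short "$qname" A 2>/dev/null)
        [ -n "$answers" ] || { printf '%s\t%s\n' "$z" "$(classify_reply '')"; continue; }
        printf '%s\n' "$answers" | while read -r a; do
            printf '%s\t%s\t%s\n' "$z" "$(classify_reply "$a")" "$a"
        done
    done
}

# Usage: sh dnsbl.sh 1.2.3.4 zen.spamhaus.org bl.spamcop.net
if [ $# -ge 2 ]; then check_ip "$@"; fi
```

Running it first for 127.0.0.2 confirms the resolver path works, since RFC 5782 requires IPv4 DNSBLs to list that test address; an `error:public-resolver` verdict means the query has to go through your own recursive resolver before a "not listed" result can be trusted.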