Gathering Information about targets

Part II

Once the target is identified, attackers begin their tasks. To launch an attack or gather information, they rely on the tools and capabilities available to them.

As per my previous post, targets are also chosen based on the tools attackers can buy or create, which in turn depends on their intent, motives and capabilities. Most of the time the motive is financial gain. Below are a few tools available to sophisticated attackers and script kiddies alike:

  • Kali Linux comes with a plethora of tools, from information gathering to launching attacks.
  • AutoSploit
  • Metasploit
  • PowerSploit
  • Exploit builders – available on multiple marketplaces, usually for sale or rent.
  • XXXXX-as-a-service – malware, ransomware, crypto and others. These services are either for sale or for rent. Customised services are also available on request, such as banking injects.
  • Services like BlackTDS – a multitenant traffic distribution system (TDS) that has been advertising its services on underground markets since the end of December 2017 (see the Proofpoint article).
  • Underground forums and marketplaces where the above or other services and tools are advertised.
  • Cracked vendor tools
  • Tools and projects available on GitHub.

A few underground marketplaces:

  • exploit.in
  • antichat.ru
  • cop.su
  • zloy.bz
  • hackersoft.ru
  • darkweb.ws

Why is this important to know? As a target (any organisation or individual user), one should know about the tools that can be used against them. Monitoring and understanding such tools helps to prepare for what is coming.

More about information gathering can be found in my previous blog entry: https://fl0x2208.com/2015/11/28/information-gathering-then-now-and-why/

Consider a scenario of phishing users for their credentials. Once collected, these credentials are mostly sold on marketplaces.

  1. Motive: Financial gain
  2. Targets: To phish a user they need to contact them, mostly via email address or phone.
  3. Getting emails/phone numbers: Again, this goes back to the marketplaces, where people sell dumps containing emails and phone numbers from other sites. These hacks are mostly done to gain vouches and recognition on the underground marketplaces. Another way to get emails/phone numbers is scanning social media sites and other publicly available sources.
  4. Tools: A phishing kit is bought or created. Document templates and pages are available that these actors can use for phishing.
  5. Phishing hosting or compromising a site: Tools mentioned above such as BlackTDS, VPS service providers etc. help to host the phishing site. Otherwise attackers look for vulnerable public sites and host their phishing pages there. To compromise them they use tools available in Kali, for example.
  6. Actions: Mostly the credentials are stored in a database via a POST to a PHP script, or they are sent to an email address. These credentials are then either used or sold on underground marketplaces.

The cycle then restarts at step 1, for the same scenario or a different one.

What can we do to stop this?

This can’t be stopped entirely. However, we can make it harder for the phishers, and avoid falling for phishing, by educating ourselves. Being proactive and reporting phishing attempts to the authorities or to the organisation being impersonated can also help to take down the phishing site as early as possible.

Following are some links showing some phishing examples:

CIF – Feodotracker threat feeds

Good Day guys!!!!!

I was able to write another YML script to collect feeds from Feodotracker; it has been uploaded to my GitHub account and also to a project that I am honoured to work on with CSIRT (with guidance from Wes Young) – BEARDED AVENGER. This is a new version of CIF.

The threat feed is provided in RSS format, and therefore an RSS parser has been used. The YML script is available on my GitHub account – https://github.com/makflwana/CIF-Threat-Feeds-and-parsers

Happy Hunting!!!!!!!

CIF – cleanmx threat feeds

Good Day today indeed. I have finally got some time to work on my CIF skills and on writing configuration (YAML scripts) to fetch open source threat feeds.

I started with the disabled configuration (/etc/cif/rules/disabled/cleanmx.cfg) for cleanmx. The provided cleanmx.cfg file should be referenced for the remote sites and the id for cleanmx, which are required to write the YML script.

The threat feed is provided in XML format, and the remote site link can be taken either from the config file or directly from the cleanmx site (support.clean-mx.de). I would always recommend checking the feed links in a browser regularly to see whether they are responding and whether they are still the correct links to fetch the feeds from. Sometimes they change.

The YML script is available on my GitHub account – https://github.com/makflwana/CIF-Threat-Feeds-and-parsers
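As an added example (not the YML scripts from my GitHub account or CIF's own feed parser), here is the kind of parsing step the Feodotracker and cleanmx posts above describe: an RSS feed is read and each item is turned into an indicator record, with items that are not usable indicators skipped rather than blindly ingested. The feed content is constructed for this example, and the CIF-style field names (indicator, itype, reference) are an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample RSS feed, loosely shaped like a botnet C2 tracker feed.
# These entries are made up for the example; they are not real feed records.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Sample C2 tracker feed (constructed)</title>
<item><title>203.0.113.10</title><link>https://feed.example/entry/1</link>
<description>Status: online, Type: Dridex C2</description></item>
<item><title>c2.example.net</title><link>https://feed.example/entry/2</link>
<description>Status: offline, Type: Emotet C2</description></item>
<item><title>not-an-indicator!!</title><link>https://feed.example/entry/3</link>
<description>garbage</description></item>
</channel></rss>"""

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
FQDN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(value):
    """Return 'ipv4', 'fqdn' or None; anything else is not a usable indicator."""
    if IPV4.match(value) and all(int(o) <= 255 for o in value.split(".")):
        return "ipv4"
    if FQDN.match(value):
        return "fqdn"
    return None


def parse_feed(xml_text):
    """Turn RSS <item> elements into indicator records (CIF-style field names,
    an assumption here). Unusable items are skipped; an empty result from a feed
    that used to yield records is the hint that its URL or format has changed."""
    root = ET.fromstring(xml_text)
    records = []
    for item in root.iter("item"):
        value = (item.findtext("title") or "").strip()
        itype = classify(value)
        if itype is None:
            continue  # malformed or unexpected entry: do not ingest it
        desc = item.findtext("description") or ""
        status = re.search(r"Status:\s*(\w+)", desc)
        records.append({
            "indicator": value,
            "itype": itype,
            "reference": item.findtext("link"),
            "status": status.group(1).lower() if status else "unknown",
        })
    return records
```

Fetching the real feed is left to the caller (the CIF rule supplies the URL); the records returned here are what would be handed on to CIF.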

I will be writing more scripts to fetch open source threat feeds. If you guys have any threat feeds that are open source and not covered yet, please let me know.

Happy Hunting!!!!!!!

Information Gathering – Then, Now and Why?

Information gathering is considered the first and most important step before launching any type of attack, hacking or penetration test.

Information gathering is known by several names – reconnaissance, intelligence assessment, surveillance, etc. The better an attacker or analyst is at gathering information about the target, the better he or she can exploit it.

In the cyber world there are multiple techniques for information gathering:

  1. Footprinting – profiling an internet or intranet network
  2. Enumeration – looking for weaknesses in known services.
  3. Scanning – determining whether targets are alive or not, via active or passive scans
  4. Social engineering – the best active and passive technique; I will be writing about this and my experience with it in coming posts.
  5. Dumpster diving – going through the garbage and collecting information

Back in the 80s we did not have tools such as nmap, Maltego or distros with built-in tools to make our lives easier, nor the complex network deployments and sense of security that we have nowadays.

However, the good side of this was that information gathering was still being done, mostly passively. Sitting for hours and hours with binoculars to spot the target and understand their movements – the military did this, and still does. Understanding the patterns and using your brain to identify weaknesses, or what we now call vulnerabilities. Unfortunately, these days, at least in the cyber world, we just run tools and wait for them to show results while playing games on a console.

In the old days, analysts or attackers visited websites and manually catalogued them like a telephone directory. Communications were mostly carried out over the telephone network. They used PING and TRACEROUTE to understand a network and drew the network graph by hand. It was challenging but worth it. Some attackers also did dumpster diving.

In the past decade, the sophistication of information gathering tools has definitely increased. Recently nmap announced a new version. New tools certainly assist in sophisticated information gathering and attacks, but I always wonder whether the person using them still needs to be intelligent. Where has out-of-the-box, intelligent thinking gone these days? Why is an organisation’s offensive team failing against those sophisticated tools? Are the hackers smarter nowadays, or is the sense/awareness of security in organisations just on paper?

A defender or an organisation should invest smartly in resources to make sure information gathering makes the attackers sweat. You know your security controls are just an illusion when your corporate data is an easy Google search away. This is likely why hackers are always one step ahead: organisations ignore security and concentrate on selling and marketing their product. It is also one of the reasons organisations don’t invest in an offensive/security team to make sure they are secured not only internally but also against external threats.

I have journeyed from the offensive side to the defensive and am able to understand how an offender or hacker thinks and looks for ways to get into a system. Besides following standards and deploying expensive hardware, we must invest in brains that can actually carve the data into meaningful intelligence and recommend/configure security controls that actually stop the attackers.

As information gathering is the first step in attacks on a target, we must make sure to harden our security controls and understand what information is publicly available and what risks it can pose when used by an attacker.