To most information security professionals, reconnaissance is the most boring part of gaining access to a target. All we want to do is fire up our scanners, seek out the subject and use our tools and tricks to break in… with consent, of course, and test the security systems of the organization.
At Rootcon XI, the annual hacking conference in the Philippines, held in Tagaytay, the first speaker was Jayson E. Street, a DEFCON regular (DEFCON being the premier hacking conference in the world, held annually in Las Vegas in the US) and author of Dissecting the Hack. He performed on-the-fly reconnaissance against one of the leading banks in the country. The bank was a random choice, and with no tools other than a browser and an Internet connection, he dissected the bank's web portal and its social media presence, down to the officers and staff, their contact information and their relationships. What a way to open up the conference! Of course, it wouldn't have been as much fun if no vulnerabilities had been discovered.
Reconnaissance, reconnoitering or, in hacking parlance, casing the establishment, is the prelude to a successful penetration test as well as to an attack. Its telltale signs are the things you should look for if you are to defend your IT systems. In the shotgun approach usually perpetrated by script kiddies, reconnaissance is an incidental activity: if they find no useful information at first glance, they often simply walk away and move on to the next target.
However, for directed attacks, where penetration of a specific target of interest is the prime goal, reconnaissance is an essential step. Organized and dedicated hackers can spend weeks, months and even years casing an establishment just to find the entering wedge that gains them a foothold and lets them progress their deed. If someone is really serious about getting into your network, time will be irrelevant. This can actually work in your favor, if you have the right mindset and tools to detect it, but that's another article right there.
Footprinting is the first step of reconnaissance. This is where search engines like Google and Shodan come into play. You harvest all publicly available information about your target, ranging from related companies, merger and acquisition news, phone numbers, contact names and email addresses, policies and links to other servers: information that is easy to get. Domain name servers are of particular interest, as they can tell you a lot about the target's network configuration. Information that might not seem valuable at first can give you subtle clues that you can use later on.
Over the years, search engines have become so powerful that they are now an indispensable hacking tool in their own right. Case in point: there is an entire book dedicated to Google Hacking. With the right query operators, your ordinary search engine can be made to dig deep and return very specific information about people and entities that you would never find by typing the usual terms into the search box.
Shodan is a step ahead of Google, as it is the best search engine for all things connected to the Internet. Cameras, routers, anything at all: as long as it has an Internet connection, it can be found. Even industrial control systems (ICS/SCADA) are just a button away. Shodan interrogates devices connected to the Internet and records the banners they display when connected to, which identify what type of device and software they are running.
Next stop is network enumeration and domain queries. In this stage of reconnaissance you try to get a sense of how the target's network is interconnected and who the respective POCs (points of contact) are; this is also where you can practice your social engineering and phishing skills. Domain name registrars such as Network Solutions and GoDaddy will be useful, but good ol' Linux commands like whois and dig do wonders too. If you don't have the tools handy, your browser is just as powerful: go to an online network tools site and you're on your way! I personally use http://www.network-tools.com, which is chock-full of awesome tools, not limited to network reconnaissance. Interrogate their DNS servers to find out what web and email servers the entity owns, and now you have a set of targets that you can perform your tests on.
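The DNS interrogation described above leaves traces on the authoritative name server. As an added defender-side example (not code from the article), the script below scans constructed BIND-style query-log lines and flags clients that attempt a zone transfer, sweep infrastructure record types, or resolve many distinct names in quick succession; the log layout and thresholds are assumptions.

```python
# Added example (not from the article): flag DNS reconnaissance in BIND-style
# query logs: zone transfer (AXFR/IXFR) attempts, sweeps of infrastructure
# record types (ANY, NS, MX, SOA, TXT) and many distinct names from one client.
import re
from collections import defaultdict

# Constructed sample in BIND's "queries" log format (assumed layout).
SAMPLE_LOG = """\
12-Oct-2017 09:00:01.123 client 203.0.113.7#41234 (example.com): query: example.com IN ANY +E (198.51.100.2)
12-Oct-2017 09:00:01.456 client 203.0.113.7#41235 (example.com): query: example.com IN MX +E (198.51.100.2)
12-Oct-2017 09:00:01.789 client 203.0.113.7#41236 (example.com): query: example.com IN NS +E (198.51.100.2)
12-Oct-2017 09:00:02.001 client 203.0.113.7#41237 (example.com): query: example.com IN AXFR -E (198.51.100.2)
12-Oct-2017 09:00:02.333 client 203.0.113.7#41238 (mail.example.com): query: mail.example.com IN A +E (198.51.100.2)
12-Oct-2017 09:00:02.666 client 203.0.113.7#41239 (vpn.example.com): query: vpn.example.com IN A +E (198.51.100.2)
12-Oct-2017 09:00:03.000 client 203.0.113.7#41240 (intranet.example.com): query: intranet.example.com IN A +E (198.51.100.2)
12-Oct-2017 09:05:10.000 client 192.0.2.50#53011 (www.example.com): query: www.example.com IN A +E (198.51.100.2)
12-Oct-2017 09:06:11.000 client 192.0.2.50#53012 (www.example.com): query: www.example.com IN AAAA +E (198.51.100.2)
"""

# Tolerates the optional "@0x..." handle newer BIND versions print after "client".
LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[\d.]+)#\d+ .*?query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Record types that map out infrastructure rather than resolve one service.
ENUMERATION_TYPES = {"ANY", "AXFR", "IXFR", "NS", "MX", "SOA", "TXT"}

def analyze_dns_log(text, name_threshold=4, sweep_threshold=3):
    """Return {client_ip: [reasons]} for clients whose query mix looks like enumeration."""
    names = defaultdict(set)   # client -> distinct names queried
    qtypes = defaultdict(set)  # client -> distinct record types requested
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            names[m["ip"]].add(m["name"].lower())
            qtypes[m["ip"]].add(m["qtype"].upper())
    findings = {}
    for ip in names:
        reasons = []
        if qtypes[ip] & {"AXFR", "IXFR"}:
            reasons.append("zone transfer attempt")
        sweep = qtypes[ip] & ENUMERATION_TYPES
        if len(sweep) >= sweep_threshold:
            reasons.append("infrastructure record sweep: " + ", ".join(sorted(sweep)))
        if len(names[ip]) >= name_threshold:
            reasons.append(f"{len(names[ip])} distinct names queried")
        if reasons:
            findings[ip] = reasons
    return findings
```

Run against a real query log, tune the thresholds to your zone's normal resolver traffic first, since large public resolvers legitimately ask for many names.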
As tools have become sophisticated and easily accessible, mainly because so many have been ported to run online, attackers have never had it so easy when casing an establishment. The bulky laptop and the complicated OS and programs are now a thing of the past. They can perform a full-blown reconnaissance run using just their mobile devices. Did I mention the proliferation of tools as native phone apps now?
Connectivity brings a lot of trade-offs, and now more than ever we should have a privacy and security mindset. Heck, our culture should be built on one! With all the data we leave out there and our reactive attitude, we are just short of giving away the keys to the kingdom, even if unconsciously or inadvertently.
Reconnaissance may be hard to detect. But with a keen eye on the logs and events (and, if you are an organization with some budget, a SIEM), an organized hacker's mindset and some training, you should be able to spot this 'prelude to an attack' and give yourself some breathing room to put up your defenses.
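To make "a keen eye on the logs" concrete, here is an added example (not code from the article) that scores clients in constructed Apache/nginx combined-format access-log lines for reconnaissance behaviour: a high share of 404 responses, never requesting the same path twice, and the user agents of well-known scanners. The scoring weights and the scanner list are assumptions to tune for your environment.

```python
# Added example (not from the article): score web-server clients for
# reconnaissance behaviour in Apache/nginx "combined" access logs. Signals:
# mostly-404 responses (path guessing), never requesting the same path twice,
# and user agents of well-known scanners. All log lines are constructed.
import re
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.9 - - [12/Oct/2017:10:00:01 +0800] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
203.0.113.9 - - [12/Oct/2017:10:00:01 +0800] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
203.0.113.9 - - [12/Oct/2017:10:00:02 +0800] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
203.0.113.9 - - [12/Oct/2017:10:00:02 +0800] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
203.0.113.9 - - [12/Oct/2017:10:00:03 +0800] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
192.0.2.20 - - [12/Oct/2017:10:01:00 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
192.0.2.20 - - [12/Oct/2017:10:01:05 +0800] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
192.0.2.20 - - [12/Oct/2017:10:01:20 +0800] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = re.compile(r"nikto|sqlmap|nmap|masscan|zgrab|dirbuster|gobuster", re.I)

def score_clients(text, min_requests=3):
    """Return {ip: (score, reasons)} for clients whose traffic looks like probing."""
    reqs = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reqs[m["ip"]].append(m)
    result = {}
    for ip, hits in reqs.items():
        if len(hits) < min_requests:   # too little traffic to judge
            continue
        score, reasons = 0, []
        not_found = sum(1 for h in hits if h["status"] == "404")
        if not_found / len(hits) >= 0.5:
            score += 2
            reasons.append(f"{not_found}/{len(hits)} requests returned 404")
        if len(hits) >= 5 and len({h["path"] for h in hits}) == len(hits):
            score += 1
            reasons.append("no repeated paths (walking the site tree)")
        if any(SCANNER_UA.search(h["ua"]) for h in hits):
            score += 3
            reasons.append("known scanner user agent")
        if score:
            result[ip] = (score, reasons)
    return result
```

A user-agent match is the weakest signal on its own, since it is trivially changed; the 404 ratio and path spread are what keep the detection useful against quieter tooling.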