Thursday, December 3, 2015

Reconnaissance

Reconnaissance:
Reconnaissance is the first phase of the cyber exploitation life cycle.
In this phase, hackers focus on collecting as much information as possible about the target without being detected.
1) Collect elementary information:
   a. What does the website look like?
   b. What web server are they using?
   c. Where are they physically located?
   d. Officers of the company
   e. When was the company founded?
   f. Where did they start from?
   g. Who is providing the hosting service?
   h. Number of offices the company has
2) Discover OS, web servers & platforms:
   a. What operating system is running on the exposed systems?
   b. What web server are they using? E.g. Apache, IIS etc.
   c. What version are they using?
3) Perform queries:
   a. Whois
   b. DNS information
   c. Underlying network information
   d. Routers they are using
   e. Employee information for social engineering
4) Discover vulnerabilities:
   a. Possible vulnerabilities
Why Reconnaissance?
1) It helps us understand the security posture of the target company: its network infrastructure, exposed and possibly internal IP addresses, what sits behind the firewall, how the DMZ is set up, etc.
2) Helps narrow the attack area, i.e. the specific domains, IP addresses, ports etc. to focus on.
3) Helps in building an information database to keep track of attack vectors etc.
4) Lay out a network map.
5) It makes the job easier in the long run.
Types of recon:
1) Passive scanning: Using publicly available sources to determine as much information as possible about the target, e.g. IP addresses, OS, web servers, open services, access controls, IDS etc.
2) Active recon: Touching the target, e.g. going to a job interview, social engineering, walking through the building.
3) Anonymous: Getting information from unknown/third-party sources.
4) Organizational/private: Getting information from event calendars, email services etc.
5) Internet recon: Using internet sources, like passive recon; e.g. using Google to reconnoitre their website.
6) Pseudonymous: Collecting information from sources that are published but do not come directly from the employee or company, e.g. government records etc.

Goals of Reconnaissance:
1) What am I looking for:
   a. Network information
      i. Domain names: child domains etc.
      ii. Internal domains: e.g. .net vs. .com, where .com is used externally but .net internally
      iii. IP addresses
      iv. Unmonitored/private websites
      v. TCP/UDP services
      vi. IDS/access controls
      vii. VPN info
      viii. Phone numbers/VoIP
   b. Operating system info
      i. User & group names: e.g. how they name systems and accounts
      ii. Banner grabbing
      iii. Routing tables: how packets are getting routed
      iv. SNMP
      v. System architecture
      vi. Remote systems
      vii. System names: e.g. if one server is named after a star, we can try to identify the others from the same naming scheme
      viii. Password length etc.
   c. Organization information
      i. Organization website
      ii. Company directory
      iii. Employee details
      iv. Location details
      v. Addresses/phone numbers
      vi. Comments in HTML source code
      vii. Security policies deployed
      viii. Web server links, i.e. partnering companies
      ix. Background of the organization
      x. News/press releases
Once they have this information, hackers try to create a blueprint of the organization. This helps in identifying the different points of entry into the organization etc.
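Two of the items above, banner grabbing and comments left in HTML source, are things a site owner can check on their own servers before anyone else does. The script below is an added example written for this page, not code from the original post: it parses a raw HTTP response and reports version-bearing server banners and developer comments that should not ship. The two sample responses are constructed, and BANNER_HEADERS and SENSITIVE_WORDS are the author's own choices rather than any official list.

```python
"""Audit what an HTTP response discloses to the reconnaissance phase.
Added example for this page, not code from the original post. The sample
responses below are constructed; BANNER_HEADERS and SENSITIVE_WORDS are the
author's own choices, not an official list."""
import re

# Headers that commonly reveal the web server or application platform
# ("what web server / what version are they using" in the outline above).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                  "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Words that usually mark developer notes which should not reach production.
SENSITIVE_WORDS = ("todo", "fixme", "password", "passwd", "internal",
                   "staging", "debug")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of (kind, where, value) findings, where kind is
    'banner-with-version', 'banner' or 'sensitive-comment'."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        kind = "banner-with-version" if VERSION_RE.search(value) else "banner"
        findings.append((kind, name, value))
    for comment in COMMENT_RE.findall(body):
        text = " ".join(comment.split())
        if any(word in text.lower() for word in SENSITIVE_WORDS):
            findings.append(("sensitive-comment", "html", text))
    return findings


# Constructed sample: a default-looking configuration that leaks versions.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Example Corp</title></head><body>\n"
    "<!-- TODO: staging copy of this page lives on the internal wiki -->\n"
    "<!-- footer -->\n"
    "<p>Welcome</p></body></html>\n"
)

# Constructed sample: the same site with versions stripped and notes removed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Example Corp</title></head><body>\n"
    "<!-- footer -->\n"
    "<p>Welcome</p></body></html>\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for kind, where, value in audit_response(raw):
            print(f"  {kind:22} {where}: {value}")
```

On the leaky sample the audit reports both version banners and the TODO comment; on the hardened one only the bare product name remains. In Apache and PHP the settings that produce the second response are `ServerTokens Prod` and `expose_php = Off`; the comment has to be removed from the template itself.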

Tools Used for Reconnaissance:
1) WinHTTrack (Website Copier)
2) Webmaster toolkit (Link Extractor)
3) Whois
4) Ping
5) Nslookup
6) Netstat
7) Tracert
8) Netcraft
9) Wayback Machine
10) PoliteMail
11) Email Lookup
12) Nmap
13) Vulnerability scanners like Nessus, Nexpose etc.
14) Sniffers like Wireshark, Ettercap etc.
15) Packet crafters like Netcat, Hping etc.

Saturday, November 21, 2015

Useful Sysinternals Tools for Malware Hunting in Windows OS

Some of the tools in the Sysinternals suite are very useful for securing a Windows system as well as for identifying malicious activity on it.

I have listed the tools that I frequently use for malware hunting.

Download the Windows Sysinternals suite and explore the listed tools for malware hunting and securing your Windows system.

Tool: Description
AccessEnum: Shows the access permissions of user accounts to directories, files and Registry keys on the system. Use it to find ACL permission holes.
EFSDump: View information for encrypted files.
MoveFile: Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files.
PendMoves: See what files are scheduled for delete or rename the next time the system boots.
Process Monitor: Monitor file system, Registry, process, thread and DLL activity in real time.
PsFile: See what files are opened remotely.
SDelete: Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program.
ShareEnum: Scan file shares on your network and view their security settings to close security holes.
Sigcheck: Dump file version information and verify that images on your system are digitally signed.
Ping: Measures network performance.
TCPView: Active socket command-line viewer.
Whois: See who owns an Internet address.
Autoruns: See what programs are configured to start up automatically when your system boots and you log in. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
Handle: This handy command-line utility will show you what files are open by which processes, and much more.
ListDLLs: List all the DLLs that are currently loaded, including where they are loaded and their version numbers. Version 2.0 prints the full path names of loaded
ProcDump: This new command-line utility is aimed at capturing process dumps of otherwise difficult-to-isolate and reproduce CPU spikes. It also serves as a general process dump creation utility and can monitor and generate process dumps when a process has a hung window or unhandled exception.
Process Explorer: Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
PsExec: Execute processes remotely.
PsKill: Terminate local or remote processes.
PsList: Show information about processes and threads.
PsService: View and control services.
PsSuspend: Suspend and resume processes.
ShellRunas: Launch programs as a different user via a convenient shell context-menu entry.
Autologon: Bypass the password screen during logon.
LogonSessions: List active logon sessions.
PsLoggedOn: Show users logged on to a system.
PsInfo: Obtain information about a system.
Strings: Search for ANSI and Unicode strings in binary images.