Chapter 03: Information Gathering

Question 1

Goal of OSINT

Answer 1

Obtain the information needed to perform an effective pentest

Question 2

CVE

Answer 2

Common Vulnerabilities and Exposures

Identifies vulnerabilities by name, number, and description (CVE-YEAR-NUMBER)

Question 3

CWE

Answer 3

Common Weakess Enumeration

A community-developed list that shows software weaknesses and breaks them down by research, development, and architectural concepts

Question 4

Electronic Docs and Metadata

Answer 4

Electronic docs can show you how an org is structured, internal practices, and procedures

Pentesters will also review doc metadata to identify additional useful information

ExifTool is one tool that allows you to quickly look at metadata for individual files

FOCA (Fingerprinting Organizations with Collected Archives) can be used to find specific metadata via search engines

Question 5

Employees

Answer 5

Troll job posting sites, LinkedIn, or Facebook to find employees

You can find corporate emails, publications, or public records

Social engineering works well here, especially when searching for info on specific people or groups

LinkedIn can also give some indication about the company’s tech stack (look at resume, certs, postings, profiles, etc)

Question 6

Infrastructure and Networks

Answer 6

One of the first things a pentester will gather with passive searches

External footprinting is part of most passive recon, and it’s aimed at gathering information about the target from external sources (domains, IPs, and routes for the org)

Question 7

Domains

Answer 7

DNS is often the first stop for gathering info about an org

DNS info is publicly available, and it’s easily connected to the org by simply checking for WHOIS information about the site

From there you can find other sites and hosts to add to your org footprint

Question 8

WHOIS

Answer 8

IANA manages the DNS root zone, and it’s a good place to start searching

Once you know your regional authority to query, you can select the appropriate site:
* AFRINIC (Africa)
* APNIC (Asia-Pacific)
* ARIN (North America, parts of Caribbean, and North Atlantic islands)
* LACNIC (Latin America and the Caribbean)
* RIPE (Europe, Russia, Middle East, and Parts of Asia)

Each regional NIC provides a WHOIS service that lets you search databases of registered users of domains and IP blocks

Also provides intel about an org or individual based on their registration info

Question 9

External DNS

Answer 9

This info is provided as part of its WHOIS info, and it’s a good starting point for DNS-based intel gathering

It includes both technical contacts and admin contacts for a domain, which gives key insights into who’s responsible for the domain

This is where you can identify potential social engineering victims and OSINT activities

Question 10

Historical Domain Info

Answer 10

Domain owners often reduce their visible data after they have registerd the domain

domainhistory.net and whoismind.com can provide historical views into the domain reg info given to WHOIS

Question 11

DNS and Traceroute Info

Answer 11

DNS lookups are useful for pentesters who want to check for hosts based on an IP range and for IPs based on hostnames

This DNS info can contain key contacts, this is a way to gather intel on responsible parties if the org isn’t using domain registrar security features

nslookup (Windows, Mac, Linux)

Question 12

SSL and TLS

Answer 12

You can gather info from the TLS certs an org uses for their services, like other domains that might be of interest under the subject alternative name

Also shows info about systems, domain names, and sometimes individuals of an org

They can also show poor system maintainence if you find an out of date cert

Question 13

Zone Transfers

Answer 13

DNS zone transfers (AXFR) are transactions intended to be used to replicate DNS databases between DNS servers

The information contained in a zone transfer is highly useful to pentesters

Most DNs servers will have zone transfers disabled or well protected as a result

Three common ways to perform a zone transfer:
* host -t axfr domain.name dns-server
* dig axfr @target.nameserver.com domain.name
* nmap -script dns-zone-transfer.nse -script-args dns-zone-transfer.domain< domain > -p53 < hosts >

A zone transfer will show you things like:
* Name server
* Primary contact
* Serial number
* Time between changes
* Minimum TTL for the domain
* MX records
* Latitude and longitude
* Other TXT records
* Service records
* IP address mappings

Page 72

Question 14

IP Ranges and Addresses

Answer 14

Once you know the IP address that a system is using, you can look up info about the IP range it resides in

This lets you get things like company or hosting services it uses

IP address and hostname can also be used to gather information about network topology around the system or device that has a given IP address

After you have an IP, do a lookup to see who owns the range on sites like WHOIS, Spur, AbuseIPDB, etc

NOTE: Once you know who owns it, use traceroute or tracert to see the path packets take to the host

Cloud hosted infrastructure makes this all more complex

Pentesters need to verify where the services and systems are hosted, and then ensure you have permission to test them

Question 15

Routes

Answer 15

The routing info for an org can provide insight into how their external network connectivity is set up

Public BGP route information servers known as BGP looking glasses make that infromation more easily accessible

Question 16

Wireless Networks

Answer 16

You can use wardriving to scan for wireless networks from a car, bus, walking, etc

The data you get can be matched to data sources like wigle.net

It can also be mapped using triangulation based on the strength of the signal from each access point

Question 17

Security Search Engines

Answer 17

These provide a way to review hosts, services, and other details without actively probing a network

They don’t always have the most up to date information on them, but they’re highly effective as early steps in passive information gathering and analysis

Shodan
* One of the most popular security search engines
* Provides prebuilt searches as well as categories for ICS, databases, etc

Censys
* Similar to Shodan
* Delivers GeoIP information if available, comprehensive summary of the services the host exposes, and drill-down links for highly detailed info

ZoomEye.org and hunter.io
* Not covered on exam
* Other good options to explore

Question 18

Google Dorks and Search Engine Techniques

Answer 18

Pentesters need to know how to use search engines to return highly specific information based on queries

The Google Hacking Database can be super useful

Question 19

Password Dumps and Breaches

Answer 19

Pentesters can use credentials that have been previously breached as part of their testing

Credential reuse is common aong users, and if MFA isn’t required a breach provides a potentially easy way

haveipbeenpwned and pwnedornot provide easy access to existing password dumps

Question 20

Source Code Repositories

Answer 20

Repos like GitHub , Bitbucket, and Sourceforge are a key passive recon tool

Data leaks that provide passwords or keys occur occasionally, but pentesters are more likely to find information about configs, interfaces, IPs, and domains

Use IaC tools as well:
* CloudFormation
* Ansible
* Puppet
* Chef
* SaltStack

DION NOTES
* Public source code repos contain a lot of valuable data
* EX: You can see the entire source code if it’s mis-classified
* EX: Common insecure coding mistakes will sometimes have API keys, hardcoded creds, etc
* NOTE: Deleted data can still exist somewhere on the internet—cached Google pages and Waybackmachine could have that stuff

Question 21

Passive Enumeration and Cloud Services

Answer 21

Cloud and hosted services present a challenge

It isn’t safe to assume that IPs will remain fixed, that systems or services aren’t shared, or that geographic information you find is the only availability zone or region where services are deployed

Tools like Amazon CloudFront, Cloudflare, Akami, and other DDoS prevention and CDN can mask the underlying infrastructure and systems

Full knowledge tests can help with this

Partial or zero knowledge tests require that you perform additional recon and validation whenever the underlying infrastructure may not be as simple as it looks, or if third parties are involved

Question 22

Active Recon and Enumeration

Answer 22

After passive recon is finished

This is where you build and then narrow down the list of hosts, networks, or other targets

DION NOTES
You can conduct active recon with this general flow:
* Conduct discovery scan
* Then, narrow focus on a specific target
* Finally, go down to the specific services found on those hosts
* You move from ping scans to port scans, to port enumeration and fingerprinting

Enumeration digs deep into target systems and links identified components into known vulnerabilities—you can enumerate anything on a network, including:
* Hosts
* Services
* Networks
* User and Groups
* Network Shares
* Domains
* URLs
* Tokens
* and more

Fingerprinting is the identification of an OS, service, or specific software version that’s in use by a host, system, or network

Question 23

Hosts

Answer 23

Enumerating hosts is the first thing most pentesters will think of when they prepare to assess a target

Active scans can identify many hosts, and while it’s tempting to rely on just those scans, there are many other ways to identify hosts on a network

Combine multiple methods to ensure you don’t miss any systems:
* Leverage central management systems like MS Endpoint Configuration Manager, JAMF Pro, or other tools that maintain and inventory of systems, IPs, etc
* Network logs and config files
* Logs from DHCP servers
* Router logs, ARP tables, and other network information

NOTE: In unknown tests, you might not be able to get this information until later in the test, so port scanning is usually the first technique done early in this type of engagement

Question 24

Services

Answer 24

Service identification is one of the most common tasks done in active recon

This provides a list of potential targets, including vulnerable services and those you can test using credentials you have available

Often done using a port scanner (nmap)

Question 25

Port Scanners

Answer 25

Send traffic to remote systems and then gather responses that provide information about the systems and services they include

Port scanners have these features in common:
* Host discovery
* Port scanning and service identification
* Service version identification
* OS identification

Understand common ports and services to take full advantage of port scanners

Ports 0 to 1023 are well-known ports or system ports

Ports 1024 to 49151 are registered ports assigned by IANA when requested

Page 80 for port list

Question 26

Service and Version Identification

Answer 26

Service identification is done in one of two ways:
1. Connecting and grabbing the banner or connection information provided by the service
2. Comparing its responses to the signatures of known services

Question 27

OS Fingerprinting

Answer 27

The ability to identify an OS based on the network traffic that it sends

Typically done using TCP/IP stack fingerprinting techniques that focus on comparing responses to TCP and UDP packets sent to remote hosts

The difference in how OS respond, what TCP options they support, athe order in which they send packets, etc can often provide a solid guess at what OS you’re probing

Question 28

nmap

Answer 28

CLI flags for nmap:
* -sS: TCP SYN
* -sT: TCP connect / Full connect
* -sU: UDP-only scan
* -sA: TCP ACK (tests firewall rulesets)
* -p: number ranges (1-65535) or names (http)
* -T0 to -T5: slow to aggressive speeds
* -sV: service version
* -O: OS version
* -Pn: disabling ping
* -IL: input from a target file
* -oX: XML output
* -oN: normal output
* -oG: greppable output (deprecated, XML replaced)
* -oA: all output

Page 82-84 for all of them

Question 29

Network Topology

Answer 29

Understanding the topology or layout of the network helps you design your scanning and attack process

Topology maps can provide information about what systems and devices are likely to be accessible, and help you make decisions about when to pivot to a different target to bypass security controls

Zenmap GUI for nmap can show topology, but not always accurate

Question 30

Detecting Network Defenses

Answer 30

Pentesters often attempt to determine the infrastructure and technical defenses that an org has in place

This means using detection techniques during scans and testing and combining that information with OSINT where possible

There are four types of detection needed for the exam:

Load Balancer Detection
* Uses tools like lbd (load balancer detector) to determine if there is a DNS or HTTP based load balancer in place
* These tools analyze differences in headers and responses from servers to determine if there’s a load balancer
* Possible to perform a DNS query or even ping to see if multiple IPs resolve for a website and if TTL is different
* WAFs can be detected by reviewing cookies, headers, and HTTP responses, and by looking at behaviors like the use of FIN/RST packets to end unwanted connections

Antivirus Detection
* Challenging since these tools don’t provide a remotely visible signature or response
* AV can be problematic for pentesters since it can detect and remove useful tools
* BeEF (Browser Exploitation Framework) provides AV detection modules that can detect AV signatures on a target once access is gained

Firewall Detection
* Traceroutes can show where traffic no longer passes, but more detailed info takes more complex tools
* nmap scans can test for firewalls, but firewall devices may prevent scanners from detecting them
* Firewall detection pays attention to responses that may provide clues about what type of device is responding
* Once a firewall is identified, the next step is to map the devices behind it with a tool like Firewalk

IDS/IPS and WAF Detection
* nmap has a NSE script that will attempt to determine if the target is proected by an IDS, IPS, or WAF
* http-waf-detect
* Tools like wafw00f and WhatWaf can also sometimes detect

Question 31

Eavesdropping and Packet Capture

Answer 31

Pentesters use Wireshark or TCPDump to gather info about a network including IPs, MACs, TTL, and data about services and the content of traffic when it’s unencrypted

Kismet
* Kismet provides added features when sniffing wireless networks
* Can find hidden SSIDs, passive association of wireless clients and APs, and tools that help decrypt encrypted traffic

Bluetooth
* The most common non-WiFi wireless implementation that pentesters encounter
* Short range makes it challenging to intercept without getting close to target
* Relatively insecure, makes it easier to gather info if you can get within range or gain access to a system that can provide that access

Question 32

SNMP Sweeps

Answer 32

Usually requires internal access to a network and may not be in the first round of active recon activities

Requires you to acquire the community string used by the network devices, and a lack of a response from a system doesn’t mean that there isn’t a system at the IP

Four possible reasons a lack of response could occur:
* Wrong community string
* System may be unreachable
* SNMP server may not be running
* SNMP is using UDP and response wasn’t received yet (maybe not ever)

Question 33

Packet Crafting and Inspection

Answer 33

Pentesters sometimes need to interact with packets and traffic directly to gather the information they need

Manual or tool-assisted packet creation can allow you to send packets that otherwise wouldn’t exist

You can also modify legitimate packets with your own paylods

There are four tasks that packet crafting and inspection involve:
* Packet review and decoding
* Assembling packets from scratch
* Editing existing packets to modify their content
* Replaying packets

Wireshark is helpful for packet analysis, but pentesters use other tools for packet crafting like Hping, which lets you create custom packets

EX: Sending SYN packets to a remote system with Hping
* hping -S -V targetsite.com -p 8080

Other popular tools aside from Hping are Scapy, Yersinia, and Netcat

DION NOTES
You may want to craft packets when:
* Trying to set unusual TCP flags to see how a firewall responds to that, and whether if you can get a packet through defenses

EX: Some legacy firewalls with strict TCP interpretation will allow Christmas Tree attack packets through

• If you want to fragment packets, breaking them up in order to sneak them by a sensor on an IPS
• Additionally, fragmented packets can be made so they don’t reassemble, which starts consuming up the resources on a given system or service which can lead to DoS

The Goal
* Use as few packets as possible to reach our desired objective
* We want to be silent, sneaky, and evade detection

Question 34

ARP Traffic

Answer 34

Address Resolution Protocol traffic

Used to determine which host has what IP address

ARP request and response that’s captured with Wireshark looks like:
“who has IP?” “Tell IP”

Question 35

Enumerating Users

Answer 35

The most common way to do this through exposed services are SMB and SNMP

Once you gain access to systems, you can also directly enumerate users from files, directories, and sometimes directory services

In many orgs, user accounts are the same as email accounts which makes email user enumeration crucial

Question 36

Email Enumeration

Answer 36

theHarvester
* Program that gathers information about targets:
* Emails
* Emplyee names
* Subdomains
* Host information
* Open ports
* Banners from search enines (including Shodan)

Metasploit
* Also includes similar functionality with email harvesting tool
* /auxiliary/gather/search_email_collector

Question 37

Groups

Answer 37

Groups come in many forms like AD groups in a domain to group management tools built into identity management suites

Groups also exist in apps and service management infrastructure

Understand what groups exist and what rights, roles, or permissions are associated with them

Pentesters often target group management interfaces and tools because adding an unprivileged user to a privileged group can provide an easy way to gain additional privileges without havin the user directly monitored

EX: If your target supports SNMP, and you have the right community string, you can use snmpwalk to enumerate users

Question 38

Kumu

Answer 38

Shows focal points and interconnections between social media users

Helps understand how users relate to each other

Question 39

Shares

Answer 39

Enumerating Samba (SMB) shares seeks to find all shares, which are readable and writable, and any additional information about the shares that can be gathered

SMB scanners are built into a varity of vulnerability scanning tools

Purpose-built SMB scanners as well, like SMBMap

nmap includes the smb-enum-shares and smb-enum-users NSE scripts

Question 40

Crawling and Scraping Web Pages

Answer 40

**Web Crawling **
Uses tools, called spiders, follow links defined by scoping settings that determine if they can go to other domains, subdomains, or websites, and how deep through links they go

This can help you identify web content and directories, and reveal where useful information is or where it’s accessible but not linked

Web Scraping
imilar but it captures the information, web pages, and other data found on a site

Pentesters can gather data and search through it for information like emails, directories, filenames, etc

Scraping social media sites can reveal important contacts, job responsibilities, tech the org uses, ad details of job postings that hit about the org infrastructure and skills

Question 41

Manuan Inspection of Robots.txt and Web Links

Answer 41

A robots.txt file tells serach engines and outher automated crawlers to ignore specific files, directories, or other materials on a site

Since these files aren’t intended to be indexed, they’re potentailly useful for pentesters—manual validation of the contents of those files and directories is a common practice

Pentesters also review web links to check for interesting directories

If files are stored on a directory, you can see if it has indexing turned on by visiting that directory manually or check for common filesnames by guessing based on other links elsewhere

Question 42

Reputation and Security Posture

Answer 42

Sites like Glassdoor can show the overall tone for a workplace and employee satisfaction

Place to target social engineering attack victims

News sites, PRs, and articles can provide info about the org’s reputation as well

Question 43

Applications

Answer 43

Enumerating all of an org’s applications can be challenging, especially in a secure environment

Pentesters can often only connect to public apps in the early phases of a pentest and then must continually reassess what apps and services are accessible as they go deeper

Question 44

Fingerprinting Applications

Answer 44

Application assessments rely on knowing information about the apps, like name, version number, underlying web server and app stack, host OS, etc

Fingerprinting applications usually starts with banner grabbing with Netcat

EX: nc 10.0.2.5 80
GET / HTTP/3.0

nmap can also provide similar answers with -sV flag

DION NOTES
* Banner grapping uses a program like netcat, wget, or telnet to connect to a given port that’s running a service
* When you connect to that port, the service responds in a particular way, like providing what service is running on the port, what version of the service is being run, etc
* netcat gives responses as plain text and interact with service
* EX: nc diontraining[.]com 80 GET /HTTP/1.1
* This will display the server name and version
* You can determine the version of the Apache web server that’s being run, which gives info to idenfity vulns
* EX: wget [domain or IP] -S
* Zenmap, nmap, and metasploit will automate this with packet crafting and manipulation

Question 45

Certificate Enumeration and Inspection

Answer 45

The certs that an org’s website present can be useful

nmap can gather this information with ssl-cert NSE script, and all major vulnerability scanners have the ability to grab and validate cert information

Web app vulnerability scanners also specifically build in this capability

Knowing what certs are in use, if they’re expired, revoked, or otherwise problemactic is big because it points to cryptographic flaws or other admin or support issues that can be exploited

Certs are also used for users and services, and may be acquired during later stages of the pentest—user and service certs and keys are typically tracked as they are acquired rather than directly enumerated

Question 46

Tokens

Answer 46

Tokens are used many places, like between Windows systems, for web ap access, and throughout infrastructure where systems and devices need to communicate

They’re a prime target for pentesters who want to acquire legitimate tokens that they can use or to forge legitimate tokens for their own purposes

The exam focuses on three key areas for tokens:

Scoping Tokens
* Tokens may specifically identify a user and then limite the actions that user can take based on their scope
* They may identify an app and limit the actions it can take in a given scope
* Set of limitations and conditions on a token that determines what it can do and where it can do it
* Acquiring a token without scoping limitations, or with limitations that allow you to perform desired actions, is a pentesters goal

Issuing A Token
* Use the token-issuing system to issue arbitrary tokens that match your needs
* Obtain the ability to sign your own tokens
* Targeting the issuing server or process as well as the secret signing key are both common in token-based pentesting

Revocation of Tokens
* If tokens are revoked, you may not be able to keep using it
* Understand how tokens can be revoked, if the app or service properly handles token revocation, and if you can avoid having a token that you issued or acquired be revoked

Question 47

Discovering Third-Party Hosted Assets

Answer 47

Assets like apps, servers, or other elements of an infrastructure can be challenging to discover

You have to be careful you don’t inadvertantly probe assets outside your scope and RoE

Pentesters need to confgure their tools to limit IPs, domains, or depth of links that they scan or test

There’s still a clear cut need to test third party hosted assets though, so take these design elements into account

Question 47

Cloud Asset Discovery

Answer 47

Tools like CloudBrute can help you discover a target’s cloud infrastructure for IaaS providers like Amazon, Google, and Microsoft

These tools attempt to discover cloud apps and storage

Discovering storage buckets and apps can provide you with additiona targets or even direct access to data / security keys if the storage buckets are unsecured

Question 48

Scripts and Interpreted Code

Answer 48

The most accessible code is often found in scripts and other interpreted code

Most scripts and interpreted code may not be accessible during the initial active recon phase, but once you’ve bypassed outer layers you’re likely to recover code that you can analyze

Question 49

Decompilation

Answer 49

Compiled code must be decompiled before it can be analyzed, so you need a decompiler to pull it apart and provide readable source code

Question 50

Debugging

Answer 50

If you have the source code for a program, you can also use a debugger to review it

Like with decompilation, you’re unlikely to get this code in the early phases of a pentest but analyzing souce code is still a common way to gather additional information

Debuggers are built into the same tools you’d use for manual code review: Eclipse, Visual Studio, etc

Question 51

Defense Against Active Recon

Answer 51

Typically relies on a few common defenses:
* Limit external exposure of services to those that absolutely must be exposed
* Use an IPS or similar defensive tech that can limit or stop probes to prevent scanning
* Use monitoring and alerting systems to alarm on events that continue despite these preventative measures

Question 52

Preventing Passive Information Gathering

Answer 52

This is more challenging than active recon prevention because it relies on controlling the information that they release

Question 53

Footprinting

Answer 53

Figuring out exactly what types of systems the org uses to be able to attack them in the next phase of the pentest (attacks and exploits)

Question 54

OSINT Tools

Answer 54

Metagoofil
* Linux based tool that can search the metadat associated with public documents located on a target’s website
* Relies on Python to locate metadata within different files like Excel, Word, PowerPoint, OpenOffice Writer, Calc, and BASE
* Metadata like author, company who created it, title, subject, words in document, how long you spent editing it, etc
* Can run on any system because it’s running on Python interpreter

FOCA
* Fingerprinting Organizations with Collected Archives
* Used to find metadata and hidden information in collected documents from an org
* Take all Word, Excel, and ppt docs that a company created on Google (by dorking) and then run it through FOCA
* Uses GUI vs Metagoofil CLI
* Has to run on Windows, won’t work on Linux

The Harvester
* Program for gathering emails, subdomains, hosts, employee names, email addresses, PGP key entries, open ports, and service banners from servers

Shodan
* A website search engine for web cameras, routers, servers, and other devices that are considered part of the IoT
* It will show you webcams that are public-facing, but shouldn’t be, or it will show you devices with default passwords, etc
* Think of it like Google for devices

Maltego
* Commercial software used for conducting OSINT that visually helps connect relationships between pieces of information
* You can map emails, job titles, etc to find paths to specific people at an organization
* Chaining from one person, machine, or network to the next one
* Can also automate the querying of public sources of data and then compare it with other information from various sources

Recon-ng
* Uses a system of modules to add additional features and functions for your use
* EX: Module that can conduct WHOIS queries to identify admin and technical points of contact
* EX: Module that conducts PGP key searches
* EX: Module for social media profile searching
* File crawling, DNS enum, have I been pwned breach, etc
* Python script for x-platform
* A complete tool like metasploit

Censys
* Website search engine used for finding hosts and networks across the internet with data about their configurations
* Similar to Shodan in that it’s a website

Question 55

Metagoofil Syntax

Answer 55

metagoofil -d udemy[.]com -t doc,ppt,pdf -l 50 -n 25 -o UdemyFiles -f

Meaning
* -d = domain
* -t = file type
* -l = limit the number of searches
* -n = number of downloads
* -o = output directory
* -f = create a file in one combined html file

Question 56

theHarvester Syntax

Answer 56

theHarvester -d udemy[.]com -l 5 -b google

Meaning
* -d = domain
* -l = limit number of results
* -b = search engine to use

Question 57

DNS Records

Answer 57

Address (A) Record
* Links a hostname to an IPv4 address

AAAA Record
* Links a hostname to an IPv6 address

Canonical Name (CNAME) Record
* Points a domain to another domain or subdomain

Mail Exchange (MX) Record
* Directs emails to a mail server

Start of Authority (SOA) Record
* Stores important information about a domain or zone
* A zone is all of the information about a given domain name, including A, CNAME, MX, etc

Pointer (PTR) Record
* Correlates an IP with a domain name
* Opposite of an A record
* Always stored under .arpa, which is the top level domain used when dealing with PTR records

Text (TXT) Record
* Adds text into the DNS
* Allows us to have machine readable data that’s added into records
* Used for different reasons, including to say that this domain is authored by someone

Service (SVR) Record
* Specifies a host and port for a specific service
* You can set up something for chat services, or VoIP with this SVR record

Nameserver (NS) Record
* Indicates which DNS nameserver has the authority
* If you buy a blog domain from GoDaddy, tey’re the NS
* If you want to switch from GoDaddy to Google Domains, you have to change the NS record to show Google is the new NS

DION NOTES
* As a pentester, you want to pull up al the DNS records to check for relevant information
* EX: If you look up a domain, you can see what type of web server, email server, record server for domains, servers for third party, etc
* Focus on MX, TXT, and SRV records to check for email and third-party SaaS solutions
* This will show you many targets you may not have discovered otherwise

Question 58

DNS Tools

Answer 58

nslookup
* Name Server Lookup
* X-platform tool used to query the DNS to provide the mapping between domain names and IPs or other DNS records
* Alt tools are dig and host

WHOIS
* CLI tool on Linux, also a website, that’s a query and response protocol for internet resources
* Shows who registerd the domain
* Name and address of who owns the domain
* Email and phone for person who registered
* Billing POC, tech POC, other admin POC
* See domain registrat which can be used for phishing (pretend to be registrar)
* Also find the status of the domain (when up for renewal, etc)
* NS records to possibly zone transfer

Question 59

GHDB

Answer 59

Google Hacking Database
* Provids a database of search strings optimized for locating vulnerable websites and services
* Pairs with Google dorking (hacking)

Question 60

Cryptographic Inspection

Answer 60

Checks the validity of certs or potential vulnerabilities to exploit within target servers

If you look at the cryptographic information for a web server, you should be able to determine if they’re using SSL 2, SSL 3, TLS 1.0, 1.1, 1.2, or 1.3

Question 61

Cipher Suite

Answer 61

Defines the algorithm supported by the client and server when requesting to use encryption and hashing

TLS 1.2
ECDHE RSA AES128 GCM SHA256
* Elliptic curve diffie hellman ephemeral mode to negotiate the session key agreement
* RSA for digital signatures
* AES with Galois/Counter Mode with 128 bit block size for symmetric bulk encryption
* SHA256 hashing algorithm to conduct message autentication

TLS 1.3
TLS AES 256 GCM SHA384
* TLS 1.3 protocol will use an ephemeral key agreement since it’s the only one supported by the protocol
* AES Galaois/Counter Mode with a 256 block is used for symmetric bulk encryption
* SHA384 is used to support cryptographic hashing functions for us

DION NOTES
* As a pentester, understand how to read cipher suites because you may be looking at a vuln scan report and ID which one is most vulnerable because it’s using an insecure suite
* To test, go to ssllabs[.]com and enter the website—it will display all the cipher suite information
* EXAM NOTE: You don’t need to know the ciphers themselves, but you should know that cipher suites are made up inside these protocols and as you negotiate those protocols you can downgrade to a lower protocol as part of an attack

Question 62

Digital Certificates

Answer 62

When doing cryptographic inspection during recon, always inspect digital certificates to identify other potential targets or servers in digital certificate fields

For example, there is the Subject Alternate Name (SAN) Field:
* Allows the use of digital certificates with other domains in addition to the main domain
* AKA multi-domain certificate because it can spport multiple different domain names with one cert
* Doesn’t support subdomains, that needs to have a wildcard cert

DION NOTES
* As a pentester, look at the SAN field or wildcard field to check for other domains or subdomains to investigate as part of your scope

Question 63

Certificate Techniques for Pentesters

Answer 63

Certificate Pinning
* A method of trusting digital certificates that bypass the CA hierarchy and chain of trust in order to minimize on-path attacks
* Without this, when establishing a TLS encrypted tunnel, attackers can attempt to substitute a malicous but trusted cert into the chain of trust that includes the client, the server, and the intermediate or root CA in an on-path attack
* This allows attackers to eavesdrop on supposedly secure comms between client and server
* This is considered insecure and not used

Certificate Stapling
* Allows a web server to perform certificate status checks instead of using the browser
* The server checks the status of the certificate and provides the browser with a digitally signed response from the OCSP responder
* This allows the cert holder to get the OCSP record from the server at regular intervals, and then include it as part of the SSL/TLS handshake
* Eliminates the need for additional connection at the time of the request

HSTS
* HTTP Strict Transport Security
* Allows a web server to notify web browsers to only request using HTTPS and not HTTP
* You have to use an encrypted tunnel to connect

Question 64

Host Enumeration

Answer 64

If you’re inside the network, you can use living off the land techniques and use the tools already on the host to enumerate

net
* net view = shows a list of all network shares available from that workstation that are being served by other hosts on the network

arp -a
* Displays the ARP cache
* ARP cache is a list of all the other machine’s MAC addresses that have recently communicated with the host you’re currently on

ipconfig
* Determines the IP of the current machine you’re on
* ipconfig /displaydns to see all the DNS names that have recently been resolved on that computer

Bash on Linux
* finger = show home user’s directory, login name, current idle time
* uname -a = OSS name, version, and other relevant details
* env = environmental variables on a Linux system

Question 65

Services Enumeraton

Answer 65

Conducting an intensive scan with nmap returns information about the services running on a host’s open ports

For example, you can see that port 80 is open which means a web server is there—but you’re not done enumerating that port because there are many web servies that can run on port 80 HTTP like:
* Apache
* Microsoft IIS
* ngix
* LiteSpeed
* and others

Question 66

Domain Enumeration

Answer 66

Windows domains, not website domains or DNS entries

In Windows, everything is done with AD:
* The database that stores, organizes, and enables access to other objects under its control
* Connects all hosts to servers and those server’s resources via Kerberos

Domains:
* Contains Organizational Units (OU), and these domains can be consolidated into a tree, and multiple trees can become part of a forest (in larger orgs)
* Considered te core of a Windows network
* First domain is always considered the root domain
* All other domains underneath the root domain (aka subdomains) are called children
* By default there’s an inherent trust relationship between children and the root domain that created them, which can be exploited by a skilled attacker

OU:
* Used within a domain to group together simimlar objects (computers, groups, users, etc)

When Enumerating a Domain
* If living off the land, you’ll use PowerShell
* If not LOTL, use nmap or metasploit

PowerShell
* Get-NetDomain = List the current logged in user’s domain
* Get-NetLoggedon = Get a list of all the users who are logged into a given computer (helpful if you get access to a server)

Question 67

User Enumeration

Answer 67

When enumerating users, you can also enumerate groups because many users are also part of a group as part of their access rights and permissions

PowerShell Example
* Assume you have gained initial access and logged in as a user with their creds
* Get-NetGroupMember = Gets a list of domain members belonging to a given group
* Once you know what group they’re a part of, you can figure out what resources like servers and file shares you now have access to

What If No PS1 Access?
* net user = lists all the users on a given machine
* net groups = lists all the groups on a given machine

Question 68

URL Enumeration

Answer 68

Once you have a list of value URLs, you can use tools to gain more details about a web server or apps running on those URLs

nmap Example
* nmap –script=http-enum [target URL]
* This will return information about about the services as well as the apps running the server like the CMS like Drupal, Joomla, or WordPress
* Once you identify these you can link them to CVE to plan attacks and exploits

Question 69

Website Recon and Enumeration

Answer 69

Seek to discover the resources used as well as any hidden information. To do so, you need to determine:
* Software used to run the org’s website
* OS the server is using
* If the server is hosted by the org under a first-party model or third-party CSP

When alayzing a websites code, you’ll find it’s:
* Created by a programmer or team using HTML, CSS, JS, etc
* The site is built on top of a CMS (WordPress) or page builder (SquareSpace)

IF CMS BUILT
* Find CVE for the verions of software they’re using to build and host

IF CUSTOM BUILT
* You need to identify your own vulnerabilities like SQL injection, XSS, caching server attacks

When enumerating websites, you must find every page that exists on the website because any one page can hold a vulnerability—this can be done with website crawling and forced browsing

Website Crawling
* The process of systematicaly attempting to find every page on a given website
* robots.txt tells web crawlers (aka spiders) what pages not to index—this is a good recon target for pentesters because it’s areas the web devs don’t want the public to see
* DirBuster is how you can brute force all these pages

Web Scraping / Harvesting / Data Extraction
* Technique used for extracting data from websites performed using automation or through manual processes

CeWL (Custom World List Generator)
* A Ruby app that can crawl a given URL up to a specified depth and return a list of words that can be used with a password cracker

cewl -d 1 -m 6 -w wordlist.txt hxxps://diontraiing[.]com
* Check main page of diontraining
* Scan down to a depth of one level below top directory structure
* Find all words at least 6 letters long
* Add words to wordlist.txt file

Question 70

Detecting and Evading Defenses

Answer 70

Load Balancer
* Not a security device, but can cause trouble for pentesters scanning, enumerating, and attacking networks
* Used to distribute traffic across multiple servers inside a server farm
* Network scans might get sent to different servers as the requests come in which gives different answers and responses
* Creates false positives or negatives, you need to know if there is a load balancer

LBD (Load Balancing Detector)
* lbd [domain you want to test]

Firewall
* One of the easiest ways to detect if an org is using a firewall is to use traceroute (tracert)
* If you see an asterisk where responses should be it indicates a security device like firewall, UTM, etc
* You can use tools to map out firewalls

Firewalk
* firewalk -S[ports you want to use] i [interface] -n -pTCP [target]
* Helps you map out the ACL on a firewall
* With firewalking, you can move through the firewall and identify the rule sets

WAF
* Layer 7 firewall that uses specific rule sets to prevent common attacks against web apps like XSS and SQL inject
* To get through WAF, you have to use obfuscation techniques to confuse the web apps, so they can’t see data as easily
* To detect a WAF, there are a few key givewaways:

Personalized Cookes in HTTP Packets
* Most WAF will add a personalized cookie in the HTTP packet that get sent back to someone scanning them, or someone trying to send data through the WAF
* Looking at the cookies in the HTTP packets, you can identify if there’s a WAF

Header Alterations
* Changes the original response header to confuse the attacker
* If you start seeing abnormal header responses, there might be a WAF in place

WAF Notifications
* Sometimes the WAS is blatant in the fact that it’s there and sends a page or header that says request blocked because protected by WAF

Antivirus
* Used to precent, scan, detect, and delete viruses or malware
* Once installed, runs automatically in the background to prevent attacks
* When doing scanning it’s not a big deal, but when you move into attack and exploit it’s a problem
* To bypass AV you can:

Create a Metamorphic Virus
* Transforms the virus as it propagates through the network, hard for AV to detect

Signature Obfuscation
* Obfuscate a known signature with specialized tools and change the code for the exploit
* One-time change, not metamorphic

Fileless Malware
* Use tools or paylaods that use fileless malware
* A lot of OS embedded functions can be used to conduct malicious activities for you—PS1 scripts, cmdlets, bash utilities, etc
* Challenging to detect, form of LOTL

Encryption
* Can eliminate the ability for the AV program to detect the malware through signatures alone
* Pentesters will often encrypt their malicious payload and attach a stub that decrypts once it’s on the victim machine (process injection and hollowing)

Question 71

hping

Answer 71

Open-source CLI spoofing tool that provides a pentester with the abilty to craft network packets in order to exploit vulnerable firewalls and IDS/IPS

It can do many different functions like:
* Host and port detection
* Firewall testing
* Timestamping
* Traceroute
* Fragmentation
* DoS

Host and Port Detection / Firewall Testing
* Sends a SYN or ACK packet to conduct detection and testing

hping3 -S -p80 -c1 192.168.1.1
* Send 1 SYN packet to port 80
* Stealthy because you’re only sending one packet out to see if a machine is online

hping3 -A -p80 -c1 192.168.1.1
* Send 1 ACK packet to port 80

Timestamping
* Allows us to determine a system’s uptime and how long the host has been online
* If a server has been online for over a year, it’s possible that they haven’t installed all the patches or upgrades because you usually have to reboot servers when you do

hping3 -c2 -S p80 –tcp-timestamp 192.168.1.1
* Sends 2 SYN packets to port 80 to determine uptime
* 2 SYN is more effective than 1 when doing timestamp

Traceroute
* Uses arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces when ICMP is blocked on a given network

hping3 –traceroute -V -1 [domain]

Fragmentation
* Attempts to evade detection from IDS/IPS and firewalls by sending fragmented packets across the network for later reassembly
* Because you’re using TCP you can send packets in any order you want, and the system will put them back together once it receives
* In most modern systems, these are going to be caught

DoS
* Can be used to perform flood-based DoS attacks from randomized source IPs
* Not likely to be effective against most modern OS and network appliances
* But if you’re going against legacy systems this can still work though, so it’s still valid to try as a pentester (IF IN SCOPE)

Question 72

Scapy

Answer 72

Python-based interactive packet manipulation tool, packet generator, network scanner, network discovery, packet sniffer, and more all in one script

It can replace most of what hping can do, a lot of what nmap can do, and other tools like ARP spoofing, ARPing, TCP dub, Enthrill, and PLF

When using Scapy:
* Define a set of packets
* Send those packets
* Receive the answers
* Match requests with answers
* Return a list of packet couples
* Return a list of unmatched packets

EXAM NOTE
Usage of Scapy is not covered on the exam, but know that it’s a packet crafting tool