1. Home
  2. Training Library
  3. 2. Reconnaissance

Reconnaissance

Developed with
QA

Contents

keyboard_tab
Cyber Primer Online Learning
1
Reconnaissance
PREVIEW9m 29s

The course is part of this learning path

Cyber Primer
course-steps 5 description 1
play-arrow
Reconnaissance
Overview
DifficultyBeginner
Duration19m
Students4
Ratings
5/5
star star star star star

Description

Course Description 

This module will introduce some techniques used for reconnaissance and social engineering. The software simulations introduce some of the methods and software that can be used in reconnaissance.  

  • Reconnaissance 
  • Social Engineering
  • Twitter Profiling  
  • Google Hacking  
  • Maltego  

 

Intended Audience  

Although perceived as an IT issue, cyber security is, in fact, a subject relevant to all business units. Cyber Primer is aimed at anyone with an interest in cyber security, whether they are looking to pursue a career as a penetration tester, or just want to get a feel for the world of cyber security.  

 

Prerequisites of the Certifications 

There are no prerequisites for this course, however, participants are expected to have a basic understanding of computers and the internet. 

 

Feedback 

We welcome all feedback and suggestions - please contact us at qa.elearningadmin@qa.com to let us know what you think. 

Transcript

The first stage of the cyber kill chain is recon. In this video, you'll be looking at some of the tools a threat actor can use to conduct recon on the target. And build up a profile. You'll cover how to use Maltego to map large areas of an organization's human and technological attack services. How to use Shodan to find and connect to unsecured devices. How to craft searches with Twitter to expand your attack surface and track individual user's movements. How to craft searches with Google to uncover information leaks. How to craft searches with Facebook to understand your own online presence. And what social engineering is and some of the tools to perform it. During the recon stage, a threat actor will attempt to discover most of the information they need from open source intelligence, which is information that is freely available online. This can often be done without directly connecting to the target systems. This is called passive reconnaissance. They can also directly interact with target systems using network scanning tools that can detect the specific version of the operating system running on the remote system. The specific version of services being hosted on the remote system. The rules enforced on firewalls. Vulnerabilities that exist on remote systems. The DNS configuration and the active sub domains that are not advertised or discoverable through search engines. The first point of call for passive recon can be done using Google, in a process known as Google hacking. Google hacking is not about hacking Google itself. It's a way of crafting searches, in a way that leverages Google to uncover information, that an organization thought was hidden. Google hacking allows us to uncover all kinds of things such as: SQL database backups, internal documents, passwords for a target's email address and directories used by web servers for backups. It was invented by Johnny Long, and has since spawned the Google hacking database which is full of crafted search terms to discover all kinds of useful information. Google hacking utilizes Google's in-built search operators to perform very specific searches that return only one kind of result. If we can define the thing we are looking for by using key words, we can potentially find hidden domains, file extensions, directories, webpage titles and specific strings such as @live.co.uk or @gmail.com. The Google hacking database contains multiple Google search operators to locate very specific information. These combinations of search operators are known as Google Dorks. Further to Google, a threat actor may also use Shodan. Shodan is a search engine like Google; however, it is not used to find webpages. Instead it is used to find unsecure devices. It's an immensely powerful tool that is used to discover unsecure devices that are exposed to the internet. It allows a threat actor to search through IP address ranges that are known to belong to the target. And discover devices that are not properly secured. This can be anything from a webcam, toothbrushes and smart TVS through to industrial control systems, that manage and control industrial processes. The system could contain immense forces like nuclear energy or hydroelectric power stations. Shodan can be used to target and investigate a specific set of target IP addresses or ranges or can simply be used to find all devices that say, are vulnerable to Shellshock or Heartbleed attacks wherever they may exist. After finding all of this open source information, it's useful to collate it. The entities discovered during an open source investigation can get out of hand quickly as new information is feed back to the intelligence cycle. Maltego is an open-source tool that can be used to collate all of the information gathered. Maltego can automate intelligence gathering, visualize the relationships between entites, uncover domain usernames from document metadata, uncover contact information from WHOIS, and locate employee's social media accounts. Maltego is excellent at mapping both the human and the technolgical attack surfaces. After scoping the target organization, the threat actor may then need to gain details from personnel at the target organization. Such as usernames and passwords to gain access to the systems. Acquiring these details is often done via social engineering. Social engineering is a method of using human interaction and social skills to obtain or compromise information about an organization or it's computer systems. Targets could be key personalities within the organization; such as system administrators, C-Suite individuals like the CEO or COO and developers. The attacker could then look for a key target's personal interests. Understanding what a person's interests are provides the foundation for any social engineering attack. For example, knowing that someone likes to refurbish vintage cars would allow an attacker to approach them with the service that may be of interest. The attacker may also target a key personality's friends. It might be that an individual has secured their online presence but their friends may not have. A friend sharing photos on social media may reveal a target's location. And frequent photos at the same bar, say after work on a Friday, may clue the attacker in on a regular pattern. Facebook is a massively powerful tool for connecting people, groups, teams and colleagues. And is used by approximately 2.4 billion people worldwide. Privacy of posts and content in Facebook is determined by the author of that content. An unintended consequence of this is that users that lock down their privacy settings are left with the impression that everything they do on Facebook is private. This assumption is a mistake. By performing crafted searches on Facebook, a threat actor can reveal comments that a user has made on a less private post, photos that a user has been tagged in on a less private post, event invitations where the owner of that event has set privacy to public, which is almost always the case, events that the user intends to attend in the future and locations that the user has checked into. This information can all be used for social engineering. Twitter is used by approximately 330 million users worldwide. It can provide an insight into the lives of it's users as well as their whereabouts. This information can be queried by anyone. Through the Twitter developer, API, a threat actor can harvest all tweets from a specific area, the location of a user while they are tweeting, the frequency of a user's tweets and a user's frequent tweeting locations and times at those locations. This information can be use to build up a profile of a target in real time. In this video, we've looked at some of the tools a threat actor has at their disposal. Including how Shodan can be used to discover and connect to unsecured devices. How Google can be used to uncover sensitive data leaks. How Maltego can quickly map large portions of an organization's human and technological attack surface. Social engineering and how social media can be used to harvest a target's information such as, how Facebook can be used to see the data a user thought was protected, building the foundation for social engineering attacks. And how Twitter can be used to expand the attack surface. You'll now have the opportunity to attempt to use some of these tools. Watch the simulation videos, and then have a go at them yourself.

About the Author

Students32
Courses5
Learning paths1

Originating from a systems administration/network architecture career, a solid part of his career building networks for educational institutes. With security being a mainstay his implementation he grew a strong passion for everything cyber orientated especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship. A CCNA Cyber Ops holder and elected for the CCNP Cyber Ops program.