Reconnaissance for Red Teamer Operators

Intro to Reconnaissance

The first step of every Red Team engagement is to perform an information gathering phase, (also known as reconnaissance phase), in which the Red Team operator will collect as much information as possible about their targets. This information should help the Red Team operator formulate an attack strategy with the ultimate goal of getting an initial foothold inside the organisation’s network.

There are two main types of reconnaissance:

  • Passive Reconnaissance: here the Red Team is trying to gather information without actively interacting with a system or service. Examples could be looking at open-source intelligence (OSINT) or any information available online.

  • Active Reconnaissance: in this phase, the attacker is actually interacting with the identified targets, for example by performing a network port scan or by spidering the organisation’s websites.

There are a number of techniques that can be used during the reconnaissance phase, as detailed in this blog post.

Passive Reconnaissance

The main goal of the passive reconnaissance is in the end to have a list of target systems (IP addresses, ranges, domain names, websites…) belonging to our target. Let’s discuss methods that we can use to obtain this information.

Attack Surface Mapping

When performing a Red Team engagement, usually the scope is "the organisation", which is a very generic and broad scope. However, this can be an advantage for the Red Team operator (and attacker), as there is usually no limit to what we can target and attack.

The first objective is to map our attack surface, meaning translating the scope from "the organisation" to a list of systems.

Systems Discovery

There are a number of sources that we can use to identify assets belonging to our target. One of the main sources is looking at the Autonomous System Number (ASN), which is essentially a unique identifier assigned to a network run by a certain organisation. There are a number of ASN lookups tools, such as:

https://mxtoolbox.com/asn.aspx

https://dnschecker.org/asn-whois-lookup.php

https://bgp.he.net/

For example, it is possible to obtain information about the IP addresses belonging to Twitter:

It is also possible to search ASN with Amass, a tool that we are going to use throughout this guide:

Another source of information is Shodan Search Engine, a search engine that allows you to search systems connected on the internet.

A word of caution when using these sources, as we need to make sure that we are not targeting another company with a similar name to our target’s, as that would of course be out of scope.

Subdomain Enumeration

Organisations typically have a number of subdomains, which could be based on the type of service provided, such as "vpn.example.com" or "email.example.com". We can discover subdomains mainly through two methods:

  • OSINT sources: this would include all the historical data found in DNS records, SSL certificates information, web archives, whois lookups, etc.

  • Brute-forcing: our target might use a subdomain that does not have an online presence, in which case we can brute force its domain name.

Given that subdomain discovery is one of the core aspects of bug bounty programs which have seen a sharp increase in past years, there are a large number of tools to perform subdomain discovery.

Amass would probably cover most of your needs for subdomain discovery, as it is possible to create a configuration file to provide all your sources and relative APIs. A comprehensive example can be found on the official GitHub repository:

https://github.com/OWASP/Amass/blob/master/examples/config.ini

Amass will also (if configured) perform permutation of a given wordlist and perform brute-force attacks against the given domain.

Another great tool you can use is Subfinder by ProjectDiscovery.

Login Portals

One of the most interesting things we can find as a red team operator, it’s a login portal. Depending on what the portal is for, we could launch a password spray attack or validate credentials found online.

The easiest way to validate if some of the previously identified domain is servicing a login portal, is to browse to it. However, when you have hundreds of domains, this can be quite tedious. There are a number of tools nowadays which, given a list, will take a screenshot of the websites and save it on file.

Some of the tools you can use for this:

Cloud Resources

When it comes to cloud resources, things can be quite tricky. It’s not straightforward to understand what resources are assigned by the cloud provider to your target (e.g., what’s the IP address of a VM created on Azure?). However, there are some techniques that can come in handy:

  • S3 buckets enumeration: even if it’s not obvious whether the target is using AWS, it might be worth checking if there is any S3 bucket exposed online which has your target domain in its name, as this might disclose interesting information. There are a number of of tools for this purpose, such as s3enum.

  • Azure blobs: similar to S3, these may contain sensitive information. Similar techniques also apply, where we try to enumerate relevant blobs based on DNS names. MicroBurst has a function for this purpose.

Note of caution: buckets or blobs that you enumerate, may not belong to your target, even though they have the organisation’s name in their domain. Remember to stay in scope!

Mobile Applications

Another aspect to consider when doing red teaming, is whether the target has developed a mobile application. Android applications are particularly interesting as you can, most of the times, easily reverse engineer them, and get sensitive information such as:

  • Passwords or API keys

  • Third party tokens

  • API endpoints

Common tools to use are apktool and jadx to have a look at the source code.

A good strategy would be to decompile the APK file with apktool, and grep the content out - a good reference for grep regular expression is https://github.com/tomnomnom/gf.

Social Media

For obvious reasons, social media is a great source of information about our targets. During a red team, you want to focus on:

  • Employee’s information: full names, email addresses, phone numbers etc. Everything that you can then use in later stages of the attack. LinkedIn is a great source, especially when employees detail their IT skills, e.g. if someone is adding “Oracle administration” to their profile, it can be a good indicator that the target is using some sort of Oracle product.

  • Recent events: this can be a seminar or a networking event that the company attended or hosted. This information is particularly interesting if we’d need to draft a phishing campaign, posing for example as the organisers of the event.

  • Job posting: generally advertised on LinkedIn, but this can be a great source of information regarding the company structure as well as the technologies that are in use. Additionally, this can also pose as a phishing scenario (e.g. pretending to be a potential candidate and sending a malicious Office document as our CV).

Leaked Passwords

There are a number of sources for looking up email addresses against known leaked databases. Probably the most popular one is Have I Been Pwned, although this won’t show you the hashed or clear-text password.

There are other websites online however that do offer this service and show you the leaked password. Usually these are paid service and you might need to do some digging to find them.

Domain Squatting

Domain squatting is a common technique used for phishing. With this technique, we can register a domain similar to our target’s. For example, if we are attacking "example.com", we could register "example.co" or "exampl.com".

There is another advantage to registering a domain like this which helps with reconnaissance: if we also set up a mail redirector on that domain, any email sent to that will be redirected to our inbox. That would mean that for example, if someone mistypes the domain while sending an email, we will intercept this email, which if we’re lucky will contain sensitive information such as documents. Additionally, we can reply to the email and launch a very sophisticated phishing attack.

Others

There is a large amount of information online that we can harvest. Other useful sources that we found valuable are:

  • Files Metadata (you can use tools such as FOCA to automate this)

  • Github

  • PasteBin and similar

  • Darknet forums

Active Reconnaissance

Now that we have obtained a large amount of information passively about our target, it’s the time to introduce some more active reconnaissance. During this phase you might perform scanning and interacting with your target’s systems in a way that might be considered illegal, so make sure that you have written permissions to perform these activities before starting.

Network Scan

A great way of gathering more information is to perform a port scan of the systems we already know. This will highlight any service running on the hosts that we might not be aware of. Typical services that we might be interested in are:

  • Web services: not just the ones running on 80 and 443 that we analysed with our browser already, but any other site running on higher ports such as 8080, 8443 and similar. There is a good chance management interfaces are running on these).

  • Mail servers: these are interesting as we could use these to validate the emails that we’ve previously identified. Additionally, we might find open relays if we’re lucky.

  • SSH / Telnet / FTP / SQL services: really any service that allows login. We could validate any previously discovered password or launch a brute force attack against these services, or try the default credentials for the systems.

The most popular tool to perform scanning is nmap. There are a multitude of flags you can use, but a top 1000 TCP scan should be enough for this. This is actually the default scan nmap is going to run, so you can just issue the command below:

$ nmap -iL list_of_targets.txt

If you are dealing with a very large scope, you might want to look into masscan and massdns to optimise your scans.

Application Testing

Once identified web applications, it could be interesting to have a deeper look at them. We’re not going to perform a full attack on the web application, but rather interacting with them to obtain additional information.

For example, we might want to run a web crawler and a spider against them to identify all the sections of the website, potentially other login portals. Burp Suite Pro has these functionalities included, however you can use ffuf , dirsearch , gobuster or any similar tool to identify additional content, or use a spider like hakrawler.

Summary

When doing reconnaissance for a red team engagement, we want to focus on gathering as much information as possible about our target. Unlike common reconnaissance done for other security assessments, the information collected for a red team should also help the next step of the engagement, so don’t ignore information that can be used for phishing or any login portal where you can run a password spray attack.

If you are interested to find out whether your organisation has information exposed which could be abused by a real attacker, contact us and inquire about our red team service.


Popular posts from this blog

How to Secure Active Directory: a Red Teamer Perspective

2022 Common Active Directory Exploitation Paths