The content of the article
- Finding Unclosed Doors
- From Editorial Conversations
- Scan, mark, repeat
- OSINT without interactivity
- Collecting information for social engineering
- Recon as art
Of course, it is possible to throw exploits at vulnerable services exposed on the perimeter (and, for example, light up the network and leave traces in the logs of the security systems), or you can use spear phishing and gain a foothold on a workstation inside the perimeter. The result is achieved in both cases, but the cost of the attack is completely different.
The reconnaissance stage is the key to choosing the tactics, techniques and procedures (TTPs) that will be used to achieve the goal. Most often, however, the task of reconnaissance is to find as many potential entry points to the target as possible and to estimate the cost of implementing the vectors found. In order to complicate the life of an attacker who conducts reconnaissance, it is necessary to understand which TTPs they use at this stage.
All information is provided for informational purposes only. Neither the editorial board nor the author is responsible for any possible harm caused by the materials of this article.
Finding Unclosed Doors
The number of possible attack vectors depends on the number of entry points available to an intruder. The entry points can be formally classified as follows:
• information systems located on the perimeter and having access to the Internet (servers, workstations, administrative panels of special equipment, etc.);
• mobile devices used by employees inside the perimeter and beyond it;
• accounts in the cloud services of employees (including those used for personal purposes).
The last item often requires the attacker to “interact” with the victim (for example, to communicate with the target of a phishing attack), which increases the risk of the attack being detected. Therefore, in some cases priority is given to exploitable entry points located on the perimeter.
The network perimeter is a concept that, with the development of technology and the widespread adoption of clouds, is gradually disappearing. The Bring Your Own Device (BYOD) concept, which allows company employees to use personal devices for business processes, as well as the arrival of cloud services (hello, Office 365!), blur the perimeter. It is incredibly difficult to monitor the flow of data between the corporate network and the outside world. This also makes life easier for intruders: the variety of options for penetration grows.
In large organizations, the perimeter is full of services that the admins have forgotten about (or do not know about) and that have not been patched for a long time. I propose looking for such services in your own organization. Using my favorite medical organizations as an example, we will consider many penetration vectors. Afterwards, you can use this knowledge to inventory the perimeter of the networks that belong to you.
From editorial conversations
– Denis, let’s analyze ten interesting penetration scenarios using real examples from APT!
– I studied the topic, sketched out the scenarios of targeted attacks and, honestly, I must say that there is nothing in them that would inspire me: almost all of them begin with the stage “sent a phishing letter”… 🙂
Scan, mark, repeat
Obviously, to understand what is located on the network perimeter, you need to obtain the ranges of IP addresses belonging to the target organization. This list may well contain IP addresses of third parties (service providers, contractors, etc.): the attacker will certainly include them in the scope, whereas you, as an auditor of your own network, cannot do this. The resulting IP ranges can be fed into a port scanner. Instead of Nmap I recommend using Masscan or ZMap, which greatly shortens the scan time.
So, to assess the entry points into medical corporate networks, you can download from RIPE the IP address ranges of all organizations whose names contain the keywords:
After that, you can start the port scanner and wait a few days for the results.
If you scan with ZMap, you can then use the ZTag utility to tag each discovered service. Tags are assigned on the basis of the collected banner database. In the case of the medical scans, the services found were classified as follows:
Among trivial things like web applications and mail servers there are interesting applications: building management systems (by the way, we have a whole series of articles on this topic), printers (often without any authorization on the admin panels), NAS storage (and even specialized PACS servers), smart kettles and so on. For each service found, the attacker can determine attack vectors and evaluate the complexity (read: the cost) of implementing them.
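As an added example (not code from the article, ZMap or ZTag), here is a small Python script in the spirit of ZTag's banner tagging for a defender's perimeter inventory: it takes constructed scan results (IP, port, banner), tags each service with one of the classes listed above, and flags the classes the article calls forgotten doors for review. The signature patterns and sample banners are my own assumptions, not ZTag's database.

```python
import re
from collections import Counter

# Constructed sample scan output in the shape of (ip, port, banner).
# All addresses (TEST-NET range) and banners are invented for illustration.
SAMPLE_SCAN = [
    ("192.0.2.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)"),
    ("192.0.2.11", 25, "220 mail.example.test ESMTP Postfix"),
    ("192.0.2.12", 9100, "HP LaserJet 4250 JetDirect"),
    ("192.0.2.13", 445, "SMB Synology DiskStation"),
    ("192.0.2.14", 104, "DICOM association accepted"),
    ("192.0.2.15", 47808, "BACnet/IP device"),
    ("192.0.2.16", 8080, "HTTP/1.1 200 OK\r\nServer: Niagara Web Server"),
    ("192.0.2.17", 22, "SSH-2.0-OpenSSH_5.3"),
]

# Assumed banner signatures -> tag, roughly the classes the article lists.
# Order matters: specific device signatures are checked before generic web.
SIGNATURES = [
    (re.compile(r"dicom", re.I), "pacs"),
    (re.compile(r"bacnet|niagara|modbus", re.I), "building-management"),
    (re.compile(r"jetdirect|laserjet|printer", re.I), "printer"),
    (re.compile(r"synology|diskstation|qnap|nas", re.I), "nas"),
    (re.compile(r"esmtp|smtp|imap|pop3", re.I), "mail"),
    (re.compile(r"^HTTP/|Server:", re.I | re.M), "web"),
    (re.compile(r"^SSH-", re.I), "ssh"),
]

def tag_banner(banner):
    """Return the first matching tag, or 'unknown' if no signature fits."""
    for pattern, tag in SIGNATURES:
        if pattern.search(banner):
            return tag
    return "unknown"

def tag_scan(results):
    """Annotate each (ip, port, banner) record with its tag."""
    return [(ip, port, tag_banner(banner)) for ip, port, banner in results]

def summarize(tagged):
    """Count services per tag, like the classification chart in the article."""
    return Counter(tag for _, _, tag in tagged)

def find_exposed(tagged, risky=("printer", "nas", "pacs", "building-management")):
    """Hosts whose class the article singles out as typically forgotten on the perimeter."""
    return [(ip, port) for ip, port, tag in tagged if tag in risky]

if __name__ == "__main__":
    tagged = tag_scan(SAMPLE_SCAN)
    for ip, port, tag in tagged:
        print(f"{ip}:{port}\t{tag}")
    print(dict(summarize(tagged)))
    print("review these:", find_exposed(tagged))
```

On real ZMap output you would read the banners from the scan's CSV/JSON instead of SAMPLE_SCAN and extend SIGNATURES with the banners actually seen on your own ranges.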
Collecting information for social engineering
Gaining a foothold inside the corporate perimeter is often done most effectively through various social engineering scenarios, for example sending phishing messages that contain malicious attachments or links leading to phishing resources.
In order to implement these scenarios, the attacker must also collect information about the attack object in order to increase the likelihood that the addressee will follow the link in the email or open the attachment. Currently, the security services of large organizations are trying to raise their employees’ awareness of malicious mail, which obviously does not benefit the attackers. Now the villains need not only to circumvent the victim’s spam filters and deliver the “payload” to Inbox, but also to motivate the attack object to perform the necessary actions and, most importantly, not to cause suspicion.
The abundance of social networks, as well as the “emancipation” of their typical user, gives the attacker the opportunity to extract information about his victim and compose a convincing context of the “payload”: the text of the cover letter, the style of communication.
This is a creative task that depends on the specific situation, but as a general example, you can use a service that queries the public APIs of popular social networks to extract valuable account information.
For example, using LinkedIn an attacker was able to identify the key employees for organizing a spear-phishing attack, along with their names, surnames and contact information (e-mail). Using this data, it is easy to find the accounts of these employees on other social networks, for example on Facebook. With the help of a web service, the attacker can collect interesting statistics about the victims, for example where they traveled and in which hotels they stayed. Then, on behalf of the hotel, the villain can send a message with a reminder about the payment of some resort fee and an attached invoice as a PDF document. Profit!
Recon as art
The topic of extracting data about the target of an attack is very extensive, and more than one book has been written about reconnaissance based on open sources (OSINT) alone. For this reason, I have focused instead on gathering technical information about the perimeter: it often contains unclosed doors that have not been patched for years and that the owner may not even know about.
In addition, an attacker probing external resources does not interact with a person (as is the case with social engineering), which means that the only obstacles are the various IDS/IPS, WAF and everything else that records activity on the perimeter. If such tools are there at all.