- So, John, what is reconnaissance?

- So, reconnaissance is the very first step in the entire engagement. It's really where you're trying to map out the entire network, to find out as much as you can about the environment before you actually launch all of your attacks against it. So, there are really two types: there's passive and active reconnaissance.

- So, if there are two types of reconnaissance, what actually is passive reconnaissance?

- So, passive reconnaissance is all of the research that you're doing without actually sending any information to the target network. So, you're not scanning their network, you're not performing phishing, you're not doing any vulnerability scans or port scans or anything. You're just researching their environment, looking up Google searches, looking up... we'll show you different types of research that you can actually do without sending information to that organization, and you can find out a surprising amount of information about them without actually tripping any alarms.
You imagine, if you're doing public searches, you're not going to trip an intrusion detection alarm or an antivirus alarm, and they won't know that you're doing all this research. But what's really amazing about reconnaissance is that there's so much information that you can find out about an organization without actually attacking it: you can find out open ports on their external network, you can find out their employees, you can often find out passwords that they have from public breaches, and all of this you can do without tripping any alarms. And it's often the most overlooked and skipped part of the entire hacking engagement. So, Omar, what is wrong with actually skipping the reconnaissance phase?

- There are a few drawbacks if you actually skip this phase, especially the non-active or passive reconnaissance phase. So the first one is actually a missed vulnerability, so things that you should actually be paying attention to.
Second is that you can attack the wrong system, and actually, whenever... we talked about scoping in lesson one; this is actually when it becomes a little bit more relevant. So, make sure that you actually have a clear scope of what systems are, of course, within scope of your testing and what are not, and that's actually one of the most common mistakes that a lot of people actually make. In some cases, this can actually lead to legal problems. The other one is actually shunning, and also alerts. So, these are some examples; of course, there are several of them out there, but that's why reconnaissance is a really crucial phase and one of the first ones you do. So, John, has reconnaissance actually helped you in a penetration testing engagement?

- Yeah, reconnaissance has really helped on penetration tests. Through various penetration tests, when we performed the reconnaissance phase, we have found new subnets that weren't listed, and we brought it back to the client and said, "Are these actually subnets that you own?"
And oftentimes they'll say, "Oh, we didn't even know those subnets existed, but those are actual ones that we own," and we've included that in the tests, and those are usually the most vulnerable systems because they're not being monitored, they're not on their network diagrams. One particular case that I'd like to talk about is where we were working with a large healthcare environment, where they told us that their most sensitive system was this one particular box, and they told us they have a large network but we should focus all of our attacks on this one machine. So, when you first looked at that machine, that machine was really locked down.
They had all their attention on that, so after we looked at that for a little bit, we performed our usual reconnaissance, and through the reconnaissance we found out that there were various test machines on the network that they completely forgot about, that were all in there. So, once we targeted those machines, which were not really monitored by them... we found them completely through passive reconnaissance, so we were looking up what systems they had connected, and we found several systems called test systems, and their actual name was "test system", and so, when we targeted those, we found out those were actually very easy to get into. Once we got into those, we were able to actually get into the main systems that they were talking about. So we couldn't actually access the main systems directly, but through passive reconnaissance we found several test systems, and we were able to get into the central systems that way.

- Cool.