00:00:06,587 --> 00:00:17,290
So what types of information can you find out about a system or a network or a company without actually attacking it? Turns out a whole lot.

00:00:18,339 --> 00:00:37,807
If you do any type of search engine searches, you can find out information on other systems that are available. For example, if you do a Google search for a company, let's say they're called example.com. If you use the site colon example.com search, it'll show up anything for that website's domain.

00:00:37,807 --> 00:00:48,093
Now most of the time you'll see something like www.example.com; other times you'll find maybe mail.example.com or vpn.example.com.

00:00:49,485 --> 00:00:58,000
The way to filter out some of that is to write minus site colon and then the site that you're actually trying to get rid of.

00:00:58,000 --> 00:01:17,250
So, if you initially search for site:example.com and you do minus the www.example.com, it will filter out any searches that exclude the www, which is really great because you'll start finding hosts that are not as popular for that domain.

00:01:17,250 --> 00:01:25,474
So, oftentimes you'll find test systems or developer systems, and that's one really neat way to actually filter it through.
00:01:25,474 --> 00:01:34,747
And you're doing pure web searches, which means that you're only looking at Google results or Bing results and you're not actually attacking their systems.

00:01:34,747 --> 00:01:40,930
In my practice, we have found many hidden systems doing just this very trick.

00:01:41,839 --> 00:01:52,048
Certificate transparency is another tool that security testers like to use to find out other sites that are available for the particular company.

00:01:52,048 --> 00:02:08,719
Basically, what the tool does is it looks for any type of issued certificates, so any certificates that the company purchased to encrypt their websites. You can find the issued ones, and using that tool you can actually find out other systems that they purchased certificates for.

00:02:08,719 --> 00:02:25,835
So let's say a company purchased the certificate for vpn.example.com. You know that's probably a system that their employees use to connect to the company from home, and if you find out that the certificate is issued to it, then you have another target on your list.

00:02:25,835 --> 00:02:41,686
Sometimes the best way to find out systems is just to guess what systems are out there. If you use nslookup, you just type in nslookup www.example.com and you'll find out the IP address for the www site.
00:02:41,686 --> 00:02:52,616
Maybe you'll type in nslookup test.example.com and see if an IP address gets returned for that. If you get an IP address back, then that means that that host exists.

00:02:52,616 --> 00:03:15,015
So, what attackers will do is they'll create scripts of thousands and thousands of potential host names, and they will keep guessing them until they find IP addresses that get returned. And that's one really great way to actually find out other hosts that are available on this network, without actually targeting the network directly.

00:03:15,015 --> 00:03:47,365
The regional internet registries are also a really great way to find out information about an organization. If you know some IP addresses that belong to that organization, you can go to one of these regional internet registries, go to their website, type in the IP address, and it will return other networks that belong to the company, and also talk about potential technical contacts for this company, and other information that the organization might think are actually hidden, but they're publicly available.

00:03:47,365 --> 00:03:55,468
So, you'll also find out email addresses for some of their technical contacts, phone numbers as well, which make really good phishing targets.
00:03:55,468 --> 00:04:04,942
These are the internet registries: there is AFRINIC, there's APNIC, ARIN, LACNIC and RIPE, all for the different regions of the globe.

00:04:04,942 --> 00:04:24,077
Netcraft searches, that's a great site for finding out what types of websites are available for the organization. It'll let you know if the website's running WordPress or Joomla or what other type of programming they've done on the back end. It's a really great resource.

00:04:24,077 --> 00:04:40,594
There's also Shodan and Censys.io. These tools are immensely useful. Basically, what they do is they go and do the scanning of all systems on the internet and they list what systems are actually connected to the internet.

00:04:40,594 --> 00:05:02,495
So you can find out if, once you type in that address for the organization you're looking at, it'll tell you all the services that are available, any ports they're listening in on, and potentially any vulnerabilities that are on these organizations. So, you're finding out open ports without even doing any types of port scanning.

00:05:02,495 --> 00:05:06,860
Let's take a look at how we perform some Google searches on an organization.
00:05:06,860 --> 00:05:14,183
So we'll use the site colon for example.com, that's the example we were using, and you can see there's one site that appears.

00:05:14,183 --> 00:05:26,363
If we want to filter out sites we can do minus site www.example.com, and that will filter that out from the results and only show other sites that are not www.example.com.

00:05:26,363 --> 00:05:38,637
Let's take a look at the certificate transparency. So the certificate transparency looks at any types of issued certificates for that domain, so you can find out different host names for that domain.

00:05:39,831 --> 00:05:47,137
So the Google transparency report is the site we're using. You type in the example.com that we're using.

00:05:49,579 --> 00:06:15,927
Of course, you'd use your real domain, and you can see different issued certificates, so we can see there's a .org, .com, and other sites, but when you actually use this on a real organization, you'll find many, many more sites, especially the larger the organization. They might have mail.example.com, vpn.example.com; there'll be a host of others for larger organizations.

00:06:17,337 --> 00:06:27,681
So if you want to perform nslookup, remember nslookup will find out the IP address that's associated with the domain. So we're going to do an nslookup on www.example.com.
00:06:27,681 --> 00:06:36,081
Just so we can use the IP address to query the organization for more information. So we can see, we found the IP address for that organization.

00:06:36,081 --> 00:06:49,312
Remember you can do this nslookup from the command line of any Windows machine or any Linux machine. We're going to copy the IP address; we're going to look at whois for that IP address as well.

00:06:49,312 --> 00:06:58,833
So, we'll type in whois, space, and then the IP address, and we're going to find out the whois record that's actually associated with that IP address.

00:06:59,731 --> 00:07:11,430
So we type that in and we can instantly see the whois record. The regional internet registry that this belongs to is RIPE. This IP address is in Europe somewhere.

00:07:12,943 --> 00:07:22,891
And we can see a lot of interesting information. We found out a technical contact for that organization. We can also see a phone number for this individual as well.

00:07:22,891 --> 00:07:32,348
And what's really interesting about that is, for many organizations, once you find out the technical contact, that's going to be a trusted individual in the company.
00:07:32,348 --> 00:07:50,158
The individual probably will have higher level access than other individuals, and that would be a really good phishing target, or this individual might be somebody that you pretend your phishing email is coming from, since they're probably a trusted individual in that organization.

00:07:50,158 --> 00:07:57,877
This is all part of the data collection, that you just try to find out as much information about the organizations, so you can find out exactly how to target it.

00:07:57,877 --> 00:08:06,109
Let's put that IP address into the RIPE.net website to see, actually from the source, how that actually looks.

00:08:08,042 --> 00:08:32,610
So we find out some of the same information. What's interesting here is that, after typing in the IP address, it also shows the network block that belongs to that organization as well, so oftentimes you'll have one IP address, you'll find out the whole network block, and now we have a whole range of addresses that are associated with this organization, so now you have a whole other target to look at.
00:08:32,610 --> 00:08:43,692
So you can see if this entire network was in the rules of engagement of the company. If it's not, then this is probably something to ask the organization and bring it to them.

00:08:43,692 --> 00:08:55,896
Say, do you actually own this other subnet? And if they do, and they haven't paid much attention to it, then most likely you'll find more vulnerable targets on this network range.

00:08:55,896 --> 00:09:09,008
We can see again, here's our technical contact, with their address and phone number associated with it. So, as you can see, we're finding more and more information about this organization.

00:09:10,869 --> 00:09:16,836
Of course I'm using example here; when you're using the real organization, you'll find a lot more details.

00:09:18,271 --> 00:09:27,255
We can see other networks and other admin contacts associated with the domain, just from looking up the public information.

00:09:27,255 --> 00:09:38,399
Let's take a look at Netcraft. So if you go to netcraft.com, you can actually search for information on a particular domain, like we discussed.

00:09:38,399 --> 00:09:54,140
So we're just going to look for www.example.com, not using any real companies in this example, and you can find out information about the organization and find out where it's actually located.
00:09:54,140 --> 00:09:58,307
You can also find out what types of systems they're using.

00:09:59,758 --> 00:10:04,764
You can see that there's Linux systems that the web servers are running on.

00:10:06,046 --> 00:10:12,660
Depending on the website, you can find out a host of information, just by looking up the organization on netcraft.com.

00:10:13,720 --> 00:10:17,851
Remember, we're just building a profile slowly about this organization.

00:10:17,851 --> 00:10:34,211
Censys.io is another great resource that we discussed. All you have to do is put in the IP address of the system that you're looking at; you can also put in the whole network range as well, and it will return results for what types of services are listening.

00:10:34,211 --> 00:10:49,538
So we can see exactly where that system is located. We can also see that it's listening in on HTTP, so port 80 is open. We can also see port 443, so HTTPS is open as well on that system.

00:10:49,538 --> 00:11:02,754
And luckily the system is only listening in on those two IP addresses, but other public systems will be listening in on a whole bunch more services if they do not lock it down.
00:11:02,754 --> 00:11:11,126
What's interesting about this is, we just put the IP address in the site and found out all the services that are listening in on this system.

00:11:11,126 --> 00:11:24,350
We did this without even performing any port scans on this system, without triggering any types of alarms. We just used public information and we can see exactly what services are listening in on this IP address.

00:11:24,350 --> 00:11:38,170
It's still a good idea when we move into active reconnaissance to do the port scan, and then you can confirm your results and possibly find more ports that are open, but you can see we can find a wealth of information just using public information.

00:11:38,170 --> 00:11:52,025
We're going to look at Shodan, and we're going to perform the same exact search, so we're putting in the IP address, and it's saying ports 80 and 443 are open. It's showing the location of this system as well.

00:11:52,025 --> 00:12:02,227
One neat thing about Shodan is that you can also put in the company name in the search, and you can search systems belonging to that domain as well.
00:12:02,227 --> 00:12:22,805
So, I highly recommend that you get to know Shodan, Censys.io and see exactly how these searches work, and you can perform in-depth searches about the organization that you're working with and find out a lot of information, without even targeting the system directly.