Learn about the structure of the reconnaissance phase of a pen test or red team exercise. Plus, learn about the value of enumeration in that phase in order to rapidly identify weak points in a target .
- [Instructor] Lockheed Martin has described a cyber attack in seven stages starting with reconnaissance. The reconnaissance stage is where the attacker or pen tester looks at the overall environment, identifies specific targets to be tested and then focuses in on target enumeration. Whether you're doing your OSCP examination, conducting a pen test or running a red team exercise, you need to carry out reconnaissance. Good reconnaissance will help identify the targets and the likely points of vulnerability that can be used to gain initial access to them.
Even once inside a target, internal reconnaissance is often necessary to understand how to escalate privileges. Kali has a number of tools that can be used to do this. Reconnaissance doesn't always happen sequentially. It's often carried out iteratively with more reconnaissance being possible as more detailed information is found. For example identifying a target and getting some initial information may point to other targets not found in the initial reconnaissance.
A service banner may indicate a specific level of operating system which then can be used to step back and better identify likely vulnerabilities in other services. Good reconnaissance will pay off by enabling more accurate identification and prioritization of vulnerabilities. In a red team exercise the domain may be explicit or it may need to be identified by researching open source material for the enterprise.
The main reconnaissance can provide substantial insight into the networks used by the target. Additional reconnaissance around mail can provide useful insight into email addresses that might provide a channel for social engineering. This will all be valuable information for selecting targets to look at. Network reconnaissance or scanning is used to acquire individual hosts on a subnet that you may want to target for subsequent testing. Some hosts may not respond to simple pings but using Kali's tool set enables a variety of techniques to be used to probe for an active host.
Whether a host is virtual or bare metal isn't that relevant. The operating system attack surface will be the same. Once a target has been acquired, we need to scan the target to see how we can gain access. This is the stage in reconnaissance known as enumeration and is the main focus for this course. The useful first step in enumeration is to identify the operating system used, the service pack level, the services exposed and the specific versions of those services.
If the operating system has a known vulnerability this may be an easy way in. The next step is to enumerate the exposed services on the host looking for the type and version of service as well as general information about the host. Gaining access to a target isn't always through a vulnerability. Often it will come from poor configuration and detailed enumeration is required to identify configuration weaknesses. This is the most complex part of pen testing as it requires experience and skill more than knowledge of the tools.
Once you know the exposed services you then start probing them for any information they made provide. This will require that you have access to and a good knowledge of how to use specific to service scanning scripts and tools. The initial probes may reveal information such as the credentials, email addresses, shares and so on, as well as any known weaknesses existing on the target. An important aspect of enumeration is speed.
Whether you're doing a time limited exam such as OSCP or whether you're on a real world assignment you'll have limited time to gain access to the target. It's important to develop the ability to get access as quickly as you can so that you can get that root shell. Efficient enumeration is the key to that. Once you have a foothold on the system, ideally a shell, you then need to carry out enumeration of the internal system as you try to find weaknesses which will enable you to gain root access.
The first thing to do is to navigate route and find the internal structure of the host. The folder hierarchy is a good place to start. By checking the home or user's folder, you can identify what users are registered and by checking the web root, what web pages exist. Identifying what processes are running is also useful to see what might provide further access opportunities such as process migration. Often a vulnerability will be found when a system administrator has omitted to harden the service allowing access in through a weak point.
You may find the system administrator has created a convenient access point assuming that an attacker wouldn't find it or has stored the credentials in an accessible place for convenience. Taking a few minutes to do a basic look around the target before starting deep enumeration may pay dividends. This course focuses on the enumeration of the host. Despite the need to enumerate quickly, spending time enumerating the host is time well spent.
The host may not present everything to a simple scan and more work may be required to pry the secrets out of a recalcitrant host. Sometimes a host won't provide any obvious access vectors. Simply brute force approaches can be successful but they're slow, sometimes too slow to be feasible. So understanding how to use smart approaches to enumeration is important. Kali provides many enumeration tools including service-specific ones which can be used to obtain potentially valuable details of the services.
We'll look at a number of these tools as we progress through this course.
- Using Masscan for rapid full-service scanning
- Passive scanning with Shodan
- Using Nmap scripts
- Scanning with Reconnoitre and Vanquish
- Diagnosing uncommon ports
- Enumerating Drupal, WordPress, and Joomla sites
- Enumerating in the Linux shell
- Using the JAWS PowerShell script