Red Team Recon/Weaponization

[WDavid404]

Red Team Recon

Topics:

• Types of reconnaissance activities
• WHOIS and DNS-based reconnaissance
• Advanced searching
• Searching by image
• Google Hacking
• Specialized search engines
• Recon-ng
• Maltego

Objectives:

• Discovering subdomains related to our target company
• Gathering publicly available information about a host and IP addresses
• Finding email addresses related to the target
• Discovering login credentials and leaked passwords
• Locating leaked documents and spreadsheets

[WDavid404]

Taxonomy(分類学) of Reconnaissance

Reconnaissance (recon) can be classified into two parts:

• Passive Recon: can be carried out by watching passively
• Active Recon: requires interacting with the target to provoke it in order to observe its response.

Passive recon: relies on publicly available information that is collected and maintained by a third party. Open Source Intelligence (OSINT) is used to collect information about the target.

Active Recon: External Recon and Internal Recon.

Built-in Tools

whois:

WHOIS is a request and response protocol that follows the RFC 3912 specification. A WHOIS server listens on TCP port 43 for incoming requests. whois will query the WHOIS server to provide all saved records. whois thmredteam.com whois thmredteam.com -h <whois server's IP>

Netcraft (from OSCP)

Netcraft's DNS search page (https://searchdns.netcraft.com) to gather information.

Netcraft1 is an internet service company, based in England, offering a free web portal that performs various information gathering functions such as discovering which technologies are running on a given website and finding which other hosts share the same IP netblock.

Gitlab search (from OSCP)

e.g. Let's search MegaCorp One's repos for interesting information. We can use path:users to search for any files with the word "users" in the filename and press ENTER.

Security Headers and SSL/TLS

Security Headers (https://securityheaders.com/)

DNS queries

. dig

dig provides a lot of query options and even allows you to specify a different DNS server to use. For example, we can use Cloudflare's DNS server: dig @1.1.1.1 tryhackme.com

host:

host cafe.thmredteam.com

// Using host to find the MX records for megacorpone.com
kali@kali:~$ host -t mx megacorpone.com
megacorpone.com mail is handled by 10 fb.mail.gandi.net.
megacorpone.com mail is handled by 20 spool.mail.gandi.net.
megacorpone.com mail is handled by 50 mail.megacorpone.com.
megacorpone.com mail is handled by 60 mail2.megacorpone.com.

//Using host to find the TXT records for megacorpone.com
kali@kali:~$ host -t txt megacorpone.com
megacorpone.com descriptive text "Try Harder"
megacorpone.com descriptive text "google-site-verification=U7B_b0HNeBtY4qYGQZNsEYXfCJ32hMNV3GtC0wWq5pA"

//Using Bash to brute force forward DNS name lookups
kali@kali:~$ for ip in $(cat list.txt); do host $ip.megacorpone.com; done

//by showing only entries that do not contain "not found".
kali@kali:~$ for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"

DNSRecon

DNSRecon5 is an advanced DNS enumeration script written in Python. Let's run dnsrecon against megacorpone.com, using the -d option to specify a domain name and -t to specify the type of enumeration to perform (in this case, a standard scan). kali@kali:~$ dnsrecon -d megacorpone.com -t std use the -d option to specify a domain name, -D to specify a file name containing potential subdomain strings, and -t to specify the type of enumeration to perform, in this case brt for brute force. dnsrecon -d megacorpone.com -D ~/list.txt -t brt

DNSnum

DNSEnum is another popular DNS enumeration tool that can be used to further automate DNS enumeration of the specified domain. dnsenum megacorpone.com

nslookup

nslookup mail.megacorptwo.com
nslookup -type=TXT info.megacorptwo.com 192.168.50.151
//note: DNS server (192.168.50.151) 

Traces the route taken by the packets from our system to the target host

traceroute (Linux), tracert (Windows)

Advanced Searching

下面文法有助于更精准地在搜索引擎上搜索 Symbol / Syntax	Function
"search phrase"	Find results with exact search phrase
xxx filetype:pdf	Find files of type PDF related to a certain term.
xxxx site:blog.tryhackme.com	Limit search results to a specific site.
xxxx -site:example.com	Exclude a specific site from results
xxxx intitle:TryHackMe	Find pages with a specific term in the page title.
xxxx inurl:tryhackme	Find pages with a specific term in the page URL

搜索引擎： Google Advanced Search. Google Refine Web Searches, DuckDuckGo Search Syntax, Bing Advanced Search Options.

Google Hacking Database （GHDB）

Footholds

• Consider GHDB-ID: 6364 as it uses the query intitle:"index of" "nginx.log" to discover Nginx logs and might reveal server misconfigurations that can be exploited.
• Files Containing Usernames For example, GHDB-ID: 7047 uses the search term intitle:"index of" "contacts.txt" to discover files that leak juicy information.
• Sensitive Directories For example, consider GHDB-ID: 6768, which uses the search term inurl:/certs/server.key to find out if a private RSA key is exposed.
• Web Server Detection Consider GHDB-ID: 6876, which detects GlassFish Server information using the query intitle:"GlassFish Server - Server Running".
• Vulnerable Files For example, we can try to locate PHP files using the query intitle:"index of" "*.php", as provided by GHDB-ID: 7786. Vulnerable Servers For instance, to discover SolarWinds Orion web consoles, GHDB-ID: 6728 uses the query intext:"user name" intext:"orion core" -solarwinds.com.
• Error Messages Plenty of useful information can be extracted from error messages. One example is GHDB-ID: 5963, which uses the query intitle:"index of" errors.log to find log files related to errors.

Specialized Search Engines

ViewDNS.info Threat Intelligence Platform Censys Search Shodan: shodan host 172.67.212.249 https://cli.shodan.io/

[WDavid404]

Recon-ng

Creating a Workspace

Run workspaces create WORKSPACE_NAME

recon-ng -w WORKSPACE_NAME starts recon-ng with the specific workspace.

Seeding the Database

We want to insert the domain name thmredteam.com into the domains table. We can do this using the command db insert domains.

pentester@TryHackMe$ recon-ng -w thmredteam
[...]
[recon-ng][thmredteam] > db insert domains
domain (TEXT): thmredteam.com
notes (TEXT): 
[*] 1 rows affected.
[recon-ng][thmredteam] > marketplace search

To check the names of the tables in our database, we can run db schema To query domain: db query select * from domains To query host: db query select * from hosts

Recon-ng Marketplace

• marketplace search KEYWORD to search for available modules with keyword.
• marketplace info MODULE to provide information about the module in question.
• marketplace install MODULE to install the specified module into Recon-ng.
• marketplace remove MODULE to uninstall the specified module.

We can install the module we want with the command marketplace install MODULE, for example, marketplace install google_site_web.

Working with Installed Modules

• modules search to get a list of all the installed modules
• modules load MODULE to load a specific module to memory

To run it, we need to set the required options.

• options list to list the options that we can set for the loaded module.
• options set <option> <value> to set the value of the option.

Keys

Some modules cannot be used without a key for the respective service API. K indicates that you need to provide the relevant service key to use the module in question.

• keys list lists the keys
• keys add KEY_NAME KEY_VALUE adds a key
• keys remove KEY_NAME removes a key Once you have the set of modules installed, you can proceed to load and run them.
• modules load MODULE loads an installed module
• CTRL + C unloads the module.
• info to review the loaded module’s info.
• options list lists available options for the chosen module.
• options set NAME VALUE
• run to execute the loaded module.

[WDavid404]

Maltego

an application that blends mind-mapping with OSINT. In general, you would start with a domain name, company name, person’s name, email address, etc. Then you can let this piece of information go through various transforms.

In Maltego’s terminology, a transform is a piece of code that would query an API to retrieve information related to a specific entity. Every transform might lead to several new values. For instance, if we start from the “DNS Name” cafe.thmredteam.com, we expect to get new kinds of entities based on the transform we use. For instance, “To IP Address” is expected to return IP addresses as shown next.

Transform hub: https://www.maltego.com/transform-hub/

• the transform that queries NIST’s National Vulnerability Database: NIST NVD

[WDavid404]

Weaponization

Weaponization

Weaponization is the second stage of the Cyber Kill Chain model. In this stage, the attacker generates and develops their own malicious code using deliverable payloads such as word documents, PDFs, etc.

Most organizations block or monitor the execution of .exe files within their controlled environment. For that reason, red teamers rely on executing payloads using other techniques, such as built-in windows scripting technologies. Therefore, this task focuses on various popular and effective scripting techniques, including:

• The Windows Script Host (WSH)
• An HTML Application (HTA)
• Visual Basic Applications (VBA)
• PowerShell (PSH)

Command And Control - (C2 Or C&C)

C2 frameworks are post-exploitation frameworks that allow red teamers to collaborate and control compromised machines. C2 is considered one of the most important tools for red teamers during offensive cyber operations.

Some popular C2 frameworks that we'll briefly highlight are

• Cobalt Strike,
• PowerShell Empire,
• Metasploit. Most of these frameworks aim to support a convenient environment to share and communicate between red team operations once the initial access is gained to a system.

Delivery Techniques

• Email Delivery： The goal is to convince the victim to visit a malicious website or download and run the malicious file to gain initial access to the victim's network or host.
• Web Delivery
• USB Delivery