One of the topics this week is about Reconnaissance, or learning about the target. You may be hired to think just like an outsider, someone trying to “hack” their way in. Remember that some of the “hacking” techniques may not require specific coding. There are so many methods that, for this week’s question, everyone needs to post a unique method of performing reconnaissance in order to earn full points. Describe the method of reconnaissance, and if possible, provide an example of a “hack” or other breach that can be tied back to the information learned due to reconnaissance.
I’ll start with an example that you’re likely seeing on television as part of New Jersey Transit’s “See Something, Say Something” campaign. The commercial promotes security awareness, with several suspicious actors. One of the scenes shows two people along the road, possibly looking at their potential target, but more specifically, another actor taking pictures, and the scene is shown from the viewpoint where we see that the pictures being taken are those of the CCTV system. Why? By taking pictures of the facility, the outsider is learning about the physical security controls of the facility, and can plan the attack to avoid the line of sight from these cameras.
A good example of reconnaissance would be dumpster diving in the company’s trash / dumpsters to see if you can find any sensitive information that was not properly destroyed. The issue with this is that if someone sees you rummaging through the trash, you may have security / the police called on you for doing so.
I like this classic example of physical reconnaissance. I would argue that many people tend to forget about this method, which makes it still quite useful today, especially with how freely people disregard the privacy of their own data. It is not all that rare for organizations to place sensitive, legible information in the trash on site.
Another example of (passive) reconnaissance would be identifying an IP block with nslookup, in the context of an external or black-box penetration test or an unethical malicious hack as well. Using the nslookup command is OSINT, and can reveal information on DNS records relevant for gaining entry to a system. After performing this type of reconnaissance, the penetration tester will then be able to try to map the network from the obtained IP block, and proceed to follow the cyclic process of enumerating, identifying vulnerabilities, and, provided the skill and experience, exploiting them to eventually escalate privileges in the target system(s).
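As an added example (not part of this post or the course material), the following Python script shows what this kind of DNS lookup yields to whoever runs it, written from the defender’s side: it parses constructed nslookup output for a hypothetical domain example.com (addresses taken from the RFC 5737 documentation ranges, so nothing real is resolved), pairs each hostname with its address, groups the hosts into /24 blocks, and computes the smallest single CIDR block that covers all of them. That is the same check an organization can run against its own public zone to see what address space and hostnames it is advertising. The hostnames, addresses and function names are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: what `nslookup` prints for a few hostnames of a hypothetical
# domain example.com. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:   198.51.100.1
Address:  198.51.100.1#53

Non-authoritative answer:
Name:     www.example.com
Address:  203.0.113.10
Name:     mail.example.com
Address:  203.0.113.25
Name:     vpn.example.com
Address:  203.0.113.40
Name:     cdn.example.com
Address:  192.0.2.200
"""


def parse_nslookup(output):
    """Return (hostname, address) pairs from nslookup-style text.

    The resolver's own "Server:/Address:" header has no preceding "Name:" line,
    so it is skipped; every "Address:" that follows a "Name:" is an answer record.
    """
    records = []
    name = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            name = line.split(None, 1)[1]
        elif line.startswith("Address:") and name is not None:
            records.append((name, line.split(None, 1)[1]))
            name = None  # one address per Name: line in this output format
    return records


def group_by_block(records, prefixlen=24):
    """Group hostnames by the /prefixlen network their address falls in."""
    groups = defaultdict(list)
    for name, addr in records:
        # strict=False lets ip_network() mask the host bits for us
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[str(net)].append(name)
    return dict(groups)


def smallest_enclosing_block(addresses):
    """Widen a /32 one bit at a time until it contains every address (IPv4 only)."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()  # one bit shorter prefix each step
    return block


def summarize(output):
    """Inventory of what the lookup output discloses: hosts, /24 blocks, covering block."""
    records = parse_nslookup(output)
    return {
        "hosts": [name for name, _ in records],
        "blocks": group_by_block(records),
        "enclosing_block": str(smallest_enclosing_block([addr for _, addr in records])),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_NSLOOKUP_OUTPUT)
    print("hosts:", ", ".join(report["hosts"]))
    for block, names in sorted(report["blocks"].items()):
        print(f"{block}: {', '.join(names)}")
    print("smallest block covering everything:", report["enclosing_block"])
```

Three of the four sample hosts land in one /24 and in a /26 inside it, which is exactly the kind of clustering that tells an outsider where a network lives; running the same summary against your own zone tells you what you are disclosing before anyone else does.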
Reconnaissance could come in the form of social media. Sites like Facebook, Twitter, and even LinkedIn contain large amounts of information that could become valuable to a hacker. Particularly with LinkedIn, an attacker has the ability to see where an individual works, who their team members are, and even what they are working on. This can allow them to gain insider information. As we discussed in class, an employer or even an employee could state what current technologies they are working on/looking for. An article from Trend Micro states that engineers from AMD had leaked information related to their next-generation products on their LinkedIn.
Source: Pernet, C. (2015, June 2). Reconnaissance via professional social networks. TrendLabs Security Intelligence Blog. https://blog.trendmicro.com/trendlabs-security-intelligence/reconnaissance-via-professional-social-networks/.
It is amazing how much people claim to care about privacy and spying from the government while willingly laying out their entire life on social media. Really boggles the mind. This method provides con-men with even more information than they need to fool an unsuspecting person by playing off of the target’s interests, hobbies, place of employment, and vacation schedules.
A form of reconnaissance could simply be observation. For instance, what times do the security guards (if any) go on break? Are there any gaps in their schedule? What would the best times to break in be? Who works at the company, and what are they like? For example, if an individual at the company is disgruntled, they could potentially be more likely to be a target for social engineering.
This is a great example that often gets overlooked. Observations can tie into many different forms of reconnaissance, whether physical or in a digital form. Physically, like you said, noticing when security guards go on break or knowing where all of the security cameras are located; and digitally, going along with your statement, it could be an employee database or even LinkedIn.
In the attack against Microsoft back in April, it is believed that the Chinese hacking group gathered lots of information on personal accounts through reconnaissance before carrying out the final attack. By gathering this personal information and accounts, they used them to infiltrate universities, law firms, and infectious-disease researchers. After those initial infiltrations, they found a universal exploit for Microsoft Exchange as a whole and used that information to carry out the global attack.
https://www.wsj.com/articles/suspected-china-hack-of-microsoft-shows-signs-of-prior-reconnaissance-11617800400
My favorite technique for performing recon is to attend a job interview at the company of interest. The information gathered during an interview can be quite sensitive and useful to an attacker because interviewers are often overworked/unsatisfied employees who might look kindly upon an intriguing technical discussion or an opportunity to complain about the company’s unwillingness to either invest in newer, more secure technologies or mitigate glaring risks.
In addition to the information that can be attained during the actual conversational process of the interview, the threat actor can observe the layout of the building and check which physical security controls are in place.
This is a great social engineering example, Tal. This is realistically impossible to prevent, in my opinion, and, interestingly enough, it does provide that extra internal information from within the organization.
One form of recon could be walking through a company’s parking lot and looking for valuable information on employee vehicles. This link shows what information can be obtained about someone just from their bumper stickers:
http://ecbpublishing.com/what-do-your-bumper-stickers-really-tell-people/
With information about a person, an intruder could then potentially socially engineer their way into more information. For example, they could target an employee with a phishing email with a subject line that pertains to one of their interests.
This is really interesting because I would have never thought you could gain so much information through bumper stickers. I think the littlest details can really help uncover major details about the person. It would not be hard to guess what the person likes or what they like to do.
Reconnaissance could be learning about others through what they do and where they work. This could be at work or at companies that are in the same industry. When you know what the life is like yourself, it is very easy to learn about others. You can easily tell if the person likes to go out after work or has other reservations. You can easily pick up things they like to do at work or who they like to talk to, and these activities would fall through the cracks. It would not be hard to learn about someone’s lifestyle when you have had your experience and you know how to dig deeper.