Seeing what is currently being exposed about your networks and company resources is vital. This course will provide a fundamental understanding of both reconnaissance and scanning and how it can affect your security posture.
You've been tasked as an "Incident Handler" and you are wondering where you start. Attackers typically start with doing a little "reconnaissance" of their target, so it only makes sense that you start there as well. In this course, Performing and Analyzing Network Reconnaissance, you will learn how to think like an attacker in order to stay a step ahead of one. First, you will learn about the two different steps of reconnaissance and scanning. Next, you will learn what to look for, how it's done, and what you can do to protect your infrastructures. Finally, you will learn about tools you can use that the attacker will use against you. By the end of this course, you'll know how to look at your infrastructure the same way attackers do, and understand the process to minimize those threats.
Dale Meredith received his Certified Ethical Hacker and Certified EC-Council Instructor certifications back in 2006, as well as being a Microsoft Certified Trainer since 1998 (yes, we had computers back then). Dale takes great pride in helping students comprehend and simplify complex IT concepts.
Course Overview

Hey, everybody. This is Dale Meredith, and welcome to my course, Performing and Analyzing Network Reconnaissance. Let me give you a little bit of background about myself. I am a technical guy with a lot of technical certs from companies like Microsoft, EC-Council, and CompTIA. I'm a Microsoft and cybersecurity trainer and consultant for my own company, My Mentored Learning, and I also maintain my own security channel called Dale Dumbs it Down. This course is designed to kind of be a starting off point for several certifications that are all focused around cybersecurity, ethical hacking and incident handling. That starting off point is what we refer to as the reconnaissance stage, meaning we want to see what is currently being exposed about our networks and company resources or, better yet, what could be exposed without our knowledge. This is done through several steps and tools. Among those tools is for you to start thinking like an attacker so you understand the how and why of reconnaissance. Now, some of the major topics that we'll talk about will be things like what to look for when we're doing reconnaissance. We'll also look at some interesting online resources that can help you with reconnaissance that could possibly scare you a tad. We'll also make sure you understand why reconnaissance is so easily done. I'll give you a hint. It's because really, it is what it is. And, of course, we'll take a look at lots of tools that we can use and that attackers will use against you, and hopefully, by the end of this course, you'll know how to look at your infrastructure the exact same way that attackers do, and let's face it, knowing is half the battle. Now, before beginning this course, you should be familiar with the basics of networking, including things like TCP/IP and the basic knowledge of how to get around in Windows, iOS, Linux, in particular Kali Linux.
And from here, you should feel comfortable diving into courses on CSA+, ECIH, GCIH or really any cybersecurity related courses for networks. So I hope you'll join me on this exciting journey on learning how to start thinking like an attacker with Performing and Analyzing Network Reconnaissance course here at Pluralsight.
Initially What Do You Look For?

So this whole recon thing, what are you actually looking for? So to answer that question, I'm actually going to pull out another quote, you know me and my quotes. This one's actually from a movie from 1998 called Sneakers; it's a great movie about hacking. It stars Robert Redford, Sidney Poitier, one of my favorite actors, and in it Robert Redford meets up with his college buddy who's been this big hacker and he makes this statement. He says, "There's a war out there, old friend. A world war, and it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think. It's all about the information." And that is so true. The more information you have, and that's the whole purpose behind recon and footprinting, is that we're trying to get as much info as we can. We're going to first go through and take a look in this module at how to utilize or leverage search engines to our advantage, what type of information we can discover about the company, and not just where their website is, but you'll be surprised at what else we can find. We'll then go through and take a look at websites. Now this could be not only the customer's websites but some other websites that actually show you some very, very interesting things that you probably never knew were being recorded about possibly your own website. Then we'll go through and take a look at using Whois. I think he's on first, isn't he? Okay, that was a little bit of my Abbott and Costello coming out of me. Whois is a great little utility or site that we can use to discover more information about our target, and then we'll go through and take a look at utilizing some tools that you're probably familiar with, but again, we're going to leverage them a little differently. We're going to be using both PING to discover some information as well as DNS. So fire up your computer. Let's get going.
Reconnaissance via Google Hacking

So you know that Snickers commercial where the guy's in charge of painting the football field, and he gets done, and he looks, and one of the players points out to him as he runs off the field, "You know we're the Chiefs, not the Chefs," and the maintenance man utters the phrase which just cracks me up. He says, "Great googly-moogly." I think a lot of people end up saying something similar to that when they see what we can do with Google Hacking. Now, to kind of set this up, you need to understand what Google is designed to do. Google is not around to give you free applications and free storage space and a nice little search engine. That's not their job. Their job is to sell advertising, and they do that by providing those types of services. In fact, Eric Schmidt, who is the CEO of Google, once said, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." That is his whole concept when people have asked him about what Google's doing out there, as far as it going out and crawling. So in this module, we'll go through and make sure you understand how to get your Google on. In that, we'll look at understanding Google, what it does for us. We'll go through and then take a look at some of the Google operators. Then we'll get into taking a look at some advanced Google operators, and then we'll start taking those operators and using them a little differently, so that we start to find things that people wouldn't necessarily suspect to be out there, and, of course, to make things easier, we can bypass a lot of the syntax that we'll be implementing, but it's good to know, especially for your, wink wink, hint hint, nudge nudge, immediate future. You'll need to know some of the syntax. But there is something out there called the Google Hacking Database, also known as the GHDB. Then we'll go through and take a look at some of the other tools that we can use that implement or that are designed around Google itself.
Let's Not Forget PowerShell

Okay, so technology has been changing quite a bit on us, and one of the things that has come into the spotlight, has become very, very popular, is PowerShell, and believe it or not, you can actually use PowerShell during the reconnaissance process. In this module, we'll go through and we'll take a look at several different aspects. We'll look at, first of all, a quick overview of PowerShell. We'll then go through and take a look at or discuss why we would want to use PowerShell in the reconnaissance process. We'll then go through and make sure you get some basics down. If you haven't seen PowerShell or if you haven't watched a Pluralsight video on PowerShell, we'll at least get you started, and then guess what? I've got some demos for you. We'll go through, or I'll go through, and show you how to scan a network using PowerShell. Afterwards, I'll show you how to remote into a machine, as well as pull the registry off or even do things like show me user accounts, oh, yeah. So, let's get going.
Types of Scanning

Listen, the one thing that an attacker or a pen-tester doesn't want to do, that is be visible when he's doing his scanning. In this module, we're going to go through and take a look at the types of scanning that we can accomplish. Some of them are a little sneaky, while others are pretty blatant. Again, if you remember from our previous module, we talked about looking for live systems. And you know, here comes the Star Trek geek in me. What we're doing here is, we're again, scanning for signs of life, but we want to do it, and thanks, Spock, for that quote, I appreciate that, live long and prosper. We want to be able to do this so that we're not recognized as doing what we're doing. So we'll go through in this module and we'll take a look at a, ooh yes, I get to use my word again, a plethora of different ways that we can scan. One of the ways that we'll look at is called a Full Scan. It's extremely noisy. It's very blatant and very easily detectable. We'll also go through and take a look at Half-open Scans, and also take a look at an Xmas Tree scan, as well as a FIN scan. You know, some of these should be looking familiar to you, because we talked about the 3-way handshake. And now you'll understand where this comes into play. We'll also go through and take a look at what they refer to as a NULL scan, NULL meaning nothing. And we'll take a look at doing UDP scans. We'll also go through and take a look at different ways that we can avoid being detected by intrusion detection systems. And of course, we probably want to know what are some of the countermeasures. As being a security expert, this is great that you know these scans are being done, but what are the countermeasures for them? So get your tricorders ready and let's get scanning.
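One defender-side way to tell these scan types apart on the wire, as an added example that is not part of the course or any tool it names: it classifies TCP flag combinations from packet records in an assumed (src_ip, dst_ip, dst_port, flags) tuple format, distinguishes a half-open SYN probe from a completed full connect, and flags sources sweeping many ports; the sample records are constructed.

```python
"""Classify TCP flag combinations from packet records into the scan types this
module names, then flag sources probing many ports. Records are constructed."""
from collections import defaultdict

# A normal teardown is FIN+ACK, so a lone FIN, no flags, or FIN+PSH+URG is a probe
SCAN_BY_FLAGS = {
    frozenset({"SYN"}): "half-open (SYN) scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset(): "NULL scan",
    frozenset({"FIN", "PSH", "URG"}): "Xmas tree scan",
}

def classify_probe(flags):
    """Map a packet's TCP flag set to a scan type, or None for ordinary traffic."""
    return SCAN_BY_FLAGS.get(frozenset(flags))

def detect_scans(packets, port_threshold=5):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags) tuples (assumed format).
    A SYN probe followed by an ACK from the same source to the same port completed
    the handshake, so it is re-labelled a full (connect) scan. Returns
    {src_ip: (scan_types, distinct_ports)} for sources at or over the threshold,
    which keeps a single legitimate connection from being reported."""
    probes = defaultdict(dict)  # src -> {(dst, port): scan_type}
    for src, dst, port, flags in packets:
        fl, key = frozenset(flags), (dst, port)
        if fl == frozenset({"ACK"}) and probes[src].get(key) == "half-open (SYN) scan":
            probes[src][key] = "full (connect) scan"
            continue
        kind = classify_probe(fl)
        if kind:
            probes[src][key] = kind
    findings = {}
    for src, targets in probes.items():
        if len(targets) >= port_threshold:
            findings[src] = (", ".join(sorted(set(targets.values()))), len(targets))
    return findings

# Constructed sample: a noisy full scanner, an Xmas scanner, and one normal client
SAMPLE = (
    [("10.0.0.5", "10.0.0.20", p, ["SYN"]) for p in range(20, 26)]
    + [("10.0.0.5", "10.0.0.20", p, ["ACK"]) for p in range(20, 26)]
    + [("10.0.0.7", "10.0.0.20", p, ["FIN", "PSH", "URG"]) for p in (22, 25, 80, 443, 445)]
    + [("10.0.0.9", "10.0.0.20", 443, ["SYN"]), ("10.0.0.9", "10.0.0.20", 443, ["ACK"])]
)

if __name__ == "__main__":
    for src, (kind, n) in detect_scans(SAMPLE).items():
        print(f"{src}: {kind} across {n} ports")
```

UDP scans produce no TCP flags at all, so they need a separate rule on ICMP port-unreachable volume rather than this flag table.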
Banner Grabbing and OS Fingerprinting

So we've gone through, and we've found our live targets. We've scanned them to see which ports were open. Our next step is to go and try to identify the systems, and how we're going to do that, when I say identify, I'm talking about very, very specifically finding out what operating systems and what applications are possibly running on that machine. We're going to do that with Banner Grabbing and OS Fingerprinting. You know what, and I guess maybe the best way to sum up what this module's about was best phrased by the famous scholar, Joey Tribbiani, who said, "How you doing?" And that's exactly what we're doing here. We're trying to get to know the system, the target. We're trying to identify it, so we'll go through and we'll take a look at OS Fingerprinting, which is the process of going through and identifying the operating system by the way that it responds to certain types of packets we're going to send to it. Now there's something else we can do. It's called Banner Grabbing. This is a very direct way of identifying the system, and it's something you can't stop as an IT professional. It's just the way that operating systems are designed to work. They respond a specific way to different requests. And then eventually we'll go through and take a look at our countermeasures. Again, there are some things that you can't stop, but remember, my purpose as an ethical hacker is to slow the attacker down. I can't stop them. You're going to give yourself a heart attack thinking you can stop them, but you can't.
More Tools for the Utility-belt

Okay, let's now take a look at some additional tools that we can add to our utility-belt. Yeah, getting my Batman fix in. So, in this module, we're going to look at some applications that you might see in your immediate future on several different incident-handling exams. We're going to go through and first talk about war dialing and some wireless tools. And I know some of you guys are rolling your eyes right now, but hang on. We'll also talk about fragging-out, making sure you understand about fragmentation and what we can do to manipulate that. As an incident handler, you also need to be aware of web scanners and what they do, and, in particular, there's a product you need to be aware of. It's originally called Bro. Yo, Bro. It's now part of the Security Onion. So trust me, okay? Go ahead and strap on your security hats, and let's get going.
Threats from Wireless

So what are the threats from wireless? I mean, again, it's a great technology, or great media. Is it really a media, if it's wireless? Ah, that's beside the point. But the aspect is, at least in this course, is how do we evaluate the threats, or possibility of threats, that we expose our networks to? So here comes another one of my famous quotes. This one may have been said while under the influence by Eddie "The Man" Van Halen. He said wireless is wireless and it's digital. When digital first started, I swear I could hear the gap between the ones and zeros. Yeah, sure you could, Eddie. You just keep playing that guitar for me, would ya? So, in this module we're going to go through and take a look at the fact that you're going to have lots of issues. Some of those issues are going to include the different types of attacks that can be made against your environment. And we'll go through and look at integrity attacks, confidentiality attacks, availability attacks and authentication attacks. We'll then go through and look at another vector, which is the attack on the access point, and that's going to include things such as Rogue AP attacks, unauthorized associations, HoneySpot, I did not misspell that, a lot of you guys might be thinking honeypot. Nope, it's called a HoneySpot AP attack, and we'll also look at some AP MAC spoofing. The other vector would include attacks on the client, and those are going to include things such as a Denial of Service attack on the client, as well as ad-hoc attacks, and we'll get our jammin' on. So, let's jump into this.