Information Gathering – Then, Now and Why ?

Information gathering is considered first and most important part before launching any types of attacks, hacking or penetration testing.

Information gathering is known by several names – Reconnaissance, Intelligence assessment, surveillance etc. The better an attacker/analyst is in information gathering with regards to the target the better he/she can exploit it.

In cyber world there are multiple techniques for information gathering :

  1. Footprinting – profiling internet or intranet network
  2. Enumeration – Looking for weakness in known services.
  3. Scanning – Determine targets are alive or not – active or passive scan
  4. Social Engineering – The best active and passive technique – will be writing about this and my experience in relation to this in coming posts.
  5. Dumpster diving – going through the garbage and collecting information

Back in 80’s we did not have tools such as nmap, maltego, distros with inbuilt tools to make our life easier and also no complex network deployment and sense of security that we have now a days.

However, good side of this was, information gathering was still being done.  Mostly it was via passive information gathering. Sitting hours and hours using binoculars to spot the target and understand their movement – in military and they still uses it. Understanding the patterns and using your brains to identify weakness or what we now call vulnerabilities. Unfortunately, these days at-least in cyber world, we just run tools and wait for them to show results while you are playing games on your console.

in old days, analysts or attackers used websites and manually catalogue them like a telephone directory. Communications were mostly carried out on telephone network. Using PING and TRACEROUTE to understand network and manually creating network graph. It was challenging but worth it. Some attackers may do dumpster diving.

In past decade, sophistication of these tools for information gathering have definitely increased. Recently nmap announced a new version of itself. I always wonder that new tools does assist in sophisticated information gathering and attacks however, does a person need to be intelligent. Where is out of the box and intelligent thinking going these days ? Why an organisation’s offensive team is failing against those sophisticated tools ? Are the hackers now a days smarter ? or Sense/awareness of security in organisations is just on papers ?

A defender or an organisation should invest smartly in resources to make sure information gathering sweats the attackers. You know when your security controls are just an illusion when your corporate data is an easy search on google. This is likely the reason why hackers are always one step ahead due to organisation’s ignorance towards security but concentrating on selling/marketing their product. This is one of the reason organisations don’t invest on offensive/security team to make sure they are not only secured internally but also from external threats.

I have journeyed from offensive side to defensive and able to understand how an offender or hacker thinks or looks for the ways to get into a system. Beside following standards and deploying expensive hardwares, we must invest in brains that can actually carve the data into meaningful intelligent information and recommend/configure security controls to actually stop the attackers.

As information gathering is the first step in attacks on a target, we must make sure to harden our security controls and understand what information is publicly available and what risks it can pose when used by an attacker.

Advertisements

Installing/running TOR on linux distros

TOR – The onion routing – famous for anonymity. TOR browser gives user an edge to be anonymous while browsing.

Installing TOR on windows box is easy but in linux especially as  root user there are some issues. Following errors I faced to execute or open TOR browser :

1. The bundle cannot be run as a root user
2. The browser unexpectedly closed and requires reboot.

Steps to fix the issue – remember its not required to create a new user. Root can run the browser.

1. Open start-tor-browser in nano, leafpad, gedit etc and comment the function as below :
#if [ “`id -u`” -eq 0 ]; then
# complain “The Tor Browser Bundle should not be run as root. Exiting.”
# exit 1
#fi
2. Open terminal and change ownership of root:
chown -hR root tor-browser_en-US/

Open browser by ./start-tor-browser.desktop

Happy TORing…..

A interesting email – FROM field empty

Received a interesting email yesterday from Mr. Gordon Hills from London who wanted me to be partner and 5 Million dollars will be released to me. Sometimes does feel like someone should give me money 🙂

se emailheader

The email seems to be a template and this could be a broadcast on the internet. Interesting to see that sender email is hidden. The technique is not new but still is being used. There are lot of anonymous email services that cane b used to do the same. Looked through the header and was able to find the originating IP as 104.47.100.221 –  mail-ma1ind01hn0221.outbound.protection.outlook.com. The IP is blacklisted on multiple sites.
When we hit reply the email is suppose to go to masterkey728@gmail.com. From the header originating IP for the email is 116.203.77.238 which is again blacklisted in spamhaus.
The email has no attachments or URL. The attempt likely is to collect personal information for further follow-up campaign.

Associated IP :

104.47.100.221
116.203.77.238

Blacklisting :
http://www.ipvoid.com/scan/116.203.77.238/ – This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef as per spamhaus cbl.

http://www.ipvoid.com/scan/104.47.100.221/ – a known spamer – http://www.dnsbl.manitu.net/lookup.php?language=en&value=104.47.100.221

Comand line use to check IP reputation

Looking for reputation of an IP address is one of the most frequent task of an SOC analyst. There are number of online tools and script that does the task.

However, I always used command line to identify whether a IP address is blacklisted on any blacklist. The reason is number of online tools still show the IP as blacklisted but actual blacklisting parties such as spamhaus has already removed the IP from their blacklist.

Analyst can use either scripts or command line to get the results. nslookup, dig and host can be used to check the IP address against known blacklisting vendors.To check analyst need to know that the information that they are looking should be available by using certain DNS records.

If an analyst is using online tools than he/she can enter actual IP address such as 1.2.3.4. However, for the command line one has to reverse the IP address to be able to match to the blacklists.

samples :

nslookup 4.3.2.1.zen.spamhaus.org
host 4.3.2.1.zen.spamhaus.org
dig -x 4.3.2.1.zen.spamhaus.org

More blacklists to check :
zen.spamhaus.org
xbl.spamhaus.org
pbl.spamhaus.org
spam.abuse.ch
cbl.abuseat.org
virbl.dnsbl.bit.nl
dnsbl.inps.de
ix.dnsbl.manitu.net
dnsbl.sorbs.net
bl.spamcannibal.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
db.wpbl.info

site to check 1 IP against multiple blacklisting  : http://multirbl.valli.org/

Westpac Spam and an approach to STIX language

In my previous post regarding Westpac phishing mail, I mentioned associated domain and IP address.

Recently, I am diving into the threat intelligence and especially how to share information about my finding with the rest of the world beside the blog.

I ventured into understanding STIX – Structured Threat Intelligence Expression and below is my first attempt to write a small snippet.

<stix:Observables cybox_major_version=”1″ cybox_minor_version=”1″>
<cybox:Observable id = “mkioc1”>
<cybox:Object id = “IP address”>
<cybox:Properties xsi:type = “AddressObject:AddressObjectType” category = “ipv4-addr”>
<AddressObject:Address_Value>197.232.31.99</AddressObject:Address_value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>

I will be writing a bot more about STIX and importance of sharing threat intelligence in later posts.