Book Image

Reconnaissance for Ethical Hackers

By : Glen D. Singh
5 (1)
Book Image

Reconnaissance for Ethical Hackers

5 (1)
By: Glen D. Singh

Overview of this book

This book explores reconnaissance techniques – the first step in discovering security vulnerabilities and exposed network infrastructure. It aids ethical hackers in understanding adversaries’ methods of identifying and mapping attack surfaces, such as network entry points, which enables them to exploit the target and steal confidential information. Reconnaissance for Ethical Hackers helps you get a comprehensive understanding of how threat actors are able to successfully leverage the information collected during the reconnaissance phase to scan and enumerate the network, collect information, and pose various security threats. This book helps you stay one step ahead in knowing how adversaries use tactics, techniques, and procedures (TTPs) to successfully gain information about their targets, while you develop a solid foundation on information gathering strategies as a cybersecurity professional. The concluding chapters will assist you in developing the skills and techniques used by real adversaries to identify vulnerable points of entry into an organization and mitigate reconnaissance-based attacks. By the end of this book, you’ll have gained a solid understanding of reconnaissance, as well as learned how to secure yourself and your organization without causing significant disruption.
Table of Contents (15 chapters)
Part 1: Reconnaissance and Footprinting
Part 2: Scanning and Enumeration

What is ethical hacking?

The term hacking is commonly used to describe the techniques and activities that are performed by a person with malicious intentions, such as a hacker, to gain unauthorized access to a system or network. Since the early days of telephone systems, computers, and the internet, many people have developed a high level of interest in determining how various devices and technologies operate and work together. It’s quite fascinating that a person can use a traditional landline telephone to dial the telephone number of another person and establish a connection for a verbal conversation. Or even using a computer to send an email message to someone else, where the email message can be delivered to the intended recipient’s mailbox almost instantaneously compared to traditional postal operations.

Due to the curiosity of people around the world, the idea of disassembling a system to further understand its functions created the foundation of hacking. Early generations of hackers sought to understand how systems and devices work, and whether there was any flaw in the design that could be taken advantage of to alter the original function of the system. For instance, during the 1950s and 1960s in the United States, a security vulnerability was found in a telephone system that enabled users to manipulate/alter telephone signals to allow free long-distance calls. This technique was known as phreaking in the telecommunication industry. Specifically, a person could use whistles that operated at 2600 MHz to recreate signals that were used as the telephone routing signals, thus enabling free long-distance calling to anyone who exploited this flaw. However, telecommunication providers had implemented a solution known as Common Channel Interoffice Signaling (CCIS) that separated the signals from the voice channel. In this scenario, people discovered a security vulnerability in a system and exploited it to alter the operation of the system. However, the intention varied from one person to another, whether for fun, experimental, or even to gain free long-distance calling.

Important note

A vulnerability is commonly used to describe a security flaw or weakness in a system. An exploit is anything that can be used to take advantage of a security vulnerability. A threat is anything that has the potential to cause damage to a system. A threat actor or adversary is the person(s) who’s responsible for the cyber-attack or creating a threat.

A very common question that is usually asked is why someone would want to hack into another system or network. There are various motives behind each hacker, for instance, many hackers will break into systems for fun, to prove a point to others, to steal data from organizations, for financial gain by selling stolen data on the dark web, or even as a personal challenge. Whatever the reason is, hacking is illegal around the world as it involves using a computing system to cause harm or damage to another system.

While hacking seems all bad on mainstream media, it’s not all bad because cybersecurity professionals such as ethical hackers and penetration testers use similar techniques and tools to simulate real-world cyber-attacks on organizations’ networks with legal permission and intent to discover and resolve hidden security vulnerabilities before real cyber-attacks occur in the future. Ethical hackers are simply good people and are commonly referred to as white-hat hackers in the cybersecurity industry, who use their knowledge and skills to help organizations find and resolve their hidden security weaknesses and flaws prior to a real cyber-attack. Although threat actors and ethical hackers have similar skill sets, they have different moral compasses, with threat actors using their skills and abilities for malicious and illegal purposes and ethical hackers using their skills to help organizations defend themselves and safeguard their assets from malicious hackers.

The following are common types of threat actors and their motives:

  • Advanced Persistent Threat (APT) groups – The members of an APT group design their attacks to be very stealthy and undetectable by most threat detection systems on a targeted network or system. The intention is to compromise the targeted organization and remain on its network while exploiting additional systems and exfiltrating data.
  • Insider threats – This is an attacker who is inside the targeted organization’s network infrastructure. This can be a hacker who is employed within the company and is behind the organization’s security defense systems and has direct access to vulnerable machines. In addition, an insider threat can be a disgruntled employee who intends to cause harm to the network infrastructure of the company.
  • State actors – These are cybersecurity professionals who are employed by a nation’s government to focus on national security and perform reconnaissance on other nations around the world.
  • Hacktivists – These are persons who use their hacking skills to support a social or political agenda such as defacing websites and disrupting the availability of or access to web servers.
  • Script kiddie – This type of hacker is a novice and lacks the technical expertise in the industry but follows the tutorials or instructions of experts to perform cyber-attacks on targeted systems. However, since this person does not fully understand the technicalities behind the attack, they can cause more damage than a real hacker.
  • Criminal syndicates – This is an organized crime group that focuses on financial gain and each person has a specialized skill to improve the attack and increase the likelihood of success. Furthermore, this group is usually well funded to ensure they have access to the best tools that money can buy.
  • White hat – These are cybersecurity professionals such as ethical hackers, penetration testers, and red teamers who use their skills to help organizations prevent cyber-attacks and threats.
  • Gray hat – These are people who use their hacking skills for both good and bad. For instance, a gray hat threat actor could be a cybersecurity professional who uses their skills in their day job to help organizations and at night for malicious reasons.
  • Black hat – These are typical threat actors who use their skills for malicious reasons.

Ethical hackers, penetration testers, and red team operators always need to obtain legal permission from authorities before engaging in simulating any type of real-world cyber-attacks and threats on their customers’ systems and network infrastructure, while ensuring they remain within scope. For instance, the following agreements need to be signed between the cybersecurity service provider and the customer:

  • Non-Disclosure Agreement (NDA)
  • Statement of Work (SOW)
  • Master Service Agreement (MSA)
  • Permission of Attack

The NDA is commonly referred to as a confidentiality agreement, which specifies that the ethical hacker, penetration tester, or red teamer will not disclose, share, or hold on to any private, confidential, sensitive, or proprietary information that was discovered during the security assessment of the customer’s systems and network infrastructure.

However, the SOW documentation usually contains all the details about the type of security testing that will be performed by the ethical hacker/service provider for the customer and the scope of the security testing, such as the specific IP addresses and ranges. It’s extremely important that ethical hackers do not go beyond the scope of security testing for legal reasons. Furthermore, the SOW will contain the billing details, duration of the security testing, disclaimer and liability details, and deliverables to the customer.

The MSA is a general agreement that contains the payment details and terms, confidentiality and work standards of the provider, limitations and constraints, and delivery requirements. This type of agreement helps the cybersecurity service provider to reduce the time taken for any similar work that needs to be provided to either new or existing customers. In addition, the MSA document can be customized to fit the needs of each customer as they may require unique or specialized services.

Permission of attack is a very important agreement for ethical hackers, penetration testers, and red teamers as it contains the legal authorization that is needed to perform the security testing on the customer’s systems and network infrastructure. Consider this agreement, in the form of a document, as the get-out-of-jail card that is signed by the legal authorities, which indicates the granting of permission to the service provider and its employee(s) who are performing ethical hacking and penetration testing services on the customer’s systems and network.

Mindset and skills of ethical hackers

Threat actors are always seeking new and advanced techniques to compromise their target’s systems and networks for legal purposes. For instance, there are different types of hackers and groups around the world, and each of these has its own motive and rationale for their cyber-attacks:

  • Personal accomplishment/challenge, such as proving they have the skills and capabilities to break into an organization and its systems
  • Financial gain, such as stealing confidential data from organizations and selling it on various dark web marketplaces
  • Supporting a social or political agenda such as defacing and compromising websites that are associated with a social/political movement
  • Cyber warfare, such as compromising the Industrial Control Systems (ICS) that manage the critical infrastructure of a country

While there are many cybersecurity companies around the world who are developing and improving solutions to help organizations defend and safeguard their assets from cyber criminals, attacks, and threats, there’s also a huge demand for cybersecurity professionals in the industry. It’s already noticeable through mainstream media platforms that it’s only a matter of time before another organization is the target of threat actors. In an online article published by the World Economic Forum on January 21, 2015, What does the Internet of Everything mean for security?, the former executive chairman and CEO of Cisco Systems, John Chambers, said, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” Each day, this statement is becoming more evident, and more of a reality, as many companies are reporting data breaches, and some reports indicate attackers were living off the land for many days or even months before the security incident was detected and contained.

The need for ethical hacking skills and knowledge is ever growing around the world, as leadership teams within small to large enterprises are realizing their assets need to be protected and ethical hackers and penetration testers can help discover and remediate hidden security vulnerabilities, reduce the attack surface, and improve the cyber defenses of their company against cyber criminals and threats. Ethical hackers have the same skill set and expertise as malicious attackers such as threat actors, however, the difference is their intention. Ethical hackers have a good moral compass and choose to use their skills for good reasons, whereas threat actors use their skills and knowledge for bad reasons, such as causing harm and damage to systems for illegal purposes.

The following are common technical skills of ethical hackers in the cybersecurity industry:

  • Administrative-level skills with various operating systems such as Windows and Linux
  • Solid foundational knowledge of networking, such as routing and switching
  • Understanding the fundamentals of common security principles and best practices
  • Familiar with programming languages such as Go and Python, and scripting languages such as Bash and PowerShell
  • Familiarity with virtualization, containerization, and the cloud

While the preceding list of foundational skills seems a bit intimidating, always remember the field of cybersecurity and learning is like a marathon and not a sprint. It’s not how quickly you can learn something, but ensuring you’re taking the time you need to fully understand and master a topic.

The following are non-technical skills of ethical hackers:

  • Being proficient in oral and written communication between technical and non-technical persons
  • Being an out-of-the-box thinker
  • Being self-motivated and driven to learn about new topics and expand knowledge
  • Ensuring you understand the difference between using knowledge for good and bad intentions

Ethical hackers use the same techniques, tools, and procedures as real threat actors to meet their objectives and discover hidden security vulnerabilities in systems. There’s a proverb that says if you want to catch a thief, you need to think like one. This proverb applies to ethical hacking – if you want to find the security vulnerabilities that real hackers are able to discover and exploit, then you need to adapt your mindset while using the same techniques, tools, and procedures to help you do the same, with legal permission and good intentions.

The following diagram shows the EC-Council’s five stages of ethical hacking:

Figure 1.1 – Stages of hacking

Figure 1.1 – Stages of hacking

As shown in the preceding diagram, ethical hackers and threat actors start with reconnaissance on their target, then move on to scanning and enumeration, then onward to gaining access and establishing a foothold in the system by maintaining access, and then covering tracks to remove any evidence of an attack. Since this book is based on the concept of Reconnaissance for Ethical Hackers, we’ll focus on reconnaissance, scanning, and enumeration during the course of it.