Publicly available information serves as a launching pad for attackers initial efforts to research potential areas of exploitation.
While your organization may be exercising efforts to reduce vulnerabilities, many times attackers are looking for weaknesses in your defenses and personnel that when combined with other methodologies, can serve as an initial vector of entry or further exploit.
In this video, Nate Drier, SecureWorks Security Analysis Consultant, gives a demonstration of how an attacker would utilize port scans using Scans.io to conduct passive recon when profiling a target externally.
To learn more, watch the full webcast that features SecureWorks technical testers demonstrating and speaking about:
- Examples of real-world engagements
- Tactics and techniques commonly used to achieve their objectives
- Trends and weaknesses they are seeing in defenses
- Lessons learned
There's another really cool site to use for some anonymous recon against target environments and that is scans.io. What these guys do are full port scans or directed port scans of the entire internet or full internet. So you can see they do things like icmp echo requests against every public ip address and ipv4 space. Look for things like ssh, telnet, even some specific vulnerabilities such as heartbleed and some other ssl issues.
You can download the raw data and query that or there's a site, censys.io, which already has that data preloaded and you can do searches against it. So, for example that net range that Trenton found earlier for Dell, we can search. It will bring back basically a port scan for us. Or a limited port scan of all of the systems in this net block that belongs to Dell. You can see some of port 80 opened, 80443. This one has ssh. If we wanted to filter that down a little bit, we can say in this net block and protocols, just 22. So show me all the systems in this net block that just have 22 which is ssh open. Change that to 23/telnet. Same thing. Search, find those two hosts and the whole slash 16. If you want to do some password guessing, here is where you come and look for it. We can do even further; we can say show me everything in that netblock that has port 21, which is ftp open and is running Filezilla. And we can see there is one system here. It pulls the banner. Tells us what version of Filezilla, shows us a map of where they are located. It's pretty useful. You can do something similar. Show me all the systems that have port 80, which is http open, and is running, lets say Tomcat. It will pull the header and it knows its running Apache Tomcat. Another one that netblock and unauthorized. Meaning we need to have some type of credentials to access. Just like before, this would be a good place to start if we had credentials and wanted to find systems to see where they worked or where we could log in.