Publicly available information serves as a launching pad for attackers' initial efforts to research potential areas of exploitation.
While your organization may be working to reduce vulnerabilities, attackers are often looking for weaknesses in your defenses and personnel that, when combined with other techniques, can serve as an initial vector of entry or a path to further exploitation.
In this video, Nate Drier, Secureworks Managing Principal Consultant, demonstrates how an attacker would use the port-scan data published by Scans.io to conduct passive reconnaissance when profiling a target externally.
There's another really cool site to use for some anonymous recon against target environments, and that is scans.io. What these guys do are full port scans or directed port scans of the entire internet or full internet. So you can see they do things like ICMP echo requests against every public IP address in IPv4 space. Look for things like SSH, Telnet, even some specific vulnerabilities such as Heartbleed and some other SSL issues.
You can download the raw data and query that, or there's a site, censys.io, which already has that data preloaded and you can do searches against it. So, for example, that net range that Trenton found earlier for Dell, we can search. It will bring back basically a port scan for us, or a limited port scan of all of the systems in this net block that belongs to Dell. You can see some have port 80 open, 80443. This one has SSH. If we wanted to filter that down a little bit, we can say in this net block and protocols, just 22. So show me all the systems in this net block that just have 22, which is SSH, open. Change that to 23/Telnet. Same thing. Search, find those two hosts and the whole slash 16. If you want to do some password guessing, here is where you come and look for it. We can go even further; we can say show me everything in that netblock that has port 21, which is FTP, open and is running FileZilla. And we can see there is one system here. It pulls the banner, tells us what version of FileZilla, shows us a map of where they are located. It's pretty useful. You can do something similar: show me all the systems that have port 80, which is HTTP, open, and is running, let's say, Tomcat. It will pull the header and it knows it's running Apache Tomcat. Another one: that netblock and unauthorized, meaning we need to have some type of credentials to access. Just like before, this would be a good place to start if we had credentials and wanted to find systems to see where they worked or where we could log in.
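As an added example that is not part of the video and is not Secureworks' or Censys' code, the following Python script performs the same kind of netblock-plus-port-plus-banner filtering the speaker runs in the Censys search interface, but offline over scan records so a defender can review what an internet-wide scan exposes about their own address block. The record shape, the 203.0.113.0/24 block, and every IP and banner below are constructed for illustration; the only assumption is a flattened export with one row per (ip, port) carrying the service name and captured banner.

```python
"""Offline exposure review over internet-scan records (added example).

Mirrors the searches in the transcript: per-host port view of a netblock,
"port N open in this block", and "port N open with a banner matching X".
All records below are constructed sample data, not real scan output.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records shaped like a flattened scan export:
# one row per (ip, port) with the protocol name and the banner captured.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 80,  "protocol": "http",   "banner": "Server: Apache-Coyote/1.1"},
    {"ip": "203.0.113.10", "port": 443, "protocol": "https",  "banner": "Server: Apache-Coyote/1.1"},
    {"ip": "203.0.113.22", "port": 22,  "protocol": "ssh",    "banner": "SSH-2.0-OpenSSH_8.9"},
    {"ip": "203.0.113.23", "port": 23,  "protocol": "telnet", "banner": "login:"},
    {"ip": "203.0.113.40", "port": 21,  "protocol": "ftp",    "banner": "220-FileZilla Server 0.9.60"},
    {"ip": "203.0.113.41", "port": 21,  "protocol": "ftp",    "banner": "220 (vsFTPd 3.0.3)"},
    {"ip": "203.0.113.50", "port": 80,  "protocol": "http",   "banner": "Server: nginx/1.18.0"},
    {"ip": "198.51.100.5", "port": 23,  "protocol": "telnet", "banner": "login:"},  # outside the block
]


def in_netblock(record, cidr):
    """True when the record's IP falls inside the CIDR block."""
    return ipaddress.ip_address(record["ip"]) in ipaddress.ip_network(cidr, strict=False)


def find_exposed(records, cidr, port=None, banner_contains=None):
    """Records in `cidr`, optionally restricted to one port and to banners
    containing a substring (case-insensitive), e.g. port 21 + "filezilla"."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for r in records:
        if ipaddress.ip_address(r["ip"]) not in net:
            continue
        if port is not None and r["port"] != port:
            continue
        if banner_contains and banner_contains.lower() not in r["banner"].lower():
            continue
        hits.append(r)
    return hits


def port_map(records, cidr):
    """Per-host sorted open ports: the 'limited port scan' view of the block."""
    ports = defaultdict(set)
    for r in records:
        if in_netblock(r, cidr):
            ports[r["ip"]].add(r["port"])
    ordered = sorted(ports.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return {ip: sorted(p) for ip, p in ordered}


# Cleartext-credential services a defender would want to retire or fence off.
LEGACY_PORTS = {21: "ftp", 23: "telnet"}


def legacy_findings(records, cidr):
    """(ip, service, banner) for cleartext login services exposed in the block."""
    return [(r["ip"], LEGACY_PORTS[r["port"]], r["banner"])
            for r in find_exposed(records, cidr)
            if r["port"] in LEGACY_PORTS]


if __name__ == "__main__":
    block = "203.0.113.0/24"
    for ip, ports in port_map(SAMPLE_RECORDS, block).items():
        print(ip, ports)
    print("telnet:", [r["ip"] for r in find_exposed(SAMPLE_RECORDS, block, port=23)])
    print("filezilla ftp:", [r["ip"] for r in
                             find_exposed(SAMPLE_RECORDS, block, port=21, banner_contains="filezilla")])
    print("tomcat http:", [r["ip"] for r in
                           find_exposed(SAMPLE_RECORDS, block, port=80, banner_contains="coyote")])
    for finding in legacy_findings(SAMPLE_RECORDS, block):
        print("legacy service:", finding)
```

Run against an export of your own ranges, `legacy_findings` produces the list the speaker describes as the place to "come and look" for password guessing, which is exactly the list a defender should empty first; the banner match on `Apache-Coyote` is how Tomcat's default HTTP `Server` header identifies itself, so the same filter reproduces the "port 80 and running Tomcat" search.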
The old approaches to cybersecurity are no longer adequate. It’s time for something new. Layered defenses can create almost as many problems as they solve, and security teams struggle to keep up with the threat. What you need is context across all your layers of defense with the right people, processes, and technology working together in concert. That’s how Secureworks can help. Using 20+ years of industry knowledge, advanced analytics, industry-leading threat intelligence, and the network effect of more than 4,000 customer environments, we provide world-class cybersecurity solutions to customers around the globe. This unmatched experience empowers our customers to be Collectively Smarter. Exponentially Safer.™
Our Managed Detection and Response (MDR) solution is comprehensive, powered by our cloud-native software Red Cloak™ Threat Detection and Response that uses AI and machine learning to deliver better outcomes for your security operations. MDR unifies telemetry from your existing security technology to maximize visibility, reduce complexity, and enable you to move at the speed of the threat. Learn more about how Managed Detection and Response uses contextualized visibility to improve your organization’s security posture.