
You're reading from Certified Ethical Hacker (CEH) v12 312-50 Exam Guide

Product type: Book
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781801813099
Edition: 1st Edition
Author: Dale Meredith

Dale Meredith is an EC-Council Certified Ethical Hacker/Instructor and a Microsoft Certified Trainer. Dale has over 10 years of senior IT management experience and was a CTO for an ISP. Dale's skill as an IT trainer lies in clarifying complicated concepts and ensuring students understand the theories. Dale's teaching style is memorable and entertaining. His expertise has led to many opportunities, including teaching teams in Fortune 500 firms, universities globally, the Department of Homeland Security, and many US military branches. Along with authoring video courses, consulting, and classroom training, you can catch Dale on stage speaking at IT conferences around the world, helping teams keep their companies safe, relevant, and breach-aware.

Chapter 3: Reconnaissance – A Deeper Dive

Did you know that most organizations give away intel for free! I know, right?! During the reconnaissance stage, it's important to know that, by virtue of the internet being the internet, there's so much data freely available online that it makes the job of an attacker extremely easy. This type of intel is often referred to as open source intelligence or, if you want to sound like the cool kids, OSINT.

In this chapter, we'll cover the following topics:

  • Investigating the target's website
  • The Wayback Machine
  • What organizations give away for free
  • Employees – the weakest link
  • Reconnaissance countermeasures

Investigating the target's website

Let's look at how to conduct reconnaissance on a target's website and how we can make use of other research sites. When you're doing reconnaissance, the target website is often where you'll land after a quick online search. That's where you'll learn the business's exact functions, location, contact information, clients, who the leadership team is, and sometimes, way more than that. You'll want to pay close attention to everything on the website.

Figure 3.1 – Investigating a website

In Figure 3.1, we can see a couple of pieces of information on this main page. First, on the left side, they've provided information on how to set up Microsoft Outlook with their particular email product. I already clicked through and saw how to set up via Microsoft Exchange 2003, where they also gave me the Simple Mail Transfer Protocol (SMTP) servers they utilize. Later, I'll describe...

The Wayback Machine

At this point, the internet has been around for quite some time, and there are a number of retired web pages and websites. The Wayback Machine (https://archive.org/web/web.php) allows us to view previous versions of websites that may not even exist anymore. Think of it as the archive of the internet. Once we find the older version of our target site, we can scan for historical data that people didn't mean to expose. Now, before I got my start in security, I had no idea this tool was out there, but it's really interesting to use for fun as well (you know, like showing your kids what Amazon used to look like):

Figure 3.18 – The Wayback Machine home page

You can see here that they have saved over 456 billion web pages. The Wayback Machine goes through websites and detects any changes – if it detects a change, it makes a note and caches that information. As an example, I'll use my old company's website...

What organizations give away for free

When I was about 25 years old, there was a radio station, The Q, in the city where I lived that was holding a big contest that included giving away a big prize package. They would hide this big wooden Q every day, which was about a foot by a foot in depth and in height (30 x 30 cm) and about 2 inches (5 cm) thick, and give out clues for where to find it. If you found the Q, you won a prize package that could include a couple of four-wheelers, a trip to Hawaii, TVs, tons of stuff.

I was tracking the clues that they gave out each day, and I thought I knew where it was, so I looked around for hours in this huge park. After about three or four hours, I gave up. It turned out that I was about 25 feet (8 meters) away from it when I gave up. I still regret that today. It's the same thing with reconnaissance: you've got to look everywhere, even when the massive amount of information that becomes available to you makes it tempting to stop early.

The more you...

Reconnaissance countermeasures

One of my favorite movies is The Hunt for Red October. When the torpedoes are coming in, Sean Connery yells, "Release the countermeasures!" And this is exactly what we need to do here. We need to understand the countermeasures for reconnaissance and what we need to be looking for when performing penetration tests (pen tests). You might know GI Joe's famous quote, "Knowing is half the battle." This also applies to us. Knowing what you are exposing and knowing what the attacker is capable of is half the battle.

In this section, I'll show you how to put your shields up and implement those countermeasures, as well as some best practices for reconnaissance. I'll also show you how to set up for a pen test and the actual workflow of what you should be tracking when doing reconnaissance.

Countermeasures

So, how do you defend yourself against the kind of reconnaissance techniques we reviewed earlier?

The first thing...

Summary

Our quest led us to investigate how attackers gather information from their target's website to know the target's exact business functions, important contact information, clients and partners, the management team, and so on. We learned how to use WHOIS, the command-line interface, ping and DNS, and SOA to gather information. We learned about more tools that help with reconnaissance and footprinting, such as Sam Spade, Netcraft, and the Wayback Machine.

We saw how the information organizations give away for free can reveal a ton of vulnerabilities. So do job sites, marketing materials, customer support, social networking profiles, and financial and competitive analysis data.

We also discussed employees as the weakest link. Their hobbies, the things they share or post online, the places they go to after work, what they buy, and more all give attackers the clues they need. We then discussed how attackers use these clues to join the groups their targets frequent...

Questions

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

  1. Which information may be gathered using nslookup?
    1. A DNS server location
    2. Hostnames and IP addresses
    3. WHOIS intel
    4. A nameserver and operating systems
  2. Which of the following is the most accurate description of footprinting?
    1. Investigating a target
    2. Enumeration of services
    3. Discovery of services
    4. Dialogue with people
  3. Which record will disclose details about a domain's mail server?
    1. Q
    2. MS
    3. MX
    4. A
  4. What alternative options do you have if you can't collect enough information from a target directly?
    1. Social engineering
    2. EDGAR
    3. Competitive analysis
    4. Scanning