So in this section we are going to be talking about information gathering, and all the information gathering we're going to do in this section is going to be passive. So I'm calling this passive recon, or passive reconnaissance. I wanted to give a brief overview of what we're going to be covering and talk about some high-level topics before we get into the weeds and really dive into our target.

So let's talk about the different types of passive recon. On the physical or social side (physical meaning actually going on site and maybe doing a physical engagement, or the social engineering aspect of maybe doing a phishing assessment, or even, including in a physical engagement, a vishing assessment), just gathering this information from the physical and social aspect is incredibly useful.

So we have location information. We might utilize something like satellite images, or often we'll go on site and do drone reconnaissance, where we fly a drone around and try to gain information. And what we're really after with these images, with this drone recon, is we're trying to find out: hey, what does the building layout look like? Are there badge readers? Are there break areas? Does security exist? Do they have somebody posted out front? Can you just walk right in the door? What does their fencing look like? Are there areas where they're just leaving the doors propped open?
Where do people go out and smoke in these break areas? Because those are a good place to just walk up to somebody, light up a cigarette even if you don't smoke, start a conversation, and then tailgate right in with them into the building.

Now the other aspect of this is the job information. So we might be looking for employees online. I might want to know somebody's name, job title, phone number, who their manager is. I try to get a good idea of what people look like, so if I see them on site I have a good idea who they are. I also look for pictures. I cannot tell you how many times a badge photo is posted on LinkedIn, or somebody posted it on Twitter; you can see all the memes out there about people posting their photos at work. And it's bad. It happens all the time. I see it to this day.

So we're looking for badge photos. I'm looking for desk photos, computer photos. I had a situation once where somebody took a picture of her watching a game at work. She was watching a basketball game at work, and the basketball game was on her computer, and on her screen there it showed all the different tools that they utilized at work. She had a work application open in this photo. There was a desk in the background; you could see different things. And it just gives us information, and that's what we're after.
What kind of information can we gather? Now, this course is not a course on physical or social, so I kind of wanted to give a high level of what to expect. We won't really be doing a whole lot of this type of information gathering in this course, but these are the things that you should be looking for. So if you are tasked with a physical assessment, do go out there and look for satellite images, try to get a good feel of the building layout, and also try to get a feel for who the employees are, who maybe the IT manager is, in case you're going to say, you know, "I work for IT." They may ask you who your manager is; you might need to know those names. And of course look for pictures. You can find a good badge photo and what that looks like. You can make a fake badge, go on site, and you'll be way more passable with that badge, but sometimes they don't even look; it can be drawn in crayon.

So from there, let's go ahead and talk about what we will be doing a lot of, which is the web and hosts. So when you get a web or a host assessment, the first thing you really should do is what is called target validation. So we're going to be targeting something on Bugcrowd. We're not really going to focus on this, but what we're going to do in the real world is we would validate the target.
Now there are situations where a client will give you an IP address or a website and they might fudge it, right? They might accidentally fat-finger it, put the wrong number or the wrong letter in the website, and then guess what? You're off attacking somebody else's website. And there, if you are a podcast listener, there's a good Darknet Diaries episode on this. If you don't know Darknet Diaries, go check it out. There's a great episode with a guy named Rob Fuller, a.k.a. mubix, and he talks about getting the wrong IP address on an assessment and attacking the wrong people and actually gaining access to that machine, which is a really, really big screw-up on both parts, right? So you should always validate your targets.

On top of this, we're doing our web and our hosts. On the web side, we're going to look for subdomains, and we'll talk more about that as we get into it. But we can do that with Nmap, Sublist3r, or there's so many different tools that we can use, and we'll cover some of the tools and how to do it. We'll get a little deep into that as well, especially as we get into the web side of things. There's fingerprinting: we need to know what's running on a website or what's running on a host. What kind of services are out there? Are they running a web server? What's that web server?
Is it IIS? Is it Apache? What version is it, right? Are they running... what ports are open on their machines? Oh, they have FTP open; what version of FTP is open? So we need to fingerprint machines and kind of understand what's there. On the passive side, we're not touching any machine, right? So we're not gonna be doing much scanning against the host. We just have to utilize what kind of information might already be out there. So if we go out to a website, it's on the border of active, but as long as we're not scanning it, in my book it's still passive. So we'll do... we will cover some of the passive-slash-active side in this section, and then when we get into scanning we'll get way more active with it.

Lastly, we're gonna hit heavy, especially in the beginning, on data breaches. Data breaches are the most common way, when we're doing an external assessment, that we get into networks, absolutely, by far. When we talk about data breaches, we're talking about breach incidents from the past that have leaked data. Again, these are like Home Depot, Equifax, LinkedIn, all kinds of breaches that are out there that have had credentials dumped, and then those credentials become available to us eventually. And we try to utilize those to gain access, or at least utilize the usernames to gain access.
Nowadays, most of the time there's not going to be an easy "just scan, find something vulnerable, and exploit it" on the external side of the house. So we're looking for these data breaches and this information that we can gather, and this is why information gathering, and then enumeration and scanning, are the most important by far. The better scanning and enumeration that you can do, and the better information gathering you can do, the better hacker you're going to be and the better you're going to be at your job. So take these first two sections really seriously.

So we're going to start in with identifying what our target's going to be for this part of the section, and then we're going to go ahead and start talking about data breaches and why they're important and go deeper into that. And then we'll go over some of these tools that you see here on this list and really dive into those. So I look forward to seeing you in the next video, when we identify our target and get some information gathering started.