Welcome to the first session of the MITRE ATT&CK training series

To access the video of this session, use the link below:

The primary source for this course is the MITRE ATT&CK site.

For the details of the individual tactics and techniques:

https://attack.mitre.org/tactics/TA0043/

Information gathering, recon, OSINT: these are names you have surely heard many times in network security courses. Every TA (threat actor) begins by gathering information about its victims. That gathering is either Active, meaning the attacker interacts with the target directly, scanning it and obtaining information straight from the organization's site or its people, or Passive, meaning the attacker uses public databases, OSINT services, or online scan repositories to collect information about the target without touching it.

Information gathering is the most important and fundamental phase of an intrusion, because it is where the hacker identifies weak points and prepares the phishing scenario that will yield initial access.

The adversary is trying to gather information they can use to plan future operations.

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.

 

Information gathering means inventorying all of the client's assets, physical and virtual alike; at this stage we must list them. We use OSINT for this. Information gathering is divided into two categories: Passive and Active.

Passive means you send no request directly to the client's servers, so none of your testing servers can be identified.

Active means you send scan or crawl requests directly to the client's assets, so precautions such as using a VPN or Tor must be taken. During a red team project the servers (meaning the VPS, IP addresses and DNS) must not be identified, because the whole project fails right at the start; to handle such points you should study OPSEC.

The tools I recommend are listed below. (You may use other tools yourself; make sure the output does not shrink, though that matters less, and, more importantly, that the output contains no False Positives.)

Passive OSINT

    Network Architecture

    Technology Solutions

    People and Culture

    Security Procedures

    Adversary TTP

Places to find information and targets

    LinkedIn

    Facebook

    Twitter

    Department heads [HR, C-level officers, etc.]

Target information

    Software

    Vendor

    Appliance information

    Credentials from previous/unknown data breaches

Active Recon

    Company Websites

    Network Block

    DNS Information

    Domain Names

    Subdomain

    Mail Infra info

        SPF

        DKIM

        DMARC Records

        PTR

One of the most basic ways to gather information about targets is to scan their assets. Because the scan originates from the pentest or red team infrastructure, there is a chance of being detected, but in practice every organization is scanned thousands of times a day! The scan may cover web systems, the network infrastructure and IP addresses, vulnerability scanning of assets (web, operating system, services), and the Web Enumeration or Crawling phase used to identify content management systems or to find a specific vulnerability.

Active Scanning T1595 [Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.]

    Scanning IP Blocks [Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.]

    Vulnerability Scanning [Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.]

    Wordlist Scanning [Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force, its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: Gather Victim Org Information, or Search Victim-Owned Websites).]
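The paragraph above notes that active scanning can be spotted on the defender's side. The following Python script is an added example, not code from the original page or from MITRE; it shows what that detection looks like over web server access logs. It parses Apache/nginx combined-format lines and flags source IPs that either send a self-identifying scanner User-Agent or produce a burst of requests dominated by 404 responses, the footprint of Wordlist Scanning. The log lines are constructed for illustration, and the thresholds (window_seconds, min_requests, min_404_ratio) are assumed defaults to tune per site.

```python
"""Detect active web scanning (ATT&CK T1595) in web server access logs.

Added example: not code from the original page or from MITRE. Reads lines
in the Apache/nginx "combined" log format and flags source IPs that behave
like a scanner. The log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-Agent fragments that common scanners send unless an evasion option is set.
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "nmap", "masscan", "wpscan", "gobuster", "dirbuster")

NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"


def _line(ip, ts, path, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: a normal visitor, a Nikto scan, and a wordlist scan
# that hides behind a generic User-Agent.
SAMPLE_LOG = [
    _line("203.0.113.7", "10/May/2024:09:00:01", "/", 200, BROWSER_UA),
    _line("203.0.113.7", "10/May/2024:09:00:03", "/about", 200, BROWSER_UA),
] + [
    _line("198.51.100.23", f"10/May/2024:09:05:0{i // 3}", path, status, NIKTO_UA)
    for i, (path, status) in enumerate([
        ("/", 200), ("/admin/", 404), ("/phpmyadmin/", 404), ("/cgi-bin/", 404),
        ("/backup/", 404), ("/.git/HEAD", 404), ("/wp-login.php", 404),
        ("/robots.txt", 200), ("/config.php", 404), ("/test/", 404),
    ])
] + [
    _line("192.0.2.9", f"10/May/2024:09:10:0{i // 2}", path, status, "python-requests/2.31")
    for i, (path, status) in enumerate([
        ("/", 200), ("/old/", 404), ("/dev/", 404), ("/staging/", 404), ("/api/v0/", 404),
        ("/.env", 404), ("/db.sql", 404), ("/login.bak", 404), ("/index.html", 200),
    ])
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_scanners(lines, window_seconds=60, min_requests=8, min_404_ratio=0.5):
    """Return {ip: [reasons]} for every source IP that looks like a scanner.
    The thresholds are assumed defaults; tune them to the site's normal traffic."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        # 1. Self-identifying scanner User-Agent (Nikto's default UA names itself).
        hits = sorted({m for r in recs for m in SCANNER_UA_MARKERS if m in r["ua"].lower()})
        if hits:
            reasons.append(f"scanner User-Agent ({', '.join(hits)})")
        # 2. Burst of requests dominated by 404s inside a sliding time window:
        #    the footprint of directory/wordlist scanning, whatever the UA says.
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            span = recs[start:end + 1]
            if len(span) >= min_requests:
                not_found = sum(1 for r in span if r["status"] == 404)
                if not_found / len(span) >= min_404_ratio:
                    reasons.append(f"{len(span)} requests, {not_found} x 404 within "
                                   f"{window_seconds}s (wordlist scanning)")
                    break
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The User-Agent check only catches scanners that announce themselves; the 404-burst check is the one that matters, because it keys on behaviour rather than on a string the operator can change. Feed it real lines with `detect_scanners(open("access.log").read().splitlines())`.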

While gathering information about a target, the hacker lists and evaluates all of the organization's assets, whether the asset is a piece of hardware, a web portal, or the employees themselves, collecting their social network profiles and building the pretexting material from them. Sometimes the organization advertises open positions on social networks or in job postings, and the posting even states the version of the equipment in use or the type of security products! Sometimes metadata extracted from images that were never sanitized reveals the organization's software, document authors, and software versions, which TAs also use for pretexting.
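The paragraph above points out that metadata left in published images leaks software names, versions and author names. The following Python script is an added example, not code from the original page: it walks the JPEG segment structure, reports which metadata-carrying segments (EXIF, XMP, COM) a file contains, and returns a copy with all APP1-APP15 and COM segments removed, so an organization can sanitize images before publishing them. The sample file it builds is constructed (a JFIF header, fake EXIF/XMP/comment payloads, a fake frame header and scan), not a real photo; names such as ExampleCam and WS-042 are made up.

```python
"""List and strip metadata segments (EXIF, XMP, comments) from a JPEG.

Added example: not code from the original page. Uses only the standard
library. The JPEG built by build_sample_jpeg() is constructed for
illustration and is not a real photograph.
"""
import struct

SOI, EOI, SOS, APP0, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xFE
XMP_PREFIX = b"http://ns.adobe.com/xap/1.0/\x00"


def _segment(marker, payload):
    """Build one JPEG segment: FF marker, 2-byte length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def iter_segments(data):
    """Yield (marker, payload) for each segment up to and including SOS; the
    entropy-coded scan data that follows (through EOI) is yielded last as
    ("scan", bytes). Baseline layout only: RSTn markers live inside the
    scan data, which is copied through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length
        if marker == SOS:
            yield "scan", data[pos:]
            return


def metadata_segments(data):
    """Report which metadata-carrying segments a JPEG contains, in file order."""
    found = []
    for marker, payload in iter_segments(data):
        if marker == "scan":
            break
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            found.append("EXIF")
        elif marker == APP1 and payload.startswith(XMP_PREFIX):
            found.append("XMP")
        elif marker == COM:
            found.append("COM")
        elif APP1 <= marker <= 0xEF:
            found.append(f"APP{marker - APP0}")
    return found


def strip_metadata(data):
    """Return a copy of the JPEG without APP1-APP15 and COM segments.
    APP0 (JFIF), tables, frame header and scan data are kept byte for byte."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker == "scan":
            out += payload
            break
        if marker == COM or APP1 <= marker <= 0xEF:
            continue  # drop EXIF, XMP, ICC, Adobe and comment segments
        out += _segment(marker, payload)
    return bytes(out)


def build_sample_jpeg():
    """Constructed minimal JPEG: JFIF header, EXIF with a fake software/author
    string, an XMP packet naming a fake editor, a comment naming a fake
    workstation, then a fake SOF0 frame header, SOS and scan data."""
    jfif = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = _segment(APP1, b"Exif\x00\x00II*\x00" + b"ExampleCam 1.0 by Alice\x00")
    xmp = _segment(APP1, XMP_PREFIX + b"<x:xmpmeta>CreatorTool=ExampleEditor 3.2</x:xmpmeta>")
    comment = _segment(COM, b"edited on workstation WS-042")
    frame = _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\x56" + b"\xff\xd9"
    return b"\xff\xd8" + jfif + exif + xmp + comment + frame + sos + scan


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", metadata_segments(sample))
    clean = strip_metadata(sample)
    print("after: ", metadata_segments(clean), f"({len(sample)} -> {len(clean)} bytes)")
```

Dropping APP2 (ICC profile) and APP14 (Adobe) along with the rest can change how colours are interpreted, so for photographs with embedded colour profiles a publishing pipeline usually re-encodes the image instead; for the leakage the page describes (software, author and host names) the EXIF, XMP and COM segments are the ones that matter.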

An organization's employees count among its assets, and their corporate email addresses are always welcome to TAs: if an address appears in the dump of a site that was breached and leaked, the leaked password can be reused in the attack. Phishing scenarios for gathering information about the organization are another of the most used methods, carried out sometimes by phishing mail, sometimes by calling the organization, and sometimes by chatting on social networks such as LinkedIn.

Gather Victim Host Information  T1592 [Adversaries may gather information about the victim’s hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).]

    Hardware [Adversaries may gather information about the victim’s host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).]

    Software [Adversaries may gather information about the victim’s host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).]

    Firmware [Adversaries may gather information about the victim’s host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).]

    Client Configurations [Adversaries may gather information about the victim’s client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.]

Gather Victim Identity Information  T1589 [Adversaries may gather information about the victim’s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.]

            Credentials [Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.]

    Email Addresses [Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.]

    Employee Names [Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.]

The organization's domains and all of their DNS records, used to discover the services through which an intruder can enter the organization, are another of the TAs' techniques. Any DNS misconfiguration, such as the records related to the mail server
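The Active Recon list above names SPF, DKIM, DMARC and PTR under mail infrastructure, and the paragraph above points at mail-server DNS misconfiguration. The following Python script is an added example, not code from the original page: it audits SPF and DMARC TXT records that the defender has already retrieved (for instance with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`) and flags the settings that let a phishing pretext spoof the domain. The two domains and their records are constructed samples; the thresholds follow RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Audit SPF and DMARC records for settings that make a domain easy to spoof.

Added example: not code from the original page. Records are passed in as
strings (the TXT values a defender already looked up), so no network access
is needed. The two domains below and their records are constructed samples.
"""
import re

SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strict.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strict.example",
    },
}

# Terms that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def audit_spf(record):
    """Return a list of findings for one SPF TXT record (None = no record)."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host can claim to send as this domain"]
    findings = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all", "?all"):
        findings.append(f"SPF ends with '{all_term}': unlisted senders pass or are neutral")
    elif all_term.startswith("~"):
        findings.append("SPF ends with '~all' (softfail): forged mail is accepted, only marked")
    lookups = sum(1 for t in terms if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups, over the RFC 7208 limit of 10 (permerror)")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("SPF uses the 'ptr' mechanism, which RFC 7208 says not to use")
    return findings


def audit_dmarc(record):
    """Return a list of findings for one DMARC TXT record (None = no record)."""
    if record is None or not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy p='{policy}' is missing or invalid")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC sp=none: subdomains are exempt from the policy")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"DMARC pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: spoofing attempts are never reported")
    return findings


def audit_domain(records):
    """Combine SPF and DMARC findings for one domain's {'spf': ..., 'dmarc': ...} dict."""
    return audit_spf(records.get("spf")) + audit_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        findings = audit_domain(recs)
        print(f"{domain}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

A domain that ends its SPF with `?all` or `+all` and publishes `p=none` gives a receiving mail server no reason to reject a forged message, which is exactly what a spearphishing pretext needs; `-all` with `p=reject` and a `rua=` address closes that gap and tells you when someone tries.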

Gather Victim Network Information  T1590 [Adversaries may gather information about the victim’s networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.]

            Domain Properties [Adversaries may gather information about the victim’s network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.]

    DNS [Adversaries may gather information about the victim’s DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.]

    Network Trust Dependencies [Adversaries may gather information about the victim’s network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.]

    Network Topology [Adversaries may gather information about the victim’s network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.]

    IP Addresses [Adversaries may gather the victim’s IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.]

    Network Security Appliances [Adversaries may gather information about the victim’s network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.]

TAs use every OSINT technique to obtain the initial information so that the scenario, or pretext, they design for the social engineering attack is highly convincing to the victim. This information is mostly extracted from the social networks of employees and managers: their preferences, addresses, assets, and so on.

Gather Victim Org Information  T1591 [Adversaries may gather information about the victim’s organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.]

    Determine Physical Locations [Adversaries may gather the victim’s physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.]

    Business Relationships [Adversaries may gather information about the victim’s business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.]

    Identify Business Tempo [Adversaries may gather information about the victim’s business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.]

    Identify Roles [Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.]

Phishing for Information    T1598 [Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.]

    Spearphishing Service [Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.]

    Spearphishing Attachment [Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.]

    Spearphishing Link [Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.]

Search Closed Sources  T1597 [Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.]

    Threat Intel Vendors [Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.]

    Purchase Technical Data [Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.]

Search Open Technical Databases T1596 [Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.]

    DNS/Passive DNS [Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.]

    WHOIS [Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.]

    Digital Certificates [Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.]

    CDNs [Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.]

    Scan Databases [Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.]

Search Open Websites/Domains T1593 [Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.]

    Social Media [Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.]

    Search Engines [Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index content and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).]

    Code Repositories [Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.]

Search Victim-Owned Websites T1594 [Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.]

OSINT, Information Gathering

The tools we are going to review are also used in penetration testing; most of them are general OSINT tools, the exception being a tool like setoolkit, which is used for phishing in order to collect information from the victim.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

OWASP Amass

=>Search Open Technical Databases T1596

    DNS/Passive DNS

    WHOIS

    Digital Certificates

How to install?

apt install amass

amass enum -d facebook.com -src -ip -dir facebook

amass enum -d nsa.gov -src -ip -norecursive

amass enum -d facebook.com -src -ip -brute -dir facebook

amass intel -asn 16509

amass intel -whois -d facebook.com -dir facebook

amass db -dir facebook -list

amass db -dir facebook -enum 1 -show

amass viz -dir facebook -d3

 

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Sn1per (active and passive recon)

Active Scanning T1595

    Scanning IP Blocks

    Vulnerability Scanning

    Wordlist Scanning

Gather Victim Host Information  T1592

    Hardware

    Software

    Firmware

    Client Configurations

Gather Victim Network Information  T1590

            Domain Properties

    DNS

    Network Trust Dependencies

    Network Topology

    IP Addresses

    Network Security Appliances

Search Open Technical Databases T1596

    DNS/Passive DNS

    WHOIS

    Digital Certificates

Search Open Websites/Domains T1593

    Social Media

    Search Engines

    Code Repositories

Gather Victim Identity Information  T1589

            Credentials

    Email Addresses

    Employee Names

git clone https://github.com/1N3/Sn1per

cd Sn1per

bash install.sh

sniper -t facebook.com

sniper -t facebook.com -m stealth -o -re

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

theHarvester

Gather Victim Network Information  T1590

            Domain Properties

    DNS

    Network Trust Dependencies

    Network Topology

    IP Addresses

    Network Security Appliances

Gather Victim Identity Information  T1589

            Credentials

    Email Addresses

    Employee Names

git clone https://github.com/laramies/theHarvester

theHarvester -d facebook.com -l 500 -b google,bing,yahoo,duckduckgo

theHarvester -d facebook.com -l 500 -b google,bing,yahoo,duckduckgo -n

theHarvester -d facebook.com -l 500 -b linkedin

theHarvester -d facebook.com -l 500 -b all

 

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Recon-ng

Gather Victim Network Information  T1590

            Domain Properties

    DNS

    Network Trust Dependencies

    Network Topology

    IP Addresses

    Network Security Appliances

Gather Victim Identity Information  T1589

            Credentials

    Email Addresses

    Employee Names

git clone https://github.com/lanmaster53/recon-ng

Framework

recon-ng

marketplace refresh

marketplace install all

marketplace search

modules load <module-name>

db insert <table>

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Maltego CE

Gather Victim Host Information T1592

    Hardware

    Software

    Firmware

    Client Configurations

Gather Victim Identity Information T1589

            Credentials

    Email Addresses

    Employee Names

Gather Victim Network Information T1590

            Domain Properties

    DNS

    Network Trust Dependencies

    Network Topology

    IP Addresses

    Network Security Appliances

Gather Victim Org Information T1591

    Determine Physical Locations

    Business Relationships

    Identify Business Tempo

    Identify Roles

Maltego CE: register with an email address, then install the free modules.

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Social Engineering Toolkit (SET)

Phishing for Information    T1598

    Spearphishing Service

    Spearphishing Attachment

    Spearphishing Link

Social Engineering Attacks

Spearphishing attacks [high-profile target with a legitimate scenario]

Website attacks [credential harvesting attacks]

Infectious media attacks

Wireless AP attacks

PowerShell attacks

 

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Nikto

Active Scanning T1595

    Scanning IP Blocks

    Vulnerability Scanning

    Wordlist Scanning

nikto -h x.x.x.x

nikto -host https://fb.com

nikto -host target.txt

nikto -host https://fb.com -Save .

nikto -host https://fb.com -Format htm -output nikto.html

 

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Shodan

Gather Victim Network Information  T1590

            Domain Properties

    DNS

    Network Trust Dependencies

    Network Topology

    IP Addresses

    Network Security Appliances

Gather Victim Host Information  T1592

    Hardware

    Software

    Firmware

    Client Configurations

Search Open Technical Databases T1596

    DNS/Passive DNS

    WHOIS

    Digital Certificates

    CDNs

    Scan Databases

Shodan CLI

shodan init <API-KEY>

shodan count nginx

shodan host x.x.x.x

shodan search iis

shodan search --fields "ip_str,domains,org" --limit 10 iis

shodan honeyscore x.x.x.x

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Spiderfoot

Gather Victim Identity Information  T1589

            Credentials

    Email Addresses

    Employee Names

Search Open Websites/Domains T1593

    Social Media

    Search Engines

    Code Repositories

Search Open Technical Databases T1596

    DNS/Passive DNS

    WHOIS

    Digital Certificates

    CDNs

    Scan Databases

spiderfoot -l x.x.x.x:1100

spiderfoot -m sfp_dnsraw -s example.com -q -r

spiderfoot -m sfp_accounts -s "billg" -q -r

spiderfoot -M | less

spiderfoot -m sfp_ripe,sfp_shodan -s "x.x.x.x" -q -r

spiderfoot-cli -s http://127.0.0.1:1100

=> scans

data xxxxx -t USERNAME

summary xxxxx

start "time.ir" -u all