1
00:00:00,060 --> 00:00:06,090
So in this section we are going to be talking about information gathering, and all information gathering
2
00:00:06,090 --> 00:00:08,990
we're going to do in this section is going to be passive.
3
00:00:09,000 --> 00:00:12,860
So I'm calling this passive recon or passive reconnaissance.
4
00:00:12,870 --> 00:00:18,660
I wanted to give a brief overview of what we're going to be covering and talk about some high level
5
00:00:18,660 --> 00:00:23,190
topics before we get into the weeds and really dive into our target.
6
00:00:24,030 --> 00:00:32,190
So let's talk about the different types of passive recon. So on the physical or social side, physical
7
00:00:32,190 --> 00:00:38,880
meaning actually going on site and maybe doing a physical engagement, or the social engineering aspect
8
00:00:38,880 --> 00:00:45,450
of maybe doing a phishing assessment, or even including in a physical engagement, or a vishing assessment,
9
00:00:45,730 --> 00:00:51,130
just gathering this information from the physical/social aspect is incredibly useful.
10
00:00:51,150 --> 00:00:59,040
So we have location information, so we might utilize something like satellite images, or often we'll go
11
00:00:59,040 --> 00:01:04,470
on site and do drone reconnaissance where we fly a drone around and try to gain information.
12
00:01:04,470 --> 00:01:09,920
And what we're really after with these images or this drone recon is we're trying to find out, hey, what
13
00:01:09,920 --> 00:01:12,040
does the building layout look like?
14
00:01:12,150 --> 00:01:15,670
Are there badge readers? Are there break areas?
15
00:01:15,690 --> 00:01:17,310
Does security exist?
16
00:01:17,310 --> 00:01:19,590
Do they have somebody posted out front?
17
00:01:19,590 --> 00:01:21,410
Can you just walk right in the door?
18
00:01:21,420 --> 00:01:23,850
What does their fencing look like?
19
00:01:23,850 --> 00:01:28,080
Are there areas where they're just leaving the doors propped open?
20
00:01:28,080 --> 00:01:30,290
Where do people go out and smoke in these break areas?
21
00:01:30,300 --> 00:01:35,670
Because those are a good place to just walk up to somebody, light up a cigarette even if you don't smoke,
22
00:01:35,760 --> 00:01:40,650
and start a conversation, and then tailgate right in with them into the building.
23
00:01:40,650 --> 00:01:48,960
Now the other aspect of this is the job information. So we might be looking for employees online. I might
24
00:01:48,960 --> 00:01:55,440
want to know somebody's name, job title, phone number, who their manager is. I try to get a good idea
25
00:01:55,440 --> 00:01:56,700
of what people look like.
26
00:01:56,700 --> 00:02:00,330
So if I see them on site, I have a good idea who they are.
27
00:02:00,330 --> 00:02:06,840
I also look for pictures. I cannot tell you how many times a badge photo is posted on LinkedIn or
28
00:02:06,840 --> 00:02:12,630
somebody posted on Twitter. You can see all the memes out there about people posting their photos
29
00:02:12,690 --> 00:02:13,560
at work.
30
00:02:13,710 --> 00:02:14,480
And it's bad.
31
00:02:14,490 --> 00:02:15,780
It happens all the time.
32
00:02:15,780 --> 00:02:17,580
I see it to this day.
33
00:02:17,580 --> 00:02:24,060
So we're looking for badge photos. I'm looking for desk photos, computer photos. I had a situation once
34
00:02:24,060 --> 00:02:30,090
where somebody took a picture of her watching a game at work. She was watching a basketball game at work,
35
00:02:30,480 --> 00:02:37,860
and the basketball game was on her computer, and on her screen there it showed all the different tools
36
00:02:37,860 --> 00:02:39,560
that they utilized at work.
37
00:02:39,600 --> 00:02:42,310
She had a work application open in this photo.
38
00:02:42,420 --> 00:02:46,040
There was a desk in the background. You can see different things.
39
00:02:46,170 --> 00:02:49,650
And it just gives us information, and that's what we're after.
40
00:02:49,650 --> 00:02:51,470
What kind of information can we gather?
41
00:02:51,600 --> 00:02:57,000
Now this course is not a course on physical or social, so I kind of wanted to give a high level of what
42
00:02:57,000 --> 00:02:57,930
to expect.
43
00:02:58,020 --> 00:03:03,840
We won't really be doing a whole lot of this in this course, with this type of information gathering,
44
00:03:03,960 --> 00:03:06,420
but these are the things that you should be looking for.
45
00:03:06,450 --> 00:03:12,060
So if you are tasked with a physical assessment, do go out there and look for satellite images, try
46
00:03:12,060 --> 00:03:18,590
to get a good feel of the building layout, and also try to get a feel for who the employees are, who maybe
47
00:03:18,600 --> 00:03:24,510
the IT manager is, in case you're going to say, you know, I work for IT. They may ask you who your manager
48
00:03:24,510 --> 00:03:26,400
is. You might need to know those names.
49
00:03:26,580 --> 00:03:31,500
And of course look for pictures. You can find a good badge photo and what that looks like.
50
00:03:31,530 --> 00:03:37,770
You can make a fake badge, go on site, and you'll be way more passable with that badge. But sometimes they
51
00:03:37,770 --> 00:03:40,030
don't even look; it can be drawn in crayon.
52
00:03:40,080 --> 00:03:45,790
So from there, let's go ahead and talk about what we will be doing a lot of, which is the web and hosts.
53
00:03:46,680 --> 00:03:52,380
So when you get a web or a host assessment, the first thing you really should do is what is called target
54
00:03:52,380 --> 00:03:53,590
validation.
55
00:03:53,610 --> 00:03:56,670
So we're going to be targeting something on Bugcrowd.
56
00:03:56,670 --> 00:04:02,010
We're not really going to focus on this, but what we're going to do in the real world is we would validate
57
00:04:02,010 --> 00:04:02,550
the target.
58
00:04:02,580 --> 00:04:09,090
Now there are situations where a client will give you an IP address or a website, and they might, they
59
00:04:09,090 --> 00:04:09,710
might fudge it.
60
00:04:09,720 --> 00:04:09,960
Right.
61
00:04:09,960 --> 00:04:15,870
They might accidentally fat-finger it, put the wrong number or the wrong letter in the website, and
62
00:04:15,870 --> 00:04:16,620
then guess what?
63
00:04:16,620 --> 00:04:22,440
You're off attacking somebody else's website. And there, if you are a podcast listener, there's a good
64
00:04:22,440 --> 00:04:24,570
Darknet Diaries episode on this.
65
00:04:24,570 --> 00:04:27,050
If you don't know Darknet Diaries, go check it out.
66
00:04:27,270 --> 00:04:34,800
There's a great episode with a guy named Rob Fuller, a.k.a. mubix, and he talks about getting the wrong
67
00:04:35,460 --> 00:04:41,520
IP address on an assessment, attacking the wrong people, and actually gaining access to that machine,
68
00:04:41,550 --> 00:04:45,350
which is a really, really big screw-up on both parts, right?
69
00:04:45,370 --> 00:04:49,360
So you should always validate your targets. On top of this,
70
00:04:49,350 --> 00:04:53,680
we're doing our web and our hosts. On the web side,
71
00:04:53,700 --> 00:04:58,190
we're going to look for subdomains, and we'll talk more about that as we get into it.
72
00:04:58,560 --> 00:05:03,560
But we can do that with Nmap, Sublist3r, or there's so many different tools that
73
00:05:03,560 --> 00:05:06,290
we can use, and we'll cover some of the tools and how to do it.
74
00:05:06,440 --> 00:05:10,790
We'll get a little deep into that as well, especially as we get into the web side of things.
75
00:05:10,790 --> 00:05:15,350
There's fingerprinting. We need to know what's running on a website or what's running on a host.
76
00:05:15,350 --> 00:05:17,250
What kind of services are out there?
77
00:05:17,270 --> 00:05:20,180
Are they running a web server? What's that web server?
78
00:05:20,210 --> 00:05:23,450
Is it IIS? Is it Apache? What version is it, right?
79
00:05:23,450 --> 00:05:26,150
Are they running, what ports are open on their machines?
80
00:05:26,150 --> 00:05:29,210
Oh, they have FTP open. What version of FTP is open?
81
00:05:29,210 --> 00:05:33,530
So we need to fingerprint machines and kind of understand what's running. On the passive side,
82
00:05:33,530 --> 00:05:35,620
we're not touching any machine, right?
83
00:05:35,630 --> 00:05:38,030
So we're not gonna be doing much scanning against the host.
84
00:05:38,060 --> 00:05:41,590
We just have to utilize what kind of information might already be out there.
85
00:05:41,630 --> 00:05:46,160
So if we go out to a website, it's on the border of active.
86
00:05:46,190 --> 00:05:50,060
But as long as we're not scanning it, in my book it's still passive.
87
00:05:50,060 --> 00:05:50,680
So we'll do.
88
00:05:50,720 --> 00:05:55,940
We will cover some of the passive/active side in this section, and then when we get into scanning
89
00:05:55,940 --> 00:05:59,000
we'll get way more active with it.
90
00:05:59,000 --> 00:06:05,240
Lastly, we're gonna hit heavy, especially in the beginning, on data breaches. Data breaches are the most
91
00:06:05,240 --> 00:06:11,570
common way, when we're doing an external assessment, that we get into networks. Absolutely, by far.
92
00:06:11,570 --> 00:06:17,240
When we talk about data breaches, we're talking about breach incidents from the past that have leaked
93
00:06:17,300 --> 00:06:18,110
data.
94
00:06:18,110 --> 00:06:25,130
Again, these are like Home Depot, Equifax, LinkedIn, all kinds of breaches that are out there that have
95
00:06:25,130 --> 00:06:30,250
had credentials dumped, and then those credentials become available to us eventually.
96
00:06:30,260 --> 00:06:35,570
And we try to utilize those to gain access, or at least utilize the usernames to gain access.
97
00:06:35,630 --> 00:06:42,350
Nowadays, most of the time there's not going to be an easy just scan, find something vulnerable, and exploit
98
00:06:42,350 --> 00:06:45,000
it on the external side of the house.
99
00:06:45,020 --> 00:06:50,660
So we're looking for these data breaches and this information that we can gather, and this is why information
100
00:06:50,660 --> 00:06:57,140
gathering, and then enumeration and scanning, are the most important by far. The better scanning and enumeration that
101
00:06:57,140 --> 00:07:01,940
you can do, and the better information gathering you can do, the better hacker you're going to be, and the
102
00:07:01,940 --> 00:07:03,660
better you're going to be at your job.
103
00:07:03,680 --> 00:07:06,750
So take these first two sections really seriously.
104
00:07:06,800 --> 00:07:13,190
So we're going to start in with identifying what our target's going to be for this part of the section,
105
00:07:13,520 --> 00:07:17,870
and then we're going to go ahead and start talking about data breaches and why they're important and
106
00:07:17,870 --> 00:07:19,360
go deeper into that.
107
00:07:19,460 --> 00:07:24,960
And then we'll go over some of these tools that you see here on this list and really dive into those.
108
00:07:24,980 --> 00:07:30,620
So I will look forward to seeing you in the next video, when we identify our target and get some information
109
00:07:30,620 --> 00:07:31,370
gathering started.