Thursday, March 6, 2025

MITRE ATT&CK // Reconnaissance: Active Scanning // Explained



MITRE ATT&CK is a publicly available knowledge base of adversary tactics and techniques. It is built from observations of real-world cyber-attacks rather than from theory, which is why its entries map so directly onto what practitioners actually see.


Reconnaissance is the research phase of a cyber-attack, when the attacker gathers useful information about their target. This information tells the attacker where the best points of attack are, the spots on the castle wall where the stones are loosest. Without Reconnaissance, the attacker would not know where to enter and would be aimlessly wandering around the target's defensive barrier.




What is Active Scanning?


Active Scanning (T1595) is a technique within the Reconnaissance tactic. It differs from the other Reconnaissance techniques in that the attacker sends traffic directly to the target's infrastructure and reads the responses, rather than collecting information passively from public sources or third parties. That direct interaction is also what gives defenders a chance to notice it. Active Scanning has three sub-techniques: Scanning IP Blocks (T1595.001), Vulnerability Scanning (T1595.002), and Wordlist Scanning (T1595.003).



We will use three tools, nmap, wget, and dirb, to demonstrate Active Scanning. The target is scanme.nmap.org, a host the Nmap project runs specifically so people can practice scanning against it. Only scan hosts you own or are explicitly authorized to test; the permission here covers that one host and nothing else. The command nslookup scanme.nmap.org resolves the domain to its IP address, 45.33.32.156.



We ran the default command, nmap 45.33.32.156. Run as root this is a TCP SYN (half-open) scan of the 1,000 most common TCP ports; without root privileges nmap falls back to a full TCP connect scan, which completes each handshake and is noisier. The output lists the open ports and a service name for each. Note that the default scan never talks to the services themselves: the SERVICE column is looked up from nmap's port-to-service table, and confirming what is really listening needs version detection (-sV). Even so, the port list is useful to an attacker because it points at software that may be exploitable, and our output contains an example. The last port, 31337, is labelled "Elite". Port 31337 ("eleet") has long been associated with backdoors such as Back Orifice, and an unexpected listener there on a production host would deserve a closer look. On scanme.nmap.org it is part of the practice target rather than evidence of compromise.



Scanning IP Blocks


The first sub-technique of Active Scanning is Scanning IP Blocks. Rather than scanning one IP address, the attacker scans a block, a contiguous range of addresses written in CIDR notation. So instead of a single IP (45.33.32.156) we scan the surrounding /24 block (45.33.32.0/24), which covers 45.33.32.0 through 45.33.32.255.



To find the block the address belongs to, we ran whois 45.33.32.156. The registry record shows the allocation is 45.33.0.0/17, which contains 32,768 addresses. Keep in mind that whois reports the hosting provider's allocation, not the target's own subnet, so most of those addresses belong to unrelated customers. Scanning the whole /17 would take a long time, so we used a smaller block, 45.33.32.0/24 (256 addresses). The Nmap project's permission covers scanme.nmap.org only; the neighbouring addresses are other people's hosts, so in a real engagement restrict the block to what your authorization covers.



nmap -sn 45.33.32.0/24 is a basic IP block scan. "-sn" tells nmap to skip the port scan and do host discovery only, reporting which addresses respond. This is commonly described as a ping sweep, but the default probes are not ICMP only: run as root against a remote network, nmap sends each host an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; unprivileged, it falls back to TCP connect attempts on ports 80 and 443. The scan is useful because it is fast and quickly shows which addresses are live. It is quieter than a full port scan, since each host sees only a handful of packets, but it is not invisible: the TCP probes do touch ports, and one source touching every address in a /24 is exactly the pattern an IDS flags as a sweep. To restrict discovery to ICMP echo, add -PE (nmap -sn -PE 45.33.32.0/24); specifying any -P option replaces nmap's default probe set.
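The block below is an added example, not code from the original post. It wraps the sweep and the default port scan from the sections above, then parses nmap's "greppable" output (-oG -) into a live-host list and a per-host open-port list, flagging ports whose SERVICE label is only a table lookup. The scan functions assume nmap is installed and run as root; the sample output is constructed in the -oG format against the 192.0.2.0/24 documentation range (the open ports mirror what scanme.nmap.org shows) so the parsing runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sweep a block, then turn nmap's
# greppable output into data the next stage can consume.
# Assumptions: nmap installed, run as root (raw ICMP and SYN scans need it).

# Host discovery only. -PE restricts probes to ICMP echo so the sweep really
# is portless; without it nmap also sends TCP SYN/ACK probes to 443/80.
sweep_block() {            # usage: sweep_block 45.33.32.0/24 > sweep.gnmap
    nmap -sn -PE -oG - "$1"
}

# Default port scan of the hosts found alive, one IP per line on stdin.
scan_live() {              # usage: live_hosts < sweep.gnmap | scan_live > ports.gnmap
    nmap -oG - -iL -
}

# CONSTRUCTED sample in the -oG format (192.0.2.0/24 is a documentation range,
# scanme.example is fictitious). A -sn sweep yields only "Status:" lines; a
# port scan adds "Ports:" lines. Real results will differ.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Thu Mar  6 10:00:00 2025 as: nmap -oG - 192.0.2.0/24
Host: 192.0.2.10 ()   Status: Up
Host: 192.0.2.10 ()   Ports: 22/open/tcp//ssh///, 443/closed/tcp//https///   Ignored State: filtered (998)
Host: 192.0.2.156 (scanme.example)   Status: Up
Host: 192.0.2.156 (scanme.example)   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9929/open/tcp//nping-echo///, 31337/open/tcp//Elite///   Ignored State: closed (996)
# Nmap done at Thu Mar  6 10:00:05 2025 -- 256 IP addresses (2 hosts up) scanned in 5.01 seconds'

# stdin: greppable output -> IPs that answered, one per line, deduplicated
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' | sort -u
}

# stdin: greppable output; $1: IP -> "port/proto service" for each open port
open_ports() {
    awk -v ip="$1" '/^Host:/ && $2 == ip && /Ports:/ {
        sub(/.*Ports: /, "")
        sub(/[ \t]*Ignored State:.*/, "")
        n = split($0, entry, /, */)
        for (i = 1; i <= n; i++) {
            # each entry is port/state/protocol/owner/service/rpc info/version
            split(entry[i], f, "/")
            if (f[2] == "open") print f[1] "/" f[3] " " f[5]
        }
    }'
}

# nmap's SERVICE column comes from its port-to-service table, not from probing,
# so anything outside the expected web/ssh set is a candidate for a follow-up
# nmap -sV run rather than a fact.
unusual_ports() {          # stdin: open_ports output -> entries to inspect
    awk '$2 != "ssh" && $2 != "http" && $2 != "https"'
}

# Offline demo on the constructed sample: bash thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GNMAP" | live_hosts
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports 192.0.2.156 | unusual_ports
fi
```

In a real run the pipeline is sweep_block, then live_hosts, then scan_live; the parsers are the same either way, and on the sample they report 192.0.2.10 and 192.0.2.156 as live and single out 9929/tcp and 31337/tcp on the second host as labels to verify with -sV before drawing any conclusion.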



Vulnerability Scanning 


The next sub-technique, Vulnerability Scanning, probes targets for weaknesses. Often a vulnerability scan checks whether the target host or application is susceptible to the specific exploit the attacker wants to use. The simplest form is banner grabbing: reading the banners that services present, which reveal the software name, version, and sometimes configuration details, and matching those against known vulnerabilities. Dedicated scanners such as OpenVAS and Nessus, or nmap's NSE vulnerability scripts (--script vuln), automate that matching at scale, but they start from the same version information.



wget --server-response --spider http://45.33.32.156 performs the banner grab: --spider sends a HEAD request instead of downloading the page, and --server-response prints the HTTP response headers. The Server header reads "Apache/2.4.7 (Ubuntu)". Apache httpd 2.4.7 was released in November 2013, so an installation genuinely running that code would have accumulated many published vulnerabilities since. A simple search turns up quite a few CVEs affecting 2.4.7. One of them is CVE-2021-44224: if the server is configured as a forward proxy, a crafted URI can trigger a NULL pointer dereference that crashes the worker process, or in mixed forward/reverse proxy configurations be used for server-side request forgery; the flaw affects 2.4.7 through 2.4.51. Two caveats apply before treating a banner as proof. Distributions such as Ubuntu backport security fixes without changing the version string, so a "2.4.7" banner may already be patched, and administrators can hide or alter the version with the ServerTokens directive. The banner narrows the attacker's focus and shows which exploits are worth trying, but only a test against the actual host confirms them. That is what makes Vulnerability Scanning a crucial phase of Reconnaissance.
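As an added example (not code from the original post), the block below grabs the Server header the same way the post does, extracts the Apache version, and checks it against the range CVE-2021-44224 applies to (2.4.7 through 2.4.51, per the Apache advisory). The wget transcript used for the offline check is constructed to match the post's result; the version comparison is a small awk routine of my own, not an nmap or wget feature.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): banner grab plus a version-range
# check for CVE-2021-44224. Assumes wget is installed for the live function.

# Live banner grab: --spider issues a HEAD request, --server-response prints
# the headers on stderr, hence the 2>&1.
grab_server_header() {     # usage: grab_server_header http://45.33.32.156
    wget --server-response --spider "$1" 2>&1 | server_header
}

# CONSTRUCTED wget transcript matching the banner reported in the post.
SAMPLE_RESPONSE='Spider mode enabled. Check if remote file exists.
--2025-03-06 10:00:00--  http://45.33.32.156/
Connecting to 45.33.32.156:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Thu, 06 Mar 2025 10:00:00 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Content-Type: text/html
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.'

# stdin: wget --server-response transcript -> value of the Server header
server_header() {
    awk 'tolower($1) == "server:" { sub(/^[ \t]*[^:]*:[ \t]*/, ""); print; exit }'
}

# "Apache/2.4.7 (Ubuntu)" -> "2.4.7"; empty when the banner hides the version
# (ServerTokens Prod yields just "Apache") or is not Apache at all.
apache_version() {
    printf '%s\n' "$1" | sed -n 's#^Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Numeric comparison of dotted versions; prints -1, 0 or 1 like strcmp,
# so 2.4.10 sorts after 2.4.9 (a plain string compare gets that wrong).
vercmp() {                 # usage: vercmp 2.4.10 2.4.9 -> 1
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) { print "-1"; exit }
            if (xa > yb) { print "1"; exit }
        }
        print "0"
    }'
}

# True (exit 0) when the banner version lies in 2.4.7..2.4.51, the range the
# advisory gives for CVE-2021-44224. A match is a lead, not a finding: Ubuntu
# backports fixes without bumping the version, and the flaw only matters with
# ProxyRequests on, which a banner cannot tell you.
banner_in_cve_2021_44224_range() {
    v=$(apache_version "$1")
    [ -n "$v" ] || return 1
    [ "$(vercmp "$v" 2.4.7)" -ge 0 ] && [ "$(vercmp "$v" 2.4.51)" -le 0 ]
}

# Offline demo on the constructed transcript: bash thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    banner=$(printf '%s\n' "$SAMPLE_RESPONSE" | server_header)
    if banner_in_cve_2021_44224_range "$banner"; then
        echo "$banner: version in CVE-2021-44224 range, verify proxy config and patch level"
    else
        echo "$banner: not in range or version hidden"
    fi
fi
```

Against a live target, replace the sample with grab_server_header http://45.33.32.156 and treat a hit as the starting point for a check of the actual patch level, never as confirmation on its own.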



Wordlist Scanning 


The last sub-technique is Wordlist Scanning, which uses a wordlist to brute-force paths on the target web application in search of directories and pages that are not linked from anywhere. The goal is to discover old vulnerable directories, backups, or hidden administrative portals that can be used in later phases of the attack. This is commonly called directory busting and can be performed with dirb, which comes pre-installed in Kali Linux (gobuster and ffuf are faster alternatives that work the same way).



Using the command dirb http://45.33.32.156 /usr/share/wordlists/dirb/common.txt (the second argument is the wordlist; common.txt is one of the lists shipped with dirb), we got a hit on the /.svn directory. dirb did not single this path out: /.svn is simply one of the entries in common.txt, and the server answered with something other than 404 for it. dirb prints the HTTP status code next to each hit, and it matters: a 200 means the contents are readable, a 403 means the path exists but access is denied, and both are worth recording. /.svn is the hidden directory in which Subversion stores working-copy metadata. If it is reachable over the web it can leak the application's source code (older working copies keep pristine copies of every file under .svn, newer ones keep them in the .svn/wc.db database and pristine store), along with file listings and sometimes credentials. Normally /.svn should never be served at all.
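The block below is an added example, not code from the original post. It triages dirb's output so a version-control leftover like /.svn stands out from the rest of the hits, and shows the Apache directives a defender uses to close that exposure. The sample dirb output is constructed against a fictitious host, http://target.example/, and is not a real scan result; the live function assumes dirb is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): turn dirb's hit list into a
# prioritised set of findings, plus the server-side fix for exposed VCS dirs.

run_dirb() {               # usage: run_dirb http://target.example > dirb.txt
    dirb "$1" /usr/share/wordlists/dirb/common.txt
}

# CONSTRUCTED dirb output for a fictitious host; not a real scan.
SAMPLE_DIRB='-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Mar  6 10:00:00 2025
URL_BASE: http://target.example/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://target.example/ ----
+ http://target.example/.git (CODE:200|SIZE:1024)
+ http://target.example/.svn (CODE:403|SIZE:292)
==> DIRECTORY: http://target.example/images/
+ http://target.example/index.html (CODE:200|SIZE:7245)
+ http://target.example/server-status (CODE:403|SIZE:300)'

# stdin: dirb output -> "code url" for each "+ url (CODE:nnn|SIZE:n)" line
dirb_hits() {
    sed -n 's/^+ \([^ ]*\) (CODE:\([0-9]*\)|SIZE:[0-9]*).*/\2 \1/p'
}

# stdin: dirb output -> directories dirb found and will recurse into
dirb_dirs() {
    sed -n 's/^==> DIRECTORY: \([^ ]*\).*/\1/p'
}

# stdin: dirb output -> "severity code url".
# Readable (200) version-control metadata can hand over the whole source tree,
# so it is HIGH; a 403 proves the directory exists but is blocked (MEDIUM,
# still worth reporting); other 403s are low; everything else is context.
triage_hits() {
    dirb_hits | awk '{
        code = $1; url = $2; sev = "info"
        if (url ~ /\/\.(svn|git|hg|bzr)\/?$/)
            sev = (code == 200) ? "HIGH" : "MEDIUM"
        else if (code == 403)
            sev = "low"
        print sev, code, url
    }'
}

# Defender side: Apache 2.4 directives that deny any request touching a
# version-control directory, wherever in the document tree it was deployed.
apache_deny_vcs_conf() {
    cat <<'EOF'
<DirectoryMatch "/\.(svn|git|hg|bzr)(/|$)">
    Require all denied
</DirectoryMatch>
EOF
}

# Offline demo on the constructed output: bash thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DIRB" | triage_hits | sort
    apache_deny_vcs_conf
fi
```

On the sample, the exposed /.git comes out as HIGH and the blocked /.svn as MEDIUM; with a real run, feed run_dirb's output into triage_hits instead. The DirectoryMatch block is the fix to apply on the server; the cleaner fix is to deploy from an export rather than a working copy so the metadata is never on the web root in the first place.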



Conclusion


Active Scanning is a crucial technique within the Reconnaissance tactic. By performing active scans, the attacker interacts directly with the target's infrastructure and gains valuable insight into the configuration and topology of the target host or application. The three sub-techniques, Scanning IP Blocks, Vulnerability Scanning, and Wordlist Scanning, each contribute to a clearer picture of the target infrastructure.


Using nmap, wget, and dirb, we demonstrated how Active Scanning uncovers open ports, services, vulnerable configurations, and hidden directories. First, nmap showed us which hosts in the IP block were alive and which ports the target had open. Next, with wget we performed banner grabbing, which gave us the server software and version. Lastly, we used dirb for directory busting and discovered an exposed version-control directory.


These techniques matter to the attacker because they expose weaknesses in the target infrastructure. Once the attacker knows the specifics of the target and has found candidate vulnerabilities, they can plan the next phase of the attack accordingly. Defenders cannot stop strangers on the Internet from sending packets at public addresses, but they can make active scanning far less productive: expose only the services that must be reachable and firewall the rest, suppress version information in banners (for Apache, ServerTokens Prod and ServerSignature Off), deny web access to version-control and other dot-directories, keep exposed software patched so the versions a scanner finds have nothing exploitable, and deploy an IDPS that alerts on port sweeps and directory brute-forcing so the scan is noticed before the attack advances to more destructive phases. By understanding how attackers perform attacks, we can improve our security posture and reduce the probability of negative impact from cyber-attacks.


