Well yesterday I spent some time reading up on the recon phase.
Again everything with a grain of salt and some Sherlock Holming ;).
First, I was thinking about this blog. I really like the vlog style of jw. But on the other side, searching for a webcam in my electronics bin and uploading videos = EFFORT. Well, so I have a topic for today. And I will keep this rambling, straight-out-of-my-head style. Just need to make sure that I don’t sound too much like Yoda.
AAAANNNDDDD back to the blog.
Recon is quite important. Ask any military person. But they will also tell you about the concept of the “fog of war”. https://en.wikipedia.org/wiki/Fog_of_war Most people will think back to StarCraft, and yeah, just send a unit over there and the fog will be gone. But that concept falls short. The fog of war is caused by two factors. A leader without any information about the enemy is useless. A leader with detailed information about every fricking detail of the enemy is also useless.
Actually, if you haven’t read him … do it NOW! Read up on Sun Tzu (or any of the other transliterations of his name), “The Art of War” https://en.wikipedia.org/wiki/The_Art_of_War
There are so many great quotes to link here .. well, have some.
Managing the level of information is critical for military forces. That is the reason why there are “Information management officers” etc …
So we learned that too much information is as bad as too little. First lesson of the day done.
Next up is our time problem. In the exam I will have 24h. A recon phase lasting 25h is useless. So every script and every action has to be quick. Again: “Move swift as the Wind and closely-formed as the Wood. Attack like the Fire and be still as the Mountain.” Sun Tzu. Great guy .. back in ancient China, around 2500 years ago, writing about recon in a pentest. Visionary guy, or what?
Well if the quote is general enough you can hammer it in place 😉
Coming to the effort. Ever heard of the 80:20 rule? 20% of the effort netting 80% of the results? https://en.wikipedia.org/wiki/Pareto_principle I will spare you the nice formulas etc. (otherwise I would have to install a LaTeX plugin here or so .. EFFORT). In short, 20% of the work will usually net you 80% of the results. That is the reason why a smart student will not study blindly .. it is much smarter to identify which 20% of the course material will net you 80% of the answers (assuming you need 70% to pass the test).
Ok now mix everything together and come back to our recon problem.
Did you ever try nmap with all flags .. against the internet, on all ports? No, don’t do it. If you do, your result will be:
a) Depending on your country, a nice visit
b) A totally useless dataset
c) A really long scan, taking ages
d) all of the above
My goal is to identify the scan that gets me 80% of my NEEDED information, in the minimal time with the minimal effort. You might ask: “What about this super duper hidden, hardened, ninja SPEC FORCES OPSEC MILITARY GRADE NSA SUPERCOMPUTER?”
Well first: my Sherlock Holmes power tells me that the lab will try to mimic real life. And every family has the awkward cousin Steve. You know, that stinking dude you just have to invite because of family reasons. And every network has the unpatched Win XP machine (or equivalent). You can’t patch stupidity. And if you know what your “normal” network looks like, you can find your super special SPEC FORCES. Yeah, even in the military the super duper secret guys will be easy to spot. If you have 5000 soldiers running around and this one guy being “TACTICOOL” with desert uniform etc., while all the other dudes wear woodland?? Guess what? SPEC OPS … being “special” will stand out as long as you know the baseline. Just look up special forces badges.
If you are “special” you will stand out.
Same for our hardened hosts, firewalls and honeypots. If I compare them to the awkward cousin Steve they will act differently. I have no clue how. But I know that I first want to meet Steve.
How do I get to meet him? Well, with the minimal nmap scan. Looking up the nmap documentation, the top 1000 ports will net me 93-95% of services (TCP or UDP). WOW .. compared to 65535 possible ports this is roughly 1/65 of the effort for over 90% of services.
Beat that Pareto !!!
Nmap is also quite good at guessing the OS. Of course not perfect .. but anything better than 0% is good in my eyes.
So my plan for day 1 of the lab time and the course so far:
1) Connect to the lab
2) Start a stopwatch
3) run an nmap scan netting me 90%+ of services against the “normal” hosts, saving that in every possible nmap output format (to test my nmap-to-LaTeX workflow, to make reporting easier)
4) Download the course material
5) Get an estimate of my bandwidth to the labs, and how long a scan from my VM takes
6) Start drawing my network graph with the basic info
7) Start reading
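As an added example (mine, not the blog’s own script or anything from the course), here is a small Python helper for steps 2, 3 and 6 and for the “meet Steve first” idea: it builds the nmap command for the top-1000 scan with every output format, puts a stopwatch around the run, parses the XML that nmap writes, works out the “cousin Steve” baseline from the open ports most hosts share, flags the hosts that look nothing like it, and emits the rows for a LaTeX table. The sample XML, the 10.11.1.x addresses, the 50% share and the distance rule are all assumptions for the demo, not figures from the post.

```python
# Added example, not code from the post: a day-1 minimal recon helper.
# It builds the nmap command for the default top-1000 port scan, times the run,
# parses the XML that -oA writes, derives the "cousin Steve" baseline (ports most
# hosts have open) and flags hosts that look nothing like it. SAMPLE_XML is
# constructed by hand so this runs offline; nmap only starts inside run_scan().
# Addresses, the 0.5 share and the distance rule are demo assumptions.
import math
import subprocess
import time
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --top-ports 1000 -O -oA day1 10.11.1.0/24">
<host><status state="up"/><address addr="10.11.1.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
</ports><os><osmatch name="Microsoft Windows XP SP3" accuracy="97"/></os></host>
<host><status state="up"/><address addr="10.11.1.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports><os><osmatch name="Microsoft Windows Server 2003" accuracy="90"/></os></host>
<host><status state="down"/><address addr="10.11.1.7" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.11.1.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
</nmaprun>
"""

def nmap_argv(targets, prefix="day1", os_detect=True):
    """argv for nmap's default port set (--top-ports 1000) with every output format.
    -oA <prefix> writes prefix.nmap, .gnmap and .xml in one run; -O is nmap's OS
    guessing and needs raw sockets, so run it with root/sudo. Add -sU for UDP."""
    argv = ["nmap", "--top-ports", "1000"] + (["-O"] if os_detect else [])
    return argv + ["-oA", prefix] + list(targets)

def run_scan(targets, prefix="day1"):
    """Steps 2 and 3: stopwatch around the real scan; returns (seconds, xml path)."""
    started = time.monotonic()
    subprocess.run(nmap_argv(targets, prefix), check=True)
    return time.monotonic() - started, prefix + ".xml"

def parse_hosts(xml_text):
    """Live hosts from nmap XML: address, set of open ports, first OS guess."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nmap also lists hosts it could not reach
        ports = frozenset(int(port.get("portid")) for port in host.findall("ports/port")
                          if port.find("state").get("state") == "open")
        match = host.find("os/osmatch")
        hosts.append({"addr": host.find("address[@addrtype='ipv4']").get("addr"),
                      "ports": ports,
                      "os": match.get("name") if match is not None else "no match"})
    return hosts

def baseline_ports(hosts, min_share=0.5):
    """The 'normal' profile: ports open on at least min_share of the live hosts."""
    counts = Counter(port for host in hosts for port in host["ports"])
    need = max(1, math.ceil(len(hosts) * min_share))
    return frozenset(port for port, seen in counts.items() if seen >= need)

def distance(host, baseline):
    """Ports that differ between host and baseline (size of the symmetric difference)."""
    return len(host["ports"] ^ baseline)

def odd_ones_out(hosts, baseline):
    """Hosts to look at after Steve: as far from the baseline as the baseline is big,
    or ones nmap could not fingerprint. Returns (address, distance) pairs."""
    return [(host["addr"], distance(host, baseline)) for host in hosts
            if distance(host, baseline) >= len(baseline) or host["os"] == "no match"]

def latex_rows(hosts, baseline):
    """The nmap-to-LaTeX step: one tabular row per host, sorted by address."""
    def tex(s):  # escape the characters LaTeX would choke on in an OS name
        return s.replace("&", r"\&").replace("_", r"\_").replace("%", r"\%")
    rows = [r"\begin{tabular}{l l l r}", r"host & open ports & OS guess & distance \\ \hline"]
    for host in sorted(hosts, key=lambda h: h["addr"]):
        ports = ",".join(str(p) for p in sorted(host["ports"]))
        rows.append(f"{host['addr']} & {ports} & {tex(host['os'])} & {distance(host, baseline)} \\\\")
    rows.append(r"\end{tabular}")
    return "\n".join(rows)

if __name__ == "__main__":
    print("would run:", " ".join(nmap_argv(["10.11.1.0/24"])))  # run_scan() does it
    live = parse_hosts(SAMPLE_XML)
    base = baseline_ports(live)
    print("baseline (Steve):", sorted(base))
    print("odd ones out:", odd_ones_out(live, base))
    print(latex_rows(live, base))
```

On the sample the baseline comes out as 135/139/445, the 3389 box is one port away from Steve, and 10.11.1.9 (one open port, no OS match) is the one to look at next. The `min_share` knob and the “distance at least the size of the baseline” rule are the two places to tune once real lab output is in; the point is only that you need the boring majority before the odd host means anything. Swap `SAMPLE_XML` for the `.xml` file `run_scan()` returns and the same functions give you the stopwatch reading, the baseline and the table rows for the report.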
Looks like a minimal effort route. Because why should I start SCANNING EVERYTHING on day 1?? TOO MUCH INFORMATION .. I will not be able to understand half of the output of an nmap -FULL GIVE GIVE GIVE scan ... and it will take ages to read. Nice little information bites. 20% effort, 20% time, 80% information.
So far ucki