1
00:00:09,660 --> 00:00:10,980
Hi everyone.

2
00:00:11,020 --> 00:00:15,140
Welcome to another video of the Expert Malware Analysis and Reverse Engineering course.

3
00:00:15,530 --> 00:00:23,540
And in this video we are going to begin with analyzing the attack kill chain phases in much more

4
00:00:23,540 --> 00:00:24,440
detail.

5
00:00:24,770 --> 00:00:31,630
So the first two phases of the cyber kill chain model are the Reconnaissance and Weaponization phases.

6
00:00:31,640 --> 00:00:39,140
So this is pretty much the pre-attack phase, where the attacker tries to gather information about the

7
00:00:39,140 --> 00:00:39,940
victim.

8
00:00:40,130 --> 00:00:47,450
And once information has been gathered, they try and create a weaponization stage where they can infect

9
00:00:47,450 --> 00:00:49,670
or target their victims.

10
00:00:51,000 --> 00:00:54,320
So, how do you perform passive reconnaissance?

11
00:00:54,330 --> 00:01:00,540
So basically what I mean by passive reconnaissance is gathering information about your victim without

12
00:01:00,540 --> 00:01:03,530
making any direct communication with them.

13
00:01:04,080 --> 00:01:08,520
So this means that I'm not scanning their services.

14
00:01:08,520 --> 00:01:12,680
I'm not establishing any form of communication with them.

15
00:01:12,690 --> 00:01:20,900
I'm just using open source intelligence, or open sources, to gather information about my target.

16
00:01:20,900 --> 00:01:26,160
So information available online, like Google search, Twitter and LinkedIn, can be one of the sources for

17
00:01:27,120 --> 00:01:32,700
collecting information about public IPs, web services or Internet-facing services.

18
00:01:32,700 --> 00:01:42,060
So a lot of times the companies have their public IPs, web services etc. available in a global repository.

19
00:01:42,060 --> 00:01:48,180
For example, Domain Dossier is one repository where you can just enter the IP address and you can get

20
00:01:48,240 --> 00:01:51,840
a lot of information about what services are hosted,

21
00:01:51,840 --> 00:01:54,390
what the range of that IP is.

22
00:01:54,420 --> 00:02:01,420
You can also get information about their email protection policies and things like that.

23
00:02:01,590 --> 00:02:06,900
The other passive reconnaissance activity can be whois and reverse lookup.

24
00:02:06,900 --> 00:02:12,480
So again, these two are very popular Unix tools which you can use to basically query your

25
00:02:12,480 --> 00:02:19,770
DNS server to get more information about a given service. Again, in this case you are not making any direct

26
00:02:19,770 --> 00:02:22,440
connection with your target.

27
00:02:22,470 --> 00:02:29,400
You are just collecting information that is publicly available at various sources.

28
00:02:30,190 --> 00:02:35,870
Collecting target information like employee e-mails, contact numbers, work location etc.

29
00:02:35,920 --> 00:02:43,720
Now, if you remember the example that we saw in the previous video, where a spam e-mail was delivered

30
00:02:43,720 --> 00:02:49,700
to the employee and that e-mail contained a malicious attachment that had an exploit inside it.

31
00:02:49,930 --> 00:02:53,530
So before you can send that e-mail, you need to figure out

32
00:02:53,530 --> 00:02:55,720
who you want to send that email to.

33
00:02:55,720 --> 00:02:57,880
This is where passive recon comes into action.

34
00:02:57,880 --> 00:03:04,960
You basically try and gather information about the weak points, you try and gather information about

35
00:03:05,650 --> 00:03:10,940
users or employees of your target organization, and from there

36
00:03:11,020 --> 00:03:18,770
you use that information to build your next stage. Active reconnaissance is the second activity

37
00:03:18,830 --> 00:03:22,250
that the attacker can try and implement.

38
00:03:22,270 --> 00:03:29,930
So this involves port scanning and fingerprinting. Now, port scanning is an activity where you pick

39
00:03:29,930 --> 00:03:38,750
an IP address of your target and you scan for all open ports that are there for the given IP address.

40
00:03:38,750 --> 00:03:43,800
So what this gets you is information about what services are running on those ports,

41
00:03:43,820 --> 00:03:47,740
what versions of those services they are, etc.

42
00:03:47,810 --> 00:03:54,950
Now this is a scanning technique where you're directly making a connection with your target.

43
00:03:54,950 --> 00:03:57,130
That's why it's called active reconnaissance.

44
00:03:59,030 --> 00:04:04,860
Port scanning and fingerprinting can be performed using common tools like Nmap, dig, nslookup

45
00:04:04,910 --> 00:04:11,890
and Maltego. Then you can also run a bunch of dummy tests.

46
00:04:11,890 --> 00:04:19,660
For example, let's say we all know that if there is a company xyz.com, then there will be an

47
00:04:19,690 --> 00:04:29,290
alias email address such as HR@xyz.com or, let's say, CorporateIT@xyz.com,

48
00:04:29,290 --> 00:04:37,450
some common email aliases or email groups that should be present in almost all organizations.

49
00:04:37,450 --> 00:04:43,700
It basically consists of all the users which are within the HR group or which are within the IT group.

50
00:04:43,810 --> 00:04:50,620
So you can basically run a bunch of tests by sending some sample emails, or by sending some dummy emails,

51
00:04:50,620 --> 00:04:53,670
to those addresses and see whether they get delivered or not.

52
00:04:53,830 --> 00:04:59,470
If you don't get any failure notification back, it means that those e-mail addresses actually exist,

53
00:04:59,500 --> 00:05:02,620
and in the next stage you can actually send your weaponized file.

54
00:05:05,610 --> 00:05:07,800
So once the reconnaissance phase has been done,

55
00:05:07,800 --> 00:05:15,240
the next step is building the weaponization file. Now, choosing the attack vector depends on the information

56
00:05:15,270 --> 00:05:18,870
that the attacker gathered in their reconnaissance phase.

57
00:05:18,900 --> 00:05:25,380
So in the reconnaissance phase you might have gathered information like email addresses, IP addresses or

58
00:05:25,380 --> 00:05:29,810
open ports, and what services are hosted on those open ports, and things like that.

59
00:05:30,150 --> 00:05:37,050
So once you choose your particular attack vector, that's when you're going to decide how you're going

60
00:05:37,050 --> 00:05:38,580
to weaponize that.

61
00:05:38,580 --> 00:05:44,250
For example, again coming back to the e-mail spam case, let's say you figured out a bunch of e-mail IDs

62
00:05:44,250 --> 00:05:47,400
of HR professionals of your target organization.

63
00:05:47,400 --> 00:05:55,240
You can start crafting a malicious spam e-mail and attaching a malicious file with a name like "resume".

64
00:05:55,230 --> 00:05:59,790
You can go online and you can see that the organization has posted a bunch of openings online.

65
00:05:59,790 --> 00:06:05,820
For example, let's say a software developer. You can create an email and add an attachment saying this is

66
00:06:05,820 --> 00:06:08,370
your resume for the software engineer role.

67
00:06:08,640 --> 00:06:16,780
And that's how you can basically craft your own weaponization stage. The weaponized file will also shape the

68
00:06:16,780 --> 00:06:18,100
delivery mechanism.

69
00:06:18,130 --> 00:06:21,010
So once your weaponization file has been created,

70
00:06:21,100 --> 00:06:29,890
you basically go ahead and deliver it to your particular target. So that was a quick introduction about the

71
00:06:29,890 --> 00:06:30,600
reconnaissance

72
00:06:30,640 --> 00:06:37,360
and weaponization phases. Later on we will start looking into the delivery phase, and we'll see how the

73
00:06:37,360 --> 00:06:42,990
spam emails basically reach into an organization and how we can further analyze them.

74
00:06:43,450 --> 00:06:44,740
That's it for this video.

75
00:06:44,740 --> 00:06:45,160
Thanks a lot.