Activity 1.2 Passive Recon Group Activity - JNichollsCyber/SEC-335-Eth-Hacking-Pen-Testing GitHub Wiki

Within your group - create a Shared Google Doc and:

Select a company or organization to research

  • Medium-size is best
  • Let’s avoid non-profits
  • Not Champlain.edu

Gather all the interesting info you can about the organization based on its domain names and IP addresses:

  1. Use theHarvester on Kali to gather as much info as you can about your organization using passive techniques (no DNS options). In theHarvester, -d defines your domain and -b defines the source. You can try the options:

```bash
theHarvester -d <yourorganization> -b all
```

Hint: `>` allows you to redirect your output to a file

  2. Make a list of all websites identified in your recon so far, and use Netcraft.com to generate site reports for those sites.

Hint: https://sitereport.netcraft.com/ generates the site reports (and helps you identify the technologies used by each website)

  3. Metagoofil is a script that runs on Kali to find and download public documents (e.g. pdf, docx) for a given domain. Exiftool can then be used to analyze the metadata of those documents for interesting information such as dates, authors, version numbers and e-mail addresses.

The scripts are not installed in Kali by default, but they are easy to add. Follow the instructions for this portion of the lab in: Passive Recon_ Metagoofil and exiftool SP2024.docx

  4. Explore Google Hacking resources such as the following to see what additional information you can collect:

https://www.exploit-db.com/google-hacking-database/

http://www.powersearchingwithgoogle.com/course/aps/skills

What interesting stuff can you find about your organization?

  5. Compile notes for further recon:

  • Networks to scan
  • Systems to scan
  • Data on applications
  • Data on security systems
  • Individuals to target (social engineering)

Remember - this is Passive - minimal (if any) communication with the target organization's systems


Target: nuharborsecurity.com

theHarvester:

Netcraft.com:

Metagoofil:


Google Hacking:

  • Employee list: https://www.signalhire.com/companies/nuharbor-security/employees

  • While we tried many other Google Hacking queries, we were unable to find any other relevant information. For the most part, they returned no results, but occasionally they did return results that were not what we were looking for. For example, the query `site:*nuharborsecurity.com */admin.txt` did return results, but they were screenshots from training about improving application security.

  • As NuHarbor is a security company, they likely conduct periodic scans and OSINT checks to ensure that there is little unnecessary information publicly available about them.

Further Recon:

  • Systems to scan: 13.224.81.81 (seems to map to a login server on a subdomain of NuHarbor, likely one that holds more confidential information than the general logon server).

  • Networks to scan: 199.60.103.104 (IP mapped to nuharborsecurity.com, likely has a private subnet mapped to it via NAT).

  • Data on applications: specifics of the JavaScript that is being used. JavaScript was listed for all three sites, but the main site also listed Asynchronous JavaScript and jQuery. Look into HubSpot, which is hosting the main webpage.

  • Data on security systems: protected by Cloudflare. May want to look into password security on web portals: whether MFA is enabled, and whether sign-in is Google or Exchange based or the credentials are stored on a company-run server.

  • Individuals to target for social engineering: Company leadership: https://www.nuharborsecurity.com/company/leadership. Specifically, Nathan Mapp (VP of Sales) might be able to give information about partners, leading to a supply chain attack. There were also several interns listed (including Ina Fricke and Hollis Burnett), who may be more susceptible to a phishing attack, especially a social media based phishing attack.