Phases of a red team assessment: Recon

The 5 phases of a Red Team assessment:
1: OPORD | 2: Recon | 3: Target ID | 4: Live run | 5: Report

Phase 2: RECON

Recon, reconnaissance. This phase is the most important phase. If you do it right, it will most likely end in the success of the project. A good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project successfully.

During the last phase, OPORD, an initial plan of action was drafted. During this phase, the team observes the target and learns about it. Physical and digital surveillance are performed, as well a deeper level of open source intelligence gathering. The physical, digital and social footprints of the target are mapped and analyzed, providing a much clearer view of the possible venues of attack, vulnerabilities to exploits and, very important, the who's who of the target.
Usually, during this phase, all activities are passive - no direct contact with the target. However in some cases, when the target is open to attack, a more active scan/surveillance is performed. This will depend on the target's avility AND the Team's ability.

Types of Recon

Depending on the project or target, recon can be remote or on location. Remote recon is safer, since most of it is done via a computer or by using people that already live at the location and can perform the recon for you. On the other hand, sometimes the project calls for physical recon on-site, or due to security controls at the target, you might need to be physically present at the location. This type of recon sometimes can be a bit more challenging and dangerous.

Initial Recon

Regardless of whether you are performing a remote or on-site location, start with an open source recon. This means: open your browser and search information about your target.

For a physical recon, perform some initial activities online: perform a site survey using google maps (both topo and street view), see what's around the area, where people can eat, drink coffee or what bars are presents (social gathering places). Check parking lots in and around the target, cameras in the area that you can tap to remotely (Shodan is your friend!) and try to observe patterns of life. Learn who owns the building (records are public), gather information about the building (try to get blueprints, who provides utilities, cleaning company, security company, etc), map wireless networks in the area (Wigle is your friend!), understand traffic flows in the area, read police reports and see crime-related info.
In short, understand patterns of life and atmospherics

For a digital recon, perform an initial, surface OSINT sweep: search information about the company or target, who founded it, when, it's history, it's competitors. Search social media sites for information such as marketing releases, press releases. Begin compiling a list of employees (if applicable) from the same social media websites. Search email addresses using different search engines (for example search @target.com and see what pops up, usually you can get a lot information from technical forums where IT and network people go to ask questions, and you can learn a lot about their tech stack). Finally, search WHOIS and other DNS related stuff for their IP ranges, MX records, etc. Perform a very light initial scan on those systems/networks. Mask it as a the usual annoyance scans that happen constantly. Focus on their website (learn whether it's hosted on a hosting company, or ran at a target's itself), understand who provides their email services, learn whether they site behind a service such as Akamai, or if they route traffic through a 3rd party security provider.

Initial recon is tedious, but brings a lot of clarity about the target.

Physical Recon

Physical recon can be challenging. Depending what the location is, or what the project is, being on-site can many things you have to think about before going there. There’s the issue of whether the area is permissive, or semi-permissive / non permissive. How you carry yourself, and how you act on a permissive environment is completely different of what you can do, or how you act on a semi permissive, or even non permissive environment. Either way, atmospherics and patterns of life, as well as crime information and local customs should be your first priority. As mention in the initial recon section above, learn what, how, when and why before you even go there.
Learn about public transportation (buses, trains, taxis, etc). What hotels are in there area, which of those hotels are actually good vs dangerous to stay at. Understand the local laws, before you even bring any kind of equipment. Also, what’s the scope of this recon. You have to know what’s permitted by your customer, or what’s are the limits of the things you can do before you perform something illegal.

When traveling international, and especially to semi permissive environments, know where the embassy or consulate are. Have the phone number’s memorized, or written in different places. Know the routes (plural) to the embassy from your hotel or other places. Know how to get there by public transportation or walking. Pre game this, google it and try to find both chock points or places where you can potentially rest if needed. Call the embassy ahead of you going there, and ask if they have any information about the area where your target or customer is.
In other words: situational awareness. You have to act, not react.

Yes, I know, it sounds a little too much. But if you begin to Red Team internationally, you’d be surprise of the things that happen.

Yes... Situational awareness. In semi-permissive or even permissive environments,

always keep your back to the wall, or at least have a way to see what's behind you...

One thing we do before performing a physical recon is prepare our gear. Basic gear prep, together with fieldcraft can make the recon easier and help you remain fairly anonymous and secure (blend in) while helping you protect the sensitive information you might discover during the operation. The things listed below might not work for everyone, and some are even fairly old-fashioned (we’ve been using these since the early 2000s!), but they work and you can always adapt these to whatever you have in your area.

In addition to doing a wireless network recon via Wigle, get a portable wireless signal finder/scanner or get a good stumblr on a smart phone, tablet or laptop, and also map the area. We usually arrive two or three days earlier and recon the location, just walk around and capture all the signals you can (wireless, RF, bluetooth, etc). We often carry also a wifi antenna connected to the laptop and use that to map the wireless signals from a safer distance.
During the on-site recon you can also perform some basic HUMINT and social engineering. This is tricky, but if you need to be more active in your recon, it might bring a lot of good information. You can ask the locals where the best cafes are and if they know a good place to take business people for lunch. Then go to those places and ask whether someone from the organization you are monitoring comes to these places. Knowing where your target will be sometimes might give you a chance to actively scan him (vulnerable phones with bluetooth open, using a laptop on an open network and entering login credentials, etc). A short but useful recon can help you prepare the gear and software you will need for the digital phase, if this calls for it.

The computer and, more recently, a tablet and a good smart phone are often your main tools. As such, they have to be ready for the project. Ideally you would have a blank, brand new disk for each project, or a burn-phone / tablet. You then install your preferred OS, virtual machine with other OS's and tools. Unless your client is paying you very well, having a brand new disk per project is most likely not possible. In these cases you need to prepare the disk prior to the project.
Start by wiping the disk clean. Formatting it is not enough, information can still be retrieved from there and we don't want information from previous projects, or worst, sensitive information gathered on other operations, to be accessible. Wiping the disks usually includes writing every part of the disk with 0s, then 1s and then random data. Then repeating this several times thus making it very difficult to recover any old data, at least with normal means. Once you have your disk cleaned install the OS and tools, but be careful. Don't install anything that is not needed. Also check the laws of the place you are going (permissive and semi-permissive). In some countries is illegal to have “hacking” tools on your computer, and yes, this includes nmap.

Having the right gear can mean the difference between success and failure. As part of initial recon (see above), you should also prepare a list of things you might need based on the information you gathered. Learn from past projects, check what worked and what didn't and adapt the kit, use DOPE. For example if you are going to try to penetrate a network and need more than one computer, bring along several ethernet wires and a switch, that way you can repeat the signal from a wireless access point or a plug in the wall you found. Remember: The target dictates the weapon, and the weapon dictates movement. Get the right tools for the job.
Try to get a backpack with all you need, but try to blend. Do not bring a large duffle bag, or a fluorescent backpack for example, you'll stick out. If you have too much gear, grab the gear you will need for the day and leave everything else behind at the hotel or safehouse. If you are in a bar frequented by college students, try to get a small hiking pack or something similar for example, blend in.

Bring backup gear. Two is one and one is none.

One of the most important things is on physical recon is to blend with your environment. Try to adapt to whatever environment you are. If you are in a cafe, buy a coffee, grab a newspaper, alternate between the computer and the newspaper. If you are on a park using an open (or not) wireless network move to different locations inside the park. Observe what people are doing where you are, and try to mimic what they do. Blending in will give you a way to remain anonymous and not draw attention to you and what you are doing. However, be aware that you might be watched as well. Move and try to cause whoever is your would-be watcher to move as well.
The recon you performed prior to coming into the area should also provide information about what are the best places to sit an observe, and also the environment. For example, if you go to a cafe where most people are executives from companies around the cafe, and all wear suits and ties, do not arrive wearing a Hawaiian shirt. You don't have to wear a suit, but try to wear a business casual attire at least.
Blending in also means keeping your footprint as small as possible. If you are sitting in a cafe or the reception of a company, do not bring out the laptop, three external hard drives, a collection of USB drives, etc. That will make you noticeable. Instead, try getting longer wires, or bluetooth-enable devices and leave everything hidden inside the backpack. Just the laptop and the occasional portable hard drive will be on the table or on your lap. If you are wardriving by foot, do not have the antenna visible, hide the rest inside the pack. If you want to scan an area, disable the sleep mode on your laptop, open your network stumbler and set it to log everything on disk. Close the lid and stash the running laptop and stumbler on your backpack. Then just walk. No one will pay attention and you'll have a neat log with all the networks available around you. Be smart. Learn from your environment.

Don’t forget to move. Don’t stay too long in one spot, people might notice you. In the case of a coffee place, don’t stay longer than 40-60 minutes. During the recon of the area prepare a map with all the different locations where there are wireless signals, for example. Or locations where there is a good view of the target. Have that list memorized and move around the different points randomly, or as the target dictates. On each point blend in.
Try to randomize the locations you use and do not use the same location two days in a row. By doing this you avoid people noticing and remembering you. You want to fly under the radar. Moving helps. In order to move you have to be light, so prepare your gear accordingly. Again, the target dictates the weapon, and the weapon dictates movement.

Now, always have a backup plan. Sometimes what you think is going to happen, doesn’t. That wireless signal you found during the recon and spent 4 hours breaking the password? Gone. That vantage point with the tree that can hide you? No more tree. Have a backup plan. Move to the next location.
Everything you prepare for the project, from traveling methods to gear used, must have a contingency plan as well. We found ourselves many times in situations where the train we were supposed to take didn't run, or the hardware we brought along for the project stopped working. We immediately adapted. Failing your project because you were not prepared is not an option.

Finally, always have an escape plan (Rule 1!). This applies especially to semi-permissive and non permissive environments.

Digital Recon

We already spoke a little about digital recon above (see Initial Recon). But begin with a passive recon of your target. Use social media and google searches to get information about the digital footprints of your target. Augment this with searches within Shodan and technical forums. Comb places like Linkedin for employees of your target and see what they specialize in. Usually you van begin to understand what technology they use within your target.

Once you have a good collection of passive intelligence, move to a more active collection. But do it slowly and try to remain stealth. Understand who the service providers are: who give them internet, telephone, IT or security services. Who are their suppliers (food, office supplies, shredding services, cleaning…). Who contract for them, what companies currently have contractors inside.
Then move to scanning. Understand their digital footprint: IP ranges, web servers, mail servers, proxy and security providers. Scan their ranges, focusing on findings such as web servers, mail providers, VPN providers, routers, endpoints that might be connected directly. Compile a comprehensive list of operating systems, web technologies, and other bits of information that will allow you either search or write exploits, if needed, or get your tools right, e.g. remote shell.

Once you have all this, run it by the team and try to identify the possible targets to exploit. Try to understand the public facing technology and who runs this. Adapt your plan based on this information.

You can read the full post here, but there are some basic things you can do:

  • Understand the key players of the organization: Performing discovery on who is employed is extremely important in understanding the human landscape and its exploitability. By identifying the HPTs and HVTs (key players), their job functions, connections within the immediate organization, or outside organizations; it's possible to 'connect the dots' of not just internal reporting structures, but social circles
  • Once you understand your targets, you'll be able to shape your HUMINT operations and create your strategy around this, building rapport, and otherwise gaining a foothold with your target. After-all, people are the weakest link.
  • Identify the communication strategy of your target. This will help determining how much information they are willing to part with voluntarily and the trust they put in their agents.
  • Analyzing publicly posted jobs will give you a wealth of knowledge about the organization, its technology stack and underlying strategies, as well as its growth.
  • Reviewing civil and criminal records, in addition to news articles may reveal more information around your subject than you could otherwise find out in a short period of time. Legal discovery and attestations given in a court of law can potentially reveal internal strife within an organization, which can and should be used to your advantage.

Here are some good tools to have handy:

Simple does it.

Remember OPSEC: utilize anonymous connection tools such as Tor and VPNs, your browser's private mode (incognito), anonymous pre-paid wireless hotspots, etc. Do not do this from your house, or your office. Use public networks and move!

In the next post, we will see how to handle the targets identified during this phase. Standby for traffic.