Recon and resource development with MITRE ATT&CK: Example and walkthrough
Keatron Evans uses the Infosec Skills cyber range to show you advanced adversary tactics with reconnaissance and resource development in this episode of Cyber Work Applied.
Understanding reconnaissance and resource development
Learn the MITRE ATT&CK® techniques adversaries use for reconnaissance and resource development in this walkthrough from Keatron Evans. Then try it yourself in the Infosec Skills cyber range.
Cyber Work listeners get free cybersecurity training resources. Click below to check out the free courses and other materials.
Mapping events to the recon and resource development
The edited transcript of the reconnaissance and resource development walkthrough video is provided below, separated into each step Keatron covers in the video.
Importance of recon and resource development
(0:16- 1:17)When we look at the MITRE ATT&CK framework, which all of our labs are actually mapped to now, one of the first and most important things that attackers do is reconnaissance and develop resources to further attack and target the organization.
When I teach pentesting, ethical hacking and even incident response, what I find is, a lot of times the skills are lacking in the reconnaissance part, because people want to get to the more fun stuff of trying to break in. But if you don't have good reconnaissance techniques, the concept of breaking in becomes more difficult to do. So let's dive right into it and look at this lab.
One of the most important things when doing reconnaissance is knowing that there could be some elements of social engineering included in your recon activities. So we're talking about spearphishing, whaling or whatever you've decided is going to be most effective against that target.
Understanding how the cyber range works
(1:18-2:05) Now, we're looking at this lab, and one of the things that I want to point out about our cyber range and how it works is you can actually see that we give you hints, we give you screenshots, you can actually click this here, and it pastes or copies it to your clipboard.
When you open up your command prompt, like it says to do here, and actually enter that command, we can then simply paste it.
root@ip-172-20-16-27:/# touch /tmp/step1
All right, you entered the command. We're just simply using touch to create a file here named step one. Notice you get the green arrow when you complete that step. So this is our way of letting you know that you met the requirements of completing that first task. So we're going to now move on to the next task.
Gathering emails with CeWL for social engineering
(2:06- 4:14) Step two is gathering emails with CeWL. CeWL is a tool that we all use in the world of pentesting. What it does is it scrapes a target website and domain and pulls all the words on there and helps you to build a dictionary that we can later use for password cracking against that organization.
You'd be surprised how many organizations use things that are about the organization or about their industry to help them create passwords. So CeWL is a great way to take advantage of that.
So it says at the URL we see here that there is a website simulating a pentesting target. In this section, what we're going to do is extract what information we can from that target, before we move on to the next step of trying to phish the organization.
Now CeWL is a tool that we use for that so we can do cd here:
And then we're going to actually do this command, which is actually having CeWL go out and do that:
root@ip-172-20-16-27:/# cewl -n -e --email_file=./emails chipsco.tld/chip-co
Now when we do this command you see that it actually goes out — it does what it's supposed to do as far as bringing down the copy, and it tells us that the task is completed:
CeWL 5.4.8 (Inclusion) Robin Wood (firstname.lastname@example.org) (https://digi.ninja/)
What happens here is it took a little bit of time for it to run. Now I want you to understand that if it's a big website with a lot of information on it, it could take a considerable amount of time to actually run and finish what it does.
We're now going to do CAT emails here:
root@ip-172-20-16-27:/# cat ./emails
And you can see the emails that were scraped off.
Now we have some valid email addresses that we could phish. But this can also be useful if these aren't the people we’re phishing. They might be people that we impersonate to try to phish others inside the organization. So this gives us this nice list of emails that we can use to move on to the next step and try to actually phish these people that we’re using to phish others.
Using gobuster to search for files and directories
(4:15-7:47) So next, you get introduced to gobuster. gobuster is another website for information that we can either use for phishing — or we can just get these documents. And sometimes the documents that you find on here, like hidden files and directories actually have some of the information that we're looking for. We've even, for example, found pieces of code that have hard-coded passwords in them and things like that, using this tool.
So we're going to use gobuster:
root@ip-172-20-16-27:/# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u chipsco.tld/ --wildcard -x “txt,md”
So what we're doing is we're going out, we're looking in this directory, and we're basically pulling down this information and parsing through it to let us see what's actually there.
Now, again, the bigger the website, the more resources they are to parse. This could take longer. You might have this running for hours or days, depending on what resources you're actually pulling from.
Now, what's going to happen is this is just going to take a few minutes after it finishes. We're basically going to get a list of information. Some of it's going to be false positives. And this is kind of where your expertise comes in, as you'll have to go and get rid of those.
Now, as we're waiting for this, for those of you who are new to Linux or new to Linux command line, what happens here is we have woven or integrated learning Linux into the exercises. So you're not really thinking about the fact that you're learning Linux. You're just learning it as a result of you doing these exercises.
For example, a thing that we use in Linux a lot is stuff like grep, awk and sed. We're weaving this into this exercise. So you know, you have an end goal in place, and you're learning these Linux techniques in the process of actually doing that.
Alright, so now it's finished. And as we said, there are a lot of false positives. And the false positives all tend to have a size, as we said, of 3467. And you can see that size specified in this last column here:
/~user.md (Status: 200) [Size:3467]
So what we can do is go ahead and grab this command. Then we can run it. And what it does for us is we can now take out the false positives. We see everything else other than what we know to be false positives.
root@ip-172-20-16-27:/# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u chipsco.tld/ --wildcard -x “txt,md” | grep -v “Size: 3467”
So one of the things about reconnaissance and why the framework really has a big part in this is when you're doing reconnaissance, you're often going to be running tools that go out and get a lot of information.
You have to then be able to take that information, parse information down and pull out what's useful. This is a perfect exercise to get you the chops and get you to practice doing that very important thing that we always have to do when it comes to reconnaissance.
Exploring the results of your reconnaissance
(7:48- 10:07) Now, I'm going to stop this. And we're going to move on to the next step here: exploring the results. In other words, now we need to look and see what we actually got. Among the results from the previous step is a change log.md file that was created. We're going to open that file up and take a look at what's in there. We'll actually use a browser to do that.
root@ip-172-20-16-27:/# firefox http://chipsco.tld/changelog.md
Here is the file. We're going to go ahead and grab that file browser. I just said okay to open it. Now you can just use a text editor to read it. But as you can see here, there's lots of useful information. It contains information about the current version of the content management system that they use to manage this website.
As an attacker, this is absolutely pivotal in key reconnaissance information, because now that we know what the CMS is, we can go and look for vulnerabilities related to that specific CMS. So after we see that the information is useful, then we'll commit to bringing that information down.
So now that I'm sure that it's useful, I can get out of the browser. I'm going to go back to my command prompt to follow the instructions here. And we're going to bring that file down. Just using wget which again, is a tool that we use a lot in the world of Linux.
root@ip-172-20-16-27:~# wget chipsco.tld/changelog.md -0 /root/changelog.md
Now we verified that that file was useful and now we're committing to bringing it down and storing it because we can now partake in the exercise of digging into that thing for a lot more information or pulling out pieces that are going to help us get to the next step.
Using the Social Engineering Toolkit
(10:08- 13:02) Now we're going to jump into the social engineering toolkit or SET. SET is a very, very powerful tool that allows you to automate many, many things, including setting up fake websites or setting up websites to look like real websites that have got malicious code. It takes the coding and the hard part out of it. So we're going to start by just starting up the SET.
When SET starts up, we have to answer a few questions here. For example, that asks us if we want to agree to the terms. If you don't agree to the terms, that's fine. You just are not going to be able to run, so you want to say yes to that.
And then it asks us to pick 1 for social engineering. Then we're going to pick 2 for the website attack vectors. And then we're going to select 3 for credential harvester because this is an exercise where we're going to actually manage credentials.
Now what it says next is, “Do you want to clone a site or do you want to use a web template?” We're gonna go with 2 for site Cloner. The web template basically has a pre-created version of Gmail or Facebook or Twitter or whatever it is, and it may not be a good idea because that template may be out of date, whereas when you pick site Cloner it actually goes out in real-time and pulls out a real copy of what the target website looks like right now.
So we're gonna go with 2, “Site Cloner,” as the instructions say here. And then we're going to go with 3. And then you can make the IP anything you want. So that's going to be chipsco.tld.
Now, this part is important. What you could put here is you could actually put an IP address or a domain name as long as it's resolvable. So we're going to put that in there. And it'll actually go out and clone that site for us.
It says, “Where do you want to clone?” We re-enter our site there. Then they're going to clone the admin part of it to simulate login.
And then it goes out and gets us a copy of that site. So again, you don't have to browse the site, go to and click download, and bring it down and mess with it. It already did it, formatted it perfectly, and it's sitting there now waiting for someone to visit it.
So now we've actually created a website that looks exactly like the real site. So when a victim or we go and social engineer someone into visiting our site, they're going to see what looks like the real site. Hopefully, they put their credentials in and then we would collect those credentials.
Try this cyber range yourself
(13:03- 13:23) Thank you for watching. If you want to do exercises, just like what I just showed you on your own in practice and get good with it, and see how these are mapped to the MITRE ATT&CK framework, then head on over to our page of free cybersecurity training resources to get started.