وحدة 4
Passive Investigation - Analyze URLs, hostnames, and IP addresses
آخر تحديث في: 23 أغسطس 2024
تعديل هذه الصفحة على GitHubوحدة 4
آخر تحديث في: 23 أغسطس 2024
تعديل هذه الصفحة على GitHubA practitioner can use the skills outlined in this subtopic to begin a passive investigation against servers on the internet. A passive investigation is one that does not load any websites, but only looks up publicly available data on them. As such, the attacker will not be alerted that their website received additional visits, which could tip them off that an investigation is taking place. By evaluating domain and IP info, an investigator can work towards **generating rich technical information about the attack **useful for community education, threat information sharing, discovery of associated attacker infrastructure, and for placing attacks in context of broader attack patterns.
Some of those skills may be necessary as part of an initial triage process, for example to help an analyst decide if a link is suspicious. They will also prove very useful during an in-depth analysis of email headers, outlined in the next section.
After completing this subtopic, practitioners should be able to do the following:
Passive investigation utilizes open source intelligence (OSINT) tools and resources which can give us many details about the digital footprint of attack infrastructure without an attacker noticing that we are investigating.
This dives into the basics of URLs, DNS, and IPv4/IPv6. If you feel comfortable with those concepts, excellent! Go and jump to the ‘workflows’ section. Otherwise, check out the documents and resources below:
Passive IP/DNS investigations can be divided into several categories.
One of the first things we should do in our investigation is gain some initial information on domains and hosts. Several tools and tool categories that can help with that.
WHOIS
WHOIS records are publicly accessible and contain useful information on a domain. Learn how to use web-based (for example ARIN whois or who.is) or command-line utilities to view a WHOIS record and learn to read the registrant information (if disclosed), the registrar, the date of registry, and the DNS nameservers which indicate where the authoritative records for that DNS zone are hosted.
WHOIS can also be run on an IP address in order to attempt to identify the company responsible for the IP, thereby potentially telling you the hosting company serving a website.
dig & host
dig is a command-line tool either pre-installed or available for major operating systems. It allows you to easily look up (follow tutorial here) the DNS records of any domain, and differentiates between different record types. While the linked tutorial contains many elements of dig syntax, the most common use is to lookup A and MX record types. dig is quite popular among analysts since it is simple and easy to automate. **host **(see tutorial link) is an alternative command line tool which rapidly converts a hostname into an IP address with simpler syntax. There are also plenty of alternatives to dig with more features or better readability, such as doggo.
Look out for common content distribution reverse-proxy name servers such as those offered by Akamai (e.g. a1-64.akam.net), CloudFlare (e.g. eve.ns.cloudflare.com), Fastly (e.g. ns3.fastly.net), as these will obscure the actual origin server IP. After spending some time looking up name servers, you will easily be able to recognize many of those proxies. If you, for example, run the dig command to look up theguardian.com, you will see that it resolves to Fastly servers (at least at time of writing).
geoIP
IP addresses are roughly tied to physical geographies. This means that, if you know an IP address, you can figure out (MaxMind GeoIP lookup demo linked)) with some degree of certainty where in the world (country, region) the device that uses this address is located. There are many databases, known as geoIP, which allow you to look that up. Do note that the accuracy of IP-based lookups can be extremely varied: sometimes, it’s possible to track down an IP address to a specific organization, while at other times you only get country-level granularity.
🛠️ Take a moment to practice using these services. You could, for example, use them to look up your own website or that of your organization.
There are a variety of ways that one can obtain additional information about hosts in a domain. Do note, however, that most of those techniques only work some of the time and often fail. If one of them does not work, do not be discouraged. Some of these methods include:
There exist tools that use these and other techniques to try to discover additional network resources. One of the first of these, still under development, is called Fierce. Another popular tool is DNS Recon. This blog post describing DNSRecon also includes a list of other popular DNS enumeration tools.
Once you have obtained identifier information (domains and IPs) you can search this data in greater depth using some services which allow you to investigate additional information about the host and any associated activity around it.
Learn how to view open ports, active services, and service banners from a given IP by using one of numerous web intelligence scanning services. Note that this is still a passive investigation technique as these services repeatedly scan the web for their data sets and you will not be initiating new activity on the infrastructure of interest:
These and similar services and databases can help you identify the activities and history of a specified server/service.
Other scanner services also collect DNS history, allowing you to peer back in time to learn what other domain resolutions have appeared for a given IP, when they appeared/disappeared, as well as subdomains for a given domain.
Several services will collect indicators of threats and history of malicious behavior. If you need to ensure that no new scanning activity is initiated (which would be active investigation), ensure that you are not initiating a new scan with your search (for instance, while VirusTotal allows you to check a URL, it will launch a new scan against the URL, thereby initiating activity which could be detected as an investigation).
Almost every website a user will encounter now uses HTTPS, which uses a technology known as TLS (Transport Layer Security). Malicious websites use it too, in part playing on users’ beliefs that HTTPS and a lock appearing in the browser’s URL bar means that the website is therefore safe, regardless of other factors.
As TLS certificates must be signed by a trusted Certificate Authority (CA) in order to be trusted by the browser, a substantial amount of data about the domain may be available for your investigation as you look for shared infrastructure, subdomains, identifiers, and other assets.
Rich certificate data is publicly available thanks to the practice of Certificate Transparency, in which Certificate Authorities add all certificates issued to a tamper-resistant public log. It can be helpful to understand this system - see a brief overview at the Certificate Transparency website or take a deeper dive in their technical overview at How CT Works. It’s useful for learners who want to learn more about tracking and detecting malicious infrastructure to have a broad understanding of this system.
Making practice use of certificate search involves searching for domains, subdomains, IPs, identifying interesting information such as dates of issue, and correlating information found in issued certificates.
Read through the guide at Certificates: The OSINT Gift that Keeps on Giving… which describes key investigative fields and searches using Censys and Shodan, and watch the accompanying 10-minute video on YouTube which carries out the same search using crt.sh. It is useful to be able to use all three search utilities. In particular, ensure you understand:
Note that the Censys search API syntax changed in 2021 and some of the searches in the above tutorials will not work. For instance instead of “parsed.names:” simply use “names:” in the new syntax.
Many tools have been built around certificate transparency logs. For instance, try enumerating for subdomains using MassDNS (see instructions for using scripts/ct.py on the READMe page).
Censys offers further reading on advanced techniques for tracking and hunting for threat actors using their platform at Advanced Persistent Infrastructure Tracking.
Things to note
When you use a tool such as WHOIS, you will find many addresses which are hidden behind Cloudflare or similar services. This means that the administrators of this address are partially hosting it using a major third party service, for example to maintain greater anonymity or for DDoS protection. Similarly, many domains use privacy services to make sure that their data does not show up in WHOIS. Some people also put fake data into WHOIS. If this is the case, then analyzing the address through WHOIS will not yield a lot of good information (save perhaps for the creation date of the domain) and you’ll need to use alternative forms of analysis.
Many malicious URLs used in phishing emails utilize (sometimes multiple) redirects, meaning the initial URL may be less relevant for analysis. Identifying redirects and other IPs involved will require active interaction with the URL, which is covered in Active Investigation skill.
Attackers can host their own DNS server and track requests. In this case, DNS requests may not be “passive” and may alert the attacker of the investigation. Especially look out for hostnames that might have identifiers in them, like r2378r233yr39wjwr.example.com.
Choose a random-ish domain name, making sure that it is not hosted behind a content distribution/reverse-proxy service such as Cloudflare (you can figure it out by quickly searching for it using a tool such as dig and using the NS option to look for name servers). Using the above tool categories, investigate the domain and try to explain:
Sit down with a peer or a mentor who has significant experience in passive investigation against servers on the internet. Then:
What is a URL?
FreeA brief overview of what URLs are, how they are constructed, and what additional features (anchors and the like) they might have.
Introduction to DNS
FreeA basic overview of how DNS works.
Overview of DNS record types
FreeIncludes the most common record types, and some less common ones.
doggo
FreeAn alternative to the dig command, with very similar functionality but differently formatted output.
host command in Linux with examples
FreeA guide on how to use the host command in Linux, another commonly used tool to analyze servers and other types of infrastructure.
Further DNS reconnaissance: DNSRecon
FreeVarious tools to automate searching for related servers.
Further DNS reconnaissance: Fierce (resoucrce 1)
FreeVarious tools to automate searching for related servers.
Further DNS reconnaissance: Fierce (resource 2)
FreeVarious tools to automate searching for related servers.
Further DNS reconnaissance: VirusTotal
FreeVarious tools to automate searching for related servers.
GeoIP
Free for limited quantitiesLook up the (likely) physical location of a server by IP address.
whois/RDAP: who.is search
FreeShows ownership information for a domain or IP address.
whois/RDAP: ARIN RDAP search
FreeShows ownership information for a domain or IP address.
whois/RDAP: ICANN lookup
FreeShows ownership information for a domain or IP address.
What is whois and how is it used
FreeA quick summary of what a whois database is and what its potential limitations are.
The ultimate guide to the whois database
FreeOffers a look at what whois can (and cannot) be used for.
What is an IPv4 address?
FreeThere are two types of IP addresses, IPv4 and IPv6. This guide provides an introduction to the former.
Differences between IPv4 and IPv6
FreeOutlines the key differences between the two types of IP addresses.
Understanding IP addresses
FreeA quick introduction to what IP addresses are, what the different types thereof are.
What are port numbers and how do they work?
FreeA quick introduction to port numbers, includes a list of some key ones.
Subdomain enumeration: the ultimate guide
FreeA guide which contains several techniques on enumerating (figuring out) which subdomains a specific domain contains. It’s worth remembering that not all techniques will work on all domains/servers.
Threat intelligence services with DNS history: Security Trails
Free with premium features (security trails) / Free (Microsoft Defender)Those services perform DNS scans and add history; analysts who use them can therefore see whether certain websites or addresses moved or changed.
Threat intelligence services with DNS history: Microsoft XDR
Free with premium features (security trails) / Free (Microsoft Defender)Those services perform DNS scans and add history; analysts who use them can therefore see whether certain websites or addresses moved or changed.
Alienvault OTX
FreeA service that compiles threat intelligence and indicators put forward by the community.
Mandiant Advantage
Some features are available on the free tierAnother threat intelligence service, currently owned by Google.
Shodan
Free tier\nBasic $49\nMore volume available as monthly subscriptions\n(Free basic for academic emails, occasionally has great discounts, e.g. membership for $5 when they got 5 million users in July 2022, and $4 when they hit 4 million users in March of 2021)Shows information on services running on a server by IP address, can also search for all servers running a service with a particular banner.
Censys Search
FreeA tool which can observe open ports, running services, TLS certificates, and more for a given IP.
DNS Dumpster
FreeA tool used to look up the potential attack surfaces of internet facing services.
DNS Checker
Free‘Swiss Army Knives’ of DNS and IP lookups - allows various fast searches on domain/DNS, IP, and email records.
MXToolbox
Free‘Swiss Army Knives’ of DNS and IP lookups - allows various fast searches on domain/DNS, IP, and email records.
How certificate transparency works
FreeA quick introduction to what certificate transparency is, what issues it addresses, and how it functions.
Certificates: the OSINT Gift that keeps on giving (text version)
FreeA guide for analysts on how to use tools like Shodan to search for certificates and get good data on web servers they are investigating.
Certificates: the OSINT Gift that keeps on giving (video version)
FreeA guide for analysts on how to use tools like Shodan to search for certificates and get good data on web servers they are investigating.
crt.sh
FreeA search engine which focuses specifically on certificate search.
massdns
FreeA tool which can be used to brute force searches for subdomains.
Advanced Persistent Infrastructure Tracking
FreeA guide on various methods which could be used to track attacker infrastructure, which also looks at certificate searches.
تهانينا على انتهاء وحدة 4!
وسم المربع لتأكيد اكتمالك والمتابعة إلى الوحدة التالية.
يوسم الوحدة الحالية كمكتملة ويحفظ التقدم للمستخدم.
لقد أكملت جميع الوحدات في مسار التعلم هذا.