Scorpiones Group

Like a Special Forces Unit - Red Team Operations Require Planning, Recon and Equipment

The second phase of a red team assessment is reconnaissance.
In this phase, the red team attempts to collect information relevant to the assessment while keeping as low a profile as possible.
To perform effective, largely passive reconnaissance,
the red team needs access to a variety of data sources and a means of organizing the collected information so that it is as useful as possible for the assessment.
This is the most important phase of the assessment.
If you do it right, the project will most likely succeed.
A good team profiles the targets quickly, modifies the plan accordingly, adapts its tools and finishes the project successfully.

Reconnaissance can be divided into at least two categories: active and passive.
Active reconnaissance requires interacting with the target's systems to gain information about them.
Although this can be very useful and accurate, it risks detection.
If you are detected doing reconnaissance on a system, the system administrator may block your IP address, and you will have left a trail that leads to your subsequent activity.

If possible, we would prefer to gather the essential information without ever interacting with the system, thus leaving no trail to trace back to us. That's what passive reconnaissance is.

Purpose of reconnaissance in a red team assessment
Scoping the phase: every organization and every red team assessment is different, and this is reflected in the way a red team does reconnaissance.

The goals and methodologies of the reconnaissance phase of a red team assessment are shaped by the goals of the assessment.
The vast quantity of data available about an organization, its employees, and its business partners means that it’s often impossible to collect and analyze all available data.

To be effective, a red team performing reconnaissance must determine what questions they have and look for data that may help to answer these questions.
For example, in an assessment that disallows social engineering, it is probably unnecessary to build a complete profile on the CEO and their personal habits.
However, knowing that the CEO is a proponent of cloud services may be useful for finding AWS S3 buckets that may be accessible and contain sensitive information.

You often overhear people at networking events use the following exit line: “It was great meeting you. I’ll be sure to add you on LinkedIn.”
Many people use LinkedIn as a virtual business card or an online resume.
While LinkedIn is a great networking tool, it can also be used for attack reconnaissance.
One example is compiling an email list of all the employees by combining their names with the company’s email alias format.

The initial recon and planning phase is critical.
Some operations fail because of a lack of information about the target; others are highly successful because the recon was carefully performed and all the possible weak points were identified.

The main goal of reconnaissance is collecting data about the target of the red team assessment.
Since the red team wishes to remain undetected, this is mainly performed using “passive” methods, i.e., nothing that involves interacting with the target in a way different from the average customer.
Sources of useful data for reconnaissance include (but are not limited to) open-source intelligence, digital and physical monitoring and social engineering.

The next phase of the digital recon is mapping the public-facing digital assets.
We want to know the target's digital footprint: IP address ranges, domains, websites and, if possible, security devices.
We want to map the open ports, the services behind those ports, operating systems, web server software, database software, software versions, email servers, file transfer services, etc.
Once we have this information, we can perform a very simple and fast vulnerability assessment and see what is exploitable right then and there.
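The footprint map described above is the same inventory a blue team should maintain about itself, so it can see what a red team will see. The script below is an added example written for this page (not Scorpiones' tooling); it takes constructed asset records of the kind a footprint survey produces (hostname, IP, port, service, banner-derived product and version), groups them by network range, builds a per-host service inventory, and flags listeners that a reviewer would not expect to be internet-facing. The `NOT_FOR_INTERNET` policy and all sample hosts, addresses and versions are assumptions chosen for illustration.

```python
"""Organize externally visible asset data into a footprint map and flag
services that should not be internet-facing.

Added example for this page; the records below are constructed, not real
discovery output, and the exposure policy is the author's own assumption."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    port: int
    service: str        # e.g. "http", "ssh", "mysql"
    product: str = ""   # banner-derived product name, if identified
    version: str = ""   # banner-derived version, if identified


# Constructed sample records standing in for the output of a footprint survey.
SAMPLE_ASSETS = [
    Asset("www.example.test", "203.0.113.10", 443, "https", "nginx", "1.24.0"),
    Asset("www.example.test", "203.0.113.10", 80, "http", "nginx", "1.24.0"),
    Asset("mail.example.test", "203.0.113.25", 25, "smtp", "postfix", ""),
    Asset("ftp.example.test", "203.0.113.40", 21, "ftp", "vsftpd", "3.0.3"),
    Asset("db-backup.example.test", "198.51.100.7", 3306, "mysql", "mysql", "5.7.33"),
    Asset("vpn.example.test", "198.51.100.2", 443, "https", "", ""),
    Asset("old-intranet.example.test", "198.51.100.9", 3389, "rdp", "", ""),
]

# Assumed policy: services a blue team would not expect to see directly on the
# internet. The category labels are illustrative, not a standard.
NOT_FOR_INTERNET = {
    "mysql": "database", "postgresql": "database", "mssql": "database",
    "redis": "database", "mongodb": "database",
    "ftp": "cleartext file transfer", "telnet": "cleartext remote admin",
    "rdp": "remote admin", "smb": "file sharing",
}


def group_by_network(assets, prefix=24):
    """Map each /prefix network to the sorted list of host IPs seen in it."""
    nets = defaultdict(set)
    for a in assets:
        net = ipaddress.ip_network(f"{a.ip}/{prefix}", strict=False)
        nets[str(net)].add(a.ip)
    return {net: sorted(hosts, key=ipaddress.ip_address) for net, hosts in nets.items()}


def service_inventory(assets):
    """Map hostname -> list of (port, service, product/version) for reporting."""
    inv = defaultdict(list)
    for a in sorted(assets, key=lambda x: (x.hostname, x.port)):
        label = f"{a.product} {a.version}".strip() or "unidentified"
        inv[a.hostname].append((a.port, a.service, label))
    return dict(inv)


def flag_exposures(assets):
    """Return findings as (hostname, port, reason).

    Two kinds: services the policy says should not be public, and listeners
    whose product could not be identified and therefore need a manual look."""
    findings = []
    for a in assets:
        if a.service in NOT_FOR_INTERNET:
            findings.append((a.hostname, a.port,
                             f"{NOT_FOR_INTERNET[a.service]} exposed ({a.service})"))
        elif not a.product:
            findings.append((a.hostname, a.port,
                             f"unidentified {a.service} listener; verify owner"))
    return findings


if __name__ == "__main__":
    for net, hosts in group_by_network(SAMPLE_ASSETS).items():
        print(net, hosts)
    for host, svcs in service_inventory(SAMPLE_ASSETS).items():
        print(host, svcs)
    for finding in flag_exposures(SAMPLE_ASSETS):
        print("FINDING:", *finding)
```

Grouping by network range is what turns a list of scattered hits into the "IP address ranges" view the text asks for, and the unidentified-listener rule matters as much as the policy rule: a service that returns no recognizable banner is exactly the one nobody has claimed ownership of.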

An extremely powerful and often undervalued source of information for a red team assessment is open-source intelligence or OSINT.
OSINT includes anything that is publicly available and can be accessed without drawing excessive attention to the red team.

If we’re considering the possibility of a physical penetration, we need to recon the target.

We at Scorpiones usually divide the recon into two different methods: covert and overt.
In a covert recon, you are usually either away from the target, using binoculars or scopes to surveil it, or performing recon at night, completely hidden.
An overt recon usually means walking into the target’s premises and pretending to be someone you are not, while trying to collect as much information as you can by observing or by talking to people (social engineering).

During a physical reconnaissance, we would also perform a scan of the premises for any wireless, Bluetooth or other RF signals that we can find.
Many times during projects we found open wireless access points and routers.
I logged right into them and used them as a channel in.
As part of the kit, it’s useful to carry not only a lightweight laptop during a physical recon, but also a wireless signal finder/scanner, a Wi-Fi antenna booster, a good set of stumblers and other software to map all the signals you might find.
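The open access points described above are findable by the defender first. The script below is an added example for this page (not Scorpiones' kit or any real stumbler's output format): it parses a constructed site-survey export, lists networks with no encryption or WEP ordered by signal strength (the strongest is the one reachable from the parking lot), and flags BSSIDs that broadcast a corporate SSID but are missing from the approved controller inventory, which is how a rogue or forgotten AP shows up. The CSV layout, SSIDs, BSSIDs and the inventory are all assumptions.

```python
"""Parse a constructed wireless site-survey export and flag the access points
a red team would walk in through: open or WEP networks, and BSSIDs that
broadcast a corporate SSID but are not in the approved inventory.

Added example for this page; the survey lines, inventory and column layout
are constructed assumptions, not any real tool's output."""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    encryption: str   # normalized: "OPEN", "WEP", "WPA2", "WPA3"
    signal_dbm: int   # closer to 0 means stronger


# Constructed survey export. Real survey tools use their own column names.
SURVEY_CSV = """ssid,bssid,channel,encryption,signal_dbm
CorpNet,00:11:22:33:44:01,6,WPA2,-48
CorpNet,00:11:22:33:44:02,11,WPA2,-61
CorpNet,de:ad:be:ef:00:01,1,WPA2,-55
Guest,00:11:22:33:44:03,6,OPEN,-52
Warehouse-Printer,AA:BB:CC:00:00:01,6,OPEN,-70
LegacyScanner,AA:BB:CC:00:00:02,11,WEP,-66
,00:11:22:33:44:04,1,WPA2,-80
"""

# Constructed inventory: BSSIDs the organization's own wireless controller manages.
APPROVED_BSSIDS = {
    "00:11:22:33:44:01", "00:11:22:33:44:02",
    "00:11:22:33:44:03", "00:11:22:33:44:04",
}
CORPORATE_SSIDS = {"CorpNet"}


def parse_survey(text):
    """Turn the CSV export into AccessPoint records with normalized fields."""
    aps = []
    for row in csv.DictReader(io.StringIO(text)):
        aps.append(AccessPoint(
            ssid=row["ssid"],
            bssid=row["bssid"].upper(),          # MAC case varies between tools
            channel=int(row["channel"]),
            encryption=row["encryption"].upper(),
            signal_dbm=int(row["signal_dbm"]),
        ))
    return aps


def weak_networks(aps):
    """Open or WEP networks, strongest signal first."""
    weak = [a for a in aps if a.encryption in {"OPEN", "WEP"}]
    return sorted(weak, key=lambda a: a.signal_dbm, reverse=True)


def rogue_aps(aps, approved, corporate_ssids):
    """BSSIDs broadcasting a corporate SSID that the inventory does not know."""
    return [a for a in aps if a.ssid in corporate_ssids and a.bssid not in approved]


def hidden_ssids(aps):
    """APs that do not broadcast a name; worth identifying rather than ignoring."""
    return [a for a in aps if a.ssid == ""]


def summarize(text, approved, corporate_ssids):
    """One report dict a blue team can diff between surveys."""
    aps = parse_survey(text)
    return {
        "weak": [(a.ssid, a.bssid, a.encryption, a.bssid in approved)
                 for a in weak_networks(aps)],
        "rogue": [(a.ssid, a.bssid, a.channel)
                  for a in rogue_aps(aps, approved, corporate_ssids)],
        "hidden": [a.bssid for a in hidden_ssids(aps)],
    }


if __name__ == "__main__":
    report = summarize(SURVEY_CSV, APPROVED_BSSIDS, CORPORATE_SSIDS)
    for section, items in report.items():
        print(section)
        for item in items:
            print("  ", item)
```

The `weak` entries carry whether the BSSID is approved, because an open guest network on the corporate controller is a known, segmented risk while an open printer nobody inventoried is the kind of device the text describes logging straight into. Diffing `summarize` output between surveys surfaces new radios the day they appear.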

Don’t wait until a real-world cybercriminal attacks to find the gaps in your security controls.
Scorpiones’s Red Team services let you perform a “live fire” cyber security test to identify (and fix) holes in your defense—before malicious actors expose them for you. Contact us now.
