The reconnaissance assessment of Utica College involved three phases: 1) asset identification to discover IP addresses and associated assets, 2) human intelligence gathering information on employees from social media and employment sites, and 3) vulnerability assessment to identify vulnerabilities in public services. Phase 1 uncovered IP addresses, DNS records, and contact information. Phase 2 found skills listings and personal details that could be exploited. Phase 3 identified vulnerabilities that could allow attacks like denial of service or information theft. Recommendations included software updates, firewalls, limiting posted employee information, and training on secure practices.
3. ReconProject 3
1. Executive Summary
Businesses and organizations face the challenge of protecting their systems from cyber-attacks. While companies often feel their computers are safe from attack, many organizations are unaware of the vulnerabilities in their systems. Utica College hired our company, Bortniker Consultants, to perform a risk assessment of their organization. This report highlights the three phases of reconnaissance performed: asset identification, human intelligence and vulnerability assessment. The first phase, asset identification, lists the IP addresses and the assets associated with those IP addresses. The second phase, human intelligence, presents the publicly available information on Utica College's employees that attackers can use against both the employee and the organization. Finally, the third phase, vulnerability assessment, lists the vulnerabilities associated with Utica College's public-facing services. The amount of information available to cybercriminals on the internet makes attacks against Utica College possible. This report presents the results, the methods employed and recommendations to mitigate the risk of attack.
2. Methods and Tactics
The tools that the Bortniker Consultants group employs for reconnaissance are open-source websites. These tools help to identify problems with the security parameters and policies the college currently has in place. Each phase requires specific resources to gather adequate intelligence on the target organization.
2.1. Phase 1 tactics
In the first phase, the tools are centralops.net, robtex.com and pentest-tools.com. These three websites help to identify the IP range and any asset associated with that range. For example, centralops.net and robtex.com display the DNS records (IP addresses, start of authority, mail exchange, nameserver, address, text, and pointer records for inverse lookups), the subnet range, location, and phone number. By entering Utica's domain name (e.g. Utica.edu), the public-facing information is displayed for anyone to see. While pentest-tools.com performs the same duties, this website also presents all of the subdomains linked to the college. On the pentest-tools webpage, there is a link on the left for finding subdomains; enter Utica.edu to get the list of subdomains. The next phase performs human intelligence on the employees.
2.2. Phase 2 Tactics
The second phase of the reconnaissance relies heavily on social media and employment websites. The purpose of this phase is to gain insight into the employees and job opportunities of the organization. Many employment sites, such as LinkedIn, Indeed, and Monster, give copious information about an employee or job opportunity. By simply entering Utica College into one of these sites, the search provides a list of employees and job positions. After searching the employees or job openings, the next step is to turn to social media, which includes Facebook, Twitter, and Instagram. Entering an employee's name into one of these websites turns up personal information. Although not every employee is a member of these websites, enough employees are for a potential attacker to gather information to use against the organization. While the second phase relies on human intelligence tools, the third phase requires tools that find vulnerabilities linked to the public-facing services.
2.3. Phase 3 Tactics
The vulnerability assessment phase requires the use of websites to find the server application and version, as well as the vulnerabilities associated with those applications. The tools to identify the applications are builtwith.com, whatweb.net, and shodan.com. By entering the domain name of the target organization into the search bar, the list of applications appears. Shodan.com is slightly different in how the search is performed; the user can enter the domain name, an IP address or range, or the city of origin. The next step for this phase is to discover the vulnerabilities in the applications by using cvedetails.com and cve.mitre.org. To find the vulnerabilities, enter the name of the application into cvedetails.com and then look up the version in use. The vulnerabilities are listed with a scoring system that highlights the most recent and serious vulnerabilities. The next section of the report describes the findings of the reconnaissance.
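As an added example (not from the report), this Python snippet automates the phase-3 lookup described above: it parses a product and version out of a server banner such as Apache/2.4.9, keeps only the entries whose affected-version range includes that version, and ranks them by severity score so the most serious is addressed first. The CVE table is constructed sample data with placeholder identifiers, not real advisories, and the banner is made up.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample table with placeholder ids: (id, product, first affected, first fixed, score).
# A real lookup would pull these fields from a vulnerability database such as cvedetails.com.
SAMPLE_CVES = [
    ("CVE-0000-0001", "apache", "2.4.0", "2.4.10", 5.0),
    ("CVE-0000-0002", "apache", "2.4.0", "2.4.8", 7.5),
    ("CVE-0000-0003", "apache", "2.2.0", "2.4.12", 9.8),
    ("CVE-0000-0004", "openssh", "7.0", "7.4", 6.5),
]

def parse_version(text: str) -> Version:
    """'2.4.9' -> (2, 4, 9); numeric tuples compare correctly where strings do not ('2.4.10' vs '2.4.9')."""
    return tuple(int(part) for part in text.split("."))

def parse_banner(banner: str) -> Optional[Tuple[str, Version]]:
    """Pull (product, version) from a banner such as 'Apache/2.4.9 (Unix)'.
    Returns None when the banner carries no version, which some fingerprinting tools produce."""
    match = re.search(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", banner)
    if not match:
        return None
    return match.group(1).lower(), parse_version(match.group(2))

def matching_cves(banner: str, cves=SAMPLE_CVES) -> List[Dict]:
    """Return the entries whose [first_affected, first_fixed) range contains the banner's
    version, highest score first, so the most serious issue is patched first."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []          # without a version nothing can be matched; do not guess
    product, version = parsed
    hits = []
    for cve_id, cve_product, first_affected, first_fixed, score in cves:
        if cve_product != product:
            continue
        if parse_version(first_affected) <= version < parse_version(first_fixed):
            hits.append({"id": cve_id, "score": score, "fixed_in": first_fixed})
    return sorted(hits, key=lambda hit: hit["score"], reverse=True)

if __name__ == "__main__":
    for hit in matching_cves("Apache/2.4.9 (Unix)"):
        print(f"{hit['id']}  score {hit['score']}  fixed in {hit['fixed_in']}")
```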
3. Results
The results of the surveillance reveal the information that cybercriminals can use to exploit Utica College's systems. Each phase exposes both the flaws and the strengths of the security parameters that Utica has in place. This section describes the data and the correlation of the data between the three phases.
3.1. Asset Identification Results
In the asset identification phase, the surveillance uncovered many of the assets associated with the IP range of Utica College. The domain names associated with Utica College are Utica.edu, ecii.edu, and cimip.org. All of these domains resolve to the same IP address, 72.237.4.113. Knowing the IP address of a domain name allows the attacker to gain access to the DNS (Domain Name System) records of the domains. Within the DNS records, our consultants found the address record, nameserver record, mail exchange record, text record, pointer record for inverse lookups, and start of authority record for all of the domains. These records give an attacker vital information regarding the organization. An attacker can use the IP address and DNS records to find the location associated with the domain name. The contact email in the start of authority record reveals the system administrator's email address to cybercriminals, which leaves that email account susceptible to attack. The mail exchange record gives an attacker information regarding the email provider that the college uses. Furthermore, knowing the email service can provide information, such as authentication questions and passwords, to use against Utica College. The phone number of the college is available as well, so the college needs to be aware of imposters trying to phish for information. Fortunately, our consultants were unable to retrieve a Host Information Record (HINFO). These records provide the hardware and operating system that the organization is running, which allows an attacker to find vulnerabilities in the operating system.
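As an added example (not taken from the report), the following Python script performs the same check from the defender's side: it parses a small zone-file extract and flags the record types this section describes as risky, namely an SOA contact that names an individual administrator, a published HINFO record, and TXT records carrying software versions. The zone data and host names are constructed for illustration, not Utica College's real records.

```python
import re
from typing import List, Tuple

# Constructed zone-file extract for illustration; not Utica College's real records.
SAMPLE_ZONE = """\
example-college.test.     SOA   ns1.example-college.test. jsmith.example-college.test. 2024010101 7200 3600 1209600 86400
example-college.test.     A     192.0.2.10
example-college.test.     MX    10 mail.example-college.test.
example-college.test.     TXT   "v=spf1 mx -all"
www.example-college.test. TXT   "Apache/2.4.9 (Unix) build host web01"
www.example-college.test. HINFO "Dell PowerEdge" "Linux"
"""

# Role aliases that do not single out a person (hostmaster@ is the RFC 2142 DNS contact)
ROLE_MAILBOXES = ("hostmaster", "dns", "noc")
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+")

def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Split zone-file lines into (owner, type, rdata); blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner, rtype.upper(), rdata))
    return records

def audit_exposures(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (owner, type, finding) for records that disclose what the
    asset-identification phase collects: admin identity, hardware/OS, software versions."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "HINFO":
            findings.append((owner, rtype, "HINFO publishes hardware and OS: " + rdata))
        elif rtype == "SOA":
            # RNAME is the second field; its first '.' stands for '@' in the mailbox address
            mailbox = rdata.split()[1].rstrip(".").replace(".", "@", 1)
            if mailbox.split("@")[0] not in ROLE_MAILBOXES:
                findings.append((owner, rtype, "SOA contact names a person: " + mailbox))
        elif rtype == "TXT" and VERSION_RE.search(rdata):
            findings.append((owner, rtype, "TXT record reveals a software version: " + rdata))
    return findings

if __name__ == "__main__":
    for owner, rtype, note in audit_exposures(parse_zone(SAMPLE_ZONE)):
        print(f"{owner} {rtype}: {note}")
```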
3.2. Human Intelligence Results
The reconnaissance of the employees and job openings at Utica College presents some issues concerning the information available on the internet. One of the common issues found is the listing of skills on employee profiles and job postings. For example, the director of infrastructure services job posting requires the applicant to have knowledge of Cisco switching and routing. Another job posting requires that the applicant have experience with BannerWeb software. While this information might seem innocuous, listing specific vendors or software gives an attacker knowledge of the hardware and software configurations that the organization uses. Another issue found is that many employees list personal skills that are not necessarily needed by the organization. For example, one employee lists knowledge of programming languages such as Perl, Python and C++. The problem with listing these skills is that the attacker knows the experience of the employee, which allows the attacker to tailor advanced techniques against the employee. Along with the skills, many of the help desk employees post the type of operating system that they maintain or work with. As explained in the first results section, this type of information can give insight into the systems that Utica College runs. The last problem is that many employees post their email addresses on LinkedIn, which can lead to phishing by unknown assailants. The next section covers the results of the vulnerability assessment.
3.3. Vulnerabilities Assessment Results
Most of the vulnerabilities that exist in the applications pose a serious threat to the college's systems. For example, one vulnerability, CVE-2014-0026, allows attackers to perform a denial-of-service attack against Apache/2.4.9, with the possibility of obtaining sensitive information. If students were taking an online test on this application and a denial-of-service attack occurred, the students would be unable to access the test. The college would then have to spend time and money eradicating the vulnerability in the application. Another vulnerability found allows unauthorized disclosure of information and unauthorized modification. Exploiting this vulnerability can mean serious repercussions for the school. Cybercriminals could steal social security numbers, credit card numbers and other pertinent information from the school's database. The attacker could also modify school records, like grades and financial reports, to wreak more havoc on the school. Again, this can cost the school immense time and money in solving the problems.
Together, the three phases can give an attacker all the ammunition needed to execute a cyber-attack on the school. Knowing the IP address and mail exchange records gives an attacker a clearer idea of the location of the school's servers and systems. Once the attacker obtains the IP address of the school, the assailant can work out the experience and skill level of the employees. Then the attacker can exploit the various applications and software that Utica College uses. The final section discusses recommendations on how to protect Utica College's systems.
4. Recommendations
The recommendations made in this section by our consulting group will help to make Utica College safer from cyber predators. These recommendations will help to educate both technical and non-technical employees on the best information security practices.
The assets associated with Utica College are searchable with the open-source tools. This means that anyone can use these tools to look up the school's IP addresses and DNS records. One recommendation to thwart outsiders is for Utica College to hire an outside consulting firm to perform penetration tests to find vulnerabilities in the school's systems. Utica College should update its software on a regular basis because these updates fix bugs present in the older versions. In addition to software updates, the school should install security hardware like a firewall, which protects numerous systems within the organization from outside IP addresses. A big issue that our consultants found is the applications that had major vulnerability problems. The school needs to switch to applications that have a limited number of serious vulnerabilities. Furthermore, the employees that run these applications need to be aware of the potential vulnerabilities that exist in them.
One of the biggest problems concerning the human intelligence is employees posting the skills and applications that they use for their work. While Utica College cannot force the employees to take down this information, the college should urge employees to remove it and explain that cybercriminals can exploit the school's systems with it. If these employees are hesitant about removing information, then suggest making their profiles private to limit the amount of information exposed. Employees should also be educated on the phishing techniques that attackers use to take advantage of them. Furthermore, employees need to be educated on strong passwords versus weak passwords. If there is a technical job opening (i.e. system administrator), then the college should actively search for the candidate rather than post the job on an employment website. While searching for a candidate can be time consuming, posting the job provides a potential predator with ample information. Employees need to be mindful of the content that they post on social media. Anything posted on these websites can give cybercriminals an advantage against the employee; cybercriminals can blackmail them to gain access to information.
The recommendations presented in this section will only benefit the school. Implementing changes in the computer systems, employee training, and school policy will allow for a more secure network. While these recommendations are quite costly, the damage done by a cyber-attack would cost the school much more.
Lessons learned:
I felt that this project was both challenging and rewarding for the knowledge that I gained. One of the biggest roadblocks I came across was finding the application and version number for phase three. Whatweb.net provided the application used by the hostname, but did not provide a version number. Shodan.com was very helpful in finding the application as well as the version number, but the website set a limit on the number of pages that I could look through for the applications. I found myself kind of lost at that point. Another roadblock for me was figuring out some of the terminology (i.e. text records, DNS, etc.). I am not the most technical person, so I had to look up the terms to figure out their meaning. The easiest part of the project was the second phase. I am very active on social media as well as LinkedIn. I was able to find many employees by searching through the Utica employees search on LinkedIn and checked Facebook and Twitter to find out an employee's interests. One thing I would like to be changed would be to add more resources to find the assets and vulnerabilities. At times, I felt some of the tools were not very helpful (i.e. builtwith.com and whatweb.net), but luckily most of the tools were very helpful. Overall, I really enjoyed the challenge of this project.