Reconnaissance
-
What is Reconnaissance?
Reconnaissance is a concept that has been known for centuries, primarily for military strategy.
In IT security it is an important phase in which an attacker obtains detailed information about the target. Using specific tools (presented later in this course), the attacker can interact with open ports and running services on the target's network and systems, or attempt to gather information without actively engaging with the network at all.
-
What is the kill chain?
The kill chain is a structured model of an attack. Originally a military concept describing the structure of an attack, it was adapted to IT security as the Cyber Kill Chain, which consists of seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
Each phase of this model serves the attacker's final goal, and for each phase there are many tools an attacker can use. This course focuses only on the reconnaissance phase and the tools for it.
-
Basic principles of Reconnaissance.
Reconnaissance is the first step of the kill chain, whether in a penetration test or a malicious attack. It is carried out before the actual test or attack on the target network.
-
Differences between passive reconnaissance and active reconnaissance
An attacker will typically dedicate up to 75% of the overall work effort of a penetration test to reconnaissance, as it is the phase in which the target is defined, mapped and explored for the vulnerabilities that may lead to exploitation.
There are two types of reconnaissance: passive reconnaissance and active reconnaissance.
Passive reconnaissance is when the attacker collects information that is publicly available on the internet: public databases, search engines and social media (Facebook, LinkedIn, Twitter, Instagram). Passive reconnaissance means there is no direct interaction between attacker and target; the queries go to third parties such as registries, DNS resolvers and search engines, so the target's own systems see no traffic from the attacker.
Active reconnaissance is when the attacker interacts directly with the target's network, for example by port scanning it. Active reconnaissance yields more useful information about the network than passive reconnaissance. The downside of interacting with the target is that the traffic shows up in the target's logs and intrusion detection systems, so the attacker runs a higher risk of getting caught.
-
Tools that are used for reconnaissance.
Whois
When an attacker researches a domain or IP address, the first step is to identify who is responsible for it. The tool for that is whois.
Whois is a public directory service where you can look up "who is" responsible for a domain name (registrar, registrant and administrative contacts, name servers, registration dates) or for an IP address range (the allocating registry and the organisation the range is assigned to).
nslookup
nslookup queries the Domain Name System (DNS) to map domain names to IP addresses and back, and to fetch other record types such as NS, MX and TXT.
The nslookup command-line tool has two modes: interactive and non-interactive.
If you look up only a single piece of data, non-interactive mode is recommended; for several lookups in a row, interactive mode is recommended.
Example:
Nmap
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
Nmap features:
- Host discovery
- Port scanning
- Version detection
- OS detection
- …
For the reconnaissance phase it is a tool that can deliver potentially critical information about the target's network, but it is active reconnaissance, so the attacker runs a higher risk of getting caught.
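As an added example (not part of the course material), the POSIX shell script below reads the grepable output that nmap writes with -oG and lists only the open ports with their service and version, which is the form in which scan results are usually consumed. The scan lines are constructed sample data in the -oG format; the hosts, banners and the example.test domain are invented, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course: read nmap grepable (-oG) output and
# print one line per OPEN port: "<ip> <port>/<proto> <service> [<version>]".
# Real input is produced with:  nmap -sV -oG - <target> | open_ports

# Constructed sample in the -oG format (hosts, banners and the example.test
# domain are invented). Fields inside a line are tab-separated, so printf is
# used to emit real tabs.
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/29\n'
  printf 'Host: 192.0.2.10 (www.example.test)\tStatus: Up\n'
  printf 'Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (96)\n'
  printf 'Host: 192.0.2.11 (mail.example.test)\tStatus: Up\n'
  printf 'Host: 192.0.2.11 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 587/closed/tcp//submission///\tIgnored State: closed (98)\n'
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 60.00 seconds\n'
}

# Parser. Each entry in the "Ports:" field has the shape
#   port/state/protocol/owner/service/rpc-info/version/
# Only entries whose state is "open" are reported; filtered and closed
# ports are dropped, which is what you want when reading a large scan.
open_ports() {
  awk -F '\t' '
    /^Host: / {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep the IP only
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i; sub(/^Ports: /, "", ports)
        n = split(ports, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] != "open") continue
          line = host " " f[1] "/" f[3] " " f[5]
          if (f[7] != "") line = line " " f[7]
          print line
        }
      }
    }'
}

# Number of open ports per host, e.g. to pick the most exposed host first.
open_port_count() {
  open_ports | awk '{ c[$1]++ } END { for (h in c) print h, c[h] }' | sort
}

sample_gnmap | open_ports
sample_gnmap | open_port_count
```

The version field is what -sV adds; without it the last column is simply empty, which the parser handles.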
theHarvester
theHarvester is another tool, written in Python, useful for anyone who wants to know what an attacker can see about an organisation.
It gathers information such as e-mail addresses, subdomains, hosts, employee names and open ports from public sources: search engines, PGP key servers and the SHODAN database (the open ports come from SHODAN's stored scan data, not from scanning by theHarvester itself, so this remains passive). The tool ships with Kali Linux and can be installed on other Linux machines.
Maltego
Maltego is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
Maltego is a data mining tool that mines a variety of open data sources and uses that data to create graphs for analyzing connections. The graphs allow you to easily make connections between information such as names, e-mail addresses, organisational structure, domains, documents, etc. Maltego is written in Java, so it runs on Windows, macOS and Linux, and it is available in many OSINT Linux distributions such as Buscador or Kali. In short, it parses a large amount of information, searches various open-source websites for you and produces a graph that helps you put the pieces together. Maltego can be used at any point during the investigation; however, if your target is a domain, it makes sense to start mapping the network with Maltego from the start.
Recon-ng
The Recon-ng framework is an open source, modular reconnaissance framework written in Python, with modules for both active and passive reconnaissance.
-
Exercise
Now try these tools against a domain that you own or control. Only scan systems you are authorised to test.
Be cautious with active scans (for example nmap): they generate traffic on the target's network and may trigger an Intrusion Detection System (IDS).
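As an added example for this exercise (not part of the course), the script below runs the passive steps from the section on passive versus active reconnaissance first, using whois and nslookup in both its non-interactive and interactive modes plus theHarvester, and only then the active nmap scan, and it refuses any target that is not under a domain you have listed as in scope. The tool names and flags are those of the real whois, nslookup, theHarvester and nmap commands; SCOPE, OUT, the in_scope helper and the example.test domain are this example's own placeholders.

```shell
#!/bin/sh
# Added example for the exercise; it is not part of the course.
# Passive steps first (whois, nslookup in both modes, theHarvester), then the
# active nmap scan, and only against a target under one of the SCOPE domains.
# SCOPE, OUT and example.test are placeholders: set SCOPE to the domain you
# own before running, e.g.  SCOPE=example.test sh recon.sh www.example.test
set -u

SCOPE="${SCOPE:-example.test}"   # space-separated domains you control
OUT="${OUT:-recon-out}"          # directory the tool output is written to

# Scope check: the target must be one of the SCOPE domains or a host under
# one of them. "evil-example.test" must NOT match "example.test", hence the
# leading dot in the second pattern.
in_scope() {
  for d in $SCOPE; do
    case "$1" in
      "$d"|*."$d") return 0 ;;
    esac
  done
  return 1
}

# Passive reconnaissance: whois and DNS queries go to registries and
# resolvers, theHarvester asks search engines; nothing is sent to the
# target's own systems.
recon_passive() {
  target="$1"
  mkdir -p "$OUT"
  whois "$target" > "$OUT/whois.txt"
  # nslookup non-interactive mode: one query per invocation
  nslookup -type=NS "$target" > "$OUT/ns.txt"
  nslookup -type=MX "$target" > "$OUT/mx.txt"
  # nslookup interactive mode: several queries in one session, read from stdin
  nslookup > "$OUT/records.txt" <<EOF
set type=A
$target
set type=TXT
$target
EOF
  if command -v theHarvester >/dev/null 2>&1; then
    theHarvester -d "$target" -b bing -l 100 > "$OUT/harvester.txt"
  fi
}

# Active reconnaissance: these packets reach the target and may trigger its
# IDS. -sT (connect scan) needs no root, -sV grabs service banners,
# --top-ports limits the noise, -oG writes the grepable output format.
recon_active() {
  target="$1"
  nmap -sT -sV --top-ports 100 -oG "$OUT/nmap.gnmap" "$target"
}

if [ $# -gt 0 ]; then
  if ! in_scope "$1"; then
    echo "refusing: $1 is not under SCOPE ($SCOPE)" >&2
    exit 2
  fi
  recon_passive "$1"
  recon_active "$1"
fi
```

Running the passive half first and keeping its output means the active scan can be limited to the hosts and ports the passive data actually points at, which is both less noisy for the IDS and quicker.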
-
Quiz