Online course

Reconnaissance

In this course we look at the concept reconnaissance. We will cover the basic principles of reconnaissance, differences between passive and active reconnaissance, reconnaissance tools and the course ends with a quiz.

What is Reconnaissance?

Reconnaissance is a concept that is known for centuries, primarily for military strategical purpose.

In IT security it is an important phase, in which an attacker uses for obtaining detailed information about their target. By using specific tools(which will be presented later in this course) for this phase of the attack, the attacker can interact with potential open ports, services running, etc on the targets network/systems or attempt to gain information without actively engaging with the network.

What is the kill chain?

Kill Chain is a structured model for attack purpose, originally used as a military concept related to the structure of an attack, consisting of the 7 phases.

Each phase of this model has a purpose for the attacker’s final goals and for that there is many tools that an attacker can use for each phase. In this course will only focus on the reconnaissance phase and the tools for this phase.

Basic principles of Reconnaissance

Reconnaissance is the first step of the kill chain when doing a penetrations test or a malicious attack. This phase is done before the actual test or attack of the target network.

Differences between passive reconnaissance and active reconnaissance

An attacker will typically dedicate up to 75% of the overall work effort for a penetration test to the reconnaissance, as it is the phase that allows the target to be defined, mapped and explored for the vulnerabilities that may lead to exploitation.

There are two types of reconnaissance: passive reconnaissance and active reconnaissance.

Passive reconnaissance is when the attack recollects public information available on the internet, public database, social medias (Facebook, LinkedIn, X, Instagram,). Passive reconnaissance means that there is not a direct interaction between attacker and target.

While active reconnaissance is when the attacker has a direct interaction with the targets network (port scan of the target network). The attacker can recollect more useful information about the network with active reconnaissance than with passive reconnaissance. The downside of actively interact with the target, is that the attacker has a higher risk of getting caught.

Tools that are used for Reconnaissance

Whois

When the attacker is going to research a domain or IP address, the first step is to identify the responsible for the domain or IP address. To obtain more information about a domain or ip address the attacker could use whois.

Whois is a public directory where you can look up “who is” responsible for a domain or IP address.

nslookup

Nmap

Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

Nmap features:

Host discovery
Port scanning
Version detection
OS detection
…

For the reconnaissance phase it is a tool that can deliver possible critical information of the targets network, but it is active reconnaissance and therefore the attacker have a higher risk of getting caught.

TheHarvester

TheHarvester is another tool developed in Python, useful for anyone that wants to know what the attacker can see about the organization.

The purpose of using this tool is to gather information like emails, subdomains, hosts, employee names, open ports, etc. The tool gets all the information from different public sources like search engines, PGP key servers and SHODAN computer database.

The tool is on Kali linux and can be installed on another linux machine.

Maltego

Maltego is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.

Maltego is a data mining tool that mines a variety of open-source data resources and uses that data to create graphs for analyzing connections. The graphs allow you to easily make connections between information such as name, email organizational structure, domains, documents, etc. Maltego uses Java so it can run on Windows, Mac, and Linux and is available in many OSINT Linux distros like Buscador or Kali.

Basically, it will parse a large amount of information and search various open-source websites for you and then toss out a pretty looking graph that will help you put the pieces together.

Maltego can be used as a resource at any point during the investigation however if your target is a domain it makes sense to start mapping the network with Maltego from the start.

See video about Maltego on YouTube

Recon-ng

Exercise

Now try these tools against a domain that you own/control.

Be cautious when doing active scan. Some Intrusion Detection Systems (IDS) might be triggered.

Quiz

Loading…