Cyber Reconnaissance is the first step of any professional penetration test. In this phase the goal is to gather as much information about the target as possible. This includes technical information about it’s network topology and systems. But it also includes information on employees and the company itself that may be useful in the later stages of the penetration test. The more information you gather during the reconnaissance phase the more likely you are to succeed in the later stages of the penetration test. There are two types of cyber reconnaissance that you can perform active information gathering and passive information gathering.
Passive Cyber Reconnaissance
Passive recon is when you gather information about a target without directly interacting with the target. This means that you don’t send any type of request to the target and therefore the target has no way of knowing that you are gathering information on them. Generally passive information gathering uses public resources that have information on that target. Using public resources to gather information is called Open source intelligence (OSINT). Using OSINT you can gather things such as IP addresses, domain names, email addresses, names, hostnames, dns records and even what software is running on a website and it’s associated CVE’s. Here are some common tools penetration testers use for passive information gathering:
Google Hacking (search engines): You can use custom search queries in google, bing and other search engines to find information such as usernames, passwords, hidden web pages, hidden files, metadata and more. People often use a resource called the google hacking database, which is a free online tool that stores useful google search queries that have been known to return interesting results.
Netcraft: Netcraft is used to find information related to a domains network, SSL/TLS, hosting history, owner, associated addresses and email, parent organization, domain registrar and more.
Shodan: This is a very popular tool used to identify IOT devices and network devices over the internet. It gives information such as potential vulnerabilities, ISP, hostnames, country, open ports, SSL certificate information, encryption algorithms and more.
Active Cyber Reconnaissance
Active recon is when you interact directly with a computer system in order to gather system specific information about the target. Unlike passive information gathering that relies on publicly available information, active information gathering relies on tools that will send different types of requests to the computer. The goal is to gather information about that device or other devices that are connected to it on the same network. Active recon can be used to find out information such as open/closed ports, the OS of a machine, the services that are running, banner grabbing, discovering new hosts or find vulnerable applications on a host. The main drawback of active reconnaissance compared to passive reconnaissance is that direct interaction with the host has a chance of triggering the systems IDS/IPS and alerting people to your activity. Here are some of the most commonly used active information gathering tools:
Nmap: Nmap is an open source network mapper and port scanner. This means it can be used to perform ping sweeps that discover new hosts as well as scan currently known hosts to find information on; what ports are open, what services are running on those ports, the machines operating systems and with some configuration known CVEs associated with those services.
Source @ nmap.org
Nessus: Nessus is a commercial vulnerability scanner. It scans hosts and identifies vulnerable applications running on that host in an organized report. Unlike nmap this tool is not free, but it provides very comprehensive reports and is widely used within the industry.
Nikito: Nikito is a free command line web server scanner that identifies vulnerabilities on web servers. This includes dangerous files, outdated server software and other common problems.
Active vs Passive cyber reconnaissance what is the difference?
The main difference between active and passive cyber reconnaissance are the methods they use to gather information. Active recon tools interact directly with the systems in order to gather system level information while passive recon tools rely on publicly available information. As a result, active recon tools tend to gather more useful information but run the risk of alerting the owner of the machine of your activities.
Typically penetration testers use both methods to collect information on their target. Both types of cyber reconnaissance can uncover information that will prove vital in the course of the penetration test.
Conclusion
Cyber reconnaissance is a critical part of the penetration testing process. The information that you find in this step will dictate what you do in the other steps of the test. When doing reconnaissance you can do passive information gathering, using public resources to obtain information about the company, it’s employees or the technology that they use. You can also use active information gathering techniques to gather system level information about specific systems the target owns, such as the OS, the services that machines runs and open/closed ports. Both types of information gathering are important and a good penetration tester will utilize both to find the best method for breaching the company.