Performing Reconnaissance
Active Reconnaissance
A penetration testing method used to collect information. It sends data to systems and analyzes the responses to gain information about the target. Compare with passive reconnaissance. Using the active reconnaissance method, you interact directly with a system. For example, you can run an nmap command to collect information about open ports. Active reconnaissance can include the following methods:
- IP or port scanning
- Operating system scanning
- Footprinting of existing services on a system
- Zone transfer on an internal DNS server
- Spidering the public web pages
- Fuzzing
- Social engineering
Passive Reconnaissance
A penetration testing method used to collect information. It typically uses open-source intelligence. Compare with active reconnaissance. You do not interact with the system. Instead, you use various methods, such as a web search, to find information about a target. Passive reconnaissance can use some of the following methods:
- Search the Whois database
- Browse through the target's website
- Perform social network scraping
- Search Google or any other search engine
- Extract the DNS information
- Review blogs, public forums, and websites
- Search breach databases and the dark web for the target
The Whois database is a good place to start gathering information about a domain name. You can simply visit the whois.net website and enter the domain name. The result is displayed as shown in the exhibit below.
Types of Reconnaissance
- Active
- Passive
- Pseudonymous
- Internet
- Anonymous
Collect Maximum Information
In the reconnaissance phase, you may be able to gather a large amount of information. Once identified and analyzed, this information helps you build your database of the security weaknesses of a target system or network. Based on those weaknesses, you can prepare your attack to break through the security perimeter.
Pseudonymous Reconnaissance
In this method, you collect information that is published by the target under a pseudo name or pseudonym. The target uses this name so that the information cannot be traced back to them. For example, a group of hackers uses the pseudo name Anonymous. No one knows who they are because their real identities are concealed behind the pseudo name.
Anonymous Reconnaissance
In this method, you collect information anonymously. You use this method when you do not want anyone to trace you. For example, several free VPN tools are available that allow you to surf the web anonymously. You can also use search engines such as duckduckgo.com to search the web without leaving tracking traces. Tor is one example of a tool you can use to surf the web anonymously; the Tor Browser uses duckduckgo.com as its default search engine.
Internet Reconnaissance
In this method, you use the Internet to collect information about the target. For example, you can use the Google Hacking Database (GHDB) to find information that is not visible in normal searches. It would normally be difficult to locate a website that exposes passwords in a URL. To do this, you can look up the relevant search terms in GHDB, which contains thousands of search terms that can help you exploit certain vulnerabilities.
Kali Linux Reconnaissance
Kali Linux also includes reconnaissance or footprinting tools under different categories, which are:
- DNS Analysis
- IDS/IPS Identification
- Live Host Identification
- Network & Port Scanners
- OSINT Analysis
- Route Analysis
- SMB Analysis
- SMTP Analysis
- SNMP Analysis
- SSL Analysis
NMAP (Network Mapper)
Network Mapper, more commonly known as Nmap, is a network and host discovery tool. It is one of the most widely used tools for various activities, such as:
- Discovering hosts, services, and ports
- Fingerprinting operating systems
- Enumeration
- Discovering vulnerabilities on local and remote hosts
- Finding the IP address of a remote system
Using Nmap, you can scan for targets in the following ways:
- Scan a single IP: nmap 192.168.0.1
- Scan a host by its name: nmap host1.plab.com
- Scan an entire subnet: nmap plab.com/24, nmap 192.168.0.0/24, nmap 192.168.0.*
- Scan a range of IP addresses: nmap 192.168.0.1-10
- Scan a range and a system outside the range (multiple targets are separated by spaces): nmap 192.168.0.1-10 192.168.1.10
Recon-ng
Recon-ng is an open-source framework written in Python. It is mainly used for reconnaissance and information gathering on the Internet. It provides multiple modules for reconnaissance and information gathering, divided into categories such as Auxiliary, Contacts, Hosts, Output, and Pwnedlist. In the current version, these modules are not installed by default; you have to fetch them from the Recon-ng marketplace and install them.
Reconnaissance
Reconnaissance, also known as footprinting, is a method of collecting information about a target. It is the first phase of an attack and lays the foundation for it. With the discovered information, you can determine the attack surface of a target.
DNS Analysis category
The DNS Analysis category includes the following tools:
- dnsenum
- dnsmap
- dnsrecon
- dnstracer
- dnswalk
- fierce
- urlcrazy
IDS/IPS Category
The IDS/IPS Identification category includes the following tools:
- fragroute
- fragrouter
- ftest
- lbd
- wafw00f
Live Host Identification category
The Live Host Identification category includes the following tools:
- arping
- cdpsnarf
- fping
- hping3
- masscan
- miranda
- ncat
- thcping6
- unicornscan
- wol-e
- xprobe2
Network & Port Scanners
The Network & Port Scanners category includes the following tools:
- masscan
- nmap
- unicornscan
- zenmap
OSINT Analysis category
The OSINT Analysis category includes the following tools:
- automater
- maltego
- theharvester
- twofi
- urlcrazy
Route Analysis category
The Route Analysis category includes the following tools:
- 0trace
- intrace
- irpas-ass
- irpas-cdp
- netdiscover
- netmask
SMB Analysis Category
The SMB Analysis category includes the following tools:
- enum4linux
- nbtscan
- smbmap
SMTP Analysis category
The SMTP Analysis category includes the following tools:
- smtp-user-enum
- swaks
SNMP Analysis category
The SNMP Analysis category includes the following tools:
- braa
- onesixtyone
- snmp-check
SSL Analysis category
The SSL Analysis category includes the following tools:
- sslaudit
- ssldump
- sslh
- sslscan
- sslyze
- tlssled
Reduce Attack Area
The attack area is the target system or network that you want to exploit. It is always better to reduce the attack area so that you have a more controlled attack. An attack on a larger area is easier to trace, so the organization has a better chance of stopping it. You can reduce the attack area to a network subnet, a specific domain name, or an individual system that connects directly to the Internet.
theHarvester
theHarvester is an information-gathering tool. By providing a domain name and a search engine name, you can search for the following information:
- E-mail accounts
- User names
- Hostnames
- Subdomains
- Banners
Draw Network Diagram
Using the footprinting method, you can collect information and generate a network diagram, which helps you understand the network layout. For example, you can run the tracert tool to find the path from your system to a target system. A network diagram gives you clarity on how systems are placed on a network. For example, you can find out whether the Internet-facing servers are placed on the same network as internal systems or on a separate network, such as a demilitarized zone (DMZ).
Tools for Reconnaissance
Various tools can be used in reconnaissance or footprinting. Some of the key tools are:
- Whois - Queries for domain names
- Nslookup - Queries DNS
- FOCA - Enumeration of users, files, folders, and OS information
- theHarvester - Information gathering for e-mail addresses, subdomains, hostnames, and banners
- Shodan - Information search engine using metadata
- Maltego - Information gathering
- Recon-ng - Web reconnaissance
- Censys - Search engine for information about devices on the Internet
Understand the Security Posture
When you footprint an organization's network, you can gain information on the security devices, the level of defense, and much more about the security implementation. Based on the information that you collect, you build your attack accordingly. For example, you can determine whether the organization has single-layered security, such as a firewall alone, or defense in depth, which consists of multiple layers of security devices.
Need for Reconnaissance or Footprinting
Without footprinting, it would be difficult for a hacker to break into a system or network. Therefore, hackers spend a significant amount of time gathering information about the system or the organization's network. Based on the collected information, hackers build their hacking strategy and execute it. As an ethical hacker, you gain the following benefits when you perform footprinting:
Perform DNS Querying
nslookup is a network administration command-line tool that is primarily used to query the Domain Name System (DNS). Using this tool, you can obtain the mapping between a domain name and its IP address.