Thursday, December 3, 2015


Reconnaissance is the first phase of the cyber exploitation life cycle.
In this phase, hackers focus on collecting as much information as possible about the target without being detected.
1) Collect Elementary Information:
a. What does the website look like?
b. What web server are they using?
c. Where are they physically located?
d. Officers of the company
e. When was the company founded?
f. Where did they start from?
g. Who is providing the hosting service?
h. Number of offices the company has
2) Discover OS, Web Servers & Platforms:
a. What operating system is running on the exposed systems?
b. What web server are they using? E.g. Apache, IIS, etc.
c. What version are they using?
3) Perform Queries:
a. Whois
b. DNS information
c. Underlying networking information
d. Routers they are using
e. Employee information for social engineering
4) Discover Vulnerabilities:
a. Possible vulnerabilities
Why Reconnaissance?
1) It helps us understand the security posture of a company: the network infrastructure of the target, such as exposed and possibly internal IP addresses, what sits behind the firewall, which DMZ setup they use, etc.
2) Helps in reducing the attack area, i.e. narrowing down to specific domains, IP addresses, ports, etc.
3) Helps in building an information database to keep track of attack vectors, etc.
4) Lay out a network map.
5) It makes the job easier in the long run.
Types of recon:
1) Passive scanning: Using publicly available sources to determine as much information as possible about the target, e.g. IP addresses, OS, web servers, open services, access controls, IDS, etc.
2) Active Recon: Touching the target, e.g. going to a job interview, social engineering, walking through the building.
3) Anonymous: Getting information from unknown/third-party sources.
4) Organization/private: The process of getting info from event calendars, email services, etc.
5) Internet recon: Using internet sources, like passive recon. Use Google to reconnoitre their website, etc.
6) Pseudonymous: Collecting info from sources that are published but do not come directly from the employee or company, e.g. government sources, etc.

Goals of Reconnaissance:
1) What am I looking for:
a. Network information
    i. Domain names: child domains, etc.
    ii. Internal domains, e.g. .net vs .com, where .com is used externally but .net internally
    iii. IP addresses
    iv. Unmonitored/private websites
    v. TCP/UDP services
    vi. IDS/Access controls
    vii. VPN info
    viii. Phone numbers/VoIP
b. Operating system info
    i. User & group names: e.g. how they do system naming
    ii. Banner grabbing
    iii. Routing tables: how packets are getting routed
    iv. SNMP
    v. System architecture
    vi. Remote systems
    vii. System names: e.g. if one of the servers is named after a star, we can try to identify the others
    viii. Password length, etc.
c. Organization Information
    i. Organization website
    ii. Company directory
    iii. Employee details
    iv. Location details
    v. Addresses/Phone Numbers
    vi. Comments in HTML source code
    vii. Security policies deployed
    viii. Web server links, i.e. partnering companies
    ix. Background of the organization
    x. News/press releases
Once we get the information, hackers try to create a blueprint of the organization. This helps in identifying the different points of entry into the organization, etc.
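As an added example (not part of the original notes), here is a small Python self-check a defender can run over a captured HTTP response from their own web server to see what a banner grab (section 2: web server and version) and a read of the HTML source (item c.vi: comments) would reveal. The response below is constructed; the hostname, build tag and user name in it are invented.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTTP response (not captured from any real host) showing the
# banner and HTML-comment leakage the notes above describe.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9\r\n\r\n"
    "<html><head><title>Example Corp</title></head><body>\n"
    "<!-- TODO: staging db is on db-internal.example.net, remove before launch -->\n"
    "<p>Welcome</p>\n"
    "<!-- build 2015.12.01 by jsmith -->\n"
    "</body></html>\n"
)
# product/version pairs such as "Apache/2.4.7" or "PHP/5.5.9"
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")

class CommentCollector(HTMLParser):
    # HTML comments often leak internal hostnames, user names or TODO notes
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def split_response(raw):
    # split a raw HTTP response into (lower-cased header dict, body)
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def banner_disclosures(headers):
    # {product: version} for every version string in the headers that disclose software
    found = {}
    for name in ("server", "x-powered-by"):
        for product, version in VERSION_RE.findall(headers.get(name, "")):
            found[product] = version
    return found

def assess(raw):
    # what one response reveals to a banner grab plus a read of the HTML source
    headers, body = split_response(raw)
    collector = CommentCollector()
    collector.feed(body)
    return {"versions": banner_disclosures(headers), "comments": collector.comments}
```

An empty `versions` dict and an empty `comments` list is the result a hardened server (banners suppressed, comments stripped at build time) should produce.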

Tools Used for Reconnaissance:
1) WinHTTrack (Website Copier)
2) Webmaster toolkit (Link Extractor)
3) Whois
4) Ping
5) Nslookup
6) Netstat
7) Tracert
8) Netcraft
9) Wayback Machine
10) PoliteMail
11) Email Lookup
12) Nmap
13) Vulnerability scanners like Nessus, Nexpose etc.
14) Sniffers like Wireshark, Ettercap etc.
15) Packet crafters like Netcat, Hping etc.