Reconnaissance

What is Reconnaissance?

Reconnaissance is the process hackers use to gather as much information as possible about their target before they attack. Recon activity, when detected, can be a precursor to further attacks.

Passive Reconnaissance

Attackers gather publicly available information about the target, primarily using open source intelligence (OSINT). The victim usually can't detect when attackers are performing passive reconnaissance. There are several places online to find info about the target: news, the company website, Facebook, Instagram, Twitter, LinkedIn.

Passive Recon Tools & Techniques:

OSINT Framework: a collection of open source intelligence tools and resources

Maltego: allows you to create an interactive map of targets (servers, websites etc) and choose which transforms (like modules that perform a specific function) to run against them to gather information

Shodan: a search engine that looks for ports and IP addresses to identify vulnerable devices that are connected directly to the internet

Recon-ng: automates the process of gathering and presenting publicly available information about a target including subdomains, geolocation to IP address matching, and service fingerprinting

sublist3r: uses search engines to automate the enumeration of subdomains that belong to the target; more subdomains means a larger attack surface

theHarvester: used to gather email accounts of users associated with the target organization or domain

Whois: shows information about the registrant or owner of a domain or block of IP addresses on the internet, including name, email address, phone number, registry expiration date, name servers in use and location; WhoisGuard protects the registrant information from being publicly available

Whatweb: a command line tool that identifies the web technologies used by the target website

Builtwith: similar to Whatweb, but uses a search bar instead of the command line

Google Maps: can be used to gather info about a target location including where exactly the building is located, building entrances & which entrances are used by which type of people, where the smoking areas are located and more

Google Search: allows the use of operators to fine tune the info returned from a Google search to find subdomains, specific file types, etc

War Driving/Flying: the attacker drives or flies (drone) near a business to gather information about wireless networks including SSIDs, signal strength & direction, encryption in use, location of access points, and frequencies in use.

Active Reconnaissance

Active Recon involves using tools like network scanners to send data to target systems and analyze the responses to gather info about individual systems or networks. Key information to discover includes presence of a firewall, operating systems (versions) in use, active IP addresses, and active ports & services.

Active Recon Tools & Techniques:

nmap: a scanner that returns info about a target network including active hosts, host IP addresses, ports and services running on hosts and operating system versions running on hosts

IP scanner: identifies active hosts by sending ICMP messages to a range of IP addresses

netcat: can be used for transferring files, checking for open ports, remotely accessing Linux systems and banner grabbing (identify OS and application info about the target)

scanless: a port scanning tool that hides the source of the scans (the originator's IP address)

dnsenum: searches DNS records to enumerate domains, identifies DNS and mail servers, and attempts a zone transfer

Nessus: a vulnerability scanner that can be used on Windows or Linux systems

hping: used to send pings via TCP, UDP, or ICMP and to perform port scanning

Sn1per: an automated vulnerability assessment tool that can also exploit vulnerabilities

curl: a command line tool that can automate the retrieval of web pages from target URLs

Recon emails: use tracking pixels to determine if a target mailbox is active

Defending against Reconnaissance Attacks:

  • Review web log alerts and historical search data
  • Mine browser analytics data
  • Implement automation to detect behavior that can indicate reconnaissance related activity
  • Harden the defensive measures that protect the assets or people that are being targeted by reconnaissance attacks
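The third bullet above (automation that flags recon-like behavior) can be as simple as counting distinct destination ports per source over a short time window in firewall logs, which is the footprint scanners such as nmap or hping leave. The following is an added example, not code from the original notes; the log format, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log line format, one event per line:
# "<ISO timestamp> <ACTION> src=<ip> dst=<ip> dport=<port> proto=<proto>"
def parse_line(line):
    ts_str, _action, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts_str), fields["src"], int(fields["dport"])

def detect_port_scans(log_text, window_seconds=60, min_ports=10):
    """Return {src_ip: max_distinct_ports} for every source that touched at least
    min_ports distinct destination ports inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)               # src -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dport = parse_line(line)
            events[src].append((ts, dport))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, in_window = 0, defaultdict(int)   # per-port counts inside the window
        for ts, port in evs:
            in_window[port] += 1
            while ts - evs[start][0] > window:    # slide the window forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged

PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]

def build_sample_log():
    """Constructed sample traffic (not real logs): a fast scanner, a normal HTTPS
    client, and a slow host touching one port per hour (below the 60 s threshold)."""
    lines = [f"2024-03-01T10:00:{i:02d} DENY src=203.0.113.7 dst=192.0.2.10 dport={p} proto=tcp"
             for i, p in enumerate(PORTS)]
    lines += [f"2024-03-01T10:00:{i:02d} ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp"
              for i in range(15)]
    lines += [f"2024-03-01T{h:02d}:00:00 DENY src=192.0.2.99 dst=192.0.2.10 dport={p} proto=tcp"
              for h, p in enumerate(PORTS)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(detect_port_scans(build_sample_log()))   # {'203.0.113.7': 12}
```

Widening the window (for example to 12 hours) also surfaces the slow host, which is the trade-off between catching patient scanners and generating noise from legitimate clients.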

Resources:

Red Team Reconnaissance Techniques YouTube video by HackerSploit:

Open-Source Intelligence (OSINT) in 5 Hours - Full Course - Learn OSINT! YouTube video by Heath Adams:

Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2) 0:17 - 2:28:05 by Heath Adams:

Search for Vulnerable Devices Around the World with Shodan [Tutorial]:

Maltego - Automated Information Gathering by HackerSploit:


Josephine Aremo

Digital Marketing || Content Writing || Photographer

1 yr

Octavious W. Sorry to bother you, please I'm doing the Intro to Network Analysis on Blue Team. I'm stuck, please can you help me with the TCPDump and Course Capstone quiz? I'm done with the Wireshark quiz. I really need your help to pass this course. Looking forward to your response. Thanks a lot. I would have sent a DM but couldn't message you.

Octavious, reconnaissance is a critical topic to understand in Cybersecurity!

Jon Good

Cloud Security & Compliance Leader | CEO @ Cyber Training Pro | YouTuber, Trainer, Career Coach, Mentor | Developing Information Security Beginners Into Experts

1 yr

Octavious, what strategies or things can companies do to reduce their exposure, specifically with passive reconnaissance activities where hardening a system isn't a relevant option?
