What is active and passive reconnaissance?

The beginning of any good penetration test, hacking attempt, or introduction to a new concept even, is reconnaissance. What is reconnaissance?

From Merriam-Webster:

Reconnaissance is: a preliminary survey to gain information.

So why is this important in a cybersecurity context? Whenever you are attempting a penetration test, this is one of the most important steps you have. It allows you to see everything from what ports the company has open to their email addresses and their employees (all of this depends, of course, on the victim’s security). This step gives you an umbrella-type understanding of the network you are infiltrating, the company, the employees, and anything else you can find without actually being inside the network.

So what is the deal with passive and active reconnaissance, isn’t there only one type of reconnaissance? Well, no. Let’s get into a definition and an example.

Passive reconnaissance is, at a basic level, “The process of collecting information about an intended target of a malicious hack without the target knowing what is occurring.” Think of it like being in the stands at a sports game: you are passively watching, yelling at the refs and cheering for your team, but you are not actually in the game. You are just a bystander. This type of reconnaissance is focused on finding information that has been discarded, or even spying on the company building. A popular way of doing this currently is using a packet sniffer, such as Wireshark. A packet sniffer is an application that allows network engineers or system administrators to view the contents of a network through frames (the small units of information sent across a network) and evaluate them. It can be used for optimization, auditing, and other things.

More examples of passive reconnaissance are listening to employees’ conversations, going through old garbage to find things of importance, etc. It can also include using OSINT (Open Source Intelligence gathering, which uses online information from Twitter, Instagram, LinkedIn, etc.) techniques to gather even more information about a target, much of it PII (Personally Identifiable Information). At the most basic level, passive reconnaissance is used in the beginning stages by penetration testers (“good” hackers who hack into systems to help people discover vulnerabilities) or even nefarious hackers, without being detected.

Let’s move onto active reconnaissance.

What is active reconnaissance? Active reconnaissance is a way of finding out information that does leave a footprint. (Think of a footprint like a digital signature: your thumb leaves a print, and so does your online activity, although in a more abstract way.) It involves an attempt to figure out things like the OS (Operating System) being used, any open ports (a port is basically a pathway into a network; this is important because if you can find an open port, you can most likely find a way into the network), email addresses of the employees, etc.

Active reconnaissance, however, has a drawback. One way you can perform active reconnaissance is with nmap (an application used by a multitude of people; at a basic level it is a network scanner that lets you “map” your own network or a target’s network to make it clearer, hence the name. You can use nmap to port scan, find the OS being used, and much more, and it is free to use, which is why it is so popular). This can become noisy (meaning the network you are targeting starts to pick up all your attempts at targeting it) and can cause you to be discovered, or damage the service. For instance, you could incidentally DDoS (Distributed Denial of Service attack, where you send an overwhelming amount of information to a network, causing it to go down) a network if you send an overwhelming number of probes (requests to the target network). But it is still a valuable tool to gather information.

Each type of reconnaissance has its pros and cons, but reconnaissance is still an essential technique hackers use for any type of hacking. How can you know how to hack a network if you don’t know anything about it? That’s where reconnaissance comes in, allowing you to use free tools and online information to better know the contents of a target’s network, company and/or person.

Today, we’ll be talking about reconnaissance, specifically how it can be grouped into two categories: passive reconnaissance and active reconnaissance. We’ll learn the difference between the two categories and when they are used. We will also look at some examples of cool techniques used in both categories.

Reconnaissance is the process of acquiring information about a target. That target might be a computer, a network, or a future victim of a social engineering attack. Reconnaissance can be passive or active, depending on how it acquires information.

Active reconnaissance involves actively interacting with the target. For example, a hacker performing active reconnaissance on a server might send unusual packets to that server, to try and get a response containing information.

Passive reconnaissance does NOT involve actively interacting with the target. Instead of sending packets to a server, a hacker might observe the traffic the server sends and receives.

Open-source intelligence (OSINT) is reconnaissance that uses publicly available information. There is an alarming amount of information floating around the internet that can be of use to threat actors. For example, a threat actor targeting an organization might collect information on employees such as their name, role, social media accounts, email addresses, etc. They might also be able to find out technical information, from what hardware vendors the organization uses, to what brand of elevators they have in their office building.

OSINT relies heavily on social media platforms and search engines to find information.

Footprinting (sometimes also referred to as “fingerprinting”) is the process of determining what software a network host is running. This is very useful information for an attacker, and footprinting can be done both passively and actively. Passive footprinting usually involves observing the traffic that a target receives, and how it responds to it.

Social engineering can be a useful tool for reconnaissance, in some ways serving as an active counterpart to OSINT. For example, OSINT might use publicly posted information on an employee’s social media, while social engineering might involve posing as a fellow employee in order to gain information.

The ethics of using social engineering in a penetration test can be complicated, but most real threat actors have no such qualms, and it’s important for personnel to be able to defend themselves against social engineering attacks.

The active version of footprinting involves sending data to the target, and observing how it responds. One common example of this is port scanning with tools like Nmap, which is a powerful and versatile tool for pen testing. Active footprinting provides a more detailed and complete picture of a network or host’s configuration, but well-configured environments will attempt to detect and alert when active scanning takes place.
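The "detect and alert" side of active scanning that this paragraph (and the earlier note about nmap being noisy) mentions, as an added example that is not part of the original article: a small sliding-window port-scan detector run over constructed firewall-style log lines. The log format, IP addresses, window length and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall-style log lines (sample data made up for this example).
# One benign client (198.51.100.7) revisits port 443; one host (203.0.113.5)
# touches many ports in a few seconds, the pattern a port scan leaves behind.
SAMPLE_LOG = """\
2024-01-15T10:00:00 198.51.100.7 -> 192.0.2.10:443 ACCEPT
2024-01-15T10:00:01 203.0.113.5 -> 192.0.2.10:21 DROP
2024-01-15T10:00:01 203.0.113.5 -> 192.0.2.10:22 DROP
2024-01-15T10:00:01 203.0.113.5 -> 192.0.2.10:23 DROP
2024-01-15T10:00:02 203.0.113.5 -> 192.0.2.10:25 DROP
2024-01-15T10:00:02 203.0.113.5 -> 192.0.2.10:80 ACCEPT
2024-01-15T10:00:02 198.51.100.7 -> 192.0.2.10:443 ACCEPT
2024-01-15T10:00:03 203.0.113.5 -> 192.0.2.10:110 DROP
2024-01-15T10:00:03 203.0.113.5 -> 192.0.2.10:135 DROP
2024-01-15T10:00:03 203.0.113.5 -> 192.0.2.10:139 DROP
2024-01-15T10:00:04 203.0.113.5 -> 192.0.2.10:443 ACCEPT
2024-01-15T10:00:04 203.0.113.5 -> 192.0.2.10:445 DROP
2024-01-15T10:00:05 198.51.100.7 -> 192.0.2.10:443 ACCEPT
2024-01-15T10:00:05 203.0.113.5 -> 192.0.2.11:22 DROP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ACCEPT|DROP)$")

def parse_line(line):
    """Parse one assumed-format log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def detect_port_scans(log_text, window_seconds=10, threshold=8):
    """Flag sources that touch >= threshold distinct (dst, port) pairs inside
    any window_seconds window. Returns {src: peak distinct targets seen}.
    Both ACCEPT and DROP count: a scan touches many ports regardless of outcome.
    Caveat: a slow scan spread beyond the window slips under this heuristic."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst, port))
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, _action = rec
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:   # evict events outside the window
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged
```

Tuning the window and threshold is the usual trade-off: tighter values catch only fast scans, looser values start flagging busy legitimate clients.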

War driving is a hybrid digital/physical technique where an attacker drives around scanning for Wi-Fi networks. In pen testing, this can be used to create maps of network coverage and search for insecure networks. The information collected from this can be used for Wi-Fi attacks like Rogue Access Points or Evil Twin Attacks.

As drones and UAVs get cheaper and more accessible, they become increasingly popular tools for hackers. One of the simplest uses for drones is war flying, which is just war driving using a drone instead of a car. This has the advantage of allowing the hacker performing the reconnaissance to stay further away from security guards and cameras.

Drones can also be used to deliver physical devices to otherwise inaccessible places or drop malicious USB drives around an area, hoping someone will pick one up and plug it in.

For pen testers and malicious hackers alike, information is crucial to achieving their objectives, and the list of ways to perform reconnaissance is only limited by human ingenuity. Passive techniques can be used to remain undetected while gathering information, while active techniques can be used for more detailed information with a risk of detection.
