
Reconnaissance in Pentesting

Updated Jan 30, 2024

Overview

Reconnaissance, also known as information gathering, is the first phase of a penetration test, in which the tester collects as much information as possible about the target to identify potential entry points and vulnerabilities before any exploitation is attempted.

  • Identifies potential entry points for an attack.
  • Provides the information needed to tailor the test to the specific target.
  • Lets the tester plan stealthy approaches that avoid detection, where the engagement calls for it.
  • Reduces the chance that in-scope assets are missed, which improves the overall coverage of the test.

Types of Reconnaissance

Reconnaissance is the initial phase of a cyber attack, where attackers gather as much information as possible about their target. This phase can be broadly categorized into two types: Active Reconnaissance and Passive Reconnaissance.

Active Reconnaissance

Active reconnaissance involves direct interaction with the target system to collect detailed information. This method is more intrusive and can provide comprehensive data about the target's infrastructure, but it carries a higher risk of detection by the target's security systems.

  • Performing network scans to identify active devices and services.
  • Sending probes or queries to the target to elicit responses.
  • Using ping sweeps and traceroute to find live hosts and map network paths.

Passive Reconnaissance

Passive reconnaissance entails collecting information without directly engaging with the target system. This approach aims to avoid detection by only utilizing publicly accessible data and indirect methods of information gathering, making it a stealthier but potentially less informative technique.

  • Analyzing publicly available data such as website content and social media profiles.
  • Reviewing public records and documentation for insights.
  • Monitoring news articles and press releases for information leaks.
  • Less likely to be detected, but it typically yields less detail than active methods, and public data may be out of date.
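To make the active/passive distinction concrete, here is an added example (not code from the original page) of the most basic active probe: a TCP connect scan with banner grabbing, pointed at a constructed stand-in service on 127.0.0.1 so that it runs offline. The fake service records every peer that connects, which is the target-side view that makes active reconnaissance detectable. The banner string, port window and timeouts are assumptions chosen for the demo.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=0.5, banner_bytes=128):
    """Actively probe one TCP port: complete the handshake, then read whatever
    the service volunteers. Returns (port, state, banner).

    The completed handshake is exactly what makes active reconnaissance
    detectable: the target's service (or its firewall) sees a real connection
    from the tester's address, unlike a passive lookup in third-party data."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(banner_bytes).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""          # open, but the service waits for the client to speak first (e.g. HTTP)
            return port, "open", banner
    except ConnectionRefusedError:
        return port, "closed", ""    # RST came back: host is up, nothing listens here
    except (socket.timeout, OSError):
        return port, "filtered", ""  # no answer at all: dropped by a firewall, or host down


def connect_scan(host, ports, workers=32):
    """Probe many ports concurrently; return {port: banner} for open ports only."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p), ports))
    return {port: banner for port, state, banner in results if state == "open"}


def start_fake_service(banner=b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Constructed stand-in for the target so the demo runs offline: a listener
    on 127.0.0.1 that greets each client with an SSH-style banner (assumed
    value) and records every peer address, which is the detection side of the
    picture. Returns (port, seen_peers, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return               # listener closed by stop()
            with conn:
                seen.append(peer)    # what a real service would write to its log
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        srv.close()

    return port, seen, stop


if __name__ == "__main__":
    port, seen, stop = start_fake_service()
    # Scan a small window around the listener; neighbouring ports are almost certainly closed.
    found = connect_scan("127.0.0.1", range(port - 5, port + 6))
    for p in sorted(found):
        print(f"{p}/tcp open   {found[p] or '(no banner)'}")
    print(f"target logged {len(seen)} connection(s) from {seen[0][0] if seen else 'nobody'}")
    stop()
```

The three states mirror what Nmap reports for a connect scan: a refused connection proves the host is up, a silent timeout usually means a filtering device, and an open port may or may not hand over a banner depending on whether the protocol expects the server or the client to talk first.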

Environment Classifications

Environment classifications define the level of information available to the tester about the target system. This classification helps in simulating different attack scenarios, ranging from those performed by internal employees to external attackers with no prior knowledge of the system.

Known Environment

In a known environment, the tester has comprehensive knowledge about the target system, including its architecture, configurations, and security measures.

  • Often referred to as white-box testing.
  • Focuses on known assets, evaluating vulnerabilities and weaknesses.
  • Allows for comprehensive and detailed testing.
  • Resembles an insider threat scenario.
  • Typically used for internal audits and in-depth security assessments.

Partially Known Environment

A partially known environment provides the tester with limited knowledge about the target system. This method balances thoroughness and realistic attack scenarios, uncovering vulnerabilities in both known and hidden assets.

  • Also known as grey-box testing.
  • Combines elements of both known and unknown environments.
  • Often used when some information is available but full details are not disclosed.

Unknown Environment

In an unknown environment, the tester has no prior knowledge of the target system. This approach simulates a real-world external attacker scenario, providing an unbiased view of the system's security from an outsider’s perspective.

  • Commonly referred to as black-box testing.
  • The tester knows little to nothing about the target beyond the agreed scope.
  • Relies heavily on reconnaissance and discovery techniques.

Methods and Techniques

Open Source Intelligence (OSINT)

OSINT involves gathering information from publicly available resources. This method leverages various online platforms to collect data about the target, providing valuable insights without direct interaction.

  • Leveraging search engines to find data about the target.
  • Reviewing forums, blogs, and online communities for relevant information.
  • Analyzing metadata from documents and images for hidden details.
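The metadata bullet above deserves a worked example. The following is an added example, not code from the original page: it reads the document information dictionary out of a PDF and normalises the date, using a constructed sample PDF embedded in the block (the author name, title, tool versions and timestamp are invented). On a real engagement you would normally reach for exiftool; the point here is what the fields leak.

```python
import re

# Constructed sample: the skeleton of a PDF as Word-style tools write it, with the
# document information dictionary (object 3) left uncompressed. The \( \) escapes and
# the octal \256 (a registered-trademark sign in PDFDocEncoding) are the usual wrinkles.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Title (Q4 Network Refresh \\(draft\\)) /Author (jdoe)\n"
    b"  /Creator (Microsoft\\256 Word 2016) /Producer (Microsoft\\256 Word 2016)\n"
    b"  /CreationDate (D:20240130091500+01'00') >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

_INFO_KEYS = b"Title|Author|Subject|Keywords|Creator|Producer|CreationDate|ModDate"
# /Key (literal string): a literal string runs to the first unescaped ')'.
_INFO_RE = re.compile(rb"/(" + _INFO_KEYS + rb")\s*\(((?:\\.|[^\\)])*)\)", re.S)
_DATE_RE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([+\-Z])?(\d{2})?'?(\d{2})?")
_SIMPLE_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}


def _unescape_pdf_string(raw):
    """Decode a PDF literal string body: backslash escapes, \\ddd octal, UTF-16BE with BOM."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C:                    # not a backslash: copy through
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break
        if raw[i] in b"01234567":        # up to three octal digits
            j = i
            while j < len(raw) and j < i + 3 and raw[j] in b"01234567":
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
        else:
            out.append(_SIMPLE_ESCAPES.get(raw[i], raw[i]))   # \( \) \\ map to themselves
            i += 1
    if out.startswith(b"\xfe\xff"):
        return out[2:].decode("utf-16-be", "replace")
    return out.decode("latin-1")         # close enough to PDFDocEncoding for metadata fields


def pdf_metadata(data):
    """Pull the Info dictionary fields out of raw PDF bytes. Only finds uncompressed
    Info dicts; PDF 1.5+ files may pack it into an object stream, and XMP metadata
    lives elsewhere, so treat an empty result as 'not found', not 'not there'."""
    return {key.decode(): _unescape_pdf_string(val) for key, val in _INFO_RE.findall(data)}


def parse_pdf_date(value):
    """Turn a PDF date string (D:YYYYMMDDHHmmSSOHH'mm') into 'YYYY-MM-DD HH:MM:SS +HH:MM'."""
    m = _DATE_RE.match(value or "")
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    stamp = f"{y}-{mo or '01'}-{d or '01'} {h or '00'}:{mi or '00'}:{s or '00'}"
    if sign == "Z":
        return stamp + " +00:00"
    if sign:
        return f"{stamp} {sign}{oh or '00'}:{om or '00'}"
    return stamp


if __name__ == "__main__":
    meta = pdf_metadata(SAMPLE_PDF)
    for key, val in meta.items():
        print(f"{key:<13} {val}")
    print("created      ", parse_pdf_date(meta.get("CreationDate")))
    # From one public PDF: a probable username format (jdoe), the authoring tool and its
    # version, and a local timestamp that hints at the author's time zone.
```

Run it over any PDF pulled from the target's public website (`pdf_metadata(open("report.pdf", "rb").read())`). Author fields often reveal the organisation's username convention, and Creator/Producer strings reveal which office suite and version is in use, both of which feed directly into later phishing and client-side attack planning.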

Network Scanning

Network scanning identifies live hosts, open ports, and running services on the target network. This method uses various tools to perform comprehensive scans and discover potential vulnerabilities.

  • Using tools like Nmap to perform comprehensive scans.
  • Conducting vulnerability scans to find exploitable weaknesses.
  • Mapping network topologies and discovering connected devices.

Footprinting

Footprinting maps out the network architecture, infrastructure components, and their relationships. This technique gathers detailed information about the network to understand its structure and potential entry points.

  • Gathering details about network devices, operating systems, and software versions.
  • Documenting external and internal network boundaries.
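As an added example covering both the network-scanning and footprinting steps above (it is not code from this page or from the Nmap project), the block below parses Nmap's XML output, as produced by `nmap -sV -oX scan.xml <target>`, into a per-host port list and then folds it into the service inventory a footprinting write-up needs. The XML is a constructed sample using RFC 5737 documentation addresses; the hostname and version strings are invented for the demo.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of what `nmap -sV -oX scan.xml 192.0.2.0/30` might write for
# two hosts, one up and one down. Addresses are from the RFC 5737 documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/30" start="1706572800">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6p1" ostype="Linux"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host Nmap reported as up: address, PTR hostname (if any),
    and a list of ports with state plus any service/version fingerprint."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                   # down hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        hn = host.find("hostnames/hostname")
        ports = []
        for p in host.iter("port"):
            svc = p.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "ostype": get("ostype"),
            })
        hosts.append({
            "addr": addr.get("addr"),
            "hostname": hn.get("name") if hn is not None else None,
            "ports": ports,
        })
    return hosts


def service_inventory(hosts):
    """Footprinting view: service name -> [(address, port, 'product version')] for open
    ports only. Filtered and closed ports are left out; they describe the firewall,
    not the software behind it."""
    inv = defaultdict(list)
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            fingerprint = " ".join(x for x in (p["product"], p["version"]) if x) or "unknown"
            key = p["service"] or f"{p['proto']}/{p['port']}"
            inv[key].append((h["addr"], p["port"], fingerprint))
    return dict(inv)


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print(f"{h['addr']} ({h['hostname'] or 'no PTR'})")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']:<4}{p['state']:<9}{p['service'] or ''}")
    for svc, where in sorted(service_inventory(hosts).items()):
        print(svc, where)
```

Keeping the filtered port in the parsed output but out of the inventory is deliberate: a filtered 443 tells you a firewall rule exists, which belongs in the network-boundary notes, whereas the inventory is meant to list software versions that can be checked against advisories.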

Social Engineering

Social engineering manipulates individuals into revealing confidential information. This method uses various tactics to deceive targets and gain access to sensitive data.

  • Manipulating individuals to divulge confidential information.
  • Conducting phishing attacks to obtain login credentials.
  • Pretexting to impersonate trusted individuals or entities.
  • Using baiting tactics to lure targets into revealing information.

Tools

Note which side of the active/passive line each tool sits on: Nmap, hping3, curl, dnsenum and the Metasploit Framework interact with the target directly and so count as active reconnaissance, while Shodan, WHOIS lookups, Google Dorking and (mostly) theHarvester draw on third-party data and leave no trace on the target.

Tool                  Description
Nmap                  Network scanner that discovers hosts and the services they expose.
Shodan                Search engine for Internet-connected devices; finds exposed systems without touching them.
WHOIS Lookup          Protocol for querying registration databases for domain and IP ownership details.
Google Dorking        Advanced search-engine operators used to surface indexed files, pages and error messages.
curl                  Command-line tool for transferring data with URLs; handy for fetching headers and banners.
scanless              Runs port scans through third-party online scanners, so the probes do not originate from the tester's host.
dnsenum               DNS enumeration tool for gathering name servers, records and subdomains.
tcpreplay             Suite of tools for editing and replaying captured network traffic.
Cuckoo                Automated malware analysis sandbox.
theHarvester          Gathers emails, subdomains, hosts, employee names, open ports and banners from public sources.
hping3                Crafts custom TCP/IP packets and displays the target's replies, as ping does for ICMP.
Metasploit Framework  Penetration testing framework for identifying and exploiting vulnerabilities.