Reconnaissance in Pentesting
Overview
Reconnaissance, or information gathering, is the first step in a penetration test. The goal is to collect as much data as possible about the target to find potential vulnerabilities.
- Identifies weak points and attack surfaces
- Helps plan more effective and targeted attacks
- Can include stealthy methods to avoid detection
- Ensures the test covers all possible areas
Types of Reconnaissance
Active Reconnaissance
This method involves directly interacting with the target to gather data. It's more detailed but also more likely to be detected.
- Network scanning to find active hosts and services
- Sending packets or queries to get system responses
- Using tools like ping, nmap, and traceroute
Passive Reconnaissance
This approach avoids touching the target system. It gathers information from public sources, which makes it harder to detect, though it may return less detail.
- Checking websites, social media, and public records
- Analyzing press releases or job postings
- Monitoring traffic externally or using third-party sources
Environment Classifications
These classifications describe how much information the tester has before the test. Each simulates different levels of attacker knowledge.
Known Environment
The tester has full knowledge of the target system, including its architecture, configurations, and security measures.
- Allows for comprehensive and detailed testing
- Resembles an insider threat scenario
- Useful for internal audits and deep testing
Partially Known Environment
The tester has limited knowledge of the system.
- Combines insider and outsider perspectives
- Simulates a partner, contractor, or semi-informed attacker
- Helps uncover gaps between known and unknown areas
- Some information is available but full details are not disclosed
Unknown Environment
The tester knows nothing about the system beforehand.
- Simulates an external attacker with no access
- Requires extensive reconnaissance and discovery
- Offers a real-world view of outside attack risks
Methods and Techniques
Open Source Intelligence (OSINT)
OSINT uses publicly available sources to gather information without touching the target’s systems.
- Search engines to find public data about the target
- Forums, blogs, and social media to uncover discussions and leaks
- Extracting hidden data (metadata) from documents and images
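Document metadata is one of the quietest leaks OSINT exploits: a published PDF or office file can carry author usernames, the software and version that produced it, and creation timestamps. The following added example (not part of the original notes) audits a PDF's Info dictionary for such fields and strips them before publication. The PDF bytes, the field values and the software names in them are constructed for the demonstration; the parser only handles a plain, uncompressed Info dictionary, not XMP metadata streams or compressed object streams.

```python
"""Audit and strip PDF document metadata before a file is published.

Constructed demonstration: the PDF below is hand-built, and the author,
software and date values in it are invented sample values.
"""
import re

# Constructed minimal PDF whose trailer points at an Info dictionary (object 3).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Network Diagram) /Author (jdoe) /Creator (ExampleOffice 12.3)
/Producer (ExamplePDF 2.1) /CreationDate (D:20240501101500Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Fields that identify people, software versions or timelines. Each is raw
# material for social engineering or for matching software to known flaws.
SENSITIVE_KEYS = {"Author", "Creator", "Producer", "CreationDate", "ModDate"}

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# "/Key (string)" entries; the string may contain backslash-escaped characters.
_STRING_ENTRY = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)")


def _info_dict_span(data):
    """Return (start, end) byte offsets of the Info dictionary body, or None."""
    ref = _INFO_REF.search(data)
    if not ref:
        return None
    num, gen = ref.group(1), ref.group(2)
    obj = re.compile(rb"\b" + num + rb"\s+" + gen + rb"\s+obj\s*<<(.*?)>>\s*endobj", re.S)
    m = obj.search(data)
    return (m.start(1), m.end(1)) if m else None


def extract_metadata(data):
    """Return the Info dictionary's string entries as {key: value}."""
    span = _info_dict_span(data)
    if span is None:
        return {}
    body = data[span[0]:span[1]]
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in _STRING_ENTRY.findall(body)}


def sensitive_fields(meta):
    """Subset of the metadata a reviewer should clear before release."""
    return {k: v for k, v in meta.items() if k in SENSITIVE_KEYS}


def strip_metadata(data):
    """Rewrite the Info dictionary so that only /Title survives.

    The xref table's byte offsets are not rebuilt here, so for production
    files use a real PDF library or a dedicated metadata tool instead.
    """
    span = _info_dict_span(data)
    if span is None:
        return data
    title = extract_metadata(data).get("Title")
    new_body = b" /Title (" + title.encode("latin-1") + b") " if title else b" "
    return data[:span[0]] + new_body + data[span[1]:]


if __name__ == "__main__":
    meta = extract_metadata(SAMPLE_PDF)
    print("Leaked fields:", sensitive_fields(meta))
    print("After stripping:", extract_metadata(strip_metadata(SAMPLE_PDF)))
```

Running the audit against a release candidate and failing the build when `sensitive_fields` is non-empty turns a manual review step into a repeatable check.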
Network Scanning
Network scanning helps identify active systems, open ports, and running services in the target network.
- Tools like Nmap to find open ports and services
- Scanning for known vulnerabilities
- Mapping the network to see how devices are connected
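The Active Reconnaissance section notes that scanning is "more likely to be detected", and this is why: one source touching many ports on one host in a short window stands out in connection logs. The following added example (not part of the original notes) runs that detection over constructed firewall-style log lines, and also shows the trade-off behind the "stealthy methods" bullet: a probe spaced out over minutes slips under a 60-second window but is caught when the window is widened. The log format and all addresses are constructed for the demonstration.

```python
"""Flag port-scan-like activity in connection logs.

Constructed demonstration: the log format is a simplified, invented
firewall log with one event per line:
    <ISO-8601 time> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 sweeps 15 ports on 192.168.1.10 in 15 seconds,
# while 10.0.0.7 makes ordinary connections to a few ports over ten minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 192.168.1.10 21 DENY
2024-05-01T10:00:01 10.0.0.5 192.168.1.10 22 ALLOW
2024-05-01T10:00:02 10.0.0.5 192.168.1.10 23 DENY
2024-05-01T10:00:03 10.0.0.5 192.168.1.10 25 DENY
2024-05-01T10:00:04 10.0.0.5 192.168.1.10 53 DENY
2024-05-01T10:00:05 10.0.0.5 192.168.1.10 80 ALLOW
2024-05-01T10:00:06 10.0.0.5 192.168.1.10 110 DENY
2024-05-01T10:00:07 10.0.0.5 192.168.1.10 135 DENY
2024-05-01T10:00:08 10.0.0.5 192.168.1.10 139 DENY
2024-05-01T10:00:09 10.0.0.5 192.168.1.10 143 DENY
2024-05-01T10:00:10 10.0.0.5 192.168.1.10 443 ALLOW
2024-05-01T10:00:11 10.0.0.5 192.168.1.10 445 DENY
2024-05-01T10:00:12 10.0.0.5 192.168.1.10 993 DENY
2024-05-01T10:00:13 10.0.0.5 192.168.1.10 3389 DENY
2024-05-01T10:00:14 10.0.0.5 192.168.1.10 8080 DENY
2024-05-01T10:00:30 10.0.0.7 192.168.1.10 443 ALLOW
2024-05-01T10:02:00 10.0.0.7 192.168.1.10 80 ALLOW
2024-05-01T10:05:00 10.0.0.7 192.168.1.10 443 ALLOW
2024-05-01T10:09:00 10.0.0.7 192.168.1.10 22 ALLOW
"""


def slow_scan_log(src="10.0.0.9", dst="192.168.1.20",
                  ports=range(1000, 1012), gap=timedelta(minutes=2)):
    """Constructed log in which one port is probed every `gap`."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    return "\n".join(f"{(t0 + i * gap).isoformat()} {src} {dst} {p} DENY"
                     for i, p in enumerate(ports))


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): ports} for every source that touched at least
    `min_ports` distinct ports on one destination within `window`."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, probes in by_pair.items():
        start = 0
        # Sliding window over the time-ordered probes for this src/dst pair.
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {p for _, p in probes[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.setdefault(pair, set()).update(ports)
    return alerts


if __name__ == "__main__":
    for pair, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"fast scan: {pair[0]} -> {pair[1]}, {len(ports)} ports")
    print("slow scan, 60 s window:", detect_port_scans(slow_scan_log()))
    print("slow scan, 1 h window:",
          detect_port_scans(slow_scan_log(), window=timedelta(hours=1)))
```

The DENY/ALLOW column is deliberately ignored: a scan against a host with many open ports produces mostly ALLOW lines, so counting distinct destination ports is the more robust signal. Widening the window catches slower probes at the cost of more state per source pair, which is the usual tuning decision for this kind of rule.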
Footprinting
Footprinting maps out the network architecture, infrastructure components, and their relationships. This technique builds a detailed picture of the target's network layout and systems.
- Collecting data on devices, operating systems, and software versions
- Identifying external and internal network boundaries
Social Engineering
This technique targets people rather than systems to trick them into giving up sensitive information.
- Tricking users into revealing credentials or other sensitive data
- Phishing emails that look legitimate to steal login info
- Pretexting by pretending to be someone trusted
- Baiting with fake updates, free software, or USB drives
Tools
Tool | Description |
---|---|
Nmap | A network scanning tool to discover hosts and services on a network. |
Shodan | A search engine for Internet-connected devices to find exposed systems. |
WHOIS Lookup | A protocol used to query databases for domain registration information. |
Google Dorking | Using advanced search techniques to find specific information on the web. |
curl | A command-line tool for transferring data with URLs. |
scanless | A tool to perform open port scans using multiple online scanners. |
dnsenum | A DNS enumeration tool that helps in gathering information about DNS servers and records. |
tcpreplay | A suite of tools to edit and replay captured network traffic. |
Cuckoo | An automated malware analysis system. |
theHarvester | An information gathering tool to get emails, subdomains, hosts, employee names, open ports, and banners. |
hping3 | A network tool able to send custom TCP/IP packets and to display target replies like ping does with ICMP replies. |
Metasploit Framework | A penetration testing framework that helps identify and exploit vulnerabilities. |