Collecting as much information as you can about the targets is referred to as reconnaissance (recon), or discovery. Pentesters do this during planning, initial access, and post-exploitation phases of pentesting. Recon identifies or confirms the target scope, finds potential weaknesses or vulnerabilities for exploitation, and locates other information related to the goals of the pentest.
As an ethical hacker, here are some examples of the information you might target during an engagement:
- Websites (such as login forms or exposed management interfaces)
- User accounts and e-mail addresses
- Certificate data
- Systems over a network range
- Cryptographic flaws
- Hosting Providers
- Domain Name Services
- ... and many more
All of these activities generally fall into two categories:
- Passive reconnaissance
- Active reconnaissance
For the CompTIA Pentest+ exam, you should have a firm understanding of the difference between each of these, when to use them, what tools will aid you with each task, and how to recognize and analyze the results from certain tools.
Passive Reconnaissance
Reconnaissance is the first step in nearly every attack: an attacker must gather information about the target before anything else can succeed. Passive reconnaissance is information gathering in which your tools never interact directly with the target's devices or network; everything comes from third parties and publicly available sources, so the target has nothing to detect. In this tutorial we will explore tools that can be used for this kind of information gathering.
Let’s say you need to hire someone to fix something in your house. But you don’t want to give them money or let them into your house before you find out more about them. Does the person or business have a criminal record? Do they even do good work? You might decide to ask your friends who have done business with this individual in the past or research them with a business bureau. You could look up their reviews in social media services. You may decide to ask for a criminal background check—all without engaging with the potential contractor directly.
Common passive reconnaissance methods include the following:
- Open-source Intelligence (OSINT) gathering
- Domain Name and DNS enumeration
- Social media analysis
- Email address harvesting
- Public database searches
- Analyzing leaked data
- Website footprinting
- Analyzing network traffic patterns
- Search engine dorking (using advanced queries)
- Analyzing digital certificates
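Several of the methods above (website footprinting, email address harvesting and certificate analysis) come down to the same job: take data that is already public and pull out everything that belongs to the target's domain. The script below is an added example, not code from the original page. It works entirely offline on two constructed inputs: the saved text of a public web page, and a JSON list shaped like a certificate-transparency search result (the `common_name` / newline-separated `name_value` field layout is an assumption modelled on crt.sh's JSON output). `example.com` is a hypothetical in-scope domain; note that wildcard certificates are reported separately, since `*.dev.example.com` tells you a zone exists without naming the hosts in it.

```python
from __future__ import annotations

import json
import re

TARGET_DOMAIN = "example.com"   # hypothetical in-scope domain

# Constructed sample: the saved text of one of the target's public web pages.
SCRAPED_PAGE = """
<html><body>
<p>Contact sales at sales@example.com or support@Example.com.</p>
<a href="https://intranet.example.com/login">Staff portal</a>
<a href="https://cdn.example.com/js/app.js">script</a>
<a href="https://partner.other-company.net/">Partner site</a>
<p>Webmaster: webmaster@other-company.net</p>
</body></html>
"""

# Constructed sample shaped like a certificate-transparency search result
# (assumption: one object per logged certificate with crt.sh-style
# "common_name" and newline-separated "name_value" SAN fields).
CT_SEARCH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "vpn.example.com", "name_value": "vpn.example.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\nstaging.dev.example.com"},
    {"common_name": "mail.other-company.net", "name_value": "mail.other-company.net"},
])

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def in_scope(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; anything else is out of scope."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def harvest_emails(text: str, domain: str) -> set[str]:
    """Email harvesting: addresses in the page whose domain is in scope."""
    return {m.group(0).lower() for m in EMAIL_RE.finditer(text) if in_scope(m.group(1), domain)}


def harvest_page_hosts(text: str, domain: str) -> set[str]:
    """Website footprinting: in-scope hostnames referenced by links in the page."""
    return {m.group(1).lower() for m in URL_HOST_RE.finditer(text) if in_scope(m.group(1), domain)}


def harvest_ct_hosts(ct_json: str, domain: str) -> tuple[set[str], set[str]]:
    """Certificate analysis: in-scope names from issued certificates.

    Returns (concrete hostnames, wildcard names); a wildcard only proves the zone exists."""
    hosts, wildcards = set(), set()
    for cert in json.loads(ct_json):
        names = cert.get("name_value", "").split("\n") + [cert.get("common_name", "")]
        for name in names:
            name = name.strip().lower()
            if not name or not in_scope(name.lstrip("*."), domain):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    return hosts, wildcards


def footprint(page: str, ct_json: str, domain: str) -> dict[str, list[str]]:
    """Merge the three passive sources into one de-duplicated, sorted footprint."""
    ct_hosts, wildcards = harvest_ct_hosts(ct_json, domain)
    return {
        "emails": sorted(harvest_emails(page, domain)),
        "hosts": sorted(harvest_page_hosts(page, domain) | ct_hosts),
        "wildcard_certs": sorted(wildcards),
    }


if __name__ == "__main__":
    for key, values in footprint(SCRAPED_PAGE, CT_SEARCH_JSON, TARGET_DOMAIN).items():
        print(f"{key}:")
        for value in values:
            print("  " + value)
```

The scope check matters more than it looks: a naive `"example.com" in host` test would happily pull `example.com.evil.net` into your target list, which is exactly the kind of mistake that turns recon into an unauthorized scan of someone else's systems later on.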
Active Reconnaissance
Let's extend the home-maintenance example from the previous section. Eventually you will have to contact the contractor directly, because some questions only they can answer: are they available in the slot you need, do they have the expertise to fix your specific problem, how much will they charge (you need a quotation), and are they even willing to take the job. At this point you have to interact with them directly, through conversations and other exchanges, to get more information.
In pentesting, this is active information gathering. You engage the target directly in order to discover open ports, running services and web content, and to identify exploitable weaknesses you can use later in the pentest. Unlike passive methods, these actions reach the target's systems, so they may show up in logs and monitoring systems or affect the target's bandwidth utilization.
Use this method carefully during a pentest unless the rules of engagement make detection, disruption and a possible incident-response reaction acceptable. Port scanning, for example, has resulted in civil lawsuits and complaints to Internet service providers, which can cost the pentester time, money, or resources.
Common active reconnaissance methods include the following:
- Port scanning to identify open ports and active services
- Network scanning for live hosts and network topology
- Vulnerability scanning to find potential weaknesses
- Social engineering attacks for obtaining sensitive information
- Phishing attempts to acquire credentials or other data directly from users
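To make the "shows up in logs" point concrete, here is an added example (not code from the original page) of the simplest active technique in the list, a TCP connect scan, run against a stand-in target on the local machine. The stand-in is a tiny listener, constructed for this example, that records every accepted connection the way a real service, firewall or IDS would. Each "open" verdict the scanner produces is also a line in the target's log, which is exactly why active reconnaissance is noisy; the scanner also distinguishes a closed port (the host answers with a reset) from a filtered one (no answer at all). All ports are chosen by the OS at run time, so nothing here touches a remote system.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# --- Stand-in target --------------------------------------------------------
# A tiny TCP service that records every accepted connection, the way a real
# service, firewall or IDS would. Constructed for this example only.

def start_logging_listener(host="127.0.0.1"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(8)
    srv.settimeout(0.1)          # wake up periodically to check the stop flag
    log, stop = [], threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, (peer_ip, peer_port) = srv.accept()
            except socket.timeout:
                continue
            stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            log.append(f"{stamp} accepted connection from {peer_ip}:{peer_port}")
            conn.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], log, stop, thread


def free_port(host="127.0.0.1"):
    """Reserve and release a port so the scan below has a port that is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

# --- The reconnaissance step: a TCP connect scan ----------------------------

def tcp_connect_scan(host, ports, timeout=0.5):
    """Return {port: state} with state in {"open", "closed", "filtered", "error ..."}.

    A full three-way handshake is attempted on every port, so every "open"
    result leaves a connection record on the target."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"         # SYN/ACK received, handshake completed
        except ConnectionRefusedError:
            results[port] = "closed"       # RST received: host is up, nothing listening
        except socket.timeout:
            results[port] = "filtered"     # no answer: probes silently dropped
        except OSError as exc:
            results[port] = f"error ({exc.strerror})"
        finally:
            s.close()
    return results


def run_demo(host="127.0.0.1"):
    """Scan one open and one closed local port, then return what the target logged."""
    open_port, log, stop, thread = start_logging_listener(host)
    closed_port = free_port(host)
    results = tcp_connect_scan(host, [open_port, closed_port])
    deadline = time.monotonic() + 3.0
    while not log and time.monotonic() < deadline:   # let the listener write its log line
        time.sleep(0.01)
    stop.set()
    thread.join()
    return results, open_port, closed_port, list(log)


if __name__ == "__main__":
    results, open_port, closed_port, log = run_demo()
    for port, state in results.items():
        print(f"{port:5d}/tcp  {state}")
    print("what the target recorded:")
    for line in log:
        print("  " + line)
```

Only the open port produces a log entry here, but on a real network the closed port's reset and the dropped probes are visible too (to a firewall or IDS that logs denied traffic), so a scan of a few thousand ports leaves thousands of records with your source address on them. That is the trade-off the section describes: active recon answers questions passive recon cannot, at the price of being observable.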
In summary, active reconnaissance is information gathering in which your tools send probes directly to the target network or systems, while passive reconnaissance is information gathering in which your tools never interact directly with the target device or network.