Mastering Footprinting & Reconnaissance: The First Step in Ethical Hacking!

What is Reconnaissance in Cyber Security?

Reconnaissance in cybersecurity is the process of gathering as much information as possible about a target, whether that target is a person, a system, or a network.

Reconnaissance is best described as the 'scoping' a burglar does before a break-in. A burglar does not pick a house out of a hat; they watch a neighbourhood, learn the residents' routines and their comings and goings, look for entry and exit points, and note the weaknesses of a house (an open window, a broken security camera). Reconnaissance against a computer system is not all that different.

Why is reconnaissance important?

In the digital world the stakes are concrete: business data, customer details, patents, and even state secrets are at risk once an attacker obtains the right credentials. For attacker and defender alike, reconnaissance is the first activity, and it happens before anything else.

For the attacker, reconnaissance locates the door through which a system can be breached. It also tells them when to strike, which improves their chances of success.

For defenders, reconnaissance is just as crucial. Running it against your own organisation shows which weaknesses are exposed so they can be closed before someone else exploits them: the better an organisation understands its own systems, the smaller its attack surface.

Types of Reconnaissance

Reconnaissance can be broken down into two main types:

1. Active Reconnaissance

Active reconnaissance means interacting directly with the target's systems to obtain information, for example by sending packets or scanning ports. It is like knocking on the door to ask whether anyone is home: it gets an answer, but it risks detection, because every probe can be captured by the target's monitoring (firewall logs, IDS alerts, service logs).

Examples of Active Reconnaissance Techniques:

Port scanning: finding which ports on a host are open, and therefore which services are reachable and might be attacked.

Banner grabbing: connecting to selected ports and reading the service's greeting (or sending a minimal request) to learn what software, and which version, is running.

Ping sweeps: sending ICMP echo requests to a range of IP addresses to learn which hosts reply. Hosts that block ICMP will look absent, so a ping sweep is a starting point, not a complete host list.

Attackers typically use active techniques when they are confident the probes will not be noticed, or when the target is known to be poorly monitored.
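As an added example (not from the original post), here is what a TCP connect scan with banner grabbing looks like, and why it is detectable. It runs entirely against a constructed listener on 127.0.0.1 so it can be executed offline; the banner string and port numbers are assumptions, and the listener's connection log stands in for the target's firewall or service log.

```python
import socket
import threading

# Constructed stand-in for a real host: a localhost listener that speaks an
# SSH-style banner and records every peer that connects. The banner text and
# the port numbers are assumptions for this example only.
FAKE_BANNER = b"SSH-2.0-OpenSSH_9.3\r\n"


def start_fake_service(connection_log):
    """Listen on an ephemeral 127.0.0.1 port, send FAKE_BANNER, log the peer.

    connection_log plays the role of the target's service/firewall log: every
    entry in it is evidence that a scan took place."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:      # listener closed by the caller
                return
            connection_log.append(peer)
            conn.sendall(FAKE_BANNER)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_port():
    """Pick a port nothing is listening on (bind, read it back, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan with banner grab.

    A full three-way handshake completes for every open port, so the target
    sees the probe. Returns {port: banner} for ports that accepted; banner is
    None when the service waits for the client to speak first (e.g. HTTP)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused (closed) or timed out (filtered)
            s.close()
            continue
        try:
            banner = s.recv(1024).decode("ascii", errors="replace").strip() or None
        except OSError:          # timed out or reset: open but silent
            banner = None
        finally:
            s.close()
        results[port] = banner
    return results


def demo():
    """Scan one open and one closed localhost port; return what both sides saw."""
    target_log = []
    srv, open_port = start_fake_service(target_log)
    try:
        found = connect_scan("127.0.0.1", [closed_port(), open_port])
    finally:
        srv.close()
    return open_port, found, target_log


if __name__ == "__main__":
    open_port, found, target_log = demo()
    print("scanner saw:", found)        # {open_port: 'SSH-2.0-OpenSSH_9.3'}
    print("target logged:", target_log)  # [('127.0.0.1', <client port>)]
```

The closed port never appears in the scanner's results, but note the asymmetry in the target's log: the open port logged the connecting address, which is exactly the signal an IDS or a tool such as fail2ban keys on. A SYN scan avoids completing the handshake, but the packets are still visible to a firewall.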

2. Passive Reconnaissance

Passive reconnaissance gathers information about a target without communicating with it directly, which makes it very hard to detect. It is like watching a house from a distance to learn the occupants' routine without ever approaching it.

Examples of Passive Reconnaissance Techniques:

Open-source intelligence (OSINT): searching the internet, social networks, forums, and any other public material related to the target. Search engines for internet-connected devices such as Shodan and ZoomEye fit here too: they serve results from their own scans, so querying them never touches the target.

DNS (Domain Name System) queries: looking up the public records of a domain, which reveal IP addresses, mail servers (MX), name servers, and hostnames. Note that querying the target's own authoritative name servers does send traffic to the target's infrastructure; passive-DNS datasets and certificate-transparency logs give much of the same information without doing so.

Google hacking (Google dorking): using advanced search operators (site:, filetype:, inurl:, intitle:) to find sensitive pages or files that a search engine has indexed but the owner never meant to expose.

Passive reconnaissance is usually the first stage of an attack because it gives the target almost no signal that anything is underway.

Methods of Reconnaissance

Whether passive or active, there are a variety of techniques that attackers and defenders can use to gather information:

Social Engineering: tricking people into revealing sensitive information. It can be as simple as an email from a spoofed account asking the user for their password, or as elaborate as an attacker impersonating a colleague over days of conversation.

Network Scanning: tools such as Nmap are used to scan a network to discover live hosts, open ports, and the services running on them. Wireshark is not a scanner but a packet analyser; it is used to inspect captured traffic, for example to confirm what a scan actually sent or to passively learn the hosts and protocols on a network segment. The result is a map of where weaknesses might exist.

Website Enumeration: an attacker might use DirBuster to brute-force files and directories on a web server, and Nikto to scan it for known misconfigurations and vulnerable components; subdomains are found with the DNS tools described in the steps below.

Footprinting: compiling a dossier on a target from information that is already public. Job advertisements (which mention the software the company uses), employees' professional profiles, press releases, and the like all help to map the organisation's structure and technology stack.

Steps to Reconnaissance

A practical workflow for footprinting a target domain during an authorised engagement.


1. Going Back in Time

The first step is to look at historical records of the target website. Archived copies often reveal old structure, forgotten paths, and files that have since been removed from the live site but may still exist on the server.

Tools for Historical Analysis:

  • Waybackurls.py: extracts archived URLs for a domain from the Wayback Machine (web.archive.org).

  • Waybackrobots.py: retrieves historical robots.txt files, whose Disallow entries point at paths the site owner once wanted hidden.
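An added example, not the page's code and not either script's own: the parsing that tools like Waybackurls.py and Waybackrobots.py perform, run over constructed CDX-API and robots.txt samples so it works offline. The domain, paths and timestamps are invented; the CDX query in the comment is shown for reference only and is not fetched.

```python
import json
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample in the shape the Wayback Machine CDX API returns for
#   https://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=json
#       &fl=timestamp,original,statuscode&collapse=urlkey
# (query shown for reference; nothing is fetched here). target.com and every
# path below are invented for the example.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20190412101010", "http://target.com/", "200"],
    ["20190412101011", "http://target.com/login.php?next=/admin", "200"],
    ["20200101000000", "https://target.com/backup/site.tar.gz", "200"],
    ["20200101000001", "https://dev.target.com/.env", "200"],
    ["20210303030303", "https://target.com/api/v1/users?id=1&debug=true", "200"],
    ["20210303030304", "https://target.com/api/v1/users?id=2", "200"],
    ["20220505050505", "https://target.com/old/", "404"],
])

# Constructed historical robots.txt captures keyed by timestamp (oldest first).
SAMPLE_ROBOTS = {
    "20180101000000": "User-agent: *\nDisallow: /admin/\nDisallow: /internal-api/\n",
    "20230101000000": "User-agent: *\nDisallow: /admin/\n",
}

# File types worth a second look when they appear in an archived URL.
INTERESTING_EXT = re.compile(r"\.(?:bak|old|sql|tar\.gz|zip|env|log|conf)$", re.I)


def parse_cdx(raw_json):
    """Turn the CDX array-of-arrays (header row first) into a list of dicts."""
    rows = json.loads(raw_json)
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body]


def archived_hosts(rows):
    """Every hostname the archive has seen for the domain: free subdomains."""
    return {urlparse(r["original"]).hostname for r in rows}


def interesting_files(rows):
    """Archived URLs whose path looks like a backup, dump or config file."""
    return sorted(r["original"] for r in rows
                  if INTERESTING_EXT.search(urlparse(r["original"]).path))


def query_params(rows):
    """Parameter names that once existed, with example values: fuzzing targets."""
    params = {}
    for r in rows:
        for name, values in parse_qs(urlparse(r["original"]).query).items():
            params.setdefault(name, set()).update(values)
    return params


def robots_disallows(robots_txt):
    """Paths listed under Disallow: in one robots.txt capture."""
    paths = set()
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.add(value.strip())
    return paths


def formerly_disallowed(captures):
    """Paths a site once hid via robots.txt but no longer lists: they may have
    been removed, or simply forgotten while still being served."""
    ordered = sorted(captures)                  # timestamps sort chronologically
    newest = robots_disallows(captures[ordered[-1]])
    older = set().union(*(robots_disallows(captures[t]) for t in ordered[:-1]))
    return older - newest


if __name__ == "__main__":
    rows = parse_cdx(SAMPLE_CDX)
    print("hosts:", sorted(archived_hosts(rows)))
    print("files:", interesting_files(rows))
    print("params:", query_params(rows))
    print("dropped from robots.txt:", formerly_disallowed(SAMPLE_ROBOTS))
```

Everything above is passive: the only party contacted would be the archive. Whether /backup/site.tar.gz or /internal-api/ still exists on the live server is a question for the active validation step, and requesting them is something the target can log.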


2. Finding Subdomains

Discovering subdomains shows more of the target's infrastructure: each one is a host that may run different software, and receive less attention, than the main site. Start with passive sources (certificate-transparency logs, search engines), then brute-force with a wordlist to catch names that never appeared publicly.

Recommended Tools:

  • Knockpy (GitHub): enumerates subdomains for a target domain from a wordlist and reports which ones resolve.

  • Sublist3r (GitHub): gathers subdomains from search engines and other public sources, and can optionally port-scan the results.

  • SubBrute (GitHub): brute-forces subdomains from a wordlist, resolving through open resolvers rather than the target's own name servers.


Alternative Methods:

  • Google Dorking: use search operators to uncover subdomains the search engine has already indexed. Example (excludes the main site so that other hosts surface):

                                    site:target.com -site:www.target.com


3. Finding Subdomains of Subdomains

Dive deeper into the hierarchy by enumerating subdomains of the subdomains you found (for example, api.dev.target.com beneath dev.target.com). These deeper hosts are often development or staging systems that were never meant to be public.

Tools:

  • Altdns (GitHub): generates permutations, alterations, and mutations of known subdomains from a wordlist and resolves the candidates.

  • SubBrute:

    Enumerate subdomains of the root and save them:

                       ./subbrute.py target.com > subdomains.txt

    Then brute-force one level deeper, using each discovered name as a target (-t reads the target list from a file):

                       ./subbrute.py -t subdomains.txt
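An added example (not from the page, nor from Sublist3r, SubBrute or Altdns) covering the passive DNS/OSINT step, subdomain discovery, and the deeper permutation step above: it parses a constructed crt.sh-style certificate-transparency result into a clean, in-scope subdomain list, then generates Altdns-style permutations to feed a resolver. The domain, certificate names and wordlist are assumptions; nothing is fetched or resolved.

```python
import json

# Constructed sample in the shape returned by
#   https://crt.sh/?q=%25.target.com&output=json
# (query shown for reference; nothing is fetched here). target.com and all
# names are invented, including the look-alike phishing domain.
SAMPLE_CRTSH = json.dumps([
    {"common_name": "target.com", "name_value": "target.com\nwww.target.com"},
    {"common_name": "*.target.com", "name_value": "*.target.com\ntarget.com"},
    {"common_name": "dev.target.com", "name_value": "DEV.target.com\napi.dev.target.com"},
    {"common_name": "mail.target.com", "name_value": "mail.target.com"},
    {"common_name": "target.com.evil-phish.example",
     "name_value": "target.com.evil-phish.example"},
])


def in_scope(name, root):
    """True for root itself and anything ending in '.root'; look-alike
    domains such as target.com.evil-phish.example are rejected."""
    return name == root or name.endswith("." + root)


def subdomains_from_crtsh(raw_json, root):
    """Normalised, de-duplicated, in-scope names from crt.sh JSON.

    name_value holds one or more SANs separated by newlines; wildcards are
    reduced to their parent because '*.x' is not a resolvable host."""
    found = set()
    for cert in json.loads(raw_json):
        for name in cert["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, root):
                found.add(name)
    return found


def permute(known, root, words):
    """Altdns-style candidates for deeper levels and sibling names.

    For each known name and each word w, emit: a new leftmost label
    (w.api.dev), hyphenated variants of every label (w-api, api-w), and w
    inserted at each deeper level (api.w.dev, api.dev.w). Known names are
    removed so only unresolved guesses remain for the resolver."""
    suffix = "." + root
    cands = set()
    for name in known:
        if name == root:
            continue
        labels = name[: -len(suffix)].split(".")
        for w in words:
            cands.add(".".join([w] + labels) + suffix)
            for i, label in enumerate(labels):
                for alt in (f"{w}-{label}", f"{label}-{w}"):
                    cands.add(".".join(labels[:i] + [alt] + labels[i + 1:]) + suffix)
            for i in range(1, len(labels) + 1):
                cands.add(".".join(labels[:i] + [w] + labels[i:]) + suffix)
    return cands - set(known)


if __name__ == "__main__":
    root = "target.com"
    known = subdomains_from_crtsh(SAMPLE_CRTSH, root)
    print("known:", sorted(known))
    # The candidates are what you would hand to a resolver or to SubBrute's -t.
    print("candidates:", sorted(permute(known, root, ["staging"])))
```

The scope check matters more than it looks: certificate-transparency searches return any name containing the string, so without it a lookalike phishing domain (or another company's host) ends up in the list that is later scanned, and scanning it is out of scope for an authorised engagement.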

4. Validating Subdomains

Validate the names you collected: resolve them, confirm which ones serve something, and capture what they serve so live hosts can be triaged quickly. This step is active: every host in the list receives requests from you.

Tool for Validation:

  • EyeWitness (GitHub): captures screenshots of each web host, records server headers, and groups similar pages, which makes verifying and sorting a long subdomain list much faster.

Usage (the --web flag selects HTTP screenshotting in current versions):

./EyeWitness.py -f subdomains.txt --web

 
