# Active/Passive Reconnaissance

## Goals of Recon

* Network Information (IPs, CIDR, Domains)
* Systems (Server Names/IPs)
* Web Applications
* Security Tools (Firewalls, IDS/IPS, Endpoint Security)
* People (Leadership, Admins, Engineers, Developers, etc.)
* Partners (Vendors, Hosting Providers)

## Passive Reconnaissance

Mostly OSINT: publicly available information gathered without interacting with the target's systems.

### Tools/Strategies

* ICANN
* Domain Registration (contact names, addresses, nameserver info)
* IP Addresses Registration
  * Internet Assigned Numbers Authority (IANA) delegates address space to five Regional Internet Registries (RIRs)
    * AfriNIC - Africa
    * APNIC - Asia/Pacific
    * ARIN - North America
    * LACNIC - Latin America and Caribbean
    * RIPE NCC - Europe, Middle East, Central Asia
* Google Dorking
  * Also known as Google hacking
* Shodan
  * <https://www.shodan.io/>
* The Harvester
  * Command line tool to query multiple search engines
  * Included in Kali, but has had issues in the past
* Netcraft
  * Provides technical reports on other websites
* Metagoofil (technically not passive, since you fetch documents from the target's host, but it can give much larger insight into the target)
  * Kali utility designed for extracting metadata from public documents
* DNS
  * Nslookup and Dig are useful command line tools
  * Dnsrecon (included in Kali) offers a streamlined approach to gathering DNS data; however, pull down the latest version first
  * MxToolbox
    * Find the email service provider, DNS information, WHOIS information, and more
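The DNS bullets above name the tools but not what a practitioner actually checks with them. The script below is an added example (not part of the original notes) that uses `dig` to inventory the public DNS records of a domain you own and flags the email-authentication gaps (missing SPF, missing or permissive DMARC) that services such as MxToolbox report. The `dig` binary is assumed to be installed; the domain name is a placeholder and the parsing functions are exercised on constructed answer lines, so no live query is needed to follow the logic.

```shell
#!/usr/bin/env sh
# Added example: passive DNS inventory and email-auth check for a domain you
# own. Assumes `dig` (BIND utilities) is on PATH; example.com is a placeholder.

# Query one record type and print only the answer section lines.
lookup() {
  dig +noall +answer "$1" "$2"
}

# Given the apex TXT answer lines, succeed (return 0) if an SPF record
# (v=spf1) is present, otherwise fail (return 1).
has_spf() {
  printf '%s\n' "$1" | grep -qi 'v=spf1'
}

# Given the TXT answer lines for _dmarc.<domain>, print the DMARC policy
# (none, quarantine or reject) or "missing" when no DMARC record exists.
# The [; ]p= anchor avoids mistaking the subdomain policy "sp=" for "p=".
dmarc_policy() {
  policy=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | grep 'v=dmarc1' \
    | sed -n 's/.*[; ]p=\([a-z]*\).*/\1/p' | head -n 1)
  if [ -n "$policy" ]; then
    printf '%s\n' "$policy"
  else
    printf 'missing\n'
  fi
}

# Full audit of one domain: list nameservers and mail servers, then report
# SPF presence and the DMARC policy.
audit_domain() {
  d="$1"
  echo "== NS and MX records for $d =="
  lookup "$d" NS
  lookup "$d" MX
  txt=$(lookup "$d" TXT)
  dmarc=$(lookup "_dmarc.$d" TXT)
  if has_spf "$txt"; then echo "SPF: present"; else echo "SPF: MISSING"; fi
  echo "DMARC policy: $(dmarc_policy "$dmarc")"
}

# Run the live audit only when a domain is passed on the command line.
if [ -n "${1:-}" ]; then
  audit_domain "$1"
fi
```

Usage: `sh dns_audit.sh yourdomain.example`. A DMARC policy of `none` means receiving mail servers are only asked to report, not to act, so it shows up in the output as a weaker setting than `quarantine` or `reject`.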

## Active Reconnaissance

Interacting directly with the target. **Needs permission before going beyond public access.**

### Tools/Strategies

* Nmap
  * Network scanner that can be found on Kali
  * Gives you good guesses as to which hosts and services are exposed to the public
  * If inside the network, it helps with finding services
    * This can/will set off many "alarms" depending on how the network is set up
* Nikto website scanner: <https://www.cirt.net/nikto2/>
  * Checks web servers against its database of known vulnerabilities.
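The Nmap bullets point out that a scan shows what is exposed; the useful follow-up on a host you are authorized to scan is to compare that against what you expect to be exposed. The script below is an added example (not part of the original notes) that parses Nmap's grepable output (`-oG -`) and reports any open port not on an allowlist. It assumes `nmap` is installed for the live run; the parsing functions are exercised on a constructed `-oG` line, and the host address and allowlist are placeholders.

```shell
#!/usr/bin/env sh
# Added example: diff Nmap's open ports against an allowlist for a host you
# own. Assumes `nmap` is on PATH for live use; 192.0.2.10 is a placeholder.

# From one grepable "Host:" line, print the port numbers whose state is
# "open", one per line, numerically sorted. Entries look like
# "22/open/tcp//ssh///" and are separated by ", ".
open_ports() {
  printf '%s\n' "$1" | tr '\t' '\n' | sed -n 's/^Ports: //p' | tr ',' '\n' \
    | awk -F/ '$2 == "open" { sub(/^ */, "", $1); print $1 }' | sort -n
}

# Print each port in $1 (space-separated) that is absent from the
# space-separated allowlist $2.
unexpected_ports() {
  for p in $1; do
    case " $2 " in
      *" $p "*) ;;
      *) printf '%s\n' "$p" ;;
    esac
  done
}

# Live use: scan one host and fail (return 1) if anything beyond the
# allowlist is open, e.g. audit_host 192.0.2.10 "22 443".
audit_host() {
  line=$(nmap -oG - "$1" | grep '^Host:.*Ports:')
  found=$(open_ports "$line" | tr '\n' ' ')
  extra=$(unexpected_ports "$found" "$2" | tr '\n' ' ')
  if [ -n "$extra" ]; then
    printf 'Unexpected open ports on %s: %s\n' "$1" "$extra"
    return 1
  fi
  printf 'Only expected ports open on %s\n' "$1"
}

# Run the live audit only when a host and allowlist are passed on the command line.
if [ -n "${2:-}" ]; then
  audit_host "$1" "$2"
fi
```

Usage: `sh port_audit.sh 192.0.2.10 "22 443"`. The non-zero exit status when extra ports are found makes it easy to run from a scheduled job and alert on drift from the expected exposure.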
