Active/Passive Reconnaissance

Goals of Recon

  • Network Information (IPs, CIDR, Domains)

  • Systems (Server Names/IPs)

  • Web Applications

  • Security Tools (Firewalls, IDS/IPS, Endpoint Security)

  • People (Leadership, Admins, Engineers, Developers, etc.)

  • Partners (Vendors, Hosting Providers)

Passive Reconnaissance

Mostly OSINT: publicly available information

Tools/Strategies

  • ICANN

  • Domain Registration (contact names, addresses, nameserver info)

  • IP Addresses Registration

    • Internet Assigned Numbers Authority (IANA) - five regional registries

      • AfriNIC - Africa

      • APNIC - Asia/Pacific

      • ARIN - North America

      • LACNIC - Latin America and Caribbean

      • RIPE - Europe, Middle East, Central Asia

  • Google Dorking

    • Also known as Google hacking

  • The Harvester

    • Command line tool to query multiple search engines

    • Included in Kali, but has had issues in the past

  • Netcraft

    • Provides technical reports on other websites

  • Metagoofil (technically not passive, because you retrieve documents from the target's hosts, but it can give much larger insight into the target)

    • Kali utility that is designed for extracting metadata from public documents

  • DNS

    • Nslookup and Dig are useful command line tools

    • Dnsrecon (included in Kali) offers a streamlined approach to gathering DNS data; however, pull down the latest version before using it

    • MxToolbox

      • Find the email service provider, DNS information, WHOIS information, and more
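The Metagoofil entry above is about metadata that leaks from public documents. The following is an added example, not a tool or code from the original notes, showing the defensive side of the same idea: a pre-publication check that reads the Info dictionary of a PDF and reports the fields (Author, Creator, Producer) that typically reveal usernames and software versions. The PDF bytes are constructed for the example, and the regex-based parsing is an assumption that keeps the example self-contained; a real check would use a PDF library.

```python
import re

# Constructed minimal PDF (not a real document): its Info dictionary carries the
# kind of fields a metadata harvester pulls out of published documents.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Network Diagram) /Author (jsmith) /Creator (Microsoft Word) /Producer (Acrobat Distiller 9.0) /ModDate (D:20240301120000Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Trailer reference to the Info dictionary, e.g. "/Info 3 0 R".
INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+0\s+R")
# "/Key (literal string)" entries. Escaped or nested parentheses are not handled;
# this demonstrates the idea, a production check should use a PDF library.
ENTRY_RE = re.compile(rb"/([A-Za-z]+)\s*\(([^()]*)\)")

# What each Info field tends to reveal (assumption: a typical corporate document).
LEAK_HINTS = {
    "Author": "user account or employee name",
    "Creator": "authoring software, often with a version",
    "Producer": "PDF generator software and version",
}


def find_info_object(pdf: bytes):
    """Return the raw body of the Info dictionary, or None if the file has none."""
    ref = INFO_REF_RE.search(pdf)
    if not ref:
        return None
    # Locate "<N> 0 obj << ... >> endobj" for the referenced object number.
    obj_re = re.compile(
        rb"(?m)^" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj", re.S
    )
    obj = obj_re.search(pdf)
    return obj.group(1) if obj else None


def extract_metadata(pdf: bytes) -> dict:
    """Map Info dictionary keys to their string values."""
    body = find_info_object(pdf)
    if body is None:
        return {}
    return {k.decode(): v.decode("latin-1") for k, v in ENTRY_RE.findall(body)}


def metadata_findings(pdf: bytes) -> list:
    """List (field, value, what it reveals) for fields worth scrubbing before publishing."""
    meta = extract_metadata(pdf)
    return [(k, meta[k], LEAK_HINTS[k]) for k in LEAK_HINTS if meta.get(k)]


if __name__ == "__main__":
    for field, value, hint in metadata_findings(SAMPLE_PDF):
        print(f"{field}: {value!r} -> reveals {hint}")
```

Run it against documents before they go on a public web server; anything the check reports is exactly what a passive harvester would collect later, and most office suites and PDF exporters can strip these fields on save.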

Active Reconnaissance

Interacting directly with the target - needs permission when going beyond public access

Tools/Strategies

  • Nmap

    • Network scanner that can be found on Kali

    • Can give you good guesses as to what targets are open to the public

    • If inside the network can help with finding services

      • This can/will set off many "alarms" depending on how the network is set up

  • Nikto Website scanner https://www.cirt.net/nikto2/

    • Looks in its database for vulnerabilities on web servers.
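The Nmap entry notes that scanning from inside a network sets off "alarms". As an added example (not code from the original notes), this is what one of those alarms looks like on the defender's side: a sliding-window detector that reads firewall log lines and flags a source that touched many distinct host/port pairs within a short window. The log format and the sample lines are constructed for the example, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (syslog-like, made up for this example).
# 203.0.113.7 probes many ports on one host in a few seconds; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T10:00:01Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2024-03-01T10:00:02Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2024-03-01T10:00:02Z fw ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T10:00:03Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp
2024-03-01T10:00:03Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=143 proto=tcp
2024-03-01T10:00:04Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T10:00:04Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2024-03-01T10:00:05Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2024-03-01T10:00:05Z fw DENY src=203.0.113.7 dst=192.0.2.10 dport=8080 proto=tcp
2024-03-01T10:00:06Z fw DENY src=203.0.113.7 dst=192.0.2.11 dport=22 proto=tcp
2024-03-01T10:00:07Z fw ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T10:00:09Z fw ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T10:05:00Z fw ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp
"""

# Assumed log layout: "<iso-timestamp> <host> <ALLOW|DENY> src= dst= dport= proto=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(log_text: str, window_seconds: int = 60, min_distinct_targets: int = 8) -> list:
    """Alert on any source that hits >= min_distinct_targets distinct (dst, dport)
    pairs inside a sliding window of window_seconds. Allowed and denied
    connections both count: a scan of open ports is still a scan."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # (dst, dport) -> number of events currently inside the window
        start = 0
        peak = 0
        for ev in evs:
            in_window[(ev["dst"], ev["dport"])] += 1
            # Slide the window forward: drop events older than window_seconds.
            while ev["ts"] - evs[start]["ts"] > window:
                old = (evs[start]["dst"], evs[start]["dport"])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_targets:
            alerts.append({
                "src": src,
                "distinct_targets": peak,
                "first_seen": evs[0]["ts"].isoformat(),
                "last_seen": evs[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan from {alert['src']}: "
              f"{alert['distinct_targets']} distinct host/port pairs "
              f"({alert['first_seen']} .. {alert['last_seen']})")
```

The window and threshold decide the trade-off: a small window with a high threshold only catches fast scans, while a long window with a low threshold also catches slow scans but starts to flag legitimate monitoring and backup hosts, which is why the scanning noted above can be so visible on a well-tuned network.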