Sunday 8 January 2017

What is the Reconnaissance step of Penetration Testing?



Reconnaissance is the first step of any penetration test or ethical hacking engagement: it is where we start gathering information about the target and prepare for the steps that follow.
There are two types of reconnaissance: Passive and Active.

Passive Reconnaissance
  • This step is used to gather information about a company, network, or other target without using any intrusive means
  • It is very difficult for the target company to detect or defend against
  • Most of this information is publicly available on the web, in newspapers, advertisements, brochures, etc.
  • You can use resources like company websites, Securities and Exchange Commission filings, the Better Business Bureau, literature, job postings (e.g. if Nortel skills are required, you will know they have Nortel equipment), partner sites, etc.
  • Information can include names of company officers, addresses of major locations (data centres), partner networks and connections, types of systems used (FW, IDS, etc.), IP address space, domain names, etc.
  • Gathering information with Whois and other tools
    • Names of administrators, IP address space, location, email addresses, phone numbers, etc.
  • Other tools include Sam Spade; web-based tools are also available
  • One popular tool is Maltego on Kali Linux, which will be explained later in this book


Active Reconnaissance

  • At this stage the hacker uses more intrusive methods to gather information and actively touches the target's sites and networks, in the same way a normal user would
  • It does not involve breaking into any system
  • May involve personal contact or site visits
Some Tools and Methods:
  • Banner Grabbing - Telnet/SSH to devices and read the banner to identify what they are
  • Mail Bouncing - Send an email to a wrong email address, then read the bounce message to identify the mail servers
  • DNS Zone Transfers - To get a list of all the available servers and hosts in a zone
  • View the company's public web site source code and directory structure - To identify the type of CMS they are possibly using
  • Social Engineering - e.g. Find out where the sysadmin goes after work, go there too, socialize, make friends and get the information out of him!
  • Shoulder Surfing - Stand behind someone, look over their shoulder and gather information like passwords, codes, etc.
  • Dumpster Diving - Going through discarded material for information; this is mainly done by local people who steal information
  • Piggybacking/Site Visits - e.g. Following people into buildings, visiting sites and bypassing physical security
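
From the defender's side, the DNS Zone Transfer item above is one of the easiest active techniques to spot: a transfer request (AXFR/IXFR) arriving from anything other than your own secondary name servers is a clear signal. The following script is an added example, not part of the original post; it runs over constructed BIND 9 style query-log lines and assumes that 192.0.2.2 is the only legitimate transfer peer.

```python
import ipaddress
import re

# Constructed sample lines in BIND 9 query-log style (not taken from any real server).
SAMPLE_LOG = """\
08-Jan-2017 10:01:02.123 client 198.51.100.7#40112 (example.com): query: example.com IN AXFR -TE (192.0.2.1)
08-Jan-2017 10:01:05.456 client 192.0.2.2#53 (example.com): query: example.com IN AXFR -TE (192.0.2.1)
08-Jan-2017 10:01:09.789 client 203.0.113.9#51234 (www.example.com): query: www.example.com IN A -E (192.0.2.1)
08-Jan-2017 10:02:11.000 client 198.51.100.7#40113 (example.com): query: example.com IN IXFR -TE (192.0.2.1)
"""

# Assumed: the only host allowed to pull the zone is our secondary name server.
ALLOWED_TRANSFER_PEERS = [ipaddress.ip_network("192.0.2.2/32")]

# Accepts both the classic format and the newer one that carries a "@0x..." client pointer.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?(?P<src>[0-9a-fA-F:.]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) IN (?P<qtype>\S+) "
)


def find_unauthorized_transfers(log_text, allowed=ALLOWED_TRANSFER_PEERS):
    """Return (timestamp, source, zone, qtype) for every AXFR/IXFR request
    whose source address is not one of the allowed transfer peers."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("qtype") not in ("AXFR", "IXFR"):
            continue  # not a parsable line, or an ordinary lookup
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in allowed):
            continue  # legitimate secondary pulling the zone
        hits.append((m.group("ts"), str(src), m.group("name"), m.group("qtype")))
    return hits


if __name__ == "__main__":
    for ts, src, zone, qtype in find_unauthorized_transfers(SAMPLE_LOG):
        print(f"{ts}: {qtype} request for {zone} from {src} (not an allowed transfer peer)")
```

The same check belongs in the server configuration too: restricting zone transfers to the secondaries (BIND's allow-transfer) stops the enumeration, and the log rule then tells you who tried.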



Putting it all together

  • Use reconnaissance techniques to footprint an organization's structure and network
  • Gather publicly available or easily obtained information about the target organization
  • Use this information to determine weaknesses and the organization's boundaries
  • Examples include names, addresses, titles and phone numbers of company personnel
  • IP address ranges and domain structure (e.g. using BGP data or lookups)
  • Infrastructure layout and software used
  • Document all the findings from this step and put them together
  • The information gained at this step serves as the starting point for the next steps


