Taxonomy of Reconnaissance
In a red team operation, you might start with no more than a company name, from which you need to start gathering information about the target. This is where reconnaissance comes into play. Reconnaissance (recon) can be defined as a preliminary survey or observation of your target (client) without alerting them to your activities. If your recon activities create too much noise, the other party would be alerted, which might decrease the likelihood of your success.
Reconnaissance (recon) can be classified into two parts:
# Passive Recon: can be carried out by watching passively.
# Active Recon: requires interacting with the target to provoke it in order to observe its response.
Passive recon doesn't require interacting with the target. In other words, you aren't sending any packets or requests to the target or the systems your target owns. Instead, passive recon relies on publicly available information that is collected and maintained by a third party. Open Source Intelligence (OSINT) is used to collect information about the target and can be as simple as viewing a target's publicly available social media profile. Example information that we might collect includes domain names, IP address blocks, email addresses, employee names, and job posts. In the upcoming task, we'll see how to query DNS records, expand on the topics from the Passive Reconnaissance room, and introduce advanced tooling to aid in your recon.
Active recon requires interacting with the target by sending requests and packets and observing if and how it responds. The responses collected - or the lack of responses - enable us to expand on the picture we started developing using passive recon. An example of active reconnaissance is using Nmap to scan target subnets and live hosts. Other examples can be found in the Active Reconnaissance room. Information that we would want to discover includes live hosts, running servers, listening services, and version numbers.
Active recon can be classified as:
# External Recon: Conducted from outside the target's network and focused on the externally facing assets accessible from the Internet. One example is running Nikto from outside the company network.
# Internal Recon: Conducted from within the target company's network. In other words, the pentester or red teamer might be physically located inside the company building, or they might be using an exploited host on the target's network. An example would be using Nessus to scan the internal network from one of the target's computers.
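The distinction above matters because active recon is exactly the "noise" mentioned at the start: every probe leaves a record on the target's side. The following is an added example (not part of the original room, and not a TryHackMe tool) of the kind of detection a defender would run over firewall logs to spot a host sweeping many ports in a short window; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
# "<ISO timestamp> <src ip> <dst ip> <dst port> <ALLOW|DENY>"
# 10.0.0.5 sweeps 12 ports in 12 seconds (scanner-like);
# 10.0.0.7 touches two services over a few minutes (normal use).
SCAN_LINES = [f"2024-01-01T10:00:{i:02d} 10.0.0.5 192.168.1.10 {p} DENY"
              for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135,
                                     139, 143, 443, 445])]
NORMAL_LINES = ["2024-01-01T10:00:05 10.0.0.7 192.168.1.10 443 ALLOW",
                "2024-01-01T10:00:30 10.0.0.7 192.168.1.20 80 ALLOW",
                "2024-01-01T10:03:00 10.0.0.7 192.168.1.10 443 ALLOW"]
SAMPLE_LOG = "\n".join(SCAN_LINES + NORMAL_LINES)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse_lines(text):
    """Parse log text into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, src, dst, port, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_scanners(events, window=timedelta(seconds=60), threshold=10):
    """Return {src: max distinct (dst, port) pairs seen in any `window`}
    for sources that exceed `threshold` pairs, i.e. likely port sweeps."""
    per_src = defaultdict(list)
    for ts, src, dst, port, _action in sorted(events, key=lambda e: e[0]):
        per_src[src].append((ts, dst, port))
    flagged = {}
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):           # sliding time window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {(d, p) for _, d, p in hits[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def run_example():
    return detect_scanners(parse_lines(SAMPLE_LOG))


if __name__ == "__main__":
    print(run_example())  # the sweeping host is flagged, the normal one is not
```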