The Unified Kill Chain model created by Paul Pols describes the phased, strategic progression a bad actor may follow, from gaining an initial foothold in a system right through to the exfiltration of data and other negative impacts. Before an attacker reaches these late phases of the model, it is tremendously important that thorough reconnaissance of the target is carried out. This is where passive and active reconnaissance come into play. By gaining a thorough understanding of the target's systems, users, business processes, clients etc., the attacker essentially widens the attack surface, which may make things easier when it comes to achieving their desired attack objectives.
It is important that both penetration testers and network defenders understand the reconnaissance process and how it can be used to map an initial attack surface or, in the case of a defender, how it can be used to reduce that attack surface. Let's dive straight in and look at the basics of each reconnaissance type.
Passive Reconnaissance
This is the initial discovery and knowledge-gathering phase, relying on publicly available information without directly engaging with the target. There are various approaches or techniques that one can follow during the discovery phase, most of which are derived from the OSINT (open-source intelligence) Framework, including:
- General social media searches of the target's staff and contractors. The goal is to gain as much information about key staff members as possible, which could be used later in a potential spear-phishing attack.
- Checking the target's website for any information about clients or partners which could be used later in a social engineering type attack.
- DNS and WHOIS lookups may reveal information about the target's registered domains and contact information.
- DNSdumpster can reveal any potential sub-domains that may be useful to the attacker.
- SHODAN searches which may provide the attacker with technical information about the target's network infrastructure such as IP addresses, server types and versions, geographical locations etc.
- Google Maps/Google Earth can be useful to gain information about the physical layout of the target's office space, which may reveal weak points in their physical security that could be exploited in various ways, especially if the pentester has been tasked with checking the security of Wi-Fi networks and biometric systems.
The list goes on. Because this is a high-level overview of the topic I won't go into the actual usage of these techniques and tools; I will leave that for you to explore. The bottom line with passive reconnaissance is to gain as much usable information about the target as possible before actively engaging with it. This leads us to active reconnaissance.
Active Reconnaissance
Once we have gathered information about the target, the active reconnaissance phase requires that some kind of direct contact is made with the target. This usually ranges from a direct telephone call or site visit to making a direct connection to the target's systems in the form of port scans, ping sweeps etc. Just a side note: when we get to this stage of the reconnaissance process, it is essential that you have explicit, signed legal authorization and a predefined attack scope agreement from your client before engaging any targets.
Right, with the legal stuff out of the way, let's start with the fun stuff and look at some tools that we can use during the active reconnaissance process.
- Your good old web browser – pretty much every browser has a set of developer tools which can be used to examine the target's websites or web apps. There is plenty of information we can gather using the browser, such as inspecting cookies, JavaScript and the site's HTML code, which may hold some information that we can later exploit.
- The ping tool – regardless of the operating system used, on most you will be able to make use of the ping tool. Pinging a target's IP address is a basic way to determine if the target machine is online. Just a side note: sometimes ICMP traffic may be blocked by the target machine's firewall, which means that when you attempt to ping the machine it will appear to be offline. A tool called Nmap can be used to recon a machine regardless of ICMP traffic being blocked; more on this later.
- Traceroute – similar to the ping tool, the traceroute tool is found on most operating systems and can be used to trace or count the number of hops between routers that network traffic needs to travel through to get to its final destination. This tool can be useful to allow us to plot the target's network topology, and in some cases the routers that traffic is routed through may reveal their IP addresses, which we can later examine for any weaknesses.
- Telnet – a protocol used to communicate with remote systems via a command-line interface (CLI). It's been around since the late 1960s and is considered insecure by today's standards, because all data sent and received via a telnet session is in cleartext. This makes it easy for an attacker to steal login credentials through a man-in-the-middle attack. Telnet, however, has other uses: being a TCP-based protocol, it can be used to communicate with other TCP-based services. For example, we could telnet to a machine on port 80 (HTTP) and send arbitrary HTTP requests to the machine to gather additional information.
- Netcat, or just nc for short, is another useful tool in the pentester's arsenal. It can function over both UDP and TCP and can be used in a similar way to telnet, allowing for remote communication with a target machine. In addition to this, Netcat can also be used in a listening or server mode, where it could be used to listen for a reverse shell script "calling home"; however, this is outside the scope of this topic, and perhaps I will do a future writeup on it.
- And finally we can also use Nmap. Nmap is a feature-packed tool that allows us to perform target discovery, basic and advanced port scans, and it even has script integrations allowing us to scan for known vulnerabilities. Nmap is pretty comprehensive, and I will do a writeup about it in the future; it's really important to know how it works to be successful at active reconnaissance.
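Here is the defender's view of the port scans and ping sweeps described above, as an added example that is not part of the original post: a small Python detector run over constructed firewall log lines in a simplified iptables LOG format, with the log format and the alert thresholds chosen as assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified iptables LOG format (an assumption): one source
# probing many ports on one host, one source pinging several hosts, and benign traffic.
SAMPLE_LOG = """\
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.7 DST=192.0.2.2 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.7 DST=192.0.2.3 PROTO=ICMP TYPE=8
IN=eth0 SRC=198.51.100.7 DST=192.0.2.4 PROTO=ICMP TYPE=8
IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=443
IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=80
IN=eth0 SRC=192.0.2.50 DST=192.0.2.1 PROTO=ICMP TYPE=8
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<icmp_type>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

def detect_recon(log_text, port_threshold=5, host_threshold=4):
    """Flag sources behaving like port scanners or ping sweepers.

    port scan : one SRC touching >= port_threshold distinct TCP/UDP ports on one DST
    ping sweep: one SRC sending ICMP echo requests (TYPE=8) to >= host_threshold DSTs
    """
    ports_by_pair = defaultdict(set)  # (src, dst) -> distinct destination ports
    hosts_by_src = defaultdict(set)   # src -> distinct hosts it sent echo requests to
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet line (or truncated); skip rather than crash
        f = m.groupdict()
        if f["proto"] in ("TCP", "UDP") and f["dpt"]:
            ports_by_pair[(f["src"], f["dst"])].add(int(f["dpt"]))
        elif f["proto"] == "ICMP" and f["icmp_type"] == "8":
            hosts_by_src[f["src"]].add(f["dst"])
    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= host_threshold:
            alerts.append(("ping_sweep", src, None, len(hosts)))
    return alerts
```

Real deployments would add a time window so that slow scans and busy legitimate clients are told apart; the thresholds here are deliberately low for the sample data.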
There are many other tools that I have not added to this list, and I will cover these in future posts when we dive into actual target enumeration in more detail. I hope that I have succinctly described the difference between passive and active reconnaissance, and as always I invite constructive discussion in the comments section below.
Happy hunting!