Reconnaissance
Last week we looked at connecting to servers and shells, and practised connecting to remote servers in different ways.
This week we are going to look at reconnaissance (recon), and discuss methods for gathering information about your target organisation and systems.
Reconnaissance
The OED[1] defines reconnaissance as:
- The action or an act of examining or surveying a tract of country with a view to ascertaining the position or strength of an enemy, or to discovering the nature of the terrain or resources of a district before making an advance. Also (Navy): a survey of a coast, etc., made for similar purpose
- A survey, inspection, etc., carried out in order to gain information of some kind; the action of carrying out such a survey.
- The action or an act of surveying an area for practical or scientific purposes.
When we look at the formalised pentest process, recon is the "second" stage, after scoping. However, while it is true that there is a dedicated recon phase, recon should be an ongoing process: as you learn more about the target, the focus and methods of your recon will change.
Trying Harder
A common response on HTB forums is "Try Harder". Perhaps "Recon more" would be better.
Topics for the Week
- Passive Recon (Monday)
  - What is Passive Recon
  - Simple Searches
  - Infrastructure Tools: DNS, Netcraft
  - Viewing a site without visiting it: Wayback, Cache
  - Google Dorks
- Active Recon (Thursday)
  - Nmap
Labs for the Week
We have 2 lab tasks for the week.
- Passive Recon
  For "Homework" following the Monday session, I want you to take a look at passive recon.
  Pick a website (for example coventry.ac.uk) and take a look at the following:
  - What kind of infrastructure can you find
[1] http://www.oed.com/view/Entry/159813?redirectedFrom=reconnaissance#eid