Passive Reconnaissance
Previously we introduced reconnaissance as a concept and described its two forms:
- Active: gathering information by interacting with a system or service
- Passive: gathering information without interacting with a system or service
One significant advantage of taking a passive approach is that we gather this information silently, without alerting the target to our intentions. Typically, this information comes from publicly available sources; the web (and the infrastructure supporting it) is a goldmine of information.
While it may appear that passive reconnaissance would be less useful, there is a surprising amount of information that can be gathered from public sources. For example, we can get a good idea of the structure of an organisation's key web infrastructure, and of the services it uses, by examining its DNS records.
Additionally, as a large amount of passive reconnaissance is person-focused, it can be invaluable when attempting any social-engineering-based attack. Understanding the structure of an organisation, and the people within it, gives you an advantage here.
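As an added example (not code from the original article) of what the DNS records mentioned above can reveal: the function below takes a set of records and matches them against well-known fingerprints for hosted mail providers, SaaS domain-verification tokens and hosting CNAMEs, and reads the domain's DMARC policy, which bears directly on how easy the domain is to spoof in a phishing campaign. The record set for example.test is constructed for illustration (.test is a reserved TLD); on a real engagement you would fill it from dig or dnspython lookups, and the fingerprint table is a starting point, not an exhaustive list.

```python
"""Infer an organisation's service stack from its public DNS records.

Added example, not code from the original article. The record set below is
constructed for illustration (example.test is a reserved, non-routable TLD);
a real run would replace it with the output of `dig` or dnspython lookups.
"""
import re

# Constructed DNS answers for a hypothetical target. Keys are (name, type).
SAMPLE_RECORDS = {
    ("example.test", "MX"): ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com."],
    ("example.test", "TXT"): [
        "v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all",
        "google-site-verification=abc123",
        "MS=ms12345678",
        "atlassian-domain-verification=xyz",
    ],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    ("www.example.test", "CNAME"): ["example-test.github.io."],
    ("careers.example.test", "CNAME"): ["boards.greenhouse.io."],
    ("vpn.example.test", "A"): ["203.0.113.10"],
}

# Well-known fingerprints: a substring seen in a record value -> the service it implies.
FINGERPRINTS = {
    "MX": {
        "aspmx.l.google.com": "Google Workspace (mail)",
        "mail.protection.outlook.com": "Microsoft 365 (mail)",
        "mx.zoho.com": "Zoho Mail",
    },
    "SPF": {
        "_spf.google.com": "Google Workspace (mail)",
        "spf.protection.outlook.com": "Microsoft 365 (mail)",
        "sendgrid.net": "SendGrid (transactional mail)",
        "servers.mcsv.net": "Mailchimp (marketing mail)",
    },
    "TXT": {
        "google-site-verification=": "Google services (domain verified)",
        "MS=ms": "Microsoft 365 / Azure AD (domain verified)",
        "atlassian-domain-verification=": "Atlassian Cloud (Jira/Confluence)",
        "docusign=": "DocuSign",
    },
    "CNAME": {
        "github.io": "GitHub Pages (static hosting)",
        "greenhouse.io": "Greenhouse (recruiting; job postings)",
        "herokuapp.com": "Heroku",
        "cloudfront.net": "AWS CloudFront",
    },
}


def infer_services(records):
    """Return {service: [evidence...]} for every fingerprint matched in `records`."""
    findings = {}

    def hit(service, evidence):
        findings.setdefault(service, []).append(evidence)

    for (name, rtype), values in records.items():
        for value in values:
            if rtype == "MX":
                for needle, svc in FINGERPRINTS["MX"].items():
                    if needle in value:
                        hit(svc, f"MX {name} -> {value}")
            elif rtype == "CNAME":
                for needle, svc in FINGERPRINTS["CNAME"].items():
                    if needle in value:
                        hit(svc, f"CNAME {name} -> {value}")
            elif rtype == "TXT":
                if value.lower().startswith("v=spf1"):
                    # Each include: names a third party allowed to send mail as the domain.
                    for inc in re.findall(r"include:(\S+)", value):
                        for needle, svc in FINGERPRINTS["SPF"].items():
                            if needle in inc:
                                hit(svc, f"SPF include:{inc} on {name}")
                else:
                    for needle, svc in FINGERPRINTS["TXT"].items():
                        if value.startswith(needle):
                            hit(svc, f"TXT {name} = {value}")
    return findings


def dmarc_policy(records, domain):
    """Return the DMARC 'p=' value for `domain`, or None if no DMARC record exists.

    p=none means mail failing SPF/DKIM is still delivered, which makes
    spoofing the domain easier for a phishing campaign."""
    for value in records.get((f"_dmarc.{domain}", "TXT"), []):
        m = re.search(r"\bp=(\w+)", value)
        if value.upper().startswith("V=DMARC1") and m:
            return m.group(1).lower()
    return None


if __name__ == "__main__":
    for svc, evidence in sorted(infer_services(SAMPLE_RECORDS).items()):
        print(svc)
        for e in evidence:
            print("   ", e)
    print("DMARC policy:", dmarc_policy(SAMPLE_RECORDS, "example.test"))
```

Note what falls out of a handful of records without a single packet reaching the target: the mail platform, the marketing and transactional mail providers a phishing mail could imitate, the ticketing system, the recruiting platform (itself a source of job postings) and a DMARC policy of none, meaning spoofed mail from the domain is not rejected.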
Sources of Passive Reconnaissance
The objective here is to gather as much information about the organisation, and the people within it, as you can:
- Gather information on the target's web presence
- Use search engine results to refine this information
- Examine third-party sites to gain insight:
  - Forums
  - Newsgroups
  - Job postings
- Acquire publicly available information on the business:
  - Companies House
  - Netcraft
- Check what DNS information is available
- Historical information (web caches / the Wayback Machine)
We will examine each of these methods individually in future articles.
Types of Information we may gather
- Website addresses
- Subdomains of websites
- Web server information
- Web server directory tree
- Information on services and software the organisation uses
- Information on people who work for the organisation that could be used in a phishing attack
Isn't this stuff useless?
In a Q&A session, Fyodor (creator of Nmap; we will find out more about him later) gave an interesting insight into how he would go about testing a company.
Quote
4) Have you ever been tempted to use your gifts...in a negative manner?
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
Fyodor
I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.
Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.
Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over black hat activity:
You don't go to jail (If you've worded your contract carefully.) Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management. They actually pay you for this! And you are helping to protect them and the privacy of their customers.
Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag. [1]
Note that the first mention of active recon comes towards the end of the second paragraph, and is a very small section of the overall answer.
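Fyodor's point about the IPs in mail routing headers, as an added example that is not part of the article or of his answer: the code below takes a raw message of the kind a public mailing-list archive might expose, walks its Received: headers from the sender outwards, and pulls out the private addresses and hostnames that internal relays leak along the way. The message, hostnames and addresses are constructed (RFC 5737 documentation ranges, RFC 1918 space and the reserved .test TLD); what they illustrate is real: an internal naming convention, an Exchange server and the sender's workstation, none of which appear in public DNS.

```python
"""Pull hop-by-hop routing information out of an e-mail's Received: headers.

Added example, not part of the original article or of Fyodor's answer. The
message below is constructed; hostnames and addresses use documentation and
private ranges (RFC 5737 / RFC 1918 / RFC 2606), not real infrastructure.
"""
import email
import ipaddress
import re
from email import policy

# Constructed raw message, as it might be pulled from a public mailing-list archive.
SAMPLE_MESSAGE = b"""\
Received: from mx2.list-archive.test (mx2.list-archive.test [198.51.100.7])
\tby archive.list-archive.test with ESMTP id 4F2A; Mon, 3 Jun 2024 09:15:02 +0000
Received: from gw.example.test (gw.example.test [203.0.113.25])
\tby mx2.list-archive.test with ESMTPS; Mon, 3 Jun 2024 09:15:01 +0000
Received: from EXCH01.corp.example.test (10.20.1.15) by gw.example.test
\twith Microsoft SMTP Server (TLS); Mon, 3 Jun 2024 09:14:59 +0000
Received: from WS-JSMITH.corp.example.test ([10.20.45.112]) by EXCH01.corp.example.test
\twith MAPI; Mon, 3 Jun 2024 09:14:58 +0000
From: Jane Smith <jane.smith@example.test>
To: security-list@list-archive.test
Subject: Re: patching schedule
X-Mailer: Microsoft Outlook 16.0

We will roll the June patches on Thursday.
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Explicit RFC 1918 check: ipaddress.is_private also counts documentation ranges,
# which would wrongly flag the public relays in this sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # regex matched something like 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)


def parse_received(raw):
    """Return hops oldest-first: [{'from_host', 'ips', 'by', 'internal'}, ...].

    Each relay prepends its own Received: header, so the header nearest the
    body is the first hop, i.e. the one closest to the sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(str(hdr).split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", hdr)
        m_by = re.search(r"\bby\s+(\S+)", hdr)
        from_clause = hdr.split(" by ", 1)[0]  # only the sending side's addresses
        ips = IP_RE.findall(from_clause)
        hops.append({
            "from_host": m_from.group(1) if m_from else None,
            "ips": ips,
            "by": m_by.group(1) if m_by else None,
            # Private space only appears here because a relay leaked internal addressing.
            "internal": any(is_rfc1918(ip) for ip in ips),
        })
    return hops


def internal_assets(raw):
    """Hostnames and private IPs seen on internal hops: the part of the
    network map a passive observer otherwise cannot see."""
    hosts, ips = set(), set()
    for hop in parse_received(raw):
        if hop["internal"]:
            ips.update(hop["ips"])
            h = hop["from_host"]
            if h and not h.startswith("["):  # skip bare IP literals like [10.0.0.1]
                hosts.add(h)
    return sorted(hosts), sorted(ips)


def mail_client(raw):
    """The X-Mailer / User-Agent header often names the desktop software in use."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get("X-Mailer") or msg.get("User-Agent")


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_MESSAGE):
        print(hop)
    print("internal assets:", internal_assets(SAMPLE_MESSAGE))
    print("client:", mail_client(SAMPLE_MESSAGE))
```

The two inner hops give away the Active Directory domain (corp.example.test), a server naming scheme (EXCH01), a workstation naming scheme that embeds the username (WS-JSMITH), two addresses in 10.20.0.0/16 and the mail client version, all without touching the target.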
Summary
Passive reconnaissance gives us the opportunity to collect a surprisingly wide range of information on our target without directly interacting with their systems or processes. This has the advantage of not alerting the target, and may also help us find information that the target themselves are not aware of.
We have also introduced some tools and concepts we will be using for passive reconnaissance during the rest of this week's tasks.
Discuss
If we assume that the objective of passive recon is to avoid detection, it could be argued that browsing an organisation's website falls into a grey area between active and passive reconnaissance. Depending on the size of an organisation and the web traffic it receives, looking at areas of the site that are available to the public may be lost in the noise of normal activity, and is therefore unlikely to be flagged up in server logs.
What are your views on this?
- What kinds of activities would be likely to be flagged?
- What kinds of checks can an organisation put in place to detect this?
- Are there any ways a hacker could circumvent these checks?
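One way an organisation could answer the second question, added here as an example and not part of the original article: score each source address in the web server's access log on signals that separate probing from browsing, namely requests for paths no visitor reaches by clicking a link, user-agents of automation tools, and a burst of client errors in a short window. The log lines are constructed in combined log format with RFC 5737 addresses; the probe path list, user-agent list and burst threshold are assumptions a defender would tune to their own site.

```python
"""Score web-server visitors for reconnaissance-like behaviour.

Added example for the discussion above; not code from the original article.
The access-log lines are constructed in Apache/nginx combined format with
documentation addresses (RFC 5737); the lists and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths nobody reaches by following links; a request for them is a probe.
PROBE_PATHS = ("/.git/", "/.env", "/wp-admin", "/admin", "/phpinfo.php", "/server-status", "/.svn/")
SCANNER_UA = ("nikto", "sqlmap", "nmap", "masscan", "python-requests", "curl/", "gobuster", "dirbuster")

# Constructed sample: one ordinary visitor, one scripted probe, one careful manual poke.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"
203.0.113.5 - - [03/Jun/2024:10:00:09 +0000] "GET /about HTTP/1.1" 200 3200 "http://www.example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"
203.0.113.5 - - [03/Jun/2024:10:01:40 +0000] "GET /careers HTTP/1.1" 200 4100 "http://www.example.test/about" "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"
198.51.100.77 - - [03/Jun/2024:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "python-requests/2.31"
198.51.100.77 - - [03/Jun/2024:10:02:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.77 - - [03/Jun/2024:10:02:01 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.77 - - [03/Jun/2024:10:02:01 +0000] "GET /admin HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.77 - - [03/Jun/2024:10:02:02 +0000] "GET /wp-admin HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.77 - - [03/Jun/2024:10:02:02 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.33 - - [03/Jun/2024:10:05:12 +0000] "GET /sitemap.xml HTTP/1.1" 200 880 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0"
192.0.2.33 - - [03/Jun/2024:10:05:13 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def score_sources(text, window_s=60, burst=5):
    """Return {ip: {'score': n, 'reasons': [...]}}; score is the number of signals hit."""
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        reasons = []
        probes = sorted({r["path"] for r in recs if r["path"].startswith(PROBE_PATHS)})
        if probes:
            reasons.append(f"probe paths: {', '.join(probes)}")
        uas = sorted({r["ua"] for r in recs if any(s in r["ua"].lower() for s in SCANNER_UA)})
        if uas:
            reasons.append(f"tooling user-agent: {', '.join(uas)}")
        # Sliding window over 4xx responses: many misses in a short time is guessing, not browsing.
        errors = sorted(r["ts"] for r in recs if 400 <= r["status"] < 500)
        for i in range(len(errors) - burst + 1):
            if (errors[i + burst - 1] - errors[i]).total_seconds() <= window_s:
                reasons.append(f"{burst}+ client errors within {window_s}s")
                break
        report[ip] = {"score": len(reasons), "reasons": reasons}
    return report


if __name__ == "__main__":
    for ip, r in score_sources(SAMPLE_LOG).items():
        print(ip, r["score"], r["reasons"])
```

The Firefox visitor following links with referers set scores nothing, which is the "lost in the noise" case; the scripted run trips all three signals; the visitor who slows down and uses a browser user-agent still gets caught by the one request for /.git/config, which is why the path signal matters more than the other two and why an attacker wanting to stay passive avoids such requests altogether.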