
Reconnaissance

While we could just blindly start attacking a system, without a structured approach we are unlikely to find any flaws (unless we get lucky).

Reconnaissance (or Recon) is the process of finding out as much about the target as we can before we start testing it for security flaws. During a pen-test the information available to us as part of the recon process will differ. Some engagements may be "white box", where we have full[1] knowledge of the network, systems and potentially the source code of any applications running on them. In others, we might undertake a "black box" approach, where we have zero knowledge of the systems beforehand.

Types of Recon

Broadly speaking, we can break the reconnaissance phase into two types of activity: Passive and Active.

Each has its own advantages and disadvantages, and using both types will be needed to get the best outcome from a penetration test.

Note

NOTE: Depending on the contract, the nature of the reconnaissance phase may change. Some organisations may not want profiling of their employees. In others, the brief may give well-specified information about the network structure. However, as this is based on the organisation's knowledge of its own systems, which can be flawed, it is always worthwhile discussing how reconnaissance can help and the information that can be gained.

Passive Reconnaissance

Here we focus on gathering information on our target using publicly available sources. For example, we may make use of Google to search for information on a company and its structure.

A key feature of passive reconnaissance is that we do it without directly interacting with the target. Unlike active recon, where details of our investigations will be stored in the target's log files, by not sending any traffic to the target we retain a degree of stealth, which means that we can avoid detection.

As well as the organisation itself, the passive phase can focus on aspects not directly related to its infrastructure, such as employees, increasing the chance for social engineering attacks to succeed.

Active Reconnaissance

Unlike the passive phase, this stage dispenses with stealth and directly interacts with the organisation's systems. This lets us confirm the information we have learnt in the passive phase and provides more detail on the infrastructure.

Active Reconnaissance and Scanning will be covered in more detail in Week 2.

Comparison

While active and passive recon have the same aim, gathering information on the target, the different approaches give different results.

On the whole, passive recon gives us "generalised" information about an organisation, whilst active recon provides more detail.

However, the more detailed information from active reconnaissance comes at the risk of alerting the site owners or falling foul of systems such as an IDS.

Additionally, passive recon can be vital for social engineering approaches, giving information about employees that offers a unique insight into how an organisation works and ways of "hacking" the people who work there.
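To make the "active recon gets logged" point concrete from the defender's side, here is a small detector that reads web-server access log lines and flags clients whose behaviour looks like probing: many distinct paths requested in a short window, most of them returning 404. This is an added example for these notes, not code from the original page; the log lines are constructed (RFC 5737 documentation addresses), and the window size, path count and 404 ratio are illustrative thresholds, not values the page gives.

```python
"""Spotting the log footprint that active reconnaissance leaves behind.

Added example for the course notes, not code from the original page.
The log lines are constructed in Apache/nginx combined-log format, the
addresses come from the RFC 5737 documentation ranges, and the
thresholds are illustrative assumptions rather than values from the page.
"""
import re
from collections import defaultdict
from datetime import datetime

# Enough of the combined-log format to pull out client IP, timestamp,
# request path and status code. Fields after the response size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a normal visitor (192.0.2.10) reading three pages,
# and a second client (203.0.113.5) walking a list of guessed paths in
# ten seconds, most of which do not exist on the server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:50:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:50:30 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:51:10 +0000] "GET /contact HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /backup HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /old HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /test HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /dev HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "GET /staging HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /console HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /login HTTP/1.1" 200 900 "-" "scanner/1.0"',
]


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scan_candidates(lines, window_seconds=60, min_distinct_paths=8, min_404_ratio=0.5):
    """Flag source IPs that, within any sliding window, request many distinct
    paths and get mostly 404s back. Returns {ip: summary of the first such window}.
    Thresholds are assumptions chosen for the sample; tune them per site."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            window = [r for r in recs[i:]
                      if (r["ts"] - start["ts"]).total_seconds() <= window_seconds]
            paths = {r["path"] for r in window}
            if len(paths) < min_distinct_paths:
                continue
            not_found = sum(1 for r in window if r["status"] == 404)
            ratio = not_found / len(window)
            if ratio >= min_404_ratio:
                flagged[ip] = {"requests": len(window),
                               "distinct_paths": len(paths),
                               "not_found_ratio": round(ratio, 2)}
                break  # one window is enough to flag this client
    return flagged


if __name__ == "__main__":
    for ip, summary in find_scan_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {summary}")
```

The normal visitor never trips the detector because three pages in a minute is far below the distinct-path threshold, while the probing client is flagged on its very first window. A real IDS combines several such signals (request rate, user agent, known scanner signatures), but the principle is the same: every request sent during active recon is a record the target can inspect later, which is exactly the trail passive recon avoids.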

Scope

When performing reconnaissance as part of a penetration test you will have a well-defined scope and Rules of Engagement set out in the contract.

While you may have a well-defined network plan showing hosts and services on the target system, it is still worthwhile performing some reconnaissance to discover systems and services the target may not be aware of.

Important

REMEMBER: scope is important. As an Ethical Hacker, attacking or examining systems we do not have permission to access can be illegal. You should also consider the ethical implications of using reconnaissance tools (such as Google hacking) on people who haven't given their permission. While the information is public, they may not have considered the implications of putting this data online.

  1. That's full knowledge based on what the organisation itself knows. It's still worth doing the recon, as cases of "forgotten" servers showing up during scans are known.