Passive and Active Reconnaissance (en)

From OnnoWiki
Revision as of 06:45, 29 October 2024 by Onnowpurbo (talk | contribs)

Reconnaissance or information gathering in the context of cybersecurity is the initial phase of a cyber attack or penetration testing (pentest), where an attacker or pentester gathers as much information as possible about the target. The goal is to understand the system architecture, weak points, and potential attack vectors before launching an exploit.

Reconnaissance (Information Gathering)

This process is usually divided into two types:

  • Passive Reconnaissance: Gathering information about the target without directly interacting with its system. This technique uses open and public resources to obtain data, so it leaves no traces on the target system.
  • Active Reconnaissance: Involves direct interaction with the target system, such as pinging, port scanning, or footprinting to obtain technical information from the target server or application. This is riskier because it is more easily detected by security devices.

Passive Reconnaissance

Passive Reconnaissance is a technique in the world of cybersecurity that aims to gather as much information as possible about the target without directly interacting with the target system itself. With this method, attackers or security analysts can obtain a lot of data and identify potential vulnerabilities without leaving any traces that can be detected by the target.

Purpose of Passive Reconnaissance

The main goal is to gain a deeper understanding of the target's infrastructure, network, and resources. The information obtained at this stage is often used to plan further attacks or as a basis for security analysis.

Methods Used in Passive Reconnaissance

Passive reconnaissance techniques rely on various open and public resources to gather information. Here are some of the methods that are often used:

  • OSINT (Open Source Intelligence): Using publicly available and legal information to obtain data. These sources of information include:
    • Official websites: Examining the target's website for information such as IP addresses, server names, software versions, and contact details.
    • Social media: Exploring a company or individual's social media profiles to gain insight into the organizational structure, physical location, and employee activity.
    • Forums and online communities: Observing discussions on forums or niche communities (such as GitHub, Stack Overflow) that may provide clues about system configuration, software used, or security policies.
  • Domain Name System (DNS) Lookup:
    • Whois Lookup: Using the Whois service to obtain domain registration information, such as owner name, contact details, registration date, and DNS servers. This data is useful for understanding the structure of the domain and its potential vulnerabilities.
    • Reverse DNS Lookup: Running the lookup in the reverse direction to find the IP addresses associated with the domain. This helps in mapping the target network.
    • Zone Transfer: Although rare, misconfigurations on DNS servers can allow DNS zone transfers, which reveal information about all hosts and subnets on the target network.
  • Search Engine Cache Browsing: Search engines such as Google and Bing store cached versions of web pages. By exploiting the "cache" feature of search engines, attackers can view the content of a target website even if it has been changed or deleted by the owner.
    • Dorking: Google dorking is an advanced search technique that uses special search operators to find sensitive information, such as configuration files, login credentials, and more.
  • Metadata Analysis: Every published file (such as a PDF document, image, or presentation) often stores metadata, which can reveal information such as the username, location, device, and application used to create the file. This data can be used to build a more complete picture of the target.
  • Social Media and Network Monitoring: Monitoring company and employee social media activity, such as new job announcements, product launches, or security policy updates. This information can provide insight into the technologies and tools used by the target.
  • Footprinting with IP Mapping: Using public IP databases such as ARIN, RIPE, or APNIC to find information associated with the target's IP addresses, including physical location and organizational information.
  • Observing Public Network Traffic: If possible, the attacker can observe public network traffic using tools such as Shodan, Censys, or BinaryEdge. These tools allow for the discovery of devices connected to the internet as well as information about open ports and running services.
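The metadata point above is easiest to see on a real file. The following is an added example, not code from OnnoWiki: a small pre-publication audit that reads the Info dictionary of a PDF and lists the fields an outsider could harvest (author account name, creating application, timestamps). The sample PDF bytes are constructed for the example, and the parser only handles uncompressed Info dictionaries with literal strings, which is enough to show what leaks.

```python
import re

# Constructed sample: a minimal PDF whose Info dictionary carries exactly the
# kind of fields the page describes (user name, application, creation date).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Network Diagram) /Author (jdoe) /Creator (Microsoft Word) /Producer (Acrobat PDFMaker 11) /CreationDate (D:20240115093000) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Info keys that reveal people, tooling or timelines to a passive observer.
SENSITIVE_KEYS = ("Author", "Creator", "Producer", "CreationDate",
                  "ModDate", "Title", "Subject", "Keywords")


def extract_pdf_info(data: bytes) -> dict:
    """Return the key/value pairs of the PDF Info dictionary.

    Limitations (deliberate, to keep the example short): only an uncompressed
    Info object with literal (...) strings is parsed; hex strings and object
    streams are ignored.
    """
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {}
    obj_num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<!\d)" + obj_num + rb"\s+" + gen +
                    rb"\s+obj\s*<<(.*?)>>\s*endobj", data, re.S)
    if not obj:
        return {}
    info = {}
    # /Key (literal string), allowing backslash-escaped characters inside.
    for key, value in re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", obj.group(1)):
        info[key.decode()] = value.decode("latin-1")
    return info


def audit_metadata(data: bytes) -> list:
    """List (key, value) pairs that should be reviewed before the file is published."""
    info = extract_pdf_info(data)
    return [(k, info[k]) for k in SENSITIVE_KEYS if k in info and info[k].strip()]


if __name__ == "__main__":
    for key, value in audit_metadata(SAMPLE_PDF):
        print(f"{key:14s} {value}")
```

Run against a document that is about to go on the public website, this flags the author account name and the software version before an attacker collects them. Stripping the fields should be done with a proper tool (an exiftool or qpdf style rewrite), since editing the Info object by hand invalidates the cross-reference table of a real PDF.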

Advantages of Passive Reconnaissance

  • Undetected: Because there is no direct interaction with the target system, this technique is very difficult to detect.
  • Legal: As long as it uses public resources and does not violate privacy, this technique is completely legal and can be used for security testing.

Limitations of Passive Reconnaissance

  • Data Limitations: The information collected is only as much as is available in open sources, so it may not always be complete or up-to-date.
  • Not In-Depth: This technique only provides a general overview and does not allow for direct testing or exploitation of the target system.

With the information gained from passive reconnaissance, an attacker can plan further attack strategies. However, in the context of security testing, the information can also help organizations understand potential risks and proactively mitigate them.

Active Reconnaissance

Active Reconnaissance is the initial stage in the ethical hacking process where a pentester proactively interacts with the target to gather more information. While passive reconnaissance focuses more on collecting data from open sources, active reconnaissance involves direct interaction with the target system.

Purpose of Active Reconnaissance

  • Deeper understanding: Gaining a more detailed understanding of the target's infrastructure, services, and vulnerabilities.
  • Identifying entry points: Finding the points that can serve as entry points for an attack (if carried out by malicious hackers).
  • Narrowing the scope of testing: Focusing testing on the areas that are most at risk.

Active Reconnaissance Techniques

Some commonly used active reconnaissance techniques include:

  • Network Scanning:
    • Port Scanning: Scanning open ports on the target to identify running services.
    • Vulnerability Scanning: Using tools such as Nessus, OpenVAS to search for known vulnerabilities.
    • Service Fingerprinting: Identifying the version of a service running to find a specific exploit.
  • Social Engineering:
    • Phishing: Sending fake emails or messages to trick victims into giving up sensitive information.
    • Pretexting: Creating fake scenarios to get information from targets.
    • Baiting: Placing a physical device (such as a flash drive) infected with malware in a place where it can be easily found.
  • Direct Interaction:
    • Phone Call: Calling a target while pretending to be an authorized person to get information.
    • Visiting the website: Browsing a target's website to look for hidden information or vulnerabilities.
    • Using a Contact Form: Filling out a contact form with invalid input to see how the application responds.
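The reason active reconnaissance is "more easily detected" is that port scanning leaves a distinctive pattern in firewall logs: one source touching many distinct destination ports in a short time. The following is an added example, not code from OnnoWiki: a detector that parses constructed firewall log lines (the format, addresses and timestamps are invented for the example) and flags any source that hits at least `min_ports` distinct destination ports within a sliding window.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log: two ordinary clients plus one source sweeping
# eleven ports on a single host within ten seconds.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]
LOG_LINES = [
    "2024-10-29T06:45:00Z ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=TCP sport=50111 dport=443",
    "2024-10-29T06:45:03Z ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=TCP sport=50112 dport=443",
    "2024-10-29T06:45:05Z DROP src=198.51.100.20 dst=192.0.2.10 proto=TCP sport=40001 dport=22",
    "2024-10-29T06:45:09Z DROP src=198.51.100.20 dst=192.0.2.10 proto=TCP sport=40002 dport=80",
] + [
    f"2024-10-29T06:45:{10 + i:02d}Z DROP src=203.0.113.5 dst=192.0.2.10 "
    f"proto=TCP sport={51000 + i} dport={port}"
    for i, port in enumerate(SCAN_PORTS)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10) -> dict:
    """Flag sources that touch >= min_ports distinct (dst, dport) pairs inside `window`.

    Returns {src: {"first_seen", "last_seen", "distinct_ports"}} for flagged sources.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()          # events inside the current window
        targets = Counter()       # (dst, dport) -> count inside the window
        for ev in events:
            recent.append(ev)
            targets[(ev["dst"], ev["dport"])] += 1
            # Slide the window: drop events older than `window` and their ports.
            while ev["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                key = (old["dst"], old["dport"])
                targets[key] -= 1
                if targets[key] == 0:
                    del targets[key]
            distinct = len(targets)
            if distinct >= min_ports:
                alert = alerts.setdefault(src, {
                    "first_seen": recent[0]["ts"],
                    "last_seen": ev["ts"],
                    "distinct_ports": distinct,
                })
                alert["last_seen"] = ev["ts"]
                alert["distinct_ports"] = max(alert["distinct_ports"], distinct)
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_scans(LOG_LINES).items():
        print(f"possible port scan from {src}: {info['distinct_ports']} ports "
              f"between {info['first_seen']:%H:%M:%S} and {info['last_seen']:%H:%M:%S}")
```

The threshold and window are the knobs a SOC tunes: a low `min_ports` catches slow scans but also flags busy legitimate clients, and a scanner that spreads its probes over hours slips under a short window. Counting `(dst, dport)` pairs rather than ports alone also makes horizontal sweeps (one port across many hosts) visible.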

Tools Used

  • Nmap: For port and service scanning.
  • Nessus, OpenVAS: For vulnerability scanning.
  • Metasploit: An exploitation framework that can also be used for scanning.
  • Burp Suite: For testing web applications.
  • Wireshark: For analyzing network traffic.

Example Active Reconnaissance Scenario

For example, a pentester wants to test the security of an e-commerce website. Possible active reconnaissance steps include:

  • Port scanning: Scanning open ports for web server services, database servers, and other services.
  • Vulnerability scanning: Scanning the website for common vulnerabilities such as SQL injection, XSS, and vulnerabilities in the CMS used.
  • Social engineering: Sending phishing emails to employees to obtain login credentials.
  • Contact form filling: Filling out a contact form with invalid input to see if there is inadequate input validation.
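The last step checks how the application answers malformed input. What a pentester hopes not to find, and what the application owner should have in place, is shown in the following added example (not code from OnnoWiki): server-side validation of the contact form fields, rejection of line breaks in header-bound fields so the notification e-mail cannot be given extra headers, and responses that never echo input or internal error details. The field names, limits and the `deliver` callback are assumptions for the example.

```python
import logging
import re

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("contact-form")

# Assumed form fields and upper length limits for this example.
MAX_LEN = {"name": 100, "email": 254, "subject": 200, "message": 5000}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# CR, LF and other control characters: never allowed in fields that end up in
# e-mail headers, otherwise a submission could add its own Bcc/To lines.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x0c\x0e-\x1f\r]")


def validate_contact_form(fields: dict) -> list:
    """Return the names of fields that failed validation (empty list means valid)."""
    errors = []
    for name, limit in MAX_LEN.items():
        value = fields.get(name)
        if not isinstance(value, str) or not value.strip() or len(value) > limit:
            errors.append(name)
    for name in ("name", "email", "subject"):
        value = fields.get(name, "")
        if name not in errors and isinstance(value, str) and CONTROL_RE.search(value):
            errors.append(name)
    if "email" not in errors and not EMAIL_RE.match(fields.get("email", "")):
        errors.append("email")
    return errors


def handle_submission(fields: dict, deliver) -> dict:
    """Validate, then hand the submission to `deliver` (e.g. an SMTP sender).

    The response body names the offending fields but never repeats their values,
    and a failure inside `deliver` is logged server-side and reported generically.
    """
    errors = validate_contact_form(fields)
    if errors:
        log.info("rejected submission, invalid fields: %s", sorted(errors))
        return {"status": 400, "body": {"error": "invalid input", "fields": sorted(errors)}}
    try:
        deliver(fields)
    except Exception as exc:  # details stay in the server log
        log.error("delivery failed: %s", type(exc).__name__)
        return {"status": 500, "body": {"error": "could not process request"}}
    return {"status": 200, "body": {"ok": True}}


if __name__ == "__main__":
    # Constructed submissions: one clean, one carrying a header-injection attempt.
    clean = {"name": "Ada", "email": "ada@example.com",
             "subject": "Order question", "message": "Where is my order?"}
    injected = dict(clean, email="ada@example.com\r\nBcc: everyone@example.com")
    print(handle_submission(clean, lambda f: None))
    print(handle_submission(injected, lambda f: None))
```

The behaviour a scan should observe is a `400` that names the field and a `500` that says nothing about SMTP, stack frames or file paths; anything more specific in the response is the "inadequate input validation" or information leak the scenario is probing for.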

Important to Remember

  • Permission: Always get written permission before performing penetration testing.
  • Ethics: Avoid damaging the target system or data.
  • Legal: Follow all applicable laws and regulations.

Active reconnaissance is a very important step in the ethical hacking process. By conducting active reconnaissance, a pentester can gain invaluable information to plan and execute a simulated attack.

Interesting Links