Reconnaissance is the
first step of the kill chain when conducting a penetration
test or an attack against a network or
server target. An attacker will typically dedicate up to seventy-five percent
of the overall work effort for a penetration test to reconnaissance, as it is
this phase that allows the target to be defined, mapped, and explored for the
vulnerabilities that will eventually lead to exploitation. There are two types
of reconnaissance: passive
reconnaissance, and active reconnaissance.
Passive
reconnaissance is concerned with analyzing information that is openly
available, usually from the target itself or public sources online. On accessing
this information, the tester or attacker does not interact with the target in
an unusual
Manner—requests and activities will
not be logged, or will not be traced directly to the tester. Therefore, passive
reconnaissance is conducted first to minimize the direct contact that may
signal an impending attack or to identify the attacker.
Basic principles of reconnaissance
Reconnaissance, or
recon, is the first step of the kill chain when conducting a penetration test
or attack against a data target. This is conducted in before the
actual test or attack of a target
network. The findings will give a direction to where
additional reconnaissance may be
required, or the vulnerabilities to attack during
the exploitation phase.
Reconnaissance
activities are segmented on a gradient of interactivity with the target network
or device.
i)            
Passive
reconnaissance (no direct interaction)
ii)           
Normal
interaction
iii)          
Active
reconnaissance
iv)          
More
information greater chance of detection
Passive
reconnaissance does not involve direct interaction with the target network.
The attacker's source IP address and
activities are not logged (for example, a Google
search for the target's e-mail
addresses). It is difficult, if not impossible, for the target
to differentiate passive
reconnaissance from normal business activities. In general, passive
reconnaissance focuses on the business and regulatory environment, the company,
and the employees. Information of this type is available on the Internet or
other public sources, and is sometimes referred to as open source intelligence,
or OSINT.
•           Passive
reconnaissance also involves the normal interactions that occur when
an attacker interacts with the target
in an expected manner. For example, an attacker will log on to the corporate
website, view various pages, and download documents for further study. These
interactions are expected user activities, and are rarely detected as a prelude
to an attack on the target.
•             
 Active reconnaissance involves direct queries
or other interactions (for example, port scanning of the target network) that
can trigger system alarms or allow the target to capture the attacker's IP
address and activities. This information could be used to identify and arrest
an attacker, or during legal proceedings. Because active reconnaissance
requires additional techniques for the tester to remain undetected.
Penetration testers
or attackers generally follow a process of structured information gathering,
moving from a broad scope (the business and regulatory environments) to the
very specific (user account data).
To be effective,
testers should know exactly what they are looking for and how the data will be
used before collection starts. Using passive reconnaissance and limiting
the amount of data collected minimizes the risks of being
detected by the target.
 
