Ethical Hacking — Information Gathering
Passive Reconnaissance
In Information Gathering there are Two types of Reconnaissance Active And Passive, You must Be thinking why is Passive on Very First Place the reason is Simple, Yet IMPORTANT Thorough Understanding about the Victim is Necessary And that include getting IP of a Corporation, extract information about Buisness like the type of Product they have, the type of auto generated email from them, Email address shift timing of some Extra Business concerned Employees there habits or can they be Social Engineered in order to give out there corporate Network passwords or Local machine Credentials or maybe some ‘nasty’ information about corp that can further lead to exploitation. The list is endless and Depends.
Let’s get straight..
Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems. It is a gathering the information without alerting victim. If the victim host alerted then it drastically increases security against the attack.
● Search engines, which may reveal documents with the names of a (VPN) the company uses, vendor documentation mentioning that the target is a client using certain products (routers, software, etc.). In doing this, you may get information on the company’s remote access, and see cache pages that allow you to stay passive.
● Job advertisements, which can reveal contact information, requirements to know certain software or equipment that may have vulnerabilities that can be exploited, and so on.
● LinkedIn and other sites where employees have identified their involvement with a target.
● Whois sites (like www.who.is) that provide the names of servers, IP address ranges, the names of administrators, email addresses, and so on.
● Wayback Machine (www.archive.org) to see past versions of a website, allowing you to review the target’s site, see contact information for employees, and even content that may have deemed a security risk and removed from the current site.
OK, Now let's take look at some Pasive recon Tools (n.s - they can be used in Active as well):
-> [Wireshark](https://www.wireshark.org/) is best known as a network traffic analysis tool, but it can also be invaluable for passive network reconnaissance. If an attacker can gain access to an organization’s Wi-Fi network or otherwise eavesdrop on the network traffic of an employee (e.g., by eavesdropping on traffic in a coffee shop), analyzing it in Wireshark can provide a great deal of useful intelligence about the target network.
-> [Shodan](https://www.shodan.io/) is a search engine for internet- connected devices. As the Internet of Things grows, individuals and organizations increasingly are connecting insecure devices to the internet.
Using Shodan, a hacker may be able to find devices within the IP address range belonging to a company, indicating that they have the device deployed on their network. Since many IoT devices are vulnerable by default, identifying one or more on the network may give a hacker a good starting point for a future attack.
##There are many other tools us can use list is endless##
OS FINERGERPRINTING
OS Fingerprinting is a method for determining which operating system does the remote computer runs.OS Fingerprinting is mostly used for cyber reconnaissance as most exploitable vulnerabilities are operating system specific.
#NOW_THE_THING_WE_SHOULD_CARE_ABOUT
COUNTERMEASURES
There is a remarkable research work done to detect cyber attack at reconnaissance phase. Reconnaissance is a primary and starting phase of any cyber attack so if any solution for detecting cyber reconnaissance can be a good achievement in the course development of effective early warning system.Cyber attack is sequence of reconnaissance, infiltration and conclusion phase. A layered protection is always best but defense strategies for different network will be different. Stateful firewall, Intrusion Detection System, Intrusion Prevention System and NAT are preferable solutions. Firewall should be configured to allow only necessary traffic and also configured to log multiple connections from the same IP address. This implementation assures block scans such as FIN, NULL, XMAS and detect SYN scan as firewall is stateful. Snort like tool should be used which work as IDS that monitors traffic and detect anomalous activity. Snort should be configured to detect multiple connection from the same IP address. Using NAT is a good practice as it will put only single IP visible and block OS fingerprinting attempts. Apply all latest patches to block vulnerable points.
*******************************************************************
Active Reconnaissance
Once you’ve learned what you can do without touching a site or network, a hacker will move onto active reconnaissance, which involve interaction with a target and could be traceable. For example, a hacker may call or talk to employees, visit their website, or other actions in which they touch the network as a normal user. After gathering everything you can on a company, its infrastructure, personnel, and other details that can help you gain access, you should have a good idea of the company’s structure and network, and ready to move onto other steps:
● **Scanning**, where you try and identify what hosts are live and their purpose on a network. The hacker might use the PING command to see what servers are running, or use port scanning software to find weaknesses like open ports or ways to bypass firewalls. In doing so, he or she may throttle the scan so its slow pings and scans hide in the normal network traffic, and isn’t easily detectable.● **Service Enumeration**, where you identify the services running on a server, and determine any vulnerabilities they might have.● **Assess Vulnerabilities**, where you identify vulnerabilities in an app, site, or network. You might use a vulnerability database, knowledge bases, and a vulnerability scanner like OpenVAS (www.openvas.org) to scan a system and provide a report.● **Exploit Vulnerability**, where you either find an existing exploit or develop a new one that can take advantage of vulnerabilities you’ve discovered.
Let us take a look at some tools used for Active Recon:~
Metasploit
Metasploit is a penetration testing tool. While many threat actors use it to carry out attacks, whitehats employ it to develop intrusion detection/prevention systems (IDSs/IPSs), too. Since it is Ruby-based, users can write, test, and run exploit codes that allow them to conduct targeted analyses of security vulnerabilities.
Spyse
Spyse is a cyber reconnaissance tool that combines active and passive techniques with instant data access. It is commonly used for a quick overview of the target-related assets to determine the attack surface, target vulnerability level, and relations between the main target and connected cyber-infrastructures. Overall, it was made to automate routine work and save time for picking the right attack vector.
Nmap
Nmap is a network mapper. It is a free and open-source scanner for networks that users employ to discover hosts and detect system details, including currently running programs. It performs several types of scans against a wide range of IP addresses that send packets to a target network and analyzes its responses.
Nessus
Developed by Tenable, Inc., Nessus is a remote vulnerability scanning tool that identifies vulnerable applications running on a system. It returns details on how threat actors can exploit weaknesses. While this tool does not come free of charge, it does produce a vast number of useful data that security teams can use, making it a worthy investment.
OpenVAS
Open Vulnerability Assessment System (OpenVAS) is also widely used for vulnerability scanning and management. All of the components of OpenVAS run tests against clients’ computers, providing users comprehensive information about how guarded servers are against known attacks. OpenVAS was a subset of Nessus before it was commercialized, so it bears much of the latter’s functionality.
Nikto
Nikto is a web server scanner that works much like Nessus and OpenVAS. It identifies several vulnerabilities in web servers. Unlike the active reconnaissance tools that threat actors use, Nikto is highly detectable by an IDS, so it is ideal for ethical hacking purposes.
DNS Enumeration
Domain Name Server (DNS) is like a map or an address book. In fact, it is like a distributed database which is used to translate an IP address 192.111.1.120 to a name www.example.com and vice versa.
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. The idea is to gather as much interesting details as possible about your target before initiating an attack.
You can use nslookup command available on Linux to get DNS and host-related information. In addition, you can use the following DNSenum script to get detailed information about a domain −
DNSenum script can perform the following important operations −
- Get the host’s addresses
- Get the nameservers
- Get the MX record
- Perform axfr queries on nameservers
- Get extra names and subdomains via Google scraping
- Brute force subdomains from file can also perform recursion on subdomain that has NS records
- Calculate C class domain network ranges and perform whois queries on them
- Perform reverse lookups on netranges
And Further One can Enumerate By there Needs
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Follow For More Cyber Security Related Blogs🙂