Reconnaissance is the act of discovery and utilizing information to achieve that. Pen testing starts with this phase in order to better understand the target. It is an important step that cannot be skipped no matter the process.
Recon can be passive or active, and often both are used depending on the type of engagement.
Recon’s goal is to gain all the information that can be gathered on a target without attacking it.
Types of reconnaissance attacks
Reconnaissance attacks are classified into two types: active and passive.
- Passive is any information that can be gathered without touching the target in any meaningful way.
This can include GoogleFu/Google Hacking, DNS research, LinkedIn profile gathering, and other ways to get data on the target via third parties.
- Active attacks are more directly touching the target but much lighter than an attack phase.
This recon is based on light probing that creates no direct changes but may be detected in the logs. This can include port scanning, email address validation, and service version confirmation.
Reconnaissance phase of an attack
These two types of recon are combined into a single phase.
This phase of the pen test makes up the start of each test that cannot be skipped. Skipping this phase usually leads to a test that misses parts of the targets.
The goal is to gather as much information as possible without alerting the target company to the recon.
This can be louder in a pen test, where the phase will not get shut down, or silent in a red team, where the goal is stealth.
Reconnaissance techniques
Reconnaissance techniques involve stealthy probing and leveraging third parties as much as possible.
Any company’s social media accounts and search engine data is fair game for recon.
The active recon needs to be as silent as possible, port scanning is often easy enough as any publicly facing device is scanned by random devices at all times.
More directed and less random techniques are more likely to alert the customer.