Reconnaissance is the start of any good penetration test, hacking attempt, or introduction to a new concept. But what does reconnaissance mean?
From Meriam-webster: Reconnaissance is a preliminary survey to gain information.
So why is this important in a cybersecurity context? Attackers know they need to learn about their targets to increase the likelihood of a successful intrusion. Their first step in targeting a business is performing passive and active surveillance.
Cyber Reconnaissance
This is one of the most critical steps when attempting a penetration test. It allows you to see everything (and, of course, all this depends on the victim’s security), such as what ports the company has open, their email addresses, employees, emails, etc. This step helps you get an umbrella-type understanding of the network you’re infiltrating, the company, the employees, and anything else you can find without actually being inside the network.
So, what's the deal with passive vs. active reconnaissance? Isn’t there only one type of reconnaissance? Well, no. Let’s get into the definitions and examples.
<!--
__
/ \--..____
\ \ \-----,,,..
\ \ \ \--,,..
\ \ \ \ ,'
\ \ \ \ ``..
\ \ \ \-''
\ \ \__,,--'''
\ \ \.
\ \ ,/
\ \__..-
\ \
\ \
\ \ Capture the flag competition
\ \ Flag: AscendCTF<CTFsAreFun>
\ \
\ \
\ \
\ \
\ \
-->
Active vs Passive Reconnaissance
Active reconnaissance involves direct interactions with the target system to find technical information necessary to attack that system. This can include network enumeration, vulnerability scanning, and more.
Passive reconnaissance, in contrast, occurs when an attacker collects information without directly interacting with the target system. This information is gathered from publicly available sources through technology or non-technology means like dumpster diving or social engineering.
Passive Reconnaissance Techniques
Attackers have many techniques available for performing passive reconnaissance. Open-source tools such as Shodan and Recon-ng more efficiently and cheaply accomplish these tasks, especially compared to previous techniques, such as wiretapping and intercepting mail.
Organizations unknowingly provide passive reconnaissance opportunities through client-facing resources like websites. Attackers use corporate websites to learn more about key personnel and collect email addresses and phone numbers, which can improve their chances of phishing employees and executives.
Corporate websites may also contain information about specific technologies used by the organization. For example, a job post on a hiring company’s website might include “Need experience with CISCO Firewalls” or an Adobe PDF document that tells the attacker what version of Adobe you have in your environment. These details tell the attacker what to expect when it comes to intrusions into your network.
Passive Reconnaissance Protections
The point of (passive) web reconnaissance is that an attacker can gain valuable information with little effort and without alerting you. To limit these opportunities, consider the following protection strategies:
- See what open-source tools and domain monitoring solutions reveal about your organization
- Evaluate what technology information can be gathered directly from your website
- Reduce the amount of information you share to only what is necessary for your business
- Routinely review what information is available on your public footprint
The most crucial consideration of passive reconnaissance is knowing what information about your business is publicly available and deliberately balancing what is necessary for your business and what creates an unacceptable level of risk.
Ascend Can Help
Both types of reconnaissance have pros and cons, but reconnaissance is still a vital technique hackers use for hacking. How can you know how a hacker can access a network if you don’t know it yourself? That’s where reconnaissance comes in—allowing you to use free tools and resources to understand better the contents of a target’s network, company, or person.
Need help to uncover and remediate your vulnerabilities? Talk to an expert to get started!