Reconnaissance
Reconnaissance is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker may use a variety of tools and technologies. This information is very useful to a hacker who is trying to compromise a whole system.

It allows a hacker to gain information about the target system, which can then be used to carry out further attacks on it. This is why it is sometimes called the pre-attack phase: all of the gathered information is reviewed beforehand so that the attack can be completed successfully. Reconnaissance is essentially the first step, in which the hacker gathers as much information as possible to find ways to intrude into a target system, or at least to decide which types of attack are most suitable for the target. It is also a very important step for an ethical hacker, who can use it to find possible attacks and vulnerabilities and patch them.

The objectives of reconnaissance are to collect network information, system information and the organisation's information. During this phase, a hacker can collect the following:

  • Domain name
  • System names
  • System enumeration
  • Passwords
  • IP Addresses
  • Namespaces
  • Employee information
  • Phone numbers
  • E-mails


Information gathering Techniques


Active Techniques

In this process you interact directly with the computer system to gain information. The information gathered this way is usually relevant and accurate, but there is a risk of being detected if you carry out active reconnaissance without permission. If you are detected, the system administrator can take severe action against you and trace your subsequent activities.

Knock Subdomain Scan

Knockpy is a Python tool designed to enumerate subdomains on a target domain through a wordlist.

Sublist3r

A fast subdomain enumeration tool for penetration testers.

Dirsearch

Dirsearch is a simple command line tool designed to brute force directories and files in websites.

Gobuster

A high-performance directory enumeration tool written in Go.

Teh S3 Bucketeers

The S3 bucket enumeration and permission check tool.

AWSBucketDump

A security tool to look for interesting files in S3 buckets.
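The detection risk mentioned for active techniques is visible on the server side: a wordlist-driven tool such as Dirsearch or Gobuster leaves a burst of 404 responses from one source address in the web server's access log. The following script is an added example (not part of the original post or of any of the tools above) that parses Apache/Nginx combined-format log lines and flags sources that request many distinct missing paths inside a short window. The log lines, addresses and the window/threshold values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Apache/Nginx "combined" format. The
# addresses come from documentation ranges and the requests are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /images/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /contatc.html HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:11 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:11 +0000] "GET /config/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:13 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:58:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:03:30 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path and status, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bruteforcers(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: n} for sources that requested n >= threshold distinct
    missing paths (HTTP 404) within any sliding window of the given length.
    Counting distinct paths rather than raw 404s keeps a user reloading one
    broken link from being flagged."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            events[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()  # by timestamp, then path
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {path for _, path in hits[start:end + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} distinct missing paths within 60s, likely directory brute force")
```

On the sample, only 198.51.100.9 is reported (six distinct 404s within three seconds); the user with one typo and the slow two-request source stay below the threshold. Tune the window and threshold to the site's normal 404 rate, and treat a hit as a reason to look at the full request sequence from that address rather than as proof on its own.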


Passive Techniques

In passive reconnaissance you are not directly connected to the target computer system. This process is used to gather essential information without ever interacting with the target systems.

This involves finding information by means that would not be directly tied back to you or your IP address. You might be browsing a site as a typical user, or you might find information through whois, Robtex, Maltego or other public sources.

Passive reconnaissance tools provide information without actually touching your target, while also doing a lot of the hard work for you. Below are some tools for passive recon.

Shodan

The search engine for things connected to the internet: IP, port, application, banners, etc.

DNS Dumpster

DNSdumpster.com is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker's perspective is an important part of the security assessment process.

Censys

Censys continually monitors every reachable server and device on the Internet, so you can search for and analyse them in real time and understand your network attack surface. Check for open ports and applications on a specific IP without running a port scan yourself.

BuiltWith

Find out what websites are built with.

Facebook Certificate Transparency Monitoring

This tool lets you search for certificates issued for a given domain.

crt.sh

DNS enumeration based on the public record of SSL certificate issuance: the hostnames in certificates logged for a domain reveal its subdomains.

DNS Trails

SecurityTrails lets you access current and historical DNS records and subdomains for an organisation.
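Certificate Transparency is the same data source whether an attacker or a defender reads it, so the most useful thing to do with the crt.sh and Facebook CT monitoring entries above is to turn them around: pull the certificates logged for your own domain and compare them with what you think you run. The script below is an added example, not code from the original post or from crt.sh; it parses records in the shape of crt.sh's JSON output (the `issuer_name`, `common_name` and newline-separated `name_value` fields), lists hostnames under the domain, reports those missing from a constructed asset inventory, and reports certificates from an issuer the organisation does not use. All records, ids and hostnames are made up for the example.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output. Every record,
# id, issuer and hostname below is made up for this example.
SAMPLE_CT_JSON = """[
  {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.example.com", "name_value": "example.com\\nwww.example.com"},
  {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.example.com", "name_value": "*.example.com"},
  {"id": 1003, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
   "common_name": "mail.example.com", "name_value": "mail.example.com\\nautodiscover.example.com"},
  {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "staging-old.example.com", "name_value": "staging-old.example.com"},
  {"id": 1005, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "notexample.com", "name_value": "notexample.com\\nwww.notexample.com"}
]"""

# Hosts the defender already knows about (constructed inventory).
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}


def extract_names(ct_json, domain):
    """Return the set of unique hostnames that are the domain or lie under it.
    The suffix check uses '.' + domain so that 'notexample.com' is not matched."""
    domain = domain.lower().rstrip(".")
    names = set()
    for cert in json.loads(ct_json):
        for raw in cert["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def unknown_hosts(ct_json, domain, inventory):
    """Return (unknown, wildcards): hostnames seen in CT that are not in the
    inventory, and wildcard names reported separately since they cover hosts
    that never appear in CT at all."""
    found = extract_names(ct_json, domain)
    wildcards = {n for n in found if n.startswith("*.")}
    unknown = {n for n in found - wildcards if n not in inventory}
    return sorted(unknown), sorted(wildcards)


def issuer_org(issuer_name):
    """Pull the O= component out of a comma-separated issuer DN.
    Assumes no commas inside attribute values (true for the sample)."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return None


def unexpected_issuers(ct_json, allowed_orgs):
    """Return (id, issuer org, common name) for every certificate whose
    issuer organisation is not one the organisation uses."""
    out = []
    for cert in json.loads(ct_json):
        org = issuer_org(cert["issuer_name"])
        if org not in allowed_orgs:
            out.append((cert["id"], org, cert["common_name"]))
    return sorted(out)


if __name__ == "__main__":
    unknown, wildcards = unknown_hosts(SAMPLE_CT_JSON, "example.com", KNOWN_HOSTS)
    print("hosts in CT but not in inventory:", unknown)
    print("wildcard certificates:", wildcards)
    print("certificates from unexpected issuers:", unexpected_issuers(SAMPLE_CT_JSON, {"Let's Encrypt"}))
```

On the sample this surfaces `autodiscover.example.com` and `staging-old.example.com` as hosts nobody recorded, a wildcard certificate that hides further hosts from this kind of search, and one certificate issued by a CA outside the allowed set. Run against live crt.sh output the same checks work as a scheduled attack-surface review; a CAA record for the domain is the matching preventive control for the issuer check.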


Other OSINT tools and pentesting tools can be found at the link below:
