The start of any good penetration test, hacking attempt, or introduction to a new concept even is reconnaissance. But what does reconnaissance mean?
From Meriam-webster: Reconnaissance is: a preliminary survey to gain information.
So why is this important in a cybersecurity context? It matters because attackers know they need to learn about their targets to increase the likelihood of a successful intrusion. Their first step in targeting a business is performing passive and active reconnaissance.
This is one of the most critical steps when attempting a penetration test. It allows you to see everything from (and of course, all this depends on the victim’s security) what ports the company has open, their email addresses, employees, emails, etc. This step helps you get an umbrella-type understanding of the network you’re infiltrating, the company, the employees, and anything else you can find without actually being inside the network.
So what is the deal with passive vs. active reconnaissance, isn’t there only one type of reconnaissance? Well, no. Let’s get into the definitions and examples.
Active vs. Passive Reconnaissance
Active reconnaissance involves direct interactions with the target system to find technical information necessary to attack that system. This can include network enumeration, vulnerability scanning, and more.
Passive reconnaissance, in contrast, occurs when an attacker collects information without directly interacting with the target system. This information is gathered from publicly available sources, whether through technology or non-technology means like dumpster diving or social engineering.
Passive Reconnaissance Techniques
There are many techniques available for attackers to perform passive reconnaissance. Open source tools such as Shodan, Recon-ng, and more are efficient and cheap means to accomplish these tasks, especially compared to previous techniques, such as wiretapping and intercepting mail.
Organizations unknowingly provide passive reconnaissance opportunities through client-facing resources like websites. Attackers use corporate websites to learn more about key personnel and collect email addresses and phone numbers, which can successfully improve their chances of phishing employees and executives.
Corporate websites also may contain information about specific technologies used by the organization. For example, a job post on a hiring company’s website might include “Need experience with CISCO Firewalls” or an Adobe PDF document that tells the attacker what version of Adobe you have in your environment—these details tell the attacker what to expect when it comes to intrusions into your network.
Passive Reconnaissance Protections
The point of (passive) web reconnaissance is that an attacker can gain a lot of valuable information with little effort and without alerting you of anything. To limit these opportunities, consider the following protection strategies:
· See what open-source tools and domain monitoring solutions reveal about your organization
· Evaluate what technology information can be gathered directly from your website
· Reduce the amount of information you share to only what is absolutely necessary for your business
· Routinely review what information is available on your public footprint
The most important consideration of passive reconnaissance is knowing what information about your business is publicly available and deliberately working towards a balance between what is necessary for your business versus what creates an unacceptable level of risk.
Both types of reconnaissance have their pros and cons, but reconnaissance is still a vital technique hackers use for any hacking. How can you really know how a hacker can access a network if you don’t know it yourself? That’s where reconnaissance comes in—allowing you to use free tools and resources to better understand the contents of a target’s network, company or person.
