Reconnaissance and its types

Reconnaissance:

Reconnaissance is the method of gathering or collecting information about a system. In the context of cybersecurity, reconnaissance is the process of gathering and collecting information about the target that will help in the later stages of the engagement. This information may include details of the target's infrastructure, network, staff and personnel, social media presence, and more; all of it helps in defining the objective and scope and in choosing the methodology and tools that will be used.

Types of Reconnaissance:

There are two types of reconnaissance:

1- Active Reconnaissance:

In active reconnaissance we interact directly with the target system, obtaining information about it through different methods and techniques, for example:

Port scanning of the target by using Nmap and Rustscan

Vulnerability scanning by using Nessus, Nikto, Nexpose, etc.

Network Scanning by using Wireshark and IP Scanner tools

Directory fuzzing using ffuf, Dirsearch, gobuster, etc.

Network Miner - Network Traffic Sniffer

2- Passive Reconnaissance:

In passive reconnaissance we do not interact directly with the target system. Instead, we use different third-party software and tools to gather target information and details that are publicly available, which allows us to collect information about a target without alerting them or leaving any traces. Some of the common sources of passive recon data are:

• Search engines:

Search engines are powerful tools for finding information about a target. They crawl web pages and index data that might be harder to find while manually browsing the website. Examples include:

Google

Shodan.io

Censys

zoomeye.org

• Dorking:

We can also use Dorking techniques in passive reconnaissance to discover potentially sensitive information about a target, using advanced search engine queries to locate specific types of content:

Google Dorking

Github Dorking

Shodan Dorking

• Technology:

We can find the technology stack of a web app using different tools, such as:

Wappalyzer (Chrome extension)

whatcms.org

builtwith.com

• Social media:

Social media platforms can also provide useful information about the target in the reconnaissance phase. The following are tools for gathering information from social media:

tinfoleak.com (Twitter)

mostwantedhf.info (Skype)

searchmy.bio (Instagram)

search.carrot2.org (Results grouped by topic)

boardreader.com (forums)

psbdmp.ws (search in Pastebin)

kribrum.io (social-media search engine)

• Domain Recon:

We can obtain domain-related information about an application, such as DNS records, IP address details, and hosting details. There are multiple tools for this:

viewdns.info

whois

whoislookup

https://github.com/melbadry9/WhoEnum

netcraft.com

dnsdumpster.com

myip.ms

• Email Harvesting:

We can also collect email addresses from various sources, such as websites, social media, public records, and online directories. Email harvesting typically involves automated tools such as web crawlers, email extractors, and search engines that scan publicly available sources and collect addresses from them. Different tools for this are:

Hunter.io (https://hunter.io)

emailrep.io # Accounts registered by email

searchcode.com # search by code in repositories

swisscows.com # semantic search engine

publicwww.com # search by source page code

whatsmyname.app

https://github.com/SimplySecurity/SimplyEmail

https://emkei.cz/

https://snov.io/email-finder

https://github.com/m4ll0k/Infoga

https://github.com/martinvigo/email2phonenumber

https://github.com/jkakavas/creepy/

https://github.com/Josue87/EmailFinder

https://github.com/laramies/theHarvester

• Certificate transparency logs:

We can obtain information about the digital certificates issued for a domain, which can also help in later stages. Certificate details can be obtained using:

crt.sh
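As an added example (not part of the original page), the following Python parses a crt.sh JSON export into the hostnames that belong to a domain and flags names whose newest certificate has already expired, which is how a defender builds an inventory of forgotten or decommissioned hosts from CT logs. The sample records are constructed; the field names (name_value, not_after) are assumed to match crt.sh's JSON output.

```python
import json

# Constructed sample shaped like crt.sh's JSON output (?q=%.example.com&output=json).
# Field names are assumed from crt.sh; the values are invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nstaging-api.example.com\nOLD-VPN.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc",
     "common_name": "shared.hosting.test",
     "name_value": "shared.hosting.test\nexample.com.evil.test\nmail.example.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2023-12-31T23:59:59"},
])


def in_scope(name: str, domain: str) -> bool:
    """True only for the apex or a real subdomain, not look-alikes such as example.com.evil.test."""
    return name == domain or name.endswith("." + domain)


def hostnames_from_ct(raw_json: str, domain: str) -> dict:
    """Map each in-scope hostname to whether a wildcard cert covers it and its newest expiry.

    A certificate's name_value holds one SAN per line, may contain wildcards, and may list
    names from other domains on a shared certificate; those are filtered out here.
    """
    hosts = {}
    for rec in json.loads(raw_json):
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower()           # DNS names are case-insensitive
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]                   # keep the base the wildcard covers
            if not name or not in_scope(name, domain):
                continue
            entry = hosts.setdefault(name, {"wildcard": False, "latest_expiry": ""})
            entry["wildcard"] = entry["wildcard"] or wildcard
            # crt.sh timestamps are ISO-8601 without zone, so string order is time order
            entry["latest_expiry"] = max(entry["latest_expiry"], rec.get("not_after", ""))
    return hosts


def stale_hosts(hosts: dict, now_iso: str) -> list:
    """Names whose newest certificate has expired: candidates for forgotten or dead assets."""
    return sorted(h for h, e in hosts.items() if e["latest_expiry"] < now_iso)
```

With a real export, `stale_hosts` is the list to compare against the asset register; anything present in CT but absent from the register is a host nobody is tracking.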

• Archives:

We can also gain historical information about a website, including its content, structure, and functionality, which can be useful for reconnaissance purposes, by using:

web.archive.org

visualping

So, in the case of passive reconnaissance, we do not obtain information by interacting directly with the target; we only obtain it from publicly available resources.