bughra.dev
Go back

Passive and Active Reconnaissance

Overview

Reconnaissance (recon) is the first phase in a penetration test and involves collecting information about the target systems, networks, and organizations. This phase is critical as the quality and quantity of information gathered directly impacts the effectiveness of subsequent phases in the penetration testing process.

Passive Reconnaissance

Passive reconnaissance involves gathering information about the target without directly interacting with the target systems. This approach is non-intrusive and doesn’t leave traces or logs on the target systems.

Key Characteristics

Common Passive Recon Techniques

  1. OSINT (Open Source Intelligence)

    • Examining public records and databases
    • Researching company websites and documentation
    • Reviewing job postings for technology stack information
    • Analyzing social media profiles of employees

  2. WHOIS Lookups

    • Gathering domain registration information
    • Identifying administrative and technical contacts
    • Determining domain registrars and expiration dates
    • whois bughra.dev

  3. DNS Information

    • Analyzing DNS records (A, MX, NS, CNAME, TXT)
    • Zone transfers (when available)
    • Subdomain enumeration via public records
    • dig any bughra.dev
    • nslookup bughra.dev

  4. Search Engine Research

    • Google dorking (using advanced search operators)
    • Finding cached content and historical data
    • Locating exposed documents and files

  5. Web Archives

    • Reviewing historical versions of websites
    • Identifying removed content and old infrastructure
    • archive.org

  6. Certificate Transparency

    • Analyzing SSL/TLS certificates
    • Discovering subdomains through certificate logs
    • crt.sh

Passive Recon Tools

Active Reconnaissance

Active reconnaissance involves direct interaction with the target systems to gather more detailed information. This approach is more intrusive and can potentially leave traces in system logs.

Key Characteristics

Common Active Recon Techniques

  1. Network Scanning

    • Port scanning to identify open services
    • Service version identification
    • Operating system fingerprinting
    • Network topology mapping

  2. Vulnerability Scanning

    • Automated identification of potential vulnerabilities
    • Service misconfiguration detection
    • Patch level assessment

  3. Banner Grabbing

    • Collecting service banners to identify software versions
    • Protocol-specific probing
    • nc $IP $PORT
    • telnet $IP $PORT

  4. Web Application Enumeration

    • Directory and file discovery
    • Parameter discovery and analysis
    • Technology stack identification
    • CMS version detection

  5. Active DNS Techniques

    • DNS zone transfer attempts
    • Brute forcing subdomains
    • DNS cache snooping

  6. Social Engineering Reconnaissance

    • Phishing campaigns for information gathering
    • Pretexting calls to help desk or employees

Active Recon Tools

The Reconnaissance Process Flow

A systematic approach to reconnaissance typically follows this pattern:

  1. Define Scope and Objectives

    • Determine target systems and boundaries
    • Establish goals for information gathering

  2. Passive Reconnaissance

    • Gather publicly available information
    • Build target profile without detection

  3. Initial Analysis and Mapping

    • Organize collected information
    • Identify potential entry points

  4. Active Reconnaissance

    • Verify findings from passive recon
    • Discover additional technical details

  5. Documentation and Analysis

    • Organize all gathered information
    • Identify patterns, vulnerabilities, and attack vectors
Share this post on:
Share this post via WhatsApp Share this post on Facebook Share this post on X Share this post via Telegram Share this post on Pinterest Share this post via email
Previous Post
Network Enumeration with Nmap
Next Post
Red Team Fundamentals and Methodologies