Passive reconnaissance is the initial phase of penetration testing where the tester gathers information about the target system or network without directly interacting with it. This phase is crucial as it helps in understanding the target's environment and identifying potential vulnerabilities without alerting the target.
Key Concepts
- Definition:
  - Passive reconnaissance involves collecting data from publicly available sources without directly engaging with the target system.
- Objectives:
  - To gather as much information as possible about the target.
  - To remain undetected by the target during the information-gathering process.
- Sources of Information:
  - Public websites
  - Social media platforms
  - Public records and databases
  - DNS records
  - WHOIS databases
Techniques and Tools
Techniques
- Open Source Intelligence (OSINT):
  - OSINT involves collecting information from publicly available sources. This can include websites, social media, forums, and other online platforms.
- WHOIS Lookup:
  - WHOIS databases provide information about domain registration, including the registrant's name, contact information, and the domain's creation and expiration dates.
- DNS Enumeration:
  - DNS enumeration involves gathering information about the domain name system (DNS) records of the target. This can reveal subdomains, mail servers, and other related information.
- Social Media Profiling:
  - Analyzing social media profiles of employees and the organization can provide valuable insights into the target's structure, key personnel, and potential security weaknesses.
Tools
- Maltego:
  - Maltego is a powerful tool for OSINT and forensics, providing a graphical interface to visualize relationships between different pieces of information.
- Recon-ng:
  - Recon-ng is a web reconnaissance framework with independent modules to gather information from various sources.
- theHarvester:
  - theHarvester is a tool designed to gather emails, subdomains, hosts, employee names, open ports, and banners from different public sources.
- Shodan:
  - Shodan is a search engine for Internet-connected devices, allowing testers to find information about the target's exposed devices and services.
Practical Example
Let's perform a basic WHOIS lookup using a command-line tool.
WHOIS Lookup Example
Explanation:
- The whois command queries the WHOIS database for information about the domain example.com.
Output
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2021-08-14T07:00:00Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2022-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.3103015820
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: unsigned
Explanation:
- The output provides details about the domain, including the registrar, creation and expiration dates, status, and name servers.
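As an added example that is not part of the course material, the Python below parses a whois record of the shape shown above (the example.com fields are embedded here as a constructed sample, one field per line) and applies three checks a domain owner would want from the same data: time to expiry, presence of a transfer lock, and DNSSEC status.

```python
import re
from datetime import date, datetime

# Constructed sample: the example.com record quoted above, one field per line,
# which is the shape the whois command prints it in.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: RESERVED-Internet Assigned Numbers Authority
Updated Date: 2021-08-14T07:00:00Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2022-08-13T04:00:00Z
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: unsigned
"""

REPEATED = {"Domain Status", "Name Server"}  # keys that legitimately recur

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; recurring keys become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue  # blank lines and registrar boilerplate carry no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in REPEATED:
            # Status lines carry a trailing EPP URL; keep only the status code.
            record.setdefault(key, []).append(value.split()[0])
        else:
            record[key] = value
    return record

def review_record(record, today):
    """Flag what a domain owner should act on; today is an ISO date string."""
    findings = []
    expiry = datetime.fromisoformat(record["Registry Expiry Date"].rstrip("Z")).date()
    days_left = (expiry - date.fromisoformat(today)).days
    if days_left < 60:
        findings.append(f"expires in {days_left} days")
    locks = {"clientTransferProhibited", "serverTransferProhibited"}
    if not locks & set(record.get("Domain Status", [])):
        findings.append("no transfer lock")  # domain could be moved away unnoticed
    if record.get("DNSSEC", "").lower() == "unsigned":
        findings.append("DNSSEC not enabled")
    return findings
```

The same parser works on output saved from a real whois run, since only the "Key: value" layout is assumed.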
Practical Exercise
Exercise 1: Perform a WHOIS Lookup
- Choose a domain name you want to investigate.
- Use the whois command to gather information about the domain.
- Document the key details you find, such as the registrant's name, contact information, and domain status.
Solution
- Open your terminal.
- Run the whois command against the chosen domain.
- Analyze the output and note down the important details.
Exercise 2: Use theHarvester to Gather Information
- Install theHarvester tool.
- Use theHarvester to gather emails and subdomains for a given domain.
Installation:
Usage:
Explanation:
- -d example.com: Specifies the domain to search.
- -l 500: Limits the number of results to 500.
- -b google: Specifies the search engine to use (Google in this case).
Solution
- Open your terminal.
- Run theHarvester with the options explained above.
- Review the output for emails and subdomains related to example.com.
Common Mistakes and Tips
- Mistake: Directly interacting with the target during passive reconnaissance.
  - Tip: Ensure that all information gathering is done through publicly available sources without engaging the target system.
- Mistake: Overlooking social media as a source of information.
  - Tip: Social media can provide valuable insights into the target's personnel and potential security weaknesses.
- Mistake: Not documenting findings properly.
  - Tip: Keep detailed notes of all information gathered during passive reconnaissance for future reference.
Conclusion
Passive reconnaissance is a critical phase in penetration testing that involves gathering information about the target without direct interaction. By using techniques like OSINT, WHOIS lookup, and DNS enumeration, and tools like Maltego, Recon-ng, and theHarvester, testers can collect valuable data while remaining undetected. This information forms the foundation for subsequent phases of the penetration test, helping to identify potential vulnerabilities and plan further actions.