Reconnaissance
Information Gathering, also known as Reconnaissance, is the first and foundational phase of a penetration test. The purpose of this phase is to collect as much relevant data about the target entity as possible, whether it's an organization, network, or individual.
This process covers both openly published information and data that the target would consider sensitive. Employee details such as names, roles and email addresses are a good example: on their own they look harmless, but in later stages of the test they let the tester craft convincing targeted phishing emails or deliver malicious attachments to the right people.
The more detailed and precise the information you collect during this stage, the higher the chances of success during the exploitation and post-exploitation phases of the pentest. A well-prepared penetration tester knows that thorough reconnaissance is key to exposing vulnerabilities in the target's defenses.
Examples of useful information:
Employee details: Names, email addresses, roles
Systems and Networks: Public IP addresses, domain names, infrastructure details
Technological Stack: Web technologies, software, and platforms in use
The success of future phases often hinges on the quality and depth of information gathered during this phase.
Types of Reconnaissance
There are two main types of reconnaissance in penetration testing: Active Reconnaissance and Passive Reconnaissance.
Active Reconnaissance
Active Reconnaissance involves directly interacting with the target system to gather information. This means explicitly communicating with the target, often by sending data packets and monitoring the responses. The tester might:
Identify the target's live IP addresses by sending probes and recording which hosts respond.
Perform port scans to identify open ports and the services listening on them.
Enumerate those services (banners, versions, exposed shares and user lists) to map the infrastructure behind them.
The goal is to learn about the target's systems by engaging with them directly. The trade-off is that every probe is traffic the target can see: connection attempts land in server logs and may trigger intrusion detection alerts, so active reconnaissance must stay within the agreed scope and rules of engagement.
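As an added example that is not part of the original page, here is the port-scan step above in Python: a threaded TCP connect scan with banner grabbing. So that it runs offline, it is pointed at a local stand-in service rather than a real target; the stand-in service, its SSH-style banner and the function names (probe_port, scan_ports, start_fake_service, reserve_closed_port) are my own constructions. Point scan_ports at a real host only inside an agreed scope.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """TCP connect probe of a single port.

    Returns (port, banner) when the port accepts a connection and None when
    the connection is refused (closed) or times out (filtered). The banner is
    whatever the service volunteers within `timeout` seconds: SSH, FTP and
    SMTP speak first, HTTP waits for the client, so its banner comes back empty.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                banner = conn.recv(256).decode("utf-8", "replace").strip()
            except OSError:  # includes socket.timeout: service said nothing
                banner = ""
            return port, banner
    except OSError:  # ConnectionRefusedError and timeouts both end up here
        return None


def scan_ports(host, ports, timeout=1.0, workers=32):
    """Connect-scan `ports` on `host` concurrently; returns {open_port: banner}."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for hit in pool.map(lambda p: probe_port(host, p, timeout), ports):
            if hit is not None:
                port, banner = hit
                results[port] = banner
    return results


def start_fake_service(banner, host="127.0.0.1"):
    """Local stand-in for a target service (constructed for this example).

    Binds an ephemeral port, greets every client with `banner`, then hangs up.
    Returns (port, server_socket); close the socket to stop the service.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed: let the thread finish
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def reserve_closed_port(host="127.0.0.1"):
    """Pick an ephemeral port and release it again, so it is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port, server = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    closed_port = reserve_closed_port()
    for port, banner in sorted(scan_ports("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{port}/tcp open  {banner!r}")
    server.close()
```

The connect scan completes the TCP handshake, which is exactly why it is not stealthy: the stand-in service here would see a full connection and the banner read in its logs, just as a real target would.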
Passive Reconnaissance
Passive Reconnaissance, on the other hand, does not involve direct interaction with the target. Instead, the tester gathers information from public resources and external observation. This process could include:
Reviewing cached or archived copies of the target's website, and looking up its IP ranges and DNS records through third-party sources (WHOIS, passive DNS, certificate transparency logs) rather than querying the target directly.
Identifying the target's domain names and their registered owners.
Collecting email addresses, social media profiles, and subdomains from search engines and other public records.
Researching the web technologies and platforms the target uses.
Because no traffic is sent to the target's own systems, nothing appears in its logs and it is not alerted that it is being studied. Note that browsing the target's live website is not passive in this sense: every request is recorded by its web server. The price of staying passive is that third-party data may be stale or incomplete, so findings are normally confirmed later with active techniques.
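An added example, not from the original page: once text has been gathered from third-party sources (search-engine results, an archived copy of a page, the output of a certificate transparency search), the harvesting step described above comes down to extracting email addresses and hostnames and keeping only those that are genuinely in scope. The sample text, the apex domain example.com and the function names (harvest, in_scope) are constructed for the example; nothing here contacts the target.

```python
import re

# Email local part followed by a domain; the domain is captured for the scope check.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# Dotted hostname ending in an alphabetic TLD. A wildcard entry such as
# *.example.com collapses to example.com because the match begins after "*.".
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")

# Constructed sample of text collected from public sources (not real data).
SAMPLE = """
Contact: Jane Doe <Jane.Doe@Example.com>, Head of IT; press@example.com
Careers page: https://careers.example.com/jobs (mirrored 2023-11-02)
CT log entries: *.example.com, vpn.example.com, mail.example.com.
Partner portal: https://example.com.partner-portal.net/login
Unrelated: admin@examplecorp.com, https://notexample.com/
"""


def in_scope(host, apex):
    """True only for the apex itself or a real subdomain of it.

    The leading dot in the suffix test is deliberate: 'notexample.com' and
    'example.com.partner-portal.net' contain the apex but belong to someone
    else, and treating them as in scope would send later phases at the wrong target.
    """
    host = host.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def harvest(text, apex):
    """Extract in-scope email addresses and hostnames from collected text.

    Everything is lower-cased and trailing dots are stripped so that the same
    name seen in different sources de-duplicates to one entry.
    """
    apex = apex.lower().rstrip(".")
    emails = {
        m.group(0).lower()
        for m in EMAIL_RE.finditer(text)
        if in_scope(m.group(1), apex)
    }
    hosts = {
        m.group(1).lower().rstrip(".")
        for m in HOST_RE.finditer(text)
        if in_scope(m.group(1), apex)
    }
    return {"emails": sorted(emails), "hosts": sorted(hosts)}


if __name__ == "__main__":
    found = harvest(SAMPLE, "example.com")
    print("emails:", *found["emails"], sep="\n  ")
    print("hosts:", *found["hosts"], sep="\n  ")
```

Run against the sample, the scope filter keeps jane.doe@example.com, press@example.com and the four in-scope hostnames, and discards the look-alike domains, the partner's domain that merely embeds the apex, and the false-positive match "Jane.Doe" that the hostname regex produces from the email's local part.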