Overview
Gathering information on target infrastructure, operations, and personnel.
Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts. [1]
Techniques
Different techniques can be used when conducting reconnaissance against a target or targets to identify hosts, networks, and users. Mapping a target's infrastructure and environmental conditions allows an attacker to uncover weaknesses that have a high chance of being exploitable. Generally, reconnaissance can be classified into the categories below:
- Infrastructure
  - Gaining intelligence surrounding the physical and digital infrastructure of the target.
  - IP addresses, physical security controls, domains, technologies, etc.
- Environmental
  - Gaining intelligence on the target organization's operational details.
  - Email and user naming conventions, website scraping, document parsing, etc.
- Users
  - Gaining intelligence on specific user weaknesses.
  - Breached credential searches, social media searches, etc.
- Vulnerabilities
  - Scanning infrastructure to identify potentially exploitable conditions.
  - Investigating avenues to exploit identified conditions.
Passive Scanning and Open Source Intelligence (OSINT)
Adversaries may execute passive reconnaissance via third-party services or gather information from open source repositories that can be used for target profiling. Typically, passive reconnaissance is near impossible to attribute back to an actor, because the target's own infrastructure is never touched.
| Detection | Mitigation |
|---|---|
| Threat Hunting | Passive scanning falls outside internal defensive visibility; however, regularly reviewing what passive scanning and OSINT sources expose about the organization, including employee credentials in password breaches, can help. |
Identifying Target Infrastructure
Passive reconnaissance can be performed against a target or in an attempt to identify a potential target by searching for information such as IP address spaces, domains, subdomains, services, etc.
Tools
- Shodan
- Censys
- Crt - Certificate Search
- Netcraft - Webserver Infrastructure
- Built With - Webserver Infrastructure
- WappAlyzer - Webserver Infrastructure
- WhatWeb - Webserver Infrastructure
- Sublist3r - Subdomain Enumeration
Discovering Email Addresses
Identifying the email addresses of key contacts within an organization can be a valuable method to scope potential targets. There are a variety of different methods to scope email accounts and personnel attached to a target, even identifying things such as management structures, work hours, phone numbers, and much more from a single name or email address.
Tools
Discovering Breached Credentials
Historic and newly collated breached credential sets contain millions of username, email, and password combinations resulting from user database breaches and hacks. Collating the information contained across multiple breaches can reveal password patterns for users who appear in more than one breach, making password guessing easier. Some dumps may contain clear-text credentials, while others contain hashed credentials that require further processing (cracking) before they can be used.
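As an added example, not code from this page or its author, the following Python shows the defender-side form of the breached-credential review mentioned in the OSINT detection row and in the paragraph above. It builds a hash-prefix index from a constructed clear-text dump the way a k-anonymity "range" lookup service does, checks a password against it without the password ever leaving the client, and then collates the dump per account to flag the digit-only password patterns the paragraph describes. The dump, email addresses and passwords are all constructed sample values.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample dump: made-up (email, password) pairs in the shape of a
# clear-text credential leak. None of these are real accounts or real breach data.
SAMPLE_DUMP = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "password123"),
    ("carol@example.com", "Winter2020!"),
    ("alice@example.com", "Summer2020!"),   # same user, second breach
]


def build_range_index(dump):
    """Index leaked passwords the way a k-anonymity 'range' service does:
    SHA-1 each password, bucket by the first five hex characters, and keep only
    the 35-character suffix with an occurrence count. No plaintext is retained."""
    index = defaultdict(lambda: defaultdict(int))
    for _, password in dump:
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        index[digest[:5]][digest[5:]] += 1
    return index


def query_range(index, prefix):
    """Server side of the lookup: return every suffix/count pair in one bucket.
    The server learns only the five-character prefix, so it cannot tell which
    password (if any) the client holds."""
    return dict(index.get(prefix, {}))


def breach_count(password, index):
    """Client side of the lookup: hash locally, send only the prefix, and match
    the suffix against the returned bucket. Returns how many times the password
    appeared in the indexed dumps (0 means not seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    bucket = query_range(index, digest[:5])
    return bucket.get(digest[5:], 0)


def reused_patterns(dump):
    """Collate the dump per account and flag users whose leaked passwords differ
    only in their digits (e.g. a year bumped between breaches). Each digit run
    is replaced with '#' to form a template; an account with more passwords
    than distinct templates is reusing a pattern and should be reset."""
    by_user = defaultdict(list)
    for email, password in dump:
        by_user[email].append(password)
    flagged = {}
    for email, passwords in by_user.items():
        templates = {re.sub(r"\d+", "#", p) for p in passwords}
        if len(passwords) > 1 and len(templates) < len(passwords):
            flagged[email] = sorted(templates)
    return flagged


if __name__ == "__main__":
    index = build_range_index(SAMPLE_DUMP)
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, index))
    print("pattern reuse:", reused_patterns(SAMPLE_DUMP))
```

Screening passwords at set-time against such an index and forcing resets for the accounts `reused_patterns` flags is the mitigation side of this review; only hashes are stored, so the index itself is not a second dump waiting to be leaked.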
Tools
Active Scanning [2]
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. Scanning can be achieved via several categories such as port scanning, vulnerability scanning, and wordlist scanning to name a few of the most common.
| Detection | Mitigation |
|---|---|
| Network Traffic | Scanning originates outside the internal defensive perimeter; however, externally facing ports and services should be reviewed and monitored regularly. |
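Added example, not code from this page or its author: a small Python detector for the "Network Traffic" detection row above. It parses constructed firewall log lines (the line format, addresses and timestamps are invented for the example) and raises an alert when one external source touches many ports on one host (vertical scan) or one port across many hosts (horizontal sweep) inside a sliding time window. The window size and thresholds are assumptions to tune to your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed syslog-like format:
#   <ISO timestamp> <ALLOW|DENY> <src_ip> <dst_ip> <dst_port> <proto>
# All addresses are from documentation ranges and every event is made up.
SAMPLE_LOG = (
    # one external host probes 12 ports on a single server in 12 seconds
    [f"2024-05-01T10:00:{i:02d}Z DENY 203.0.113.5 198.51.100.10 {p} tcp"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    # a second external host tries port 22 on ten different servers
    + [f"2024-05-01T10:02:{i:02d}Z DENY 203.0.113.9 198.51.100.{h} 22 tcp"
       for i, h in enumerate(range(1, 11))]
    # ordinary repeated HTTPS traffic from a legitimate client
    + [f"2024-05-01T10:03:{i:02d}Z ALLOW 192.0.2.44 198.51.100.10 443 tcp"
       for i in range(5)]
    # a stray probe half an hour later: alone in its window, below threshold
    + ["2024-05-01T10:30:00Z DENY 203.0.113.5 198.51.100.10 8080 tcp",
       "this line is malformed and must be skipped by the parser"]
)

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+) (\w+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port, proto = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action,
            "src": src, "dst": dst, "port": int(port), "proto": proto}


def detect_scans(lines, window=timedelta(seconds=60),
                 port_threshold=10, host_threshold=10):
    """Sliding-window scan detector.

    For each source IP keep the events seen within `window`. A vertical alert
    fires when one source has touched >= port_threshold distinct ports on one
    destination; a horizontal alert fires when one source has touched the same
    port on >= host_threshold distinct destinations. Alerts are keyed by
    (type, src, target) so a continuing scan updates its count rather than
    producing a new alert per packet.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> events inside the current window
    alerts = {}                   # (type, src, target) -> alert dict
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:   # drop events older than the window
            q.popleft()
        ports_per_dst, dsts_per_port = defaultdict(set), defaultdict(set)
        for ev in q:
            ports_per_dst[ev["dst"]].add(ev["port"])
            dsts_per_port[ev["port"]].add(ev["dst"])
        hits = [("vertical", dst, len(ports))
                for dst, ports in ports_per_dst.items() if len(ports) >= port_threshold]
        hits += [("horizontal", port, len(dsts))
                 for port, dsts in dsts_per_port.items() if len(dsts) >= host_threshold]
        for kind, target, count in hits:
            key = (kind, e["src"], target)
            alert = alerts.setdefault(key, {"type": kind, "src": e["src"], "target": target,
                                            "count": 0, "first_seen": q[0]["ts"]})
            alert["count"] = max(alert["count"], count)
            alert["last_seen"] = e["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a['type']:10} src={a['src']} target={a['target']} count={a['count']} "
              f"{a['first_seen']:%H:%M:%S}-{a['last_seen']:%H:%M:%S}")
```

Run against the sample it reports one vertical alert (203.0.113.5, 12 ports on 198.51.100.10) and one horizontal alert (203.0.113.9, port 22 on 10 hosts); the repeated HTTPS client and the lone 8080 probe stay below threshold. Slow scans that spread probes over hours defeat a 60-second window, which is why such a rule belongs alongside a longer-horizon review of what is exposed, not in place of it.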
Tools
- Scanning IP Blocks
- Vulnerability Scanning
  - Darkcybe - Nmap Guide
  - [Darkcybe - Nessus Guide] Coming Soon
  - [Darkcybe - Nikto Guide] Coming Soon
- Wordlist Scanning
  - Darkcybe - Nmap Guide
  - [Darkcybe - Dirbuster Guide] Coming Soon
Gather Victim Host Information [3]
Adversaries may gather information about the victim’s hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).