Domain 5 · 5.5 Audits & Assessments

5.5.4 Reconnaissance

Passive and active.

10 min

Reconnaissance is the preparatory phase of an attack where a threat actor gathers as much information as possible about a target’s network, systems, and personnel.

Passive Reconnaissance Passive reconnaissance involves collecting information without directly interacting with the target's systems, making it difficult for detective controls to log or alert on the activity.

  • OSINT (Open-Source Intelligence): Leveraging publicly available data. Threat actors may monitor social media (Twitter/X, LinkedIn) or subreddits like r/threatintel to identify employee roles or software versions.
  • WHOIS Lookups: Querying databases to find domain registration details, administrative contacts, and IP address ranges.
  • GHDB (Google Hacking Database): Using advanced search operators (Dorks) to find exposed files, login pages, or subdomains.
  • DNS Enumeration: Analyzing publicly accessible DNS records (MX, TXT, A) to map out mail servers and infrastructure.
  • Job Postings: Examining lists for specific technologies (e.g., "Experience with Windows Server 2019 and Cisco ASA") to determine the internal tech stack.

Active Reconnaissance Active reconnaissance involves direct engagement with the target's infrastructure, which leaves a digital footprint and increases the risk of being caught by an Intrusion Detection System (IDS).

  • Port Scanning: Using tools like Nmap to identify open ports and services running on a host.
  • Vulnerability Scanning: Actively probing for weaknesses. This must be done within a defined scope to avoid legal issues, similar to bug bounty programs where researchers are authorized to probe specific assets.
  • Banner Grabbing: Sending a request to a service (like SSH or HTTP) to see what information it returns about its version and OS.
  • OS Fingerprinting: Analyzing TCP/IP stack responses to determine if a machine is running Linux, Windows, or an embedded system.
  • Network Mapping: Using utilities like traceroute or pathping to visualize the path to the internal network.

Reconnaissance Targets Reconnaissance focuses on discovering entry points and high-value targets within the architecture.

  • Trust Relationships: Identifying transitive trusts or federated systems where Company A trusts Company B. An attacker may breach a weaker partner to move laterally into the primary target.
  • Cloud Infrastructure: Identifying Cloud Deployment Models (Public, Private, Hybrid) and misconfigured storage buckets.
  • Specialized Systems: Identifying legacy SCADA/ICS or embedded systems that may lacks standard security updates.

Quick recall - Detective Controls: Tools like IDSs or cameras that identify an attack in progress. - Attack vs. Incident: An attack is the attempt to exploit a vulnerability; it becomes an incident once the target recognizes it. - Bug Bounty: A rewards-based program for reporting vulnerabilities, provided the researcher stays within the authorized scope. - Passive vs. Active: Passive = no direct contact (stealthy); Active = direct contact (noisy).