Reconnaissance is an important first stage in any ethical hacking attempt. Before it’s possible to exploit a vulnerability in the target system, it’s necessary to find it. By performing reconnaissance on the target, an ethical hacker can learn about the details of the target network and identify potential attack vectors.
Reconnaissance efforts can be broken up into two types: passive and active. While both versions can be effective, passive reconnaissance prioritizes subtlety (ensuring that the hacker is not detected), while active reconnaissance is used for cases where collecting information is more important than remaining undetected.
Top passive recon tools
In passive reconnaissance, the hacker never interacts directly with the target’s network. The tools used for passive reconnaissance take advantage of unintentional data leaks from an organization to provide the hacker with insight into the internals of the organization’s network.
Wireshark is best known as a network traffic analysis tool, but it can also be invaluable for passive network reconnaissance. If an attacker can gain access to an organization’s Wi-Fi network or otherwise eavesdrop on the network traffic of an employee (e.g., by eavesdropping on traffic in a coffee shop), analyzing it in Wireshark can provide a great deal of useful intelligence about the target network.
By passively eavesdropping on traffic, a hacker may be able to map IP addresses of computers within the organization’s network and determine their purposes based on the traffic flowing to and from them. Captured traffic may also include version information of servers, allowing a hacker to identify potentially vulnerable software that can be exploited.
Google can provide a vast amount of information on a variety of different topics. One potential application of Google is for performing passive reconnaissance about a target.
The information that an organization posts online can provide a massive amount of information about their network. The organization’s website, especially its career page, can provide details of the types of systems used in the network. By using specialized Google queries (Google Dorking), it’s also possible to search for files that were not intentionally exposed to the internet but still publicly available as well.
FindSubDomains.com is one example of a variety of different websites designed to help identify websites that belong to an organization. While many of these sites may be deliberately intended for public consumption and others may be protected by login pages, the possibility exists that some are unintentionally exposed to the internet. Accessing error pages or unintentionally exposed pages (that should belong on the company intranet) can provide valuable intelligence about the systems that the company uses.
VirusTotal is a website designed to help with analysis of potentially malicious files. Anyone with an account on the service can upload files or URLs for analysis and receive results that describe whether or not the file or website is likely to be malicious, behavioral analysis and other potential indicators of compromise.
The problem with VirusTotal is that it, and other similar sites, make the same information available to any free subscriber (and provide more data to paid users). As attacks become more sophisticated and targeted, malware or malicious websites targeting an organization may include sensitive internal data. As a result, terabytes of sensitive data are being uploaded to the service by companies trying to determine if they are the victim of an attack. A hacker searching through the data provided on VirusTotal by keywords associated with a company can potentially find a great deal of valuable intelligence.
Shodan is a search engine for internet-connected devices. As the Internet of Things grows, individuals and organizations increasingly are connecting insecure devices to the internet.
Using Shodan, a hacker may be able to find devices within the IP address range belonging to a company, indicating that they have the device deployed on their network. Since many IoT devices are vulnerable by default, identifying one or more on the network may give a hacker a good starting point for a future attack.
Top active recon tools
Tools for active reconnaissance are designed to interact directly with machines on the target network in order to collect data that may not be available by other means. Active reconnaissance can provide a hacker with much more detailed information about the target but also runs the risk of detection.
Nmap is probably the most well-known tool for active network reconnaissance. Nmap is a network scanner designed to determine details about a system and the programs running on it. This is accomplished through the use of a suite of different scan types that take advantage of the details of how a system or service operates. By launching scans against a system or a range of IP addresses under a target’s control, a hacker can learn a significant amount of information about the target network.
Nessus is a commercial vulnerability scanner. Its purpose is to identify vulnerable applications running on a system and provides a variety of details about potentially exploitable vulnerabilities. Nessus is a paid product, but the comprehensive information that it provides can make it a worthwhile investment for a hacker.
OpenVAS is a vulnerability scanner that was developed in response to the commercialization of Nessus. The Nessus vulnerability scanner was previously open-source, and, when it became closed-source, OpenVAS was created off of the last open-source version to continue to provide a free alternative. As a result, it provides a lot of the same functionality as Nessus but may lack some of the features developed since Nessus was commercialized.
Nikto is a web server vulnerability scanner that can be used for reconnaissance in a manner similar to Nessus and OpenVAS. It can detect a variety of different vulnerabilities but is also not a stealthy scanner. Scanning with Nikto can be effective but is easily detectable by an intrusion detection or prevention system (like most active reconnaissance tools).
Metasploit is primarily designed as an exploitation toolkit. It contains a variety of different modules that have prepackaged exploits for a number of vulnerabilities. With Metasploit, even a novice hacker has the potential to break into a wide range of vulnerable machines.
Although it was designed as an exploit toolkit, Metasploit can also be effectively used for reconnaissance. At the minimum, using the autopwn option on Metasploit allows a hacker to try to exploit a target using any means necessary. More targeted analysis can allow a hacker to perform reconnaissance using Metasploit with more subtlety.
Conclusion: Performing network reconnaissance
Network reconnaissance is a crucial part of any hacking operation. Any information that a hacker can learn about the target environment can help in identification of potential attack vectors and targeting exploits to potential vulnerabilities. By using a combination of passive and active reconnaissance tools and techniques, a hacker can maximize the information collected while minimizing their probability of detection.