This is a brief introduction to what reconnaissance is and what this blog is all about.
First of all, I would like to say that reconnaissance is my favourite and most stressed subject, and by no means am I an expert in this field. But like everyone else dedicated to a particular subject, I try to learn and get better every day!
Reconnaissance is the art of information gathering. In the cyber world, it is the art of gathering as much information as possible about the target and mapping the attack surface against it. Now, when we talk about an attack surface, it does not necessarily have to be an IP or group of IPs belonging or somehow related to the target. It can be an email address, a telephone number, etc., belonging to a person who is somehow related to the target. Reconnaissance is one of the most misunderstood, underestimated and difficult topics in the field of information security. When I say difficult, I am referring to the approach a person should take to carry out this process.
After all, if you can't find all the avenues to attack a target, you can miss out on achieving your objective, which might be to breach the security of the target or to audit it (depending on who you are ;) ).
So folks, recon can even include the things that seem very insignificant at first.
Without going into technical details, the brief objectives of recon include (and by no means is this list complete):
1. Studying the target and what it does. This can include documents published by it online, which give information about its organizational, political or IT infrastructure. It can also include the use of search engines, geo-location mapping, etc.
2. Mapping the real-world target to a cyber-world target. This refers to gathering all the IPs representing the complete target organization, including all its affiliates, partner companies, sister companies, brands, divisions, etc.
3. Gathering all the information about personnel related to the target. This can include gathering email addresses, official and residential phone numbers, social networking site, newsgroup or forum information, resumes, personal websites, social engineering, using search engines, extracting metadata from published documents, etc. People are often the weakest link to attack, but going through this process is very tedious at times.
Some technical specifics included in the recon process, which I find the most interesting and difficult, and which again are by no means complete:
1. Identifying the online presence of corporate networks belonging to the target.
2. Identifying all the (publicly accessible) DNS servers used by the personnel related to the target.
3. Identifying masquerading. When we see traffic from an IP, how do we know that the traffic is generated by a single machine and not by many machines behind a NAT device? (Hell yeah! That's what identifying masquerades is all about.)
4. Identifying network or application firewalls, load balancers, honeypots, reverse proxies, IPS/IDS, etc.
5. Mapping the target network's layout.
6. Identifying the presence of URL rewriting engines employed on a web server.
7. Identifying application servers, backend technologies and, to some extent, the inner workings of a target web application.
Some people may argue that many of the aforementioned points belong to the enumeration phase of an attack, but for me all of these fall under recon. (To tell the truth, for me identifying a database backend via an error message also falls under recon, even if I have injected a single quote into a web application parameter to cause the error ;) )
One last note:
Even though this blog is primarily about reconnaissance, this doesn't mean that I am not going to post on other topics of information security.
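To make point 3 above (identifying masquerading) concrete, here is an added example of passive NAT detection; it is my own illustration, not code from the original post. It applies two classic heuristics to packets that all carry the same source address: TTL analysis (different OS families start from different initial TTLs, so several inferred initial TTLs behind one address point to several hosts) and IP ID sequence analysis (hosts with a global incrementing IP ID counter each produce one near-consecutive sequence, so several interleaved sequences point to several hosts). The packet records, addresses and the hop counts are constructed for the example, and the initial-TTL table is an assumption about common defaults.

```python
"""Passive NAT / masquerade detection from per-packet metadata (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: typical initial TTLs of common OS families (64 Linux/macOS,
# 128 Windows, 255 many network devices, 32 some old stacks).
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as seen at the observation point
    ttl: int    # IP TTL as received
    ip_id: int  # IP identification field


def infer_initial_ttl(ttl: int) -> int:
    """Map an observed TTL to the smallest common initial TTL it could have started from."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return 255


def count_ipid_sequences(ids, max_gap: int = 64) -> int:
    """Greedily cluster IP IDs into increasing sequences (modulo 2^16).

    Each cluster approximates one host with a global incrementing IP ID counter.
    IDs of 0 are skipped: Linux sends 0 on DF packets, and a run of zeros would
    otherwise look like many hosts.
    """
    last_seen = []  # last ID assigned to each candidate sequence
    for ip_id in ids:
        if ip_id == 0:
            continue
        for k, last in enumerate(last_seen):
            if 0 < (ip_id - last) % 65536 <= max_gap:
                last_seen[k] = ip_id
                break
        else:
            last_seen.append(ip_id)
    return len(last_seen)


def analyze(packets):
    """Return, per source IP, the evidence that more than one host sits behind it."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    report = {}
    for src, pkts in by_src.items():
        observed_ttls = sorted({p.ttl for p in pkts})
        initial_ttls = sorted({infer_initial_ttl(p.ttl) for p in pkts})
        nonzero_ids = [p.ip_id for p in pkts if p.ip_id != 0]
        sequences = count_ipid_sequences(nonzero_ids)
        # Many tiny sequences from one address usually means a randomised IP ID
        # (modern Windows, OpenBSD, some Linux traffic), not many hosts.
        ipid_usable = len(nonzero_ids) >= 4 and sequences <= len(nonzero_ids) // 2
        evidence = []
        if len(initial_ttls) > 1:
            evidence.append(f"initial TTLs {initial_ttls} imply different OS families")
        elif len(observed_ttls) > 1:
            evidence.append(f"TTLs {observed_ttls} imply different hop counts")
        if ipid_usable and sequences > 1:
            evidence.append(f"{sequences} interleaved IP ID sequences")
        report[src] = {
            "masquerade": len(initial_ttls) > 1 or (ipid_usable and sequences > 1),
            "hosts_estimate": max(len(initial_ttls), sequences if ipid_usable else 1),
            "evidence": evidence,
        }
    return report


# Constructed sample: 203.0.113.7 hides a Linux box (TTL 64 minus 10 hops) and a
# Windows box (TTL 128 minus 10 hops) behind one NAT; 198.51.100.9 is one host.
SAMPLE = [
    Packet("203.0.113.7", 54, 1000), Packet("203.0.113.7", 118, 40000),
    Packet("203.0.113.7", 54, 1002), Packet("203.0.113.7", 118, 40001),
    Packet("203.0.113.7", 54, 1005), Packet("203.0.113.7", 118, 40003),
    Packet("203.0.113.7", 54, 1009),
    Packet("198.51.100.9", 54, 500), Packet("198.51.100.9", 54, 501),
    Packet("198.51.100.9", 54, 503), Packet("198.51.100.9", 54, 504),
]

if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE).items():
        print(src, verdict)
```

Running it reports 203.0.113.7 as a masquerade with an estimate of two hosts (two initial TTLs and two interleaved IP ID sequences) and 198.51.100.9 as a single host. Both heuristics are noisy on real traffic: a host whose route changes shows several TTLs, and hosts with randomised or zero IP IDs give the sequence test nothing to work with, which is why the verdict is only drawn when the IP ID evidence looks usable or the TTLs imply different OS families.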
Will be back with more..
Cheers!
Wednesday, November 4, 2009