Introduction
In this post, we covered the first part of passive and active reconnaissance basics and tools. We covered DNS reconnaissance using tools such as dig, whois and nslookup, as well as online tools such as threat-intelligence platforms. This post is part of the TryHackMe Red Team pathway.
In a red team operation, you might start with no more than a company name, from which you need to start gathering information about the target. This is where reconnaissance comes into play. Reconnaissance (recon) can be defined as a preliminary survey or observation of your target (client) without alerting them to your activities. If your recon activities create too much noise, the target will be alerted, which decreases the likelihood of your success.
Reconnaissance can be broken down into two parts — passive reconnaissance and active reconnaissance. We will be focusing on passive reconnaissance, i.e., techniques that don’t alert the target or create ‘noise’. In later rooms, we will use active reconnaissance tools that tend to be noisy by nature.
Reconnaissance (recon) can be classified into two parts:
- Passive recon: carried out by observing only, without sending anything to the target's systems
- Active recon: requires interacting with the target to provoke it, then observing its response
Passive recon doesn’t require interacting with the target: you aren’t sending any packets or requests to the target or the systems it owns. Instead, passive recon relies on publicly available information that is collected and maintained by third parties. Open Source Intelligence (OSINT) gathering can be as simple as viewing a target’s publicly available social media profile. Information we might collect includes domain names, IP address blocks, email addresses, employee names and job posts. One caveat for the DNS tooling covered in this post (dig, nslookup, whois): a lookup through a public recursive resolver, or a query to a passive-DNS or threat-intelligence platform, reaches the target’s authoritative name servers (if at all) from the resolver’s address rather than yours, whereas pointing dig directly at the target’s own authoritative server does touch infrastructure the target owns and may be logged there. In the upcoming task, we’ll see how to query DNS records, expand on the topics from the Passive Reconnaissance room, and introduce more advanced tooling to aid your recon.
Active recon requires interacting with the target by sending requests and packets and observing if and how it responds. The responses collected, or the lack of responses, enable us to expand on the picture we started developing using passive recon. An example of active reconnaissance is using Nmap to scan target subnets for live hosts. Other examples can be found in the Active Reconnaissance room. Information we would want to discover includes live hosts, running servers, listening services and version numbers.
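As an added example (not code from the original post or from the TryHackMe room), the Python helpers below do offline what the passive-recon tools above do at the command line: resolve a host into its IPv4 and IPv6 addresses (what `dig`/`nslookup` give you, here via the OS stub resolver so the target’s authoritative servers are only ever contacted by your recursive resolver), pull the creation date out of `whois` output in the YYYY-MM-DD form the room asks for, and build the `site:`/`filetype:` Google dorks. The whois text, the fake resolver records (documentation IP ranges) and the domain target.example are constructed for the example and are not real data about any target.

```python
"""Passive-recon helpers (added example): resolve a host into its IPv4 and IPv6
addresses, pull the registration date out of whois output, and build Google
dork queries. SAMPLE_WHOIS, fake_resolver and target.example are constructed
for the example, not real lookups."""
import ipaddress
import re
import socket
from datetime import datetime
from typing import Callable, Iterable, List, Optional, Tuple

Resolver = Callable[[str], Iterable[str]]


def system_resolver(hostname: str) -> Iterable[str]:
    """Resolve through the OS stub resolver, the same path dig/nslookup take by
    default. Any query to the target's authoritative servers is then made by
    your configured recursive resolver from its own address, not yours."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def split_by_ip_version(hostname: str,
                        resolver: Resolver = system_resolver) -> Tuple[List[str], List[str]]:
    """Return (ipv4_list, ipv6_list) for hostname, de-duplicated and sorted,
    which answers the 'how many IPv4/IPv6 addresses' style of question."""
    v4, v6 = set(), set()
    for raw in resolver(hostname):
        ip = ipaddress.ip_address(raw)          # raises on malformed input, by design
        (v4 if ip.version == 4 else v6).add(str(ip))
    return (sorted(v4, key=ipaddress.ip_address),
            sorted(v6, key=ipaddress.ip_address))


# Registrars label the creation date differently; cover the common spellings.
_CREATED_FIELD = re.compile(
    r"^\s*(?:Creation Date|Registration Date|Registered on|created)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
_DATE_FORMATS = ("%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")


def registration_date(whois_text: str) -> Optional[str]:
    """Return the first parseable creation date in whois output as YYYY-MM-DD,
    or None if no recognised field is present."""
    for match in _CREATED_FIELD.finditer(whois_text):
        # Keep only the date part of values like 2019-03-05T10:11:12Z or '05-Mar-2019 10:00'.
        value = re.split(r"[T\s]", match.group(1), maxsplit=1)[0]
        for fmt in _DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).strftime("%Y-%m-%d")
            except ValueError:
                continue
    return None


def google_dork(site: str, filetype: Optional[str] = None, *terms: str) -> str:
    """Build a Google query restricted to one site, optionally to one file type,
    followed by any free-text terms (e.g. 'passwords')."""
    parts = [f"site:{site}"]
    if filetype:
        parts.append(f"filetype:{filetype}")
    parts.extend(terms)
    return " ".join(parts)


# --- Constructed inputs so the example runs offline -------------------------
SAMPLE_WHOIS = """\
Domain Name: TARGET.EXAMPLE
Updated Date: 2023-01-15T04:00:00Z
Creation Date: 2019-03-05T10:11:12Z
Registry Expiry Date: 2025-03-05T10:11:12Z
"""


def fake_resolver(hostname: str) -> Iterable[str]:
    """Stand-in for system_resolver: fixed records from documentation ranges,
    with a duplicate to show the de-duplication."""
    return ["203.0.113.10", "203.0.113.11", "203.0.113.10", "2001:db8::1"]


if __name__ == "__main__":
    v4, v6 = split_by_ip_version("www.target.example", fake_resolver)
    print(f"{len(v4)} IPv4, {len(v6)} IPv6 ->", v4, v6)
    print("registered:", registration_date(SAMPLE_WHOIS))
    print(google_dork("clinic.thmredteam.com", "xls"))
    print(google_dork("clinic.thmredteam.com", None, "passwords"))
    # Live use: split_by_ip_version("clinic.thmredteam.com") with the default resolver,
    # and registration_date(open("whois.txt").read()) on saved `whois <domain>` output.
```

For a live run, save the output of `whois <domain>` to a file and feed it to `registration_date`; the field regex is deliberately loose because registries and registrars do not share one layout, so check the raw output if it returns None.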
Challenge Answers
The room's questions:
- When was thmredteam.com created (registered)? (YYYY-MM-DD)
- To how many IPv4 addresses does clinic.thmredteam.com resolve?
- To how many IPv6 addresses does clinic.thmredteam.com resolve?
- How would you search using Google for xls files indexed for http://clinic.thmredteam.com?
- How would you search using Google for files with the word passwords for http://clinic.thmredteam.com?
- What is the shodan command to get your Internet-facing IP address?