In this post we will discuss the reconnaissance phase of network penetration testing. Reconnaissance means gaining information about computers or networks. It is the initial step before exploiting the target system.
Reconnaissance can be either active or passive. Active reconnaissance involves port scans and OS scans, while passive reconnaissance relies on sniffing regular host traffic. In both methods the goal is to gain information about the target's capabilities and vulnerabilities.
Reconnaissance for a targeted attack takes several forms. Let’s take a look at each one of them.
Address reconnaissance is the identification of the address space in use by the target organization. An attacker could use DNS to identify the address of the organization’s web server.
DNS will also provide critical information such as the address of the primary DNS server for the domain and the mail server addresses for the organization.
An attacker could do name searches through ARIN to find other address blocks assigned to the target organization.
DNS can also be used to identify additional web servers, mail servers, and address ranges. All of this information can be found without alerting the target.
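The same public records an attacker reads are the ones a defender should inventory. The following is an added example (not code from the original post): it parses a constructed set of A, MX and NS records for a placeholder zone, lists the hosts that DNS itself labels as mail or name servers, and groups every published address by /24 block so the organization can see which address ranges its own DNS reveals. The zone name, addresses and record set are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what an outsider can read from a public zone.
# example.org is a placeholder; addresses come from the documentation ranges.
PUBLIC_RECORDS = """
example.org.        A   198.51.100.10
www.example.org.    A   198.51.100.10
mail.example.org.   A   198.51.100.25
example.org.        MX  10 mail.example.org.
example.org.        NS  ns1.example.org.
ns1.example.org.    A   198.51.100.2
vpn.example.org.    A   203.0.113.40
"""

RECORD_RE = re.compile(r"^(\S+)\s+(A|MX|NS)\s+(.+)$")


def parse_records(text):
    """Return (name, type, value) tuples; MX priority is dropped, trailing dots kept."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        name, rtype, value = m.groups()
        if rtype == "MX":
            value = value.split()[-1]  # keep only the exchange host name
        records.append((name, rtype, value))
    return records


def summarize_exposure(records, prefix=24):
    """Group every published A record by /prefix block and list the hostnames in it."""
    by_name = {n: v for n, t, v in records if t == "A"}
    blocks = defaultdict(set)
    for name, ip in by_name.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].add(name)
    return dict(blocks)


def role_hosts(records):
    """Hosts that DNS labels as mail (MX) or name (NS) servers, with their A record if published."""
    a_records = {n: v for n, t, v in records if t == "A"}
    roles = {}
    for name, rtype, value in records:
        if rtype in ("MX", "NS"):
            roles[value] = {"role": rtype, "address": a_records.get(value)}
    return roles


if __name__ == "__main__":
    recs = parse_records(PUBLIC_RECORDS)
    for block, hosts in sorted(summarize_exposure(recs).items()):
        print(block, sorted(hosts))
    for host, info in role_hosts(recs).items():
        print(host, info)
```

Running the inventory against a real zone only requires replacing the constructed text with a dump of the organization's own published records; the second address block in the sample (203.0.113.0/24) is the kind of range that often surprises an owner who thought all public hosts sat in one block.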
Phone Number Reconnaissance
From what I know, phone number reconnaissance is more difficult than identifying the network addresses associated with a target organization.
Directory assistance can be used to identify the primary phone number for the target. Many organizations list contact phone or fax numbers on their web sites.
After finding a few numbers, the hacker may decide to look for working numbers. He might use a tool like a war dialer or something similar.
The hacker may choose to perform this activity during off hours or on weekends to lessen the potential for discovery.
Another downside of this activity is that the hacker does not know for sure which of the numbers are used by the target organization. The hacker may identify a number that leads to another organization.
A lot of organizations use wireless technology for the advantages it offers in terms of connectivity. The hacker is likely to check the surrounding areas to find out which wireless technology is in use.
The hacker can perform this reconnaissance easily by walking or driving around the building. This type of reconnaissance does require the hacker to be physically near the target.
The goal of system reconnaissance is to identify the operating system and its vulnerabilities.
The hacker may use ping sweeps or scans to identify the systems. If the hacker wants to remain hidden, a very slow ping rate or scan rate is most effective.
In this case, the hacker sends a ping to one address every hour or so. Most administrators may not even notice this.
Operating system identification scans are harder to keep hidden, because the packet signatures of most tools are well known. Furthermore, intrusion detection systems will likely identify any attempts.
In most cases the hacker can easily guess the operating system. In the next step, the hacker can gather the OS vulnerabilities.
The hacker can run a vulnerability scanner to list the vulnerabilities found in the discovered OS.
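The slow sweep described above (one probe per hour) slips past rate-based alerting, but it still leaves a pattern: one source touching many distinct destinations over a long window. The following is an added detection example, not code from the original post. It parses constructed firewall log lines in a made-up format (timestamp, ICMP echo-request, src and dst) and flags any source that probes at least `min_targets` distinct hosts within a sliding window, so that a sweep spread over a day is caught the same way as a burst. The log format, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: 203.0.113.5 probes one new host per hour (a slow sweep),
# 203.0.113.7 probes four hosts in two seconds (a fast sweep), and 192.0.2.8 is
# ordinary monitoring that pings the same host repeatedly.
SAMPLE_LOG = """
2024-05-01T00:05:10Z ICMP echo-request src=203.0.113.5 dst=198.51.100.10
2024-05-01T01:07:42Z ICMP echo-request src=203.0.113.5 dst=198.51.100.11
2024-05-01T02:03:19Z ICMP echo-request src=203.0.113.5 dst=198.51.100.12
2024-05-01T02:03:20Z ICMP echo-request src=203.0.113.7 dst=198.51.100.10
2024-05-01T02:03:20Z ICMP echo-request src=203.0.113.7 dst=198.51.100.11
2024-05-01T02:03:21Z ICMP echo-request src=203.0.113.7 dst=198.51.100.12
2024-05-01T02:03:21Z ICMP echo-request src=203.0.113.7 dst=198.51.100.13
2024-05-01T03:09:55Z ICMP echo-request src=203.0.113.5 dst=198.51.100.13
2024-05-01T03:30:00Z ICMP echo-request src=192.0.2.8 dst=198.51.100.10
2024-05-01T04:01:03Z ICMP echo-request src=203.0.113.5 dst=198.51.100.14
2024-05-01T09:00:00Z ICMP echo-request src=192.0.2.8 dst=198.51.100.10
"""

LINE_RE = re.compile(r"^(\S+) ICMP echo-request src=(\S+) dst=(\S+)$")


def parse_log(text):
    """Return (timestamp, src, dst) tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_sweeps(events, window=timedelta(hours=24), min_targets=4):
    """Map each source that reached >= min_targets distinct destinations inside
    any `window`-long span to the sorted list of those destinations.

    Counting distinct destinations over a long window, rather than packets per
    second, is what makes the one-probe-per-hour sweep visible.
    """
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        # Slide the window start over each probe; small inputs make O(n^2) acceptable.
        for i, (start, _) in enumerate(probes):
            targets = {dst for ts, dst in probes[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for src, targets in find_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src} swept {len(targets)} hosts: {', '.join(targets)}")
```

With the default 24-hour window both sweeping sources are reported and the monitoring host is not; shrinking the window to a few minutes keeps only the burst, which is exactly the blind spot a slow sweep relies on.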
Physical reconnaissance is a hacker’s favorite. The hacker may choose to observe things like the cameras in the building, the time employees enter and exit, the time employees go for smoke breaks, etc.
The hacker may note common paths taken by employees to enter or exit the facility. Such paths may be the perfect location to plant something like a USB memory stick for employees to find.
The hacker may also examine how paper recycling is handled. With this, a hacker may be able to find all the information he wants by searching through the dumpster at night.