In this post we will discuss about the Reconnaissance phase in network penetration. Reconnaissance is an attempt to gain information about targeted computers or networks that can be used as a initial step towards a further attacks seeking to exploit the target system. Reconnaissance attack can be active or passive. Active reconnaissance involves port scans and OS scans, while passive reconnaissance relies on sniffing regular host traffic in order to gain information about its capabilities and vulnerabilities. Reconnaissance for a targeted attack takes several forms. It could be one of these address reconnaissance, phone number reconnaissance, system reconnaissance and physical reconnaissance. Let’s take a look at each one of them.
[TS_VCSC_Horizontal_Steps_Container min_width=”200″ max_width=”400″ icon_size=”50″ icon_max=”80″ el_file=””][TS_VCSC_Horizontal_Steps_Item step_replace=”true” step_image=”11598″ icon_back_default=”#ac193d” icon_back_hover=”#bf1e4b” step_title=”Phase 1″ step_content=”UmVjb25uYWlzc2FuY2U=” content_color=”#4e4e4d” el_file=””][TS_VCSC_Horizontal_Steps_Item step_replace=”true” step_image=”11463″ icon_back_default=”#008a00″ icon_back_hover=”#00a600″ step_title=”Phase 2″ step_content=”U2Nhbm5pbmc=” content_color=”#4e4e4d” el_file=””][TS_VCSC_Horizontal_Steps_Item step_replace=”true” step_image=”11397″ icon_back_default=”#d24726″ icon_back_hover=”#dc572e” step_title=”Phase 3″ step_content=”R2FpbmluZyUyMEFjY2Vzcw==” content_color=”#4e4e4d” tooltip_animation=”grow” el_file=””][TS_VCSC_Horizontal_Steps_Item step_replace=”true” step_image=”11184″ icon_back_default=”#8c0095″ icon_back_hover=”#a700ae” step_title=”Phase 4″ step_content=”TWFpbnRhaW5pbmclMjBBY2Nlc3M=” content_color=”#4e4e4d” tooltip_animation=”grow” el_file=””][TS_VCSC_Horizontal_Steps_Item step_replace=”true” step_image=”11460″ icon_back_default=”#e8be1b” icon_back_hover=”#f7d240″ step_title=”Phase 5″ step_content=”Q292ZXJpbmclMjBUcmFja3M=” content_color=”#4e4e4d” tooltip_animation=”grow” el_file=””][/TS_VCSC_Horizontal_Steps_Container]
Address reconnaissance is identification of the address space in use by the target organization. An attacker could use DNS to identify the address of the organization’s web server. DNS will also provide the critical information such as address of the primary DNS server for the domain and the mail server addresses for the organization. An attacker could do name searches through ARIN to find other address blocks assigned to the target organization. DNS can also be used to identify additional web servers, mail servers, and address ranges. All of this information can be found without alerting the target.
Phone Number Reconnaissance
From what I know, phone number reconnaissance is very difficult than identifying the network addresses associated with a target organization. Directory assistance can be used to identify the primary phone number for the target. Many organizations list contact phone or fax numbers on their web sites. After finding a few numbers, the hacker may decide to look for working numbers. He might use some tools like war dialer or something of similar kind. The hacker may choose to perform this activity during off hours or on weekends to lessen the potential for discovery. The other downside of this activity is that the hacker does not know for sure which of the numbers are used by the target organization. The hacker may identify a number that leads to other organizations.
A lot of organizations use wireless technology for the advantages that it offers in terms of connectivity. The hacker is likely to check the surrounding areas like near by parks, lobby etc to determine if the target is using wireless technology. The hacker can perform this reconnaissance easily by walking or driving around the building. In most cases, no logs will be made that anyone attempted to connect to the wireless network. This type of reconnaissance does require the hacker to be physically near the target.
System reconnaissance is used to identify which systems exist, what operating system they are running, and what vulnerabilities they may have. The hacker may use ping sweeps or scans to identify the systems. If the hacker wants to remain hidden, a very slow ping rate or scan rate is most effective. In this case, the hacker sends a ping to one address every hour or so. This slow rate will not be noticed by most administrators. Operating system identification scans are harder to keep hidden as the packet signatures of most tools are well known and intrusion detection systems will likely identify any attempts. The hacker can easily guess the OS being used. Vulnerabilities can be identified by performing the attack or examining the system for indications that vulnerabilities exist. The hacker can run vulnerability scanner to list the vulnerabilities found in the discovered OS.
The is one of the most extensively used method by Hackers. When you say “physical” here it means to allow the hacker to gain access to the information or system that he wants without the need to actually compromise the computer security of the organization. The hacker may choose to observe certain things like the cameras in the building, time the employees enter and exit, time the employees go for a smoke breaks etc. The hacker may note common paths taken by employees to enter or exit the facility. Such paths may be the perfect location to plant something like a USB memory stick for employees to find. The hacker will also examine how trash and paper to be recycled are handled. With this a hacker may be able to find all the information he wants by searching through the dumpster at night.