Reconnaissance (recon) is a major part of preparing to hack a security system, whether for malicious reasons or for penetration testing. The goal of this process is to analyze the target and identify weak points to exploit. This can include researching important people at the company, IP addresses, password complexity requirements, and physical security. The process can take up to several months and ends with the attacker holding a detailed map of the network. There are two methods of gathering this information: passive and active.
Often known as “footprinting”, passive recon is gathering information without actively interacting with or alerting the target to your presence. This can start off by simply visiting the target's website. There, you can get basic information, but you can also find more in-depth sources such as maps of the facility, personal information in the pages' HTML source, and the names of employees, particularly the higher-ups. From there, one can find further information such as phone numbers, addresses, and associated people.

Tools and Techniques

Some of the common tools used in passive reconnaissance are Wireshark and Shodan. Wireshark is a network analysis tool that can be used to listen to the target's network traffic. Shodan can provide information about what devices are within an IP range, giving a good jumping-off point for future attacks. An additional technique common in passive recon is OS fingerprinting, which can reveal what operating systems are used within the company, opening up the possibility of OS-specific weaknesses.
When the attacker engages directly with the target to obtain information, it is called active reconnaissance. This is typically riskier and can make the target suspect that it is being attacked, prompting it to increase its security. On the other hand, it is faster, more accurate, and more detailed than passive recon.
One of the most common techniques used in active reconnaissance is port scanning, gathering data from open ports on a computer. Nmap is a scanning tool that can find details about programs running on a network. Metasploit is an exploitation toolkit with numerous functions, which can be particularly useful to a hacker with limited knowledge of the different vulnerabilities. Finally, Spyse is a tool that can be used for a fast overview of a network and its connected infrastructure. Several other tools include Nessus, OpenVAS, and Nikto.
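The flip side of the point above, that active recon is noisy enough to alert the target, is shown here as an added example (not part of the original text): a small port-scan detector that reads constructed firewall log lines in a hypothetical format and flags any source touching many distinct ports on one host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed firewall log lines (hypothetical format); 203.0.113.7 sweeps nine ports in 3 s
SAMPLE_LOG = """\
2024-03-01T10:00:00 DENY 203.0.113.7 -> 192.0.2.10:21
2024-03-01T10:00:00 DENY 203.0.113.7 -> 192.0.2.10:22
2024-03-01T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:23
2024-03-01T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:25
2024-03-01T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:80
2024-03-01T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:110
2024-03-01T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:143
2024-03-01T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:443
2024-03-01T10:00:03 DENY 203.0.113.7 -> 192.0.2.10:3389
2024-03-01T10:00:05 ALLOW 198.51.100.4 -> 192.0.2.10:443
2024-03-01T10:00:40 ALLOW 198.51.100.4 -> 192.0.2.10:443
2024-03-01T10:15:00 DENY 198.51.100.4 -> 192.0.2.10:22
"""
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) -> (\S+):(\d+)$")

def parse(log_text):
    """Yield (timestamp, action, src, dst, port) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4), int(m.group(5))

def detect_port_scans(log_text, window_seconds=60, port_threshold=8):
    """Return {src: ports} for sources hitting >= port_threshold distinct ports on one host within window_seconds."""
    events = defaultdict(list)
    for ts, _action, src, dst, port in parse(log_text):
        events[(src, dst)].append((ts, port))
    alerts = {}
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the left edge until the window spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts.setdefault(src, set()).update(ports)
    return alerts

if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} distinct ports {sorted(ports)}")
```

The benign client that reuses one port over several minutes never crosses the threshold, which is the distinction a real scan alert has to make to avoid false positives.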