Recon Guide For Hackers and Pentesters
Introduction
Reconnaissance is the cornerstone of a successful assessment. Understanding the target’s infrastructure through detailed exploration and data gathering is crucial for identifying potential vulnerabilities.
This guide aims to provide a comprehensive approach to reconnaissance, covering essential techniques and tools for discovering and collecting critical information about your target. From domain enumeration to network scanning, and fingerprinting, we’ll explore each step necessary for a thorough and effective reconnaissance phase.
What is Recon?
In the context of ethical hacking and penetration testing, reconnaissance is the practice of discovering and collecting information about a target infrastructure.
Definition
“In military operations, reconnaissance or scouting is the exploration of an area by military forces to obtain information about enemy forces, terrain, and other activities.”
As you can see, the term originates from military language, referring to a mission into enemy territory to obtain critical information—similar to the concept of “Operational Security.”
Reconnaissance refers to the preliminary step of a penetration test, where a pentester scouts the target system and infrastructure for valuable information to achieve a specific goal (in this case, gaining a foothold).
Active and Passive Reconnaissance
We distinguish between active reconnaissance and passive reconnaissance.
In active reconnaissance, we interact directly with the target's infrastructure to gain information, but we run the risk of being detected.
Passive reconnaissance involves gathering information without directly connecting to a computer system. We collect valuable data without interacting with the target’s infrastructure.
As penetration testers and hackers, our aim is to gather as much data as possible about our target, effectively “mapping” all relevant information for our assessment before we begin our attack.
Critical information might include:
- Network addresses
- Enabled services
- Open ports
- Usernames and passwords
- Etc.
Common sources where we can obtain valuable information include:
- Domains and subdomains
- WHOIS information
- Social media accounts (of employees and the company)
- Social engineering attacks on employees
This information will then be used to target an infrastructure at its weakest point, looking for access to company systems and networks.
This blog post will focus exclusively on the enumeration of domains and subdomains to extend our attack surface.
The recon process can be divided into 7 steps:
7-Step Reconnaissance Process
- Gather initial information
- Determine network range
- Identify active machines
- Discover open ports and access points
- Fingerprint the operating system
- Uncover services on open/filtered ports
- Map the network
These steps can be broken down into a set of processes and techniques:
- Footprinting
- Scanning
- Enumeration
Footprinting
Footprinting is the first step where we gather as much information as possible about the target to identify the attack surface.
We can gather the following information by footprinting our target:
- Domain name
- IP addresses
- Namespaces
- Employee information
- Phone numbers
- Emails
- Job information
Domain Name Information
You can use the whois command or websites with similar functionality to get detailed information about a domain name, including its owner, registrar, date of registration, expiry, name server, and owner’s contact information.
Here is a sample record for www.zekosec.com:
[image not available]
As you can see, the domain was registered with namecheap.com, but no sensitive information is leaked to the public due to Namecheap’s private registration and privacy protection.
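WHOIS output is plain "Key: Value" text, so the fields named above (registrar, registration and expiry dates, name servers, registrant contact) are easy to extract programmatically. The following Python example is added here and is not code from the original post: it parses a constructed record with placeholder values, flags a privacy-protected registrant (as in the Namecheap case above) and reports the days until expiry, which is the check a domain owner running whois against their own names cares about. The record text, the marker strings and the date format are assumptions for this example.

```python
from datetime import datetime, timezone

# Constructed WHOIS record with placeholder values; it is not the real record of any domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, Inc.
Creation Date: 2021-03-01T10:15:00Z
Registry Expiry Date: 2025-03-01T10:15:00Z
Name Server: DNS2.EXAMPLE-NS.NET
Name Server: DNS1.EXAMPLE-NS.NET
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Email: REDACTED FOR PRIVACY
"""

# Strings that commonly appear in privacy-protected registrant fields (assumed list).
PRIVACY_MARKERS = ("privacy", "redacted", "withheld", "proxy")

def parse_whois(text):
    """Parse 'Key: Value' lines into a dict of lists (keys such as Name Server repeat)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def parse_date(value):
    """Parse the ISO 8601 UTC timestamps used in registry WHOIS output."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def summarize_whois(text, now=None):
    """Return the fields a recon pass (or a domain owner's own check) cares about.

    `now` is an ISO timestamp string; it defaults to the current UTC time.
    """
    record = parse_whois(text)
    first = lambda key: record.get(key, [None])[0]
    now_dt = parse_date(now) if now else datetime.now(timezone.utc)
    expiry = parse_date(first("registry expiry date"))
    registrant = " ".join(
        record.get("registrant organization", []) + record.get("registrant email", [])
    ).lower()
    return {
        "domain": first("domain name").lower(),
        "registrar": first("registrar"),
        "created": first("creation date"),
        "expires": first("registry expiry date"),
        "days_until_expiry": (expiry - now_dt).days,
        "name_servers": sorted(ns.lower() for ns in record.get("name server", [])),
        "privacy_protected": any(marker in registrant for marker in PRIVACY_MARKERS),
    }

if __name__ == "__main__":
    for key, value in summarize_whois(SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

Run against a real record, the `days_until_expiry` field is what you would alert on: an expired or lapsing domain is a takeover risk, which is exactly why it is interesting to an attacker doing footprinting.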
IP Address
Use ping to find the IP address of a website:
[image not available]
IP Address Ranges / ASN (Autonomous System Numbers)
Small organizations usually have a single or a few IP addresses associated with them, but larger companies (e.g., Apple, Tesla, Microsoft, Twitter, etc.) have multiple IP addresses serving different domains and subdomains.
We can gather a lot of information by looking up the ASN of an organization.
Here’s a list of all assigned IP addresses to Tesla Inc.:

Some useful tools and websites to find IP address ranges by looking up ASN:
Fingerprinting
Fingerprinting refers to any method used to determine what operating system is running on a remote computer.
Active Fingerprinting
- Sending specially crafted packets to a target machine and observing its response. Analyzing the gathered information helps determine the operating system on the target system.
- Nmap’s OS detection mode
Passive Fingerprinting
- Analyzing sniffer traces from the remote system
- Wireshark’s ability to analyze packets to determine the operating system on a target system
There are 4 important aspects to analyze to determine the OS of a remote system:
- TTL: What initial Time-To-Live does the OS set on outbound packets? Linux defaults to 64 and Windows to 128; this can also be checked with ping.
- Window Size
- DF: Does the OS set the Don’t Fragment bit?
- TOS: Does the OS set Type of Service, and if so, to what value?
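The four fields above are enough for a coarse passive fingerprint from a captured trace, and the heuristic is simple: round the observed TTL up to the nearest common initial value (32, 64, 128, 255) to recover both the OS family and the hop distance, then use the initial TCP window size to separate systems that share a TTL. The following Python example is added here and is not code from the original post or from Wireshark or Nmap; its signature table is a deliberately small, constructed subset (real fingerprint databases are far larger) and the trace is constructed from TEST-NET addresses.

```python
from dataclasses import dataclass

# Initial TTL values commonly used by operating systems (each router hop decrements TTL by 1).
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed, deliberately small hint table; real fingerprint databases are far larger.
TTL_FAMILY = {
    32: "legacy Windows (9x)",
    64: "Linux / macOS / BSD",
    128: "Windows",
    255: "network device or Solaris",
}
LINUX_WINDOWS = {5840, 14600, 29200, 64240}  # initial TCP window sizes common on Linux

@dataclass
class Packet:
    """The fields from a captured SYN/SYN-ACK that this heuristic needs."""
    src: str
    ttl: int
    window: int
    df: bool
    tos: int = 0

def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the next common initial value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"TTL {observed_ttl} out of range")

def guess_os(pkt):
    """Return a coarse OS family plus the estimated hop distance for one packet."""
    initial = infer_initial_ttl(pkt.ttl)
    family = TTL_FAMILY[initial]
    if initial == 64:
        # TTL 64 is shared by several Unix-likes; the initial window size separates them.
        family = "Linux" if pkt.window in LINUX_WINDOWS else "macOS / BSD"
    return {
        "src": pkt.src,
        "initial_ttl": initial,
        "hops": initial - pkt.ttl,
        "df": pkt.df,
        "tos": pkt.tos,
        "family": family,
    }

def fingerprint_trace(packets):
    """Fingerprint every distinct source in a trace (first packet per source wins)."""
    results = {}
    for pkt in packets:
        results.setdefault(pkt.src, guess_os(pkt))
    return results

# Constructed trace (TEST-NET addresses), standing in for a Wireshark/tcpdump capture.
SAMPLE_TRACE = [
    Packet("192.0.2.10", ttl=52, window=29200, df=True),
    Packet("192.0.2.20", ttl=116, window=8192, df=True),
    Packet("192.0.2.30", ttl=243, window=4128, df=False),
    Packet("192.0.2.10", ttl=52, window=29200, df=True),
]

if __name__ == "__main__":
    for src, guess in fingerprint_trace(SAMPLE_TRACE).items():
        print(f"{src}: {guess['family']} (initial TTL {guess['initial_ttl']}, ~{guess['hops']} hops)")
```

The hop count is a useful sanity check on the guess: if a host you believe is two hops away comes back with "12 hops", either the initial TTL was misjudged or the traffic is passing through a proxy or NAT device that rewrote the header.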
Nmap OS Detection
You can issue a simple Nmap command that attempts to identify the operating system serving the website and lists the open ports (by default Nmap scans the 1000 most common TCP ports) for the domain name or IP address. OS detection (-O) needs raw-packet privileges, so run it as root or with sudo.
nmap -O -v zekosec.com
It will show the following information about the domain name:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-01 13:43 CET
Initiating Ping Scan at 13:43
Scanning zekosec.com (164.92.240.80) [4 ports]
Completed Ping Scan at 13:43, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:43
Completed Parallel DNS resolution of 1 host. at 13:43, 0.08s elapsed
Initiating SYN Stealth Scan at 13:43
Scanning zekosec.com (164.92.240.80) [1000 ports]
Discovered open port 22/tcp on 164.92.240.80
Discovered open port 80/tcp on 164.92.240.80
Discovered open port 443/tcp on 164.92.240.80
Completed SYN Stealth Scan at 13:44, 11.03s elapsed (1000 total ports)
Initiating OS detection (try #1) against zekosec.com (164.92.240.80)
Retrying OS detection (try #2) against zekosec.com (164.92.240.80)
Nmap scan report for zekosec.com (164.92.240.80)
Host is up (0.059s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
80/tcp open http
443/tcp open https
Aggressive OS guesses: Linux 4.15 - 5.6 (91%), Linux 5.3 - 5.4 (91%), Linux 2.6.32 (90%), Linux 5.0 - 5.3 (90%), Linux 3.1 (88%), Linux 3.2 (88%), Linux 50 (88%), Linux 5.0 - 5.4 (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 5.4 (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 49.044 days (since Tue Jan 11 12:40:23 2022)
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/local/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds
Raw packets sent: 2057 (93.808KB) | Rcvd: 40 (2.372KB)
As we can see, Nmap has determined:
- The most likely operating system (here: Linux 4.15 - 5.6 at 91%; note that Nmap reports this as an aggressive guess, not an exact match)
- Open/closed/filtered ports (the SERVICE column is Nmap's default name for each port number; add -sV to actually probe the service and its version)
Once an attacker knows about open ports, they can identify the services behind them and check for vulnerabilities, potentially discovering an unpatched service and successfully exploiting it.
Important: Patch all production servers and close all ports that are not needed for production. This can be achieved by creating firewall
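Comparing a scan like the one above against the list of ports a host is approved to expose is the defender's version of this step: anything open that is not on the list is either undocumented or a misconfiguration. The following Python example is added here and is not code from the original post or from Nmap; it parses a constructed excerpt of Nmap's plain-text output (placeholder host and TEST-NET address, modelled on the report above), extracts the port table and the OS guesses, and returns the unexpected open ports for an assumed allowlist.

```python
import re

# Constructed Nmap plain-text output (TEST-NET address, placeholder host), modelled on the
# scan above; the report section is the part worth parsing.
SAMPLE_NMAP = """\
Nmap scan report for target.example (203.0.113.10)
Host is up (0.059s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
80/tcp open http
443/tcp open https
Aggressive OS guesses: Linux 4.15 - 5.6 (91%), Linux 5.3 - 5.4 (91%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)
OS_LINE_RE = re.compile(r"^Aggressive OS guesses: (.*)$", re.MULTILINE)
# Each guess ends in " (NN%)" and is followed by ", " or the end of the line; the lazy
# name group tolerates parentheses inside the description itself.
GUESS_RE = re.compile(r"(.+?) \((\d+)%\)(?:, |$)")

def parse_ports(text):
    """Return one dict per port line: port, protocol, state, service."""
    return [
        {"port": int(port), "proto": proto, "state": state, "service": service}
        for port, proto, state, service in PORT_RE.findall(text)
    ]

def parse_os_guesses(text):
    """Return (description, confidence%) pairs from the 'Aggressive OS guesses' line."""
    match = OS_LINE_RE.search(text)
    if not match:
        return []
    return [(name, int(pct)) for name, pct in GUESS_RE.findall(match.group(1))]

def best_os_guess(text):
    """Highest-confidence guess, or None; ties keep Nmap's ordering."""
    guesses = parse_os_guesses(text)
    return max(guesses, key=lambda g: g[1]) if guesses else None

def unexpected_open_ports(text, allowlist):
    """Open ports that are not on the list of ports this host is approved to expose."""
    return sorted(
        p["port"] for p in parse_ports(text) if p["state"] == "open" and p["port"] not in allowlist
    )

if __name__ == "__main__":
    approved = {80, 443}  # assumed allowlist for a public web server
    print("OS guess:", best_os_guess(SAMPLE_NMAP))
    print("Unexpected open ports:", unexpected_open_ports(SAMPLE_NMAP, approved))
```

For anything beyond a quick check, prefer `nmap -oX` and parse the XML instead of the human-readable text; the text format is not a stable interface, whereas the XML schema is.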
Censys.io / Shodan.io
Use both search engines to scan the CIDR range of an organization. You will get an overview of the infrastructure, learn about what services are running and extend the attack surface.
Subdomain Enumeration
To maximize the effectiveness of our attack and possibly find an "easy way in", we enumerate the subdomains of our target.
Here is a handy script that chains amass, assetfinder and subfinder to build a deduplicated list of subdomains and then keeps only the names that resolve.
#!/bin/bash
# Usage: ./subenum.sh domain.com
# Collect subdomains with amass, assetfinder and subfinder, deduplicate them,
# then keep only the names that resolve (filter-resolved reads hostnames from stdin).
set -euo pipefail
[ "$#" -eq 1 ] || { echo "usage: $0 domain.com" >&2; exit 1; }
domain="$1"
amass enum --passive -d "$domain" -o "domains_$domain"
assetfinder --subs-only "$domain" | tee -a "domains_$domain"
subfinder -d "$domain" -o "domains_subfinder_$domain"
tee -a "domains_$domain" < "domains_subfinder_$domain"
sort -u "domains_$domain" -o "domains_$domain"
filter-resolved < "domains_$domain" | tee -a "domains_$domain.txt"
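The `sort -u` step in the script only removes exact duplicates; real tool output also mixes case, trailing dots, wildcard entries and out-of-scope names, and on the defensive side the interesting question is which names are new since the last run. The following Python example is added here and is not code from the original post or from any of the tools above: it merges constructed outputs of three tools (placeholder names under example.com), normalises and scope-checks them, and diffs the result against a previous run.

```python
import re

# Constructed outputs of three enumeration tools for the (placeholder) root domain example.com.
TOOL_OUTPUT = {
    "amass": ["www.example.com", "Mail.example.com", "api.example.com."],
    "assetfinder": ["*.dev.example.com", "www.example.com", "example.com", "cdn.example.net"],
    "subfinder": ["api.example.com", "staging.example.com", "", " vpn.example.com "],
}

# Conservative hostname syntax check: dot-separated labels, alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize(name):
    """Lower-case, trim whitespace and trailing dot, strip a wildcard prefix."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name, root):
    """True for the root itself or any name beneath it (not for look-alikes such as example.net)."""
    return name == root or name.endswith("." + root)

def merge_subdomains(outputs, root):
    """Merge tool outputs into one sorted, deduplicated, in-scope list; also report what was dropped."""
    kept, dropped = set(), []
    for tool, names in outputs.items():
        for raw in names:
            name = normalize(raw)
            if not name:
                continue
            if HOSTNAME_RE.match(name) and in_scope(name, root):
                kept.add(name)
            else:
                dropped.append((tool, raw))
    return sorted(kept), dropped

def new_since(current, previous):
    """Names present now but absent from the previous run: the list to review for shadow assets."""
    return sorted(set(current) - set(previous))

if __name__ == "__main__":
    names, dropped = merge_subdomains(TOOL_OUTPUT, "example.com")
    print("in scope:", names)
    print("dropped:", dropped)
    print("new:", new_since(names, ["www.example.com", "mail.example.com"]))
```

Dropped entries are worth a glance rather than silent discarding: an out-of-scope hit like `cdn.example.net` may still belong to the organisation and simply indicate that the scope definition is incomplete.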
Conclusion
Effective reconnaissance lays the foundation for successful penetration testing and vulnerability assessment. By employing a structured approach to gathering information, from footprinting and scanning to fingerprinting and subdomain enumeration, you can uncover valuable insights that might be critical in identifying weaknesses within a target infrastructure. Remember, the quality of your reconnaissance directly impacts the effectiveness of your subsequent attacks. Happy hunting!