Reconnaissance in Pentesting

(OBJ 5.5)

Reconnaissance

• Initial phase where an attacker gathers information about the target system
• Information helps plan the attack and increase its success rate
• Often compared to "a thief casing a home that they plan to rob"
• Involves gathering information about the target systems such as
  • IP addresses
  • Domain details
  • Mail servers
  • Any potential security or detection systems that the organization may have in place.
• This information can then be used to identify potential vulnerabilities that might be exploited by an attacker

Importance of Reconnaissance

• Crucial step in penetration testing
• Identifies potential vulnerabilities in the target system
• The more information the attacker has about the target, the better they can plan their attack, which can lead to a higher chance of success.
• Helps plan the attack to reduce the risk of detection and failure

Types of Reconnaissance

• Active Reconnaissance
  • Engaging with the target system directly, such as scanning for open ports using tools like Nmap
  • While this can yield a lot of information, it also carries a higher risk of detection.
  • Example:
    • Scan for open ports using Nmap
    • Ping the attacker
    • Try to establish a connection
    • The system defenders can see the port scanning occur, and this can identify where the attacker is coming from.
• Passive Reconnaissance
  • Gathering information without direct engagement, like using open-source intelligence or WHOIS to collect data
  • Less likely to be detected but can yield a lot less information.
  • Example:
    • Using whois

Reconnaissance and Environment Types

• Reconnaissance necessity and extent depend on the test type and environment
• Known Environment
  • Penetration testers have detailed information about the target infrastructure prior to the test
    • Can include things like network diagrams, IP addresses, application details, OS versions, and even credentials.
  • Objective:
    • Not to identify unknown assets, but rather to evaluate the vulnerabilities and weaknesses in the already known assets
  • Focuses on known assets
  • Evaluates vulnerabilities and weaknesses
  • Aims to understand exploitability and potential damages
  • Resembles an insider threat scenario
    • Where the attacker has a lot of information about the environment
• Partially Known Environment
  • Testers have limited information, simulating a scenario where an attacker has partial inside knowledge
  • Focus on discovering and navigating the broader environment
  • Aims to identify vulnerabilities in both known and hidden assets
  • Attacker can fill in the gaps of their knowledge by finding out what software is being used, versions installed, or configurations in place.
• Unknown Environment
  • Minimal to no information about the target system
    • Attacker might only be given the organizations name or web domain as a starting point
  • Simulates a real-world external attacker aiming to find entry points and vulnerabilities
  • Typically starts with extensive reconnaissance is essential and then moves to identifying vulnerabilities.