In this blog, we will learn about the fundamentals of reconnaissance, what it is, how to perform reconnaissance on your target, how many types are there, and what are the latest tools we can use today to make our reconnaissance a lot easier.

So let's begin with...

What is Reconnaissance?

To put it simply reconnaissance is the process of gathering information about your target before attacking to know more about your target for swiftly attacking and find vulnerabilities. Let's understand this with a simple example of two armies, suppose the red army and the blue army. The blue army is protecting a fort, and the red army is attacking, so before attacking, the basic intelligence of war is to gather as much information about the enemy as possible to prepare the necessary plans.

So why do we need to do reconnaissance before pen testing or bug hunting?

So rather than going into a dark cave without a torch without knowing the actual danger behind the darkness, it is more advisable to wait for the morning. Similarly, testing a target without actual information is like beating bushes without actual information. So what we do in reconnaissance is gather the information about infrastructure is running on the target machine, and if the target already has an unpatched vulnerability or bug ,so we can exploit to gain internal access. Also, reconnaissance is used to broaden the knowledge horizon of the attacker. For example, attacking a single domain has less chances to find a bug, but if we can go deeper and know more about subdomains, our chances to find a bug will increase. We can also save time, minimize attacks, and focus on key systems.

Some of the questions you have to ask yourself before starting Recon are,

• What’s the scope of the program? Is it example.com or just example.com?
• How many subdomains does the company have?
• How many IP addresses does the company own?
• What type of site is it? Software as a service? Open source?
• Collaborative? Paid or free?
• Which technologies does it use? Which programming language is it coded in? Which database does it use? Which framework is it using?

Type of Reconnaissance

• Passive reconnaissance
• Active reconnaissance

1. Passive Reconnaissance

In passive recon, attackers try to gather more information publicly available about the target without directly engaging with the target. Understand this as the RED army, who want to attack the BLUE army, wants to gather more information without raising any suspicion about the target. They sent their troops to the local flea market to gather more information about the target.

Now let's discuss more about passive recon, how to do it, and what tools we can use.

-looking up DNS records of a domain from a public DNS server. -checking social media related to the target website as passive footprinting. -reading news articles about the target company.

Tools

• Whois

WHOIS is a TCP-based transaction-oriented query/response protocol that is widely used to provide information services to Internet users. While originally used to provide "white pages" services and information about registered domain names, current deployments cover a much broader range of information services. The protocol delivers its content in a human-readable format RFC 3912.

For using this tool, you can use both an online and local client (if you have Kali Linux or Parrot OS), so here I am using the local client because I have Kali installed.

First, we have to type the command Whois and the name of the target website. For example, we will use the following command:

whois hashnode.com

The output will look very overwhelming, you have to check some points that will help you.

• Registrar
• Contact info(Registrant)
• Dates(Creation,Update,Expiration)
• Name server (Name servers work as a directory that translates domain names into IP addresses.) (They make things easy to find across the Internet.)

While you are thinking about the importance of this data, what to do ? But the information can be used to find new attack surfaces new domains ip address.

• nslookup (Name Server Look Up)

The nslookup command has been around a while. It has two modes: non-interactive and interactive. This article focuses on non-interactive mode since it most closely resembles the functionality of dig and host.

In non-interactive mode, simply type nslookup and the destination name (or URL) you need to resolve:

$ nslookup server01

This output should display the IP address for server01, along with information about which server resolves the name. If this fails, it indicates a name resolution problem.

Perform a reverse lookup (resolving a known IP address with an unknown name) by typing:

$ nslookup 192.168.1.101

To see specific resource record types, use the -type= option. Here's an example that queries for the MX records of the example.com domain:

$ nslookup -type=MX example.com

If you want to learn more about the tool or about the DNS system, you should check out the link [[nslookup.io/learning/|Nslookup]].

Check out this Linux command cheat sheet by RedHat. For more commands, check out the Redhat Linux troubleshooting command.

• DNSDumpster

It is a DNS lookup tool like nslookup and dig, but the ability that makes DNSDumpster different is that it can find subdomains on its own. Most of the time, when trying to inspect a domain, it has many subdomains that can reveal much information about the target. There is a possibility that one of these subdomains has been set up and not updated. In most cases, a lack of proper, regular updates leads to vulnerable service. Another approach to discovering subdomains is to rely on brute force, but it is very time-consuming. If you are in the early stages of reconnaissance, you can use this tool to get an understanding of the target sitemap.

If you want to use more tools for subdomains, you can also check

• Pentest Tools Subdomain Finder
• nmmaper
• spyse +Find Subdomains
• Security Trails

• Dnsspy

• Shodan.io

One of the most used tools in reconnaissance is Shodan.io. Ever wondered what this is? , Shodan is a search engine for the internet of things where you can find how many devices are connected and allow users to search for specific types of devices.

Shodan collects information about all devices that are directly linked to the Internet. If a device is directly connected to the Internet, Shodan searches it for various publicly available pieces of information. The devices that are indexed can vary greatly, ranging from simple desktop computers to nuclear power reactors and everything in between.

So, what exactly does Shodan index? The majority of the data comes from banners, which are metadata about software that runs on a device. This can include information about the server's software, the service's settings, a welcome message, or anything else the client wants to know before interacting with the server. For further information, you can check the blog at Autumn Skerritt.

• WayBack Machine

With the help of this Tool, you may view websites from different points in history.The Wayback machine contains over 860 billion web pages, and it continues to grow every year. Through its crawl process, the Wayback Machine downloads all publicly accessible data files and information from web pages. Which an attacker could employ to see what modifications the developer made previously and, if so, whether he fixed the backend. This little sequence of events could assist you in identifying a bug.

• Google Dorking

There are various techniques how you find information from google but one of the most common technique is dorking. Google use advanced search operators to find information on the internet that may not be readily available through standard search queries. This technique can be used for finding domains or sub-domains, text/strings, files from websites.If you want to know more about dorking you can check out this cheatsheet Google Dorking Cheatsheet.

• Github Dorking

Github is where developer store their code base in their repositories and sometime these repositories contain much more then code like api,db credentials,ftp credentials, and much more. Which can be used by attackers to gain access over their database or over their FTP channel.This is an beautiful repository where you can find more about Github Dorks.

2. Active reconnaissance

To look for a bug on a target, you have to use active reconnaissance. So what I mean by active reconnaissance is that gathering more information about the target involves directly interacting with the server and infrastructure. Like using tools like nmap to check ports and services running on the target or physically accessing the company area used in advance social engineering to gather internal information about the company.

So how can we do active reconnaissance on targets and what they contain? Let's suppose we are checking the target.

• subdomain enumeration

As I already said, it is much more beneficial to have a rich attack surface. There are lots of tools on the market that you can use, but the most common ones you can use for subdomain enumeration are Fuff, Gobuster, wFuzz, Dirsearch, Sublist3r, and Subsubrute. One of the techniques I read somewhere and use in my research is find subdomain of subdomain '.

• Target IP range

While targeting a company, it is very likely that the network system they own is not limited to a single domain, so before going to test the application, it is advisable to consider the entire infrastructure of the company and check the IP address owned by the company to see how they are interrelated to your target. Tools you can use for IP ranges are ARIN and Hurricane Electric.

If you want to know more about how to get IP ranges and ASN, you can go check out "Recon like an Adversary" by Jason Haddix at IWCON 2023.

• Port scanning

After you enumerated subdomains and scanned the infrastructure with the whole information gathered, now we target the ports to find out what services are running on different ports to identify more attack surfaces. Some of the most common tools that we use for port scanning are nmap, masscan, Nabbu, and Rustscan.

The overall security of a company can also be inferred from the port scan findings. For instance, a business is probably concerned about security if it has blocked all ports other than 80 and 443, which are used to host HTTP and HTTPS websites. On the other hand, a business that has a lot of open ports is probably the opposite and may have greater bounty potential.

• Previous bugs

It is best to look for previous bugs and disclosed reports, or CVEs. When a fix is deployed, it means new code was added, which means a new vulnerability can also be present and could contain new bugs.

With the information about company infrastructure, IP address range owned by the target,subdomains, open ports, and running services, we will move on to the application, where we will test the application and check for the language server-side application framework used by the target.

There is no one path or approach to testing or pen testing. The technique you use depends on the type of application. but rather than thinking that there is now a bug because everyone has already tested this application, think that nobody has been there before.

• Tool Stack

First, we will check what tool stack the target is running, and to learn about tools, we can use extensions like wappalyzer. and whatruns. Using these extensions, we can check if there are any known vulnerabilities. Are there any vulnerabilities related to the tools the target is using or anything related to per-configured code? Any known CVE we can use for our benefit can be a plus point for us.

• Functionality mapping

Once I know about the technology and tools, I will look for functionality in the target application, like if it allows any file uploads, if there is a login page, whether I can use SQL injection or not, and if the site allows me to create webhooks. These small things can change into big vulnerabilities, and there are various approaches to finding these vulnerabilities, like Following a predefined checklist is a great way to test applications. You can also go for behavior testing, like how the application reacts to your inputs. or you can go for a specific type of vulnerability, and if you find anything, you will entirely focus on one thing.

Some things you have to keep in mind are:

• Always write what you are doing, what input gives what output.
• Click the screenshot of all the reconnaissance you have already done.
• Reconnaissance never stops, not after submitting a successful vulnerability.
• Test the application like nobody was there before.
• There is no fixed guideline for reconnaissance.

This is all. From my side as a cyber security enthusiast, this is something I learned throughout my learning from different sources and will provide you with a basic understanding of how things function. If you want to know more about this stuff, you can check out the links I provided throughout the blog.

If you think something is missing or something is not right, feel free to connect with me. I love to learn from you.