Chapter 8. Reconnaissance

Every attack—from a sophisticated e-commerce server hack to simple script-kiddie mischief—has one thing in common: before the buffer overflow is executed, before the malicious SQL is injected, or before the lethal blow is dealt, there is always a distinct reconnaissance phase. Reconnaissance (recon) might include something as simple as looking up a web server name before a denial-of-service attack or as complex as a full-scale enterprise audit. The attacker’s goal is to determine targets, find the best avenues for attack, and map the defensive capabilities of the target organization. In this chapter, we discuss several ways to perform intelligence gathering for both casual “weekend hackers” and professionals such as penetration testers.

Recon can be performed online and offline. Online recon includes web searching, web site analysis, and IT resource mapping such as port scanning. Offline recon includes classic “humint” (human intelligence), paper document analysis (such as dumpster diving), and other methods.

Online Reconnaissance

Online recon can be divided into passive (performed by querying third-party resources) and active (performed in direct contact with target network resources). The recon begins by naming a target, such as a web site.

Passive Reconnaissance

The first intelligence-gathering step is to perform passive online reconnaissance, keeping under the company radar screens. The information typically available at this stage is just the company ...

Get Security Warrior now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.