Introduction
Reconnaissance is the first and most important step in ethical hacking. Before you scan a customer’s network or throw exploits at it, you should design your attack strategy, and that design work is done during reconnaissance.
Understanding your customer’s business model, the products, services, and technologies they use and develop is important.
Similarly, social media outlets they use for marketing and customer relations can go a long way in assisting you in visualizing the target organization’s external attack surface as you formulate your strategy as a penetration tester.
The reconnaissance procedure, also known as footprinting, is a surveying approach that may assist pentesters in enumerating sensitive information in support of a pentest using publicly available data.
Reconnaissance step: Open Source Intelligence (OSINT)
The process of obtaining open-source intelligence (OSINT) includes exploring, collecting, and evaluating data from public or open sources.
This publicly available data can be extremely useful in determining which operating systems and applications are installed on the target organization’s network, which ports and services are exposed to the Internet, who the system administrators are, whether the target’s accounts or passwords have appeared in a previous data breach, and so on.
Another key property of OSINT collection is that the techniques used to obtain the data are not traceable back to the pentester.
When footprinting an organisation, two distinct and quite different information collection strategies are used: passive and active.
Passive information collection is the practice of finding information through observation alone, without sending any traffic to the target.
Pentesters often do their research on the target company using software tools and public search engines, and they make every effort to stay anonymous during the process.
Active information collection entails using tools that interact directly with the target to learn about the design, configuration, and security controls of the system, application, or network environment in question.
Open ports, services, apps and their versions, network topology, and other information may be gathered during an active footprinting endeavour.
This strategy is more likely to cause log events and lead to discovery, while passive information collecting is considerably more difficult to notice by the target.
Given the time constraint permitted by the client, it is critical for the team doing the assessment to operate as effectively and efficiently as possible throughout the pentest.
It is critical for pentesters to keep track of the information they learn about the target environment. Microsoft Word, Excel, and collaborative tools like MediaWiki (https://www.mediawiki.org) are excellent tools for gathering and organising information on the target’s surroundings.
Gathering OSINT on the target’s organisational culture, social media practices, and the technology it uses (among other OSINT) may greatly benefit you in building your pentesting plan, as detailed in the following sections.
Learning about Organizational Culture
Many factors influence organisational culture, including the organisation’s history and how long it has been around, the market it operates in, the types of people employed and how they are managed, the technology that is used, the business model and values, and how the organisation operates.
When using public, accessible sources of information, determining an organisation’s culture may not be difficult. During a pentest, you may find some of your target organisation’s culture described on its website or social media accounts.
For example, you may be able to learn about the firm’s market, its stated principles and values, some of the organisation’s clients (i.e., who it does business with), or whether the organisation makes goods or provides services.
Knowing whether the company makes goods or provides services can help you identify trust relationships with suppliers whose products may have known weaknesses.
Assume you’re gathering OSINT on a company that makes industrial components for heavy gear that’s specifically tailored for the construction industry.
While obtaining information from open sources, you come across design paperwork and user manuals for some of the company’s equipment.
After doing some research, you discover that the company uses Siemens programmable logic controllers (PLCs) in its products.
After that, you may start looking for publicly known vulnerabilities related with the specific product models you uncovered throughout your investigation.
Organizational culture may be determined by the sorts of individuals that work for the company, as previously stated.
Organizations generally publish open job opportunities on their websites or on job search engines like Indeed (https://indeed.com), Glassdoor (https://glassdoor.com), or Monster (https://monster.com) when they are seeking to employ talent to help create their products or offer services to their clients.
Job requirements and qualifications are a crucial resource for a pentester, since they often indicate which skill sets, and experience with which technologies, the target company is looking for and therefore which technologies it currently runs.
If a corporation is seeking a Linux system administrator to run its corporate data centres in Chicago, and your engagement targets are in the same data centre, there is a good chance you will need to look into known Linux vulnerabilities.
All of this information will aid you in defining the target organisation’s attack surface and, eventually, in prioritising your testing efforts.
Finding Out About Social Media Behavior
Organizations use social media technology to communicate information and ideas, as well as to facilitate cooperation within virtual communities or networks.
This data may be used to influence decisions, shape opinions, and stimulate employee innovation. LinkedIn, Facebook, Twitter, and YouTube (to mention just a few) are popular social networking platforms for both employees and companies.
IT professionals, for example, may include not just who they work for but also their expertise with certain technologies, credentials and degrees they possess, tech organisations they are members of, connections to tech conferences, and so on in their LinkedIn profiles.
Employees and businesses/organisations publish information to social media that is publicly accessible and can therefore be collected anonymously, including names of employees, e-mail addresses and other contact information for technical personnel and organisational leadership, and possibly some of the projects the organisation has worked on.
As an example of OSINT gathered through social media, consider how employees of a software development business use YouTube to give customers video lessons on how to install and configure the firm’s products.
During the video, a developer may reveal the default login and password for one of the company’s products’ back-end database management systems (DBMS).
This is just one of the hundreds of instances of how to use social media platforms to find hidden gems of information that may be easily available to you during passive information discovery.
Information Technology
If a customer hires you to do a white-box pentest, you may be given network diagrams, hardware/software inventories, hostnames, IP addresses, and other information to help you execute the pentest.
There are many compelling reasons to provide this information to the pentest team up front, including time and cost savings.
If you’re requested to do a black-box evaluation, though, you’ll have to depend on OSINT procedures for your first data collection.
Knowing what publicly accessible information about the target organisation’s technology exists is critical for justifying and creating acceptable risk mitigation processes. Fortunately, there are tools available to help you gather that data.
Both the Internet-Wide Scan Data Repository (https://scans.io) and the ZMap Project (https://zmap.io) provide a set of tools for conducting large-scale scans of hosts and services on the public Internet.
Security companies and academic institutions such as universities conduct these scans and collect the data in order to study network topology configurations, services, and security technologies in use.
The consequence is that if a company operates systems on public-facing IP addresses, information about its open ports and services will be collected and shared in much the same way that market research firms sell consumer data.
As a pentester, it’s critical that you employ the correct tool(s) to achieve the pentest’s stated aims and objectives. This will most likely include using a variety of discovery techniques in order to get as much information as possible about the target company.
Discovery Methods
Pentesters have access to a variety of open source discovery techniques, each with its own set of services and capabilities.
- Regional Internet Registries (RIRs)
- WHOIS databases and searches
- DNS record lookups
- Search engines
- OSINT collection tools
- Metadata analysis
Regional Internet Registries
The Internet Assigned Numbers Authority (IANA) is a set of functions operated under the Internet Corporation for Assigned Names and Numbers (ICANN; https://www.icann.org/) that is responsible for the global coordination of several registries that keep the Internet running smoothly.
IANA’s responsibilities fall into three areas: managing the DNS root zone, allocating the global pool of IP addresses and autonomous system numbers to the Regional Internet Registries, and maintaining the protocol parameter registries in coordination with the IETF and other standards organisations.
Additional information is available at https://www.iana.org.
A Regional Internet Registry (RIR) is an organisation that oversees and supervises the distribution of Internet Protocol (IP) addresses based on a particular area, such as a nation or continent, that were assigned by IANA.
There are a number of RIRs across the world:
- American Registry for Internet Numbers (ARIN)
- Réseaux IP Européens Network Coordination Centre (RIPE NCC)
- Latin America and Caribbean Network Information Centre (LACNIC)
- African Network Information Centre (AFRINIC)
- Asia-Pacific Network Information Centre (APNIC)
Educational institutions (e.g., universities), governments, large enterprises, and Internet service providers (ISPs) are allocated blocks of IP addresses by their RIR for the purpose of reassigning that space to their own networks and/or customers.
For example, a small company in the United States that wants its own block of IPv4 addresses, say a /24 (what older texts call a Class C network), would normally obtain it through its ISP, which resells space out of the larger block ARIN allocated to it.
The organisation then connects to the Internet through its ISP’s router and can begin assigning public-facing IP addresses to assets on the corporate network in order to make its services accessible to the general public.
The country/region in which an organisation is situated determines which RIR its address range comes from, and geolocation databases use such allocation and routing data to map an IP address to an approximate location.
IP2Location (https://lite.ip2location.com/) offers free IP geolocation services to let you trace IP addresses to particular places across the world.
Typing a web server’s numerical IP address into the browser’s address bar is tedious, and the digits are hard to memorise.
Unique designations, called domain names, are used to represent hosts to make this procedure simpler.
DNS makes it simpler for end-users to navigate the Internet by allowing them to visit a website or other Internet destination by typing a string of characters (domain name) rather than a difficult string of numbers.
Domain name resolution is the process by which DNS converts a name into a unique IP address. E-mail addresses and other Internet apps also utilise domain names.
WHOIS is a query mechanism for obtaining information about the registered holders of IP addresses and autonomous system numbers (held in RIR databases) and of domain names (held by domain registries and registrars).
WHOIS Database
The WHOIS protocol dates from 1982, with its formal specification described in Internet Engineering Task Force (IETF) Request for Comments (RFC) documents.
The initial WHOIS criteria were outlined in RFC 812, which was replaced in 1985 by RFC 954, which was superseded in 2004 by RFC 3912 (https://tools.ietf.org/html/rfc3912).
WHOIS is a transaction-oriented query/response protocol based on TCP.
Originally intended to offer “white pages” services and information on registered domain names, today’s deployments include a far larger variety of information services.
WHOIS Searches
WHOIS database servers listen on TCP port 43 for Internet registrant information.
InterNIC’s web-based WHOIS search (https://www.internic.net/whois.html) enables Internet users to look up domain names, registrars, and name servers.
InterNIC was once the body in charge of domain name registrations; ICANN now oversees them.
InterNIC WHOIS search example
The WHOIS client is a command-line programme in Kali Linux that queries WHOIS servers that follow the RFC 3912 specification for items such as Internet registrar information.
When the WHOIS client is run, it selects a server appropriate to the object being queried (e.g., whois.arin.net for North American IP addresses, whois.iana.org for top-level domain referrals, or a registrar server such as whois.networksolutions.com) and follows any referral the server returns.
A query such as whois example.com, with no other command-line arguments, returns the full record held by the remote WHOIS server.
Other command-line arguments for the WHOIS client tool are available. You may get more information by running man whois from the command line.
WHOIS client search example
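To make the RFC 3912 exchange concrete, here is an added example (not the Kali whois client’s source code) of a minimal WHOIS client that sends the query over TCP, reads until the server closes the connection, parses the "Key: value" lines, and follows a "refer:" referral the way the Linux client does. A throwaway local server stands in for whois.iana.org and the registry so the exchange runs offline; the .test domain, the registrar name, and every record served are constructed, and the host:port form of the referral is an extension for the local demo only (real referrals name a host on port 43).

```python
"""Minimal RFC 3912 WHOIS client plus a local stand-in server (added example)."""
import socket
import threading
from collections import defaultdict

WHOIS_PORT = 43

# Constructed registry-style record; no real registrant data.
SAMPLE_REGISTRY_RECORD = """\
   Domain Name: EXAMPLE.TEST
   Registrar: Example Registrar LLC
   Registrar WHOIS Server: whois.registrar.test
   Creation Date: 2001-03-09T00:00:00Z
   Registry Expiry Date: 2026-03-09T00:00:00Z
   Name Server: NS1.EXAMPLE.TEST
   Name Server: NS2.EXAMPLE.TEST
   DNSSEC: signedDelegation
"""


def whois_query(query, server, port=WHOIS_PORT, timeout=10):
    """One RFC 3912 transaction: connect over TCP, send the query terminated
    by CRLF, read free-form text until the server closes the connection."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Group 'Key: value' lines into a dict of lists (keys lower-cased,
    repeated keys kept); '%'/'#' comment lines and blank lines are skipped."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def referral_target(fields):
    """Server named by an IANA 'refer:' or ARIN 'ReferralServer: whois://'
    line, or None when the answer is authoritative."""
    for key in ("refer", "referralserver"):
        if fields.get(key):
            return fields[key][0].replace("whois://", "")
    return None


def whois_lookup(query, server, port=WHOIS_PORT, max_hops=3):
    """Query `server`, follow referrals, return (server, port, fields)."""
    for _ in range(max_hops):
        fields = parse_whois(whois_query(query, server, port))
        target = referral_target(fields)
        if target is None:
            return server, port, fields
        server, _, port_str = target.partition(":")  # host:port is demo-only
        port = int(port_str) if port_str else WHOIS_PORT
    raise RuntimeError(f"too many WHOIS referrals for {query!r}")


def start_mock_whois_server(records):
    """Serve records[query] on a random 127.0.0.1 port, RFC 3912 style:
    read one line, write the record, close. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                buf = b""
                while not buf.endswith(b"\n") and len(buf) < 512:
                    chunk = conn.recv(512)
                    if not chunk:
                        break
                    buf += chunk
                query = buf.strip().decode("ascii", errors="replace")
                conn.sendall(records.get(query, f"% No match for {query}\n").encode())

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Two-hop chain as seen for an unfamiliar TLD: the IANA-style server
    answers with 'refer:', and the client re-asks the registry it names."""
    registry_port = start_mock_whois_server({"example.test": SAMPLE_REGISTRY_RECORD})
    iana_port = start_mock_whois_server({
        "example.test": f"% IANA WHOIS server\nrefer:        127.0.0.1:{registry_port}\n"
                        "domain:       EXAMPLE.TEST\n",
    })
    _, port, fields = whois_lookup("example.test", "127.0.0.1", iana_port)
    return port == registry_port, fields


if __name__ == "__main__":
    followed, record = demo()
    print("referral followed:", followed)
    for key in ("registrar", "name server", "dnssec"):
        print(f"{key} -> {record.get(key)}")
```

Two details matter when you point this at real servers: the reply is free text with no machine-readable structure, so the parser is a heuristic that differs per registry, and thin registries such as .com return a "Registrar WHOIS Server:" line that the Linux client also follows (unless run with --no-recursion) to obtain the registrar’s fuller record.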
Registration Data Access Protocol
As RFC 3912 itself states, the WHOIS protocol has no provisions for security, so important concerns such as access control, integrity of the registration data, and confidentiality are not addressed.
Since 2013, ICANN has been working to replace the WHOIS system with a more restrictive source system of record that keeps registrant information hidden from the majority of Internet users and only reveals it when a request meets certain criteria, such as domain-name research, domain-name resale and purchase, regulatory enforcement, legal actions, and so on.
Obtaining registrar information such as an e-mail address, company address, and telephone number of a point of contact for a target domain during OSINT collection may be more difficult with this layer of protection.
Registration Data Access Protocol (RDAP) inquiries are carried out via the Domain Name Registration Data Lookup (https://lookup.icann.org).
RDAP was designed to eventually replace the WHOIS protocol by allowing Internet users to get current registration data.
The results of an RDAP query run through the web interface come straight from registry operators and/or registrars.
ICANN does not collect, retain, or store any data associated with an RDAP lookup. The whois.icann.org database is used as a failover lookup service when the information is not available via RDAP.
Domain Name Registration Data Lookup example
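Unlike WHOIS text, an RDAP response is JSON with a defined structure (RFC 9083), and the server to ask for a given TLD comes from the IANA bootstrap file rather than a hard-coded table. The following is an added example, not ICANN’s lookup code: it resolves the RDAP URL for a domain from a bootstrap excerpt and flattens a domain response into the fields a pentester records, treating "REDACTED FOR PRIVACY" entities as undisclosed contacts. The bootstrap excerpt, the .test TLD, its RDAP server, and the whole sample response are constructed.

```python
"""Build an RDAP domain lookup URL and summarise an RDAP response (added example)."""
import json

# Constructed excerpt in the layout of https://data.iana.org/rdap/dns.json:
# each service entry pairs a list of TLDs with the RDAP base URLs serving them.
SAMPLE_BOOTSTRAP = {
    "version": "1.0",
    "services": [
        [["test"], ["https://rdap.registry.test/rdap/"]],
    ],
}

# Constructed RFC 9083 domain object; the registrant is redacted as GDPR-era
# registries do, while the registrar entity still exposes an abuse contact.
SAMPLE_RESPONSE = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.test",
  "status": ["client transfer prohibited", "server delete prohibited"],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "ns1.example.test"},
    {"objectClassName": "nameserver", "ldhName": "ns2.example.test"}
  ],
  "events": [
    {"eventAction": "registration", "eventDate": "2001-03-09T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2026-03-09T00:00:00Z"}
  ],
  "entities": [
    {
      "objectClassName": "entity",
      "roles": ["registrar"],
      "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
      "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "Example Registrar LLC"],
        ["email", {}, "text", "abuse@registrar.test"]
      ]]
    },
    {
      "objectClassName": "entity",
      "roles": ["registrant"],
      "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "REDACTED FOR PRIVACY"]
      ]],
      "remarks": [{"title": "REDACTED FOR PRIVACY",
                   "description": ["Contact data withheld by the registrar."]}]
    }
  ]
}
""")


def rdap_domain_url(domain, bootstrap):
    """Pick the RDAP base URL registered for the domain's TLD and append the
    RFC 9082 path segment 'domain/<name>'. Returns None for an unknown TLD."""
    name = domain.lower().rstrip(".")
    tld = name.rsplit(".", 1)[-1]
    for tlds, urls in bootstrap["services"]:
        if tld in (t.lower() for t in tlds):
            return urls[0].rstrip("/") + "/domain/" + name
    return None


def vcard_field(entity, prop_name):
    """First jCard (RFC 7095) property value with the given name, or None."""
    _, props = entity.get("vcardArray", ["vcard", []])
    for prop in props:
        if prop[0] == prop_name:
            return prop[3]
    return None


def is_redacted(entity):
    """Registries signal withheld contacts with a 'REDACTED FOR PRIVACY'
    remark title or placeholder name rather than by omitting the entity."""
    marker = "REDACTED FOR PRIVACY"
    if any(marker in r.get("title", "") for r in entity.get("remarks", [])):
        return True
    return marker in (vcard_field(entity, "fn") or "").upper()


def summarize_domain(resp):
    """Flatten the fields worth recording during OSINT: EPP status codes,
    nameservers, lifecycle dates, and per-role contacts (None if redacted)."""
    summary = {
        "domain": resp.get("ldhName"),
        "status": resp.get("status", []),
        "nameservers": [ns["ldhName"] for ns in resp.get("nameservers", [])],
        "events": {e["eventAction"]: e["eventDate"] for e in resp.get("events", [])},
        "contacts": {},
    }
    for ent in resp.get("entities", []):
        for role in ent.get("roles", []):
            if is_redacted(ent):
                summary["contacts"][role] = None
            else:
                summary["contacts"][role] = {"name": vcard_field(ent, "fn"),
                                             "email": vcard_field(ent, "email")}
    return summary


if __name__ == "__main__":
    print(rdap_domain_url("example.test", SAMPLE_BOOTSTRAP))
    print(json.dumps(summarize_domain(SAMPLE_RESPONSE), indent=2))
```

In a live engagement the URL returned by rdap_domain_url is fetched over HTTPS with an Accept: application/rdap+json header, and a 404 from the server means the name is not registered, which is itself useful when checking for lookalike domains. Because RDAP is JSON, results can be diffed between runs of the engagement to spot registrar or nameserver changes, something that is awkward with WHOIS text.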
Conclusion
The reconnaissance procedure, also known as footprinting, is a surveying approach that may assist pentesters in enumerating sensitive information in support of a pentest.
Open source intelligence (OSINT) can be extremely useful in determining what operating systems and applications are installed on the target’s network.
Gathering OSINT on the target’s organisational culture, social media practices, and the technology it uses (among other OSINT) may greatly benefit you in building your pentesting plan.
Knowing what publicly accessible information about the target organisation’s technology exists is critical for justifying and creating acceptable risk mitigation processes.
LinkedIn, Facebook, Twitter, and YouTube are popular social networking platforms for both employees and companies. Use these platforms to find hidden gems of information that may be easily available to you during passive information discovery.
Pentesters have access to a variety of open source discovery techniques, each with its own set of services and capabilities.
The Internet Assigned Numbers Authority (IANA) allocates IP address space to the Regional Internet Registries (RIRs), each of which distributes addresses within a particular area, such as a nation or continent. Domain name resolution is the process by which DNS converts a name into a unique IP address.
WHOIS is a transaction-oriented query/response protocol based on TCP. InterNIC’s web-based WHOIS search (https://www.internic.net/whois.html) enables Internet users to look up domain names.
The WHOIS client is a command-line programme in Kali Linux that searches WHOIS databases compatible with RFC 3912 criteria for items such as Internet registrar information.
Since 2013, ICANN has been working to replace the WHOIS system with a more restrictive source system of record, and RDAP is the protocol designed to succeed it.