Goals of Recon
- Network Information (IPs, CIDR, Domains)
- Systems (Server Names/IPs)
- Web Applications
- Security Tools (Firewalls, IDS/IPS, Endpoint Security)
- People (Leadership, Admins, Engineers, Developers, etc.)
- Partners (Vendors, Hosting Providers)
Passive Reconnaissance
Mostly OSINT (publicly available information); no packets are sent to the target
Tools/Strategies
- ICANN
  - Domain Registration (contact names, addresses, nameserver info)
  - IP Address Registration
    - Internet Assigned Numbers Authority (IANA) - delegates address space to five Regional Internet Registries (RIRs)
      - AfriNIC - Africa
      - APNIC - Asia/Pacific
      - ARIN - North America
      - LACNIC - Latin America and Caribbean
      - RIPE NCC - Europe, Middle East, Central Asia
- Google Dorking
  - Aka Google hacking: search operators that surface indexed files, pages, and error messages
- Shodan
  - Search engine of internet-exposed hosts and services (banner data collected by Shodan, so no traffic to the target)
- theHarvester
  - Command line tool that queries multiple search engines for emails, subdomains, and hosts
  - Included in Kali, but has had issues in the past
- Netcraft
  - Provides technical reports on other websites (hosting history, server software, certificates)
- Metagoofil (technically not passive, because you download documents from the host, but it can give larger insight into the target)
  - Kali utility designed for extracting metadata (authors, usernames, software versions) from public documents
- DNS
  - nslookup and dig are useful command line tools for querying individual records (A, NS, MX, TXT, etc.)
  - dnsrecon (included in Kali) offers a streamlined approach to gathering DNS data; pull down the latest version rather than relying on the packaged one
- MxToolbox
  - Find email service provider, DNS information, WHOIS information, and more
Active Reconnaissance
Interacting directly with the target - needs permission for anything beyond public access
Tools/Strategies
- Nmap
  - Network scanner included in Kali
  - Can give you good guesses as to which ports and services a target exposes to the public
  - If inside the network, helps with finding internal services
  - This can/will set off many "alarms" (firewall, IDS, and endpoint alerts) depending on how the network is set up
- Nikto website scanner https://www.cirt.net/nikto2/
  - Checks web servers against its database of known vulnerabilities and misconfigurations
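The note that Nmap "will set off many alarms" is worth seeing from the defender's side. As an added example (not part of the original notes), the Python below runs a simple port-scan detection over constructed connection-log lines: for each source address it keeps a sliding time window and alerts when the number of distinct destination ports in that window crosses a threshold. The log layout (`timestamp src dst dport action`) is an assumption rather than any real firewall's format, the addresses are documentation ranges, and `build_constructed_log`, `parse_log` and `detect_port_scans` are hypothetical names.

```python
"""Sliding-window port-scan detection over a constructed connection log.

Added example, not from the original notes. The log format and thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_constructed_log():
    """Build a made-up log in memory: one benign client, one fast sequential
    scanner, and one slow scanner. Nothing here is real traffic."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Benign client: repeated HTTPS connections to a single host (many events, one port).
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 192.0.2.5 203.0.113.10 443 ALLOW")
    # Fast sequential scan: 40 different ports in 40 seconds.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 203.0.113.10 {i + 1} DENY")
    # Slow probe: 20 different ports, one per minute, to show what a 60 s window misses.
    for i in range(20):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} 203.0.113.99 203.0.113.10 {1000 + i} DENY")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp src dst dport action' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=15):
    """Return one alert per source whose distinct (dst, port) count within any
    `window` reaches `min_ports`. Events are processed in time order per source."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        recent = deque()  # events within the current window
        for ev in evs:
            recent.append(ev)
            # Drop events that fell out of the window relative to the newest event.
            while recent and ev[0] - recent[0][0] > window:
                recent.popleft()
            targets = {(e[2], e[3]) for e in recent}
            if len(targets) >= min_ports:
                alerts.append({"src": src, "start": recent[0][0], "end": ev[0],
                               "distinct_ports": len(targets)})
                break  # first crossing is enough; later events would only repeat it
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_log(build_constructed_log())):
        print(alert)
```

With the defaults the fast scanner is flagged after its fifteenth port, the benign client never is (one port, however many connections), and the slow source is not flagged at all because only two of its events ever share a 60-second window. That last case is the caveat a detection engineer should take from the note: a single short window gives a clean signal for a default Nmap run, so production rules usually evaluate several window sizes or keep a longer-lived per-source port count in addition to the short one.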