We will be taking a look at the various tools and techniques that can be used to perform both passive and active reconnaissance. Before we look at the techniques, however, we need to understand the Reconnaissance tactic of the MITRE ATT&CK framework and the various techniques that fall under it.
We can also perform a DNS zone transfer with the built-in fierce utility. First, what Fierce is not: Fierce is not an IP scanner, it is not a DDoS tool, and it is not designed to scan the whole Internet or perform any untargeted attacks. It is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool: a Perl script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.
SubFinder is a tool to scan domains and discover subdomains. This may be useful during the reconnaissance phase of penetration testing where information is collected. Some subdomains may reveal sensitive data or point to interesting targets such as a backup location.
Domain Analyzer is an information gathering tool and comes in handy for reconnaissance. It can be useful for penetration testing or for evaluating what information is publicly available about your own domains. Some pieces of information that can be discovered include DNS servers, IP addresses, mail servers, SPF information, open ports, and more.
OSINT-SPY is a modular tool to query information on different subjects such as an IP address, domain, email address, or even a Bitcoin address. This tool can be valuable during the reconnaissance phase of a penetration test. It can also be used for defensive purposes, such as learning what information is publicly available about your organization and its assets.
Different scanners perform different functions, but some can scan web applications as well as databases and networks. Some are only useful for scanning web applications while others can scan databases as well. Since every situation requires its own set of tools, Kali Linux is especially handy because of its long list of vulnerability assessment tools.
Network vulnerability scanners scan for problems, but the more thorough the scan, the longer it takes to complete. Running intrusive scanners on a production network can also introduce certain issues such as increased traffic, false positives and general noisiness on the network. Selecting the right tool for the job is critical.
Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery, including w3af and Burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.
Subfinder is an open source subdomain enumeration tool that finds subdomains using passive reconnaissance. Subfinder uses a simple modular architecture and is optimised for speed. It is built purely for passive reconnaissance, and it does that very well.
Network Security Toolkit (NST) is a bootable live CD based on the Fedora distribution. The toolkit was designed to provide easy access to best-of-breed open source network security applications and should run on most x86 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of open source network security tools. What we find rather fascinating with NST is that we can transform most x86 systems (Pentium II and above) into a system designed for network traffic analysis, intrusion detection, network packet generation, wireless network monitoring, a virtual system service server, or a sophisticated network/host scanner.
Kali Linux comes preinstalled with a large suite of tools used for active and passive reconnaissance. However, most of these tools are built on Python and can be used on other operating systems as long as they match the prerequisites.
The IP address, or Internet Protocol address, is a numerical identifier for a device attached to a private network or the public Internet. The Internet today still runs mostly on IPv4. As seen in the table below, Kali contains numerous command-line tools to aid DNS reconnaissance.
I hope this article sheds some light on what passive reconnaissance is, the process behind it, and the tools that are most commonly used by attackers or penetration testers to get relevant information on a target.