What is Recon?
Recon, or reconnaissance, is the first essential step on the pentester’s checklist before digging for vulnerabilities. Basically, it’s enumerating subdomains (if the scope is a domain name with a wildcard), checking for open ports, scanning for live hosts and finding the technologies used by the company.
Active Recon vs Passive Recon
Active recon has a very direct approach to the target. It’s basically putting on your hacker hoodie and taking the risk of early detection while probing the system for weaknesses. It’s the fast way and could eventually lead to finding potential vulnerabilities without digging too much (yep, you can catch an open admin panel in the wild).
Passive recon is all about gathering as much information about the target as you can without having to interact with it. It can be done by looking through Google search results for useful links, or even social media for useful information about employees (don’t mix this up with stalking, huh).
Tools often used by pentesters in Active Recon
· Nmap: A very hacker-friendly network mapper, used to check for open ports, enumerate services and find out their versions by analyzing responses.
· Metasploit: A multi-faceted platform that evolved from a pure exploitation framework into a reliable reconnaissance tool, thanks to the auxiliary modules added by pentesters every day (don’t forget to keep yours up to date).
· Nikto: Nikto is purely a web server scanner; it identifies several vulnerabilities by directly engaging with the target. Although it’s easy to use, it raises a lot of flags and is highly detectable by an IDS.
Tools often used by pentesters in Passive Recon
· Google: Every hacker’s go-to. As much as it helps you along your way of learning pentesting, it does not let you down on real engagements either. If you start using its dorks and the Google Hacking Database, your life will be much easier (even when it’s not for pentesting purposes).
· Shodan (https://www.shodan.io/): Shodan is often used to identify IoT and network devices connected to the internet. Just like Google, a simple search (use dorks for more accurate results) will give you a good view of the attack surface on which you can build the rest of your operation.
· Archive (https://archive.org/web/): A very good old friend of hackers. You’ll find new and old versions of your target in there; it’ll save you the time and noise of fuzzing to find directories and eliminate the risk of raising any flags. The URLs that you get from there will certainly guide you through your pentest and make you familiar with your target environment in no time.
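The Wayback Machine exposes its index through the CDX API, so the "URLs you get from there" can be pulled programmatically and reviewed (for instance, to see which of your own old paths are still publicly archived). The following is an added example, not DND Agency’s code; it assumes the public CDX endpoint and its JSON output layout (first row is the header), and the sample response is constructed.

```python
"""Passive recon helper: turn Wayback Machine CDX output into the unique
historical paths the archive holds for a domain."""
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"  # assumed archive.org endpoint


def cdx_query_url(domain: str) -> str:
    """Build a CDX query returning one row per distinct URL (collapse=urlkey)."""
    return (f"{CDX_ENDPOINT}?url={domain}/*&output=json"
            "&fl=original,statuscode,timestamp&collapse=urlkey")


def historical_paths(cdx_rows, keep_status=("200",)):
    """Return sorted unique paths (with query string) from CDX JSON rows.
    The first row is the field header; rows whose archived status code is not
    in keep_status (redirects, 404s) are dropped."""
    if not cdx_rows:
        return []
    header, *rows = cdx_rows
    idx = {name: i for i, name in enumerate(header)}
    paths = set()
    for row in rows:
        if row[idx["statuscode"]] not in keep_status:
            continue
        parsed = urlsplit(row[idx["original"]])
        path = parsed.path or "/"
        paths.add(path + ("?" + parsed.query if parsed.query else ""))
    return sorted(paths)


def fetch_historical_paths(domain: str):
    """Live lookup (needs network); wraps historical_paths()."""
    with urlopen(cdx_query_url(domain), timeout=30) as resp:
        return historical_paths(json.loads(resp.read()))


# Constructed sample CDX response (not real archive data).
SAMPLE_CDX = [
    ["original", "statuscode", "timestamp"],
    ["http://example.com/", "200", "20150101000000"],
    ["http://example.com/admin/", "200", "20160101000000"],
    ["http://example.com/old-login.php", "200", "20141231000000"],
    ["http://example.com/admin/", "301", "20200101000000"],  # later snapshot redirects
    ["http://example.com/backup.zip", "404", "20190101000000"],
    ["http://example.com/search?q=test", "200", "20170101000000"],
]

if __name__ == "__main__":
    for p in historical_paths(SAMPLE_CDX):
        print(p)
```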
The DNDA Way
At DND Agency, we have developed our own methodology in which we combine the active and the passive. We wrap the programmatic expressions of our will in scripts developed internally, like Christmas presents for our clients (you can catch the Mr. Robot vibe already). The key is always precision: we minimize the error margin and avoid raising flags, while covering more surface. Time, precision, and stealth are essential players in our game; could you be the fourth?
In a nutshell, recon is the bones of your operation’s body: the more time you invest in it, the better the results will be and the more you are going to enjoy hacking. If you want your digital dream kept safe or want to learn recon in depth with us, don’t hesitate to get on board: