Reconnaissance: the key to Ethical Hacking!

Shaik Ajmal · Published in Techloop · 4 min read · Aug 12, 2019

If you give a hacker a new toy, the first thing he’ll do is take it apart to figure out how it works. — Jamie Zawinski

Hacking is just the act of finding a clever and counter-intuitive solution to a problem. Hacking is not a crime; it is an art of exploitation and awareness which can be mastered like any other art. To master this art, there are methods and guidelines which can help you become a hacker. This write-up walks you through the most important and the beginning phase of hacking: Reconnaissance.

Reconnaissance is an important tool for penetration testing and the beginning point of many data breaches. The process involves gathering information about the target system which could be used to find flaws and vulnerabilities.

In the reconnaissance stage, attackers act like detectives, gathering information to truly understand their target. The detail is everything! From examining email lists to open source information, their goal is to know the network better than the people who run and maintain it. They home in on the security aspect of the technology, study the weaknesses, and use any vulnerability to their advantage.

Reconnaissance can be divided into two phases:

  1. Passive reconnaissance
  2. Active reconnaissance

Passive reconnaissance

In this phase a pentester tries to gather information about the target through publicly available sources. One such source is Open-Source Intelligence, also known as OSINT. There are many other sources, such as Shodan, which are very powerful tools when it comes to passive reconnaissance.

Active reconnaissance

In this process, you directly interact with the computer system to gain information. This information can be relevant and accurate, but there is a risk of getting detected if you perform active reconnaissance without permission. If you are detected, the system admin can take severe action against you and trace your subsequent activities.

Footprinting, Scanning, and Enumeration

The process of reconnaissance can be carried out by Footprinting, Scanning, and Enumeration. These three are the subprocesses of reconnaissance which help us gather effective information from the host or the target.

Footprinting is the process of collecting as much information as possible about a target network, in order to find various ways to intrude into an organization’s network system. Once you methodically begin the footprinting process, you will obtain the blueprint of the security profile of the target organization. The term “blueprint” is used here because the result gathered at the end refers to the unique system profile of the target organization.

Footprinting is done to:

  1. Reduce the area of attack
  2. Know the Security Posture
  3. Build an information database
  4. Draw Network Maps

What do we actually do in Footprinting?

  1. Check the type of OS the target is running on.
  2. Find the network posture and information about the target.
  3. Perform lookups such as WHOIS, DNS, network and organizational queries.

How do we perform Footprinting?

Footprinting through search engines

In this method, we use search engines to gather information about a target. The Google Hacking Database is one such way to use search engines effectively. Here is an example of how Google dorking can be used to search for information.

site:https://docs.google.com/spreadsheets responses

This particular Google dork helps us find spreadsheets that hold responses from users. These spreadsheets may provide valid information which can be used as a fake identity, or even more!

The Google hacking database provides many such tweaks for these dorks!

Website and E-mail Footprinting

Website and e-mail footprinting may require a little more effort and technical knowledge, but it’s worth it. Analyzing a website from afar can show potentially interesting information, such as software in use, OS, filenames, paths, and contact details. Using tools such as Burp Suite, Firebug, and Website Informer allows you to grab headers and cookies, and learn connection status, content type, and web server information.

E-mail headers provide more information than you might think, and are easy enough to grab and examine. Though these techniques seem active, another shortcut that can be used while footprinting is mirroring the website and running our tools against the copy. Burp Suite also provides various features with which you can footprint passively.
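As an added example (not code from the original article), the script below shows, with Python's standard library only, what the headers discussed above actually give away. It parses a constructed raw HTTP response and a constructed e-mail message (the hosts, addresses and banners are made up: example.com and example.net are reserved documentation domains and 203.0.113.0/24 is a documentation network) and reports the web server and framework banners, the cookie hardening flags, the content type and connection status, the mail relay chain read from the Received: headers, and any private addresses that leaked through them. Run against your own servers, the same checks show what a footprinting pass would see before an attacker does.

```python
"""Header footprinting (added example; not code from the original article).
Parses a CONSTRUCTED HTTP response and a CONSTRUCTED e-mail and reports what
each discloses about the infrastructure behind it."""
import re
from email import message_from_string

# Constructed sample response; banners are illustrative, not captured from a real host.
RAW_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "Connection: keep-alive\r\n"
    "\r\n<html><body>hello</body></html>"
)

# Constructed sample message: example.com/.net are reserved documentation domains,
# 203.0.113.0/24 is a documentation network, 10.x and 192.168.x are RFC 1918 space.
RAW_EMAIL = """\
Received: from mx-edge.example.com (mx-edge.example.com [203.0.113.10])
\tby mail.example.net with ESMTPS id abc123
\tfor <alice@example.net>; Mon, 12 Aug 2019 10:00:00 +0000
Received: from intranet-mail01.corp.example.com (10.20.30.40)
\tby mx-edge.example.com with ESMTP; Mon, 12 Aug 2019 09:59:58 +0000
Received: from [192.168.1.55] (unknown [192.168.1.55])
\tby intranet-mail01.corp.example.com with ESMTPA; Mon, 12 Aug 2019 09:59:55 +0000
From: Bob <bob@example.com>
Subject: Quarterly report
Message-ID: <20190812095955.1234@intranet-mail01.corp.example.com>

Body text.
"""

# Non-capturing groups so findall() returns whole addresses, not sub-groups.
PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
                        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
RECEIVED_FROM = re.compile(r"from\s+\[?([\w.\-]+)\]?")
SIMPLE_HEADERS = {"server": "server", "x-powered-by": "powered_by",
                  "content-type": "content_type", "connection": "connection"}


def parse_http_response(raw):
    """Return (status line, [(lower-cased header name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    pairs = [line.partition(":") for line in lines[1:]]
    return lines[0], [(n.strip().lower(), v.strip()) for n, _, v in pairs]


def http_footprint(raw):
    """Collect what the article says headers give away: server, content type, cookies."""
    status_line, headers = parse_http_response(raw)
    fp = {"status": status_line, "cookies": []}
    fp.update({v: None for v in SIMPLE_HEADERS.values()})
    for name, value in headers:
        if name in SIMPLE_HEADERS:
            fp[SIMPLE_HEADERS[name]] = value
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            flags = {p.lower() for p in parts[1:]}
            fp["cookies"].append({"name": parts[0].split("=", 1)[0],
                                  "secure": "secure" in flags,
                                  "httponly": "httponly" in flags})
    return fp


def email_footprint(raw):
    """Walk the Received: chain (origin first) and note what the headers disclose."""
    msg = message_from_string(raw)
    chain, private = [], set()
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(hdr)
        if m:
            chain.append(m.group(1))
        private.update(PRIVATE_IP.findall(hdr))
    return {
        "relay_chain": list(reversed(chain)),  # each relay prepends its Received: header
        "leaked_private_ips": sorted(private),
    }


def findings(http_fp, mail_fp):
    """Turn both footprints into the list of disclosures a defender would want to close."""
    out = []
    if http_fp["server"] and re.search(r"\d", http_fp["server"]):
        out.append("Server header discloses a version: " + http_fp["server"])
    if http_fp["powered_by"]:
        out.append("X-Powered-By discloses the application stack: " + http_fp["powered_by"])
    for c in http_fp["cookies"]:
        missing = [f for f in ("secure", "httponly") if not c[f]]
        if missing:
            out.append("cookie %s lacks %s" % (c["name"], ", ".join(missing)))
    if mail_fp["leaked_private_ips"]:
        out.append("Received: headers expose internal addresses: "
                   + ", ".join(mail_fp["leaked_private_ips"]))
    return out


if __name__ == "__main__":
    for line in findings(http_footprint(RAW_HTTP_RESPONSE), email_footprint(RAW_EMAIL)):
        print(line)
```

On the constructed input the report lists four disclosures: the Apache version, the PHP version, the session cookie without Secure/HttpOnly, and the two RFC 1918 addresses that the internal relays wrote into the Received: chain. Each of those is a passive finding, since reading a response or a message you already hold sends nothing to the target.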

Tools for website and email footprinting:

  1. HTTrack (www.httrack.com)
  2. Black Widow (http://softbytelabs.com)
  3. WebRipper (www.calluna-software.com)
  4. Teleport Pro (www.tenmax.com)
  5. GNU Wget (www.gnu.org)
  6. Backstreet Browser (http://spadixbd.com)

Another cool tool that indexes websites from the very beginning of their existence is the Wayback Machine. This website takes snapshots of sites at different points in time and stores them in its archive, allowing us to find out the changes that have taken place on a website.

Other methods of footprinting include:

  1. Through Social Networking Sites
  2. Through directly communicating with the target (Social Engineering)
  3. Through Job Portals
  4. DNS Footprinting.

What if we skip Footprinting?

Scenario :

You need to hack a mail account, as you see no other available option to get access to your client’s system. You manage to create a phishing mail for some XYZ Bank and send him a mail alerting him about unusual activity in his bank account, asking for a security checkup. But you didn’t know that your client doesn’t have an account with XYZ Bank. He becomes aware that someone is trying to hack him, reports the mail to the cybercrime department, and becomes extra careful about any further attempts you may make to hack the system.

This scenario proves why footprinting is important and without proper information about the target the attack often fails!

To Sum Up

Scanning and Enumeration are the other topics that come under Reconnaissance, and they will be discussed in later posts. I hope the readers now have a basic idea of reconnaissance and its importance in a penetration tester’s life.
