Phase 1 - Reconnaissance: Information gathering before the attack
Reconnaissance denotes the collection of information before the attack. The idea is to collect as much information as possible about the target that may be valuable later. To achieve this, many different publicly available sources of information are searched. The extracted information often already gives a detailed insight into the company under test.
Different types of information, different sources
This encompasses technical as well as non-technical information. Technical information may be IP ranges, insight into the (internal) network infrastructure, the hardware in use and even passwords. Non-technical information can also prove interesting in the context of a pentest, such as social structures and physical locations. Used in combination, this information is often very helpful. One example: critical information is normally found in upper management, not with, say, an apprentice, so knowing the internal structures helps to focus on the right targets. Examples of information sources used are search engines, newsgroups, WHOIS databases and the Domain Name System (DNS).
All of this data is publicly available and is not gathered by attacking the network. Such an inquiry is not detectable by the company: normally the only contact is made through the website, and these requests cannot be distinguished from those of regular visitors. Since no active attacks take place, the company's systems are not at risk during this phase.
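As an added example (not code from the original text), the following Python script shows the kind of review a company can run on its own public DNS zone to see what this phase would find there: internal (RFC 1918 or ULA) addresses published in public records, hostnames whose labels reveal a system's role, and address ranges disclosed in TXT records such as SPF. The zone excerpt is constructed sample data, and the list of role-revealing labels and the zone name are illustrative assumptions.

```python
"""Review what a public DNS zone discloses to an outside observer.

Added example with constructed sample data; it is not code from the original
text. The sensitive-label list and the zone name are illustrative assumptions.
"""
import ipaddress
import re

# Address ranges that should normally never appear in public DNS (RFC 1918 and IPv6 ULA).
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Hostname labels that reveal a system's role to an outsider (assumed, illustrative list).
SENSITIVE_LABELS = {"vpn", "intranet", "internal", "dev", "staging", "admin", "backup"}

# Constructed zone excerpt in "name type data" form (not real records).
SAMPLE_ZONE = """
www.example.com.       A    203.0.113.10
mail.example.com.      A    203.0.113.25
intranet.example.com.  A    10.20.30.40
vpn.example.com.       A    203.0.113.50
dev-db.example.com.    A    192.168.5.12
example.com.           MX   10 mail.example.com.
example.com.           TXT  "v=spf1 ip4:203.0.113.0/24 -all"
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")


def parse_records(text):
    """Parse 'name type data' lines into (name, type, data) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, rtype, data = m.groups()
            records.append((name.rstrip(".").lower(), rtype.upper(), data.strip()))
    return records


def is_internal(address_text):
    """True if the text is an IP address inside an RFC 1918 or ULA range."""
    try:
        addr = ipaddress.ip_address(address_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def review_exposure(records, zone):
    """Return (name, finding, detail) tuples for records that disclose internal information."""
    findings = []
    for name, rtype, data in records:
        # Strip the zone suffix so only the host part is inspected for role labels.
        if name == zone:
            host = ""
        elif name.endswith("." + zone):
            host = name[: -(len(zone) + 1)]
        else:
            host = name

        if rtype in ("A", "AAAA") and is_internal(data):
            findings.append((name, "internal-address-in-public-dns", data))

        labels = [lbl for lbl in re.split(r"[.\-]", host) if lbl]
        hits = sorted(SENSITIVE_LABELS.intersection(labels))
        if hits:
            findings.append((name, "role-revealing-hostname", ",".join(hits)))

        if rtype == "TXT":
            # SPF and similar TXT records legitimately publish address ranges;
            # list them so the owner knows they are visible to anyone.
            for rng in re.findall(r'ip[46]:([^\s"]+)', data):
                findings.append((name, "address-range-in-txt", rng))
    return findings


if __name__ == "__main__":
    for finding in review_exposure(parse_records(SAMPLE_ZONE), "example.com"):
        print("%-22s %-32s %s" % finding)
```

Run against the sample zone, the review reports the two hosts with private addresses, the three role-revealing hostnames and the SPF range; in practice the input would be an export of the organisation's own zone, reviewed before an external party ever queries it.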
Step by step
During reconnaissance the pentester moves from a general overview of the company to detailed information about specific areas. This prepares the second phase of the pentest (Enumeration), where the information can be used directly as an entry point. The procedure corresponds exactly to the steps a real attacker would take to collect information about the company before starting an attack.
As a matter of course, all collected information is treated as confidential, even though it is publicly available.
After the gathered information has been evaluated, the next phase, Enumeration, follows, where this data is put to use.
“Sicherheit und Industriespionage: Ein Realitätsabgleich”
Ruhr-Universität Bochum