Phase 1 - Reconnaissance: Information Gathering before the Attack
Reconnaissance denotes the work of information gathering before any real attacks are planned. The idea is to collect as much interesting information as possible about the target. To achieve this, many different publicly available sources of information are used. The extracted information will often already allow a detailed insight into the affected systems.
Different Types of Information, Different Sources
RedTeam Pentesting presented quite some ‘eye-openers’ to us and helped us to understand attack scenarios and take appropriate counter-measures.
This encompasses technical as well as nontechnical information. Technical information may be IP-ranges, insight into the (internal) network infrastructure, used hardware and even passwords. But nontechnical information can also prove to be interesting in the context of a pentest, like social structures and location information. When used in combination, this information is often very helpful. For example, critical information is normally accessed by upper management, and not by interns. Knowledge about the internal structures may therefore help focussing on the right targets. Examples for information sources are search engines, social networks, WHOIS databases or the Domain Name System (DNS).
All of this data is publicly available and not gathered by exploiting vulnerabilities. Such an investigation is not recognisable for the company, as normally the only direct contact that is made is accessing the company website, which cannot be distinguished from regular visitors. Due to the fact that no active attacks are taking place, the systems of the company are completely safe during this phase.
Step by Step
Data acquired through reconnaissance gives the penetration testers an overview of the company, sometimes down to the point of detailed information about specific topics. This prepares for the second phase of the pentest, the enumeration phase), where the information may be immediately used as a starting point. This procedure corresponds directly to actions real attackers would take, as they would also first collect information about the company before starting any attacks.
It goes without saying that even though all the collected information is publicly available, it is also treated as confidential.
After evaluating the information gathered during the reconnaissance phase, the next step is the enumeration phase, where this data will be used for determining potential attack vectors.