Phase 1 - Reconnaissance: Information Gathering before the Attack
Reconnaissance denotes the work of information gathering before any real attacks are planned. The idea is to collect as much interesting information as possible about the target. To achieve this, many different publicly available sources of information are used. The extracted information will often already allow a detailed insight into the affected systems.
Different Types of Information, Different Sources
RedTeam Pentesting gave us an extremely professional service, and each year they find new issues to check for and new ways to exploit Software weaknesses. We have the impression they are helping us to stay ahead of the curve in the fight to avoid hackers successfully compromising any of our sites. We particularly like the fact that they are very easy to work with, without sacrificing any professionalism or competence. Their demonstration sessions in report meetings of weaknesses can be devastating - but this is exactly the effect needed to show developers and non-technical people about the dangers of bad code on the Internet.
This encompasses technical as well as nontechnical information. Technical information may be IP-ranges, insight into the (internal) network infrastructure, used hardware and even passwords. But nontechnical information can also prove to be interesting in the context of a pentest, like social structures and location information. When used in combination, this information is often very helpful. For example, critical information is normally accessed by upper management, and not by interns. Knowledge about the internal structures may therefore help focussing on the right targets. Examples for information sources are search engines, social networks, WHOIS databases or the Domain Name System (DNS).
All of this data is publicly available and not gathered by exploiting vulnerabilities. Such an investigation is not recognisable for the company, as normally the only direct contact that is made is accessing the company website, which cannot be distinguished from regular visitors. Due to the fact that no active attacks are taking place, the systems of the company are completely safe during this phase.
Step by Step
Data acquired through reconnaissance gives the penetration testers an overview of the company, sometimes down to the point of detailed information about specific topics. This prepares for the second phase of the pentest, the enumeration phase), where the information may be immediately used as a starting point. This procedure corresponds directly to actions real attackers would take, as they would also first collect information about the company before starting any attacks.
It goes without saying that even though all the collected information is publicly available, it is also treated as confidential.
After evaluating the information gathered during the reconnaissance phase, the next step is the enumeration phase, where this data will be used for determining potential attack vectors.