Passive Reconn
Passive reconnaissance, also known as information gathering, is the process of collecting information about a target without directly interacting with the target system or network. In this phase, the tester collects as much information as possible about the target from publicly available sources. This information can later be used to find potential vulnerabilities. Here are the typical activities and tools involved in passive reconnaissance:
1. Open Source Intelligence (OSINT) Gathering
Websites and Search Engines: Utilizing search engines, websites, and online databases to gather information about the target.
Social Media: Analyzing social media platforms to gather information on individuals or organizations, including their associates, interests, and activities.
Forums and Communities: Exploring online forums, communities, and groups where information about the target might be discussed.
2. Domain and DNS Research
WHOIS Databases: Querying WHOIS databases to obtain details about domain ownership and contact information.
DNS Interrogation: Extracting DNS records, domain relationships, and IP information from third-party DNS data sources rather than by querying the target's own DNS servers directly.
3. Network Analysis
Network Infrastructure Analysis: Gathering information related to the target's network infrastructure from public resources like Shodan, Censys, etc.
ASN Information: Obtaining details about the Autonomous System Number (ASN) associated with the target, which can provide insight into the target's network infrastructure.
4. Third-party Databases and Repositories
Public Code Repositories: Investigating public code repositories (like GitHub) for code snippets, projects, or information shared by the target.
Data Breach Databases: Checking databases that store information on known data breaches to see if the target's data might have been compromised in the past.
5. Analyzing Public Documents
Document Metadata Analysis: Analyzing metadata from public documents associated with the target to extract information like author names, software used, and file paths.
Public Records and Reports: Reviewing public records, reports, and publications associated with the target for potential information.
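As an added illustration (not part of the original page), the following Python script shows the kind of metadata check a team can run on a PDF before publishing it: it pulls the string entries of the document's Info dictionary from a constructed sample file and flags the fields that disclose an author, the producing software, or a local file path, which is exactly what the document metadata analysis above harvests. The sample bytes and the function names are mine; the parser handles only literal strings in parentheses, not hex strings or compressed object streams.

```python
import re

# Constructed sample: a minimal PDF with an Info dictionary of the kind found
# in many published documents. It is test data, not a real file.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n"
    b"<< /Title (Q3 Network Diagram) /Author (jdoe) "
    b"/Subject (exported from /Users/jdoe/Documents/diagram.vsdx) "
    b"/Creator (Microsoft Word) /Producer (Acrobat Distiller 9.0) "
    b"/CreationDate (D:20230115093000Z) >>\n"
    b"endobj\n"
    b"trailer\n<< /Info 1 0 R >>\n"
    b"%%EOF\n"
)

# Matches "/Key (literal string)" pairs; PDF escape sequences are not decoded.
INFO_ENTRY = re.compile(rb"/(\w+)\s*\(([^)]*)\)")

# Windows drive paths, UNC paths and common home-directory prefixes.
PATH_HINT = re.compile(r"[A-Za-z]:\\|\\\\|/home/|/Users/")


def extract_pdf_info(data: bytes) -> dict:
    """Return the string-valued entries of the PDF Info dictionary."""
    info = {}
    for key, value in INFO_ENTRY.findall(data):
        info[key.decode("ascii")] = value.decode("latin-1")
    return info


def audit_metadata(info: dict) -> list:
    """List the entries that disclose people, tooling or local paths."""
    findings = []
    if info.get("Author"):
        findings.append(f"author identity disclosed: {info['Author']}")
    for key in ("Creator", "Producer"):
        if info.get(key):
            findings.append(f"software version disclosed via /{key}: {info[key]}")
    for key, value in info.items():
        if PATH_HINT.search(value):
            findings.append(f"local file path disclosed in /{key}: {value}")
    return findings


def audit_pdf(data: bytes) -> list:
    """Convenience wrapper: extract and audit in one call."""
    return audit_metadata(extract_pdf_info(data))


if __name__ == "__main__":
    for finding in audit_pdf(SAMPLE_PDF):
        print(finding)
```

In practice the same audit is worth running on office documents (core.xml and app.xml inside the zip container), which carry the same author, application and path fields.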
6. Email Analysis
Email Header Analysis: Analyzing email headers from emails sent by the target to gather information about email servers, IP addresses, and potentially software used.
Phishing Campaign Analysis: Analyzing phishing campaigns targeting the organization can sometimes provide insight into the security posture of the organization.
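Added example (not from the page): parsing the Received chain of a constructed phishing-style message with Python's standard `email` module, so an analyst triaging a reported email can see the hop sequence, the originating address, whether the first hop was an authenticated submission, and the declared mail client. The hostnames and addresses are documentation ranges I chose for the sample; the RFC 1918 check is deliberately explicit because Python's `ipaddress` module also classifies the documentation ranges as non-global.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not a real email). Received headers appear
# newest-first because each relay prepends its own line.
SAMPLE_MESSAGE = """\
Received: from mx-in.example.org (mx-in.example.org [192.0.2.10])
\tby mail.example.com with ESMTPS id abc123;
\tMon, 15 Jan 2024 09:31:02 +0000
Received: from outbound.example.net (unknown [198.51.100.25])
\tby mx-in.example.org with ESMTP;
\tMon, 15 Jan 2024 09:30:58 +0000
Received: from [10.0.0.12] (helo=workstation-07)
\tby outbound.example.net with ESMTPA id xyz789;
\tMon, 15 Jan 2024 09:30:55 +0000
X-Mailer: Microsoft Outlook 16.0
From: Jane Doe <jane.doe@example.net>
To: ops@example.com
Subject: Invoice attached

(body omitted)
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOP = re.compile(
    r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)(?:\s+with\s+(\S+))?", re.I
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses, the usual sign of an internal sender."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_received_chain(raw_message: str) -> list:
    """Return the Received hops in delivery order (origin first).

    Each hop records the host the relay claims to have received from, the
    address the relay actually saw, the receiving relay and the transport
    keyword (ESMTPA marks an authenticated submission).
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        claimed, _extra, receiver, transport = m.groups()
        seen_ips = IPV4.findall(flat[: m.start(3)])  # only the 'from ...' part
        hops.append({
            "claimed_from": claimed,
            "ip": seen_ips[0] if seen_ips else None,
            "by": receiver,
            "with": (transport or "").rstrip(";"),
        })
    return hops


def summarize(raw_message: str) -> dict:
    """Condense the header chain into the facts a triage analyst wants first."""
    msg = message_from_string(raw_message)
    hops = parse_received_chain(raw_message)
    origin_ip = hops[0]["ip"] if hops else None
    external = [h["ip"] for h in hops if h["ip"] and not is_internal(h["ip"])]
    return {
        "hops": len(hops),
        "origin_ip": origin_ip,
        "origin_is_private": bool(origin_ip) and is_internal(origin_ip),
        "first_external_ip": external[0] if external else None,
        "authenticated_submission": any(h["with"].upper() == "ESMTPA" for h in hops),
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_MESSAGE):
        print(hop)
    print(summarize(SAMPLE_MESSAGE))
```

Only the Received line written by your own relay is trustworthy; every earlier hop was supplied by whoever handed the message over, which is why the summary separates the claimed hostname from the address the relay actually saw.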
7. Geolocation Data
IP Geolocation: Using IP geolocation services to determine the geographical location of the target's IP addresses.
Image Geolocation: Analyzing geolocation data from images associated with the target, which can sometimes be found in metadata.
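Added example (not from the page): a minimal Exif GPS reader in Python, using only `struct`, that shows where the coordinates mentioned above live inside image metadata (the GPS sub-IFD of the TIFF structure in a JPEG's APP1 segment) and gives a check a team can run on images before publishing them. The blob builder exists only to produce constructed test data so the block runs offline; a real image would be read from its APP1 segment, and the coordinates used here are a well-known public landmark rather than any person's location.

```python
import struct

GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_exif_with_gps(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Construct a minimal little-endian Exif blob carrying only GPS tags.

    Test-data builder only. Offsets relative to the TIFF header: header
    0..7, IFD0 8..25, GPS IFD 26..79, RATIONAL data from 80.
    """
    gps_ifd_off = 26
    data_off = gps_ifd_off + 2 + 4 * 12 + 4  # 80

    def rationals(dms):
        return b"".join(struct.pack("<II", n, d) for n, d in dms)

    def ascii4(s):  # short ASCII values are stored inline in the 4-byte field
        return (s + "\0").encode("ascii").ljust(4, b"\0")

    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_off)  # LONG
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI4s", GPS_LAT_REF, 2, 2, ascii4(lat_ref))  # ASCII
           + struct.pack("<HHII", GPS_LAT, 5, 3, data_off)              # RATIONAL x3
           + struct.pack("<HHI4s", GPS_LON_REF, 2, 2, ascii4(lon_ref))
           + struct.pack("<HHII", GPS_LON, 5, 3, data_off + 24)
           + struct.pack("<I", 0))
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    return b"Exif\0\0" + tiff


# Constructed samples: 51 deg 30' 26" N, 0 deg 7' 39" W, and a blob with no GPS IFD.
SAMPLE_EXIF = build_exif_with_gps([(51, 1), (30, 1), (26, 1)], "N",
                                  [(0, 1), (7, 1), (39, 1)], "W")
EMPTY_EXIF = b"Exif\0\0II*\0" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)


def extract_gps(exif: bytes):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS IFD."""
    if not exif.startswith(b"Exif\0\0"):
        raise ValueError("not an Exif segment")
    t = exif[6:]
    end = "<" if t[:2] == b"II" else ">"  # byte order mark: II little, MM big

    def read_ifd(off):
        (n,) = struct.unpack_from(end + "H", t, off)
        entries = {}
        for i in range(n):
            e = off + 2 + 12 * i
            tag, _typ, _count = struct.unpack_from(end + "HHI", t, e)
            entries[tag] = t[e + 8:e + 12]  # 4-byte value-or-offset field
        return entries

    (ifd0_off,) = struct.unpack_from(end + "I", t, 4)
    ifd0 = read_ifd(ifd0_off)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(end + "I", ifd0[GPS_IFD_POINTER])
    gps = read_ifd(gps_off)

    def ref(tag):
        return gps[tag].split(b"\0", 1)[0].decode("ascii")

    def degrees(tag):
        (off,) = struct.unpack(end + "I", gps[tag])
        d, m, s = (n / den for n, den in struct.iter_unpack(end + "II", t[off:off + 24]))
        return d + m / 60 + s / 3600

    lat = degrees(GPS_LAT) * (-1 if ref(GPS_LAT_REF) == "S" else 1)
    lon = degrees(GPS_LON) * (-1 if ref(GPS_LON_REF) == "W" else 1)
    return lat, lon


if __name__ == "__main__":
    print(extract_gps(SAMPLE_EXIF))
    print(extract_gps(EMPTY_EXIF))
```

Stripping the GPS sub-IFD (or the whole APP1 segment) before publication removes this leak; the reader above doubles as a regression check that the scrubbing step actually worked.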
During passive reconnaissance, it's critical to avoid direct interaction with the target system to prevent detection and remain within legal boundaries. This phase sets the stage for the active reconnaissance phase, where direct interaction with the target's systems and networks begins.