Post

Recon 101 - Beginner

Covers both passive and active reconnaissance techniques, providing a comprehensive guide for collecting information about the target organization.

Posted Updated
By beardenx
1 min read
Recon 101 - Beginner

Target Information:

  • Company Name
  • Domain
  • IP Range

1. Passive Reconnaissance

Open Source Intelligence (OSINT):

  • Tools : Netlas, Shodan, Censys, Maltego, theHarvester, Recon-ng
  • Techniques
    • Google Dorking: Use advanced search operators to find sensitive information.
    • Social Media Analysis: Gather information from LinkedIn, Twitter, and Facebook.
    • Public Databases: Search for information in public databases such as EDGAR, public records, and industry databases.

DNS Reconnaissance:

  • Tools : DNSdumpster, Fierce, DNSRecon, Sublist3r, Amass, Subfinder
  • Techniques
    • Domain and Subdomain Enumeration: Identify all domains and subdomains associated with the target.
    • WHOIS Lookup: Obtain registration information for the target’s domain.

Website Analysis:

  • Tools : Wappalyzer, Builtwith, WhatWeb, Burpsuite
  • Techniques
    • Identify Web Technologies: Determine the technologies used by the target’s website (e.g., CMS, frameworks).
    • Sitemap Analysis: Review the sitemap to understand the website structure.
    • Analyze robots.txt: Identify areas of the website that the target does not want to be indexed by search engines.

Network Reconnaissance:

  • Tools : Shodan, Censys
  • Techniques
    • Open Ports and Services: Identify open ports and services running on the target’s network.
    • Network Range Identification: Determine the range of IP addresses used by the target.

2. Active Reconnaissance

Network Scanning:

  • Tools : Nmap, Masscan, Angry IP Scanner
  • Techniques
    • IP Range Scanning: Scan IP addresses in any range and their ports
    • Port Scanning: Identify open ports on the target’s systems.
    • Service Version Detection: Determine the versions of services running on open ports.
    • OS Fingerprinting: Identify the operating systems running on target systems.

Vulnerability Scanning:

  • Tools : Nessus, OpenVAS, Nexpose
  • Techniques
    • Automated Vulnerability Scanning: Use tools to scan for known vulnerabilities.
    • Manual Verification: Verify findings from automated scans manually.

Social Engineering:

  • Techniques
    • Phishing Emails: Send phishing emails to gather credentials or deliver payloads.
    • Pretext Calls: Call employees under a pretext to gather information.
    • Physical Reconnaissance: Visit the target’s physical location to gather information.

Wireless Reconnaissance:

  • Techniques
    • Identify Wireless Networks: Detect wireless networks in the vicinity of the target.
    • Capture and Analyze Traffic: Capture wireless traffic for analysis.
Red Team, Reconnaissance
Recon Red Team
This post is licensed under CC BY 4.0 by the author.