Active VS Passive Reconnaissance



Like many other cybersecurity terms, "reconnaissance" is borrowed from military jargon: a mission whose goal is to gather information from enemy territory before committing forces. In the security world the same activity also goes by the name footprinting.

So, what role does Recon play on this side of the wall?

Imagine you have been engaged to ethically hack a company's website and find its vulnerabilities. Before you touch anything, you need to understand what you are up against. That is what recon is: the opening move of any professional penetration test, the phase in which the weak points of the target are identified.

Just like a military strategist, an ethical hacker must devote ample effort to recon in order to find gaps in the target's defences. The more information you gather, the more likely you are to succeed in the later stages of the penetration test. The information an ethical hacker aims to collect during the recon phase falls into three groups:

Network information: IP addresses, subnet masks, network topology, domain names
Host information: user and group names, architecture type, OS platform
Security policies: password complexity requirements, physical security, firewalls, IDS

There are two main types of reconnaissance: passive and active.

Passive reconnaissance is the basic level, where we collect information about the intended target without the target knowing that anything is happening. It is highly unlikely that the target would ever see your IP address, because the data comes from search engines, public records and third-party indexes rather than from the target's own systems. Where you already sit on a network segment the target uses, a packet sniffer such as Wireshark can capture its traffic without sending a single packet to it. Another example is Shodan, a search engine for internet-connected devices. As IoT grows, companies are increasingly connecting insecure devices to the internet, and with Shodan an ethical hacker may be able to find devices within the IP address range belonging to an organisation, together with the services and banners Shodan already recorded for them. Offline examples include eavesdropping on employee conversations and going through discarded paperwork (dumpster diving) to find sensitive information.
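Two typical passive sources are certificate transparency logs (which list every hostname an organisation has obtained a certificate for) and Shodan's stored scan records. The following is an added example, not code from the original article: it consumes constructed records shaped like a crt.sh JSON response and like Shodan host records, and reduces them to in-scope hostnames and exposed services without ever sending a packet to the target. The records, the `example.com` scope and the `203.0.113.0/24` netblock are all assumptions made up for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample mimicking the shape of a crt.sh JSON response (one record per
# certificate; `name_value` carries newline-separated subject names). Not real data.
CT_LOG_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.dev.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", "name_value": "EXAMPLE.COM."},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com.attacker.test"},
])

# Constructed sample mimicking Shodan host/banner records (ip_str, port, product). Not real data.
SHODAN_SAMPLE = [
    {"ip_str": "203.0.113.10", "port": 22, "product": "OpenSSH", "hostnames": ["bastion.example.com"]},
    {"ip_str": "203.0.113.25", "port": 8080, "product": "Jetty", "hostnames": []},
    {"ip_str": "198.51.100.7", "port": 443, "product": "nginx", "hostnames": ["cdn.example.net"]},
]


def hostnames_from_ct(raw_json, scope_domain):
    """Return unique in-scope hostnames from a crt.sh-style response.

    Normalises case and trailing dots, collapses wildcard entries to the zone
    they reveal, and drops look-alike names that merely *contain* the scope
    domain (example.com.attacker.test is not in scope).
    """
    scope = scope_domain.lower().rstrip(".")
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == scope or name.endswith("." + scope):
                found.add(name)
    return sorted(found)


def exposed_services_in_netblock(records, cidr):
    """Keep only Shodan-style records whose IP falls inside the organisation's netblock."""
    net = ip_network(cidr)
    hits = [(r["ip_str"], r["port"], r.get("product", ""))
            for r in records if ip_address(r["ip_str"]) in net]
    return sorted(hits)


if __name__ == "__main__":
    print(hostnames_from_ct(CT_LOG_SAMPLE, "example.com"))
    print(exposed_services_in_netblock(SHODAN_SAMPLE, "203.0.113.0/24"))
```

The scope check is the part worth copying: matching on `endswith(".example.com")` rather than a substring test is what keeps typosquatted or look-alike names out of the target list, and the output of this stage is exactly the host list the active phase will later probe.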

Active reconnaissance is where we interact directly with the target in order to gather system-specific information about it. Unlike passive reconnaissance, which relies only on publicly available information, active recon sends requests to the target machine and observes the responses. It is used to discover open and closed ports, the OS platform, running services, service banners and vulnerable applications on the machine. The most commonly used active information-gathering tool is Nmap, an open-source network mapper and port scanner. From the port-scan results the ethical hacker infers which services are reachable and where an attack may be possible. The price of this precision is visibility: every probe reaches the target's systems and can be logged or alerted on.
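The simplest form of active recon is a TCP connect scan followed by a banner grab, which is what Nmap does for you with `-sT` and `-sV`. The block below is an added example, not code from the original article or from Nmap: it starts throwaway listeners on 127.0.0.1 as stand-ins for a remote host (the `SSH-2.0-OpenSSH_9.6` banner is made up), then probes them the way a scanner would and classifies each port with Nmap's vocabulary of open, closed and filtered.

```python
import socket
import threading


def serve_banner(banner):
    """Start a throwaway listener on 127.0.0.1 that sends `banner` to each client
    and hangs up. Stand-in for a remote host so the example runs offline; returns
    the port it bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return port


def free_port():
    """Pick a local port with nothing listening on it, to show a 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=1.0):
    """TCP connect scan of one port, then read whatever the service volunteers.

    Returns (state, banner). State follows Nmap's vocabulary: 'open' (handshake
    completed), 'closed' (connection refused, i.e. an RST came back) or
    'filtered' (no reply at all, typically a firewall dropping the SYN).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                # Open, but the service expects the client to speak first (e.g. HTTP).
                data = b""
            return "open", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "closed", ""
    except socket.timeout:
        return "filtered", ""
    except OSError:
        return "error", ""


def scan(host, ports):
    """Map each port to its (state, banner) pair."""
    return {port: probe(host, port) for port in ports}


if __name__ == "__main__":
    ssh = serve_banner(b"SSH-2.0-OpenSSH_9.6\r\n")  # constructed banner, not a real host
    quiet = serve_banner(b"")                         # open but says nothing
    closed = free_port()
    for port, (state, banner) in scan("127.0.0.1", [ssh, quiet, closed]).items():
        print(f"{port:>5}/tcp {state:<8} {banner}")
```

Note the three distinct outcomes a single port can give: a banner, an open socket that stays silent until you send the first request, and a refusal. A silent open port is why real scanners send protocol-specific probes after connecting; and every one of these connections lands in the target's logs, which is the risk the next paragraph is about.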

Each approach has its pros and cons. Active recon is riskier from the ethical hacker's perspective, because every probe reaches the target and can be logged or trip an IDS, but the information it yields is current and precise. Passive recon carries far less risk, but its data may be stale or incomplete and collecting it can be time-consuming. Because of the risk factor, ethical hackers generally exhaust passive sources before moving on to active reconnaissance.

By collecting these pieces of information from every available source, the ethical hacker gradually builds up a picture of the entire network: its hosts, services, ports and the applications running inside the environment.

URL Abuse is a versatile free web interface for your Reconnaissance purposes. It can gather both active and passive open data on DNS infrastructure.

Adding a URL abuse report — Passive Information

Adding an active URL scan — Active Information

URL Abuse has launched its Bug bounty program on Bug Zero! Anyone who participates in the challenge can enjoy many benefits:
Cash prizes
Certificates and
Cool swags!

If you’re ready to file your “nice catch”: Check out the URL Abuse Bug Bounty Program. Don’t miss this opportunity!

Go to https://bugzero.io/webtelescope_ and join now

Bug Zero is a bug bounty, crowdsourcing platform for security testing. The platform is the intermediary that enables client organizations to publish their service endpoints so that bug hunters (security researchers / ethical hackers) registered on the platform can start testing the endpoints without any upfront charge. Bug hunters can start testing as soon as a client organization publishes a new program. Bug Zero also offers private bug bounty programs for organizations with high security requirements.

Bug Zero is available for both hackers and organizations.

For organizations and hackers, register with Bug Zero for free, and let’s make cyberspace safe.
