BIA PROJ

The document provides an overview of reconnaissance in cybersecurity, detailing active and passive methods used to gather information about a target system. It discusses various tools for both types of reconnaissance, such as Nmap, Nikto, and OSINT tools, as well as protection strategies against reconnaissance activities. The content emphasizes the importance of reconnaissance in ethical hacking and penetration testing as a foundational step in the cyber kill chain.

Uploaded by mroset2024

Reconnaissance (Information Gathering)

Name: Maria Rose Thayil
Batch: SVNG-MAR2024

CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material
is prohibited and subject to legal action under breach of IP and confidentiality clauses.
Agenda

Abstract
Reconnaissance
Active reconnaissance tools and methods
Passive reconnaissance tools and methods

Reconnaissance
• Refers to a set of processes and techniques, such as scanning and enumeration, used to covertly gather location information and as much confidential information as possible about a target.
• In cyber security, it refers to the process of gathering information about a system. The information gathered is then used to plan the cyber attack.
• Commonly done in ethical hacking and penetration testing. It is the first step in the planning phase of the cyber kill chain.
• There are 2 types of reconnaissance:
• Active reconnaissance: scanning and probing the target system for weaknesses.
• Passive reconnaissance: collecting publicly available data.
Passive Reconnaissance
• Reconnaissance conducted without direct interaction with the target.
• Reduced risk of detection, as no direct attacking is involved.
• Collects publicly available data.
• Passive reconnaissance also includes non-digital forms of snooping.
• Involves tools like:
• Google dorks
• Open source intelligence (OSINT)
• Packet sniffing
• Shodan searches
• WHOIS data
Active Reconnaissance
• Collecting information through direct interaction with the target.
• Active reconnaissance has a higher risk of detection because of the noise it generates, but faster and more accurate information is obtained.
• It involves using various tools like:
• Nmap
• Traceroute, port scanning
• Manual testing
• Automated scanning
• Netcat and so on

Tools used in Active Reconnaissance
1. NMAP
• Network Mapper is an open source Linux command line tool used to scan IP addresses and ports.
• It finds which devices are running on the network, discovers open ports and services, and detects vulnerabilities.
FUNCTIONALITIES AND OUTCOMES
• Quickly maps out and recognizes devices in the network using simple commands.
• Identifies running services, vulnerabilities and detailed information about the operating system.
• Can scan multiple ports at the same time.
• Develops visual mappings of the network using Zenmap.

In the above example nmap was run against youtube.com, and we can see that it has 2 open ports.
Similarly, nmap has target specification, host discovery, port specification, OS detection, service/version detection scans and many more.
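The slides describe nmap as a way to discover open ports and services; a defender running it against their own network then needs to turn the scan output into an inventory and compare it with what should be exposed. The following is an added example, not code from the original slides or from the nmap project: it parses nmap's grepable (`-oG`) output format and flags services that an assumed policy (the `RISKY_SERVICES` set, an assumption of this example) does not want reachable. The sample scan text is constructed by hand in the `-oG` line format and is not a real scan result.

```python
"""Summarize open ports from nmap grepable (-oG) output.

Added example for this section; it is not code from the original slides.
The sample output below is constructed by hand in the -oG line format and
is not a real scan result; RISKY_SERVICES is an assumed example policy,
not an nmap feature.
"""
from collections import defaultdict

# Constructed sample of `nmap -sV -oG -` output (not a real scan).
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/30\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9//, "
    "80/open/tcp//http//nginx 1.18//, 443/open/tcp//http//nginx 1.18//"
    "\tIgnored State: closed (997)\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    "Host: 192.0.2.2 ()\tPorts: 23/open/tcp//telnet///, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

# Services a defender usually does not want reachable from outside (assumed policy).
RISKY_SERVICES = {"telnet", "ftp", "ms-wbt-server", "microsoft-ds", "netbios-ssn"}


def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only.

    Each -oG port entry has the form
    port/state/protocol/owner/service/rpcinfo/version/ and entries are
    separated by ", ".
    """
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip it rather than crash
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state == "open":
                inventory[host].append((int(port), proto, service, version.strip()))
    return dict(inventory)


def flag_risky(inventory, risky=RISKY_SERVICES):
    """List (host, port, service) tuples whose service is in the risky set."""
    return [
        (host, port, service)
        for host, ports in inventory.items()
        for port, _proto, service, _version in ports
        if service in risky
    ]


if __name__ == "__main__":
    inv = parse_grepable(SAMPLE_GREPABLE)
    for host, ports in inv.items():
        print(host, ports)
    print("risky exposures:", flag_risky(inv))
```

Only entries whose state is `open` are kept, so the filtered 3389 on the second host does not appear in the inventory; the telnet service on port 23 is reported because it is in the assumed risky set.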

2. Nikto
• Nikto is an open source web server scanner.
• It performs vulnerability scanning against web servers for dangerous files and programs.
• Checks for outdated web server versions and server configuration errors.
• Nikto can be used to find SQL injection and XSS, and can even identify installed software.

3. Metasploit
• Metasploit is a penetration testing framework that helps in finding and exploiting vulnerabilities in systems.
• It is frequently updated with new exploits for vulnerabilities published in CVE (Common Vulnerabilities and Exposures).
• Also used as a development platform that allows security tools and exploits to be created.
• In the reconnaissance phase Metasploit integrates with tools like Nmap, SNMP scanning and Nessus to find vulnerabilities.
• Provides a clean exit and persistent access to the target system.
Here nmap is run inside the Metasploit tool. The image shows the nmap output for scanme.nmap.org.

4. Angry IP Scanner
• Scans for IP addresses and open ports.
• It is a GUI based IP address scanner.
• Scans IP addresses to find live hosts and critical information about them.
• Java is an important requirement.
• A network scanner that is an alternative to Nmap.
• Scan types include UDP scans, TCP scans and ping scans.

The image shows the scan result for port number 80 over the IP range 10.0.2.0 to 10.0.2.255, displaying only alive hosts, in the Angry IP Scanner tool.

5. OSINT Reconnaissance
• Open source intelligence reconnaissance involves using publicly available resources to collect information.
• OSINT tools are also used in passive reconnaissance.
• Some of the OSINT tools include:
• Shodan.io and Censys.io: search engines that provide reports on devices that are accessible from the internet.
• Reversewhois.io: locates all domains owned by an individual or company by searching on names or email addresses.
• Dnsdumpster.com: finds hosts related to a domain.
• VirusTotal: analyzes suspicious files, URLs and hashes.

Interface of Shodan.io and DNSdumpster.

Interface of VirusTotal and reverse WHOIS lookup.

6. Social Engineering
• Social engineering involves directly interacting with the target in various ways.
• While OSINT uses publicly available information, social engineering relies on psychological persuasion of the target, or of people near the target company or person.
• Types of social engineering attacks include:
• Phishing: impersonating a legitimate source to gain information.
• Tailgating ("piggybacking"): gaining access by following authorized personnel in, using scams and false alarms.

Tools used in Passive Reconnaissance

1. Wireshark
• A network traffic analyzer and packet sniffer.
• Gives in-depth information about each packet on your network.
• Filters in Wireshark help narrow down the data; there are capture filters and display filters.
• Identifies security threats and malicious activity on a network.
• Exports data to XML and CSV files.

Wireshark capturing packets from a Wi-Fi network.

2. Netcraft
• It is a comprehensive tool to identify phishing or legitimate sites.
• Scans and identifies malicious websites as well as fraudulent domains, social media profiles, email and more.
• Generates a report for the same.
• The image shows a report from Netcraft for the website scanme.nmap.org.

3. theHarvester
• A command line tool in Kali Linux that uses a variety of search engines to find email accounts, subdomain names, virtual hosts and open ports from different public sources.
• The public sources include search engines, PGP key servers and the Shodan computer database.

theHarvester showing results after searching for gmail.com using the DuckDuckGo search engine.

4. SpiderFoot
• SpiderFoot is an open-source intelligence automation tool widely used for gathering and analyzing information about a target: a domain, IP address or person.
• Also used offensively as part of black-box testing.
• The image shows SpiderFoot running a command to scan the IP 192.0.2.1.

5. Recon-ng
• A free and open source tool that can be used for gathering information and assessing the vulnerability of web applications.
• Recon-ng in the command line speeds up the recon process, as it automates gathering information from open sources. Its interface is similar to Metasploit.
• It has a variety of options to configure, perform recon and output results into different report types.

6. Maltego
• A link analysis tool used to gather, analyze and visualize publicly available information, uncovering relationships and patterns between entities like domains, IP addresses and more.
• Maltego enables graphical link analysis, which is used for real time data mining.
• It also represents information in a node based graph, making patterns and multiple connections between pieces of information easy to identify.
Interface of the Maltego tool.
Protection Against Reconnaissance
1. Cyber Deception Technology: make the system appear more vulnerable than it is by using decoys such as honeypots, mimicking and repacking. The attacker attacks the decoys thinking they are the actual system, which gives us alarms and ways to prevent the real attack from happening.
2. Deploy Vulnerability Scanning Tools: scan software to find weaknesses and vulnerabilities in systems.
3. Intrusion Detection Systems & Intrusion Prevention Systems: using detection and prevention together is more effective in stopping threats.
4. Monitor Network & Traffic Logs: look for odd signals in traffic and network logs to identify potential reconnaissance against the system.
5. Configure Firewalls: so that they can detect activity that could indicate packet sniffing, port scanning and so on. Ensure that the rules do not leave gaps for attackers to exploit.
6. Perform Initial Reconnaissance: conducting reconnaissance against one's own systems is a great way to protect them.
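Item 4 says to look for odd signals in network logs that indicate reconnaissance; the most common such signal is a single source touching many ports on one host (a vertical scan) or one port on many hosts (a horizontal scan) within a short time. The following is an added example, not code from the original slides: it parses iptables-style firewall drop lines and raises an alert when either pattern crosses a threshold inside a sliding time window. The log lines are constructed in this example (the `_line` helper, the addresses and the timestamps are all made up), and the window and thresholds are assumed starting values to be tuned for a real network.

```python
"""Flag port-scan-like activity in firewall connection logs.

Added example for the "Monitor Network & Traffic Logs" item; it is not
code from the original slides. The log lines below are constructed in an
iptables-style key=value format, and the thresholds and window are
assumed starting values to be tuned for a real network.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches only the fields this example needs from an iptables-style log line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def _line(ts, src, dst, dpt):
    """Build one constructed log line (helper for the sample data only)."""
    return f"{ts} fw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO=TCP DPT={dpt} SYN"


# Constructed sample log: one vertical scan, one horizontal scan, one benign client.
SAMPLE_LOG = (
    # 198.51.100.7 probes ten different ports on one host within a few seconds
    [_line(f"2024-03-10T10:00:{i:02d}", "198.51.100.7", "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 3389])]
    # 203.0.113.5 probes port 445 on five different hosts
    + [_line(f"2024-03-10T10:05:{i:02d}", "203.0.113.5", f"192.0.2.{i + 1}", 445)
       for i in range(5)]
    # a normal client talking to the web server a few times
    + [_line(f"2024-03-10T10:10:{i * 10:02d}", "192.0.2.50", "192.0.2.10", 443)
       for i in range(3)]
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, window=timedelta(seconds=60),
                 vertical_threshold=10, horizontal_threshold=5):
    """Return alerts for sources that, within `window`, touch many ports on one
    host (vertical scan) or one port on many hosts (horizontal scan)."""
    by_src = defaultdict(list)
    for parsed in map(parse_line, lines):
        if parsed:
            ts, src, dst, dpt = parsed
            by_src[src].append((ts, dst, dpt))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        reported = set()  # alert once per (kind, target) for each source
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for _, dst, dpt in in_window:
                ports_per_dst[dst].add(dpt)
                dsts_per_port[dpt].add(dst)
            for dst, ports in ports_per_dst.items():
                if len(ports) >= vertical_threshold and ("vertical", dst) not in reported:
                    reported.add(("vertical", dst))
                    alerts.append({"src": src, "kind": "vertical", "target": dst,
                                   "count": len(ports), "start": t0})
            for dpt, dsts in dsts_per_port.items():
                if len(dsts) >= horizontal_threshold and ("horizontal", dpt) not in reported:
                    reported.add(("horizontal", dpt))
                    alerts.append({"src": src, "kind": "horizontal", "target": dpt,
                                   "count": len(dsts), "start": t0})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The benign client never trips either rule because it touches one port on one host, while the two scanning sources each produce exactly one alert. In a real deployment the thresholds should be set from a baseline of normal traffic, and the rule is best paired with the firewall logging from item 5 so that dropped connection attempts actually reach the log.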

Questions ?

Thank You!
