Reconnaissance is the process of gathering information about a target system or network before launching an attack. It is a crucial step in any penetration testing process, as it helps to identify the target’s vulnerabilities, weaknesses, and potential entry points. Reconnaissance can be performed in two ways: passively or actively.
Passive reconnaissance involves collecting information from publicly available sources, such as websites, social media, search engines, or domain name servers. Passive reconnaissance does not involve directly interacting with the target system, so it is less likely to be detected by security measures. However, passive reconnaissance may not provide enough information to plan an effective attack strategy.
Active reconnaissance involves directly probing the target system or network to discover more information, such as open ports, services, operating systems, applications, user accounts, or network topology. Active reconnaissance can provide more detailed and accurate information than passive reconnaissance, but it also carries a higher risk of being detected by security measures or alerting the target.
Some of the tools and techniques used for passive and active reconnaissance are:
- WHOIS: A tool that queries domain name registries to obtain information about domain owners, registrars, nameservers, expiration dates, etc.
- DIG: The dig command is utilized for collecting DNS information. The term “dig” is short for “Domain Information Groper,” and this tool is specifically designed for retrieving data about Domain Name Servers.
- Shodan: A search engine that indexes devices connected to the Internet, such as webcams, routers, servers, etc.
- Nmap: A tool that scans networks and hosts to identify open ports, services, operating systems, versions, etc.
- Project Discovery: An open source software company that builds top notch tools that ca be used for finding vulnerabilities in your tech stack.
Threat groups and how they use reconnaissance:
- TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.
- The usual modus operandi of the group entails using their scanner to gather a roster of targets (such as IP addresses), which they subsequently scan for security vulnerabilities and misconfigurations. This includes unsecured Redis instances, susceptible internet-of-things (IoT) gadgets, exposed Docker APIs, leaked credentials, and devices accessible through Secure Shell (SSH). 
- APT28 aka Pawn Storm has performed large-scale scans in an attempt to find vulnerable servers.
- Throughout 2019, Pawn Storm carried out daily investigations on numerous email servers and Microsoft Exchange Autodiscover servers worldwide. The group utilized various Transmission Control Protocol (TCP) ports associated with email and probed most frequently on TCP port 443, which is utilized by webmail and Microsoft Exchange Autodiscover services. Additionally, the Internet Message Access Protocol (IMAP) [143, 993], the Post Office Protocol 3 (POP3) [110, 995], and the Simple Mail Transfer Protocol (SMTP) [465, 587] were also examined. The motive behind these actions appeared to be the search for vulnerable systems, brute-forcing credentials, exfiltrating email data, and launching spam attacks.
Reconnaissance is an essential skill for any penetration tester. It can help you to:
- Understand your target’s environment and security posture
- Identify potential attack vectors and vulnerabilities
- Plan an effective and efficient attack strategy
- Avoid unnecessary noise and detection
- Improve your chances of success
In summary to conduct effective reconnaissance, you should:
- Use a combination of passive and active methods
- Use multiple sources and tools to cross-check and verify your findings
- Document your findings and organize them in a logical way
- Update your findings as you discover new information or changes
- Respect your target’s scope and boundaries