For the purposes of this talk, digital reconnaissance is the act of gathering data on the target of a security review. Performing reconnaissance on a person or company can reveal many avenues of attack. Conversely, doing reconnaissance on yourself or your own company can help you determine what information you need to secure.
BackTrack, an operating system based on the Debian GNU/Linux distribution aimed at digital forensics and penetration testing, comes packed with many reconnaissance tools. These tools can be used to gather data from the Internet about employees or company resources. They can also gather data from resources made available by the target. All of this information can be used to find a target’s weakest point. A knowledgeable attacker can piece together many disparate sets of information into a targeted attack against company infrastructure.
We will be discussing passive and active reconnaissance and using tools to do everything from grabbing email addresses from websites and harvesting information from Twitter to in-depth analysis of the specific types of hardware the company is using. Passive reconnaissance involves obtaining data without directly interacting with the company or its infrastructure. Active reconnaissance involves directly obtaining information from the company’s website or servers.
Some of the open source tools we will be using are:
Netcraft – Netcraft, an Internet monitoring company from England, can be used to indirectly find out information about web servers on the Internet, including the underlying operating system, web server version, uptime graphs, and so forth. It can also be useful for finding additional domains or subdomains that might belong to the target.
theHarvester – A program that gathers emails, subdomains, hosts, employee names, open ports, and banners from public sources such as search engines, PGP key servers, and websites.
Nmap – Nmap is a comprehensive port scanner. Its primary use is to investigate public-facing servers for open ports. It can also identify operating systems and software versions, and it offers some vulnerability-scanning options.
There will be several other tools mentioned and discussed.
Knowing and using these tools enables a person or company to better understand information available to attackers. A person or company could then remove or secure information based on their own findings, before someone with malicious intent has a chance to use it.
Jake Meredith is an Associate Security Engineer at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Jake has specialized in web and network technologies.