Taxonomy of Reconnaissance 🐙

Reconnaissance (recon) can be classified into two parts:

1. Passive Recon: can be carried out by watching passively
2. Active Recon: requires interacting with the target to provoke it in order to observe its response.

Passive recon doesn’t require interacting with the target. In other words, you aren’t sending any packets or requests to the target or the systems your target owns. Instead, passive recon relies on publicly available information that is collected and maintained by a third party. Open Source Intelligence (OSINT) is used to collect information about the target and can be as simple as viewing a target’s publicly available social media profile. Example information that we might collect includes domain names, IP address blocks, email addresses, employee names, and job posts. In the upcoming task, we’ll see how to query DNS records and expand on the topics from the Passive Reconnaissance room and introduce advanced tooling to aid in your recon.

Active recon requires interacting with the target by sending requests and packets and observing if and how it responds. The responses collected - or lack of responses - would enable us to expand on the picture we started developing using passive recon. An example of active reconnaissance is using Nmap to scan target subnets and live hosts. Other examples can be found in the Active Reconnaissance room. Some information that we would want to discover include live hosts, running servers, listening services, and version numbers.

Active recon can be classified as:

1. External Recon: Conducted outside the target’s network and focuses on the externally facing assets assessable from the Internet. One example is running Nikto from outside the company network.
2. Internal Recon: Conducted from within the target company’s network. In other words, the pentester or red teamer might be physically located inside the company building. In this scenario, they might be using an exploited host on the target’s network. An example would be using Nessus to scan the internal network using one of the target’s computers.