Reconnaissance - secuguru/security-terms GitHub Wiki

In the attack structure, reconnaissance is the initial stage where attackers gather information about a target to plan their approach. This stage is crucial, as it helps attackers understand the target’s systems, personnel, and potential vulnerabilities without directly interacting with the systems. Here’s a closer look at reconnaissance and some specific methods like OSINT, Google dorking, and Shodan.

1. Reconnaissance

  • Definition: Reconnaissance (or “recon”) is the preparatory phase where attackers collect information about a target to identify potential entry points and weaknesses. This stage involves passive data collection to avoid detection.
  • Purpose: By gathering publicly accessible information, attackers can create a detailed profile of the target without triggering security alerts.

2. OSINT (Open-Source Intelligence)

  • Definition: OSINT is the process of gathering intelligence from publicly available sources, such as websites, social media, news articles, government databases, and forums.
  • Sources Used in OSINT:
    • Social Media: Profiles and posts can reveal personal details, professional roles, schedules, and potential weak links (e.g., employees, contractors).
    • Company Websites: Public-facing pages often include staff directories, email formats, and sometimes information about software and hardware used.
    • News Articles and Press Releases: These may disclose recent changes, acquisitions, or new software that could have vulnerabilities.
  • Relevance in Reconnaissance: OSINT is highly effective in building a comprehensive understanding of the target without direct interaction, minimizing the chance of detection.

3. Google Dorking

  • Definition: Google dorking, or Google hacking, involves using advanced search operators to find specific information through Google that isn’t easily accessible through standard searches.
  • How It Works: Attackers use search queries with specific operators like filetype:, site:, or inurl: to uncover sensitive files, exposed databases, login portals, and other potentially sensitive information.
    • Example Queries:
      • filetype:xls site:example.com – Finds Excel files on a specific domain.
      • inurl:admin – Searches for URLs with “admin,” often exposing admin pages.
  • Forensics and Security Implications: Google dorking can reveal misconfigured servers, exposed files, and unsecured databases, often giving attackers an easy entry point.

4. Shodan

  • Definition: Shodan is a search engine specifically designed to scan and index devices connected to the internet, such as servers, webcams, routers, and IoT devices.
  • Purpose: Shodan provides detailed information on devices’ open ports, protocols, and configurations, which can help attackers identify vulnerable systems.
  • Usage in Reconnaissance:
    • Finding Vulnerable Devices: Attackers can filter results to find devices with open ports or default credentials, as well as industrial control systems or IoT devices that may lack proper security.
    • Scanning Specific IP Ranges: Shodan allows searches by IP, providing details about publicly exposed devices within a specific network range.
  • Security Concerns: Shodan is a valuable resource for attackers to quickly locate exposed and potentially exploitable devices, making it critical for organizations to secure internet-facing systems.

Summary

  • Reconnaissance gathers crucial data about a target using publicly accessible tools and methods.
  • OSINT leverages publicly available information to create a profile of the target without direct system access.
  • Google Dorking utilizes advanced search operators to locate sensitive information online, such as exposed files or administrative pages.
  • Shodan is a search engine that catalogs internet-connected devices, making it easy for attackers to find vulnerable systems.

By understanding these tools and techniques, security teams can better anticipate potential vulnerabilities and improve their defenses against reconnaissance efforts.