Reconnaissance Phases
Passive Reconnaissance
In the passive phase the aim is to harvest information from publicly available sources without sending a single packet to the target's own systems: company websites, public records and registries, certificate transparency logs, job postings and social media profiles. Because nothing touches the target it cannot trip their monitoring, which is why this stage precedes any active work and is used to map the attack surface inside the agreed scope. The usual deliverable is a list of employee names, e-mail addresses and UPNs, plus any passwords for those accounts that turn up in previous public breach dumps.
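One concrete piece of that deliverable is turning harvested names into candidate UPNs. The script below is an added example, not code from the original page: it infers the organisation's username convention from a couple of addresses already confirmed in a breach dump, then applies that convention to every other name. The names, the domain example.com and the "confirmed" addresses are all constructed.

```python
"""Build a candidate UPN / e-mail list from names harvested passively.

Added example, not code from the original page. The names, the domain
example.com and the two "confirmed" addresses are constructed; in practice
the names come from public sources (team pages, social media, press
releases) and the confirmed addresses from previous public breach dumps.
"""
import re
import unicodedata

# Common corporate username conventions; f = first name, l = last name (lowercase ASCII).
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}
TITLES = {"dr", "mr", "mrs", "ms", "prof"}   # honorifics that are not part of the username

def normalise(name):
    """'Dr. José Ñúñez' -> ('jose', 'nunez'); None if fewer than two usable tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [re.sub(r"[^a-z]", "", t) for t in ascii_name.lower().split()]
    tokens = [t for t in tokens if t and t not in TITLES]
    if len(tokens) < 2:
        return None
    return tokens[0], tokens[-1]

def infer_format(confirmed, domain):
    """Label of the convention that reproduces every confirmed (name, address) pair, else None."""
    pairs = [(normalise(n), e.lower()) for n, e in confirmed]
    for label, fmt in FORMATS.items():
        if pairs and all(p and f"{fmt(*p)}@{domain}" == e for p, e in pairs):
            return label
    return None

def build_upn_list(names, domain, confirmed=()):
    """Return (inferred_format, deduplicated UPN list). Without a confirmed
    convention every format is emitted, so the list can be validated later."""
    label = infer_format(confirmed, domain)
    fmts = [FORMATS[label]] if label else list(FORMATS.values())
    seen, upns = set(), []
    for name in names:
        parts = normalise(name)
        if parts is None:
            continue
        for fmt in fmts:
            upn = f"{fmt(*parts)}@{domain}"
            if upn not in seen:
                seen.add(upn)
                upns.append(upn)
    return label, upns

# Constructed sample input.
NAMES = ["Alice Jones", "Bob O'Brien", "Dr. José Ñúñez", "Carol Smith"]
CONFIRMED = [("Alice Jones", "alice.jones@example.com"),
             ("Bob O'Brien", "Bob.OBrien@example.com")]

if __name__ == "__main__":
    fmt, upns = build_upn_list(NAMES, "example.com", CONFIRMED)
    print(fmt)
    print("\n".join(upns))
```

When no address has been confirmed the script emits every convention for every name; that list is larger, but it is exactly what you feed into a later validation step (for example against a login endpoint that leaks whether a user exists) rather than something to guess at.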
Active Reconnaissance
Active reconnaissance interacts with the target directly. It starts with network scanning to find live hosts, open ports, the services listening on them and the operating systems behind them, and continues by probing those services for weaknesses, for example enumerating shares, users or web application paths. Every probe is visible to the target's monitoring, so pace and volume matter if detection is to be kept down. Port scans should not stop at the default port lists: a web server or management interface on a non-standard port is easy to miss, so scan the full range and identify services by their banners rather than by the port number alone.
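The point about non-standard ports is easiest to see in code. The scanner below is an added example, not code from the original page: it does a plain TCP connect scan, grabs whatever each open port says, and labels the service from the banner instead of from the port number. So that it runs offline it starts a throwaway HTTP server on an OS-assigned local port and scans that; the banner signatures are illustrative, not a complete fingerprint database, and against a real target the host and port range would be the in-scope ones.

```python
"""TCP connect scan with banner grabbing, identifying services by what they
say rather than by the port they sit on.

Added example, not code from the original page. To run offline it starts a
throwaway HTTP server on an OS-assigned (and therefore non-standard) local
port and scans that; against a real target you would replace the host and
port range with the in-scope ones. Signatures are illustrative, not exhaustive.
"""
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SIGNATURES = [
    (re.compile(rb"^HTTP/1\.[01] \d{3}"), "http"),
    (re.compile(rb"^SSH-\d\.\d-"), "ssh"),
    (re.compile(rb"^220[ -].*\b(FTP|SMTP|ESMTP)\b", re.I), "ftp/smtp"),
]
# An HTTP HEAD doubles as a generic probe: services that talk first (SSH, FTP,
# SMTP) have already sent their banner by the time we read; web servers answer it.
PROBE = b"HEAD / HTTP/1.0\r\nHost: scanner\r\n\r\n"

def grab_banner(host, port, timeout=1.0):
    """Return (is_open, first_bytes). A refused connection or timeout means closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                s.sendall(PROBE)
                return True, s.recv(256)
            except (socket.timeout, OSError):
                return True, b""        # open but silent, or it dropped us after the probe
    except OSError:
        return False, b""

def identify(banner):
    for pattern, label in SIGNATURES:
        if pattern.search(banner):
            return label
    return "unknown" if banner else "no-banner"

def scan(host, ports):
    """{port: (service_label, first banner line)} for every open port."""
    results = {}
    for port in ports:
        is_open, banner = grab_banner(host, port)
        if is_open:
            first_line = banner.split(b"\r\n", 1)[0].decode("ascii", "replace")
            results[port] = (identify(banner), first_line)
    return results

class _LabHandler(BaseHTTPRequestHandler):
    """Minimal web server standing in for the 'web server on an odd port'."""
    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Server", "lab-http")
        self.end_headers()
    def log_message(self, *args):
        pass

def start_lab_server():
    """Start the throwaway server on a free port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _LabHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def free_port():
    """A port that is (almost certainly) closed right now, to show the closed case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    srv, web_port = start_lab_server()
    try:
        for port, (svc, line) in scan("127.0.0.1", [free_port(), web_port]).items():
            print(f"{port}/tcp open  {svc:<10} {line}")
    finally:
        srv.shutdown()
        srv.server_close()
```

A full-range scan of 65535 ports with a one second timeout each is slow and noisy done serially like this; in practice you would thread it and tune the timeout, and the amount of concurrency is one of the knobs that decides how loud you are.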
Moving recon to exploit
Once recon has covered all bases, the findings feed the exploitation phase, for example with Metasploit.
Depending on what was found this ranges from password spraying or credential stuffing with the UPN and breach lists built during passive recon, to rooting a host through a known vulnerability in a service identified during active recon. Spraying has to stay under the target's account lockout threshold, otherwise it turns into a denial of service against the very users you are testing.
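The lockout caveat is where sprays most often go wrong, so here is an added example (not code from the original page) of pacing one. Everything in it is constructed: the user list is the kind passive recon produces, the lockout policy (5 failed attempts in a 30 minute observation window) is an assumed value rather than anything read from a real target, and mock_auth stands in for whatever endpoint would actually be sprayed. Credential stuffing differs only in that each user gets their own leaked password instead of a shared candidate, so the same budget logic applies.

```python
"""Password spray paced under a lockout policy, against a mock authenticator.

Added example, not code from the original page. The users, passwords, the
policy (5 failures / 30 minutes, an assumed value) and mock_auth are all
constructed; mock_auth stands in for the real login endpoint.
"""
from collections import deque

class LockoutBudget:
    """Per-user count of failed attempts inside a sliding observation window,
    kept at least `safety_margin` below the threshold that would lock the account."""
    def __init__(self, threshold, window_minutes, safety_margin=1):
        self.limit = threshold - safety_margin
        if self.limit < 1:
            raise ValueError("safety margin leaves no attempts at all")
        self.window = window_minutes
        self.failures = {}          # user -> deque of minutes at which an attempt failed

    def _prune(self, user, now):
        q = self.failures.setdefault(user, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def can_try(self, user, now):
        return len(self._prune(user, now)) < self.limit

    def ready_at(self, user):
        """Minute at which the oldest counted failure ages out of the window."""
        return self.failures[user][0] + self.window

    def record_failure(self, user, now):
        self._prune(user, now).append(now)

def spray(users, passwords, budget, auth, start=0):
    """One password across every user per round. The simulated clock jumps
    forward when a user's budget is spent; a live run sleeps instead.
    Returns ({user: password}, [(minute, user, password), ...])."""
    now, found, log = start, {}, []
    for pw in passwords:
        for user in users:
            if user in found:
                continue
            if not budget.can_try(user, now):
                now = max(now, budget.ready_at(user))
            log.append((now, user, pw))
            if auth(user, pw):
                found[user] = pw
            else:
                budget.record_failure(user, now)
    return found, log

def max_attempts_in_window(log, window_minutes):
    """Largest number of attempts any single user received inside one window:
    the number that must stay below the lockout threshold."""
    per_user = {}
    for minute, user, _ in log:
        per_user.setdefault(user, []).append(minute)
    worst = 0
    for times in per_user.values():
        times.sort()
        for i, t in enumerate(times):
            worst = max(worst, sum(1 for u in times[i:] if u - t < window_minutes))
    return worst

# Constructed test data.
USERS = ["alice.jones@example.com", "bob.obrien@example.com",
         "jose.nunez@example.com", "carol.smith@example.com"]
PASSWORDS = ["Welcome1", "Password1", "Summer2024!", "Spring2024!", "Company123", "Winter2023!"]
VALID = {"carol.smith@example.com": "Spring2024!"}

def mock_auth(user, password):
    return VALID.get(user) == password

if __name__ == "__main__":
    found, log = spray(USERS, PASSWORDS, LockoutBudget(threshold=5, window_minutes=30), mock_auth)
    print("valid:", found)
    print("rounds ran at minutes", sorted({m for m, _, _ in log}),
          "with at most", max_attempts_in_window(log, 30), "attempts per user per window")
```

With this policy the first four passwords go out in one burst and the fifth waits a full observation window, because each user has only four failures to spend before the margin is hit. Against a real target the threshold and window come from the password policy you enumerated, or from the client, never from a guess.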