The 2 types of reconnaissance

Once you have installed your Kali Linux operating system, you are ready to start your penetration test.

Remember, we have already discussed the methodology to follow to successfully carry out a pentest.

If your Rules of Engagement are well established, and you have defined your target, the IP addresses to test, etc., you can then launch your operating system.

We will start with the first phase: reconnaissance.

During this reconnaissance phase, we will simply try to gather the maximum amount of information on our target or targets.

Generally, reconnaissance is divided into two parts: passive reconnaissance and active reconnaissance.

You will spend a defined amount of time collecting passive information, then you will do the same for the active part.

To stay organized, it is essential to document all the information gathered as you go.

It is very important to know how to document your findings because at the end of your penetration test, you will have to write a report.

The more organized and structured your documentation is, the more efficient and productive your report writing will be.

Passive reconnaissance consists of collecting information without ever interacting directly with the target.

Let's imagine that your target is a web server and you have to perform a penetration test on it.

When you start your passive reconnaissance, you must under no circumstances interact directly with this server.

You are not going to launch a scan, nor send packets to it from your IP address or your attack machine.

You are only going to look for publicly accessible information, whether on search engines (Google, Bing, etc.) or on social networks.

The information you are looking for includes email addresses, passwords, usernames or any other useful public data.

For example, if you go to professional social networks, you can find information about the employees of the targeted company.

This information is valuable.

If you find professional email addresses, you can then check public databases on the Internet (such as data leak sites) to see whether these addresses have been compromised in past hacks (data breaches).

By consulting these leak databases, you will sometimes be able to find the passwords associated with these email addresses.

All of this information is critically important.

In a passive way, you can also discover information about the technologies used by the company or its server.

By consulting technical forums or discussion sites, you could learn that the company is testing or using a specific version of PHP, a particular version of Django for the back-end, or a specific type of DBMS (database management system).

All of this information will be extremely useful to you during the exploitation phase.

All of this is done without any interaction with the target server.

The second approach is active reconnaissance, in which you will interact directly with the target system.

Some call this phase scanning, but we will clearly differentiate the two.

To keep the progression simple, we will treat passive and active reconnaissance together, then scanning separately, even though active reconnaissance is technically part of scanning.

In this phase, you therefore interact with the target server.

You will use tools like Nmap, Nessus, OpenVAS, as well as other web server scanners to obtain more precise details.

Indeed, passive reconnaissance is limited by nature.

We therefore complete it with active reconnaissance using tools like Nmap.

This consists of sending test packets to the target server and analyzing its responses, which allows us to identify the protocols and services running, as well as the state of the ports (open, closed, filtered, etc.).

The advantage of active reconnaissance is that it provides very precise and technical information.

The disadvantage is that you can be detected or blocked by a firewall or an intrusion detection system if you send too many suspicious packets.

You must therefore always take this into account.
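As an added example (not part of this course), here is the kind of detection logic a defender might run over firewall logs to catch exactly the behaviour described above: one source probing many distinct ports in a short time. The log format, IP addresses, timestamps and thresholds are all constructed for illustration; it also shows why a slow scan spread over minutes slips past a short detection window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified iptables-style format (not real logs):
# one fast scanner (203.0.113.5), one slow scanner (203.0.113.9, one port per
# minute) and one benign client (198.51.100.7) that only talks to 443 and 80.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT={p} FLAGS=SYN"
     for i, p in enumerate(SCAN_PORTS)]
    + [f"2024-05-01T10:{i:02d}:00 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={p} FLAGS=SYN"
       for i, p in enumerate(SCAN_PORTS)]
    + ["2024-05-01T10:00:05 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN",
       "2024-05-01T10:00:09 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN",
       "2024-05-01T10:00:30 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=SYN",
       "2024-05-01T10:00:31 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP DPT=53"])

# Only TCP SYN probes are of interest here; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=\S+ PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=SYN$")

def parse_events(text):
    """Return a list of (timestamp, source_ip, destination_port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    return events

def detect_scanners(events, window=timedelta(seconds=60), threshold=10):
    """Map source IP -> max distinct ports hit within any `window`, for sources
    that reach `threshold` distinct ports. Sliding window over time-sorted hits."""
    by_src = defaultdict(list)
    for ts, src, dpt in sorted(events):
        by_src[src].append((ts, dpt))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop hits that fell out of the window
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("60s window:", detect_scanners(evs))                            # fast scanner only
    print("15m window:", detect_scanners(evs, window=timedelta(minutes=15)))  # both scanners
```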

Passive reconnaissance yields more limited results but has the advantage of being undetectable by the target, since no packet ever reaches it.

Any information found online can prove crucial during exploitation.

That's it for the organization of our reconnaissance phase.

We will now see the tools that will help us carry it out.
