Chapter 2. Reconnaissance

The term Reconnaissance comes from military strategy: exploring beyond the area occupied by friendly forces to gain information about the enemy for later analysis or attack. Reconnaissance of computer systems is similar in nature: a Penetration Tester or attacker attempts to learn as much as possible about a target's environment and system traits before launching an attack. This is also known as establishing a Footprint of the target. Reconnaissance is typically passive in nature and in many cases not illegal to perform (we are not lawyers and cannot offer legal advice) as long as you do not complete a three-way handshake with a system you are not authorized to test. In practice, treat any packet you send directly to the target's own systems as active reconnaissance, even a half-open SYN scan; only queries to third-party sources (search engines, WHOIS and DNS records, public archives, job postings) are truly passive, because the target never sees traffic from you.

Examples of Reconnaissance range from researching a target on public sources such as Google, to monitoring employee activity to learn operational patterns, to scanning networks or systems to gather information such as hardware manufacturer, operating system, and open communication ports. The more information gathered about a target, the better the chance of identifying the easiest and fastest method of achieving the penetration goal, as well as the best way to avoid the security controls already in place. Alerting the target also works against you: a defender who notices the preparation will most likely close the very attack avenues you were preparing to use. Kali's motto says this best:

"The quieter you become, the more you are able to hear"

Reconnaissance services should include thorough documentation, because data found early may become relevant at a later point in the penetration exercise. Clients will also want to know how specific data was obtained and will ask for references to the resources used: for example, which tools were run against which public-facing resources, or the exact search query submitted to Google to obtain a result. Telling a customer "we achieved the goal" is not good enough, because the purpose of a Penetration Test is to identify weaknesses so that they can be repaired.

Reconnaissance objectives

  • Target background: What is the focus of the target's business?
  • Target's associates: Who are the business partners, vendors, and customers?
  • Target's investment in security: Are security policies advertised? How much is likely invested in security, and how security-aware are the users?
  • Target's business and security policies: How does the business operate? Where are the potential weaknesses in operation?
  • Target's people: What type of people work there? How can they become your asset for the attack?
  • Define targets: What are the lowest hanging fruit targets? What should be avoided?
  • Target's network: How do the people and devices communicate on the network?
  • Target's defenses: What type of security is in place? Where is it located?
  • Target's technologies: What technologies are used for e-mail, network traffic, storing information, authentication, and so on? Are they vulnerable?

Kali Linux contains an extensive catalog of tools under the heading Information Gathering, dedicated to Reconnaissance efforts. Covering every tool and method offered for Information Gathering could fill a separate book. This chapter focuses on web application Reconnaissance topics and covers the best tools available on the Internet as well as those offered by Kali Linux.
