Active Reconnaissance of External and Internal Networks

The main goal of the active reconnaissance phase is to collect as much information about the target as possible and turn it into something actionable, in order to support the exploitation phase of the kill chain methodology.

We have seen in the last chapter how to perform passive reconnaissance using OSINT, which is almost undetectable and can yield a significant amount of information about the target organization and its users.

Active reconnaissance builds on the results of OSINT and passive reconnaissance and emphasizes more focused probes to identify the path to the target and the target's exposed attack surface. In general, complex systems have a greater attack surface, and each exposed component may be exploited and then leveraged to support additional attacks.

Although active reconnaissance produces more useful information, interactions with the target system may be logged, triggering alarms by protective devices, such as firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS). As the usefulness of the data to the attacker increases, so does the risk of detection; this is shown in the following diagram:

To improve the effectiveness of active reconnaissance in providing detailed information, our focus will be on using stealthy, or difficult to detect, techniques.
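To make the detection trade-off concrete, the following added example (not code from the book) simulates the rate-based port-scan rule that a firewall or IDS typically applies: flag a source that touches many distinct ports on one host within a short window. The log lines, the log format, the addresses and the window and threshold values are all constructed for the example. Two scanners probe the same twenty ports; the fast one trips the rule, the slow one stays under it, which is exactly why the chapter focuses on stealthy, throttled techniques.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example: "<epoch> DENY src=<ip> dst=<ip> dport=<port>".
# It is not the syntax of any particular firewall.
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139,
                143, 443, 445, 993, 995, 1433, 3306, 3389, 5900, 8080]


def make_sample_logs():
    """Build constructed sample log lines: one noisy and one slow scanner (hypothetical IPs)."""
    lines = []
    # Noisy scanner: all 20 ports within 2 seconds (10 probes per second).
    for i, port in enumerate(COMMON_PORTS):
        lines.append(f"{1000 + i // 10} DENY src=10.0.0.5 dst=192.0.2.10 dport={port}")
    # Slow scanner: same 20 ports, one probe every 120 seconds.
    for i, port in enumerate(COMMON_PORTS):
        lines.append(f"{1000 + i * 120} DENY src=10.0.0.9 dst=192.0.2.10 dport={port}")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_scanners(lines, window=60, threshold=10):
    """Flag sources that hit >= `threshold` distinct ports on one host within `window` seconds.

    A sliding window of recent (timestamp, port) events is kept per (src, dst) pair;
    the rule fires as soon as the distinct-port count in the window reaches the threshold.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port) inside the window
    flagged = set()
    for ts, src, dst, port in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    logs = make_sample_logs()
    print("flagged with 60s window:", sorted(detect_scanners(logs)))
    print("flagged with 1h window: ", sorted(detect_scanners(logs, window=3600)))
```

With the default 60-second window only the noisy scanner (10.0.0.5) is reported; widening the window to an hour catches the slow scanner too, which is the defender's side of the same trade-off: the slower the probing, the longer the correlation window needed to see it, and the more benign traffic that window will sweep in.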

In this chapter, you will learn about the following:

  • Stealth scanning strategies
  • External and internal infrastructure, host discovery, and enumeration
  • Comprehensive reconnaissance of applications, especially with recon-ng
  • Enumeration of internal hosts using DHCP
  • Useful Microsoft Windows commands during penetration testing
  • Taking advantage of default configurations
  • Enumeration of users using SNMP, SMB, and rpcclient