Reconnaissance
Summary
Reconnaissance is the initial phase of the Unified Kill Chain, in which the attacker gathers information about the target before any attempt at compromise; the passive forms below do so without touching the target at all, the active forms interact with it directly.
“Reconnaissance is 90% of the job in Ethical Hacking. This is where you find most vulnerabilities. The rest is about scaling the impact.” - Adrian Bacceli
This phase is typically divided into two types:
🕵️ Passive Reconnaissance
Tools and techniques that do not interact directly with the target's systems, which reduces the chance of detection.
- Shodan: Search engine for internet-connected devices.
- Wappalyzer: Browser extension or CLI tool to identify technologies used by a target website.
- Dark Web & Breach Reconnaissance ==(Work In Progress)==
- App Specific Passive Reconnaissance: Reverse engineering APKs, firmware analysis ==(Work In Progress)==
- Social Engineering Passive Reconnaissance: LinkedIn stalking, email scraping ==(Work In Progress)==
- OSINT
⚡ Active Reconnaissance
Tools and techniques that interact directly with the target's systems, which makes them more likely to be logged and detected.
- Vulnerability Assessment & Hardening: include in every step
- Application-Specific Recon: Specific to a certain application
- Cloud Reconnaissance: Focus on Cloud vulnerabilities
- Host-Based Reconnaissance: Host OS (Linux, Windows, ESXi, macOS, AHV, etc.)
- Network Reconnaissance: Internal network scan
- Social Engineering Active Reconnaissance: Interacting with users
- Web Reconnaissance: Application capture and vulnerabilities
- Wireless Reconnaissance: Wi-Fi, Bluetooth, AirDrop, etc.
🔗 See Also
- 02_Resource Development (next stage in the Unified Kill Chain)