Recon: Surveying The Attack Surface: CEH Test Prep Video Series

This document discusses reconnaissance techniques for cybersecurity assessments. It outlines the standard attack workflow including reconnaissance, enumeration, gaining access, and maintaining access. Reconnaissance techniques can be passive like open-source intelligence gathering or active like interacting with systems. The goals of reconnaissance are to collect technical data on network ranges, domains, servers, software configurations, and personal data. It provides an overview of passive reconnaissance tools and sources like search engines, social media, and archives. Active reconnaissance tools are also summarized like DNS tools, port scanners, and email validation. The document concludes with references to standard methodologies and lists of reconnaissance tools.

Recon: Surveying the Attack Surface
CEH Test Prep Video Series
Attack workflow(s)
• Reconnaissance
• Enumeration
• Modeling attacks
• Gaining access
• Escalating privileges
• Maintaining access
• Collecting evidence
• Reporting
• Pentest methodologies
  • PTES
    • The standard
    • Technical guidelines
  • OSSTMM
  • NIST SP 800-115
Recon types and goals
• 80/20 rule
• Passive recon
  • Non-interaction with client
• Active recon
  • Interaction with client
• Important:
  • Blurred boundaries
  • Both massively automated
• Data types
  • Technical data
    • Network ranges
    • DNS names, URLs
    • Special servers: NS, MX, webmail etc.
    • Software and configurations
  • ‘People’ data
    • Full names
    • Email
    • Phone numbers
    • Social media accounts
    • Geodata
    • Interests, hobbies, life stories
    • Skills and work history
Passive Recon (OSINT)
“The quieter you become, the more you can hear.” – Ram Dass

• Data sources
  • Internet footprint
    • Search engines
    • Social media
    • Client web-sites
    • Metadata
    • Job search web-sites
    • Web forums
    • Mailing lists and user groups
  • Special resources
    • Internet databases
    • Internet archives
    • Specialized search engines
    • Web-service APIs
• Tools and methods
  • Google, Bing, Yahoo, local engines
  • LinkedIn, Facebook, Twitter, Instagram…
  • Archive.org
  • Maltego
  • Recon-NG
Active Recon
• Input sources
  • Internet DBs: DNS, whois etc.
  • Client systems: servers, web-sites, product web-sites etc.
  • Cloud considerations
  • Client networks (once inside)
  • Client personnel
  • Direct observation
• Tools and automation
  • Kali recon tools
  • nc, netcat, ncat
  • Recon-NG
  • BurpSuite
  • SecLists
  • Python or any scripting language
  • Nmap
  • FOCA
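The slide lists netcat and "Python or any scripting language" among the active-recon tools; the classic use is checking whether a mailbox exists by talking SMTP to the target's MX (HELO, MAIL FROM, RCPT TO, then QUIT without ever sending DATA). The following is an added example written for this page, not code from the slides: the client logic is real and works over a socket, while `FakeMX`, its user list and the `example.com` / `example.net` names are constructed so it can be run offline. Note that this is active, not passive, recon: every probe appears in the target's mail logs, and a catch-all server answers 250 to everything, so compare against a deliberately bogus address before trusting an "accepted".

```python
"""SMTP RCPT-TO mailbox check (added example; not from the slides).
Real target: the MX host from `dig MX <domain>`, port 25. FakeMX below
is a constructed stand-in so the client logic runs offline."""
import socket


def _read_reply(readline):
    """Read one SMTP reply; '250-...' lines continue, '250 ...' ends it."""
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), "\n".join(lines)


def rcpt_check(sendall, readline, rcpt,
               helo="probe.example.net", mail_from="probe@example.net"):
    """Drive HELO / MAIL FROM / RCPT TO over any transport; return (code, text)."""
    code, text = _read_reply(readline)               # greeting banner
    if code != 220:
        return code, text
    for cmd in (f"HELO {helo}", f"MAIL FROM:<{mail_from}>"):
        sendall((cmd + "\r\n").encode())
        code, text = _read_reply(readline)
        if code != 250:
            return code, text
    sendall(f"RCPT TO:<{rcpt}>\r\n".encode())
    code, text = _read_reply(readline)               # the answer we want
    sendall(b"QUIT\r\n")                             # close cleanly; never DATA
    return code, text


def classify(code):
    """Map the RCPT reply code to a verdict. 250 from a catch-all domain
    proves nothing, so always probe a bogus address for comparison."""
    if code == 250:
        return "accepted"
    if code in (550, 551, 553):
        return "rejected"
    if 400 <= code < 500:
        return "tempfail"        # greylisting / rate limit: retry later
    return "unknown"


def check_over_network(mx_host, rcpt, port=25, timeout=10.0):
    """Live entry point: same client logic over a real TCP socket."""
    with socket.create_connection((mx_host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        return rcpt_check(s.sendall, f.readline, rcpt)


class FakeMX:
    """Constructed in-memory mail server (not a real MX) for offline runs."""
    KNOWN = {"alice@example.com", "bob@example.com"}   # constructed users

    def __init__(self):
        self._pending = [b"220-mx.example.com ESMTP (constructed)\r\n",
                         b"220 ready\r\n"]              # multi-line banner

    def sendall(self, data):
        cmd = data.decode().strip()
        verb = cmd.split(":")[0].split(" ")[0].upper()
        if verb == "HELO":
            reply = "250 mx.example.com"
        elif verb == "MAIL":
            reply = "250 2.1.0 Ok"
        elif verb == "RCPT":
            addr = cmd[cmd.find("<") + 1:cmd.find(">")].lower()
            reply = ("250 2.1.5 Ok" if addr in self.KNOWN
                     else f"550 5.1.1 <{addr}>: Recipient address rejected")
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        self._pending.append((reply + "\r\n").encode())

    def readline(self):
        return self._pending.pop(0) if self._pending else b""


def validate_list(addresses, transport_factory=FakeMX):
    """One fresh session per address; returns {address: verdict}."""
    verdicts = {}
    for addr in addresses:
        t = transport_factory()
        code, _ = rcpt_check(t.sendall, t.readline, addr)
        verdicts[addr] = classify(code)
    return verdicts
```

`validate_list(["alice@example.com", "nobody@example.com"])` returns `accepted` for the first and `rejected` for the second against the fake server; swap `transport_factory` for a small wrapper around `check_over_network` to run the same logic against a real MX.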
Recon walkthrough and tools summary
• Passive recon
  1. Map the scope
    • Maltego || Recon-NG
    • Google hacking – site:, inurl: etc.
  2. Find more hosts
    • dig, dnsrecon, dnsenum, fierce
    • Browse shares, visit web-sites
  3. Collect names and contacts
    • LinkedIn, Facebook
  4. Collect hosts, emails
    • theHarvester
  5. GOTO 1
• Active recon
  1. Collect metadata
    • FOCA
  2. Find more hosts
    • nmap -sn …
  3. Identify more networks
    • Whois, Maltego
  4. Validate emails
    • Netcat scripting, Maltego
  5. GOTO 1
    • Feed the data back and forth
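Both walkthroughs end in "GOTO 1": every host, IP, network or email found in one pass is fed back as input to the next until a pass turns up nothing new, and step 1 (map the scope) is what keeps that loop from wandering onto systems you are not authorised to touch. The following is an added example, not code from the slides: a transform loop that runs to a fixpoint and parks out-of-scope findings instead of using them, with a parser for real `nmap -sn -oX -` output. The scope, the `FAKE_*` lookup tables and the nmap XML are constructed stand-ins for dig, theHarvester, `dig -x` and a live ping sweep; replace the four `t_*` functions with real queries and the loop itself does not change.

```python
"""Recon loop with a scope gate (added example; not from the slides).
FAKE_* tables and NMAP_SN_XML are constructed stand-ins for live lookups."""
import ipaddress
import xml.etree.ElementTree as ET

# Step 1, "map the scope": constructed engagement scope.
SCOPE_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
SCOPE_DOMAINS = {"example.com"}


def in_scope(item):
    """True if a (kind, value) finding may be fed into further steps."""
    kind, value = item
    if kind == "ip":
        return any(ipaddress.ip_address(value) in n for n in SCOPE_NETS)
    if kind == "net":
        net = ipaddress.ip_network(value, strict=False)
        return any(net.subnet_of(n) for n in SCOPE_NETS)
    if kind in ("host", "email"):        # compare the domain part only
        name = value.rsplit("@", 1)[-1].lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in SCOPE_DOMAINS)
    return False


# Constructed `nmap -sn -oX - 203.0.113.0/28` output (active step 2).
NMAP_SN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 203.0.113.0/28">
<host><status state="up" reason="echo-reply"/>
  <address addr="203.0.113.5" addrtype="ipv4"/>
  <hostnames><hostname name="mail.example.com" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
  <address addr="203.0.113.9" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac"/><hostnames/></host>
<host><status state="down" reason="no-response"/>
  <address addr="203.0.113.10" addrtype="ipv4"/></host>
<host><status state="up" reason="echo-reply"/>
  <address addr="203.0.113.12" addrtype="ipv4"/>
  <hostnames><hostname name="cdn-edge.shared-hosting.example.net" type="PTR"/></hostnames></host>
</nmaprun>"""


def parse_nmap_sn(xml_text):
    """Yield (ip, ptr_name_or_None) for each host nmap reports as up."""
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        yield ip, (hn.get("name") if hn is not None else None)


# Constructed answers standing in for dig A, theHarvester and dig -x.
FAKE_A = {"example.com": ["203.0.113.5"], "www.example.com": ["203.0.113.5"],
          "mail.example.com": ["203.0.113.5"], "old.example.com": ["192.0.2.77"]}
FAKE_SUBDOMAINS = {"example.com": ["www.example.com", "old.example.com"]}
FAKE_EMAILS = {"example.com": ["jane.doe@example.com"]}
FAKE_PTR = {"203.0.113.5": "mail.example.com",
            "203.0.113.12": "cdn-edge.shared-hosting.example.net"}


def t_resolve(name):      # host -> ip        (dig A)
    return [("ip", ip) for ip in FAKE_A.get(name, [])]

def t_harvest(name):      # host -> host/email (theHarvester)
    return ([("host", h) for h in FAKE_SUBDOMAINS.get(name, [])]
            + [("email", e) for e in FAKE_EMAILS.get(name, [])])

def t_ptr(ip):            # ip -> host        (dig -x)
    return [("host", FAKE_PTR[ip])] if ip in FAKE_PTR else []

def t_sweep(net):         # net -> ip/host    (nmap -sn; the XML above stands in for a live scan of `net`)
    out = []
    for ip, name in parse_nmap_sn(NMAP_SN_XML):
        out.append(("ip", ip))
        if name:
            out.append(("host", name))
    return out

TRANSFORMS = {"host": [t_resolve, t_harvest], "ip": [t_ptr], "net": [t_sweep]}


def recon_loop(seeds, transforms=TRANSFORMS, max_rounds=10):
    """Run transforms until a round adds nothing. Returns (found, parked, rounds).
    Out-of-scope findings go to `parked` and are never used as input."""
    found, parked = set(), set()
    for item in seeds:
        (found if in_scope(item) else parked).add(item)
    frontier, rounds = set(found), 0
    while frontier and rounds < max_rounds:
        rounds += 1
        new = set()
        for kind, value in frontier:
            for fn in transforms.get(kind, []):
                for item in fn(value):
                    if item in found or item in parked or item in new:
                        continue
                    (new if in_scope(item) else parked).add(item)
        found |= new
        frontier = new                      # "GOTO 1" with only the new items
    return found, parked, rounds
```

With the seeds `("host", "example.com")` and `("net", "203.0.113.0/28")` the loop converges in two rounds; the down host 203.0.113.10 never enters the graph, and 192.0.2.77 (from the stale `old.example.com` record) and the shared CDN PTR name land in `parked`, which is the list to raise with the client before any of it gets scanned.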
References
• Pentest methodologies
  • NIST SP 800-115 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
  • OSSTMM http://www.isecom.org/research/osstmm.html
  • PTES http://www.pentest-standard.org/index.php/Main_Page
  • PTES technical guidelines http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
• Recon tools
  • Google hacking database https://www.exploit-db.com/google-hacking-database/
  • SecLists https://github.com/danielmiessler/SecLists
  • Maltego https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php
  • FOCA https://www.elevenpaths.com/labstools/foca/index.html
  • Recon-ng https://bitbucket.org/LaNMaSteR53/recon-ng
  • Sn1per https://github.com/1N3/Sn1per
