Reconnaissance for Ethical Hackers
Reconnaissance for Ethical Hackers: Focus on the starting point of data breaches and explore essential steps for successful pentesting

Glen D. Singh
Paperback Aug 2023 430 pages 1st Edition

Fundamentals of Reconnaissance

For an aspiring ethical hacker, penetration tester, or red teamer, reconnaissance plays an important role in helping cybersecurity professionals reduce an organization’s digital footprint on the internet. These digital footprints enable adversaries such as hackers to leverage publicly available information about a target to plan future operations and cyber-attacks. As more organizations and users connect their systems and networks to the largest network infrastructure in the world, the internet, access to information and the sharing of resources are readily available to everyone. The internet has provided the platform for many organizations to extend their products and services beyond traditional borders to potential and new customers around the world. Furthermore, people use the internet to enroll in and attend online classes, perform e-commerce transactions, operate online businesses, and communicate and share ideas with others.

Nowadays, using the internet is very common for many people. For instance, if an organization is looking to hire an employee to fill a new or existing role, the recruiter simply posts the job vacancy with all the details an interested candidate needs. This enables anyone with internet access to visit various job forums and recruiting websites to seek new career opportunities and easily submit an application via the online platform. Information that’s posted and available online also enables adversaries to collect and leverage specific details about the targeted organization. Such details help hackers to determine the type of network infrastructure, systems, and services that are running on the internal network of a company without breaking in. This book will teach you how threat actors and ethical hackers are able to leverage publicly available information when planning future operations that lead to a cyber-attack.

During the course of this chapter, you will gain a solid understanding of the importance of reconnaissance from both an adversary and cybersecurity professional’s perspective, and why organizations need to be mindful when connecting their systems and network to the internet. Furthermore, you will learn the fundamentals of attack surface management, why it’s important to organizations, and how cybersecurity professionals use it to reduce the risk of a possible cyber-attack on their networks. Lastly, you will discover the tactics, techniques, and procedures that are commonly used by threat actors, adversaries, ethical hackers, and penetration testers during the reconnaissance phase of an attack.

In this chapter, we will cover the following topics:

  • What is ethical hacking?
  • Importance of reconnaissance
  • Understanding attack surface management
  • Reconnaissance tactics, techniques, and procedures

Let’s dive in!

What is ethical hacking?

The term hacking is commonly used to describe the techniques and activities performed by a person with malicious intentions, such as a hacker, to gain unauthorized access to a system or network. Since the early days of telephone systems, computers, and the internet, many people have developed a high level of interest in determining how various devices and technologies operate and work together. It’s quite fascinating that a person can use a traditional landline telephone to dial the telephone number of another person and establish a connection for a verbal conversation, or use a computer to send an email message that is delivered to the intended recipient’s mailbox almost instantaneously compared to traditional postal operations.

Due to the curiosity of people around the world, the idea of disassembling a system to further understand its functions created the foundation of hacking. Early generations of hackers sought to understand how systems and devices work, and whether there was any flaw in the design that could be taken advantage of to alter the original function of the system. For instance, during the 1950s and 1960s in the United States, a security vulnerability was found in a telephone system that enabled users to manipulate or alter telephone signals to obtain free long-distance calls. This technique was known as phreaking in the telecommunication industry. Specifically, a person could use whistles that operated at 2600 MHz to recreate the signals that were used as telephone routing signals, thus enabling free long-distance calling for anyone who exploited this flaw. Telecommunication providers eventually implemented a solution known as Common Channel Interoffice Signaling (CCIS), which separated the signaling from the voice channel. In this scenario, people discovered a security vulnerability in a system and exploited it to alter the operation of the system. However, the intention varied from one person to another, whether for fun, for experimentation, or to gain free long-distance calling.

Important note

The term vulnerability is commonly used to describe a security flaw or weakness in a system. An exploit is anything that can be used to take advantage of a security vulnerability. A threat is anything that has the potential to cause damage to a system. A threat actor or adversary is the person (or persons) responsible for a cyber-attack or for creating a threat.

A very common question is why someone would want to hack into another system or network. There are various motives behind each hacker: for instance, many hackers break into systems for fun, to prove a point to others, to steal data from organizations, for financial gain by selling stolen data on the dark web, or simply as a personal challenge. Whatever the reason, hacking without authorization is illegal around the world, as it involves using a computing system to cause harm or damage to another system.

While hacking seems all bad in the mainstream media, it’s not all bad: cybersecurity professionals such as ethical hackers and penetration testers use similar techniques and tools, with legal permission, to simulate real-world cyber-attacks on organizations’ networks with the intent of discovering and resolving hidden security vulnerabilities before real cyber-attacks occur. Ethical hackers are commonly referred to as white-hat hackers in the cybersecurity industry; they use their knowledge and skills to help organizations find and resolve hidden security weaknesses and flaws prior to a real cyber-attack. Although threat actors and ethical hackers have similar skill sets, they have different moral compasses: threat actors use their skills and abilities for malicious and illegal purposes, whereas ethical hackers use theirs to help organizations defend themselves and safeguard their assets from malicious hackers.

The following are common types of threat actors and their motives:

  • Advanced Persistent Threat (APT) groups – The members of an APT group design their attacks to be very stealthy and undetectable by most threat detection systems on a targeted network or system. The intention is to compromise the targeted organization and remain on its network while exploiting additional systems and exfiltrating data.
  • Insider threats – This is an attacker who is inside the targeted organization’s network infrastructure. This can be a hacker who is employed within the company and is behind the organization’s security defense systems and has direct access to vulnerable machines. In addition, an insider threat can be a disgruntled employee who intends to cause harm to the network infrastructure of the company.
  • State actors – These are cybersecurity professionals who are employed by a nation’s government to focus on national security and perform reconnaissance on other nations around the world.
  • Hacktivists – These are persons who use their hacking skills to support a social or political agenda such as defacing websites and disrupting the availability of or access to web servers.
  • Script kiddie – This type of hacker is a novice and lacks the technical expertise in the industry but follows the tutorials or instructions of experts to perform cyber-attacks on targeted systems. However, since this person does not fully understand the technicalities behind the attack, they can cause more damage than a real hacker.
  • Criminal syndicates – This is an organized crime group that focuses on financial gain and each person has a specialized skill to improve the attack and increase the likelihood of success. Furthermore, this group is usually well funded to ensure they have access to the best tools that money can buy.
  • White hat – These are cybersecurity professionals such as ethical hackers, penetration testers, and red teamers who use their skills to help organizations prevent cyber-attacks and threats.
  • Gray hat – These are people who use their hacking skills for both good and bad. For instance, a gray hat threat actor could be a cybersecurity professional who uses their skills in their day job to help organizations and at night for malicious reasons.
  • Black hat – These are typical threat actors who use their skills for malicious reasons.

Ethical hackers, penetration testers, and red team operators always need to obtain legal permission from authorities before engaging in simulating any type of real-world cyber-attacks and threats on their customers’ systems and network infrastructure, while ensuring they remain within scope. For instance, the following agreements need to be signed between the cybersecurity service provider and the customer:

  • Non-Disclosure Agreement (NDA)
  • Statement of Work (SOW)
  • Master Service Agreement (MSA)
  • Permission of Attack

The NDA is commonly referred to as a confidentiality agreement, which specifies that the ethical hacker, penetration tester, or red teamer will not disclose, share, or hold on to any private, confidential, sensitive, or proprietary information that was discovered during the security assessment of the customer’s systems and network infrastructure.

The SOW, on the other hand, usually contains all the details about the type of security testing that will be performed by the ethical hacker or service provider for the customer, and the scope of the security testing, such as the specific IP addresses and ranges. It’s extremely important that ethical hackers do not go beyond the scope of security testing, for legal reasons. Furthermore, the SOW contains the billing details, the duration of the security testing, disclaimer and liability details, and the deliverables to the customer.

The MSA is a general agreement that contains the payment details and terms, confidentiality and work standards of the provider, limitations and constraints, and delivery requirements. This type of agreement helps the cybersecurity service provider to reduce the time taken for any similar work that needs to be provided to either new or existing customers. In addition, the MSA document can be customized to fit the needs of each customer as they may require unique or specialized services.

Permission of attack is a very important agreement for ethical hackers, penetration testers, and red teamers as it contains the legal authorization that is needed to perform the security testing on the customer’s systems and network infrastructure. Consider this agreement, in the form of a document, as the get-out-of-jail card that is signed by the legal authorities, which indicates the granting of permission to the service provider and its employee(s) who are performing ethical hacking and penetration testing services on the customer’s systems and network.

Mindset and skills of ethical hackers

Threat actors are always seeking new and advanced techniques to compromise their targets’ systems and networks. There are different types of hackers and groups around the world, and each has its own motive and rationale for its cyber-attacks:

  • Personal accomplishment/challenge, such as proving they have the skills and capabilities to break into an organization and its systems
  • Financial gain, such as stealing confidential data from organizations and selling it on various dark web marketplaces
  • Supporting a social or political agenda such as defacing and compromising websites that are associated with a social/political movement
  • Cyber warfare, such as compromising the Industrial Control Systems (ICS) that manage the critical infrastructure of a country

While there are many cybersecurity companies around the world that are developing and improving solutions to help organizations defend and safeguard their assets from cyber criminals, attacks, and threats, there’s also a huge demand for cybersecurity professionals in the industry. It’s already noticeable through mainstream media platforms that it’s only a matter of time before another organization becomes the target of threat actors. In an online article published by the World Economic Forum on January 21, 2015, What does the Internet of Everything mean for security?, the former executive chairman and CEO of Cisco Systems, John Chambers, said, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” Each day, this statement becomes more evident and more of a reality, as many companies are reporting data breaches, and some reports indicate that attackers had been inside the network for many days or even months before the security incident was detected and contained.

The need for ethical hacking skills and knowledge is ever growing around the world, as leadership teams within small to large enterprises realize that their assets need to be protected, and that ethical hackers and penetration testers can help discover and remediate hidden security vulnerabilities, reduce the attack surface, and improve the cyber defenses of their company against cyber criminals and threats. Ethical hackers have the same skill set and expertise as malicious attackers such as threat actors; the difference is their intention. Ethical hackers have a good moral compass and choose to use their skills for good reasons, whereas threat actors use their skills and knowledge for bad reasons, such as causing harm and damage to systems for illegal purposes.

The following are common technical skills of ethical hackers in the cybersecurity industry:

  • Administrative-level skills with various operating systems such as Windows and Linux
  • Solid foundational knowledge of networking, such as routing and switching
  • Understanding the fundamentals of common security principles and best practices
  • Familiarity with programming languages such as Go and Python, and scripting languages such as Bash and PowerShell
  • Familiarity with virtualization, containerization, and the cloud

While the preceding list of foundational skills seems a bit intimidating, always remember the field of cybersecurity and learning is like a marathon and not a sprint. It’s not how quickly you can learn something, but ensuring you’re taking the time you need to fully understand and master a topic.

The following are non-technical skills of ethical hackers:

  • Being proficient in oral and written communication between technical and non-technical persons
  • Being an out-of-the-box thinker
  • Being self-motivated and driven to learn about new topics and expand knowledge
  • Ensuring you understand the difference between using knowledge for good and bad intentions

Ethical hackers use the same techniques, tools, and procedures as real threat actors to meet their objectives and discover hidden security vulnerabilities in systems. There’s a proverb that says if you want to catch a thief, you need to think like one. This proverb applies to ethical hacking – if you want to find the security vulnerabilities that real hackers are able to discover and exploit, then you need to adapt your mindset while using the same techniques, tools, and procedures to help you do the same, with legal permission and good intentions.

The following diagram shows the EC-Council’s five stages of ethical hacking:

Figure 1.1 – Stages of hacking

As shown in the preceding diagram, ethical hackers and threat actors start with reconnaissance on their target, then move on to scanning and enumeration, then onward to gaining access and establishing a foothold in the system by maintaining access, and then covering tracks to remove any evidence of an attack. Since this book is based on the concept of Reconnaissance for Ethical Hackers, we’ll focus on reconnaissance, scanning, and enumeration during the course of it.

The importance of reconnaissance

The first phase of ethical hacking is reconnaissance: the techniques and procedures that are used by the ethical hacker to collect as much information as possible about the target, in order to determine its network infrastructure, cyber defenses, and the security vulnerabilities that can be exploited to gain unauthorized access, and to plan the attack operations accordingly. From a military perspective, reconnaissance plays an important role in planning and launching an attack on a target. Collecting information about the target helps the attacker to determine the points of entry, type of infrastructure, assets owned, and the target’s strengths and weaknesses.

To put it simply, reconnaissance helps ethical hackers to gain a deeper understanding of an organization’s systems and network infrastructure before launching an attack. The collected information can be leveraged to identify any security vulnerabilities that can be exploited, thus enabling the ethical hacker to compromise and gain a foothold in the targeted systems. For instance, using reconnaissance techniques enables the ethical hacker to identify any running services and open ports and the service and software versions on a system, all of which can be used to identify and determine potential attack vectors on the target.

In addition, using reconnaissance techniques such as Open Source Intelligence (OSINT) enables the ethical hacker to passively collect information about their target that’s publicly available on the internet. Such information may contain usernames, email addresses, and job titles of employees of the targeted organization. This information can be leveraged to create various social engineering attacks and phishing email campaigns that are sent to specific employees within the targeted company.

The following screenshot shows an example of employees’ information that’s publicly available on the internet:

Figure 1.2 – Employees’ data

The preceding screenshot lists various employees of a specific organization. Their names, email addresses, and job titles are publicly known on the internet. A threat actor could look for patterns in their email addresses to determine the format that’s used for all employees of the company. For instance, let’s imagine there’s an employee whose name is John Doe and whose email address is jdoe@companyname.com, and another employee, Jane Foster, with an email address of jfoster@companyname.com. This shows a pattern and format for employees within the same organization, {f}{lastname}@domain-name.com, where f is the initial letter of the person’s first name, followed by their last name and the company’s domain name. Such information can help an ethical hacker to send phishing email campaigns to specific email addresses of high-profile employees of the targeted organization.

Reconnaissance helps organizations to reduce the risk of being compromised by a threat actor and improve their cyber defenses. By enabling an ethical hacker to perform reconnaissance techniques and procedures on an organization’s systems and network infrastructure, the organization can efficiently identify security vulnerabilities and take the necessary measures to remediate and resolve them before they are discovered and exploited by adversaries. Furthermore, reconnaissance helps organizations to both identify and keep track of potential threat actors, enabling the company to gain a better understanding of the cybersecurity threat landscape while implementing and improving proactive countermeasures to safeguard their assets, systems, and networks. Hence, reconnaissance is not only important to adversaries but cybersecurity professionals use the gathered information to help organizations.

Reconnaissance is divided into the following types:

  • Passive reconnaissance
  • Active reconnaissance

Passive reconnaissance enables the ethical hacker to leverage OSINT techniques to gather information that’s publicly available from various sources on the internet without making direct contact with the target.

The following are some examples of OSINT data sources:

  • Job websites
  • Online forums
  • Social media platforms
  • Company registry websites
  • Public Domain Name System (DNS) servers

It’s important for ethical hackers to use similar techniques and procedures as adversaries during their security assessments to provide real-world experience to their customers. In addition, it also helps the organization to determine whether its security team and solutions are able to detect any security intrusions that are created by the ethical hacker. If the security team were unable to detect any actions that were performed during the ethical hacking and penetration testing assessment, it’s a good sign for the ethical hacker as their techniques were stealthy enough to bypass and evade any threat detection systems on the network. However, this means the organization’s security team needs to improve their threat monitoring and detection strategies and tune their sensors to catch any security-related anomalies.

Active reconnaissance involves a more direct approach by the threat actor and ethical hacker to gather information about the target. In active reconnaissance, the ethical hacker uses scanning and enumeration techniques and tools to obtain specific details about the targeted systems and networks. For instance, to determine running services and open ports on a server, the ethical hacker can use a network and port scanning tool such as Nmap to perform host discovery on a network. However, active reconnaissance increases the risk of triggering security sensors and alerting the security team about a possible reconnaissance-based attack being performed.

In the next section, you will learn how cybersecurity professionals, including ethical hackers, leverage the information that is collected during reconnaissance to help organizations improve their security posture and manage their attack surfaces.

Understanding attack surface management

The attack surface is simply the set of potential security vulnerabilities that can be exploited, via attack vectors, to gain access to a system, network, or organization. If organizations are unable to identify their security vulnerabilities and implement countermeasures, they are simply leaving themselves susceptible and exposed to cyber-attacks and threats. Attack Surface Management (ASM) is not a new discipline in the cybersecurity industry; rather, it’s a new focus for cybersecurity professionals and organizations around the world. ASM is a strategy that cybersecurity professionals use to focus on identifying, analyzing, and reducing the attack surface of an organization. By reducing its attack surface, an organization reduces the risk of being compromised by cyber-attacks and threats while safeguarding its assets, resources, and sensitive information.

Adopting ASM within an organization enables the security team to identify and prioritize security vulnerabilities based on their vulnerability score and potential impact. The Common Vulnerability Scoring System (CVSS) is referenced within many vulnerability scanning tools to provide a vulnerability score between 0 and 10, where 0 is the least impact and 10 is critical. These scores help cybersecurity professionals to assign higher priority and more resources to remediating security vulnerabilities with higher severity.

For instance, the following screenshot shows the base metrics of the CVSS calculator:

Figure 1.3 – CVSS calculator

As shown in the preceding screenshot, the metrics within the base score influence the vulnerability score. For instance, if an attacker can exploit a security vulnerability on a targeted system over a network, where the attack complexity is low, no user interaction or escalated privileges are required, and the impact will greatly affect the confidentiality and integrity of the system, the CVSS calculator provides a vulnerability score of 9.4. Keep in mind that these scores are assigned to a vulnerability based on its criticality and impact on the system.

Tip

To learn more about the CVSS calculator, please see https://www.first.org/cvss/calculator/3.1.

The following snippet shows the results of a Nessus vulnerability scan, displaying the number of security flaws and their scores:

Figure 1.4 – Nessus scan results

As shown in the preceding snippet, the CVSS scores were referenced from the CVSS calculator.

It’s important to recognize that cybersecurity professionals may identify a security vulnerability that is critical to the operation of the organization and its business processes but has a low potential impact. There can be security vulnerabilities that are less critical to the operation of the business but have a greater potential impact if they’re exploited by a threat actor. Therefore, ASM helps organizations in prioritizing security vulnerabilities based on their impact levels while allocating their resources to remediating the most critical security vulnerabilities first.

Additionally, organizations that implement ASM are able to better identify and track changes to their attack surfaces. For instance, if an organization installs a new update to an existing system, this new update could introduce new security vulnerabilities and potentially change the attack surface, enabling a threat actor to use new techniques to compromise the system. Similarly, if an organization implements a new system or application on its network infrastructure, it has the potential of bringing new security flaws to the attack surface. However, ASM enables cybersecurity professionals to track changes that are being made to the attack surface of the organization while ensuring the security team is aware of any new security vulnerabilities that are introduced during this process. Furthermore, the organization can take the necessary actions to remediate these security vulnerabilities before they can be exploited by a threat actor.

Another benefit of ASM is its capability of helping organizations efficiently monitor their attack surface and identify any suspicious activities. This improves real-time threat detection and response within the company, enabling the security team to take immediate action to prevent, contain, or remediate the threat from systems and networks. Lastly, when ASM is implemented properly, it helps security teams to identify whether any malicious activities or threats that evaded security solutions have gone undetected on their systems and networks.

The following are the major benefits of ASM within the cybersecurity industry:

  • Reducing risk – Organizations that adopt ASM are able to identify and reduce their own attack surfaces, thereby reducing the risk of potential cyber-attacks and threats and protecting their assets from threat actors. Hence, by identifying and remediating security vulnerabilities, it becomes more difficult for threat actors to compromise systems and gain a foothold.
  • Prioritization – ASM helps companies to prioritize their resources to remediate security vulnerabilities that are more critical than others.
  • Continuous monitoring – For organizations to ensure their attack surface is small, continuous monitoring and maintenance are needed. This helps both cybersecurity professionals and organizations to always be aware of any new security vulnerability that may exist, either due to a new implementation or an upgrade to a system, therefore, taking the necessary actions needed to mitigate any security vulnerabilities before they can be exploited.
  • Improving incident response – ASM helps security teams to efficiently identify and respond to security incidents on their network in real time, as a result, reducing the impact and spread of a threat.
  • Compliance – There are regulatory standards and frameworks that are needed within organizations that operate in certain industries. For instance, organizations that operate in the payment card industry need to ensure their systems and networks are compliant with the Payment Card Industry Data Security Standard (PCI DSS). Being compliant means the organization’s systems and networks have the specific security controls in place to ensure data is protected.
  • Cost-effectiveness – Since ASM helps organizations to improve the identification and remediation of security vulnerabilities, it reduces the risk of data breaches and increases the availability of systems that are critical to the organization.

The following are key steps that organizations and cybersecurity professionals can use to get started with ASM:

  1. Asset management – Ensure all assets within your organization are properly tracked and entered into your inventory. These may include computers, servers, applications, and mobile devices. This helps organizations to better understand which assets are to be protected and identify security flaws in them.
  2. Identifying and mapping the attack surface – At this stage, cybersecurity professionals identify security vulnerabilities and map the attack surface of the organization. This includes potential attack vectors that could be used to deliver an exploit, and points of entry such as open ports and vulnerable running services on systems and networks.
  3. Assessing risk – This stage focuses on assessing the risk of each security vulnerability and its impact on the organization. This phase helps with prioritizing and focusing on the most critical security vulnerabilities, then on less critical vulnerabilities.
  4. Implementing security controls – This phase focuses on implementing security controls and solutions to remediate and mitigate security vulnerabilities that were identified in the previous stages. Here, the security team will implement network security devices, threat monitoring and prevention solutions, network segmentation, and so on.
  5. Monitoring and maintenance – For ASM to be effective, continuous monitoring of all assets, systems, and devices is required. It’s important to continuously monitor and maintain the security controls that are responsible for preventing cyber-attacks and threats from exploiting security vulnerabilities. Continuous monitoring and maintenance also help ensure those security controls remain effective in safeguarding the assets of the organization.
  6. Continuously perform reconnaissance – To identify new security vulnerabilities on the attack surface, organizations need to continuously perform reconnaissance on their assets, systems, and network infrastructure. Once new security vulnerabilities are identified, the lifecycle of ASM is repeated, taking the necessary steps to mitigate the security risk.
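The following Python script is an added example, not code from the book, that puts steps 1, 2, 3 and 5 together on a small constructed data set: an asset inventory, the result of an authorized scan of the organization’s own address range, and the previous scan as a baseline. Hosts that answer but are not in the inventory, ports exposed beyond what an asset is approved for, and inventory entries that no longer answer become findings, ordered by severity and marked when they are new since the baseline. The addresses, hostnames and severity weights are hypothetical values chosen for the example.

```python
"""Attack surface baseline check: reconcile an authorized scan of our own
hosts against the asset inventory and the previous scan (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

Scan = Dict[str, Set[int]]          # ip -> set of open TCP ports seen

# Step 1, asset management: constructed inventory of our own hosts with the
# ports each one is approved to expose. All values are made up.
INVENTORY = {
    "10.0.0.10": {"hostname": "web-01", "owner": "platform", "approved_ports": {80, 443}},
    "10.0.0.20": {"hostname": "db-01", "owner": "data", "approved_ports": {5432}},
    "10.0.0.30": {"hostname": "jump-01", "owner": "infra", "approved_ports": {22}},
}

# Step 2, mapping: constructed output of today's authorized scan of our range.
SCAN_TODAY: Scan = {
    "10.0.0.10": {80, 443, 22},
    "10.0.0.20": {5432, 3389},
    "10.0.0.30": {22},
    "10.0.0.99": {8080},          # host that is not in the inventory at all
}

# Step 5, monitoring: yesterday's scan is the baseline we compare against.
SCAN_YESTERDAY: Scan = {
    "10.0.0.10": {80, 443},
    "10.0.0.20": {5432},
    "10.0.0.30": {22},
}

# Step 3, risk: hypothetical severity per unapproved port. A real program
# would derive this from asset criticality and vulnerability data.
PORT_SEVERITY = {3389: 9, 22: 7, 8080: 5}
DEFAULT_SEVERITY = 3
UNKNOWN_HOST_SEVERITY = 10
STALE_ENTRY_SEVERITY = 1


@dataclass(order=True)
class Finding:
    severity: int
    ip: str
    port: int      # 0 for host-level findings
    kind: str      # "unknown-host", "unapproved-port" or "not-seen"
    new: bool      # True if absent from the baseline scan


def assess(inventory, scan: Scan, baseline: Scan) -> List[Finding]:
    """Return findings sorted by severity, highest first."""
    findings: List[Finding] = []
    for ip, ports in scan.items():
        asset = inventory.get(ip)
        previous = baseline.get(ip, set())
        if asset is None:
            # Something answered on our range that asset management does not know
            findings.append(Finding(UNKNOWN_HOST_SEVERITY, ip, 0, "unknown-host", ip not in baseline))
            continue
        for port in sorted(ports - asset["approved_ports"]):
            severity = PORT_SEVERITY.get(port, DEFAULT_SEVERITY)
            findings.append(Finding(severity, ip, port, "unapproved-port", port not in previous))
    # Inventory entries that no longer answer: stale records, not exposures
    for ip in sorted(inventory.keys() - scan.keys()):
        findings.append(Finding(STALE_ENTRY_SEVERITY, ip, 0, "not-seen", False))
    findings.sort(reverse=True)
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines; drift since the baseline is marked NEW."""
    return [
        f"[{f.severity:2d}] {f.ip}{':' + str(f.port) if f.port else ''} {f.kind}"
        + (" NEW" if f.new else "")
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(assess(INVENTORY, SCAN_TODAY, SCAN_YESTERDAY)):
        print(line)
```

Running it daily and keeping the previous scan as the baseline is what turns a one-off assessment into the continuous monitoring the lifecycle calls for: the NEW marker is the signal that something changed since the last run, which is exactly the condition under which step 6 sends the team back to the start of the cycle.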

In addition to using the preceding key steps, there are several tools that will help both cybersecurity professionals and organizations with ASM:

  • Vulnerability scanners – These are specialized, automated tools that help cybersecurity professionals identify security vulnerabilities in a system and provide recommendations on how to remediate the issue. Furthermore, these tools provide severity ratings, vulnerability scores, and potential impact.
  • Network scanners and mappers – This type of tool helps cybersecurity and networking professionals to determine live hosts, open service ports, and running applications on host devices. In addition, they help organizations to map their entire network infrastructure and identify unauthorized devices that are connected to the company’s network.
  • Configuration management tools – This type of tool helps organizations track and manage their configurations on systems and networks. It also helps cybersecurity professionals to identify new security vulnerabilities such as misconfigurations that are introduced onto a device after a new change.
  • Application security testing tools – These are specialized tools that are commonly used by cybersecurity professionals to perform security testing on applications and software to identify any unknown security flaw.
  • Attack Surface Reduction (ASR) tools – These tools are designed to help organizations reduce their attack surfaces. They work by identifying and denying malicious network traffic and by disabling unnecessary services and protocols on systems.
  • Risk management tools – Risk management tools enable organizations to track and manage the risk associated with their attack surface. Furthermore, these tools help cybersecurity professionals to monitor the effectiveness of the security controls that are in place to prevent cyber-attacks and threats.
  • Security Information and Event Management (SIEM) – This is a security solution that collects, aggregates, and analyzes security-related log messages generated from systems and devices within an organization to identify any potential cyber-attack and threat in real time.

While these tools are simply recommendations, it’s important to remember no single tool has the capability of providing complete coverage of the attack surface of an organization. Therefore, a combination of different tools, techniques, and procedures is required to ensure the organization can effectively manage its attack surface. Furthermore, as many tools are software-based, it’s important they are regularly updated to ensure they have the capability of detecting the latest security vulnerabilities and threats in the industry.

In the next section, you will learn about the tactics, techniques, and procedures that are used by adversaries during the reconnaissance phase of a cyber-attack.

Reconnaissance tactics, techniques, and procedures

As you have learned thus far, before an adversary launches an attack against an organization, they need to perform reconnaissance to gather as much information as possible on the target to determine its attack surface (points of entry). While there are many techniques that are used by both threat actors and ethical hackers, MITRE has created its well-known MITRE ATT&CK framework, which outlines the Tactics, Techniques, and Procedures (TTPs) of adversaries that are based on real-world events. These TTPs are commonly used by cybersecurity professionals, researchers, and organizations to both develop and improve their threat modeling and cyber defenses.

MITRE ATT&CK includes reconnaissance TTPs that help us to better understand the methods that are used by adversaries to collect information about their targets prior to launching an attack. These TTPs are also used by ethical hackers to efficiently identify security vulnerabilities and how a threat actor could compromise the attack surface of their client’s network infrastructure.

The following are common reconnaissance TTPs that are used by adversaries:

  • Active scanning – During active scanning, adversaries use various scanning tools to collect information about the target that can be leveraged in future operations. These scanning tools send special probes to targeted systems and networks to determine live hosts, operating systems, open ports, and running services on the host machine. Active scanning is an active reconnaissance technique that involves scanning IP network blocks and public IP addresses of the target, vulnerability scanning to identify security weaknesses that can be exploited, and wordlist scanning to retrieve possible passwords for future password-based attacks against the target.
  • Gathering victim host information – This technique enables the attacker to collect specific details about the target’s devices such as their hostnames, IP addresses, device types/roles, configurations, and operating systems. Additionally, the adversary is able to collect hardware, software, and client configuration details that can be used to improve the plan of attack. This technique involves using a combination of both active and passive reconnaissance as a threat actor can gain a lot of intelligence from OSINT alone and can perform active reconnaissance to identify specific details that are not easily available on the internet.
  • Gathering victim identity information – This technique focuses on collecting details about the target’s identity – personal data such as employees’ names, email addresses, job titles, and users’ credentials. This type of information can be collected using passive reconnaissance and leveraged for future social engineering attacks and gaining access to the target’s systems.
  • Gathering victim network information – Adversaries can use passive reconnaissance techniques to collect information on the target’s network infrastructure such as IP ranges, domain names, domain registrar details (physical addresses, email addresses, and telephone numbers), and DNS records. However, active reconnaissance techniques will help the attacker to better identify the target’s network topology, networking devices, and security appliances. Such information helps the adversary to better understand the target’s network infrastructure.
  • Gathering victim organization information – This technique enables adversaries to collect specific information about the target’s organization such as names of departments, business operations and processes, and employees’ roles and responsibilities. Such information can be collected using passive reconnaissance. Furthermore, adversaries use this technique to determine physical locations, business relations, and operating hours.
  • Phishing for information – Adversaries send phishing email messages to employees of the target organization with the intention of tricking a victim into performing an action such as downloading and installing malware on their system or even revealing sensitive information such as their user credentials. Adversaries can use spear phishing services from online service providers, insert malicious attachments in email messages, and insert obfuscated links within the body of the email message. Since the attacker is using a direct approach, this is an active reconnaissance technique.
  • Searching closed sources – The adversary may attempt to collect information about the target from closed sources, where the information is available through a paid subscription (passive reconnaissance). Such sources include threat intelligence vendors, whose private details about the target can be used to compromise it. Furthermore, adversaries can purchase information about the target from Dark Web marketplaces/black markets.
  • Searching open technical databases – There are many public online sources that enable anyone to collect information about a target. This technique focuses on leveraging public information that can be used to improve the plan of attack against an organization. For instance, the adversary can leverage public DNS records, WHOIS data (domain registration details), digital certificates (help identify sub-domains), and public databases that contain IP addresses, open ports, and server banner details about the target. This is another passive reconnaissance technique to collect information about the target.
  • Searching open websites and domains – Adversaries use this technique to search various online websites and platforms such as social media, internet search engines, and code repositories (such as GitHub) to collect information that can be used to compromise the target. Searching open websites and domains is another passive reconnaissance technique for collecting public information.
  • Searching victim-owned websites – This technique is used by the adversary to search the target’s websites for any details that can be leveraged, such as organizational details, physical locations, email addresses of employees, high-profile employees, and even employees’ names and contact details. This is an active reconnaissance technique since the attacker establishes a direct connection to the target’s asset.
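Because active scanning (the first TTP above) is the one technique that touches the target’s own systems, it is also the one a defender can observe directly. The following Python is an added example rather than code from the book: it runs a sliding-window detector over a constructed firewall log and flags a source that probes many ports on one host, or the same port across many hosts, within 60 seconds. The log line layout, the thresholds and the addresses are assumptions made for the example.

```python
"""Detect active scanning in firewall logs with a sliding window (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed log format: "<ISO time> <ALLOW|DENY> src=IP dst=IP dport=N proto=tcp".
# This is a made-up line layout, not a specific vendor's.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return an event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_scans(lines, window=timedelta(seconds=60),
                 port_threshold=10, host_threshold=10) -> List[Dict]:
    """Flag a source as a vertical scanner when it touches >= port_threshold
    distinct ports on one host inside the window, and as a horizontal scanner
    when it touches one port on >= host_threshold distinct hosts.
    Thresholds are hypothetical; tune them to the network's normal traffic."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, deque] = defaultdict(deque)   # src -> events inside window
    alerts: List[Dict] = []
    already = set()                                  # (src, kind) alerted once
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:          # expire old events
            q.popleft()
        ports_by_dst = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for x in q:
            ports_by_dst[x["dst"]].add(x["dport"])
            hosts_by_port[x["dport"]].add(x["dst"])
        vertical = max(len(p) for p in ports_by_dst.values())
        horizontal = max(len(h) for h in hosts_by_port.values())
        for kind, count, threshold in (("vertical", vertical, port_threshold),
                                       ("horizontal", horizontal, host_threshold)):
            if count >= threshold and (e["src"], kind) not in already:
                already.add((e["src"], kind))
                alerts.append({"src": e["src"], "kind": kind, "count": count,
                               "first_seen": q[0]["ts"].isoformat(),
                               "at": e["ts"].isoformat()})
    return alerts


# Constructed sample log. Addresses are from the RFC 5737 documentation ranges.
_BASE = datetime(2023, 8, 1, 10, 0, 0, tzinfo=timezone.utc)


def _line(sec, src, dst, dport, action="DENY"):
    ts = (_BASE + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {action} src={src} dst={dst} dport={dport} proto=tcp"


SAMPLE_LOG = (
    [_line(s, "203.0.113.5", "10.0.0.10", 20 + s) for s in range(16)]             # vertical probe
    + [_line(5 + i, "198.51.100.7", f"10.0.0.{i + 1}", 445) for i in range(12)]    # horizontal sweep
    + [_line(s, "192.0.2.8", "10.0.0.10", 443, "ALLOW") for s in (1, 30, 59)]      # normal client
    + ["this line is not in the expected format"]                                  # parser must skip
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Both ALLOW and DENY lines are counted, since a probe of an open port is still a probe; each source is alerted once per scan type so a long sweep produces one alert rather than hundreds. This is the kind of rule a SIEM, as listed in the ASM tools earlier in the chapter, would run continuously over the organization’s own perimeter logs.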

These are common strategies used by threat actors, and understanding them helps ethical hackers to efficiently identify security vulnerabilities within organizations. Additionally, keep in mind that reconnaissance TTPs are continuously expanding as adversaries are developing new techniques and tools to compromise organizations. However, cybersecurity professionals and organizations can leverage reconnaissance TTPs to improve cyber defenses, identify and remediate security vulnerabilities, and reduce their attack surface and risk of a cyber-attack.

Summary

In this chapter, you have learned the importance of ethical hacking and how it helps organizations to improve their security posture. You have also discovered why threat actors spend a lot of time collecting information about their targets and how it can be leveraged to identify security vulnerabilities. Furthermore, you have learned why ethical hackers use similar techniques and strategies to help organizations identify and remediate their security vulnerabilities before a real cyber-attack occurs.

In addition, you have explored the need for attack surface management within the cybersecurity industry and how it helps organizations improve their defenses against cyber-attacks and threats. Lastly, you have gained an insight into the reconnaissance TTPs that are commonly observed around the world, as they help security professionals and organizations to improve their threat modeling and strategies for safeguarding their assets from cyber criminals.

I hope this chapter has been informative for you and helpful on your journey in the cybersecurity industry. In the next chapter, Setting Up a Reconnaissance Lab, you will learn how to construct a security lab environment that will be safe for performing active reconnaissance and vulnerability assessments on your personal computer.


Key benefits

  • Learn how adversaries use reconnaissance techniques to discover security vulnerabilities on systems
  • Develop advanced open source intelligence capabilities to find sensitive information
  • Explore automated reconnaissance and vulnerability assessment tools to profile systems and networks

Description

This book explores reconnaissance techniques – the first step in discovering security vulnerabilities and exposed network infrastructure. It aids ethical hackers in understanding adversaries’ methods of identifying and mapping attack surfaces, such as network entry points, which enables them to exploit the target and steal confidential information. Reconnaissance for Ethical Hackers helps you get a comprehensive understanding of how threat actors are able to successfully leverage the information collected during the reconnaissance phase to scan and enumerate the network, collect information, and pose various security threats. This book helps you stay one step ahead in knowing how adversaries use tactics, techniques, and procedures (TTPs) to successfully gain information about their targets, while you develop a solid foundation on information gathering strategies as a cybersecurity professional. The concluding chapters will assist you in developing the skills and techniques used by real adversaries to identify vulnerable points of entry into an organization and mitigate reconnaissance-based attacks. By the end of this book, you’ll have gained a solid understanding of reconnaissance, as well as learned how to secure yourself and your organization without causing significant disruption.

Who is this book for?

If you are an ethical hacker, a penetration tester, red teamer, or any cybersecurity professional looking to understand the impact of reconnaissance-based attacks, how they take place, and what organizations can do to protect against them, then this book is for you. Cybersecurity professionals will find this book useful in determining the attack surface of their organizations and assets on their network, while understanding the behavior of adversaries.

What you will learn

  • Understand the tactics, techniques, and procedures of reconnaissance
  • Grasp the importance of attack surface management for organizations
  • Find out how to conceal your identity online as an ethical hacker
  • Explore advanced open source intelligence (OSINT) techniques
  • Perform active reconnaissance to discover live hosts and exposed ports
  • Use automated tools to perform vulnerability assessments on systems
  • Discover how to efficiently perform reconnaissance on web applications
  • Implement open source threat detection and monitoring tools

Product Details

Publication date: Aug 04, 2023
Length: 430 pages
Edition: 1st
Language: English
ISBN-13: 9781837630639

Table of Contents

Part 1: Reconnaissance and Footprinting
Chapter 1: Fundamentals of Reconnaissance
Chapter 2: Setting Up a Reconnaissance Lab
Chapter 3: Understanding Passive Reconnaissance
Chapter 4: Domain and DNS Intelligence
Chapter 5: Organizational Infrastructure Intelligence
Chapter 6: Imagery, People, and Signals Intelligence
Part 2: Scanning and Enumeration
Chapter 7: Working with Active Reconnaissance
Chapter 8: Performing Vulnerability Assessments
Chapter 9: Delving into Website Reconnaissance
Chapter 10: Implementing Recon Monitoring and Detection Systems
Index
Other Books You May Enjoy

Customer reviews

Rating: 4.9 out of 5 (14 ratings): 5 star 92.9%, 4 star 7.1%, 3 star 0%, 2 star 0%, 1 star 0%
Tomica Kaniski, Aug 26, 2023 (5/5, Amazon verified review)
If you're looking for a great resource for gathering information about a certain subject, from an ethical hacker's point of view, this is a book for you. Has it all - a wealth of knowledge, guidance for setting up a lab, exercises, and numerous real-world examples, addressing both entry-level and advanced topics. I think it's a book you'll enjoy reading, but also be coming back to.

CarlonG., Aug 10, 2023 (5/5, Amazon verified review)
I was curious about learning how hackers think and I must say this one was an eye opener for me after completing my networking course. It has a lot of real world scenarios that we take for granted daily and would help you to better protect yourself and your data.

Saket Laddha, Aug 18, 2023 (5/5, Amazon verified review)
I recently read "Reconnaissance for Ethical Hackers" by Glen D. Singh and I highly recommend it. The book provides valuable insights and information on ethical hacking, specifically focusing on the importance of reconnaissance in data breaches and the essential steps for successful penetration testing. The author covers various topics such as real-world reconnaissance techniques, gathering sensitive information on systems and networks, vulnerability assessments, threat modeling, lateral movement, privilege escalation, command and control (C2), and advanced pentesting approaches and hacking techniques employed on networks, IoT, embedded peripheral devices, and radio frequencies. I appreciate the author's expertise and the practical knowledge shared in the book. It is considered a valuable resource for those looking to enhance their penetration testing skills and understand the tactics employed by real hackers. Overall, "Reconnaissance for Ethical Hackers" is a must-read for individuals interested in ethical hacking and penetration testing, providing valuable insights and practical knowledge in the field.

Dwayne Natwick, Aug 08, 2023 (5/5, Amazon verified review)
I received a copy of Packt Publishing’s Reconnaissance for Ethical Hackers by Glen Singh. In this book, the author provides an amazing overview of ethical hacking and how reconnaissance is important within cybersecurity operations. The book only becomes more intriguing and helpful from here. Glen provides all the guidance and tools necessary to create your own lab to perform security reconnaissance and evaluate vulnerable systems. This includes tools for websites, endpoints, identity, and the perimeter and internal networks. Each section dives into each of these areas and how to perform the activities for reconnaissance within various frameworks. The book closes with ways to then build these frameworks into monitoring and detection systems for security operations. I highly recommend this book for anyone that is wanting to understand how to approach cybersecurity reconnaissance from an ethical perspective.

justin cardinal, Aug 09, 2023 (5/5, Amazon verified review)
I would highly recommend this book. Glen D Singh provides a great insight as well as invaluable information on ethical hacking and how reconnaissance is important for cybersecurity operations. A great book for newcomers to cybersecurity.