Part II: Vulnerability Study Chapter 9

Network Reconnaissance

OSINT techniques, network scanning, service enumeration, cloud recon, and reconnaissance defense strategies

Chapter 9: Network Reconnaissance

The RSA Breach Began with Open-Source Intelligence

In March 2011, RSA Security, the company behind the SecurID tokens that protect millions of enterprise accounts, disclosed a sophisticated breach. The attack did not begin with technical exploitation. It began with reconnaissance.

Attackers researched RSA employees on LinkedIn and other social media and identified staff in specific roles. They then sent those people targeted phishing emails carrying an Excel attachment titled "2011 Recruitment Plan." The spreadsheet contained an embedded Flash object that exploited a zero-day vulnerability (CVE-2011-0609). One employee retrieved the message from the junk folder and opened it.

From that initial foothold the attackers moved laterally until they reached systems holding SecurID token seed material. The breach affected RSA's customers worldwide; defense contractor Lockheed Martin later reported an intrusion attempt that used the compromised SecurID data.

The RSA breach shows how reconnaissance, the information gathering that precedes an attack, determines its success or failure. Every detail about an organization's technology, employees, and infrastructure helps attackers refine their approach. This chapter covers reconnaissance techniques from both offensive and defensive perspectives.


Reconnaissance Fundamentals

Reconnaissance is the first phase of any security assessment or attack. It determines what’s possible and informs strategy.

Reconnaissance Categories

Reconnaissance Categories:
═══════════════════════════════════════════════════════════════════

PASSIVE RECONNAISSANCE:
┌──────────────────────────────────────────────────────────────────┐
│ No direct interaction with target                                │
│ Not observable by the target itself; third parties may log it    │
├──────────────────────────────────────────────────────────────────┤
│ • OSINT (public information)      • DNS records                  │
│ • Social media research           • Historical data (Wayback)    │
│ • Job postings analysis           • Certificate transparency     │
│ • Document metadata               • Code repository analysis     │
└──────────────────────────────────────────────────────────────────┘

ACTIVE RECONNAISSANCE:
┌──────────────────────────────────────────────────────────────────┐
│ Direct interaction with target systems                           │
│ Can be detected and logged by the target                         │
├──────────────────────────────────────────────────────────────────┤
│ • Port scanning                   • Banner grabbing              │
│ • Service enumeration             • Vulnerability scanning       │
│ • Web spidering                   • DNS zone transfers           │
│ • Network mapping                 • OS fingerprinting            │
└──────────────────────────────────────────────────────────────────┘

MITRE ATT&CK Reference

Reconnaissance maps to these ATT&CK techniques (Reconnaissance tactic, TA0043):

  • T1595 - Active Scanning
  • T1592 - Gather Victim Host Information
  • T1589 - Gather Victim Identity Information
  • T1590 - Gather Victim Network Information
  • T1591 - Gather Victim Org Information
  • T1593 - Search Open Websites/Domains
  • T1594 - Search Victim-Owned Websites
  • T1596 - Search Open Technical Databases (WHOIS, DNS, certificate logs, Shodan)

Passive Reconnaissance (OSINT)

Domain and DNS Information

# WHOIS lookup
whois example.com
# Shows: registrar, creation/expiry dates, nameservers, contact info (often redacted by privacy services)

# DNS records
# ANY is frequently refused or answered minimally (RFC 8482); query record types individually
dig example.com ANY +noall +answer
dig example.com A +short
dig example.com NS +short
dig example.com MX +short
dig example.com TXT +short           # SPF policy and verification tokens for SaaS vendors
dig _dmarc.example.com TXT +short    # DMARC policy and report addresses

# Find subdomains via certificate transparency
# name_value may hold several SANs separated by newlines; jq -r prints them on separate
# lines, and the sed strips the "*." of wildcard certificates
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

# Historical DNS records (passive DNS)
# ViewDNS.info, SecurityTrails, DNSDumpster
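The TXT records above are worth more than a glance: an SPF record lists the netblocks and third-party providers an organization sends mail through, and a DMARC record tells you whether spoofed mail is rejected and which vendor receives the reports. The following is an added example for this chapter, not code from the original text; the two record strings are constructed samples in the form `dig ... TXT +short` prints, and the domain, addresses and vendor name in them are placeholders.

```python
"""Pull infrastructure facts out of SPF and DMARC TXT records.

Added example for this chapter, not part of the original text. The two
record strings are constructed sample data in the shape `dig ... TXT +short`
prints; replace them with real answers for a domain you are authorized to
assess. Standard library only.
"""
import re

# Constructed sample answers (dig prints TXT rdata as one or more quoted strings).
SPF_ANSWER = ('"v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 " '
              '"include:_spf.google.com include:spf.protection.outlook.com '
              'a:mail.example.com mx -all"')
DMARC_ANSWER = ('"v=DMARC1; p=none; rua=mailto:dmarc@example.com,'
                'mailto:example@rua.dmarcvendor.example; ruf=mailto:forensics@example.com"')


def unquote_txt(answer: str) -> str:
    """Join the quoted string segments dig prints for a single TXT record."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', answer)
    return "".join(parts) if parts else answer.strip()


def parse_spf(record: str, domain: str) -> dict:
    """Map SPF mechanisms to what they reveal: netblocks, mail hosts, vendors."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    info = {"netblocks": [], "hosts": [], "includes": [], "redirect": None, "all": None}
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):      # policy lives in another domain's record
            info["redirect"] = term.split("=", 1)[1]
            continue
        if term.lower().startswith("exp="):           # explanation modifier, no recon value
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            info["netblocks"].append(value)           # IP space the org sends mail from
        elif mech == "include":
            info["includes"].append(value)            # third-party mail providers
        elif mech in ("a", "mx"):
            info["hosts"].append(value or domain)     # hosts whose A/MX records are mail sources
        elif mech == "all":
            info["all"] = qualifier                   # "-" hard fail, "~" soft fail, "+" anyone
    return info


def parse_dmarc(record: str, domain: str) -> dict:
    """Extract policy strength and where reports go (often a DMARC vendor)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")

    def addresses(tag):
        # "mailto:addr!10m" carries an optional size limit after "!"
        return [a.strip().removeprefix("mailto:").split("!")[0]
                for a in tags.get(tag, "").split(",") if a.strip()]

    rua, ruf = addresses("rua"), addresses("ruf")
    external = sorted({a.rsplit("@", 1)[1] for a in rua + ruf
                       if "@" in a and not a.endswith("@" + domain)})
    return {
        "policy": tags.get("p"),
        "subdomain_policy": tags.get("sp", tags.get("p")),
        "pct": int(tags.get("pct", "100")),
        "aggregate_reports": rua,
        "forensic_reports": ruf,
        "external_report_domains": external,   # third parties receiving the org's mail telemetry
        "spoofable": tags.get("p", "none") == "none",   # p=none: receivers only monitor
    }


def mail_profile(domain: str, spf_answer: str, dmarc_answer: str) -> dict:
    """Combine both records into the summary you would paste into recon notes."""
    return {"domain": domain,
            "spf": parse_spf(unquote_txt(spf_answer), domain),
            "dmarc": parse_dmarc(unquote_txt(dmarc_answer), domain)}


if __name__ == "__main__":
    import json
    print(json.dumps(mail_profile("example.com", SPF_ANSWER, DMARC_ANSWER), indent=2))
```

Read the output the way an attacker would: `includes` names the mail vendors (and therefore the SaaS accounts worth phishing for), `netblocks` gives you address space to add to scope, and `policy: none` means a spoofed message from the domain will be delivered rather than rejected.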

Subdomain Enumeration

# Amass - comprehensive subdomain discovery (passive sources only, written to a file)
amass enum -passive -d example.com -o amass.txt

# Subfinder - fast passive enumeration
subfinder -d example.com -silent -o subfinder.txt

# theHarvester - multi-source OSINT (hosts, email addresses, IPs)
theHarvester -d example.com -b all

# Combine and deduplicate results (many names will be stale; resolve them before scanning)
cat amass.txt subfinder.txt | sort -u > all_subdomains.txt
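The `sort -u` step above treats names as opaque strings, which leaves three problems for you to clean up by hand: crt.sh packs every SAN of a certificate into one `name_value` separated by newlines, wildcard entries are namespaces rather than hosts, and look-alike names such as `example.com.attacker.example` slip through a naive grep. The consolidation below is an added example, not code from the chapter or from amass/subfinder; the crt.sh JSON and the two tool outputs are constructed samples in the same shape as the real data.

```python
"""Consolidate subdomain candidates from crt.sh JSON and tool output files.

Added example, not from the chapter. CRTSH_JSON is constructed in the same
shape https://crt.sh/?q=%25.example.com&output=json returns; AMASS_OUTPUT and
SUBFINDER_OUTPUT stand in for the amass.txt and subfinder.txt written above.
"""
import json

CRTSH_JSON = json.dumps([  # constructed sample, same fields as the real API
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com", "not_after": "2025-06-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.dev.example.com", "not_after": "2024-11-15T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "VPN.Example.com.", "not_after": "2025-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.attacker.example", "not_after": "2025-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com", "not_after": "2023-01-01T00:00:00"},
])
AMASS_OUTPUT = "api.example.com\nmail.example.com\n"
SUBFINDER_OUTPUT = "staging.example.com\nwww.example.com\n\n"


def in_scope(name: str, domain: str) -> bool:
    """True for the apex or any label under it; rejects look-alikes such as
    example.com.attacker.example and notexample.com."""
    return name == domain or name.endswith("." + domain)


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def names_from_crtsh(raw_json: str, domain: str) -> tuple:
    """Return (hostnames, wildcard_zones) found in crt.sh output.

    name_value holds every SAN of a cert joined by newlines, so one entry may
    yield several names. Wildcards are kept separately: "*.dev.example.com"
    is a namespace to brute-force, not a host to scan.
    """
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for raw in entry["name_value"].split("\n"):
            name = normalize(raw)
            if name.startswith("*."):
                name, target = name[2:], wildcards
            else:
                target = hosts
            if name and in_scope(name, domain):
                target.add(name)
    return hosts, wildcards


def names_from_tool_output(text: str, domain: str) -> set:
    """One hostname per line, as amass -o and subfinder -o write."""
    return {n for n in map(normalize, text.splitlines()) if n and in_scope(n, domain)}


def merge_subdomains(domain: str, crtsh_json: str, *tool_outputs: str) -> dict:
    ct_hosts, wildcards = names_from_crtsh(crtsh_json, domain)
    hosts = set(ct_hosts)
    for text in tool_outputs:
        hosts |= names_from_tool_output(text, domain)
    return {"hosts": sorted(hosts), "wildcard_zones": sorted(wildcards)}


if __name__ == "__main__":
    result = merge_subdomains("example.com", CRTSH_JSON, AMASS_OUTPUT, SUBFINDER_OUTPUT)
    print("\n".join(result["hosts"]))
    print("wildcard zones worth brute-forcing:", ", ".join(result["wildcard_zones"]))
```

The `not_after` field is kept in the sample because it is the next filter you will want: a name whose only certificate expired two years ago is a hint the host is gone, and resolving the merged list before port scanning confirms it.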

Search Engine Dorking

Google Dorks for Reconnaissance

Google Dorks for Reconnaissance:
═══════════════════════════════════════════════════════════════════

SITE ENUMERATION:
site:example.com                    # All indexed pages
site:example.com filetype:pdf       # PDF documents
site:example.com inurl:admin        # Admin pages
site:example.com intitle:"index of" # Directory listings

SENSITIVE FILES:
site:example.com ext:sql            # SQL dumps
site:example.com ext:env            # Environment files
site:example.com ext:bak            # Backup files
site:example.com ext:log            # Log files

CONFIGURATION LEAKS:
site:example.com intext:password    # Password mentions
site:example.com inurl:config       # Config files
intext:"secret_key" site:github.com example  # API keys

TECHNOLOGY DISCOVERY:
site:example.com "powered by"       # Technology stack
site:example.com inurl:"php?id="    # Dynamic pages with parameters (injection candidates)

Social Media and Employee OSINT

Employee Intelligence Sources

Employee Intelligence Sources:
═══════════════════════════════════════════════════════════════════

LINKEDIN:
- Employee names and roles
- Technology stack from job postings
- Organizational structure
- Third-party vendors mentioned

GITHUB/GITLAB:
- Company repositories
- Employee personal repos mentioning work
- Commit history with email addresses
- Accidentally committed secrets

JOB POSTINGS:
- Technologies in use
- Security tools (or lack thereof)
- Team structure
- Growth areas (potential new systems)

DOCUMENT METADATA:
- Author names from PDFs/Word docs
- Software versions used
- Internal paths/usernames
- Creation dates and modification history

Extracting Metadata:

# ExifTool for document metadata
exiftool document.pdf
# Author: John Smith
# Creator: Microsoft Word 2019
# Create Date: 2024:01:15 10:30:00

# FOCA - Automated metadata extraction
# Download documents, extract metadata in bulk

Network Scanning

Host Discovery

# Ping sweep (as root: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp;
# unprivileged: TCP connect to 80 and 443 only)
nmap -sn 192.168.1.0/24

# TCP SYN ping to chosen ports (useful where ICMP is filtered)
nmap -sn -PS22,80,443 192.168.1.0/24

# ARP scan (local subnet only; nmap already uses ARP there when run as root)
sudo nmap -sn -PR 192.168.1.0/24

# Or use arp-scan
sudo arp-scan -l

# List scan (reverse-DNS resolution only, no packets sent to the targets)
nmap -sL 192.168.1.0/24

Port Scanning Techniques

# TCP SYN scan (default when root; half-open, so the application never sees a
# connection, but any IDS or firewall in the path still does)
sudo nmap -sS 192.168.1.100

# TCP Connect scan (no root required; completes the handshake, so the service logs it)
nmap -sT 192.168.1.100

# UDP scan (slow but important: DNS, SNMP, NTP and TFTP live here)
sudo nmap -sU --top-ports 100 192.168.1.100

# Comprehensive scan (all 65535 TCP ports; all UDP ports can take many hours)
sudo nmap -sS -sU -p- 192.168.1.100

# Fast scan of the 100 most common ports
nmap -F 192.168.1.100

# Specific ports
nmap -p 22,80,443,3389 192.168.1.100

# Port range
nmap -p 1-1024 192.168.1.100

Port Scan Types

Port Scan Types:
═══════════════════════════════════════════════════════════════════

TCP SYN Scan (-sS):
SYN ────►
     ◄──── SYN/ACK  = open      (nmap answers with RST; the handshake never completes)
     ◄──── RST      = closed
     (no reply, or ICMP unreachable) = filtered

TCP Connect (-sT):
Full 3-way handshake, so the service itself sees and may log the connection

UDP Scan (-sU):
UDP packet ────►
     ◄──── UDP reply                  = open
     ◄──── ICMP port unreachable      = closed
     ◄──── other ICMP unreachable     = filtered
     (silence)                        = open|filtered

FIN/NULL/Xmas Scans (-sF/-sN/-sX):
Rely on RFC 793: a closed port answers a packet without SYN/RST/ACK with RST,
an open port drops it silently. Can bypass stateless packet filters that only
look for SYN. Useless against Windows and many network devices, which send RST
regardless of port state.

Service and Version Detection

# Service version detection (default intensity 7)
nmap -sV 192.168.1.100

# Aggressive version detection (try every probe; slower and noisier)
nmap -sV --version-intensity 9 192.168.1.100

# Lighter, faster probing for large scopes (intensity 2)
nmap -sV --version-light 192.168.1.100

# OS detection (works best with at least one open and one closed TCP port)
sudo nmap -O 192.168.1.100

# Combined
sudo nmap -sS -sV -O 192.168.1.100

# Script scanning with the default NSE script set
nmap -sC 192.168.1.100

# Full enumeration (-A is shorthand for -sV -O -sC --traceroute)
sudo nmap -sS -sV -O -sC -p- -oA full 192.168.1.100

Sample Output:

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9 (Ubuntu Linux)
80/tcp   open  http       Apache httpd 2.4.52
443/tcp  open  ssl/http   Apache httpd 2.4.52
3306/tcp open  mysql      MySQL 8.0.32

OS details: Linux 5.15 - 5.19
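The human-readable output above is fine for one host, but the documentation phase later in this chapter needs the same facts as structured data for every host. nmap's `-oX` output carries them in a stable schema. The parser below is an added example, not part of the chapter or of nmap; `SAMPLE_XML` is a constructed, trimmed nmap XML document with the same findings as the sample output above, and the port classes used for triage are an assumption you should adapt to the engagement.

```python
"""Turn nmap -oX output into the inventory the documentation phase needs.

Added example, not from the chapter. SAMPLE_XML is a constructed, trimmed
nmap XML document matching the sample output above; real input comes from
`nmap ... -oX scan.xml`. Standard library only.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.1.100">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9" extrainfo="Ubuntu Linux"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.52" tunnel="ssl"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
  <service name="mysql" product="MySQL" version="8.0.32"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
</ports>
<os><osmatch name="Linux 5.15 - 5.19" accuracy="95"/></os>
</host>
</nmaprun>
"""

# Assumed triage classes: open ports here are entry points to investigate first.
PORT_CLASSES = {
    "remote-admin": {22, 23, 3389, 5900, 5985, 5986},
    "database": {1433, 1521, 3306, 5432, 6379, 27017},
    "file-sharing": {21, 139, 445, 2049},
}


def describe_service(service) -> str:
    """Rebuild the VERSION column nmap prints from the XML attributes."""
    if service is None:
        return ""
    text = " ".join(v for v in (service.get("product"), service.get("version")) if v)
    if service.get("extrainfo"):
        text += f" ({service.get('extrainfo')})"
    return text


def parse_nmap_xml(xml_text: str) -> list:
    """One dict per live host: ip, hostname, os guess and its open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                        # filtered/closed ports are not attack surface
            svc = port.find("service")
            svc_name = svc.get("name", "") if svc is not None else ""
            if svc is not None and svc.get("tunnel") == "ssl":
                svc_name = "ssl/" + svc_name    # nmap prints "ssl/http" for TLS-wrapped services
            ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                          "service": svc_name, "version": describe_service(svc)})
        hosts.append({"ip": addr.get("addr") if addr is not None else None,
                      "hostname": name.get("name") if name is not None else None,
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "open_ports": ports})
    return hosts


def triage(hosts: list) -> list:
    """Flag open TCP ports by class. These are leads to verify, not confirmed vulnerabilities."""
    findings = []
    for h in hosts:
        for p in h["open_ports"]:
            for cls, members in PORT_CLASSES.items():
                if p["proto"] == "tcp" and p["port"] in members:
                    findings.append((h["ip"], p["port"], cls, p["version"]))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for h in inventory:
        print(f"{h['ip']} ({h['hostname']}) OS: {h['os']}")
        for p in h["open_ports"]:
            print(f"  {p['port']}/{p['proto']:<4} {p['service']:<10} {p['version']}")
    for ip, port, cls, version in triage(inventory):
        print(f"review: {ip}:{port} [{cls}] {version}")
```

Keeping the `version` string verbatim matters: it is the value you will later match against advisories, and rounding "OpenSSH 8.9 (Ubuntu Linux)" down to "ssh" throws away the Ubuntu backport context that decides whether a CVE actually applies.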

Service Enumeration

Web Enumeration

# Directory brute forcing
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# Comprehensive web scanning
nikto -h http://target.com

# Technology detection
whatweb http://target.com

# WordPress enumeration (users, plugins, themes)
wpscan --url http://target.com/wordpress/ --enumerate u,p,t

# CMS detection
cmseek -u http://target.com

SMB Enumeration

# Enumerate shares, users, groups and password policy over a null session
enum4linux -a 192.168.1.100
# (enum4linux-ng is the maintained rewrite with the same purpose)

# SMB client: list shares without a password
smbclient -L //192.168.1.100 -N

# Nmap SMB scripts
nmap -p 445 --script smb-enum-shares,smb-enum-users 192.168.1.100

# CrackMapExec (archived; NetExec, invoked as nxc, is its maintained successor)
# Share and user enumeration need a session, so pass a null login or valid credentials
crackmapexec smb 192.168.1.100 -u '' -p '' --shares
crackmapexec smb 192.168.1.100 -u '' -p '' --users

SNMP Enumeration

# SNMPwalk (default community "public"; only SNMPv1/v2c use community strings,
# SNMPv3 authenticates per user and is not exposed to this)
snmpwalk -c public -v2c 192.168.1.100
# Useful subtrees: system (1.3.6.1.2.1.1), interfaces (1.3.6.1.2.1.2),
# running processes and installed software (HOST-RESOURCES-MIB, 1.3.6.1.2.1.25)

# SNMP check
snmp-check 192.168.1.100

# Nmap SNMP scripts
nmap -sU -p 161 --script snmp-info,snmp-sysdescr 192.168.1.100

# Brute force community strings
onesixtyone -c communities.txt 192.168.1.100

LDAP Enumeration

# Anonymous bind (-x: simple authentication with no credentials; -H takes a URI, -h is deprecated)
ldapsearch -x -H ldap://192.168.1.100 -b "dc=example,dc=com"

# Enumerate users (Active Directory object class; many domain controllers refuse anonymous reads)
ldapsearch -x -H ldap://192.168.1.100 -b "dc=example,dc=com" "(objectClass=user)" sAMAccountName

# Nmap LDAP scripts: the rootDSE reveals naming contexts and supported auth without binding
nmap -p 389 --script ldap-rootdse 192.168.1.100

Cloud Reconnaissance

Cloud Asset Discovery

Cloud Reconnaissance Targets

Cloud Reconnaissance Targets:
═══════════════════════════════════════════════════════════════════

AWS:
- S3 buckets: company.s3.amazonaws.com (also s3.<region>.amazonaws.com/company)
- EC2 instance metadata: 169.254.169.254 (link-local, reachable only from inside an
  instance; relevant after SSRF or a foothold, not from the internet)
- CloudFront distributions: *.cloudfront.net CNAMEs in the target's DNS
- API Gateway endpoints: *.execute-api.<region>.amazonaws.com

AZURE:
- Blob storage: company.blob.core.windows.net
- Entra ID (formerly Azure AD) tenant: login.microsoftonline.com/company.com
- App Service: company.azurewebsites.net

GCP:
- Cloud Storage: storage.googleapis.com/company
- App Engine: company.appspot.com
- Cloud Functions / Cloud Run endpoints: *.cloudfunctions.net, *.run.app

S3 Bucket Enumeration

# Check whether a bucket exists and whether it lists anonymously
aws s3 ls s3://company-backup --no-sign-request
# NoSuchBucket = name is free; AccessDenied = exists but private; a listing = public

# Bucket finder tools
# cloud_enum (AWS, Azure and GCP storage and app endpoints from one keyword)
python3 cloud_enum.py -k company

# S3Scanner
s3scanner scan --bucket company-backup

# Common bucket names to check:
# company-backup, company-dev, company-staging
# company-logs, company-data, company-assets
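Two things the tools above do for you are worth understanding directly: how candidate names are generated from a keyword, and how S3's unauthenticated responses are interpreted. The following is an added example, not code from the chapter or from cloud_enum or S3Scanner. It sends no requests; the response bodies are constructed samples in the format S3 returns to a `GET https://<bucket>.s3.amazonaws.com/`, and the suffix list is an assumption to extend from your own OSINT (product names, team names, acronyms).

```python
"""Generate bucket-name candidates and interpret S3's unauthenticated answers.

Added example, not from the chapter or from cloud_enum/S3Scanner. No network
requests are made; NO_SUCH_BUCKET, ACCESS_DENIED and PUBLIC_LISTING are
constructed samples of the bodies S3 returns. In a real check, pass the status
code and body of GET https://<bucket>.s3.amazonaws.com/ to classify_s3_response.
"""
import re

# Assumed permutation list; extend it with names learned during OSINT.
SUFFIXES = ["backup", "backups", "dev", "staging", "prod", "logs", "data", "assets", "uploads"]

# Constructed sample bodies for the common outcomes.
NO_SUCH_BUCKET = ("<Error><Code>NoSuchBucket</Code>"
                  "<Message>The specified bucket does not exist</Message></Error>")
ACCESS_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
PUBLIC_LISTING = ("<ListBucketResult><Name>company-backup</Name>"
                  "<Contents><Key>backups/db-2024-01.sql.gz</Key><Size>1048576</Size></Contents>"
                  "<Contents><Key>config/.env</Key><Size>512</Size></Contents>"
                  "</ListBucketResult>")


def valid_bucket_name(name: str) -> bool:
    """AWS rules: 3-63 chars, lowercase letters, digits, dots and hyphens, alphanumeric ends."""
    return bool(re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", name)) and ".." not in name


def candidate_bucket_names(keyword: str) -> list:
    """Keyword permutations in the style of cloud_enum: company-backup, backup-company, ..."""
    keyword = keyword.lower()
    names = {keyword}
    for suffix in SUFFIXES:
        names.update({f"{keyword}-{suffix}", f"{keyword}{suffix}",
                      f"{suffix}-{keyword}", f"{keyword}.{suffix}"})
    return sorted(n for n in names if valid_bucket_name(n))


def classify_s3_response(status: int, body: str) -> str:
    """Map one unauthenticated GET on the bucket root to a recon finding."""
    if status == 404 and "<Code>NoSuchBucket</Code>" in body:
        return "does-not-exist"
    if status == 403:
        return "exists-private"          # AccessDenied/AllAccessDisabled: taken, not listable anonymously
    if status == 301:
        return "exists-other-region"     # PermanentRedirect: retry against the regional endpoint
    if status == 200 and "<ListBucketResult" in body:
        return "exists-public-listing"   # anyone can enumerate keys
    return "unknown"


def listed_keys(body: str) -> list:
    """Object keys from a public listing; the names alone often tell you what leaked."""
    return re.findall(r"<Key>(.*?)</Key>", body)


if __name__ == "__main__":
    for name in candidate_bucket_names("company")[:5]:
        print("would check:", f"https://{name}.s3.amazonaws.com/")
    verdict = classify_s3_response(200, PUBLIC_LISTING)
    print(verdict, listed_keys(PUBLIC_LISTING))
```

Note the asymmetry that makes bucket enumeration work at all: a 403 still confirms that the name belongs to someone, so even a fully private bucket leaks the fact that "company" is an AWS customer with that naming scheme.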

Azure Enumeration

# Entra ID (Azure AD) tenant discovery
# A real tenant returns JSON including its tenant ID; an unknown domain returns an AADSTS90002 error
curl -s "https://login.microsoftonline.com/company.com/.well-known/openid-configuration"

# Blob container enumeration with the MicroBurst toolkit (PowerShell)
Import-Module MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base company

# Manually list a container that allows anonymous access
# (a GET, not a HEAD, so the XML listing body is returned)
curl -s "https://company.blob.core.windows.net/backup?restype=container&comp=list"

Vulnerability Scanning

Automated Scanners

# Nessus (commercial, industry standard)
# OpenVAS / Greenbone (open source)
# Qualys (cloud-based)

# Nmap vulnerability scripts (most need -sV to select the right checks)
nmap -sV --script vuln 192.168.1.100

# Specific vulnerability checks
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.100   # EternalBlue (MS17-010)
nmap -p 443 --script ssl-heartbleed 192.168.1.100       # Heartbleed (CVE-2014-0160)

Web Application Scanning

# OWASP ZAP (zap-cli drives a running ZAP daemon)
zap-cli quick-scan http://target.com

# Burp Suite (interactive)
# Industry standard for web app testing

# Nuclei (template-based; -t selects a template directory)
nuclei -u http://target.com -t cves/

# SQLMap confirms and exploits SQL injection, so it goes beyond reconnaissance
# and belongs only in an engagement that authorizes exploitation
sqlmap -u "http://target.com/page?id=1" --batch

Reconnaissance Framework

Methodology

Reconnaissance Methodology

Reconnaissance Methodology:
═══════════════════════════════════════════════════════════════════

PHASE 1: PASSIVE (OSINT)
────────────────────────
1. Domain registration (WHOIS)
2. DNS records (MX, TXT, subdomains)
3. Certificate transparency
4. Search engine dorking
5. Social media/LinkedIn
6. Job postings
7. GitHub/GitLab repos
8. Document metadata
9. Shodan/Censys

PHASE 2: SEMI-PASSIVE
─────────────────────
(traffic that reaches the target's DNS and web servers but looks like ordinary user activity)
1. DNS/subdomain brute forcing
2. Web spidering

PHASE 3: ACTIVE
───────────────
1. Host discovery
2. Port scanning
3. Service enumeration
4. Vulnerability scanning
5. Web application scanning

DOCUMENTATION:
─────────────
- IPs and hostnames discovered
- Services and versions
- Potential entry points
- Technologies identified
- Employee information
- Organizational structure

Recon Tools Summary

Category     Tools
─────────    ─────────────────────────────────────────────────────────
OSINT        theHarvester, Maltego, SpiderFoot
Subdomain    Amass, Subfinder, Sublist3r
DNS          dig, dnsrecon, DNSDumpster
Scanning     Nmap, Masscan, ZMap
Web          Nikto, Gobuster, Burp Suite
Vuln Scan    Nessus, OpenVAS, Nuclei
Cloud        cloud_enum (unauthenticated); ScoutSuite, Prowler (need credentials)

Defending Against Reconnaissance

Reducing Attack Surface

Reconnaissance Defense

Reconnaissance Defense:
═══════════════════════════════════════════════════════════════════

OSINT REDUCTION:
░ WHOIS privacy protection
░ Minimal public DNS records (no internal hostnames in public zones; split-horizon DNS)
░ Strip document metadata before publishing (exiftool -all= file; PDFs keep old
  metadata until the file is rewritten)
░ Social media and job-posting guidance for employees and recruiters
░ Review job postings for product names, versions and security tooling
░ Monitor for leaked credentials and secrets in public code repositories

NETWORK HARDENING:
░ Firewall non-essential ports; put admin interfaces behind a VPN or identity-aware proxy
░ Rate limit DNS queries
░ Restrict zone transfers (AXFR) to secondary nameservers
░ Filter ICMP echo where not needed (keep the ICMP types path-MTU discovery relies on)
░ Use non-standard ports (obscurity supplement only)

MONITORING:
░ Log and alert on port scans (many distinct ports or hosts from one source)
░ Monitor for reconnaissance patterns (bursts of 404s, DNS brute forcing, hits on new certificates)
░ Honeypots and canary tokens for detection
░ Dark web and paste-site monitoring for leaks

Honeypots and Deception

# Artillery - Honeypot + monitoring
# Detects port scans, logs attackers

# Cowrie - SSH/Telnet honeypot
# Captures attacker commands, credentials used

# T-Pot - Multi-honeypot platform
# Various services, visualization dashboard

Lab Exercise: Comprehensive Reconnaissance

Objective

Perform full reconnaissance on authorized target.

Environment

Lab Setup

Lab Setup:
├── Target: Deliberately vulnerable machine (DVWA, Metasploitable)
├── Tools: Kali Linux or similar
└── IMPORTANT: Only assess systems you own or have written authorization to test!

Exercise 1: Passive Recon

# Against YOUR test domain

# WHOIS
whois yourdomain.com

# DNS records (query types individually; ANY is often refused)
dig yourdomain.com A +short
dig yourdomain.com NS +short
dig yourdomain.com MX +short
dig yourdomain.com TXT +short

# Certificate transparency (-r strips the JSON quotes so sort -u works on bare names)
curl -s "https://crt.sh/?q=%25.yourdomain.com&output=json" | jq -r '.[].name_value' | sort -u

# Document results

Exercise 2: Active Scanning

# Against YOUR test network

# Host discovery
nmap -sn 192.168.1.0/24 -oN hosts.txt

# Port scan discovered hosts (SYN scan and OS detection need root)
sudo nmap -sS -sV -O -oA full_scan <target_ip>

# Analyze results (-oA also wrote full_scan.xml and full_scan.gnmap for tooling)
cat full_scan.nmap

Exercise 3: Service Enumeration

# Based on open ports found

# Web enumeration
gobuster dir -u http://<target>/ -w /usr/share/wordlists/dirb/common.txt

# SMB enumeration (if port 445 open)
enum4linux -a <target>

# Document all findings

Key Takeaways

  1. Reconnaissance is the foundation: the quality of recon determines attack success

  2. Passive OSINT is invisible to the target, and organizations leak significant information publicly

  3. DNS is a goldmine: subdomains, mail servers and TXT records reveal infrastructure and vendors

  4. Service enumeration identifies exploitable versions; know what you're attacking

  5. Cloud adds new surface: S3 buckets and Azure blobs are common exposure points

  6. Defense requires visibility; you can't protect what you don't monitor


Self-Assessment

  1. Comprehension: Why is passive reconnaissance invisible to the target, and what limits does it have?

  2. Application: You’ve been asked to assess a company’s external attack surface. Describe your methodology for the first hour.

  3. What if: During a pentest, you discover an exposed S3 bucket with sensitive data. What’s your ethical responsibility?


Review Questions

  1. What’s the difference between passive and active reconnaissance?
  2. How does certificate transparency aid subdomain discovery?
  3. Explain three Google dork operators and their reconnaissance uses.
  4. What information can be extracted from document metadata?
  5. How do you enumerate cloud storage (S3, Azure Blob)?
  6. What defensive measures reduce an organization’s reconnaissance exposure?

MITRE ATT&CK Mapping

Technique                       Technique ID   Description
──────────────────────────────  ─────────────  ─────────────────────────────
Active Scanning                 T1595          Port scans, vuln scans
Gather Victim Network Info      T1590          DNS, IP ranges
Search Open Websites/Domains    T1593          Google dorking, OSINT
Search Victim-Owned Websites    T1594          Web content analysis
Gather Victim Host Info         T1592          OS, software versions
Gather Victim Identity Info     T1589          Employee details