
You're reading from  The Ultimate Kali Linux Book - Third Edition

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781835085806
Edition: 3rd Edition
Author: Glen D. Singh

Glen D. Singh is a cybersecurity author, educator and SecOps professional. His areas of expertise are cybersecurity operations, offensive security tactics and techniques, and enterprise networking. He holds a Master of Science (MSc) in cybersecurity and many industry certifications from top awarding bodies such as EC-Council, Cisco, and Check Point. Glen loves teaching and mentoring others while sharing his wealth of knowledge and experience as an author. He has written many books, which focus on vulnerability discovery and exploitation, threat detection, intrusion analysis, incident response, network security, and enterprise networking. As an aspiring game changer, Glen is passionate about increasing cybersecurity awareness in his homeland, Trinidad and Tobago.

Passive Reconnaissance

As an aspiring ethical hacker and penetration tester, it’s important to develop your skills and gain a solid understanding of how adversaries are able to efficiently discover and collect sensitive information about a targeted organization, and analyze the collected data to create meaningful information that can be leveraged in planning a future cyber-attack on the target. As with many aspiring ethical hackers, we are always excited to get started with hacking into systems and networks as it’s the fun part of learning offensive security tactics and techniques. However, it’s important to develop the mindset of an adversary to better understand why and how a real threat actor will plan their attack on a targeted system, network, or organization.

Adversaries use various reconnaissance techniques and procedures to find and collect data about their targets to better understand whether the targeted systems are online, whether any security vulnerabilities...

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following software requirement:

The importance of reconnaissance

Reconnaissance focuses on collecting as much data as possible on a target and then analyzing the collected data to create meaningful information that can be leveraged by an adversary or threat actor to identify the attack surface and security vulnerabilities on a targeted system, network, or organization. Adversaries use various reconnaissance techniques and tools to collect system information, networking information, and organizational information about their targets. Without first understanding your target and their weaknesses, it’ll be challenging to develop cyber-attack methods, including exploits that will be effective in compromising the confidentiality, integrity, and/or availability of the targeted system, network, or organization. This section provides a general introduction to reconnaissance before we dive deep into the specifics of passive reconnaissance.

Let’s take a look at the different types of information that may...

Exploring passive reconnaissance

Passive reconnaissance focuses on collecting information without directly connecting or interacting with the target. This method reduces the threat level of the ethical hacker and penetration tester, thereby reducing the likelihood of triggering any alerts that notify the target that someone is collecting information about them, their systems, and network infrastructure.

Each day, more data is being uploaded and created on the internet by people around the world. Whether someone is uploading a picture of themselves, a fun marketing video, or even information about new products and services for new and existing customers, the internet stores lots of data that can be harvested and carefully analyzed by cyber criminals to better understand their targets and improve their cyber operations. As previously mentioned, ethical hackers and penetration testers use the same TTPs as real threat actors as a method to efficiently discover how organizations are...

Creating a sock puppet

There are many techniques and tools that are commonly used by ethical hackers and penetration testers to gather information about their targets from various sources on the internet. When performing passive reconnaissance and using OSINT strategies and techniques, you’ll need to ensure you do not make direct contact with the targeted organization and that your real identity is not revealed during the process.

Sock puppet is a term that’s used within the cybersecurity industry, especially among penetration testers. It is simply a misrepresentation of an individual, such as creating an entire fake identity or persona with the intent to infiltrate an online community to gather information.

While pretending to be someone else is unlawful, hackers always create a fake identity on the internet when gathering information about their targets. By creating a fake persona on an online platform such as a social media website, no one knows the true identity...

Anonymizing internet-based traffic

Ensuring your identity is kept secret during a penetration test is important to prevent the target from knowing who is collecting information about them. However, during the reconnaissance phase of the Cyber Kill Chain® (covered in Chapter 1), you may be using various tools to help automate the information-gathering process. These tools will generate traffic and contain your source IP address within each packet that leaves your device.

For instance, suppose you’re performing a port scan on a targeted web server to identify open ports and running services. When the port scanner tool on your device sends specially crafted packets (probes) to the targeted web server, each probe will contain your source IP address, which can be used to identify your geolocation. The targeted web server will generate log messages on each transaction it performs, and those logs will contain a record of all source IP addresses, including yours. Targets can identify and counteract...
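To show what the target side sees in those log records, the following added example (not code from the book) groups constructed connection-log lines by source IP address and flags any source that touched many distinct ports on one host within a short window. The log line format, the thresholds, and the names `parse` and `find_scanners` are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a firewall connection log
# (timestamp, SRC, DST, DPT); the format is an assumption for this example.
SAMPLE_LOG = """\
2024-04-02T10:00:00 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP DPT=21
2024-04-02T10:00:01 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP DPT=22
2024-04-02T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-04-02T10:00:02 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP DPT=23
2024-04-02T10:00:02 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP DPT=25
2024-04-02T10:00:03 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP DPT=80
2024-04-02T10:00:30 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-04-02T10:05:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
""".splitlines()

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)$")

def parse(lines):
    """Yield (time, src, dst, port) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_scanners(lines, min_ports=5, window=timedelta(seconds=10)):
    """Return {src: sorted ports} for sources that touched at least
    min_ports distinct ports on one destination inside the time window."""
    events = defaultdict(list)            # (src, dst) -> [(time, port), ...]
    for ts, src, dst, port in parse(lines):
        events[(src, dst)].append((ts, port))
    flagged = {}
    for (src, dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the slice spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged.setdefault(src, set()).update(ports)
    return {src: sorted(p) for src, p in flagged.items()}

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed ports {ports}")
```

The source that walked five ports in three seconds is flagged, while the client that only returned to ports 443 and 80 over several minutes is not.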

Summary

In this chapter, you have learned how reconnaissance plays an important role during penetration testing and how it helps ethical hackers build a profile about their targets to better understand the security vulnerabilities that exist on them. In addition, you have explored the various TTPs of reconnaissance and how penetration testers leverage OSINT to identify how targeted organizations are leaking sensitive data about themselves and how it can be leveraged by a real adversary. Lastly, you have gained the skills and hands-on experience to conceal your online identity and anonymize your internet-based traffic as an ethical hacker and penetration tester.

I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path toward becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding empower you on your journey, allowing you to navigate the industry with confidence...

Further reading

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet
