Reconnaissance

The objective of Reconnaissance is to identify publicly available information that might aid an attacker in formulating or executing attacks against an organization. This engagement is often performed in conjunction with tests that evaluate the external attack surface of customer environments (External Network Penetration Test, Red Team Exercise, Purple Team Exercise, etc). However, Reconnaissance can be performed in a standalone fashion for organizations that desire knowledge of their Open-Source Intelligence (OSINT) footprint.

Typically, reconnaissance begins with the customer’s company name and/or domain name. This starting information is used to gather additional details about the organization that an attacker would need for staging a successful attack, either directly or through social engineering. Information that is typically desired during reconnaissance includes, but is not limited to:

title: Organizational Relationship Enumeration
 
Attackers may be able to gain access to an organization's network through its parent or subsidiaries. As a result, having a list of parent and child organizations is useful for scoping during Rules of Engagement discussions and during execution of the test. Typically, on an External Penetration Test, these organizations will be out of scope. However, on a Red Team Exercise, targeting subsidiaries may be acceptable. Resources belonging to the parent or subsidiaries should be enumerated as described in the sections below.
title: Network Resource Discovery
 
In the context of external attack surface evaluation and validation, knowledge of the IP addresses, network blocks, URLs, domains, listening services, and exposed ports can be a valuable tool. In the context of reconnaissance, this information is gathered without interacting directly with target resources.
title: Domain Name System (DNS) Analysis
 
DNS record analysis can provide a significant amount of insight into a target organization. The following information is typically useful for analysis:
 + Name Server Records (NS) - NS records indicate whether the organization hosts its own DNS servers or uses a service provider for DNS.
 + Mail Exchanger Records (MX) - MX records identify the Mail Transfer Agents (MTAs) that receive email for the organization's domain. Review of these records can identify email security service providers (Proofpoint, Cisco IronPort, etc) whose protections will have to be bypassed for social engineering.
 + Text Records (TXT) - TXT records can aid in identifying third-party applications and services in use by the organization. Providers often require the organization to publish a TXT record to prove it owns the domain for which it is purchasing service, and these verification records are rarely removed afterwards.
 + Sender Policy Framework (SPF) Records - A special TXT record, an SPF record lists the hosts and networks authorized to send email for the organization's domain. SPF analysis should be performed recursively, following each include: and redirect= mechanism in the record to the third-party domains it references, as these frequently reveal additional service providers. Analysis may identify opportunities to spoof the target organization's email addresses in social engineering attacks, for example a permissive terminating mechanism (~all or ?all) or an SPF record that exceeds the ten-lookup limit, especially when the DMARC TXT record at _dmarc.<domain> is absent or carries a policy of p=none.
 + Host Records (A/AAAA) - Host records map published domain names to IP addresses. Some names instead resolve through Canonical Name (CNAME) records pointing to other domains, which often identify third-party hosting providers. IP addresses and domain names observed during host record analysis feed back into recursive DNS analysis and network resource discovery.
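
As an added example (not code from the original page), the following Python flattens a domain's SPF policy recursively and combines the result with the DMARC policy into the findings a tester would record. It answers DNS queries from a constructed in-memory record table for a hypothetical target, example.com, with made-up provider domains; in a real engagement lookup_txt() would be replaced by a resolver call such as dnspython's dns.resolver.resolve(name, "TXT") and the rest left unchanged.

```python
"""Recursive SPF expansion and spoofing assessment against an in-memory DNS table.

Added illustration for the Reconnaissance page, not the page's own tooling.
The record table below is constructed; none of these values are real DNS data.
"""
import re

# Constructed TXT records for the hypothetical target and its (made-up) providers.
TXT_RECORDS = {
    "example.com": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example "
        "include:_spf.provider-b.example ~all",
        "MS=ms12345678",                      # typical domain-verification tokens
        "google-site-verification=abc123",
    ],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.0/25 redirect=_spf2.mailprovider.example"],
    "_spf2.mailprovider.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "_spf.provider-b.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "loop.example": ["v=spf1 include:loop.example -all"],   # deliberately circular
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than ten DNS-querying terms is a permerror


def lookup_txt(name):
    """Stand-in for a DNS TXT query; swap in a real resolver here."""
    return TXT_RECORDS.get(name.lower().rstrip("."), [])


def get_spf(name):
    for txt in lookup_txt(name):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def expand_spf(domain, _path=()):
    """Flatten the SPF policy of `domain`.

    Returns the authorized networks, every third-party domain reached through
    include:/redirect=, the qualifier of the terminal 'all' mechanism, the number
    of DNS-querying terms consumed, and any errors (missing record, loop, limit).
    """
    domain = domain.lower()
    result = {"networks": set(), "includes": set(), "all": None, "lookups": 0, "errors": []}
    if domain in _path:
        result["errors"].append(f"include/redirect loop at {domain}")
        return result
    spf = get_spf(domain)
    if spf is None:
        result["errors"].append(f"no SPF record for {domain}")
        return result
    for term in spf.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:            # modifier, e.g. redirect=host
            mech, _, arg = term.partition("=")
        else:                                       # mechanism, e.g. ip4:net or mx
            mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            result["networks"].add(arg)
        elif mech in ("include", "redirect"):
            result["includes"].add(arg.lower())
            result["lookups"] += 1
            sub = expand_spf(arg, _path + (domain,))
            result["networks"] |= sub["networks"]
            result["includes"] |= sub["includes"]
            result["lookups"] += sub["lookups"]
            result["errors"] += sub["errors"]
            if mech == "redirect":      # redirect hands the whole policy, 'all' included, to the target
                result["all"] = sub["all"]
        elif mech in ("a", "mx", "ptr", "exists"):
            result["lookups"] += 1      # these need further queries; recorded unresolved here
            result["networks"].add(f"{mech}:{arg or domain}")
        elif mech == "all":
            result["all"] = qualifier
    if result["lookups"] > MAX_LOOKUPS:
        result["errors"].append(f"{result['lookups']} lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    return result


def dmarc_policy(domain):
    """The p= value from _dmarc.<domain>, or None when no DMARC record is published."""
    for txt in lookup_txt(f"_dmarc.{domain}"):
        if txt.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=([a-z]+)", txt.lower())
            return m.group(1) if m else "none"
    return None


def spoofing_assessment(domain):
    """Combine SPF and DMARC into findings; 'spoofable' is a heuristic, not proof."""
    spf, policy, findings = expand_spf(domain), dmarc_policy(domain), []
    if spf["errors"]:
        findings.append("SPF evaluation error; many receivers treat this as no SPF: " + "; ".join(spf["errors"]))
    elif spf["all"] in (None, "?", "+"):
        findings.append("SPF does not fail unauthorized senders")
    elif spf["all"] == "~":
        findings.append("SPF ends in ~all (softfail); unauthorized mail is usually accepted and only marked")
    if policy is None:
        findings.append("no DMARC record; SPF/DKIM results are not enforced on the visible From header")
    elif policy == "none":
        findings.append("DMARC p=none; spoofed mail is reported but neither quarantined nor rejected")
    return {"domain": domain, "spf_all": spf["all"], "dmarc_policy": policy,
            "third_parties": sorted(spf["includes"]), "networks": sorted(spf["networks"]),
            "findings": findings, "spoofable": policy in (None, "none") or spf["all"] != "-"}
```

The third_parties list is the recursive provider inventory the text describes; the networks list becomes input for the network resource discovery step, and the findings feed the social engineering plan. Note that an include: that itself ends in -all does not make the parent policy strict, which is why only a redirect= propagates the 'all' qualifier.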
 
title: Employee Information Enumeration
 
Enumeration of employee information can be useful as a precursor to social engineering and password attacks. Employee information can be gathered through various sources including the organization's website, third-party breach databases, email OSINT applications, and analysis of social media sites like LinkedIn.
 
Often during testing, collected employee names are transformed into various username and email address formats. Likewise, email addresses can be deconstructed into employee names for further analysis. Casting a wide net is often useful for this activity.
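
The name-to-username transformation and its inverse, as an added example that is not part of the original page. The format table covers common corporate conventions; the names, domain, and observed name/address pairs used below are constructed for the illustration.

```python
"""Name <-> username/email format transforms for social engineering and password attacks.

Added example for the Reconnaissance page, not the page's own tooling. Sample
names and the example.com domain are constructed.
"""
import re
import unicodedata

# {f}/{l} = first/last name, {fi}/{li} = their initials
FORMATS = {
    "first.last": "{f}.{l}",
    "first_last": "{f}_{l}",
    "last.first": "{l}.{f}",
    "flast":      "{fi}{l}",
    "firstl":     "{f}{li}",
    "lastf":      "{l}{fi}",
    "firstlast":  "{f}{l}",
    "first":      "{f}",
}

# Inverse of each format: local part -> (first, last); None where only an initial survives
INVERSE = {
    "first.last": lambda s: tuple(s.split(".", 1)),
    "first_last": lambda s: tuple(s.split("_", 1)),
    "last.first": lambda s: tuple(reversed(s.split(".", 1))),
    "flast":      lambda s: (s[0], s[1:]),
    "firstl":     lambda s: (s[:-1], s[-1]),
    "lastf":      lambda s: (s[-1], s[:-1]),
    "first":      lambda s: (s, None),
    "firstlast":  lambda s: (None, None),   # no separator, so the split is ambiguous
}

SUFFIXES = {"jr", "sr", "ii", "iii", "phd", "mba"}


def normalize(part):
    """Fold accents and drop anything but a-z, as most directory systems do."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def split_name(full_name):
    """First and last token of a display name; middle names and suffixes are ignored."""
    parts = [p for p in (normalize(t) for t in full_name.split()) if p and p not in SUFFIXES]
    if len(parts) < 2:
        raise ValueError(f"need at least a first and last name: {full_name!r}")
    return parts[0], parts[-1]


def usernames_for(full_name, domain=None):
    """Every candidate local part (or address, when a domain is given), keyed by format."""
    f, l = split_name(full_name)
    fields = {"f": f, "l": l, "fi": f[0], "li": l[0]}
    return {fmt: tmpl.format(**fields) + (f"@{domain}" if domain else "")
            for fmt, tmpl in FORMATS.items()}


def detect_format(observed):
    """Formats consistent with every observed (full_name, local_part) pair.

    Pairs come from mailto: links on the website, breach dumps, document metadata and
    similar sources. An empty set means none of the known conventions fit all pairs.
    """
    candidates = set(FORMATS)
    for full_name, local in observed:
        generated = usernames_for(full_name)
        candidates &= {fmt for fmt, u in generated.items() if u == local.lower()}
    return candidates


def name_from_local(local, fmt):
    """Invert a local part under a known format; (None, None) when not recoverable."""
    try:
        first, last = INVERSE[fmt](local.lower())
    except (KeyError, ValueError, IndexError):
        return (None, None)
    return (first or None, last or None)


def candidate_addresses(names, domain, formats=None):
    """Deduplicated spray list; restricted to `formats` once the convention is known."""
    formats = formats or set(FORMATS)
    out = set()
    for full_name in names:
        out.update(u for fmt, u in usernames_for(full_name, domain).items() if fmt in formats)
    return sorted(out)
```

Casting the wide net is candidate_addresses() with no format restriction; once two or three confirmed addresses pin the convention through detect_format(), the list shrinks to one entry per person, which matters for password spraying where every extra guess against a lockout threshold is wasted.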
title: Document Metadata Analysis
 
Document metadata can include useful information like hostnames, IP addresses, UNC paths, usernames, Windows domain names, and the applications (with versions) used by the organization. This information can be useful for formulating follow-on attacks, and usernames found in metadata also confirm the username format for password attacks. In addition, the collected documents themselves may contain valuable information like the organization's telephone directory.
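
An added example, not code from the original page: extracting the fields above from an Office Open XML (.docx) file with the standard library only. The document is built in memory with constructed values (a hypothetical Example Corp, a CORP Windows domain, a file server named fs01) so that the example runs offline; extract_metadata() reads a real .docx, .xlsx or .pptx from disk the same way, since all three keep their properties in docProps/.

```python
"""Metadata extraction from an Office Open XML (.docx) package.

Added example for the Reconnaissance page, not the page's own tooling. The
sample document and every value in it are constructed for the illustration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>jdoe</dc:creator>
 <cp:lastModifiedBy>CORP\\asmith</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2023-01-05T10:00:00Z</dcterms:created>
</cp:coreProperties>"""

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <AppVersion>16.0000</AppVersion>
 <Company>Example Corp</Company>
</Properties>"""

# An attached-template relationship is a common place for an internal UNC path to leak.
SETTINGS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" TargetMode="External"
  Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
  Target="file:///\\\\fs01.corp.example\\templates\\letter.dotx"/>
</Relationships>"""

UNC_RE = re.compile(r"\\\\[\w.-]+\\[^\s\"'<>]+")      # \\host\share\path
DOMAIN_USER_RE = re.compile(r"^([\w-]+)\\([^\\]+)$")   # DOMAIN\user


def build_sample_docx():
    """Constructed minimal package; only the parts the extractor reads are included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/_rels/settings.xml.rels", SETTINGS_RELS)
    return buf.getvalue()


def _first_text(root, local_name):
    """Text of the first element with this local name, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name and el.text:
            return el.text.strip()
    return None


def extract_metadata(docx_bytes):
    meta = {"creator": None, "lastModifiedBy": None, "created": None,
            "application": None, "appVersion": None, "company": None,
            "unc_paths": set(), "hostnames": set(), "windows_domains": set(), "usernames": set()}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key in ("creator", "lastModifiedBy", "created"):
                meta[key] = _first_text(core, key)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            for key, tag in (("application", "Application"), ("appVersion", "AppVersion"), ("company", "Company")):
                meta[key] = _first_text(app, tag)
        # UNC paths can sit in any XML part: relationships, hyperlinks, field codes
        for name in names:
            if name.endswith((".xml", ".rels")):
                meta["unc_paths"].update(UNC_RE.findall(z.read(name).decode("utf-8", "replace")))
    for who in (meta["creator"], meta["lastModifiedBy"]):
        if not who:
            continue
        m = DOMAIN_USER_RE.match(who)
        if m:                                   # DOMAIN\user gives both a domain and a username
            meta["windows_domains"].add(m.group(1))
            meta["usernames"].add(m.group(2))
        else:
            meta["usernames"].add(who)
    for path in meta["unc_paths"]:
        meta["hostnames"].add(path.split("\\")[2])
    return meta
```

The creator and lastModifiedBy values are the usernames the text refers to; a DOMAIN\user form additionally discloses the Windows domain name, and each UNC path yields an internal hostname for the network resource discovery step. Legacy binary formats (.doc, .xls) and PDFs store their properties differently and need a dedicated parser or a tool such as exiftool.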
title: Third-party Breach Data Analysis
 
Organizational email addresses and passwords are often included in data breach dumps. Users may reuse passwords between the compromised service and resources belonging to the target organization. In addition, clues from breach data may identify patterns used by employees in formulating passwords (season and year, company name plus digits, etc). At the very least, the email addresses disclosed in the breaches can be used for social engineering and password attacks.
title: Third-Party Application/Service Enumeration
 
Knowledge of third-party applications used by the organization may result in additional attack paths or details necessary for executing successful social engineering campaigns. As an example, the presence of domain verification records for a multi-factor authentication (MFA) or single sign-on (SSO) provider may allow the attacker to generate more convincing pretexts for use in actual attacks, such as a lookalike login page for that provider.
title: Financial Activity and Disclosure Information
 
TBD
title: News Releases and Upcoming Events
 
TBD

The information above can be critical for the success of an engagement. Details collected through reconnaissance can be used for various purposes during a larger test. On a Red or Purple Team Exercise, network details can be used as the basis for vulnerability scanning (after scope approval by the target organization). Email addresses and general information about the organization can be used for formulation of social engineering pretexts and ruses. Usernames, email addresses, breach data, and login portals can be used to stage credential stuffing or password spraying attacks.