Contents
Introduction
Passive Info Gathering : find as much information as possible about the target online
Active Info Gathering : actively engage with the target system, e.g. resolving the target's IP address, port scanning
Target Scoping : the process of defining exactly which systems, networks or applications you are allowed to test.
→ simply : What am I allowed to collect information about?
- Domain-Based Target : web application (example.com : primary domain), (mail.example.com : subdomain)
- IP-Based Target : IP address or address range
- Application-Based Target : a specific web app, e.g. a login portal
In scope : allowed to collect information from, scan, enumerate / Out of scope : not allowed to interact with
Passive Reconnaissance
Characteristics
- No direct connection to target servers
- Low risk of detection
- Usually performed first
Ex : Domain registration info, DNS records, public web content, search engine results, publicly available email and physical addresses
Active Reconnaissance :
Characteristics
- Sends traffic to the target
- Increased visibility to the target (traffic can be logged and detected)
- Typically performed after passive recon
Ex : Live hosts, open ports, running services, network responses
<aside>
💡
Always Passive Recon first, then Active Recon
</aside>

Recon Strategy
- Define the target
  - Identify the domain or network range
  - Confirm what is in scope
- Perform Passive Recon
  - Gather public info
  - Identify potential attack surfaces
  - Build an initial understanding of the target
- Perform Active Recon
  - Discover live hosts
  - Identify open ports
  - Detect exposed services
- Document & Organize Your Findings
  - Record domains, IPs, and ports
  - Prepare the information for enumeration
  - Avoid repeating work later
Passive Information Gathering
Website Recon & Footprinting
What are we looking for : IP addresses, directories hidden from search engines, names, email addresses, phone numbers, physical addresses, web technologies being used
Practical Demo
robots.txt : specifies which folders search engines are not allowed to crawl (EVERY website has this); the paths it lists are published by the site itself, so they belong in the findings before any active scan

A sitemap.xml file is used to provide search engines with an organized map of a website's content (the pages the site openly advertises).
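As an added example (not part of these notes), the following Python parses robots.txt and sitemap.xml content offline and turns it into the findings list described above. The file contents and the example.com URLs are constructed samples, and only the standard library is used.

```python
# Added example: parse robots.txt and sitemap.xml offline on constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample robots.txt, standing in for https://example.com/robots.txt
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/        # comment after a directive
Disallow: /backup/
Allow: /public/
Sitemap: https://example.com/sitemap.xml
"""

# Constructed sample sitemap.xml, standing in for https://example.com/sitemap.xml
SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/login</loc></url>
  <url><loc> https://example.com/public/pricing </loc></url>
</urlset>
"""

def parse_robots(text: str) -> dict:
    """Collect Disallow/Allow paths and Sitemap URLs; '#' comments are stripped,
    directive names are case-insensitive, empty directives are ignored."""
    result = {"disallow": [], "allow": [], "sitemaps": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")       # lines without ':' give value ""
        key, value = key.strip().lower(), value.strip()
        if key in ("disallow", "allow") and value:
            result[key].append(value)
        elif key == "sitemap" and value:
            result["sitemaps"].append(value)
    return result

def parse_sitemap(xml_text: str) -> list:
    """Return every <loc> URL in a sitemap.xml (namespace-aware, whitespace trimmed)."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.findall(".//sm:loc", ns) if loc.text]

def footprint(base_url: str, robots: str, sitemap: str) -> dict:
    """Recon notes: paths the site hides from crawlers (made absolute) plus the pages it advertises."""
    r = parse_robots(robots)
    return {
        "hidden_paths": [urljoin(base_url, p) for p in r["disallow"]],
        "sitemaps": r["sitemaps"],
        "advertised_urls": parse_sitemap(sitemap),
    }
```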
