PASSIVE RECONNAISSANCE
- What is Passive Reconnaissance?
- Tools Used for Passive Reconnaissance
- References
- Session Task
Passive reconnaissance is a non-intrusive information-gathering technique that
involves collecting data about a target system or network without directly
interacting with it. This approach relies on publicly available sources to gather
valuable insights into the target's infrastructure, vulnerabilities, and potential
attack vectors.
Objectives of Passive Reconnaissance:
The primary objectives of passive reconnaissance include:
1. Asset Identification: Identifying the assets within a target network, such
as IP addresses, domain names, and open ports. This information helps
understand the attack surface and prioritize potential targets.
2. Vulnerability Detection: Revealing information about known
vulnerabilities in the target systems or software. This information is crucial
for assessing risk and guiding further penetration testing activities.
3. Network Topology Understanding: Gaining insights into the network
topology, including the types of devices, operating systems, and protocols
used. This understanding is essential for planning attacks and exploiting
vulnerabilities.
4. Sensitive Information Uncovering: Detecting sensitive information, such
as leaked credentials, exposed files, or misconfigured databases, which can
be exploited to gain unauthorized access.
Publicly Available Tools for Passive Reconnaissance
1. Search Engines: Google, Bing, and Shodan are powerful tools for
searching publicly available data about the target organization. Specific
search queries, known as Google Dorks, can uncover publicly accessible
files, exposed databases, and other sensitive information.
Google Dorks: These are specific search queries used to refine search
results within Google. They're crafted to uncover sensitive information
inadvertently exposed on the internet. By using operators and modifiers in
search queries, one can find information like:
- Exposed Files: Such as configuration files, password files, log files, etc.
- Exposed Databases: Inadvertently exposed databases or tables that
might contain sensitive information.
- Vulnerable Devices: Devices with known vulnerabilities that might be
accessible online.
Bing: Similar to Google, Bing allows for advanced search queries using
specific operators to find information that might not easily surface during
standard searches. It can reveal files, documents, or information that
organizations might unintentionally expose.
Shodan: Unlike traditional search engines, Shodan is designed to search
for devices and servers connected to the internet. It specializes in finding
specific devices, such as webcams, routers, servers, and more, providing
details like IP addresses, services running on them, and potential
vulnerabilities.
Figure 1: Example of Google dorking
Figure 2: Example of Google dorking
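The defender-side counterpart to the search-engine dorking described above is to audit your own site's URL list before a search engine indexes it. The following is an added example, not part of the original document: it classifies a constructed list of URLs into the exposure classes the section names (configuration, password and log files, database exports); the rule patterns are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# One rule per exposure class named above. The patterns are deliberately
# narrow so the audit flags little that is not worth a human look.
RULES = {
    "config_file": re.compile(r"(^|/)(\.env|[^/]+\.(ini|conf|cfg|yml|yaml))$", re.I),
    "password_file": re.compile(r"(passw(or)?d|credential|secret)[^/]*$", re.I),
    "log_file": re.compile(r"\.log(\.\d+|\.gz)?$|(^|/)logs?/", re.I),
    "database_export": re.compile(r"\.(sql|sqlite|db|bak|dump)(\.gz|\.zip)?$", re.I),
}

# Constructed URL list standing in for a sitemap or web-server access log.
SAMPLE_URLS = [
    "https://www.example.test/index.html",
    "https://www.example.test/.env",
    "https://www.example.test/config/app.yml",
    "https://www.example.test/exports/customers-2024.sql.gz",
    "https://www.example.test/logs/error.log",
    "https://www.example.test/docs/passwords.txt",
    "https://www.example.test/products/catalog.pdf",
]

def classify_path(path):
    """Return the sorted list of exposure classes a URL path matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(path))

def audit(urls):
    """Map each URL that matches at least one class to its classes."""
    findings = {}
    for url in urls:
        path = urlparse(url).path
        classes = classify_path(path)
        if classes:
            findings[url] = classes
    return findings
```

Anything the audit reports should be removed from the web root or denied by the server configuration; relying on robots.txt alone does not stop indexing by every crawler.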
2. Social Media Platforms: LinkedIn, Facebook, and Twitter provide
insights into employees, their roles, technologies used, and potential attack
vectors for social engineering campaigns.
LinkedIn: Often used for professional networking, LinkedIn profiles can
provide details about an organization's employees, their job roles, skills,
and connections. For cybersecurity, it's beneficial for understanding an
organization's workforce structure, potential points of contact, and
identifying key personnel who might hold sensitive roles.
Facebook: While personal in nature, public Facebook profiles or pages
associated with an organization might reveal additional details. It could
showcase organizational events, interactions between employees, or public
posts mentioning the company's internal workings or technologies used.
Twitter: Public tweets can offer real-time insights into ongoing activities
within an organization, industry trends, technologies used, or potential
vulnerabilities. Tweets from employees might unintentionally disclose
information that could aid in social engineering attacks or provide clues for
cyber threat intelligence.
Figure 3: Employees working in an organization
3. Domain Name Registrars: WHOIS records reveal domain ownership,
contact details, and IP addresses, enabling identification of the organization
and further information gathering.
Domain Ownership Details: WHOIS records contain essential
information about domain ownership, including the organization or
individual's name, address, email, and contact numbers associated with the
domain registration.
Contact Information: These records provide contact details, such as
administrative, technical, and billing contacts, offering points of contact
within the organization responsible for managing the domain.
Registration Dates and History: WHOIS records reveal the date of
domain registration, expiration dates, and the history of changes or updates
made to the registration information, aiding in establishing a domain's
lifecycle.
DNS and IP Information: They often include Domain Name System
(DNS) server details and IP addresses associated with the domain, valuable
for mapping network infrastructure and potential attack surfaces.
Figure 4: WHOIS sample data
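The four groups of WHOIS fields listed above can be pulled out of a raw record mechanically. The following is an added example, not from the original document: it parses a constructed "Key: Value" WHOIS record (not real registration data) into ownership, contacts, dates and DNS data, and derives two checks a domain owner would want, days until expiry and contact mailboxes outside the organisation's own domain.

```python
import re
from datetime import datetime, timezone

# Constructed sample record (not real registration data); the "Key: Value"
# layout mirrors what registrars commonly return on the command line.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Creation Date: 2015-03-09T14:22:10Z
Updated Date: 2024-01-20T08:05:00Z
Registry Expiry Date: 2026-03-09T14:22:10Z
Registrant Organization: Example Corp
Registrant Email: hostmaster@example-corp.test
Admin Email: j.doe@freemail.test
Tech Email: noc@example-corp.test
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
DNSSEC: unsigned
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")

def parse_whois(text):
    """Return a dict of lower_snake_case fields; repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue  # blank lines, ">>> Last update" trailers, comments
        key = m.group(1).lower().replace(" ", "_")
        if key in record:  # e.g. several "Name Server" lines
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(m.group(2))
        else:
            record[key] = m.group(2)
    return record

def parse_date(value):
    """Registrar timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def summarize(record, now=None):
    """Group the record into the four categories above plus two risk indicators."""
    now = now or datetime.now(timezone.utc)
    domain = record.get("domain_name", "").lower()
    servers = record.get("name_server", [])
    servers = servers if isinstance(servers, list) else [servers]
    contacts = {k: v for k, v in record.items() if k.endswith("_email")}
    expires = parse_date(record.get("registry_expiry_date"))
    return {
        "owner": record.get("registrant_organization"),
        "contacts": contacts,
        "created": parse_date(record.get("creation_date")),
        "updated": parse_date(record.get("updated_date")),
        "expires": expires,
        "days_to_expiry": (expires - now).days if expires else None,
        "name_servers": [s.lower() for s in servers],
        # Contact mailboxes outside the domain are a takeover/phishing risk.
        "external_contacts": [v for v in contacts.values()
                              if not v.lower().endswith("@" + domain)],
        # Unsigned DNSSEC leaves the zone open to spoofed answers.
        "dnssec_unsigned": record.get("dnssec", "").lower() == "unsigned",
    }
```

Many registries now redact contact fields for privacy; the parser simply returns no `_email` keys in that case and the contact checks stay empty.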
4. Network Scanning Tools: Nmap and Nessus can passively scan a target
network for open ports, vulnerabilities, and running services, providing
insights into the network's infrastructure and potential attack points.
In passive reconnaissance, Nmap and Nessus can be used in limited
capacities due to their active scanning nature. However, in certain
scenarios, they can be adapted for passive information gathering:
Nmap for Passive Reconnaissance:
DNS Resolution: Nmap can passively resolve DNS information to map
network hosts without directly sending packets, thereby obtaining
hostnames and IP addresses.
Network Topology Mapping: By observing responses to certain queries,
Nmap can deduce network topology, identifying devices or services
without actively probing the network.
Nessus for Passive Reconnaissance:
Vulnerability Intelligence Gathering: Nessus can passively gather
information from available databases or sources to collect vulnerability
intelligence without directly scanning the target network.
Figure 5: Nmap sample result
5. Open-Source Intelligence (OSINT) Tools: Specialized OSINT tools
aggregate data from various sources, offering a comprehensive view of the
target organization, including its history, employees, financial status, and
relevant details.
Data Aggregation: OSINT tools gather information from diverse sources
like social media platforms, online forums, public databases, news articles,
and more, aggregating data relevant to the target organization.
Company History: They offer details about the organization's history,
including its founding, mergers, acquisitions, leadership changes, or major
milestones, aiding in understanding its evolution and growth.
Employee Information: OSINT tools can source information about
employees, their roles, professional connections, skills, and affiliations,
providing an understanding of the organizational structure and potential
points of contact.
Financial Status and Partnerships: They often compile information
about a company's financial reports, partnerships, contracts, or industry
collaborations, contributing to an assessment of its financial health and
strategic alliances.
Relevant Details for Threat Intelligence: OSINT tools provide relevant
data that cybersecurity professionals leverage for threat intelligence,
identifying potential attack vectors, vulnerabilities, or emerging risks
associated with the organization.
Figure 6: List of OSINT tools in the OSINT Framework
References:
https://www.techslang.com/definition/what-is-passive-reconnaissance/
https://www.sciencedirect.com/topics/computer-science/reconnaissance
Google Hacking Database: https://www.exploit-db.com/google-hacking-database
Whois: https://www.whois.com/whois/
Nmap: https://nmap.org/book/osdetect-other-methods.html
OSINT Framework: https://osintframework.com/
Session Task:
Platform: Tryhackme
Room Name: Passive Reconnaissance
Status: Completed
Figure 7: Completion of Session Task
Adith
Intern
Cyber Sapiens
