In the context of cybersecurity, reconnaissance is the practice of covertly discovering and collecting information about a target system or network before attacking it. The same activity is the first phase of ethical hacking and penetration testing.
Like many cybersecurity terms, reconnaissance derives from military language, where it refers to a mission whose goal is to obtain information from enemy territory.
How Reconnaissance Works
Reconnaissance generally follows seven steps:
- Collect initial information
- Determine the network range
- Identify active machines
- Find access points and open ports
- Fingerprint the operating system
- Discover services on ports
- Map the network
Using these steps, an attacker aims to learn the following about a network:
- File permissions
- Running network services
- OS platform
- Trust relationships
- User account information
One of the most common techniques involved in reconnaissance is port scanning, which sends probes to TCP and UDP (user datagram protocol) ports on a device and classifies each port as open, closed or filtered from the response it gets, or from the absence of one.
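The following is an added example, not code from the original page, showing steps 4 and 6 of the procedure above (find open ports, discover the services on them) as a small TCP connect scanner with banner grabbing. To keep it runnable offline it starts its own throwaway service on 127.0.0.1 that greets clients with a constructed banner; the banner text, the ephemeral port and the host 127.0.0.1 are assumptions for the demo, and the three-way classification (open, closed, filtered) follows the usual scanner convention of mapping a completed handshake, a refused connection and a timeout respectively.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed banner for the local stand-in service (assumption for the demo).
BANNER = b"SSH-2.0-demo_service\r\n"


def start_banner_service(host="127.0.0.1", banner=BANNER):
    """Start a throwaway TCP service on an ephemeral port that sends `banner`
    to every client. It stands in for a real daemon so the scan runs offline.
    Returns (listening_socket, port); close the socket to stop the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: let the OS pick a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port(host="127.0.0.1"):
    """Reserve and immediately release a port so the caller has one that is
    (almost certainly) closed, for demonstrating the 'closed' verdict."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=0.5):
    """TCP connect() probe. A completed handshake means open; an RST (connection
    refused) means closed; no answer within `timeout` means filtered or a slow
    host. On an open port, read whatever the service says first (its banner),
    which is the raw material for service discovery."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return port, "closed", b""
    except OSError:                # includes socket.timeout / TimeoutError
        s.close()
        return port, "filtered", b""
    banner = b""
    try:
        banner = s.recv(128)       # services that wait for the client to speak first yield b""
    except OSError:
        pass
    finally:
        s.close()
    return port, "open", banner.strip()


def scan(host, ports, workers=32):
    """Probe `ports` concurrently; return {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p), ports))
    return {port: (state, banner) for port, state, banner in results}


def open_ports(results):
    """Sorted list of the ports a scan reported as open."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


if __name__ == "__main__":
    srv, port = start_banner_service()
    results = scan("127.0.0.1", range(port - 5, port + 6))
    for p, (state, banner) in sorted(results.items()):
        print(f"{p}/tcp\t{state}\t{banner.decode(errors='replace')}")
    srv.close()
```

A full connect() scan like this completes the handshake on every open port, so each probe shows up as an accepted connection in the target's logs; that visibility is exactly the noise the active-versus-passive discussion below is about.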
Differences Between Passive and Active Reconnaissance
There are two main types of reconnaissance: active and passive reconnaissance.
With active reconnaissance, attackers interact directly with the target system and attempt to obtain information through techniques like automated scanning or manual testing, using tools like ping and netcat. Active recon is generally faster and more accurate, but riskier, because every probe generates traffic and log entries on the target and so has a higher chance of being detected.
Passive reconnaissance gathers information without sending anything to the target, for example by analysing already-captured traffic in Wireshark, querying Shodan's existing scan data instead of scanning the host yourself, or passively fingerprinting the operating system from header fields of traffic you can observe.
How To Prevent Reconnaissance
Organizations can use penetration testing to determine what their network would reveal to an attacker's reconnaissance. Organizations can outsource the work by hiring security testing professionals to carry out penetration testing, vulnerability assessment, compliance testing, etc.
During testing, organizations can deploy port scanning tools (which sweep large networks and determine which hosts are up and which ports they expose) and vulnerability scanners (which find known vulnerabilities on those hosts).
SIEM solutions can also detect a port scan in progress from firewall or flow logs, for example a single source IP that touches many distinct destination ports on a host within a short window.
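The detection rule just described, as an added example that is not part of the original page: a sliding-window count of distinct (host, port) targets per source IP over firewall log lines. The log lines are constructed for the demo in a generic "ALLOW/DENY proto src:port -> dst:port" syslog style, using RFC 5737 documentation addresses; the field layout, the 60-second window and the threshold of 20 distinct targets are assumptions, not settings from any particular SIEM.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the demo (assumption): ISO timestamp, host, action,
# protocol, src:port -> dst:port. Real firewalls differ; adjust the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=20):
    """Alert once per source IP that touches >= `threshold` distinct (dst, dport)
    targets inside any `window`-long span. Returns [(src, window_start, count)].
    Counting distinct targets rather than raw connections keeps a busy but
    legitimate client (thousands of sessions to one service) from firing."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    recent = defaultdict(deque)      # src -> deque of (ts, (dst, dport)) within window
    alerted, alerts = set(), []
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["dport"])))
        while q and ev["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], q[0][0], len(distinct)))
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real logs) with three behaviours:
    a benign client, a fast scanner, and a slow scanner that spaces probes out."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Benign client: 50 sessions to a single HTTPS service in 50 seconds.
    for i in range(50):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:{fmt}} fw01 ALLOW TCP 198.51.100.5:{40000 + i} -> 192.0.2.10:443")
    # Fast scanner: 30 distinct ports in 15 seconds, mostly denied.
    for i in range(30):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t:{fmt}} fw01 DENY TCP 203.0.113.7:{51000 + i} -> 192.0.2.10:{20 + i}")
    # Slow scanner: one port every five minutes, built to slip under a 60 s window.
    for i in range(30):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:{fmt}} fw01 DENY TCP 192.0.2.200:{52000 + i} -> 192.0.2.10:{100 + i}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for src, start, n in detect_port_scans(log):
        print(f"port scan: {src} hit {n} distinct targets starting {start:%H:%M:%S}")
    # Widening the window catches the slow scanner too, at the cost of more state.
    for src, start, n in detect_port_scans(log, window=timedelta(hours=3)):
        print(f"[3h window] {src}: {n} targets from {start:%H:%M:%S}")
```

With the default 60-second window only 203.0.113.7 is reported; the slow scanner at 192.0.2.200 only appears when the window is widened to hours. That trade-off between window length and memory is the usual tuning knob for this rule, and a scanner that also rotates source addresses defeats a per-source count altogether.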
The MITRE ATT&CK Framework catalogs reconnaissance techniques under its Reconnaissance tactic, together with the mitigations that apply to each.