Reconnaissance Process

Reconnaissance is the process of gathering information about a target system without interacting with it. It involves footprinting to collect initial data like the target's IP address, operating system, open ports and services. Further reconnaissance includes passive and active fingerprinting to identify the target system without being detected. The goal is to find weaknesses that can be exploited in a later penetration test.

Uploaded by akademi menembak

RECONNAISSANCE PROCESS

1. WHAT IS RECONNAISSANCE
Reconnaissance is the starting point of many intrusions and of penetration testing. It is the
process of gathering data about the target machine that can be used to discover its flaws,
weaknesses, and security vulnerabilities.

During reconnaissance, attackers act like detectives, gathering data and information to
understand their victims. From email records to open-source data, they aim to know the
organization better than the people who run and maintain it. They focus on the security aspects
of the technology, study its weaknesses, and use any vulnerability to their advantage.

Steps followed in reconnaissance:

- Gather initial information
- Determine the range of the network
- Identify all active machines
- Find out which OS is in use
- Fingerprint the operating system
- Uncover the services running on ports
- Map the network

2. THE TWO PHASES OF RECONNAISSANCE IN ETHICAL HACKING ARE

A. Active reconnaissance
B. Passive reconnaissance

A) Active reconnaissance
Active reconnaissance is the kind of reconnaissance where you gather data about the
system/application by interacting with it directly. When you use active reconnaissance, there is a
high chance that some data, such as your IP address, is recorded by the system you are gathering
data about.

B) Passive reconnaissance
In passive reconnaissance, you gather data without interacting with the system/application you
are studying. You collect the data through search engines or publicly available reports. When
you use passive reconnaissance, it is highly unlikely that the system will learn your IP address.

3. THE SUBPROCESSES OF RECONNAISSANCE IN ETHICAL HACKING ARE

A. Footprinting & Fingerprinting
B. Enumeration
C. Scanning

A) Footprinting & Fingerprinting

Footprinting is gathering data about the target system that can be used to compromise it. To get
this data, an attacker may use different strategies with a variety of tools. Most of the time is
spent in footprinting. The information gathered includes the firewall, the OS in use, the security
configuration of the target system, IP addresses, server configuration, VPN, URLs, and the network map.
---------------------------------------------------------------------------
Footprinting is the part of the reconnaissance process used for gathering all possible information
about a target computer system or network. Footprinting can be both passive and active. Reviewing
a company's website is an example of passive footprinting, whereas attempting to gain access to
sensitive information through social engineering is an example of active information gathering.
Footprinting is basically the first step, where the hacker gathers as much information as possible to
find ways to intrude into a target system, or at least to decide which types of attacks are more
suitable for the target.
During this phase, a hacker can collect the following information −
1. Domain name
2. IP Addresses
3. Namespaces
4. Employee information
5. Phone numbers
6. E-mails
7. Job Information

1. Domain Name Information
You can use the http://www.whois.com/whois website to get detailed information about a domain
name, including its owner, registrar, registration date, expiry date, name servers, and the owner's
contact information.
Here is a sample record of www.tutorialspoint.com extracted from WHOIS Lookup −

2. Finding IP Address
You can use the ping command at your prompt. This command is available on Windows as well as on
Linux.

3. Finding Hosting Company
Once you have the website address, you can get further details by using the ip2location.com website.
Following is the example to find out the details of an IP address –

How to protect against this?

If a computer system or network is linked to the Internet directly, then you cannot hide its IP
address and the related information such as the hosting company, its location, ISP, etc. If you have a
server containing very sensitive data, it is recommended to keep it behind a secure proxy so that
attackers cannot get the exact details of your actual server. This way, it will be difficult for any
potential attacker to reach your server directly.

Another effective way of hiding your system's IP address, and ultimately all the associated
information, is to route through a Virtual Private Network (VPN). If you configure a VPN, all traffic
routes through the VPN network, so the true IP address assigned by your ISP is always hidden.

4. IP Address Ranges
Small sites may have a single IP address associated with them, but larger websites usually have
multiple IP addresses serving different domains and sub-domains.
You can obtain the range of IP addresses assigned to a particular company using the American
Registry for Internet Numbers (ARIN).

5. History of the Website
It is very easy to get a complete history of any website using www.archive.org.
Enter a domain name in the search box to see how the website looked at a given point in time and
which pages were available on the website on different dates.

Tools for website and email footprinting:

- HTTrack (www.httrack.com)
- Black Widow (http://softbytelabs.com)
- WebRipper (www.calluna-software.com)
- Teleport Pro (www.tenmax.com)
- GNU Wget (www.gnu.org)
- Backstreet Browser (http://spadixbd.com)

Fingerprinting
The term OS fingerprinting in ethical hacking refers to any method used to determine which operating
system is running on a remote computer. This could be −
Active Fingerprinting − Active fingerprinting is accomplished by sending specially crafted packets to
a target machine, recording its responses, and analyzing the gathered information to determine the
target OS. In the following section we give an example of how the Nmap tool can be used to detect
the OS of a target domain.
Passive Fingerprinting − Passive fingerprinting is based on sniffer traces from the remote system.
From the sniffer traces of the packets (for example, captured with Wireshark), you can determine the
operating system of the remote host.
We will look at the following four elements of a packet to determine the operating system:

TTL − the Time-To-Live value the operating system sets on outbound packets.
Window Size − the TCP window size the operating system sets.
DF − whether the operating system sets the Don't Fragment bit.
TOS − whether the operating system sets the Type of Service field, and if so, to what value.

By analyzing these factors of a packet, you may be able to determine the remote operating system.
This method is not 100% accurate, and works better for some operating systems than others.
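The four elements above, together with the TCP options in a SYN, are exactly what a passive fingerprinter reads out of a captured packet. The Python below is an added example (not code from the original page or from any tool it names): it hand-builds an IPv4/TCP SYN header, parses back the TTL, DF bit, TOS, window size and option order, rounds the observed TTL up to the nearest common initial value to estimate hop count, and matches the result against two illustrative signatures. The builder, the signature values and the OS labels are assumptions for demonstration; real fingerprinters use large curated databases, which is why the text's accuracy caveat applies.

```python
import struct

# Constructed TCP option bytes in the order a Linux-style SYN usually carries them:
# MSS, SACK-permitted, Timestamp, NOP, Window scale (20 bytes, a multiple of 4).
LINUX_STYLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
                       + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07")
# Constructed Windows-style order: MSS, NOP, WS, NOP, NOP, SACK-permitted (12 bytes).
WINDOWS_STYLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08"
                         + b"\x01\x01" + b"\x04\x02")

OPTION_NAMES = {1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

# Illustrative signature table (assumed values, not any tool's real database):
# (initial TTL, DF bit, window size, option order) -> label
SIGNATURES = [
    ((64, True, 64240, ["MSS", "SACK", "TS", "NOP", "WS"]), "Linux (illustrative)"),
    ((128, True, 64240, ["MSS", "NOP", "WS", "NOP", "NOP", "SACK"]), "Windows (illustrative)"),
]


def build_sample_syn(ttl, df, tos, window, options):
    """Hand-build an IPv4 header + TCP SYN header for offline testing (constructed data)."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,                 # version 4, IHL of 5 words
        tos,                          # Type of Service byte
        20 + 20 + len(options),       # total length
        0x1234,                       # identification
        0x4000 if df else 0,          # flags/fragment offset: DF is bit 14
        ttl, 6, 0,                    # TTL, protocol TCP, checksum (not needed here)
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_offset = ((20 + len(options)) // 4) << 4
    tcp_header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset, 0x02, window, 0, 0)
    return ip_header + tcp_header + options


def parse_tcp_options(raw):
    """Return the option kinds in the order they appear (kind 0 ends the list)."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:                 # NOP is a single byte with no length field
            names.append("NOP")
            i += 1
            continue
        names.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += raw[i + 1]               # every other option carries its own length
    return names


def parse_fingerprint(packet):
    """Extract the passive-fingerprinting fields from an IPv4+TCP packet."""
    ver_ihl, tos, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    _, _, _, _, off_res, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    tcp_len = (off_res >> 4) * 4
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "tos": tos,
            "window": window, "syn": flags == 0x02,
            "options": parse_tcp_options(tcp[20:tcp_len])}


def infer_initial_ttl(observed_ttl):
    """Routers decrement TTL once per hop, so round up to the nearest common start value."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def guess_os(fp):
    """Match the parsed fields against the illustrative table; report hop estimate either way."""
    initial = infer_initial_ttl(fp["ttl"])
    observed = (initial, fp["df"], fp["window"], fp["options"])
    for signature, label in SIGNATURES:
        if observed == signature:
            return {"guess": label, "initial_ttl": initial, "hops": initial - fp["ttl"]}
    return {"guess": "unknown", "initial_ttl": initial, "hops": initial - fp["ttl"]}


if __name__ == "__main__":
    pkt = build_sample_syn(ttl=57, df=True, tos=0, window=64240, options=LINUX_STYLE_OPTIONS)
    print(guess_os(parse_fingerprint(pkt)))
```

The TTL step is the part most often misread: a captured TTL of 57 is not a fingerprint in itself, it is 64 minus seven hops, so the comparison has to be made on the inferred initial value. Anything a middlebox normalizes (window clamping, option stripping) silently breaks the match, which is the practical source of the "not 100% accurate" caveat.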

Basic Steps
Before attacking a system, you need to know which operating system is hosting the website. Once
the target OS is known, it becomes easier to determine which vulnerabilities might be present on the
target system.
Below is a simple nmap command that can be used to identify the operating system serving a
website and all the open ports associated with the domain name, i.e., the IP address.
$ nmap -O -v tutorialspoint.com

Port Scanning
We have just seen the information given by the nmap command, which lists all the open ports on a
given server.

Ping Sweep
A ping sweep is a network scanning technique used to determine which IP addresses in a range map
to live hosts. A ping sweep is also known as an ICMP sweep.
You can use the fping command for a ping sweep. This command is a ping-like program that uses
Internet Control Message Protocol (ICMP) echo requests to determine whether a host is up.
fping differs from ping in that you can specify any number of hosts on the command line, or specify a
file containing the list of hosts to ping. If a host does not respond within a certain time limit and/or
retry limit, it is considered unreachable.
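The distinguishing feature of a sweep from the defender's side is one source sending echo requests to many distinct hosts in a short time, which is a different signal from one host being pinged repeatedly. The Python below is an added example, not part of the original page: it parses a few constructed netfilter-style firewall log lines (the format, hosts and timestamps are assumptions), keeps only ICMP echo requests (type 8), and uses a sliding time window per source to report the widest spread of destinations seen.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a netfilter-like format (not a real capture).
# 10.0.0.5 sends echo requests to twelve consecutive hosts within six seconds;
# 10.0.0.7 pings one gateway a few times; one TCP line is unrelated noise.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i // 2:02d} kernel: IN=eth0 SRC=10.0.0.5 DST=192.168.1.{i + 1} PROTO=ICMP TYPE=8"
     for i in range(12)]
    + [f"2024-05-01T10:00:{i:02d} kernel: IN=eth0 SRC=10.0.0.7 DST=192.168.1.1 PROTO=ICMP TYPE=8"
       for i in range(3)]
    + ["2024-05-01T10:00:02 kernel: IN=eth0 SRC=10.0.0.7 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=443"]
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: TYPE=(?P<type>\d+))?")


def parse_line(line):
    """Pull timestamp, source, destination, protocol and ICMP type out of one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_icmp_sweeps(lines, window_seconds=10, min_hosts=8):
    """Flag sources that send echo requests to >= min_hosts distinct hosts inside one window."""
    echo_requests = defaultdict(list)            # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "ICMP" and rec["type"] == "8":
            echo_requests[rec["src"]].append((rec["ts"], rec["dst"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, hits in echo_requests.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):             # slide a time window over ordered hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if best is None or len(distinct) > best[0]:
                best = (len(distinct), hits[start][0], hits[end][0])
        if best and best[0] >= min_hosts:
            alerts.append({"src": src, "distinct_hosts": best[0],
                           "first_seen": best[1].isoformat(),
                           "last_seen": best[2].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_icmp_sweeps(SAMPLE_LOG):
        print(alert)
```

Counting distinct destinations rather than raw packets is what keeps a monitoring host that pings the same gateway every second from tripping the rule; tune window_seconds and min_hosts to the size of the subnets you actually expose.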

DNS Enumeration
The Domain Name System (DNS) is like a map or an address book. In fact, it is a distributed database
used to translate a name such as www.example.com to an IP address such as 192.111.1.120, and vice versa.
DNS enumeration is the process of locating all the DNS servers and their corresponding records for
an organization. The idea is to gather as many interesting details as possible about your target before
initiating an attack.
You can use the nslookup command available on Linux to get DNS and host-related information. In
addition, you can use the DNSenum script to get detailed information about a domain −
The DNSenum script can perform the following important operations −

- Get the host's addresses
- Get the nameservers
- Get the MX record
- Perform AXFR queries on nameservers
- Get extra names and subdomains via Google scraping
- Brute-force subdomains from a file; it can also recurse on subdomains that have NS records
- Calculate class C network ranges and perform whois queries on them
- Perform reverse lookups on net ranges

Fingerprinting techniques
Fingerprinting techniques are based on detecting differences in the packets produced by different
operating systems.
Common techniques are based on analyzing:

- IP TTL values.
- IP ID values.
- TCP window size.
- TCP options (generally in TCP SYN and SYN+ACK packets).
- DHCP requests.
- ICMP requests.
- HTTP packets (generally the User-Agent field).

Other techniques are based on analyzing:

- Running services.
- Open port patterns.

Tools
Different tools are used for active and passive stack fingerprinting.
Active Fingerprinting Tools:
1. Nmap:
Nmap is a network discovery tool that many system and network administrators find useful for
tasks such as network inventory, managing service upgrade schedules, and monitoring host or service
uptime.

Passive Fingerprinting Tools:
2. NetworkMiner:
NetworkMiner is a Network Forensic Analysis Tool for Windows. It is used to detect operating systems,
sessions, hostnames, open ports, etc. Its main purpose is to collect data that can be used as forensic
evidence about hosts on the network, rather than data about the traffic on the network itself.
3. P0f:
P0f is a versatile passive OS fingerprinting tool used to identify a remote system, how far away it is,
and its uptime. It also detects certain types of packet filters and the name of the ISP, while remaining
passive because it generates no network traffic.

4. Satori:
Satori is one of the most frequently used passive fingerprinting programs; it uses multiple protocols
for OS identification. It is available on both Windows and Linux.

B) Enumeration
Enumeration in information security is the process of extracting user names, machine names, network
resources, and other services from a system. All the gathered information is used to identify the
vulnerabilities or weak points in the system's security, which the attacker then tries to exploit.

Techniques for enumeration

There are many ways to collect data such as network users, routing tables and Simple Network
Management Protocol (SNMP) information. Let's discuss the possible ways an attacker might
enumerate a target network and what countermeasures can be taken to prevent them.
1) Extract User Names Using Email IDs:
Usually, an email ID has two parts: the username and the domain name. The structure of an email
address is "username@domainname". For instance, in the email ID xyz@live.com, xyz (the characters
preceding the '@' symbol) is the username and live.com (the characters following the '@' symbol)
is the domain name.

2) Extracting Information Using Default Passwords:

Many online resources publish the default passwords that manufacturers assign to their products.
Users often forget to change these default passwords, which lets an attacker enumerate their data
easily.

3) Brute Force Active Directory:

Microsoft Active Directory is susceptible to a username enumeration weakness in its validation of
user-supplied input. This is the consequence of a design error in the application. An attacker takes
advantage of it and exploits the weakness to enumerate valid usernames.
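From the defender's side, the symptom of this weakness is a burst of authentication requests for names that do not exist, and the domain controller records exactly that. As an added example, not from the original page, the Python below reads constructed Windows Security event records of ID 4768 (TGT requested) and separates the result code 0x6 (client principal unknown, i.e. no such account) from 0x18 (pre-authentication failed, i.e. the account exists but the key was wrong). Those event and code values are real; the source addresses, names and thresholds are constructed assumptions. It goes slightly beyond the text by also labelling the opposite pattern, many existing names failing from one source, since the two look alike until the result codes are split.

```python
from collections import defaultdict

# Constructed Security event records carrying only the fields used here (not real logs).
# 4768 = "A Kerberos authentication ticket (TGT) was requested". Result codes:
# 0x0 success, 0x6 client principal unknown, 0x18 pre-authentication failed.
SAMPLE_EVENTS = (
    [{"EventID": 4768, "IpAddress": "10.0.0.9", "TargetUserName": name, "Status": "0x6"}
     for name in ["aaron", "abby", "adam", "admin2", "alice", "amy", "andre", "andy", "anna", "april"]]
    + [{"EventID": 4768, "IpAddress": "10.0.0.9", "TargetUserName": name, "Status": "0x18"}
       for name in ["jsmith", "mjones"]]           # two guessed names that do exist
    + [{"EventID": 4768, "IpAddress": "10.0.0.21", "TargetUserName": "jsmith", "Status": "0x18"}
       for _ in range(2)]                            # one user mistyping a password twice
    + [{"EventID": 4768, "IpAddress": "10.0.0.21", "TargetUserName": "jsmith", "Status": "0x0"}]
    + [{"EventID": 4768, "IpAddress": "10.0.0.33", "TargetUserName": name, "Status": "0x18"}
       for name in ["bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan"]]
    + [{"EventID": 4624, "IpAddress": "10.0.0.9", "TargetUserName": "svc", "Status": "0x0"}]
)

UNKNOWN_PRINCIPAL = "0x6"
PREAUTH_FAILED = "0x18"
SUCCESS = "0x0"


def summarize_by_source(events):
    """Collect the distinct target names per source, bucketed by TGT result code."""
    summary = defaultdict(lambda: {"unknown": set(), "preauth_failed": set(), "success": set()})
    for ev in events:
        if ev.get("EventID") != 4768:              # only TGT requests carry these codes
            continue
        bucket = summary[ev["IpAddress"]]
        if ev["Status"] == UNKNOWN_PRINCIPAL:
            bucket["unknown"].add(ev["TargetUserName"])
        elif ev["Status"] == PREAUTH_FAILED:
            bucket["preauth_failed"].add(ev["TargetUserName"])
        elif ev["Status"] == SUCCESS:
            bucket["success"].add(ev["TargetUserName"])
    return summary


def classify_sources(events, min_names=5):
    """Many unknown names from one source is enumeration; many existing names failing is guessing."""
    verdicts = {}
    for src, b in summarize_by_source(events).items():
        unknown, failed = len(b["unknown"]), len(b["preauth_failed"])
        if unknown >= min_names:
            verdict = "username_enumeration"
        elif failed >= min_names:
            verdict = "password_guessing"
        else:
            verdict = "normal"
        verdicts[src] = {"verdict": verdict, "unknown_names": unknown,
                         "failed_existing_names": failed, "succeeded": len(b["success"])}
    return verdicts


if __name__ == "__main__":
    for src, v in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(src, v)
```

The split matters for response as well as detection: 0x6 volume says someone is building a user list and the accounts that answered 0x18 from the same source are the ones confirmed valid, which is where lockout and password-reset attention should go first.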

4) Extract Usernames Using SNMP:

By querying SNMP, attackers can guess the community strings through which they can extract the
required usernames.

5) Extract Information Using DNS Zone Transfer:

An attacker can get valuable topological information about the target's internal network using a DNS
zone transfer.

Services and ports to enumerate:

TCP 53: DNS Zone Transfer:
DNS zone transfer relies on TCP port 53 rather than UDP 53. TCP helps maintain a consistent DNS
database between DNS servers; a DNS server always uses TCP for zone transfers.
TCP 137: NetBIOS Name Service (NBNS):
NBNS, also known as Windows Internet Name Service (WINS), maintains a database of the NetBIOS
names of hosts and the corresponding IP addresses the hosts are using.
UDP 161: Simple Network Management Protocol (SNMP):
SNMP is used by various devices and applications, including firewalls and routers, to communicate
logging and management information with remote monitoring applications.
TCP/UDP 389: Lightweight Directory Access Protocol (LDAP):
LDAP is used by Microsoft Active Directory, as well as by some email programs, to look up contact
information from a server.
TCP 25: Simple Mail Transfer Protocol (SMTP):
SMTP allows email to move across the internet and across the local network. It runs on the
connection-oriented service provided by the Transmission Control Protocol (TCP) and uses port 25.

Enumeration belongs to the first phase of ethical hacking, i.e., "Information Gathering". In this
process the attacker establishes an active connection with the victim and tries to discover as many
attack vectors as possible, which can be used to exploit the systems further.

Enumeration can be used to gain information on −

- Network shares
- SNMP data, if it is not secured properly
- IP tables
- Usernames of different systems
- Password policy lists

Enumeration depends on the services that the systems offer. It can be −

- DNS enumeration
- NTP enumeration
- SNMP enumeration
- Linux/Windows enumeration
- SMB enumeration

C) Scanning
Scanning is one of the most popular procedures attackers use to find services that can be used to
exploit systems. Scanning discovers all the machines connected to the LAN, through a modem, or
listening on well-known ports.

By scanning, we can discover information such as which services are running, which users own
those services, whether anonymous logins are supported, whether certain network services require
authentication, and other related details.

During reconnaissance, an ethical hacker attempts to gather as much information about a target
system as possible, following the seven steps listed below −

- Gather initial information
- Determine the network range
- Identify active machines
- Discover open ports and access points
- Fingerprint the operating system
- Uncover services on ports
- Map the network

4. THE THREE TYPES OF SCANNING USED ARE

Port scanning: This stage involves probing the victim for data such as open ports, live systems, and
the different services running on the host.
Port scanning is one of the most popular techniques an attacker uses to discover services that can be
used to exploit systems. All the systems connected to the LAN, or accessing the network via a modem,
run services that listen on well-known ports.
By using port scanning, we can discover information such as which services are running, which users
own those services, whether anonymous login is supported, whether certain network services require
authentication, and other related details.
Vulnerability scanning: Checking the victim for shortcomings or weaknesses that can be exploited.
Generally done with the help of automated software.
Network mapping: Finding the network's topology, switches, routers, firewalls (if any) and hosts, and
drawing a network diagram with the available data. This map may serve as a significant piece of
information throughout the hacking cycle.

Port scanning techniques

There are various port scanning techniques available. Well-known tools like Nmap and Nessus have
automated the port scanning process. The scanning techniques include:

Address Resolution Protocol (ARP) scan:
In this technique, a series of ARP broadcasts is sent, and the target IP address field is incremented
in each broadcast packet to discover active devices on the local network segment. This scan helps to
map out the entire network segment.
Vanilla TCP connect scan:
This is the basic scanning technique; it uses the operating system's connect system call to open a
connection to every port that is available.
TCP SYN (Half Open) scan:
SYN scanning is a technique a malicious hacker uses to determine the state of a communications port
without establishing a full connection. These scans are called half open because the attacking system
does not close the open connections.
TCP FIN Scan:
This scan can remain undetected by most firewalls, packet filters, and other scan detection programs.
It sends FIN packets to the targeted system and prepares a report from the responses it receives.
TCP Reverse Ident Scan:
This scan discovers the username of the owner of any TCP-connected process on the targeted system.
It lets an attacker use the ident protocol to discover who owns a process by connecting to open ports.
TCP XMAS Scan:
This scan is used to identify listening ports on the targeted system. It sets the URG, PSH and FIN
flags of the TCP header.
TCP ACK Scan:
This scan is used to identify active hosts that may not respond to standard ICMP pings. The attacker
uses this method to determine port status from the acknowledgment received.
UDP ICMP Port Scan:
This scan is used to find high-numbered ports, especially on Solaris systems. The scan is slow and
unreliable.
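Most of the techniques above leave a tell-tale flag combination in the very first packet a sensor sees, so a defender can name the probe type per packet and then count how many distinct ports one source touched. The Python below is an added example, not code from the original page or from Nmap: it classifies a TCP flags byte into the NULL, SYN, ACK, FIN and XMAS patterns the text describes and raises an alert per source once the distinct-port count crosses a threshold. The connection records, addresses and threshold are constructed assumptions. A vanilla connect scan completes the handshake, so per-packet flags alone cannot separate it from a legitimate client; it only surfaces through the port count.

```python
from collections import Counter, defaultdict

# TCP flag bits as they appear in the flags byte of the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the scan technique a single unsolicited inbound TCP packet resembles."""
    if flags == 0:
        return "NULL"
    if flags == SYN:
        return "SYN (half-open)"
    if flags == ACK:
        return "ACK"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    return "other"                     # SYN+ACK, PSH+ACK etc. belong to real sessions


# Constructed records (src, dst_port, flags) from a sensor in front of one server; not a
# real capture. 10.0.0.9 walks twenty ports with bare SYNs, 10.0.0.11 sends XMAS probes to
# fifteen ports, and 10.0.0.3 is a normal client that only ever talks to port 443.
SAMPLE_RECORDS = (
    [("10.0.0.9", port, SYN) for port in range(1, 21)]
    + [("10.0.0.11", port, FIN | PSH | URG) for port in range(1, 16)]
    + [("10.0.0.3", 443, SYN)] * 3 + [("10.0.0.3", 443, PSH | ACK)] * 3
)


def detect_port_scans(records, min_ports=10):
    """Flag sources touching >= min_ports distinct ports, tagged with the dominant probe type."""
    per_source = defaultdict(lambda: {"ports": set(), "types": Counter()})
    for src, port, flags in records:
        per_source[src]["ports"].add(port)
        per_source[src]["types"][classify_probe(flags)] += 1
    alerts = []
    for src, seen in sorted(per_source.items()):
        if len(seen["ports"]) >= min_ports:
            probe_type, _ = seen["types"].most_common(1)[0]
            alerts.append({"src": src, "distinct_ports": len(seen["ports"]),
                           "probe_type": probe_type})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_RECORDS):
        print(alert)
```

Feed this only packets for which no established session exists (the sensor's state table decides that), otherwise the FIN and ACK that close a normal connection will be counted as probes. The FIN and XMAS cases are worth keeping even though the text says they slip past many filters: the flags are unusual enough on a first packet that a stateful sensor can log them cheaply.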
5. TOOLS FOR RECONNAISSANCE
A) Nmap
Nmap is probably the best-known tool for active reconnaissance in ethical hacking. Nmap is a
scanner that probes a network for details about a system and the programs running on it. This is
accomplished using a suite of different scan types that exploit the details of how a service or system
works.

B) Nikto
Nikto is a web scanner that looks for vulnerabilities that can be used for reconnaissance. It can
identify a wide range of weaknesses, but it is not a covert scanner. Scanning with Nikto can be
effective; however, it is easily detected by an intrusion prevention or intrusion detection system.

C) Nessus
Nessus is a commercial vulnerability scanner. Its purpose is to identify vulnerable applications
running in the network and to give a variety of details about potentially exploitable weaknesses.
Nessus is a paid scanner; however, the extensive data it provides can make it a worthwhile investment
for hacking.

D) Metasploit
Metasploit is an exploitation toolkit. It contains a wide range of modules with pre-packaged exploits
for various vulnerabilities. With Metasploit, even a novice can break into a wide range of vulnerable
machines.

E) Shodan
Shodan is a search engine for internet-connected devices. As the Internet of Things grows, people
and organizations are increasingly connecting insecure devices to the internet. It is a tool that can be
used for passive reconnaissance. However, the use of Shodan can be identified by prevention and
detection systems.

F) Google
Among the tools used for passive reconnaissance, search engines come first. Google and other search
engines can perform more powerful searches than one might expect or have experienced. They can be
used by attackers to achieve what has been named Google hacking. Basic search strategies combined
with advanced operators can do a great deal of damage.

G) OpenVAS
OpenVAS is a vulnerability scanner that was created in response to the commercialization of Nessus.
The Nessus vulnerability scanner was originally open source, and when it became closed source,
OpenVAS was forked from the last open-source version to continue providing a free alternative. It
therefore offers much of the same functionality as Nessus, but may lack some of the features
developed since Nessus was commercialized.
