Pre-Attack Phase: Two Types of Information Gathering Flashcards
Two types of reconnaissance:
Passive:
When you’re gathering information within the public domain, generally without any interaction with the subject of the reconnaissance.
ex. articles/publications, job postings, document sifting, searching WHOIS databases, ect.
- also includes social engineering, but this could fall into either category depending on how you do it.
Active:
When you take any action in an attempt to map out the network, infrastructure, or social structure of your target company.
ex. network mapping, perimeter mapping, port scanning, web profiling, ect.
On the subject of active/passive social engineering:
Active social engineering: say if you see in a publication that an employee of the target company’s been fired and you engage them in a conversation, thinking that they’d be able to provide some more intimate information of the state of your target, then this’d be an example of active social engineering.
Passive social engineering is when you attempt to extract information regarding your target using information that is not w/in the target’s ownership and is not necessarily publicly available. (so, if there are any governmental records of your target company, you could make a call to town hall and request some information regarding them. Even in the cases where they refuse, sometimes you’ll be able to glean a bit just from the fact that the information you requested is somewhat more sensitive to your target for some reason.
As Ermin says, reconnaissance is incremental. If you gain enough information, eventually it’ll add up to something substantial).
On the subject of WHOIS:
WHOIS is a platform comprised of publicly accessible records that’ll help you gain a lot of information on individual ip addresses.
