Open Source Intelligence and Reconnaissance Flashcards
(12 cards)
Intelligence Gathering
The phase in which an attacker gathers information on the target, maps its networks, and probes them for vulnerabilities that can later be exploited.
- Information gathered during this phase guides the rest of the penetration test
- Arguably the most important part of penetration testing
Types of reconnaissance
- Passive Reconnaissance – gathering information on a target without the target becoming aware of your actions
  o Example: using the Internet to research a target (domain registrations, web pages, email addresses)
- Active Reconnaissance – gathering information on a target where the potential exists that your actions will be seen by the target
  o Example: port scanning the target domain's network looking for hosts and open services
Open-source Intelligence
- The action of searching for publicly available information via the Internet, or "open sources"
- Build an understanding of the organisation, its employees, and relationships to other organisations
- Publicly available information includes:
  - News broadcasts
  - Public request data
  - Paywalled data
  - Social media
  - Pastebin
- No specialist tools/techniques required
- Can be used for social engineering
- Can include passwords/names/IP addresses
Ways to gather information passively
Infrastructure data collection
* IP address range
* IP addresses of specific systems
* Device types
* Operating systems
* Services
Employees
* Names
* Roles
* Relationships (internal/external)
Websites
* Source code
* Comments
* Libraries
* Contact details
* Script types
Email headers
* Obtaining email addresses
* Querying the domain's email server
* Organisation's website
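The "Email headers" item above is worth a worked example, because a single message sent from inside the target organisation leaks infrastructure data (internal hostnames, RFC 1918 addresses, mail server software) and employee data (names, client software) without the analyst ever touching the target. The script below is an added example, not part of the original flashcards: it walks the Received chain of a constructed set of headers (the hosts, addresses and message are made up for illustration) from the originating workstation outwards and reports what an attacker would note down.

```python
import email
import ipaddress
import re

# Constructed sample headers (not from a real mailbox); the hostnames and
# addresses are invented for this example.
SAMPLE_HEADERS = """\
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
\tby mail.recipient.test with ESMTPS id 4AbC;
\tTue, 4 Jun 2024 10:15:02 +0000
Received: from EXCH01.corp.example.org (10.20.30.40) by mx1.example.org
\twith Microsoft SMTP Server id 15.1.2507.27; Tue, 4 Jun 2024 10:14:58 +0000
Received: from WS-JSMITH (192.168.5.77) by EXCH01.corp.example.org (10.20.30.40)
\twith Microsoft SMTP Server id 15.1.2507.27; Tue, 4 Jun 2024 10:14:55 +0000
From: John Smith <john.smith@example.org>
To: someone@recipient.test
Subject: Quarterly report
Message-ID: <0f3a1b@EXCH01.corp.example.org>
X-Mailer: Microsoft Outlook 16.0
MIME-Version: 1.0

body
"""

# "from <host> (<comment>)" at the start of each Received header
HOP_RE = re.compile(r"from\s+(?P<host>[^\s(]+)(?:\s*\((?P<paren>[^)]*)\))?", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "with <software> id <...>" names the MTA that accepted the message
SW_RE = re.compile(r"\bwith\s+(?P<sw>.+?)\s+id\b", re.I)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for private (internal) IPv4 space, which should never appear in public mail."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def analyse(raw: str) -> dict:
    msg = email.message_from_string(raw)
    hops = []
    # Received headers are prepended by each relay, so the last one is the origin.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ips = IP_RE.findall(m.group("paren") or "")
        sw = SW_RE.search(value)
        hops.append({"host": m.group("host"),
                     "ip": ips[-1] if ips else None,
                     "software": sw.group("sw") if sw else None})
    internal = [h for h in hops if h["ip"] and is_rfc1918(h["ip"])]
    msgid = msg.get("Message-ID", "")
    msgid_host = msgid.strip("<> ").split("@")[-1] if "@" in msgid else None
    return {"hops": hops, "internal": internal,
            "mailer": msg.get("X-Mailer"), "message_id_host": msgid_host}


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADERS)
    for hop in report["hops"]:
        print(f"{hop['host']:28} {hop['ip'] or '-':16} {hop['software'] or '-'}")
    print("internal hosts leaked:", [h["host"] for h in report["internal"]])
    print("client software:", report["mailer"], "| Message-ID host:", report["message_id_host"])
```

Everything the script prints came from the organisation's own outbound mail, which is why this counts as passive reconnaissance: the workstation name hints at an employee naming scheme, the private addresses and the Exchange hostname describe the internal network, and the X-Mailer and SMTP banner give software versions to match against known vulnerabilities later.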
Terminology - 1
Sniffing: Capturing network traffic for analysis or replay.
Sniffer: Software or hardware tool that captures network packets.
SPAN / Mirror Port: Switch port configured to send a copy of the traffic from selected ports or VLANs to the sniffer.
TAP (Test Access Point): Hardware device inserted inline that passively copies network traffic.
Promiscuous Mode: Network card mode in which the host listens to all traffic on the segment, not just frames addressed to itself.
How do packet sniffers work?
A packet sniffer puts the network interface into promiscuous mode, so the card passes up every frame it sees on the network segment rather than only those addressed to it.
Promiscuous mode does not pull traffic towards the sniffer: the frames must already reach its interface. The sniffer therefore has to be attached to the same network segment as the target traffic (directly on a shared medium, or via a SPAN port or TAP on a switched one); its exact position within that segment does not matter.
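To make the difference between normal and promiscuous mode concrete, here is an added example (not from the original flashcards) that models the receive filter of a network card in Python and decodes the Ethernet and IPv4 headers of the frames that get through. A real sniffer would open a raw socket or libpcap handle and let the driver do this; the page shows no such code, so the three sample frames below are constructed in the script and the filter is simulated.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet II header in front of every frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(payload: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (options, if present, are skipped)."""
    f = struct.unpack("!BBHHHBBH4s4s", payload[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "ttl": f[5], "proto": f[6], "data": payload[ihl:]}


def nic_accepts(frame: bytes, our_mac: bytes, promiscuous: bool) -> bool:
    """Model of the NIC receive filter (simulated, not a real driver).

    Normally the card only passes frames addressed to its own MAC, to the
    broadcast address, or to a multicast group (low bit of the first octet
    set).  In promiscuous mode the filter is off and every frame that reaches
    the interface is handed to the sniffer.
    """
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == our_mac or dst == BROADCAST or bool(dst[0] & 0x01)


def capture(frames, our_mac: bytes, promiscuous: bool) -> list:
    """Return (src IP, dst IP, protocol) for each IPv4 frame the NIC lets through."""
    seen = []
    for frame in frames:
        if not nic_accepts(frame, our_mac, promiscuous):
            continue
        eth = parse_ethernet(frame)
        if eth["ethertype"] == ETHERTYPE_IPV4:
            ip = parse_ipv4(eth["payload"])
            seen.append((ip["src"], ip["dst"], ip["proto"]))
    return seen


# --- constructed sample traffic (not a real capture) -----------------------
def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto) -> bytes:
    """Ethernet + IPv4 headers over an 8-byte dummy payload; IP checksum left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip_hdr + b"\x00" * 8


OUR_MAC = bytes.fromhex("020000000001")   # the sniffer's own interface (assumed)
HOST_B = bytes.fromhex("020000000002")
HOST_C = bytes.fromhex("020000000003")

SAMPLE_FRAMES = [
    build_frame(OUR_MAC, HOST_B, "10.0.0.2", "10.0.0.1", 6),        # B -> us (TCP)
    build_frame(HOST_C, HOST_B, "10.0.0.2", "10.0.0.3", 1),         # B -> C (ICMP), not for us
    build_frame(BROADCAST, HOST_C, "10.0.0.3", "10.0.0.255", 17),   # broadcast (UDP)
]

if __name__ == "__main__":
    print("normal mode:     ", capture(SAMPLE_FRAMES, OUR_MAC, promiscuous=False))
    print("promiscuous mode:", capture(SAMPLE_FRAMES, OUR_MAC, promiscuous=True))
```

In normal mode the B-to-C conversation never reaches the sniffer's software even though the frame was physically on the wire; switching the filter off is all that promiscuous mode does, which is also why it is useless unless the frames arrive at the interface in the first place.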
Shared vs switched Ethernet
Shared Ethernet:
All devices sit on the same network bus (one collision domain and one broadcast domain).
Every frame is delivered to every station; only the intended recipient's NIC normally accepts it.
A sniffer in promiscuous mode can passively listen to all traffic.
Sniffing is difficult to detect.
Switched Ethernet:
Devices connect to a switch that tracks which MAC address is on which port.
Unicast frames are forwarded only to the port of the intended recipient; broadcasts and frames to unknown MAC addresses are still flooded to all ports.
More secure than shared Ethernet but not fully secure.
Sniffing is still possible via attacks like ARP spoofing (answering ARP for the gateway's IP with the attacker's MAC so that hosts send their traffic through the attacker).
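ARP spoofing works because ARP has no authentication: whoever answers "who has 10.0.0.1?" last wins, so the defence is to watch for the same IP being claimed by two MAC addresses. The following detector is an added example, not part of the original flashcards; it decodes ARP frames and reports conflicting bindings over a constructed sequence of five frames (one legitimate gateway reply, a gratuitous ARP from the victim, two poisoning replies from an attacker, and a non-ARP frame that must be ignored). The addresses are invented.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame: bytes):
    """Decode an Ethernet/IPv4 ARP frame (14-byte Ethernet + 28-byte ARP); None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def detect_arp_spoofing(frames) -> list:
    """Learn IP -> MAC bindings from ARP traffic and report conflicting claims.

    The first MAC seen for an IP is treated as authoritative (in production you
    would seed the table with the known gateway and servers instead).  Any
    later ARP message, request or reply, claiming that IP with a different MAC
    is flagged.  Both directions of a man-in-the-middle attack are caught,
    because the attacker has to poison the gateway's view of the victim too.
    """
    bindings = {}
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append({"ip": ip, "expected": known, "claimed": mac, "op": arp["op"]})
    return alerts


# --- constructed sample traffic (not a real capture) -----------------------
def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sender_mac,
                      socket.inet_aton(sender_ip), target_mac, socket.inet_aton(target_ip))
    return eth + arp


GATEWAY_MAC = bytes.fromhex("02aa00000001")
VICTIM_MAC = bytes.fromhex("02bb00000002")
ATTACKER_MAC = bytes.fromhex("02cc00000003")
BROADCAST = bytes.fromhex("ffffffffffff")

SAMPLE_FRAMES = [
    # legitimate: the real gateway answers the victim's ARP request
    build_arp(ARP_REPLY, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.50"),
    # the victim announcing itself (gratuitous ARP request) - harmless
    build_arp(ARP_REQUEST, VICTIM_MAC, "10.0.0.50", BROADCAST, "10.0.0.50"),
    # attacker poisons the victim: "10.0.0.1 is at ATTACKER_MAC"
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.50"),
    # attacker poisons the gateway: "10.0.0.50 is at ATTACKER_MAC"
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.0.50", GATEWAY_MAC, "10.0.0.1"),
    # a non-ARP (IPv4) frame is ignored
    struct.pack("!6s6sH", VICTIM_MAC, GATEWAY_MAC, 0x0800) + b"\x00" * 40,
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print(f"ARP conflict for {alert['ip']}: expected {alert['expected']}, "
              f"now claimed by {alert['claimed']} (opcode {alert['op']})")
```

The "first seen wins" rule is a simplification: on a network with DHCP churn an address legitimately moves between MACs, so real tooling either pins only the gateway and servers or alerts on rapid flip-flopping rather than on any change.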
Network Scanning
The process of actively probing remote networks to discover live hosts and their open ports.
Active Network Sniffing
The sniffer sends packets to trigger responses and capture network traffic.
It manipulates network devices or hosts so that data not meant for it is delivered to it.
Examples include ARP poisoning and MAC flooding attacks.
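MAC flooding is the other active technique named above and it attacks the switch rather than the hosts: the CAM table that maps MAC addresses to ports has a fixed size, and once an attacker has filled it with bogus source addresses the switch can no longer learn the legitimate hosts and falls back to flooding their unicast frames out of every port, just like a hub. The simulation below is an added example, not from the original flashcards; the switch model (three ports, a capacity of eight entries, a 300-second ageing time) and the hosts are assumed for illustration.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")


class Switch:
    """Minimal model of a learning switch with a bounded CAM (MAC -> port) table."""

    def __init__(self, ports, cam_capacity, max_age=300):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.max_age = max_age          # seconds before an idle entry is aged out
        self.cam = {}                   # mac -> (port, last_seen)

    def _expire(self, now):
        for mac, (_, seen) in list(self.cam.items()):
            if now - seen > self.max_age:
                del self.cam[mac]

    def forward(self, frame, in_port, now):
        """Return the list of ports the frame is sent out of."""
        dst, src = frame[:6], frame[6:12]
        self._expire(now)
        # Learn (or refresh) the source address unless the table is already full.
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, now)
        entry = self.cam.get(dst)
        if dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]   # flood
        return [] if entry[0] == in_port else [entry[0]]


def frame(dst, src) -> bytes:
    """Ethernet header plus 46 bytes of padding; only the addresses matter here."""
    return struct.pack("!6s6sH", dst, src, 0x0800) + b"\x00" * 46


HOST_A = bytes.fromhex("020000000a0a")   # on port 1
HOST_B = bytes.fromhex("020000000b0b")   # on port 2
SNIFFER_PORT = 3                         # attacker's port


def mac_flooding_demo() -> dict:
    sw = Switch(ports=[1, 2, 3], cam_capacity=8)
    # Normal operation: once both hosts are learned, A -> B goes to port 2 only.
    sw.forward(frame(HOST_A, HOST_B), in_port=2, now=0)
    before = sw.forward(frame(HOST_B, HOST_A), in_port=1, now=1)
    # Later, after the idle entries for A and B have aged out, the attacker
    # sends frames from eight bogus source MACs and takes every free slot.
    for i in range(8):
        bogus = bytes([0x02, 0xEE, 0, 0, 0, i])
        sw.forward(frame(BROADCAST, bogus), in_port=SNIFFER_PORT, now=350)
    # A and B can no longer be (re)learned, so their unicast traffic is
    # flooded out of every port, including the attacker's.
    after = sw.forward(frame(HOST_B, HOST_A), in_port=1, now=360)
    return {"before": before, "after": after, "cam_entries": len(sw.cam)}


if __name__ == "__main__":
    result = mac_flooding_demo()
    print("A -> B delivered to ports", result["before"], "before the flood")
    print("A -> B delivered to ports", result["after"], "after the flood",
          f"({result['cam_entries']} CAM entries, all bogus)")
```

The attacker has to keep sending bogus frames faster than entries age out, which is also what makes the attack noisy: a port suddenly sourcing thousands of MAC addresses is exactly what port security limits and what a switch's CAM-utilisation counters expose.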
ICMP PING
Internet Control Message Protocol (ICMP)
IP protocol number 1
Carries control and error messages between hosts and routers rather than user data
Used to check whether computers are active and reachable (e.g., ping sends an Echo Request and expects an Echo Reply)
Traceroute
- Identifies the path from you to the server
- Shows where the path fails
- Works by sending probes with increasing TTL values; each router that expires a probe answers with an ICMP Time Exceeded message, revealing its address
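The ICMP and traceroute cards describe the protocol; the following added example (not from the original flashcards) builds the packets they talk about and shows the one thing a scanner must get right to be answered at all, the RFC 1071 checksum. It constructs an ICMP Echo Request, wraps it in IPv4 headers with TTL 1, 2, 3, ... as traceroute does, and classifies the reply types a probe can receive. The addresses used are documentation ranges chosen for the example; nothing is sent on the network.

```python
import socket
import struct

ICMP_PROTO = 1
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP type 8 code 0; the checksum field is zero while the sum is computed."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def checksum_ok(packet: bytes) -> bool:
    """A correct packet sums to zero once the stored checksum is included."""
    return internet_checksum(packet) == 0


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options, DF set) with its own checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def traceroute_probes(src: str, dst: str, max_hops: int = 30) -> list:
    """Traceroute sends the same probe with TTL 1, 2, 3, ...  Each router that
    decrements the TTL to zero discards the packet and replies with ICMP Time
    Exceeded (type 11), which is what reveals that hop's address."""
    return [build_ipv4(src, dst, ttl, ICMP_PROTO, build_echo_request(0xBEEF, ttl))
            for ttl in range(1, max_hops + 1)]


def parse_icmp(data: bytes) -> dict:
    icmp_type, code, _csum = struct.unpack("!BBH", data[:4])
    return {"type": icmp_type, "code": code, "checksum_ok": checksum_ok(data)}


def classify_reply(icmp_type: int) -> str:
    """Interpret the ICMP message that comes back for a ping/traceroute probe."""
    return {ICMP_ECHO_REPLY: "echo reply: host is alive and reachable",
            ICMP_TIME_EXCEEDED: "time exceeded: an intermediate hop dropped the probe",
            ICMP_DEST_UNREACH: "destination unreachable: the path fails here"}.get(
        icmp_type, "other ICMP message")


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"ping")
    print("echo request:", pkt.hex(), "checksum ok:", checksum_ok(pkt))
    probes = traceroute_probes("192.0.2.10", "198.51.100.7", max_hops=3)
    print("probe TTLs:", [p[8] for p in probes])          # byte 8 of IPv4 is the TTL
    for t in (ICMP_ECHO_REPLY, ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        print(t, "->", classify_reply(t))
```

Two details matter for reconnaissance: a host that answers Echo Replies is "up" even if every TCP port is filtered, and a traceroute that stops producing Time Exceeded replies at some hop shows where a firewall is dropping either the probes or the ICMP errors, which is the "shows where the path fails" point of the card.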
Transmission Control Protocol
Provides reliable, ordered, and error-checked delivery of data between applications
Establishes a connection before data transfer (connection-oriented)
- Uses sequence and acknowledgement numbers within a session to control the arrival of segments at their destination
- Includes the concept of a port which, as seen by a scanner, can be in one of three states:
  o Open – a service accepts connections (a SYN is answered with SYN/ACK)
  o Closed – the host is reachable but nothing is listening (a SYN is answered with RST)
  o Filtered – a firewall or filter drops the probe, so nothing comes back or an ICMP unreachable error does
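The three port states are defined by what comes back to a SYN probe, so the decision logic of a SYN scan fits in a few lines. The script below is an added example, not part of the original flashcards: it encodes and decodes the TCP header, classifies a port from its response, and runs the classifier over a constructed set of replies for five ports (the port numbers and responses are invented for illustration, and nothing is sent on the network).

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# ICMP destination-unreachable codes that a filtering device typically returns:
# host/protocol/port unreachable and the administratively-prohibited variants.
ICMP_UNREACH_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def build_tcp(src_port, dst_port, flags, seq=0, ack=0) -> bytes:
    """20-byte TCP header with no options (data offset 5); checksum left zero."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp(segment: bytes) -> dict:
    src, dst, seq, ack, offset, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": flags, "header_len": (offset >> 4) * 4}


def classify_syn_probe(response) -> str:
    """Classify a port from the reply to a single SYN probe.

    response is None (nothing came back before the timeout),
    ("tcp", segment_bytes) or ("icmp", type, code).
    """
    if response is None:
        return "filtered"                # silently dropped by a firewall
    if response[0] == "tcp":
        flags = parse_tcp(response[1])["flags"]
        if flags & SYN and flags & ACK:
            return "open"                # service accepted; scanner replies RST to abort
        if flags & RST:
            return "closed"              # host reachable, nothing listening
        return "unknown"
    if response[0] == "icmp" and response[1] == 3 and response[2] in ICMP_UNREACH_FILTERED_CODES:
        return "filtered"                # firewall rejected the probe explicitly
    return "unknown"


def syn_scan(responses: dict) -> dict:
    """Map port -> state for a dict of port -> captured response."""
    return {port: classify_syn_probe(r) for port, r in sorted(responses.items())}


# --- constructed responses for five probed ports (not real traffic) ---------
SCANNER_PORT = 40321
SAMPLE_RESPONSES = {
    22: ("tcp", build_tcp(22, SCANNER_PORT, SYN | ACK, seq=1000, ack=1)),
    80: ("tcp", build_tcp(80, SCANNER_PORT, SYN | ACK, seq=2000, ack=1)),
    443: ("tcp", build_tcp(443, SCANNER_PORT, RST | ACK, ack=1)),
    3389: None,                          # timed out
    8080: ("icmp", 3, 13),               # communication administratively prohibited
}

if __name__ == "__main__":
    for port, state in syn_scan(SAMPLE_RESPONSES).items():
        print(f"{port:5}/tcp  {state}")
```

"Filtered" is a statement about the path, not the service: port 3389 above may well be open behind the firewall, which is why a scanner should retry silent ports (a lost packet looks identical to a dropped one) and why a later scan from inside the network can give different answers.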