Reconnaissance is a pivotal part of penetration testing and bug bounty hunting, and understanding an organization's assets is essential for assessing its attack surface. Collecting complete and accurate information during this phase often determines the success of the pentest. This initial step matters because it identifies the target system or network and gathers information about its vulnerabilities and weaknesses.
This blog post series provides an in-depth look at the key reconnaissance techniques used for penetration testing and bug bounty hunting. In the first post, we discuss the two main types of reconnaissance, active and passive, and explain the advantages and disadvantages of each. The second post focuses on subdomain enumeration and subdomain brute forcing, which are important reconnaissance methods. The third post will cover live host discovery and port scanning, which identify reachable hosts on a network and the open ports on them so they can be scanned for vulnerabilities. Finally, the fourth post will discuss template-based scanning, a passive reconnaissance method. This blog post series is a great resource for anyone looking to learn more about the fundamentals of reconnaissance for bug bounty hunting.
What is Reconnaissance?
Reconnaissance is gathering information about a target system or network to identify potential vulnerabilities that can be exploited. This can involve various techniques such as analyzing publicly available information about the target, using tools to scan the target's network and systems for open ports and services, and trying to gather information about the target's employees and business practices.
The goal of reconnaissance is to gather as much information as possible about the target to create a detailed profile of the system or network and identify any potential weaknesses that can be exploited. This information can then be used to plan and execute a successful attack on the target.
There are different types of reconnaissance, including passive reconnaissance, which involves gathering information from publicly available sources without actively interacting with the target system or network, and active reconnaissance, which involves actively interacting with the target to gather information.
In simple terms, reconnaissance does not guarantee that a vulnerability exists, but it lets you enumerate assets and map the overall attack surface of the target.
Types of Reconnaissance
Active reconnaissance involves interacting with the target system or network to gather information. This includes techniques such as running a port scan on the server to identify open ports and services, attempting to access restricted pages or resources within the application, or using tools to try and identify vulnerabilities within the application or underlying system.
On the other hand, passive reconnaissance gathers information from publicly available sources without actively interacting with the target system or network. This includes techniques such as analyzing the target application's website and social media presence, looking up information about the application's developers and users, and reviewing publicly available documents such as user manuals and support documentation.
The main difference between active and passive reconnaissance is the level of interaction with the target system or network: active reconnaissance interacts with the target directly, while passive reconnaissance gathers information without touching it.
Each approach has advantages and disadvantages when performing reconnaissance during security assessments.
Advantages of Active Reconnaissance
- Identify active systems and services: Active reconnaissance allows you to identify which systems and services are actively running and responding to requests, rather than just those configured or present on the network.
- Comprehensive information gathering: Active reconnaissance allows you to gather more information about a target system or network. You can interact with the system directly and probe it for information. This can be useful for identifying vulnerabilities or weaknesses that may not be detectable through passive reconnaissance methods.
- Gather real-time information: Active reconnaissance allows you to gather information about a target system or network in real time, rather than relying on outdated or historical data. This can be useful for identifying current vulnerabilities or weaknesses in the system.
Disadvantages of Active Reconnaissance
- Risk of detection: Active reconnaissance involves actively interacting with the target system or network, which increases the risk of being detected by the target. This can trigger security alerts or defensive measures, disrupting the reconnaissance process.
- Risk of disruption: Active reconnaissance can also disrupt the target system or network, interrupting the target's operations and potentially causing damage. This is especially risky if the target is critical infrastructure or has strict security requirements.
- Increased time and resources: Active reconnaissance can be more time-consuming and resource-intensive than passive reconnaissance, as it involves actively interacting with the target and may require specialized tools and techniques.
Advantages of Passive Reconnaissance
- Lower risk of detection: Passive reconnaissance involves gathering information from publicly available sources without actively interacting with the target system or network, which reduces the risk of being detected by the target. This can be especially useful in cases where the target has high-security requirements or is sensitive to disruptions.
- Lower risk of disruption: Passive reconnaissance also involves a smaller risk of disrupting the target system or network, as it does not involve actively interacting with the target.
- Lower resource requirements: Passive reconnaissance is generally less resource-intensive than active reconnaissance, as it does not require specialized tools or techniques and can often be done using readily available information.
Disadvantages of Passive Reconnaissance
- Less accurate and comprehensive information: Passive reconnaissance relies on publicly available information, which may be less detailed and precise than information gathered through active reconnaissance.
- Limited ability to identify vulnerabilities: Passive reconnaissance does not involve actively interacting with the target, which limits the ability to use tools and techniques to identify vulnerabilities.
- Limited control over reconnaissance process: With passive reconnaissance, the security team is limited to the information that is publicly available and has less control over the process than with active reconnaissance.
In the next installment, we will look at some reconnaissance tools to learn about their features, how long they take to produce results, and more.
Author: Harsh Bothra, @harshbothra_
ProjectDiscovery Reconnaissance Series
Reconnaissance is an essential part of penetration testing and bug bounty hunting, as it is the process of gathering information about a target to identify potential attack vectors and vulnerabilities. This blog series provides an overview of the various reconnaissance techniques available, as well as advice on how to effectively utilize them to maximize the chances of success.
- Reconnaissance 101: A Deep Dive in Active & Passive Reconnaissance
- Reconnaissance 102: Subdomain Enumeration
- Reconnaissance 103: Host and Port Discovery
- Reconnaissance 104: Expanded Scanning
- ⌛ Reconnaissance 105: Additional Types of Active Reconnaissance