1.External Recon and Enumeration Principles

Core Principles

Passive vs. Active Reconnaissance:
- Passive: Gathering information without directly interacting with the target's systems (e.g., searching public databases, social media).
- Active: Directly interacting with the target's systems (e.g., scanning ports, probing services).
Scoping: Defining the boundaries of the engagement to avoid unintended consequences.
Information Gathering: The primary goal is to collect as much relevant information as possible about the target.
Iterative Process: Reconnaissance is not a one-time event; it's an ongoing process throughout the penetration test.
OSINT (Open-Source Intelligence): Utilizing publicly available information to gather intelligence.

IP Space: Identifying the target's network ranges and ASNs.
Domain Information: Discovering domain names, subdomains, DNS records, and registrars.
Schema Formats: Understanding naming conventions for usernames, email addresses, and other identifiers.
Data Disclosures: Finding publicly accessible documents, files, and other data that may contain sensitive information.
Breach Data: Identifying compromised credentials and other leaked data.

DNS Enumeration: Querying DNS servers to discover domain information.
Social Media Analysis: Gathering information from social media platforms.
Website Analysis: Examining the target's website for information and vulnerabilities.
Google Dorking: Using advanced search operators to find specific information.
Credential Hunting: Searching for leaked credentials in breach data sources.
Subdomain Enumeration: Discovering subdomains associated with the target domain.
ASN lookups: Discovering the owner of IP address blocks.

Staying Within Scope: Adhering to the agreed-upon boundaries of the engagement.
Obtaining Authorization: Ensuring that you have explicit permission to perform reconnaissance and penetration testing.
Protecting Sensitive Information: Handling any sensitive information that you discover responsibly.
Avoiding Unintended Harm: Taking precautions to avoid disrupting the target's systems or services.

Last updated 12 days ago

Core Principles

Passive vs. Active Reconnaissance:

Passive: Gathering information without directly interacting with the target's systems (e.g., searching public databases, social media).
Active: Directly interacting with the target's systems (e.g., scanning ports, probing services).

Scoping: Defining the boundaries of the engagement to avoid unintended consequences.

Information Gathering: The primary goal is to collect as much relevant information as possible about the target.

Iterative Process: Reconnaissance is not a one-time event; it's an ongoing process throughout the penetration test.

OSINT (Open-Source Intelligence): Utilizing publicly available information to gather intelligence.

Key Data Points:

IP Space: Identifying the target's network ranges and ASNs.

Domain Information: Discovering domain names, subdomains, DNS records, and registrars.

Schema Formats: Understanding naming conventions for usernames, email addresses, and other identifiers.

Data Disclosures: Finding publicly accessible documents, files, and other data that may contain sensitive information.

Breach Data: Identifying compromised credentials and other leaked data.

Essential Techniques:

DNS Enumeration: Querying DNS servers to discover domain information.

Social Media Analysis: Gathering information from social media platforms.

Website Analysis: Examining the target's website for information and vulnerabilities.

Google Dorking: Using advanced search operators to find specific information.

Credential Hunting: Searching for leaked credentials in breach data sources.

Subdomain Enumeration: Discovering subdomains associated with the target domain.

ASN lookups: Discovering the owner of IP address blocks.

Key Tools:

nslookup/dig: For DNS queries.

whois: For domain registration information.

BGP Toolkit: For ASN and IP address information.

Shodan/Censys: For discovering exposed devices and services.

Dehashed/HaveIBeenPwned: For checking breach data.

Sublist3r/Amass: For subdomain enumeration.

Trufflehog: For finding secrets in code repositories.

Domaintools/Viewdns.info: For domain information.

Ethical Considerations:

Staying Within Scope: Adhering to the agreed-upon boundaries of the engagement.

Obtaining Authorization: Ensuring that you have explicit permission to perform reconnaissance and penetration testing.

Protecting Sensitive Information: Handling any sensitive information that you discover responsibly.

Avoiding Unintended Harm: Taking precautions to avoid disrupting the target's systems or services.