Passive reconnaissance is an important tool for penetration testing and the starting point of many data breaches. The process involves gathering publicly available information that could be used to compromise the organization. This section explores passive reconnaissance, how it is applied in network compromises, and how an organization can protect itself from it.
Passive reconnaissance is a key component of how malicious hackers and cybersecurity professionals alike operate. It involves gathering information on a target through means that will not alert the target network: public web pages, publicly accessible databases, and other sources that any user could consult for innocuous reasons. Because this information is freely available, organizations can be compromised by spear-phishing campaigns built on what passive reconnaissance reveals.
This section will explore the basics of passive reconnaissance, how it is applied in network breaches and penetration testing, and how an organization can secure itself against it.

Specialized software has been developed to automate the process of reconnaissance and discover vulnerabilities in target networks.
Professional cybersecurity programs such as Maltego scan an initial target and then draw maps of network entities through repeated scanning and web crawling. This can reveal domain names, network hosting services, web server addresses, connected services and entities, and personally identifiable information linked to the organization. For example, a scanning tool can begin with a domain name and then scan for the addresses connected to that domain and responsible for hosting and other services. The tool can also search hosted pages for email addresses and other information that may be publicly available. Once the scan is complete, further scans can be run against newly discovered hosts, or the results can be analyzed. Analysis can reveal sensitive information that is then used to compromise the organization’s wireless network.
One of the most frequently used attack vectors is the web hosting service of a target organization’s website. Compromising the web service or the account associated with the site leads to infiltration of the entire site. The attacker can use this to compromise the organization’s wireless network or simply gather data from the service. Passive reconnaissance tools can easily reveal hosting domains through a friendly user interface and an array of scan types. Email addresses discovered by scanners can be used for phishing campaigns, and personally identifiable information gathered through the scan can be used to build advanced spear-phishing campaigns. Lastly, wireless access points can be discovered from scans and their encryption broken by password-cracking software.
Passive reconnaissance is an invaluable asset for cybersecurity professionals and malicious hackers alike. Some scans will alert security software and system administrators to reconnaissance efforts; these are known as active reconnaissance and are typically used after, or in conjunction with, passive reconnaissance. If the information can be found without touching any aspect of the network’s security controls or alerting systems, it is simply passive reconnaissance.
Defending against passive reconnaissance is a multi-faceted task. It is impossible to protect information you want accessible to the public from passive reconnaissance, but it is possible to carefully curate what organizational information is published. At a minimum, many organizations publish contact information, and others publish lists of detailed profiles containing contact information. If this is necessary to the function of the organization, then defense against reconnaissance becomes a matter of secure communication practices on official channels.
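As an added, defender-side example (not part of the original text), the following Python script audits an organization's own published pages for the kind of contact details a crawler would harvest, and reports only those that were not deliberately approved for publication. The sample pages, the example.org domain and the approved-address list are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages standing in for an organization's own public site
# (example.org is a placeholder domain, not a real deployment).
PAGES = {
    "https://www.example.org/contact": """<html><body><h1>Contact</h1>
        <p>General enquiries: <a href="mailto:info@example.org">info@example.org</a></p>
        <p>Press: press@example.org</p></body></html>""",
    "https://www.example.org/team": """<html><body><h1>Our team</h1>
        <ul><li>Jane Doe, Network Administrator - jane.doe@example.org, +1 555 0100</li>
        <li>Sam Roe, Finance - sam.roe@example.org</li></ul>
        <!-- legacy: root@mail.example.org --></body></html>""",
}
# Addresses the organization has deliberately chosen to publish.
APPROVED_PUBLIC = {"info@example.org", "press@example.org"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{7,}\d")

class TextExtractor(HTMLParser):
    """Collect text, attribute values and comments: a crawler sees all three."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)
    def handle_comment(self, data):
        self.chunks.append(data)
    def handle_starttag(self, tag, attrs):
        self.chunks.extend(v for _, v in attrs if v)

def audit_pages(pages, approved):
    """Return {url: {"emails": [...], "phones": [...]}} holding only findings
    outside the approved set, i.e. exposure the organization should curate."""
    report = {}
    for url, html in pages.items():
        extractor = TextExtractor()
        extractor.feed(html)
        text = " ".join(extractor.chunks)
        emails = sorted({e.lower() for e in EMAIL_RE.findall(text)} - approved)
        phones = sorted({re.sub(r"\s+", " ", p.strip()) for p in PHONE_RE.findall(text)})
        if emails or phones:
            report[url] = {"emails": emails, "phones": phones}
    return report

if __name__ == "__main__":
    for url, findings in audit_pages(PAGES, APPROVED_PUBLIC).items():
        print(url, findings)  # team page lists three addresses and one phone number
```

The contact page produces no findings because its addresses are on the approved list; the team page surfaces individual mailboxes, a phone number and an address hidden in an HTML comment, which is exactly what a crawler-based reconnaissance tool would collect.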
All users in the organization should be wary of suspicious emails from unknown sources, but it is also important to be wary of emails that use publicly available information to appear more convincing. In general, checking the source of a communication is a good way to protect against phishing and spear-phishing attacks.