Passive Recon
Passive: This form is usually only useful when the explicit goal of the reconnaissance phase is to never be detected by the target organization. This kind of profiling is technically difficult and therefore rarely comes into scope on its own, because you never send a single packet to the organization you are researching. All intelligence has to come from archival sources or out-of-band copies of the target's data (caches, mirrors, third-party records).

Activities include: browsing the Google cache or archived resources that do not directly link to the client; searching forums and help sites where technicians may disclose issues, the technology they are using, and their work email addresses; searching marketing material to identify technology vendors; and using reverse-image search to find vendor references.

Why discovering email addresses is useful: Email address harvesting is important because it reveals a repeatable username format (e.g. first initial followed by last name) that can be added to a word list for later phases. It also provides targets for a potential phishing campaign.
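As an added example (not part of the original notes), the script below takes name/address pairs of the kind found in public sources (constructed sample data here, with the placeholder domain example.com), votes each address against a set of common naming conventions, and reports the dominant format and how consistently it is followed. A security team can run it over its own published addresses to see how predictable its username scheme is.

```python
from collections import Counter

# Common local-part conventions; each maps (first, last) to the expected local part.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}

# Constructed sample data: (full name, published address).
SAMPLES = [
    ("Jane Doe", "jdoe@example.com"),
    ("Alice Smith", "asmith@example.com"),
    ("Bob Jones", "bob.jones@example.com"),   # the one outlier
    ("Carol White", "CWhite@Example.com"),
]


def infer_format(samples):
    """Return (best_label, matching_count, usable_count) for the given pairs.

    Middle names are ignored (first and last token only); pairs without a
    usable name or address are skipped and not counted.
    """
    votes = Counter()
    usable = 0
    for name, email in samples:
        parts = name.lower().split()
        if len(parts) < 2 or "@" not in email:
            continue
        first, last = parts[0], parts[-1]
        local = email.split("@", 1)[0].lower()
        usable += 1
        for label, build in FORMATS.items():
            if build(first, last) == local:
                votes[label] += 1
    if not votes:
        return None, 0, usable
    label, count = votes.most_common(1)[0]
    return label, count, usable


def predict(label, full_name, domain):
    """Build the address a given convention would produce for a name."""
    parts = full_name.lower().split()
    return f"{FORMATS[label](parts[0], parts[-1])}@{domain}"


if __name__ == "__main__":
    label, n, total = infer_format(SAMPLES)
    print(f"dominant format: {label} ({n}/{total} addresses follow it)")
```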

Why is searching job postings and technical forums useful? By viewing the list of open positions at an organization, we can determine the types of technologies used internally. Read the desired skills and experience sections as well. For example, a job posting titled “Junior Network System Architect” might not immediately reveal the technologies used, but under the desired skills it might read something like “CCNA preferred” or “JNCIA required”. This tells you they are most likely using Cisco or Juniper technologies.

Common Tools
  1. WHOIS

  2. Google Cache

  3. TinEye Reverse Image Search

  4. Financial reports, e.g. EDGAR (Electronic Data Gathering, Analysis, and Retrieval System); specifically the 10-K annual report

  5. Google Searching (sometimes referred to as Google Dorking), Shodan, Censys