Active Recon


**Active** information gathering can be expected to be detected by our target. Here we send the target different types of probes. These probes can be network scans that identify open ports and running services, or probes that identify defensive technologies. The point here is that we are not concerned with being stealthy or unobtrusive, although nobody wants to be the person who brings down a critical network component because they were doing a network scan! This type of searching most accurately mimics the techniques real attackers use to gather their information (sharpen their axe) before moving on to the next stages of an attack or pen test.

Activities include: enumerating IP ranges and subdomains, DNS forward/reverse lookups and zone transfers, nameservers, banners, network device types, downloading the site for offline viewing/parsing, actively searching for unpublished directories, and finding legacy systems that may have been forgotten about. There exist tools (that we will cover) that help identify public-facing defensive technologies such as web application firewalls (WAFs), IDS/IPS solutions, etc. Most of this activity falls in the typical reconnaissance phase of a penetration test, so as to best simulate a real-world attacker gathering as much actionable information, or intelligence, about an organization as possible.
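Since active recon is meant to be noticeable, the defender's side of it is worth seeing too. The following is an added example, not part of the original notes: a small Python detector that flags a source sweeping many destination ports in a short window (from constructed netfilter-style firewall log lines) and any zone-transfer (AXFR/IXFR) request in constructed lines approximating the BIND 9 query-log format. The log formats, addresses and thresholds are assumptions; adjust the regexes to your own devices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (assumed iptables/netfilter-like layout, not from a real device).
# 203.0.113.7 touches 10 ports in 18 seconds; 198.51.100.4 makes two ordinary HTTPS connections.
FW_LINES = [
    f"2024-05-01T10:00:{s:02d} fw DROP SRC=203.0.113.7 DST=192.0.2.10 DPT={p}"
    for s, p in zip(range(0, 20, 2), (21, 22, 23, 25, 53, 80, 110, 143, 443, 445))
] + [
    "2024-05-01T10:00:05 fw ACCEPT SRC=198.51.100.4 DST=192.0.2.10 DPT=443",
    "2024-05-01T10:00:40 fw ACCEPT SRC=198.51.100.4 DST=192.0.2.10 DPT=443",
]
FW_RE = re.compile(r"^(\S+) \S+ \S+ SRC=(\S+) DST=\S+ DPT=(\d+)")

def find_port_sweeps(lines, min_ports=8, window=timedelta(seconds=60)):
    """Return {src: sorted ports} for every source that hits at least min_ports
    distinct destination ports inside some window-length interval."""
    events = defaultdict(list)  # src -> [(timestamp, port)]
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window start over each event
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

# Constructed lines approximating BIND 9's query log (assumption: real format may differ).
DNS_LINES = [
    "01-May-2024 10:05:12.123 client @0x7f1 198.51.100.4#40321 (www.example.com): "
    "query: www.example.com IN A -E(0)K (192.0.2.53)",
    "01-May-2024 10:05:13.456 client @0x7f2 203.0.113.7#53211 (example.com): "
    "query: example.com IN AXFR -E(0)K (192.0.2.53)",
]
DNS_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\S+)#\d+ \(\S+\): query: (\S+) IN (\S+)")

def find_zone_transfer_requests(lines):
    """Return [(client, zone)] for AXFR/IXFR queries. Transfers should only come from
    your known secondary nameservers, so any other client is worth an alert."""
    return [(m.group(1), m.group(2)) for m in map(DNS_RE.search, lines)
            if m and m.group(3) in ("AXFR", "IXFR")]
```

In practice the zone-transfer list would be compared against an allowlist of secondary nameservers, and the port-sweep threshold tuned to the normal traffic of the host being watched.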

Common Tools


  1. Nmap

  2. SMTP Bouncing

  3. DNSENUM

  4. The Harvester

  5. Metagoofil

  6. Fierce