Semi-passive Recon
Semi-passive: The goal of this phase of intelligence gathering is to obtain information through behavior that looks like ordinary visitor activity to the target. This means we are NOT probing or interrogating client-owned assets to get our information, e.g. port scanning their network, brute-forcing subdomains, sending crafted payloads to test input validation, or otherwise actively engaging the target to pull information out of it. The key is to not draw attention to ourselves: we browse the site as a normal visitor would, click on visible links, access public locations, and download reference sheets and even product whitepapers. We do not want to stick out. Note that these requests still reach the target's web servers and land in their logs; "semi-passive" means they are indistinguishable from normal traffic, not that they leave no trace.
Activities include: identifying IP ranges, email addresses, phone numbers, or other personal information; extracting metadata from downloaded content; and examining the headers of replies and bounces to email sent to the target to identify protection mechanisms such as a gateway AV scanner or anti-phishing filtering. We can also check for the presence of a company-wide incident response team, look at job postings for the technologies currently in use, outsourcing agreements, and professional licenses, and note how often security-related positions are posted to get a sense of turnover rate and the stability of the security function.
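The email-header part of this, as an added example (not code from the original page): mail a non-existent mailbox at the target, then read the non-delivery report that comes back. The NDR's Received chain shows the target's inbound path (often including internal hostnames and private IPs), Authentication-Results shows whether SPF/DKIM/DMARC are evaluated, and vendor-specific X- headers reveal the gateway product. SAMPLE_NDR below is constructed for the example; the hostnames, addresses and header values are illustrative, and the GATEWAY_PREFIXES table is this example's own starting point, to be extended with what you observe.

```python
"""Fingerprint a target's inbound mail protections from a bounce (NDR).

Added example, not code from the original page. SAMPLE_NDR is CONSTRUCTED:
the hostnames, addresses and header values are illustrative, not a capture
from a real organization.
"""
import email
import ipaddress
import re
from email import policy

# Constructed non-delivery report, as the target's MX would return it to the
# sender after a probe to a mailbox that does not exist.
SAMPLE_NDR = b"""\
Return-Path: <>
Received: from mx-in-2.example-corp.com (mx-in-2.example-corp.com [203.0.113.25])
\tby mail.attacker-test.example (Postfix) with ESMTPS id 4B1C2D3
\tfor <recon@attacker-test.example>; Mon, 04 Mar 2024 10:15:01 +0000
Received: from edge-gw-01.example-corp.com (10.20.30.5)
\tby mx-in-2.example-corp.com with ESMTP; Mon, 04 Mar 2024 10:15:00 +0000
Authentication-Results: mx-in-2.example-corp.com;
\tspf=pass smtp.mailfrom=attacker-test.example;
\tdkim=none; dmarc=none header.from=attacker-test.example
X-IronPort-AV: E=Sophos;i="6.07,211,1708387200"
X-IronPort-Anti-Spam-Filtered: true
X-Microsoft-Antispam: BCL:0;
From: postmaster@example-corp.com
To: recon@attacker-test.example
Subject: Undeliverable: Q1 invoice
Content-Type: text/plain

Delivery has failed to these recipients: nosuchuser@example-corp.com
"""

# Header-name prefixes stamped by common mail-security products. This table is
# an assumption of the example (a starting point, not an exhaustive list).
GATEWAY_PREFIXES = {
    "X-IronPort-": "Cisco IronPort / Secure Email Gateway",
    "X-Proofpoint-": "Proofpoint",
    "X-Mimecast-": "Mimecast",
    "X-Barracuda-": "Barracuda",
    "X-Microsoft-Antispam": "Microsoft Exchange Online Protection",
    "X-MS-Exchange-": "Microsoft Exchange",
}

# RFC 1918 ranges only; ipaddress.is_private would also flag documentation
# ranges such as 203.0.113.0/24, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=(\w+)")


def parse_ndr(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def relay_path(msg):
    """(from, by) host pairs in delivery order. Each hop prepends its own
    Received header, so the last header in the message is the first hop."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))


def internal_addresses(msg):
    """RFC 1918 addresses leaked in Received headers (internal relays)."""
    found = []
    for value in msg.get_all("Received", []):
        for ip_str in IPV4_RE.findall(str(value)):
            ip = ipaddress.ip_address(ip_str)
            if any(ip in net for net in RFC1918):
                found.append(ip_str)
    return found


def auth_results(msg):
    """{method: result} from Authentication-Results, e.g. {'spf': 'pass'}."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(value)):
            out[method] = result
    return out


def gateway_products(msg):
    """Map detected security products to the header names that gave them away."""
    hits = {}
    for name in msg.keys():
        for prefix, product in GATEWAY_PREFIXES.items():
            if name.lower().startswith(prefix.lower()):
                hits.setdefault(product, []).append(name)
    return hits


def report(raw: bytes) -> dict:
    msg = parse_ndr(raw)
    return {
        "relay_path": relay_path(msg),
        "internal_addresses": internal_addresses(msg),
        "auth": auth_results(msg),
        "gateways": gateway_products(msg),
    }


if __name__ == "__main__":
    for key, val in report(SAMPLE_NDR).items():
        print(f"{key}: {val}")
```

On the constructed sample the relay path shows the NDR originating on edge-gw-01 (10.20.30.5) and leaving through mx-in-2, the MX evaluates SPF but sees no DKIM or DMARC on our probe, and the X-IronPort and X-Microsoft-Antispam headers point at the filtering stack. One probe to a bad address is normal behavior; a burst of them is not, so keep it to one or two.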
What is metadata? Think of it as data about data: information about a document or file rather than its visible content. It usually comes in the form of the author/creator name, the software (and version) used to produce the file, creation and modification timestamps, and sometimes locations within the organization's network such as file-server paths or template locations. It is important because it reveals information the author never meant to publish: internal network infrastructure, usernames and naming conventions, email addresses, printer locations, etc.
Why should we identify professional licenses? This information may offer a glimpse into how the organization operates and which guidelines it is bound by. An example would be a company’s ISO standards certifications. Usually, these are listed on their site as a badge of honor, but they also reveal the underlying processes and controls the company must follow (audit cycles, documented incident handling, change control). All of this information could affect how a tester crafts the engagement.
Common Tools
- Wappalyzer (web technology fingerprinting from pages you are already browsing)
- Shodan/Censys/ZoomEye (search engines over internet-wide scan data; they did the scanning, not you)
- Maltego (OSINT link analysis and graphing)
- FOCA (metadata extraction from downloaded documents)
- dig (ordinary DNS lookups only; no zone transfers or subdomain brute-forcing)
- SMTP bouncing (mail a non-existent mailbox and read the returned NDR's headers)
- Exploit-DB/GHDB (Google Hacking Database search queries)