Reconnaissance Phase

DOI: 10.4018/978-1-5225-7628-0.ch005
Abstract

In warfare, “reconnaissance” is the process of collecting information about enemy forces using different detection methods. In ethical hacking, reconnaissance is the first phase, aimed at gathering and learning as much information as is available about the target using sources and techniques such as internet sources, social engineering, dumpster diving, email harvesting, and the Whois database. This chapter introduces in detail the different tools and techniques used during the active and passive reconnaissance phases. Reconnaissance consists of footprinting, scanning, and enumeration techniques used to covertly discover and collect information about a target system. During reconnaissance, an ethical hacker attempts to gather as much information about a target system as possible. The hacker can use active methods (directly interacting with the target, as in social engineering, which carries a risk of getting caught) or passive methods (such as visiting the target website) to identify the target and discover its IP address range, network, domain name, mail server, DNS records, employee names, organization charts, and company details. The chapter also details possible countermeasures to implement on a website to avoid revealing more information to attackers.

Passive Information Gathering (Treurniet, 2004)

Footprinting, or information gathering, involves collecting as much information as possible about the target. Passive information gathering, or passive footprinting, does not involve direct interaction with the target system or network. It does not send any packets to the service, so it creates less noise and remains stealthier. It relies on publicly available sensitive information about the network, the systems, and the organization. It tries to collect IP addresses, domain names, server names, software/OS versions, DB schema details, running TCP/UDP services, protocols, passwords, SNMP information, system banners, employee details, locations, phone numbers, comments in HTML sources, security policies, etc. It also reveals the security posture of the target or its network infrastructure and helps identify system vulnerabilities. Even if the information is extracted from a publicly accessible site, it is the duty of any ethical hacker to handle this information as if it were labeled as restricted. The following tools are used in this phase.

Visiting Target Website

Visit the target website using an internet browser and read about the target: find out what the organization does, its hosting company, any contact details, important services, the employee structure, and success stories, and examine the personal websites of employees. Once you have the address or IP address of a website, you can get further details from the ip2location.com website (IP2LOCATION, 2018), as shown in Figure 1. Website traffic can be monitored using web-stat, alexa, monitis, and online reputation tracking tools, which provide valuable information such as total visitors, page views, bounce rate, geographical location of the users visiting the site, and site ranking.

Figure 1. ip2location Website

As shown in Figure 1, you can get ISP/hosting company details, location details, domain name etc. Small organizations may have a single IP address associated with them, but larger organizations usually have multiple IP addresses serving different domains and sub-domains.

Website History (ARCHIVE, 2018)

It is very easy to get a complete history of any website using www.archive.org, as shown in Figure 2. You can enter a domain name in the search box to find out how the website looked at a given point in time and which pages were available on it on different dates. In this example you can see the website archive from the year 2007 onwards.

Figure 2. archive.org Website

Although the site is useful for retrieving previous snapshots of your own website, it also poses the risk of giving attackers information about website updates, correlated events, and the site's progress over time. If you do not want anyone to see how your website progressed through its different stages, you can request archive.org to delete the history of your website.
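
A site owner can check their own pages for some of the details that the passive information gathering section lists (comments in HTML sources, software versions, employee email addresses) before those pages are published and captured in an archive. The script below is an added example, not code from the chapter; the names `LeakAuditor` and `audit_html` and the sample page are constructed for illustration.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# RFC 1918 private address ranges: 10/8, 172.16/12, 192.168/16
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b")

class LeakAuditor(HTMLParser):
    """Collects details a public page discloses to anyone who views its source."""
    def __init__(self):
        super().__init__()
        self.findings = defaultdict(set)

    def _scan_text(self, text):
        self.findings["email"].update(EMAIL_RE.findall(text))
        self.findings["internal_ip"].update(PRIVATE_IP_RE.findall(text))

    def handle_comment(self, data):
        text = data.strip()
        if not text or text.startswith("[if "):  # skip IE conditional comments
            return
        self.findings["comment"].add(text)
        self._scan_text(text)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # <meta name="generator"> usually names the CMS and its version
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings["generator"].add(a.get("content", ""))
        if tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self.findings["email"].add(a["href"][7:].split("?")[0])

    def handle_data(self, data):
        self._scan_text(data)

def audit_html(html):
    """Return {category: sorted values} for one HTML document."""
    auditor = LeakAuditor()
    auditor.feed(html)
    auditor.close()
    return {k: sorted(v) for k, v in auditor.findings.items() if v}

# Constructed sample page (not taken from any real site)
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="WordPress 4.9.8">
<!-- TODO: remove staging DB host 10.20.30.40 before launch -->
</head><body>
<!--[if lt IE 9]><script src="shim.js"></script><![endif]-->
<p>Contact <a href="mailto:j.doe@example.com?subject=Hi">J. Doe</a> or it-admin@example.com</p>
</body></html>"""
```

Calling `audit_html` on each rendered page in a build or review step gives a per-category list to clean up before release.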