CompTIA PenTest+
5.1 Passive Reconnaissance Explained

Key Concepts

1. Passive Reconnaissance

Passive Reconnaissance involves gathering information about a target without direct interaction. This method is non-intrusive and typically uses publicly available data sources such as search engines, social media, and public records.

Example: A penetration tester might use Google to search for publicly available documents, such as PDFs or spreadsheets, that contain sensitive information about the target organization.

2. Publicly Available Information (PAI)

Publicly Available Information (PAI) refers to data that is accessible to the public through various sources. This can include company websites, social media profiles, news articles, and government records.

Example: A penetration tester might gather information about a company's organizational structure, key personnel, and recent projects by analyzing their LinkedIn profiles and company press releases.

3. Search Engines

Search engines are powerful tools for passive reconnaissance. They can be used to find publicly available documents, websites, and other resources that provide valuable information about a target.

Example: A penetration tester might use Google Dorks to perform advanced searches, such as "site:targetdomain.com filetype:pdf" to find all PDF files hosted on the target's website.

4. Social Media Analysis

Social media platforms are rich sources of information about individuals and organizations. By analyzing social media profiles, penetration testers can gather insights into the target's activities, relationships, and potential vulnerabilities.

Example: A penetration tester might use tools like Maltego to map out the social network of a target organization, identifying key personnel and their connections.

5. WHOIS and DNS Queries

WHOIS and DNS queries are used to gather information about a target's domain name and IP addresses. WHOIS provides details such as the domain owner's contact information, while DNS queries can reveal the IP addresses associated with the domain.

Example: A penetration tester might use a WHOIS lookup tool to find the registration details of a target domain, such as the registrant's name and email address.
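
The DNS side of this section is easiest to understand on the wire. The following is an added example, written for this page and not part of the course material: it builds a DNS query message the way a resolver sends it, parses a response (including the name-compression pointers real servers use), and checks that a reply actually belongs to the outstanding query before its answers are trusted. The response bytes are constructed by hand for the reserved name example.com and the RFC 5737 documentation address 203.0.113.10, so nothing touches a live network, and only the Python standard library is used.

```python
"""Minimal DNS wire-format query builder and response parser (RFC 1035).
Added example; the sample message below is constructed, not captured."""
import secrets
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name, qtype="A", txid=None):
    """Build a recursive query: 12-byte header (RD=1, QDCOUNT=1) plus one question."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # unpredictable ID makes spoofed replies harder
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg, offset):
    """Decode a name at offset, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appeared at the original position)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 32:                        # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_dns_response(msg):
    """Parse the header, skip the echoed question, and decode each answer record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:                           # A: four octets
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):                    # NS / CNAME: a possibly compressed name
            value, _ = decode_name(msg, offset)
        elif rtype == 15:                        # MX: 16-bit preference + exchange name
            pref = struct.unpack("!H", rdata[:2])[0]
            value = "%d %s" % (pref, decode_name(msg, offset + 2)[0])
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "ttl": ttl, "value": value})
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, flags & 0xF), "answers": answers}


def response_matches_query(query, response):
    """Only accept a reply whose transaction ID and echoed question match what was sent."""
    return response[:2] == query[:2] and response[12:len(query)] == query[12:]


# Constructed sample: example.com answered with one A record and one MX record.
# 0xC00C is a pointer to offset 12, where "example.com" sits in the question section.
SAMPLE_QUERY = build_dns_query("example.com", "A", txid=0x1234)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR=1 RD=1 RA=1, two answers
    + SAMPLE_QUERY[12:]
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    + b"\xC0\x0C" + struct.pack("!HHIH", 15, 1, 3600, 9)
    + struct.pack("!H", 10) + b"\x04mail" + b"\xC0\x0C"    # "10 mail.example.com"
)

if __name__ == "__main__":
    assert response_matches_query(SAMPLE_QUERY, SAMPLE_RESPONSE)
    for rr in parse_dns_response(SAMPLE_RESPONSE)["answers"]:
        print("%-14s %-5s ttl=%-5d %s" % (rr["name"], rr["type"], rr["ttl"], rr["value"]))
```

The ID-and-question check in `response_matches_query` is the same rule a resolver applies to discard forged replies, and the hop limit in `decode_name` is what keeps a malformed message with a pointer loop from hanging the parser; both are worth keeping in any tool that reads DNS data from untrusted sources. The same bytes sent to a resolver over UDP port 53 would yield a real answer, but the point here is the format, and the parser is deliberately exercised only on the constructed message.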

Examples and Analogies

Consider a detective investigating a crime as an analogy for passive reconnaissance:

1. Passive Reconnaissance: The detective gathers information from public records, news articles, and social media to build a profile of the suspect without directly interacting with them.

2. Publicly Available Information (PAI): The detective uses court records, news reports, and social media posts to gather intelligence about the suspect's past activities and associates.

3. Search Engines: The detective uses a search engine to find articles, documents, and other resources that provide clues about the suspect's whereabouts and activities.

4. Social Media Analysis: The detective analyzes the suspect's social media profiles to gather insights into their daily routines, relationships, and potential vulnerabilities.

5. WHOIS and DNS Queries: The detective uses public records to find the suspect's contact information and associates, similar to how a WHOIS lookup provides domain registration details.

By understanding and utilizing these passive reconnaissance techniques, penetration testers can gather valuable intelligence, identify potential vulnerabilities, and enhance their reconnaissance efforts.