What is reconnaissance?
The term reconnaissance comes from its military use to describe an information-gathering mission.
The purpose is simply to obtain information, rather than to actively exploit the target. However, reconnaissance is often a preliminary step towards an active attempt to exploit the target system.
Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems, and can avoid detection.
In active reconnaissance, in contrast, the attacker engages with the target system, typically conducting a port scan to find any open ports.
Both active and passive reconnaissance are also used for ethical hacking, in which white hat hackers use attack methods to determine system vulnerabilities so that problems can be taken care of before the system falls prey to a real attack.
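As an added example that is not part of the original article, the following Python script shows the defender's side of the distinction drawn above: the port scan that characterises active reconnaissance leaves a footprint, whereas passive collection does not. It parses constructed firewall-style log lines (the format, addresses and thresholds are assumptions) and flags any source that touches many distinct ports on one host inside a short time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log lines (not from any real system): one source
# probes ten ports on a host in a few seconds, another makes ordinary requests.
SAMPLE_LOG = """\
2024-01-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 DPT=22 SYN
2024-01-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 DPT=23 SYN
2024-01-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 DPT=25 SYN
2024-01-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 DPT=80 SYN
2024-01-01T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 DPT=110 SYN
2024-01-01T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 DPT=143 SYN
2024-01-01T10:00:04 SRC=203.0.113.5 DST=192.0.2.10 DPT=443 SYN
2024-01-01T10:00:04 SRC=203.0.113.5 DST=192.0.2.10 DPT=445 SYN
2024-01-01T10:00:05 SRC=203.0.113.5 DST=192.0.2.10 DPT=3306 SYN
2024-01-01T10:00:05 SRC=203.0.113.5 DST=192.0.2.10 DPT=3389 SYN
2024-01-01T10:00:07 SRC=198.51.100.7 DST=192.0.2.10 DPT=443 SYN
2024-01-01T10:00:09 SRC=198.51.100.7 DST=192.0.2.10 DPT=443 SYN
2024-01-01T10:05:00 SRC=198.51.100.7 DST=192.0.2.10 DPT=80 SYN
garbage line that must be skipped
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) SYN$")

def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_port_scans(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): sorted ports} for sources that touch at least
    min_ports distinct ports on one host within any window-long span."""
    by_pair = defaultdict(list)           # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port in sorted(parse(log_text)):
        by_pair[(src, dst)].append((ts, port))
    scans = {}
    for pair, events in by_pair.items():
        start = 0                         # left edge of the sliding time window
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                scans[pair] = sorted(set(scans.get(pair, [])) | ports)
    return scans
```

Calling `find_port_scans(SAMPLE_LOG)` reports only 203.0.113.5, while the source making a handful of normal requests to 443 and 80 is left alone; in production the window and port threshold are tuned to the network's own baseline.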
Passive reconnaissance tools:
1. Netcraft.com
Netcraft is a UK company that tracks virtually every website on the planet. From this data, they are able to calculate market share for web servers, uptime, etc., becoming one of the leading authorities for this type of information. They also offer some security services, such as an anti-phishing extension and phishing alerts.
Another service that Netcraft offers is data about nearly every website. This data can be extremely valuable to the hacker (ethical and malicious).
2. HTTrack.com
It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure.
You can then study the site for vulnerabilities and back-doors offline, without being detected.
Active reconnaissance tools:
1. sqlmap
sqlmap is an open source active reconnaissance penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
2. Nessus
Nessus used to be free and open-source (nessus.org), but it is now a commercial product under Tenable Network Security.
Nessus discovers all assets on your network, including hard-to-find assets such as containers, VMs, mobile and guest devices, informs you clearly and accurately about their vulnerabilities, and prioritizes what you need to fix first. It is available as both a cloud and an on-premises vulnerability scanning and management solution.
This active reconnaissance tool is pitched as a "vulnerability scanner".