Open Source Intelligence and Passive Reconnaissance

Information gathering is the way to gather all the relevant information from publicly available sources, and is often referred as Open Source Intelligence (OSINT). Passive reconnaissance through OSINT occurs during the first step of the kill chain when conducting a penetration test or an attack against a network or server target. An attacker will typically dedicate up to 75% of the overall work effort for a penetration test to reconnaissance, as it is this phase that allows the target to be defined, mapped, and explored for the vulnerabilities that will eventually lead to exploitation.

There are two types of reconnaissance: passive reconnaissance (direct and indirect) and active reconnaissance.

Generally, passive reconnaissance is concerned with analyzing information that is openly available, usually from the target itself or public sources online. On accessing this information, the tester or attacker does not interact with the target in an unusual manner – requests and activities will not be logged, or will not be traced directly to the tester. Therefore, passive reconnaissance is conducted first to minimize the direct contact that may signal an impending attack or identify the attacker.

In this chapter, you will learn the principles and practices of passive reconnaissance, which include the following:

• Basic principles of reconnaissance
• OSINT
• Online resources
• Using scripts to automatically gather OSINT data
• Obtaining user information
• Profiling users for password lists
• Using social media to extract words

Active reconnaissance, which involves direct interaction with the target, will be covered in Chapter 3, Active Reconnaissance of External and Internal Networks.