WEBVTT

00:01.090 --> 00:04.120
Basic principles of reconnaissance.

00:13.780 --> 00:19.780
Reconnaissance, or recon, is the first step of the kill chain when conducting a penetration test or an

00:19.780 --> 00:21.610
attack against a data target.

00:21.640 --> 00:26.350
It is conducted before the actual test or attack on a target network.

00:26.380 --> 00:32.320
The findings will give us an idea of where additional reconnaissance may be required or the vulnerabilities

00:32.320 --> 00:35.770
that can be capitalized upon during the exploitation phase.

00:35.800 --> 00:42.790
Reconnaissance activities are segmented on a gradient of interactivity with a target network or device,

00:42.790 --> 00:49.750
so passive reconnaissance does not involve any malicious direct interaction with the target network.

00:49.750 --> 00:55.110
So the attacker's source IP address and activities are not logged.

00:55.120 --> 01:00.280
For example, a Google search for the target's email addresses will not leave a trail that the target

01:00.280 --> 01:01.030
can detect.

01:01.030 --> 01:06.670
So it's difficult, if not impossible, for the target to differentiate the passive reconnaissance from

01:06.670 --> 01:09.040
normal business activities.

01:09.040 --> 01:14.560
So passive reconnaissance is divided into two categories: direct or indirect.

01:14.560 --> 01:21.640
So direct passive reconnaissance involves the normal interactions that occur when an attacker expectedly

01:21.640 --> 01:22.990
interacts with the target.

01:22.990 --> 01:31.390
So, for example, an attacker will look on the corporate website with various pages and download documents

01:31.390 --> 01:32.680
for further study.

01:32.680 --> 01:40.210
So these interactions are expected user activities and are rarely detected as a prelude to an attack

01:40.210 --> 01:41.410
on the target.

01:41.890 --> 01:50.040
In indirect passive reconnaissance, there will be absolutely no interaction with the target organization.

01:50.050 --> 01:55.690
In contrast, active reconnaissance involves direct queries or other interactions.

01:55.690 --> 02:02.440
For example, port scanning of the target network can trigger system alarms or allow the target to

02:02.440 --> 02:05.590
capture the attacker's IP address and activities.

02:05.590 --> 02:13.030
So this information could be used to identify and arrest an attacker or used during legal proceedings.

02:13.030 --> 02:22.360
So therefore, passive reconnaissance carries a lot less risk, but its active counterpart has its limitations.

02:22.360 --> 02:29.440
Penetration testers or attackers generally follow a process of structured information gathering, moving

02:29.440 --> 02:30.520
from a broad scope.

02:30.520 --> 02:37.780
So for example, the business and or regulatory environments to something much more specific like user

02:37.780 --> 02:39.130
account data.

02:39.130 --> 02:46.300
So to be effective, testers should know exactly what they are looking for and how the data will be

02:46.300 --> 02:48.490
used before collection starts.

02:48.490 --> 02:54.790
So using passive reconnaissance and limiting the amount of data collected minimises the risk of being

02:54.790 --> 02:56.830
detected by the target.
