Basic principles of reconnaissance.

Reconnaissance, or recon, is the first step of the kill chain when conducting a penetration test or an attack against a data target. It is conducted before the actual test or attack on a target network. The findings will give us an idea of where additional reconnaissance may be required or the vulnerabilities that can be capitalized upon during the exploitation phase.

Reconnaissance activities are segmented on a gradient of interactivity with a target network or device, so passive reconnaissance does not involve any malicious direct interaction with the target network. So the attacker's source IP address and activities are not logged. For example, a Google search for the target's email addresses will not leave a trail that the target can detect. So it's difficult, if not impossible, for the target to differentiate the passive reconnaissance from normal business activities.

So passive reconnaissance is divided into two categories: direct or indirect. So direct passive reconnaissance involves the normal interactions that occur when an attacker expectedly interacts with the target. So, for example, an attacker will look on the corporate website with various pages and download documents for further study. So these interactions are expected user activities and are rarely detected as a prelude to an attack on the target. In indirect passive reconnaissance, there will be absolutely no interaction with the target organization.

In contrast, active reconnaissance involves direct queries or other interactions. For example, port scanning of the target network can trigger system alarms or allow the target to capture the attacker's IP address and activities. So this information could be used to identify and arrest an attacker or used during legal proceedings. So therefore, passive reconnaissance carries a lot less risk, but its active counterpart has its limitations.

Penetration testers or attackers generally follow a process of structured information gathering, moving from a broad scope, so for example the business and/or regulatory environments, to something much more specific like user account data. So to be effective, testers should know exactly what they are looking for and how the data will be used before collection starts. So using passive reconnaissance and limiting the amount of data collected minimises the risk of being detected by the target.