This was an excellent read. Reconnaissance is the first step in the MITRE ATT&CK chain. It helps attackers find vulnerabilities on internal systems. Many times this is done by analyzing public-facing web servers. There is a myriad of information to be gained from web servers. These systems will show services and banners and the exact software versions that are being run on the server. The article referenced many tools to accomplish this. Some of these I have heard of and used in the past, such as Shodan, and others I had not heard of, such as Recon-ng.
Shodan is very useful as it will scan an IP and tell you what ports are open and, many times, what services are running on the website, such as Apache, IIS, Nginx, etc. You need the IP address of the site you want to scan. Generally you can just plug a website URL into a DNS lookup tool and get the IP that way, then plug it into Shodan. Recon-ng, according to the article, is a command-line tool that is included in Kali. It is a Python script that works like Metasploit and queries Google and Shodan for information on a given site's services and open ports. The article goes on to mention that once you have determined that a particular service is running, such as Apache 2.4.4, http://www.cvedetails.com will allow you to research any known vulnerabilities against that service.
Questions for the class:
While Nmap and OpenVAS are standard programs for port scanning and basic enumeration, why are open-source reconnaissance tools like Shodan and Google searches a better starting point in terms of stealth?
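The workflow described in the post above (DNS lookup, Shodan host record, service version, CVE lookup) as a small Python script. This is an added example written for this page, not code from the article or from either commenter. It runs offline on a constructed Shodan-style host record; the live path at the bottom (which needs the `shodan` package and an API key) only contacts the DNS resolver and api.shodan.io, never the target web server, which is the stealth point the question raises. The Shodan field names (`ports`, `data[].port/transport/product/version/data`), the cvedetails version-search URL form, the sample banners, and the helper names (`parse_server_header`, `services_from_shodan_host`, `recon_report`) are all my assumptions and should be checked against the real API and site before relying on them.

```python
"""Passive web-server recon helper (added example; not from the article or the
posters). Offline by default on a constructed Shodan-style host record.
Assumed: Shodan host JSON field names, cvedetails version-search URL form."""
import re
import socket
from urllib.parse import urlencode

# Typical Server header values: "Apache/2.4.4 (Unix)", "nginx", "Microsoft-IIS/10.0".
# The version group is optional because hardened servers often hide it.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>\d+(?:\.\d+)*))?")


def resolve(hostname):
    """DNS lookup step: hostname -> sorted IPv4 addresses (queries DNS, not the target web server)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def parse_server_header(raw_banner):
    """Extract (product, version) from the Server: line of a captured HTTP banner.
    version is None when the header carries no version; returns None when there is
    no Server: header at all (e.g. an SSH banner)."""
    for line in raw_banner.splitlines():
        if line.lower().startswith("server:"):
            m = BANNER_RE.match(line.split(":", 1)[1].strip())
            return (m.group("product"), m.group("version")) if m else None
    return None


def services_from_shodan_host(host):
    """Shodan host record -> list of (port, transport, product, version).
    Uses Shodan's own product/version fields when present (assumed field names),
    otherwise falls back to parsing the raw banner text in data[].data."""
    found = []
    for svc in host.get("data", []):
        product, version = svc.get("product"), svc.get("version")
        if not version:
            parsed = parse_server_header(svc.get("data", ""))
            if parsed:
                product = product or parsed[0]
                version = parsed[1]
        found.append((svc.get("port"), svc.get("transport", "tcp"), product, version))
    return found


def cvedetails_url(product, version):
    """Build a cvedetails version-search link (assumed form of the site's search page)."""
    return "https://www.cvedetails.com/version-search.php?" + urlencode(
        {"vendor": "", "product": product, "version": version})


def recon_report(host):
    """Full passive chain: services -> versions -> CVE lookup links (None when no version is exposed)."""
    report = []
    for port, transport, product, version in services_from_shodan_host(host):
        report.append({
            "port": port, "transport": transport, "product": product, "version": version,
            "cve_lookup": cvedetails_url(product, version) if version else None,
        })
    return report


# Constructed sample in Shodan host-record shape (not a real scan result; 192.0.2.0/24 is documentation space).
SAMPLE_HOST = {
    "ip_str": "192.0.2.10",
    "ports": [22, 80, 443],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "7.4",
         "data": "SSH-2.0-OpenSSH_7.4\r\n"},
        {"port": 80, "transport": "tcp",
         "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.4 (Unix)\r\nContent-Type: text/html\r\n\r\n"},
        {"port": 443, "transport": "tcp",
         "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},  # version deliberately hidden
    ],
}

if __name__ == "__main__":
    import json
    import os
    import sys
    host = SAMPLE_HOST
    if len(sys.argv) > 1 and os.environ.get("SHODAN_API_KEY"):
        import shodan  # pip install shodan; live path, only talks to DNS and api.shodan.io
        host = shodan.Shodan(os.environ["SHODAN_API_KEY"]).host(resolve(sys.argv[1])[0])
    print(json.dumps(recon_report(host), indent=2))
```

Run it with no arguments to see the report for the constructed record; with a hostname argument and `SHODAN_API_KEY` set it resolves the name and pulls the real host record instead. Note the port 443 entry: when the banner hides the version there is nothing to feed into the CVE search, which is exactly why `ServerTokens Prod` style hardening matters on the defending side.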
Mei X Wang says
Hi Anthony, I would assume open-source reconnaissance tools are better starting points because of their wide scope. They can span the whole web, and open-source tools in general can be continuously improved by/for third parties as well because of their larger target audience. Shodan and Google also have capabilities for more specific searches, which would help the user narrow down what they're looking for while also using a wider range of resources.