The Importance of Recon

Numb Shiva
3 min read, Jun 9, 2020


When beginning any security assessment, whether it is a penetration test, a bug bounty or a red team engagement, it is vitally important to perform as much recon as time allows. Thorough recon ensures you discover the potential points of weakness that can be exploited to complete your objective.

One of the key abilities in compromising a target is having enough information to find one of these weak points. For example, a small Internet footprint may mean that you need to phish users. By enumerating staff, DNS records and the technology stack, you can craft a phish that targets the right people, exploits the right business process(es) and withstands scrutiny long enough for you to get onto the internal network and work towards your final objective(s).

Recon activities performed at the start of the engagement (or sometimes prior) should include the following:
1. Full DNS Enumeration:
- Name servers
- MX records
- CNAMES
- Subdomains
- Any reverse IP results if provided with an IP range
2. Locating Staff Members and their roles
- Provide information on reliably targeting phishing emails with regard to staff intra-relationships and trusted business processes
- Create a list of user accounts for password spraying
3. Email Addresses
- Identify email addresses for targeted phishing, as well as password spraying

As part of this enumeration there are a few tools or websites that I normally utilise for acquiring this information.

DNS:
1. amass (used in passive mode)
https://github.com/OWASP/Amass
2. dnsrecon
https://github.com/darkoperator/dnsrecon
3. sublist3r
https://github.com/aboul3la/Sublist3r

Emails:
1. hunter.io
https://hunter.io/
2. Target organisation website(s), theHarvester, leaked databases/passwords

Staff:
1. LinkedIn — gathercontacts
https://github.com/clr2of8/GatherContacts

All-in-One:
1. theHarvester
https://github.com/laramies/theHarvester

Not listed are sites such as crt.sh, censys.io or dnsdumpster.com, as they tend either not to add much additional value or to be queried already by the tools listed above. I also haven’t listed fierce.pl, which is essentially a DNS brute-force tool that I may occasionally use when the others aren’t returning many results, or when I simply have an IP range that I can’t get reverse lookups for. It’s also a really good idea to write the results of all the above tooling to local files, so you can come back to them later.

There are more tools than the ones listed above, and I encourage you to have a play and work out which ones you are most comfortable using. Of course, you can also write your own custom tooling specific to your work flow.

Let me also give a couple of examples where full enumeration can come in handy in breaching the perimeter.

  1. Subdomain Phishing
    The target organisation has a subdomain in their DNS records for a service on AWS, however enumeration reveals that the host no longer exists. You determine you are able to register the subdomain in AWS, and this now becomes a trusted platform for phishing users at the target organisation (sub.target.xyz will be trusted, as it appears to be part of the target’s domain, despite you having registered the subdomain yourself, aka subdomain takeover).
  2. Business Process Phishing
    The target organisation has a minimal Internet footprint — mostly just a website detailing services provided as well as a VPN portal. Through website enumeration, you identify a posting regarding a job opening within the company, as well as some staff emails to send CVs to. This now allows you to create a targeted phishing email exploiting a trusted business process, as CV emails will be expected by these users.
  3. Business Process Web Application
    Full enumeration of the target IP range reveals a web application hosted on a subdomain that allows staff to upload files for sharing with other staff members internally. You are able to find default credentials on the web that work, and once logged in find the ability to essentially upload a reverse shell from an external website that gives you access to the host on the DMZ/internal network.
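The subdomain phishing example above is the attacker's view of a dangling DNS record. The same DNS enumeration, run by the organisation against its own zone, is how the exposure gets found and closed before anyone else finds it. The following script is an added example, not part of the original post or any of the tools it lists: it parses a simple zone export (constructed sample records under the reserved `.test` and `.invalid` names) and flags every CNAME whose target neither exists in the zone nor resolves. The `offline_lookup` function and its `KNOWN_HOSTS` table are a stand-in for a real resolver so the script runs without network access; in practice you would swap in a function that performs live DNS queries.

```python
"""Audit a DNS zone export for dangling CNAME records.

Added example (not from the original post). A CNAME that points at a host
that no longer resolves is a subdomain-takeover exposure: the record should
be removed or re-pointed, and the result written to a local file so the
finding can be tracked over time.
"""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, value)

# Constructed zone export in the shape "name TYPE value" (assumed format).
ZONE_EXPORT = """\
; constructed sample zone, not real infrastructure
www.example.test.        A      192.0.2.10
mail.example.test.       MX     10 mx1.example.test.
legacy.example.test.     CNAME  old-app.elasticbeanstalk.invalid.
docs.example.test.       CNAME  docs-host.example.test.
docs-host.example.test.  A      192.0.2.20
shop.example.test.       CNAME  shop-frontend.cloudprovider.invalid.
"""

# Constructed resolver answers standing in for live DNS. In a real audit,
# replace offline_lookup with a function that queries DNS (e.g. dnspython).
KNOWN_HOSTS: Dict[str, str] = {
    "www.example.test": "192.0.2.10",
    "docs-host.example.test": "192.0.2.20",
    "shop-frontend.cloudprovider.invalid": "198.51.100.7",
}


def offline_lookup(name: str) -> Optional[str]:
    """Return an address for `name`, or None if it does not resolve."""
    return KNOWN_HOSTS.get(name)


def parse_zone(text: str) -> List[Record]:
    """Parse "name TYPE value" lines; blank lines and ';' comments are skipped.

    Names are lower-cased and the trailing dot removed so comparisons are
    consistent whether or not the export used fully-qualified names.
    """
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        name, rtype, value = fields[0], fields[1].upper(), fields[-1]
        records.append((name.rstrip(".").lower(), rtype, value.rstrip(".").lower()))
    return records


def find_dangling_cnames(
    records: List[Record], lookup: Callable[[str], Optional[str]]
) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for CNAMEs whose target does not resolve.

    A target is considered live if the zone itself carries an A/AAAA record
    for it, or if the supplied resolver returns an address for it.
    """
    in_zone_addresses = {name for name, rtype, _ in records if rtype in ("A", "AAAA")}
    dangling: List[Tuple[str, str]] = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        if target in in_zone_addresses:
            continue
        if lookup(target) is None:
            dangling.append((owner, target))
    return dangling


def report_lines(dangling: List[Tuple[str, str]]) -> List[str]:
    """Format findings as plain lines suitable for writing to a local file."""
    if not dangling:
        return ["no dangling CNAMEs found"]
    return [f"DANGLING {owner} -> {target}" for owner, target in dangling]


if __name__ == "__main__":
    findings = find_dangling_cnames(parse_zone(ZONE_EXPORT), offline_lookup)
    for line in report_lines(findings):
        print(line)
```

Run on the constructed zone, the only finding is `legacy.example.test`, whose CNAME points at a provider hostname that no longer answers; `docs.example.test` is fine because its target has an A record in the same zone. The same check, pointed at a real resolver, is worth running on a schedule, because records decommissioned on the provider side are exactly the ones nobody remembers to delete from DNS.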

While the above examples are somewhat broad, they do highlight how detailed recon is key to breaching a target organisation’s perimeter.
