CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this
material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
Tools and methods that are used
for Reconnaissance
Name:- Prajakta H Varpe
Agenda:-
• To gather as much information as possible about the target system in order to plan an effective attack strategy
• To identify vulnerabilities, gather data on network structure, and pinpoint weaknesses that can be exploited later
• To find weaknesses, vulnerabilities, holes, activity, and nodes that an attacker could use to go after an organization
Reconnaissance:-
is the preliminary phase of a cyber attack (and, equally, of an authorized penetration test). It is the systematic surveying or scanning of systems, networks, or web applications to gather information about potential vulnerabilities that can be exploited later.
1. Active Reconnaissance
Active reconnaissance involves direct interaction with the target: the attacker's own packets reach the target's systems. It includes methods like network scanning, port scanning, and vulnerability scanning. Because the traffic hits the target, it can be logged and detected.
2. Passive Reconnaissance
Passive reconnaissance collects information without directly interacting with the target system, relying instead on data that third parties already hold (WHOIS registrars, public DNS, search engines). Hackers using passive reconnaissance methods aim to remain undetected while gathering as much information as possible.
Tools
• Nmap
• Sublist3r
• theHarvester
• Nessus
• Maltego
• Whois
• Recon-ng
• Metasploit
• Wireshark
1. whois:-
queries the registry/registrar WHOIS database to provide information about domain ownership and registration: registrant (or privacy-proxy) contact, registrar, creation and expiry dates, and name servers. It is passive: the query goes to the registrar, never to the target.
2. nslookup:-
queries DNS to map domain names to IP addresses (and IP addresses back to names) and to display specific DNS record types such as A, AAAA, MX, NS and TXT.
3. sublist3r:-
collects subdomains of the domain being targeted. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask; those queries go to the search engines, so the target itself sees nothing.
4. theHarvester:-
quickly catalogs e-mail addresses, subdomains and hostnames that are directly related to the target, collected from public sources such as search engines.
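Sublist3r and theHarvester are ready-made tools; the following Python is an added example (not code from either project) showing the two techniques they combine: a passive source (hostnames seen in TLS certificates, parsed from a constructed response in the shape crt.sh returns for `?q=%.example.com&output=json`) and an active wordlist brute force against DNS. The active part checks for a wildcard record first, because without that check every guessed name "resolves" and the output is useless. The resolver is injected so the demo runs offline against a constructed fake zone; `system_resolver` is the drop-in for live use. All names and addresses (example.com, 203.0.113.x, 198.51.100.x) are assumptions.

```python
import json
import secrets
import socket
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Live resolver for real use (assumes network access); not used by the offline demo."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def subdomains_from_ct(ct_json: str, domain: str) -> Set[str]:
    """Passive source: hostnames that appeared in TLS certificates.

    ct_json is a constructed document in the shape crt.sh returns: a list of
    objects whose "name_value" holds newline-separated SANs. A wildcard SAN
    (*.dev.example.com) proves the base name exists, so the leading "*." is
    dropped rather than treated as a host.
    """
    found: Set[str] = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name.endswith("." + domain):
                found.add(name)
    return found


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label that cannot legitimately exist.

    An answer means the zone has a wildcard record; without this check every
    brute-forced candidate would appear to resolve.
    """
    probe = f"{secrets.token_hex(8)}.{domain}"
    return resolve(probe)


def brute_force(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, str]:
    """Active source: try each wordlist label and keep names that resolve.

    Hits whose answer equals the wildcard answer are discarded. That also drops
    a real host that happens to share the wildcard IP, which is why the passive
    CT source is merged in afterwards instead of relying on brute force alone.
    """
    wildcard_ip = detect_wildcard(domain, resolve)
    hits: Dict[str, str] = {}
    for label in wordlist:
        name = f"{label}.{domain}"
        ip = resolve(name)
        if ip is None or ip == wildcard_ip:
            continue
        hits[name] = ip
    return hits


def enumerate_subdomains(domain: str, ct_json: str, wordlist: List[str],
                         resolve: Resolver) -> List[str]:
    """Union of passive and active findings, sorted for stable reporting."""
    names = subdomains_from_ct(ct_json, domain) | set(brute_force(domain, wordlist, resolve))
    return sorted(names)


# --- Constructed offline data (not real crt.sh output, not a real zone) ---
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\ndev.example.com"},
    {"common_name": "legacy-portal.example.com", "name_value": "legacy-portal.example.com"},
    {"common_name": "www.example.org", "name_value": "www.example.org"},  # other domain, ignored
])

WILDCARD_IP = "203.0.113.9"
FAKE_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "vpn.example.com": "198.51.100.7",
    "dev.example.com": "203.0.113.9",   # same IP as the wildcard: invisible to brute force
}


def fake_resolver(name: str) -> Optional[str]:
    """Simulates a zone with explicit records plus a *.example.com wildcard."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.com"):
        return WILDCARD_IP
    return None


SAMPLE_WORDLIST = ["www", "mail", "vpn", "dev", "staging"]

if __name__ == "__main__":
    for host in enumerate_subdomains("example.com", SAMPLE_CT_JSON, SAMPLE_WORDLIST, fake_resolver):
        print(host)
```

Run against the fake zone, brute force finds www, mail and vpn and correctly rejects "staging" (wildcard noise), but it also misses dev.example.com because it shares the wildcard IP; the certificate source supplies that one, plus legacy-portal, which was never in the wordlist. Only the brute-force half touches the target's name servers.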
5. recon-ng:-
a modular web reconnaissance framework with a Metasploit-style console. Recon-ng has a variety of options to configure (workspaces, API keys), modules to perform recon, and reporting modules that output results to different report types such as HTML, CSV and JSON.
Recon report for tesla.com:-
6. p0f:-
a passive TCP/IP fingerprinting tool: it identifies the operating system and software of hosts from the characteristics of traffic it merely observes (TCP options, TTL, window size, HTTP headers) without sending a single packet. Uses include routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.
7. dig:-
the domain information groper command performs DNS lookups and displays the result. Uses: troubleshooting DNS queries and responses, investigating DNS configurations, verifying record propagation, diagnosing DNS problems, tracing the delegation chain from the root servers (dig +trace), and reverse-resolving IP addresses (dig -x).
8. nmap:-
network exploration, host discovery, and security auditing. Used to map an entire network and find its open ports and services (with version detection, -sV, and OS detection, -O). This is active reconnaissance: the probes reach the target and are the classic signal a network monitor looks for.
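Nmap's human-readable output is fine for a one-off look, but engagements and attack-surface monitoring work from its XML (`-oX`). The Python below is an added example, not part of Nmap: it parses the `-oX` structure into an inventory of open ports per live host and then diffs a baseline scan against a current one to report listeners that were not there before, which is the defender's use of the same tool. Both XML documents are constructed samples in Nmap's format (hosts 192.0.2.10 to .12 are assumptions, not a real scan).

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Set, Tuple


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str   # nmap's service name, "" if none
    product: str   # product/version from -sV, "" if not fingerprinted


def parse_nmap_xml(xml_text: str) -> Dict[str, List[OpenPort]]:
    """Return {ipv4: [open ports]} for every host nmap reported as up.

    Only ports in state "open" are kept; closed/filtered ports are noise for
    an exposure inventory. xml.etree is acceptable for scan output you made
    yourself; for XML from an untrusted source prefer defusedxml.
    """
    root = ET.fromstring(xml_text)
    inventory: Dict[str, List[OpenPort]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports: List[OpenPort] = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None and svc.get("product"):
                product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            ports.append(OpenPort(int(port.get("portid")), port.get("protocol", "tcp"), name, product))
        inventory[addr.get("addr")] = sorted(ports)
    return inventory


def diff_scans(baseline: Dict[str, List[OpenPort]],
               current: Dict[str, List[OpenPort]]) -> Dict[str, Set[Tuple[int, str]]]:
    """(port, proto) pairs open now that were not open in the baseline.

    A host absent from the baseline counts as entirely new exposure. New
    listeners are what a defender wants to be paged on.
    """
    new_exposure: Dict[str, Set[Tuple[int, str]]] = {}
    for ip, ports in current.items():
        before = {(p.port, p.proto) for p in baseline.get(ip, [])}
        added = {(p.port, p.proto) for p in ports} - before
        if added:
            new_exposure[ip] = added
    return new_exposure


# --- Constructed sample output in nmap's -oX format (not a real scan) ---
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.0.2.0/28">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 192.0.2.0/28">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.12" addrtype="ipv4"/>
</host>
</nmaprun>"""

if __name__ == "__main__":
    for ip, added in diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML)).items():
        print(ip, sorted(added))
```

On the sample data the diff reports RDP (3389/tcp) newly exposed on 192.0.2.10 and a whole new FTP host at 192.0.2.11; the closed 443 in the baseline and the host that is down are ignored. Scheduling this diff against your own ranges turns the attacker's tool into an early-warning control.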
9. nikto:-
scans web servers for dangerous files or CGIs, outdated server software and other problems. It performs generic and server-type-specific checks and also captures and prints any cookies received. Nikto is active and deliberately noisy (thousands of requests per host), so it belongs in an authorized engagement, not in stealthy reconnaissance.
Open-Source Intelligence (OSINT):-
• Maltego:
Visualizes connections between people, companies, domains and other online data points. It can help cybersecurity teams and fraud analysts research suspicious activities.
• Shodan:
A search engine for Internet-exposed devices and the banners they present, including devices that are not easily found otherwise, such as those within the Internet of Things (IoT).
• Wireshark:
A packet analyzer for Windows, macOS, Unix and Linux that captures and decodes network traffic in real time. It is passive in that it only listens, but it needs a position on the network, so it is an on-network tool rather than an OSINT source.
• Google:
A popular tool for OSINT investigators, but it can be overwhelming because some queries return millions of pages; advanced operators (site:, filetype:, inurl:) narrow results to a target's exposed pages and documents.
How organizations protect themselves from reconnaissance:-
• Network monitoring:
Regularly check and analyze network traffic to identify suspicious activity. Network monitoring can detect active reconnaissance such as port scanning or network mapping (many ports on one host, or one port across many hosts, from a single source in a short time). By catching these early signs, businesses can take preventive measures before an actual attack takes place.
• Update software and systems:
Ensure that all software and systems are regularly updated to fix known vulnerabilities, so that what a scanner finds is not exploitable.
• Implement strong access controls:
Implement strong access controls, data encryption, and vulnerability management practices.
• Train employees:
Educate employees about phishing and other social engineering attacks, which are where harvested e-mail addresses and names end up being used.
• Use security tools:
Use tools like MainTegrity CSF to monitor, detect, and respond to suspicious activities.
• Define your own network scope:
Identify and delineate the boundaries of the network an outsider's reconnaissance would reveal, and run the same reconnaissance against it yourself so you see the attack surface the attacker sees.
• Identify critical assets:
Identify critical assets and their potential vulnerabilities so that findings can be prioritized.
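The network-monitoring bullet above says port scans and sweeps can be detected early. As an added example (not from the original slides or any product), the Python below implements that detection over firewall-style log lines: for each source IP it keeps a sliding window of recent connection attempts and alerts when one source touches many distinct ports on a single host (a vertical scan, what nmap does by default) or one port across many hosts (a horizontal sweep). The log lines are constructed in an assumed format, `<timestamp> <src> <dst> <dport> <proto> <action>`; only `parse_line` needs changing for iptables, pf or cloud flow logs. The window and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    src: str
    kind: str     # "vertical": many ports on one host; "horizontal": one port across many hosts
    target: str   # the host (vertical) or the port number as text (horizontal)
    count: int
    at: datetime


def parse_line(line: str) -> Tuple[datetime, str, str, int, str, str]:
    """Constructed log format: '<iso8601-utc> <src> <dst> <dport> <proto> <action>'."""
    ts, src, dst, dport, proto, action = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(dport), proto, action


class ScanDetector:
    """Sliding-window counter of distinct (dst, dport) pairs per source IP."""

    def __init__(self, window_s: int = 60, port_threshold: int = 10, host_threshold: int = 10):
        self.window = timedelta(seconds=window_s)
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.events: Dict[str, Deque[Tuple[datetime, str, int]]] = defaultdict(deque)
        self.alerted: Set[Tuple[str, str, str]] = set()   # alert once per (src, kind, target)

    def feed(self, line: str) -> List[Alert]:
        ts, src, dst, dport, _proto, _action = parse_line(line)
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > self.window:      # expire events older than the window
            q.popleft()
        ports_by_dst: Dict[str, Set[int]] = defaultdict(set)
        dsts_by_port: Dict[int, Set[str]] = defaultdict(set)
        for _, d, p in q:
            ports_by_dst[d].add(p)
            dsts_by_port[p].add(d)
        alerts: List[Alert] = []
        for d, ports in ports_by_dst.items():
            if len(ports) >= self.port_threshold:
                alerts.extend(self._emit(src, "vertical", d, len(ports), ts))
        for p, dsts in dsts_by_port.items():
            if len(dsts) >= self.host_threshold:
                alerts.extend(self._emit(src, "horizontal", str(p), len(dsts), ts))
        return alerts

    def _emit(self, src: str, kind: str, target: str, count: int, ts: datetime) -> List[Alert]:
        key = (src, kind, target)
        if key in self.alerted:
            return []
        self.alerted.add(key)
        return [Alert(src, kind, target, count, ts)]


def detect_scans(lines: List[str], **kwargs) -> List[Alert]:
    """Feed log lines in time order and collect every alert raised."""
    det = ScanDetector(**kwargs)
    out: List[Alert] = []
    for line in lines:
        out.extend(det.feed(line))
    return out


# --- Constructed sample log (no real traffic; all addresses are documentation ranges) ---
_BASE = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def _ts(sec: int) -> str:
    return (_BASE + timedelta(seconds=sec)).isoformat().replace("+00:00", "Z")


SAMPLE_LOG = (
    # 1) vertical scan: one source probes ten ports on one host within ten seconds
    [f"{_ts(i)} 198.51.100.23 192.0.2.10 {p} tcp DROP"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445])]
    # 2) horizontal sweep: one source probes port 445 on ten hosts
    + [f"{_ts(20 + i)} 203.0.113.77 192.0.2.{i + 1} 445 tcp DROP" for i in range(10)]
    # 3) benign client: repeated connections to a single service, never alerts
    + [f"{_ts(40 + 5 * i)} 192.0.2.50 192.0.2.10 443 tcp ACCEPT" for i in range(3)]
    # 4) slow scan (one port every 30 s): never has 10 ports inside a 60 s window
    + [f"{_ts(100 + 30 * i)} 198.51.100.99 192.0.2.10 {8000 + i} tcp DROP" for i in range(12)]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.src} {a.kind} scan -> {a.target} ({a.count} distinct)")
```

With the default 60 second window the sample produces exactly two alerts (the fast vertical scan and the SMB sweep) and stays quiet for the benign client. The slow scanner in block 4 is the caveat: an attacker using nmap's slow timing templates spreads probes so that no window ever reaches the threshold, and catching it means a longer window (the test widens it to 600 s) at the cost of more state per source, or correlating over longer periods in a SIEM.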
Thank You!