1. Reconnaissance
Reconnaissance (TA0043)
Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.
Techniques Overview
- Active Scanning: Probing victim infrastructure via network traffic (Nmap, Masscan).
- Gather Victim Identity Information: Emails, credentials, employee names (OSINT).
- Gather Victim Network Information: Domains, IP ranges, topology.
- Search Open Technical Databases: DNS records, WHOIS, certificates (crt.sh).
Strategy
Red teams should perform reconnaissance to identify the attack surface, just as a real adversary would. This phase is critical for:
- Identifying Gaps: Finding unpatched assets or forgotten subdomains.
- Social Engineering Prep: Finding valid email addresses and organizational hierarchy.
- Payload Customization: Understanding the target's stack to tailor phishing lures and payloads.
Section Contents
-
Active Scanning
Probing victim infrastructure via network traffic to identify hosts, services, and vulnerabilities.
-
Gather Victim Host Information
Enumerating hardware, software, firmware, and client configurations to tailor attacks.
-
Gather Victim Identity Information
Advanced tradecraft for harvesting email addresses, employee profiles, and credentials to build high-fidelity targets.
-
Gather Victim Network Information
Mapping the attack surface: Subdomain enumeration, Cloud asset discovery, and DNS analysis.
-
Gather Victim Org Information
Understanding the target's business tempo, physical locations, and key roles.
-
Phishing for Information
Sending non-malicious lures to elicit information (replies, out-of-office, phone numbers).
-
Search Closed Sources
Leveraging paid or private datasets to gather intelligence.
-
Search Open Technical Databases
Leveraging public datasets like Certificate Transparency logs, Shodan, and WHOIS to find hidden assets.
-
Search Open Websites/Domains
Scouring the surface web, social media, and code repositories for exposed secrets and intel.
-
Wordlist Scanning
Using wordlists to brute-force hidden directories, files, and subdomains.
