Reconnaissance is often considered synonymous with footprinting of systems. The idea is to get as much knowledge about the target network as possible. One way of doing that is simple observation. One lesson we can take from the military at large is that like Recon Marines, SEALS, and Army Greet Berets, all of the elite reconnaissance experts, their job is not to close with and kill the enemy. They are to watch, listen, and observe for the sake of gathering intelligence. Another idea to think of reconnaissance is satellite imagery. Using high tech gizmos the ground is watched constantly for change and that imagery is then analyzed by an expert. All of these metaphorically feed into what becomes footprinting of computer systems.
There are a few risks down this path. Much of the literature around this topic looks at the personal computer and computer server as the targets. In military parlance that is like looking at the armor and trucks and missing the nuclear bombs. Be careful that when thinking of reconnaissance you consider the depth of the network and the touchstones to the network. For instance there is no reason for a corporation to not consider intrusion detection tools on the outside of the router to gather data about hacking attempts. Second, the honeypot and honeynet though easily detected (send a break command and if it trips it’s real). Routers, switches, hubs, bridges, network interface units, the ubiquitous PBX, the firewall, and all of the associated network equipment are stepping stones that should be mapped. This is not a trivial task.
The breadth of the task should be considered. What is the desired end result? What is the target? Where is the target logically located (network IP, subnet, domain, DNS, etc.)? Where is the target located physically (street address of system, country, building floor, etc.)? Though the neophyte might consider the physical location trivial the reality is that most protections of systems are clustered around the Internet Protocol layers of the OSI 7 Layer model. As such most of the tools are located within that area too. One key piece of advice when considering an exploitation in something such as cyber warfare is what isn’t protected. This often means moving outside of the “normal” protocols and considering sideways alternatives. As discussed in earlier sections it is the job of an adversary to consider the asymmetrical nature of an attack and attack the weakness. This is very Clausewitz view of the world. Why would you attack the fully patched firewall? Silly to be sure.
Use publicly available information such as Google, WHOIS, and interrogation of the system or network to gather more information. Once the scope (network, server, company, whatever) is figured out the next step is to enter the network. This is where magic happens. The principle most often cited is enumeration to determine the hosts available on a particular network. In the old days you could ping the broadcast address and all of the systems would instantly tell you where they were. Time though is the friend of the smaller adversary. Listening to the network and analyzing the results of DHCP requests will allow an attacker to pick up on the types and configurations of the systems on the network. This is a passive method of reconnaissance. Enumeration is perceived by almost every intrusion detection system as hostile. Luckily though system administrators will do us a favor.
In many cases simply sitting around and listening for a few weeks will payoff. What you don’t want to wait? That is why Marine Corps and Army snipers are so effective. Few people have the patience for the target to walk through the cross hairs. They want to go in guns blazing. The ability to be patient predicts success. While waiting as part of their normal security sweep many administrators will run NESSUS or NMAP against their network and gather the results of exploits. Since this is inside the network often many systems will go unpatched. Using a sniffer and a session recorder it would be possible to feed back into your version of scanning tool all of the telemetry it saw and receive the report of open exploits. There are several problems with this scenario but the concepts are sound.
Just for grins and giggles sometime list out all of the exploits (or a random sample) and look at where all of the exploits point on the OSI 7 Layer model.
Reconnaissance is a tricky bit of witchery.
Some things that the cyber warfare actor should consider is a some low level anti-forensics. How do you keep attribution from happening? One simple method is to use a series of third party proxies that don’t record IP’s. Another possible counter forensic technique would be to use The Onion Routing network. Other possible methods are to use a distributed botnet and user their connections to attack other systems. The idea is to obfuscate the trail. I have another post that details anti-forensic method of the end machine fairly consistently.