A reconnaissance attack is the initial phase of a cyberattack where the hacker gathers information about a target before launching an actual attack. It's like a thief casing a bank before the actual robbery.
During reconnaissance, attackers collect data about their target's systems, networks, employees, and vulnerabilities without actually causing damage or stealing data yet.
1. Passive Reconnaissance: Gathering information without directly interacting with the target (e.g., searching public databases, social media).
2. Active Reconnaissance: Directly interacting with the target's systems to discover vulnerabilities (e.g., port scanning, ping sweeps).
"Knowing your enemy is the first step to defeating them. Reconnaissance is how cyber attackers get to know their targets."
Use the NMAP (Network Mapper) tool on the Kali-Attacker machine to gather information about the network (active reconnaissance) and discover potential vulnerabilities.
Here the Kali-Attacker machine has IP 192.168.1.8 and will be used to launch all attacks. We already know that the target network is 192.168.1.0/24.
1. Let's start the reconnaissance attack from the Kali Linux attacker machine using different tools and commands. Open the Kali-Attacker console and log in with the username and password kali/kali.
2. Open the terminal from the top bar and, if you want, switch to the root user with the command below. It will ask for the password (enter kali).
sudo su
3. You can zoom in on your terminal window if you want using CTRL+SHIFT and +.
Here we'll use the NMAP tool to scan the network. You can get help on the nmap command; it lists everything the command can do, with examples. Scroll down to see all options.
nmap --help
4. In order to scan the full network 192.168.1.0/24, use the following command. It will show which hosts are up, with their IP and MAC addresses. (-sP is the older spelling of -sn, a ping scan that does not probe ports; both still work.)
nmap -sP 192.168.1.0/24
5. Let's target IP 192.168.1.7 for more detailed reconnaissance of this particular machine. The -O option performs OS detection in addition to the default port scan.
nmap -O 192.168.1.7
Here you can see that some services like ssh, http, msrpc, https, netbios etc. are open and that the host is running Windows XP. You can also try other machines and check which ports are open and what other details are reported for them.
To dig deeper into this Windows XP machine, use other NMAP options.
nmap -sV 192.168.1.7
It gives more detailed information about the applications running on the system, such as the SSH version and the web server and its version (Apache in this case).
6. Now we know which ports are open and which application versions are running. We can also look at the details of a specific open port on the target.
nmap -p 80 192.168.1.7
There are several other ways to get the same information. The -F (fast) option takes no port argument; it scans only the 100 most common ports.
nmap -F 192.168.1.7
nmap 192.168.1.7
7. You can also check whether this device is alive using the following command.
fping 192.168.1.7
There is another way to determine the type of web server running, along with other details, using the following command.
whatweb 192.168.1.7
----------------------------------You can skip this if you want------------------
nikto -host 192.168.1.7
Note: If nikto is not installed, install it first using the "sudo apt update" and "sudo apt install nikto" commands.
nikto reports known vulnerabilities and misconfigurations in the web application running on the machine.
---------------------------------------------------------------------------------
8. You can also try hping3.
hping3 --scan 1-1024 192.168.1.7 -S --rand-source
It sends SYN probes to ports 1-1024 on the machine (IP 192.168.1.7) with a randomized source address on each probe (--rand-source), so the probes do not all appear to come from the attacker's real IP.
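The steps above are what the scans look like from the attacker's side. From the defender's side, every one of them leaves a distinctive footprint in firewall logs: a host discovery sweep touches many hosts from one source, a port scan touches many ports on one host from one source, and an hping3 --rand-source scan touches many ports on one host from many (spoofed) sources, which defeats any rule that counts per source. The detector below is an added example, not part of the original lab; it assumes a constructed syslog-style firewall line format ("<ISO timestamp> DROP proto=TCP src=<ip> dst=<ip> dpt=<port>") and the sample log lines, thresholds and rule names are all my own choices for illustration. The IPs reuse the lab's 192.168.1.8 attacker and 192.168.1.7 target.

```python
"""Scan detector over firewall log lines (added example; not part of the lab).

Assumed log format, constructed here for illustration (one event per line):
    2024-05-01T10:00:00 DROP proto=TCP src=192.168.1.8 dst=192.168.1.1 dpt=443
Three rules mirror the lab's steps from the defender's side:
  host_sweep             one source probes many hosts            (nmap -sP / fping)
  port_scan              one source probes many ports on one host (nmap -p, -sV)
  distributed_port_scan  many sources probe many ports on one host
                         (hping3 --rand-source spoofs the source address,
                          so per-source counting alone misses it)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect_scans(lines, window_s=60, host_threshold=8, port_threshold=15):
    """Sliding-window detection; returns one alert per (rule, key), in time order."""
    window = timedelta(seconds=window_s)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    per_src = defaultdict(list)  # src -> [(ts, dst, dpt)] seen inside the window
    per_dst = defaultdict(list)  # dst -> [(ts, src, dpt)] seen inside the window
    alerts, fired = [], set()

    def prune(buf, now):
        # Buffers are appended in time order, so old entries sit at the front.
        while buf and now - buf[0][0] > window:
            buf.pop(0)

    def alert(rule, key, **fields):
        if (rule, key) not in fired:  # report each offender once, not per packet
            fired.add((rule, key))
            alerts.append({"rule": rule, **fields})

    for e in events:
        now, src, dst, dpt = e["ts"], e["src"], e["dst"], e["dpt"]
        src_buf, dst_buf = per_src[src], per_dst[dst]
        src_buf.append((now, dst, dpt))
        dst_buf.append((now, src, dpt))
        prune(src_buf, now)
        prune(dst_buf, now)

        # Rule 1: horizontal sweep, one source touching many distinct hosts.
        hosts = {d for _, d, _ in src_buf}
        if len(hosts) >= host_threshold:
            alert("host_sweep", src, src=src, hosts=len(hosts), ts=now.isoformat())

        # Rule 2: vertical scan, one source touching many distinct ports on this host.
        ports = {p for _, d, p in src_buf if d == dst}
        if len(ports) >= port_threshold:
            alert("port_scan", (src, dst), src=src, dst=dst, ports=len(ports), ts=now.isoformat())

        # Rule 3: target-centric view, many ports from many sources; catches spoofed sources.
        t_ports = {p for _, _, p in dst_buf}
        t_srcs = {s for _, s, _ in dst_buf}
        if len(t_ports) >= port_threshold and len(t_srcs) >= host_threshold:
            alert("distributed_port_scan", dst, dst=dst, sources=len(t_srcs),
                  ports=len(t_ports), ts=now.isoformat())
    return alerts


def build_sample_log():
    """Constructed firewall lines (not real captures) covering all three rules plus benign noise."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)

    def line(offset, src, dst, dpt):
        ts = (t0 + timedelta(seconds=offset)).isoformat()
        return f"{ts} DROP proto=TCP src={src} dst={dst} dpt={dpt}"

    lines = []
    # host discovery: attacker 192.168.1.8 touches 11 hosts in the /24 within seconds
    lines += [line(i, "192.168.1.8", f"192.168.1.{i}", 443) for i in range(1, 13) if i != 8]
    # port scan: the same attacker walks ports 1-20 on 192.168.1.7 a minute later
    lines += [line(60 + p, "192.168.1.8", "192.168.1.7", p) for p in range(1, 21)]
    # spoofed-source scan: 20 different source addresses, one port each, against 192.168.1.9
    lines += [line(200 + i, f"10.0.0.{i}", "192.168.1.9", 1000 + i) for i in range(1, 21)]
    # benign: a client retrying SMB on one port is not a scan and must not alert
    lines += [line(300 + i, "192.168.1.20", "192.168.1.7", 445) for i in range(5)]
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for a in detect_scans(build_sample_log()):
        print(a)
```

Running it prints three alerts: a host_sweep from 192.168.1.8, a port_scan from 192.168.1.8 against 192.168.1.7, and a distributed_port_scan against 192.168.1.9, while the benign SMB retries produce nothing. Rule 3 is the one that matters for the hping3 step: because each spoofed probe arrives from a different address, rules 1 and 2 never reach their thresholds, and only counting per target exposes the scan.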