Attack reconnaissance

Reconnaissance: In this first stage, attackers collect information about the target organization by investigating its infrastructure, employees, partners, or customers. They may employ open-source intelligence (OSINT), social engineering tactics, or exploit known vulnerabilities in publicly accessible systems.

Stage 1: Reconnaissance

The prestigious entities being targeted in APT attacks have sufficient funding for sophisticated cybersecurity controls. Because of this, cyberattacks cannot begin their attack sequence with infiltration. Several reconnaissance campaigns are initially required to detect potential entry points into an organization's network.

Solutions commonly used for penetration testing and network analytics tools could clandestinely detect overlooked vulnerabilities that could facilitate an APT attack.

Some examples of such solutions are listed below. Each item links to further information.

Recon- NG (also on GitHub)
Censys
Open-Port checking tools
Datasploit (also on GitHub)
Aquatone (also on GitHub)
Spiderfoot
Shodan

  1. Passive Reconnaissance

    Description: Gathering information without directly interacting with the target. This type of reconnaissance is difficult to detect. Examples: Footprinting: Collecting information about the target's domain, IP addresses, and network infrastructure through publicly available sources. Social Engineering: Using social manipulation to obtain confidential information from employees or other insiders. DNS Querying: Gathering DNS information to identify subdomains, email servers, and other DNS records. WHOIS Lookup: Retrieving registration details of a domain to find out ownership, contact information, and infrastructure details. Web Scraping: Extracting information from the target's website, such as contact information, software versions, and organization structure.

action launch_whois_lookup() = {}

action launch_dns_query() = {}
2. Active Reconnaissance

Description: Directly interacting with the target's systems to gather information. This type of reconnaissance can be more easily detected.
Examples:
    Port Scanning: Scanning the target's network to identify open ports and services running on those ports.
    Network Scanning: Mapping the network topology to identify active devices, IP addresses, and their roles.
    Service Enumeration: Identifying the services running on the target's systems, including their versions and configurations.
    Operating System Fingerprinting: Determining the operating system of the target's systems through analysis of network traffic or system responses.
    Banner Grabbing: Capturing service banners to gather information about the software and version running on a server.


action endpoint_scanning(src:ip.endpoint, dst:ip.endpoint) = {}
action launch_tcp_null_scan() = {}

action launch_tcp_xmas_scan() = {}

action launch_tcp_ack_scan() = {}

action launch_tcp_window_scan() = {}

action launch_tcp_maimon_scan() = {}

action launch_dns_spoofer() = {}

action launch_dns_poisoning() = {}

action launch_dns_rebinding() = {}

action launch_dns_tunneling() = {}