DEPARTMENT OF ARTIFICIAL INTELLIGENCE AND DATA SCIENCE

22ADE53 – CYBER SECURITY


Unit-3 RECONNAISSANCE
Ms. Thivya Rajkumar AP/AI&DS
VCET
Reconnaissance
• The first phase in ethical hacking.
• Used to gather information about the target system.
• Helps in identifying vulnerabilities before an attack.
Types of Reconnaissance
1. Passive Reconnaissance
• No direct interaction with the target, so nothing appears in the target's logs.
• Uses publicly available data.
• Example: WHOIS lookup, Google Dorking.
• Real-world analogy: watching CCTV footage, checking social media, reading the news.
2. Active Reconnaissance
• Direct interaction with the target system, which can be logged and detected.
• Involves scanning and enumeration.
• Example: Nmap scanning, DNS enumeration.
• Real-world analogy: interrogating suspects, physically walking through a crime scene.
Importance of Reconnaissance
• Helps penetration testers understand the target system.
• Identifies potential vulnerabilities.
• Used in network security assessments.
• Provides insight into the target's digital footprint.
Tools for Reconnaissance
• theHarvester – Gathers emails, subdomains, hosts and employee names from public sources.
• Whois – Retrieves domain and IP-block registration details.
• Netcraft – Identifies web technologies and hosting details.
• host command – Resolves domain names to IP addresses (and other DNS records).
• DNS & Email Extraction – Collects DNS records and email addresses.
• Social Engineering Reconnaissance – Uses human manipulation to gather information.
theHarvester Tool Overview

What is theHarvester?
• A Python-based OSINT (Open Source Intelligence) tool.
• Collects emails, subdomains, hosts, employee names, and banners.
• Gathers data from search engines, PGP key servers, and SHODAN (the set of sources varies by release).
Why is it used?
• Shows ethical hackers what information is publicly available about a target, without touching the target's own systems.
• Used in penetration testing and cybersecurity research.
Installing & Using theHarvester

Step 1: Installing theHarvester

Kali Linux: theHarvester comes pre-installed on most penetration testing
distributions like Kali Linux. You can verify the installation with:
theHarvester -h
If you need to install it, or want the packaged version updated, use:
sudo apt update                 # refresh the package lists (Kali)
sudo apt install theHarvester   # install theHarvester from the Kali repositories
On other Linux distributions, install from source:
git clone [Link]
cd theHarvester
sudo pip3 install -r [Link]
Once installed, check that it runs by executing:
theHarvester -h
Step 2: Understanding the Syntax and Basic Options
Option names and meanings have changed between releases; the list below follows
the slides and should be checked against the output of theHarvester -h on your version.
• -d <domain>: Specifies the domain to search.
• -b <source>: Defines the data source (e.g., yahoo, bing, shodan). Multiple
sources can be given separated by commas.
• -l <limit>: Limits the number of results fetched from each data source.
• -f <filename>: Saves the output to a file (HTML/XML in older releases, XML/JSON in newer ones).
• -n: Performs DNS (reverse) lookups on the discovered ranges.
• -t: Performs DNS TLD expansion.
• -s <start>: Starts at a specific result number (useful when you want to
skip initial results).
• -v: Verifies hostnames via DNS resolution and searches for virtual hosts (it is
not a generic verbose switch).
Basic Usage Example: To search a domain (e.g., [Link]) using Yahoo as the data source:
Command
theHarvester -d [Link] -b yahoo
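What theHarvester does for the command above is, in essence, scrape search results for a query built from the domain and pull out every e-mail address and hostname that belongs to it. The following is an added example written for these notes, not code from the theHarvester project: it runs the same extraction over a constructed snippet of search-result HTML (an assumption about what such a page contains) and shows why scope checking matters, since "example.com.evil-site.net" and "notexample.com" must not be counted as hosts of example.com.

```python
import re
from html import unescape

# Constructed sample of text scraped from a search-engine results page for a
# query such as "@example.com". It is an assumption about what such a page
# contains; it is not real search output.
SAMPLE_RESULTS = """
<a href="https://www.example.com/contact">Contact us</a> - write to hr@example.com or
press&#64;example.com ... <cite>https://mail.example.com/owa</cite>
<p>Jane Doe &lt;jane.doe@example.com&gt; posted on dev.example.com about vpn.example.com</p>
<a href="http://example.com.evil-site.net/login">example.com.evil-site.net</a>
<a href="https://notexample.com/">notexample.com</a> - support@other.org
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A hostname: dot-separated labels ending in an alphabetic TLD, not glued to
# other word characters, so "example.com.evil-site.net" is matched as a whole.
HOST_RE = re.compile(r"(?<![\w.-])((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})(?![\w-])")


def in_scope(name, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    return name == domain or name.endswith("." + domain)


def harvest(domain, pages):
    """Extract in-scope e-mail addresses and hostnames from scraped pages.

    Returns (emails, hosts), both sorted and de-duplicated.
    """
    domain = domain.lower()
    emails, hosts = set(), set()
    for page in pages:
        text = unescape(page)  # turn &#64; into @ and &lt; into < before matching
        for addr in EMAIL_RE.findall(text):
            addr = addr.lower()
            if in_scope(addr.split("@", 1)[1], domain):
                emails.add(addr)
        for host in HOST_RE.findall(text):
            host = host.lower()
            if in_scope(host, domain):
                hosts.add(host)
    return sorted(emails), sorted(hosts)


if __name__ == "__main__":
    found_emails, found_hosts = harvest("example.com", [SAMPLE_RESULTS])
    print("emails:", found_emails)
    print("hosts: ", found_hosts)
```

Note that an attacker only ever reads the search engine's cached copy here; nothing is sent to example.com, which is exactly what makes this passive reconnaissance.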

Refer: [Link]

Whois
What is Whois?
• A query/response protocol (RFC 3912) for retrieving the registration details of
domain names and IP address blocks.
• Used to gather domain ownership, registrar, name server, contact and hosting
details, and the organisation to which an IP range is allocated.
Whois Lookup Command:
whois [Link]
How Attackers Use This
• Find names and email contacts for phishing.
• Identify related infrastructure (registrar, name servers, netblocks) and
potential weaknesses in the organisation's infrastructure.
Netcraft
What is Netcraft?
• An internet-services company whose site reports show what a given website
runs on (hosting provider, netblock, OS, web server, hosting history), and which
detects cybercrime, phishing, and fraudulent domains.
• Provides security services such as anti-fraud, anti-phishing, code review, and
penetration testing.
Netcraft Extension
• A browser extension that looks up website information and protects against
phishing and malicious JavaScript.
How to Use Netcraft?
• Visit the Netcraft site report page.
• Enter the website you want to analyze.
• Get details about hosting, technologies, and security risks.
Host
What is a Host?
• Any device that connects to a network (computer, server, router, IoT device).
• A host can send and receive data over a network.
Types of Hosts:
• Primary Host: The main system managing resources (e.g., the server providing a service).
• Secondary Host: Supports communication but does not control major
operations (e.g., a client).
Host Port & Hostname:
• A host port is a numbered communication endpoint (TCP or UDP port) through
which the host talks to the network.
• A hostname identifies a host in a network (e.g., [Link]).
• The host command listed under Tools for Reconnaissance resolves a hostname to
its IP addresses (and the reverse) by querying DNS.
Extracting Information from DNS

What is DNS?
• A core component of the Internet that translates domain names into IP
addresses.
• Attackers query DNS servers to gather information on a network.
Why is DNS Important in Reconnaissance?
• Provides valuable data about a target's network structure: name servers, mail
servers, subdomains, and TXT records that may leak contacts or vendor names.
• Obtaining a full set of DNS records is like obtaining a blueprint of an
organisation's network.
Example:
nslookup [Link]
dig [Link] ANY
Note: many authoritative servers now refuse or minimise ANY queries (RFC 8482),
so in practice you query each record type separately (A, AAAA, MX, NS, TXT, SOA).
Extracting Information from E-mail Servers
What is E-mail Reconnaissance?
• Involves extracting valuable information from email addresses, message
headers, and the responses of mail servers.
• Attackers combine this with social engineering to collect data on employees
and business partners.
Methods of E-mail Extraction:
• Manual Extraction: Copy and paste emails into a document for analysis.
• Automated Extraction: Use tools to scan and categorise email information.
How Attackers Use This Information?
• Identify internal operations and potential phishing targets.
• Gather intelligence on organisational structure (naming conventions reveal
how to guess further addresses).
Social Engineering
• Social engineering is the art of manipulating people into giving up confidential
information.
How Attackers Extract Emails & Use Them for Phishing:
• Harvesting Public Emails – Attackers use tools like Harvester to collect
company emails from public sources.
• Creating Fake Login Pages – Attackers send phishing emails with a link to a
fake login portal.
• Spear Phishing – Personalized email attacks using harvested emails.
• Whaling Attacks – Targeting high-level executives (CEO fraud).
• Business Email Compromise (BEC) – Using stolen credentials to impersonate
company executives.
Ethical Use & Defenses Against Reconnaissance

While reconnaissance is a necessary step in cybersecurity for penetration testers,
it can also be misused by malicious actors.
Ethical Hacking Considerations:
• Always have written permission before scanning domains.
• Follow cybersecurity laws (e.g., GDPR, CFAA).
• Use ethical tools responsibly for penetration testing.
How Companies Defend Against Reconnaissance:
1. Hide Internal DNS Information – Limit exposure of unnecessary DNS records
(separate internal and external zones).
2. Implement SPF, DKIM, and DMARC – Prevent email spoofing attacks; SPF should
end in -all and DMARC should enforce p=quarantine or p=reject rather than p=none.
3. Use WHOIS Privacy Protection – Mask domain registrant details.
4. Enable DNSSEC – Prevent DNS hijacking and cache poisoning (it authenticates
records, it does not hide them).
5. Monitor DNS & Email Activity – Detect unusual queries or large-scale email extractions.
6. Cybersecurity Awareness Training – Train employees to recognise phishing emails.
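The DNS examples above (nslookup, dig) and defence items 1 and 2 in this list are two sides of the same data. As an added example for these notes (not code from the page or from any tool it mentions), the following parses dig-style answer lines and produces both the attacker's view (every hostname, mail and name server, and e-mail addresses leaked in TXT records) and the defender's check of whether SPF and DMARC are strict enough. The record set is constructed for the example; the record names, addresses and TXT contents are assumptions, not a real zone.

```python
import re

# Constructed answer-section lines in the format printed by dig / host. Sample
# data written for this example, not the output of a real query.
SAMPLE_DIG_OUTPUT = """\
; constructed sample, not real query output
example.com.          3600  IN  NS   ns1.example.com.
example.com.          3600  IN  NS   ns2.example.com.
example.com.          300   IN  MX   10 mail.example.com.
example.com.          300   IN  A    203.0.113.10
example.com.          300   IN  TXT  "v=spf1 include:_spf.example.net ~all"
_dmarc.example.com.   300   IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
vpn.example.com.      300   IN  A    203.0.113.20
vpn.example.com.      300   IN  TXT  "Cisco ASA 9.12 VPN gateway - contact netops@example.com"
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_records(text):
    """Turn dig-style lines into dicts: name, ttl, type, data (quotes stripped)."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(None, 4)
        if len(parts) != 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, data = parts
        records.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "data": data.strip().strip('"')})
    return records


def recon_summary(records):
    """Attacker's view: hostnames, mail/name servers, and e-mails leaked in TXT."""
    hosts, mail, ns, emails = set(), set(), set(), set()
    for r in records:
        if r["type"] in ("A", "AAAA", "CNAME"):
            hosts.add(r["name"])
        elif r["type"] == "NS":
            ns.add(r["data"].rstrip(".").lower())
        elif r["type"] == "MX":                      # data is "<priority> <host>"
            mail.add(r["data"].split()[-1].rstrip(".").lower())
        elif r["type"] == "TXT":
            emails.update(a.lower() for a in EMAIL_RE.findall(r["data"]))
    hosts |= mail | ns
    return {"hosts": sorted(hosts), "mail_servers": sorted(mail),
            "nameservers": sorted(ns), "emails": sorted(emails)}


def _txt(records, name):
    return [r["data"] for r in records if r["name"] == name and r["type"] == "TXT"]


def assess_email_auth(records, domain):
    """Defender's check for defence item 2: will spoofed mail actually be rejected?"""
    findings = []
    spf = [t for t in _txt(records, domain) if t.lower().startswith("v=spf1")]
    dmarc = [t for t in _txt(records, "_dmarc." + domain) if t.lower().startswith("v=dmarc1")]
    if not spf:
        findings.append("no SPF record: any host can send mail as " + domain)
    elif spf[0].split()[-1].lower() != "-all":
        findings.append("SPF does not end in -all: spoofed mail is only soft-failed or neutral")
    if not dmarc:
        findings.append("no DMARC record: receivers cannot enforce SPF/DKIM alignment")
    else:
        # "v=DMARC1; p=none; rua=..." -> {"v": "DMARC1", "p": "none", "rua": "..."}
        tags = {k.strip().lower(): v.strip()
                for k, _, v in (t.partition("=") for t in dmarc[0].split(";")) if k.strip()}
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC policy p=none: spoofed mail is reported but still delivered")
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DIG_OUTPUT)
    print(recon_summary(recs))
    print(assess_email_auth(recs, "example.com"))
```

Pipe real output into it with `dig example.com ANY +noall +answer` (or one query per record type where ANY is refused) and the same two functions apply; the TXT record on the VPN host shows how a single careless record hands an attacker both a product name and a contact to phish.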
2016 Dyn DNS Attack Case Study

What Happened?
• A massive DDoS attack targeted Dyn, a major DNS provider.
• Attackers used a botnet of IoT devices infected with Mirai malware.
• The attack disrupted major websites like Twitter, Reddit, Netflix, and Amazon.
How Attackers Used DNS?
• Overloaded Dyn’s DNS servers, making websites unreachable.
• Exploited vulnerable IoT devices (default passwords, unpatched firmware).
• Created a botnet to send massive DNS queries, leading to failure.
Lessons Learned:
• Secure IoT devices with strong passwords & firmware updates.
• Implement DNS failover solutions to prevent outages.
• Use traffic filtering to detect and block DDoS attacks.
Activity-3 (Given Date: 28.02.25, Submission Date: 07.03.25)
1. How would you gather information about an unknown website? The test domain is
[Link]; find emails, subdomains, and hosting details.
2. Use nslookup & dig on [Link] to extract DNS records.
3. How do companies secure themselves from reconnaissance?
4. Compare the DNS records of two different domains: spot the differences between
[Link] and a smaller website.


Scanning
What is Scanning?
• The process of identifying systems, services, and vulnerabilities in a
network.
• Used by ethical hackers to improve security and by attackers to find
weaknesses.
Types of Scanning:
• Port Scanning – Identifies open ports and services.
• Network Scanning – Maps devices and their details.
• Vulnerability Scanning – Finds security weaknesses.
Port Scanning
What is Port Scanning?
• The process of identifying open and available TCP/UDP ports on a system.
Why is it used?
• Helps security professionals detect weak entry points before attackers do.
• Scanning without permission is illegal in most jurisdictions (e.g., under the CFAA
in the US), so it is done only against systems you are authorised to test.

Port Number Ranges (as assigned by IANA):

Port Type          Range          Examples
Well-Known Ports   0-1023         HTTP (80), HTTPS (443), FTP (21), SSH (22)
Registered Ports   1024-49151     MySQL (3306), RDP (3389)
Dynamic Ports      49152-65535    Ephemeral client-side ports (e.g., for messaging apps, VoIP calls)
Port Scanning Techniques

Types of Port Scanning:

Scan Type           Purpose
SYN Scan            Half-open connection (never completes the handshake); fast and leaves fewer traces
Full Connect Scan   Establishes the full TCP handshake; easily detectable and logged by the application
UDP Scan            Checks open UDP ports such as DNS (53); slow, because open ports often do not answer
XMAS Scan           Sends a TCP segment with FIN, PSH and URG set to probe how the stack or firewall handles an abnormal segment

Example (Nmap Command):

nmap -sS -p 22,80,443 [Link]

Scans the target for open SSH, HTTP, and HTTPS ports (-sS requires root privileges because it sends raw SYN packets).



Network Scanning
What is Network Scanning?
• Identifies devices, IP addresses, and services on a network.
Why is it important?
• Used by penetration testers to map a network and discover potential attack points.
Common Tools:

Tool Name             Purpose
Nmap                  Scans IPs, ports, and services
Angry IP Scanner      Quickly finds active hosts
SoftPerfect Scanner   Detects devices and open ports
Wireshark             Captures live network traffic
Vulnerability Scanning
What is Vulnerability Scanning?
• The process of identifying security weaknesses in a system.
How it Works:
• Detects system details (OS, services, software versions).
• Compares against known vulnerabilities (CVE database).
• Reports misconfigurations and security gaps.
Popular Vulnerability Scanners:
Tool       Purpose
Nessus     Identifies network security vulnerabilities
OpenVAS    Open-source vulnerability assessment
Nikto      Scans web servers for security issues
Qualys     Cloud-based vulnerability management
Scanning Methodology
1. Check for Live Systems
   Purpose: Identify active hosts on the network.
   Tools Used: Nmap (nmap -sn [Link]/24), Ping, ARP Scan
   Defensive Measures: Disable ICMP responses; Implement IDS/IPS; Use network segmentation
2. Check for Open Ports
   Purpose: Detect open and vulnerable ports.
   Tools Used: Nmap (nmap -p 1-1000 [Link]), Netcat, Angry IP Scanner
   Defensive Measures: Close unused ports; Enable firewall rules; Implement port knocking
3. Service Identification
   Purpose: Find running services & protocols.
   Tools Used: Nmap (nmap -sV [Link]), Netcat, Telnet
   Defensive Measures: Hide service version details; Disable unnecessary services; Use intrusion detection
4. Banner Grabbing & OS Fingerprinting
   Purpose: Gather OS & software details for exploitation.
   Tools Used: Netcat (nc -v [Link] 80), Telnet, Nmap (nmap -O [Link])
   Defensive Measures: Disable banner disclosure; Use honeypots; Configure proper firewall rules
5. Vulnerability Scanning
   Purpose: Scan for known security weaknesses.
   Tools Used: Nessus, OpenVAS, Nikto (nikto -h [Link])
   Defensive Measures: Regular security patching; Use endpoint protection; Limit external scanning
6. Draw Network Diagrams
   Purpose: Map network topology & vulnerable hosts.
   Tools Used: Maltego, Zenmap (Nmap GUI), Wireshark
   Defensive Measures: Implement network segmentation; Monitor for unauthorized mapping attempts
7. Prepare Proxies
   Purpose: Hide attacker identity & bypass firewalls.
   Tools Used: ProxyChains, Tor, VPNs, SOCKS5
   Defensive Measures: Monitor outbound traffic; Block proxy tools & Tor exit nodes
8. Attack Phase
   Purpose: Exploit identified vulnerabilities.
   Tools Used: Brute Force: Hydra, John the Ripper; SQL Injection: sqlmap -u [Link]
   Defensive Measures: Implement strong authentication; Enable logging & monitoring; Train employees for phishing
Scanning Methodology

How Scanning is Performed?

1. Identify live hosts on the network (Ping Sweep Techniques).
2. Find open ports and services (Port Scanning).
3. Determine the operating system and services running (Banner Grabbing &
OS Fingerprinting).
4. Identify security vulnerabilities (Vulnerability Scanning).
Ping Sweep Techniques
• A Ping Sweep is a method used to check which devices are active on a network.
• ICMP (Internet Control Message Protocol) is used by the ping command.
How it Works:
• Sends an ICMP Echo Request to every address in the range.
• Active hosts respond with an Echo Reply.
• Note: nmap -sn is more than an ICMP sweep. On a local Ethernet segment it uses
ARP requests, and against remote targets (when run as root) it also sends a TCP
SYN to port 443 and a TCP ACK to port 80, so blocking ICMP alone does not hide a host.
Example Command:
nmap -sn [Link]/24
ping -c 4 [Link]
Defensive Measures:
• Disable ICMP responses on firewalls.
• Use Intrusion Detection Systems (IDS) to detect repeated ICMP requests.
• Monitor network logs for unusual scanning behaviour.
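Steps 1 and 2 of the methodology (live hosts, then open ports) are usually run as one Nmap job whose results are then post-processed, and Nmap's grepable output (-oG) exists for exactly that. The following is an added example written for these notes, not part of the original slides or of Nmap: it parses a constructed -oG sample (an assumption about the scan's results, not a real capture) into live hosts and open ports per host, and adds the defender's question of which management services are reachable at all.

```python
# Constructed sample of Nmap's grepable (-oG) output for the scan named in the
# first comment line. Sample data for this example, not real scan results;
# "Down" hosts are only listed in -oG output when -v is given.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated (constructed sample) as: nmap -v -sS -p 22,80,443,3389 -oG - 192.168.1.0/30\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, "
    "443/closed/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (0)\n"
    "Host: 192.168.1.2 ()\tStatus: Up\n"
    "Host: 192.168.1.2 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///, "
    "443/open/tcp//https//Apache httpd 2.4.41/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\n"
    "Host: 192.168.1.3 ()\tStatus: Down\n"
    "# Nmap done (constructed sample) -- 4 IP addresses (2 hosts up) scanned\n"
)

# Services a defender normally wants reachable only from a management network.
REMOTE_ACCESS = {"ssh", "telnet", "ms-wbt-server", "vnc", "ftp"}


def parse_grepable(text):
    """Parse -oG lines into {ip: {"status": ..., "ports": [...]}}.

    -oG fields are tab-separated; each port entry is
    port/state/protocol/owner/service/rpcinfo/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"status": "unknown", "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip().lower()
            elif key == "Ports":
                for item in value.split(", "):
                    p = item.strip().split("/")
                    entry["ports"].append({"port": int(p[0]), "state": p[1], "proto": p[2],
                                           "service": p[4], "version": p[6]})
                entry["status"] = "up"  # a host that returned port states answered our probes
    return hosts


def live_hosts(hosts):
    """Step 1 of the methodology: which addresses answered the sweep."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == "up")


def open_ports(hosts):
    """Step 2: open ports per live host (filtered ports are not counted as open)."""
    return {ip: sorted(p["port"] for p in h["ports"] if p["state"] == "open")
            for ip, h in hosts.items() if h["status"] == "up"}


def exposed_remote_access(hosts):
    """Defender's view: open management services that should be firewalled."""
    return sorted((ip, p["port"], p["service"], p["version"])
                  for ip, h in hosts.items() for p in h["ports"]
                  if p["state"] == "open" and p["service"] in REMOTE_ACCESS)


if __name__ == "__main__":
    result = parse_grepable(SAMPLE_GREPABLE)
    print("live:", live_hosts(result))
    print("open:", open_ports(result))
    print("exposed management services:", exposed_remote_access(result))
```

With a real scan, run nmap with `-oG scan.gnmap` and feed the file's contents to `parse_grepable`; a "filtered" state (no answer at all) is reported separately from "closed" (RST received) because the former usually means a firewall is in the path, which is itself reconnaissance information.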
Summary
• Scanning should be used ethically and only on authorised networks.
• nmap is a free, open-source, cross-platform scanning tool for network auditing.
• Its command-line switches allow scanning for live hosts, open ports, and OS details.
• Defensive strategies like firewalls and IDS help prevent unauthorised scans.
nmap Command Switches
Scan Types
Introduction to SYN Scan
• A SYN scan (nmap -sS) is the default and most common port-scanning technique.
• Also called a half-open scan because it does not complete the TCP
three-way handshake.
• Identifies open ports while leaving fewer traces on the target: because no
connection is ever established, the application behind the port usually logs nothing.
How SYN Scanning Works
1. The scanner sends a SYN packet to the target port.
2. The target responds:
• If the port is open, it sends a SYN/ACK.
• If the port is closed, it sends a RST (reset).
• If the port is filtered by a firewall, there is no response (or an ICMP unreachable).
3. The scanner answers a SYN/ACK with a RST instead of an ACK, so the handshake
is never completed.
Advantages and Disadvantages of SYN Scanning
Advantages:
• Stealthy: the half-open connection never reaches the application, so it evades
application-level logging and some simple IDS rules.
• Fast: faster than a full TCP connect scan, since no connection is set up and torn down.
• Effective: quickly identifies live services.
Disadvantages:
• Requires root/admin privileges to send raw SYN packets (without them nmap
falls back to a connect scan).
• Readily detected by modern IDS/IPS, which count SYNs that are never followed by an ACK.
• Firewalls can drop the SYN packets, making ports appear filtered.
XMAS Scan
XMAS scans send a TCP segment with the FIN, URG, and PSH flags set ("lit up like
a Christmas tree").
• If the port is open – there is no response, so the port is reported as open|filtered
(a firewall dropping the probe produces the same silence).
• If the port is closed – the target responds with a RST.
• XMAS scans work only against TCP/IP stacks that follow RFC 793, which says a
closed port answers any segment without SYN, RST or ACK with a RST and an open port
silently drops it. They don't work against any version of Windows (or Cisco IOS and
some other stacks), which reply with RST regardless of port state, so every port looks closed.
FIN, NULL, and IDLE Scans
FIN Scan
• Sends a packet with just the FIN flag set.
• Receives the same responses and has the same limitations as the XMAS scan.
NULL Scan
• Sends a packet with no flags set.
• Same responses and limitations as the XMAS and FIN scans.
IDLE Scan
• Sends SYN packets to the target with the source address spoofed to that of an
idle third-party host (the "zombie"), so the target never sees the scanner's address.
• The target's reply goes to the zombie: a SYN/ACK (open port) makes the zombie
send back a RST, while a RST (closed port) is ignored by the zombie.
• The scanner infers the port state by probing the zombie itself before and after,
and watching how much the IP identification (IP ID) field in the zombie's IP header
incremented: +2 means open, +1 means closed or filtered. This only works if the
zombie is truly idle and uses a predictable, incrementing IP ID.
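The SYN, XMAS, FIN, NULL and IDLE scan descriptions above all reduce to one question: given a probe and the target's reply, what does the scanner conclude? The following added example (written for these notes, not taken from Nmap's source) models a simplified target stack in two flavours, RFC 793-compliant and Windows, applies the per-scan-type decision rules, and shows concretely why an XMAS scan reports every port on a Windows host as closed. The stack model and the idle-scan IP ID arithmetic are deliberately simplified assumptions; real stacks have more special cases.

```python
# Flags carried by each probe type discussed above.
PROBE_FLAGS = {
    "syn": frozenset({"SYN"}),
    "connect": frozenset({"SYN"}),   # the OS completes the handshake afterwards
    "fin": frozenset({"FIN"}),
    "null": frozenset(),
    "xmas": frozenset({"FIN", "PSH", "URG"}),
}


def target_reply(stack, port_open, flags):
    """Simplified model of how a target answers one TCP probe.

    stack: "rfc793" (Linux, BSD, most Unix) or "windows". Returns the reply
    ("SYN/ACK" or "RST") or None when the probe is silently dropped.
    """
    if "SYN" in flags:
        return "SYN/ACK" if port_open else "RST"
    # FIN / NULL / XMAS family: no SYN, no ACK in the probe.
    if not port_open:
        return "RST"                                   # RFC 793: closed port resets
    return "RST" if stack == "windows" else None       # RFC 793: open port drops; Windows resets anyway


def port_state(scan, reply):
    """Turn a reply into the port state Nmap would report for that scan type."""
    if reply == "ICMP-UNREACHABLE":
        return "filtered"
    if scan in ("syn", "connect"):
        return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[reply]
    if scan in ("fin", "null", "xmas"):
        return {"RST": "closed", None: "open|filtered"}[reply]
    if scan == "udp":
        return {"DATA": "open", "ICMP-PORT-UNREACHABLE": "closed", None: "open|filtered"}[reply]
    raise ValueError("unknown scan type: " + scan)


def idle_scan_state(zombie_ipid_before, zombie_ipid_after):
    """Infer a port's state from how far the zombie's IP ID advanced.

    The zombie sends one packet answering the scanner's own follow-up probe,
    plus one RST per SYN/ACK the target sent it (which happens only for an
    open port), so +2 means open and +1 means closed or filtered.
    """
    delta = (zombie_ipid_after - zombie_ipid_before) & 0xFFFF   # 16-bit wrap-around
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable: zombie is not idle or uses unpredictable IP IDs"


def simulate(scan, stack, port_open):
    """Run one probe of the given scan type against the modelled target."""
    return port_state(scan, target_reply(stack, port_open, PROBE_FLAGS[scan]))


if __name__ == "__main__":
    for scan in ("syn", "fin", "null", "xmas"):
        for stack in ("rfc793", "windows"):
            print(f"{scan:5} vs {stack:7}: open port -> {simulate(scan, stack, True):14} "
                  f"closed port -> {simulate(scan, stack, False)}")
```

Reading the matrix: against an RFC 793 stack the FIN/NULL/XMAS family can only ever say "closed" or "open|filtered", which is why Nmap pairs it with a SYN scan when it matters; against Windows it says "closed" for everything and is useless.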
Banner Grabbing and OS Fingerprinting
Banner grabbing is the process of opening a connection to a service on a
remote system and reading the greeting or headers it sends back. The banner
usually names the software and its version, which in turn hints at the
operating system underneath.
• Many email, FTP, and web servers respond to a plain telnet or netcat
connection with their product name, version, and sometimes the OS name.
Hacking Tools:
1. SolarWinds Toolset, Queso, Harris Stat, and Cheops – Network
management and OS-detection tools.
2. Netcraft and HTTrack – Used for passive reconnaissance (hosting history
and website mirroring respectively).
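The banner text itself is only useful once it is reduced to product, version and an OS hint, which is the step the slides describe in words. The following is an added example written for these notes, not code from the page or from any listed tool: `grab_banner` does what `nc -v host 80` or telnet does by hand, and `parse_banner` extracts the fields from a set of constructed banners (assumptions about what the named services send, not real captures). Only the parsing part runs here; the socket function is network I/O for use against authorised targets.

```python
import re
import socket

# Constructed banners as several common services would send them on connect
# (or, for HTTP, in reply to a HEAD request). Sample data for this example.
SAMPLE_BANNERS = {
    ("203.0.113.10", 22): "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    ("203.0.113.10", 21): "220 (vsFTPd 3.0.3)\r\n",
    ("203.0.113.11", 25): "220 mail.example.com ESMTP Postfix (Debian/GNU)\r\n",
    ("203.0.113.12", 80): "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n\r\n",
    ("203.0.113.13", 80): "HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n",
}

# (pattern, product label) pairs tried in order; group 1 is the product when the
# label is None, group 2 (if the pattern has one) is the version.
PATTERNS = [
    (re.compile(r"^SSH-[\d.]+-(OpenSSH)_(\S+)"), "OpenSSH"),
    (re.compile(r"\((vsFTPd) ([\d.]+)\)"), "vsFTPd"),
    (re.compile(r"ESMTP (Postfix)\b"), "Postfix"),
    (re.compile(r"^Server: ([^/\r\n]+)(?:/([^\s\r\n]+))?", re.MULTILINE), None),
]

# Substrings that betray the OS even when the product itself is cross-platform.
OS_HINTS = {"ubuntu": "Ubuntu Linux", "debian": "Debian Linux",
            "microsoft": "Windows", "win32": "Windows"}


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Connect, optionally send a probe (e.g. b"HEAD / HTTP/1.0\\r\\n\\r\\n" for
    web servers), and return the first thing the service says. Network I/O:
    run only against systems you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(1024).decode("latin-1", errors="replace")


def parse_banner(banner):
    """Reduce a raw banner to product, version and an OS hint (None if unknown)."""
    product = version = None
    for pattern, label in PATTERNS:
        m = pattern.search(banner)
        if m:
            product = label or m.group(1)
            version = m.group(2) if m.re.groups >= 2 else None
            break
    lowered = banner.lower()
    os_hint = next((name for key, name in OS_HINTS.items() if key in lowered), None)
    return {"product": product, "version": version, "os_hint": os_hint}


def fingerprint_all(banners):
    """Apply parse_banner to a {(host, port): banner} map, keyed as host:port."""
    return {f"{host}:{port}": parse_banner(b) for (host, port), b in banners.items()}


if __name__ == "__main__":
    for target, info in fingerprint_all(SAMPLE_BANNERS).items():
        print(target, info)
```

The nginx line illustrates the defence in step 4 of the methodology: a server configured to send only "Server: nginx" (no version) gives the parser a product but nothing to look up in a CVE database, and a server that omits the header entirely gives it nothing at all.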
Active vs Passive Fingerprinting
Active Fingerprinting
• Sends specially crafted packets to the target OS and analyzes the responses.
• Compares the responses with a database of known signatures to identify the OS.
• TCP/IP stack variations (initial TTL, window size, TCP option ordering) help
distinguish different OS types.
• Easily detected by IDS or other security systems.
Passive Fingerprinting
• Gathers OS information without direct interaction with the target.
• Uses banner grabbing from error messages, analysis of captured network traffic,
and checking page extensions (e.g., .aspx suggests Windows/IIS).
• Less accurate but harder to detect than active fingerprinting.
Summary
• SYN scanning and banner grabbing are critical techniques for both ethical
hackers and attackers.
• They help identify live systems, open ports, and OS/software versions.
• Security professionals should use firewalls and IDS to detect and block
unauthorised reconnaissance, and SYN cookies to keep servers responsive when a
flood of SYN packets (a SYN flood rather than a scan) arrives.
Assignment (Given Date: 05.03.25, Submission Date: 13.03.25)
1. What is reconnaissance in ethical hacking? Describe passive and active
reconnaissance techniques with examples of tools used for gathering
information from DNS, email servers, and social engineering methods.
2. Compare and contrast different types of port scanning techniques. Discuss
their advantages, disadvantages, and real-world use cases in both ethical
hacking and cyber attack.