2. Reconnaissance


Cyber Primer Online Learning



Course Description

This module will introduce some techniques used for reconnaissance and social engineering. The software simulations introduce some of the methods and software that can be used in reconnaissance.

  • Reconnaissance
  • Social Engineering
  • Twitter Profiling
  • Google Hacking
  • Maltego

Intended Audience

Although perceived as an IT issue, cyber security is, in fact, a subject relevant to all business units. Cyber Primer is aimed at anyone with an interest in cyber security, whether they are looking to pursue a career as a penetration tester, or just want to get a feel for the world of cyber security.


There are no prerequisites for this course; however, participants are expected to have a basic understanding of computers and the internet.


We welcome all feedback and suggestions - please contact us at qa.elearningadmin@qa.com to let us know what you think.


The first stage of the cyber kill chain is recon. In this video, you'll be looking at some of the tools a threat actor can use to conduct recon on a target and build up a profile. You will cover:

- How to use Maltego to map large areas of an organization's human and technological attack surfaces.

- How to use Shodan to find and connect to unsecured devices.

- How to craft searches with Twitter to expand your attack surface and track individual users' movements.

- How to craft searches with Google to uncover information leaks.

- How to craft searches with Facebook to understand your own online presence.

- What social engineering is and some of the tools used to perform it.


During the recon stage, a threat actor will attempt to discover most of the information they need from open source intelligence, which is information that is freely available online. This can often be done without directly connecting to the target systems, which is called passive reconnaissance. They can also interact directly with target systems using network scanning tools that can detect the specific version of the operating system running on the remote system, the specific versions of the services being hosted on it, the rules enforced on firewalls, vulnerabilities that exist on remote systems, the DNS configuration, and active subdomains that are not advertised or discoverable through search engines. Using special operators within search engines like Google, the attacker can uncover all kinds of information that an organization thought was hidden.


This could be internal documents: not only is the information in these documents valuable, but they may also contain metadata, and that metadata may reveal the internal usernames of employees, which could enable online password attacks later on. It could also be exposed services such as online mail clients like Outlook Web Access, VPN endpoints, remote desktop connections, file servers and security cameras.


The first port of call for passive recon is Google, in a process known as Google Hacking. Google hacking is not about hacking Google itself. It's a way of crafting searches that leverages Google to uncover information that an organization thought was hidden.


Google hacking allows us to uncover all kinds of things, such as a school database, backups, internal documents, passwords for a target's email address, and directories used by web servers for backups. It was invented by Johnny Long and has since spawned the Google Hacking Database, which is full of crafted search terms to discover all kinds of useful information. Google Hacking utilizes Google's inbuilt search operators to perform very specific searches that return only one kind of result. If we can define the thing we are looking for by using keywords, we can potentially find hidden domains, file extensions, directories, web page titles and specific strings such as @live.co.uk or @gmail.com.


The Google hacking database contains multiple Google search operators to locate very specific information. These combinations of search operators are known as Google dorks. Further to Google, a threat actor may also use Shodan. Shodan is a search engine like Google.


However, it is not used to find web pages. Instead, it is used to find unsecured devices that are exposed to the internet. It's an immensely powerful tool that allows a threat actor to search through IP address ranges that are known to belong to the target and discover devices that are not properly secured. These can be anything from webcams, toothbrushes and smart TVs through to industrial control systems that manage and control industrial processes.


These systems may control immense forces, such as nuclear or hydroelectric power stations. Shodan can be used to target and investigate a specific set of target IP addresses or ranges, or can simply be used to find all devices that are, say, vulnerable to Shellshock or Heartbleed attacks, wherever they may exist. After finding all of this open source information, it's useful to collate it. The entities discovered during an open source investigation can get out of hand quickly as new information is fed back into the intelligence cycle.


Maltego is an open source tool that can be used to collate all of the information gathered. Maltego can automate intelligence gathering, visualize the relationships between entities, uncover domain usernames from document metadata, uncover contact information from WHOIS, and locate employees' social media accounts.
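Both the document-metadata leak noted earlier and the username harvesting Maltego performs come down to the same OOXML core-properties part (docProps/core.xml) inside .docx, .xlsx and .pptx files. The Python below is an added example, not part of the course material or of Maltego: it audits that part in a constructed sample document and scrubs it before publication; the field list and the account-shape heuristic are this example's own assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Core-properties namespaces shared by .docx, .xlsx and .pptx packages (docProps/core.xml).
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the prefixes stable when re-serialising
IDENTITY_FIELDS = ("dc:creator", "cp:lastModifiedBy")  # assumed: fields that usually carry a name or login
# Assumed heuristic: values shaped like an account (DOMAIN\user, e-mail, first.last) rather than a display name.
ACCOUNT_RE = re.compile(r"^[\w.-]+\\[\w.-]+$|^[\w.-]+@[\w.-]+\.\w+$|^[a-z]+\.[a-z]+$")

def read_core_properties(doc_bytes):
    """Return the non-empty identity fields of docProps/core.xml as {field: value}."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {f: v for f in IDENTITY_FIELDS if (v := root.findtext(f, default="", namespaces=NS))}

def find_account_leaks(props):
    """Subset of the properties whose value matches the assumed account-name heuristic."""
    return {f: v for f, v in props.items() if ACCOUNT_RE.match(v)}

def scrub_core_properties(doc_bytes):
    """Copy the package, blanking the identity fields in core.xml; every other part is untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for field in IDENTITY_FIELDS:
                    el = root.find(field, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()

# Constructed sample: a minimal package holding only core.xml, created from a domain account.
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>Q3 budget</dc:title>
 <dc:creator>CORP\\j.smith</dc:creator><cp:lastModifiedBy>Jane Smith</cp:lastModifiedBy></cp:coreProperties>"""

def build_sample_doc():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()
```

On the sample, `find_account_leaks` flags only `dc:creator` (`CORP\j.smith`), and after `scrub_core_properties` both identity fields read back empty while the document body parts are untouched.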


Maltego is excellent at mapping both the human and the technological attack surfaces. After scoping the target organization, the threat actor may then need to gain details from personnel at the target organization, such as usernames and passwords, to gain access to the systems.


Acquiring these details is often done via social engineering. Social engineering is a method of using human interaction and social skills to obtain or compromise information about an organization or its computer systems. Targets could be key personalities within the organization, such as system administrators, C-suite individuals like the CEO or CIO, and developers.


The attacker could then look for a key target's personal interests. Understanding what a person's interests are provides the foundation for any social engineering attack. For example, knowing that someone likes to refurbish vintage cars would allow an attacker to approach them with a service that may be of interest.


The attacker may also target a key personality's friends. It might be that an individual has secured their online presence, but their friends may not have. A friend sharing photos on social media may reveal a target's location, and frequent photos at the same bar, say after work on a Friday, may clue the attacker in on a regular pattern. Facebook is a massively powerful tool for connecting people, groups, teams and colleagues and is used by approximately 2.4 billion people worldwide. Privacy of posts and content on Facebook is determined by the author of that content. An unintended consequence of this is that users who lock down their privacy settings are left with the impression that everything they do on Facebook is private. This assumption is a mistake. By performing crafted searches on Facebook, a threat actor can reveal comments that a user has made on a less private post, photos that a user has been tagged in on a less private post, event invitations where the owner of that event has set privacy to public (which is almost always the case), events that the user intends to attend in the future, and locations that the user has checked into. This information can all be used for social engineering.


Twitter is used by approximately 330 million users worldwide. It can provide an insight into the lives of its users, as well as their whereabouts. This information can be queried by anyone through the Twitter developer API. A threat actor can harvest all tweets from a specific area, the location of a user while they are tweeting, the frequency of a user's tweets, and a user's frequent tweeting locations and the times at those locations. This information can be used to build up a profile of a target in real time.


In this video, we've looked at some of the tools a threat actor has at their disposal, including how Shodan can be used to discover and connect to unsecured devices, how Google can be used to uncover sensitive data leaks, how Maltego can quickly map large portions of an organization's human and technological attack surface, and social engineering and how social media can be used to harvest a target's information: how Facebook can be used to see data a user thought was protected, building the foundation for social engineering attacks, and how Twitter can be used to expand the attack surface. You'll now have the opportunity to try some of these tools yourself. Watch the simulation videos, then have a go at them yourself.

About the Author

Originating from a systems administration/network architecture career, he spent a solid part of it building networks for educational institutes. With security being a mainstay of his implementations, he grew a strong passion for everything cyber orientated, especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder and elected for the CCNP Cyber Ops program.