Digital Reconnaissance & Recon Tools

The old adage, “knowledge is power,” is true in general, but in information security (infosec), knowledge is mission critical. Knowing what systems you have on your network isn’t just a “nice idea.” It is essential to ensuring that those systems are properly installed, maintained, and configured. Ditto for knowing what information about your organization is publicly accessible.

“Footprinting,” “reconnaissance,” or just “recon,” is one of the first things any attacker does before engaging a target, and for good reason. Before an attacker does anything, they want to find out as much as possible about their potential target. These days, there are a lot of tools and resources available to make recon comparatively easy, and if you want to protect your own organization, you should be using them, too.

Bob Brown’s SANS whitepaper, “Footprint Your Intranet,” discusses the importance of using modern scanning tools to properly map your organization’s intranet. While the scope of his paper is limited to mapping the internal network(s), it is an easy stretch to extend the idea to documenting and monitoring your organization’s entire footprint, both internal and external. Brown states that mapping your internal resources needs to be part of an overall cybersecurity program, and he is absolutely right. Once you have an initial network map, updating it is comparatively easy. What’s more, periodic scans help ensure that, as your infrastructure evolves, your domain knowledge and documentation remain current.

Comprehensive recon doesn’t just address internal networks, however. In my role as a technical editor for a company that does penetration testing, I have seen hundreds of pentest reports, and once the scope of an engagement has been established, the first action step taken is always recon. This is true for external, internal, and web app engagements alike.

For internal and external network scans, a lot of tools are available, but the one I see professional pentesters use most is Nmap. After all, it’s free, powerful, versatile, well maintained, and backed by strong community support. Yes, there is a bit of a learning curve before full mastery of Nmap is possible, but the effort involved can bear amazing fruit. And don’t forget the strong community support aspect. If you are struggling to figure out how to scan something in particular, it is likely that someone else has faced the same challenge and found a workable solution.
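The periodic re-scan idea above can be automated by diffing two Nmap XML reports (`nmap -oX`) of your own network. The following is an added example, not code from the original post or from the Nmap project; the function names and the embedded sample scans are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample scans in Nmap XML (-oX) format; addresses are made up.
BASELINE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""
CURRENT_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.23" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""

def open_services(nmap_xml):
    """Map (ip, proto, port) -> service name for each open port on an 'up' host."""
    found = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        status = host.find("status")
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)  # skip MAC entries
        if addr is None or status is None or status.get("state") != "up":
            continue
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is not None and state.get("state") == "open":
                key = (addr, port.get("protocol"), int(port.get("portid")))
                found[key] = svc.get("name") if svc is not None else "unknown"
    return found

def footprint_drift(baseline_xml, current_xml):
    """Compare two scans of one scope; hosts count only if they expose an open port."""
    old, new = open_services(baseline_xml), open_services(current_xml)
    return {
        "new_hosts": sorted({k[0] for k in new} - {k[0] for k in old}),
        "gone_hosts": sorted({k[0] for k in old} - {k[0] for k in new}),
        "opened": sorted((k, new[k]) for k in new if k not in old),
        "closed": sorted((k, old[k]) for k in old if k not in new),
    }

if __name__ == "__main__":
    for kind, items in footprint_drift(BASELINE_XML, CURRENT_XML).items():
        print(kind, items)
```

Every entry under `new_hosts` or `opened` is something your documentation does not yet cover and should be explained or remediated. Nmap's bundled `ndiff` utility offers a ready-made comparison of two XML scans as well.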

For web app testing, Nessus, Burp Suite, and Nikto are popular, powerful, and configurable. Nessus is an automated scanner that can scan a wide range of network devices and export the scan results to a variety of formats. It also ties detected vulnerabilities to the associated CVEs, and the reports include information and links about potential mitigation steps. The thing to be careful about with Nessus, however, is that it tends to throw a lot of false positives. For that reason, the best way to use Nessus is to run an initial scan to help identify potentially interesting systems, then manually verify whether or not a reported vulnerability actually exists.

Burp Suite is much less of a point-and-click sort of tool, and is an excellent way to reality-check Nessus results. Burp has scanning and mapping features, along with an impressive array of exploitation features. If I had known about Burp when I was still doing web development, I know I would have used it religiously on every web app and site I touched. If you want to find out for yourself, a lot of Burp Suite’s features are available in the free version, but if you want to really unlock its power, you will want to go pro.

Klaatu, barada, nikto…

Nikto is more like Nmap in that 1) it is a command-line tool, 2) it has a bit of a learning curve, and 3) it has a lot of community support and love. Unlike Nmap, Nikto is less about networks in general and more about web servers in particular. It identifies installed software via headers, favicons, and files; it can perform subdomain guessing; it can scan multiple ports or servers based on an input file; and it can be run through a proxy.

Another excellent tool for web app testing is the Wappalyzer web browser plug-in/addon. Unlike the other web tools referenced above, Wappalyzer helps you identify which specific components were used in a website. That can help you identify out-of-date components, which may have vulnerabilities.

And good old-fashioned OSINT using Google dorks is the way to go if you want to find out more about an organization (or individual) in general.

You would be amazed at how many organizations are ignorant of their organizational footprint, and just how much information you can discover in a very short time using some or all of the tools referenced above. Do you really want others to know more about your organization than you do?

Links & References

Brown, B. (2001, December 8). Footprint your intranet. SANS Institute.

Dodt, C. (2019, January 16). Top 7 web application penetration testing tools [updated 2019]. Infosec Resources.

Fyodor. (n.d.). Nmap: the Network Mapper.

Poston, H. (2019, September 17). Top 10 network recon tools. Infosec Resources.

Sector035. (2019, December 20). Google dorks. We are

Wappalyzer. (n.d.). Find out what websites are built with.
