Hack the Stack: Cisco Ethical Hacking and Active and Passive Recon with Kali Linux OSINT
Alexander Stevenson
Technical Advocate @ Learn with Cisco
Agenda
Cisco Networking Academy
Ethical Hacker course
Module 3: Information Gathering and Vulnerability Scanning
3.1 Performing Passive Reconnaissance
3.2 Performing Active Reconnaissance
3.3 Understanding the Art of Performing Vulnerability Scans
3.4 Understanding How to Analyze Vulnerability Scan Results
© 2025 Cisco and/or its affiliates. All rights reserved.
Reconnaissance
Reconnaissance (Recon) is always the initial step in both cyber attack and
defense. A hacker must first gather information about the target in order to be
successful.
There are two types of reconnaissance:
Passive reconnaissance is a method of listening and information gathering in
which the tools do not interact directly with the target device or network.
Active reconnaissance is a more offensive and intrusive method of information
gathering in which the tools used actually send out probes to the target network
or systems.
3.1 Performing Passive Reconnaissance
Open Source Intelligence (OSINT) from an ethical hacking perspective involves
the collection and analysis of information that is publicly available to identify
vulnerabilities, gather data about targets, or understand the security posture of
an organization.
OSINT techniques are ethical and legal, involving the use of publicly accessible
sources such as:
• Public websites and forums
• Social media platforms
• Government and public records
• Search engines
• Open databases
3.2 Performing Active Reconnaissance
With each step of the information gathering phase, the goal is to gather
additional information about the target. The process of gathering this
information by sending specific requests or probes is called enumeration.
This is distinct from fingerprinting, which identifies specific operating
systems, software versions, and so on, typically through port scanning.
Example:
• You enumerate the hosts on a subnet.
• Then, you fingerprint the OS of each host.
3.2 Performing Active Reconnaissance
Enumeration:
• Host, User, and Operating System Enumeration
• Network Share Enumeration
• Additional SMB Enumeration Examples
• Web Page/Web Application Enumeration (Content Discovery)
Fingerprinting:
• Operating System Fingerprinting
• Service Version Fingerprinting (e.g., SSH, HTTP, FTP versions)
• Application Framework Fingerprinting (e.g., WordPress, Joomla, ASP.NET)
• Device Type Fingerprinting (e.g., router, switch, firewall)
3.3 Understanding the Art of Performing Vulnerability Scans
The type of vulnerability scan to use is usually driven by the scan policy that is
created in the automated vulnerability scanning tool. Be careful to select only the
scan options that are less likely to cause issues. Let's take a closer look at the
following typical scan types:
• Unauthenticated Scans
• Authenticated Scans
• Discovery Scans
• Full Scans
• Stealth Scans
• Compliance Scans
3.3 Understanding the Art of Performing Vulnerability Scans
With spidering or crawling, we generally do not interact with the server in
ways that would expose vulnerabilities (no probing for hidden data). Crawling
can be considered active if the crawler intentionally requests hidden URLs or
non-linked content (e.g., brute-forcing URL paths), but in standard usage it
is mostly observational (passive).
Goal: Collect publicly available content.
How it works: Automated scripts (like search engine bots) follow links to
index pages.
Use case: Mostly for indexing sites for search engines or data collection.
Example: Googlebot crawling all pages on a website.
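As an added example (not from the course or this deck), the observational behaviour described above: a link-following crawler run against a constructed in-memory site that stands in for HTTP fetches. It reaches only content linked from the start page and stays on the starting host; the unlinked /admin-backup/ path (a constructed name) is never requested, which is the line between standard crawling and active content discovery.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site (path -> HTML) standing in for real HTTP responses so the
# example runs offline. "/admin-backup/" exists but no page links to it.
BASE = "https://www.example.com"
SITE = {
    "/": '<a href="/about">About</a> <a href="/blog/">Blog</a> <a href="https://other.example/">Partner</a>',
    "/about": '<a href="/">Home</a> <a href="/contact">Contact</a>',
    "/blog/": '<a href="/blog/post-1">Post 1</a> <a href="/about">About</a>',
    "/blog/post-1": '<a href="/blog/">Back to blog</a>',
    "/contact": "<p>No outgoing links here.</p>",
    "/admin-backup/": "<p>Unlinked content a standard crawl never sees.</p>",
}


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags, the only discovery mechanism an observational crawler uses."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(path):
    """Stand-in for an HTTP GET against the constructed site (None plays the role of a 404)."""
    return SITE.get(path)


def crawl(start="/", max_pages=100):
    """Observational crawl: follow links found in fetched pages, stay on the start host,
    never guess paths. Returns the list of paths requested, in crawl order."""
    queue, requested = [start], []
    while queue and len(requested) < max_pages:
        path = queue.pop(0)
        if path in requested:
            continue
        requested.append(path)
        body = fetch(path)
        if body is None:
            continue  # nothing to extract links from
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            url = urlparse(urljoin(BASE + path, href))
            if url.netloc != urlparse(BASE).netloc:
                continue  # off-host link: out of scope
            target = url.path or "/"
            if target not in requested and target not in queue:
                queue.append(target)
    return requested
```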
3.4 Understanding How to Analyze Vulnerability Scan Results
Running a vulnerability scan is really the easy part of the information
gathering and vulnerability identification process. The majority of the work
goes into analyzing the results you obtain from the tools you use for
vulnerability scanning. These tools are not foolproof; they can provide
false positives, and the false positives need to be sorted out to determine
what the actual vulnerabilities are.
When you are providing a report as a deliverable of a paid penetration
testing assignment, it is especially important that the report be accurate.
3.4 Understanding How to Analyze Vulnerability Scan Results
How do you prioritize your findings for the next phase of your penetration test?
To determine the priority, you need to answer a few questions:
• What is the severity of the vulnerability?
• How many systems does the vulnerability apply to?
• How was the vulnerability detected?
• Was the vulnerability found with an automated scanner or manually?
• What is the value of the device on which the vulnerability was found?
• Is this device critical to your business or infrastructure?
• What is the attack vector, and does it apply to your environment?
• Is there a possible workaround or mitigation available?
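As an added example (not from the course materials), the prioritization questions above turned into a repeatable triage step over constructed scanner output: findings are grouped per vulnerability so "how many systems" is answered once, scored by severity against a constructed asset-value inventory, discounted when only an unvalidated scanner reported them, and pushed down when the attack vector does not apply to the environment or a mitigation is already in place. The weights and host/vulnerability names are illustrative assumptions.

```python
from collections import defaultdict

# Constructed scanner findings (not real scan output): one row per host/vulnerability pair.
FINDINGS = [
    {"host": "10.0.0.5", "id": "ssl-weak-cipher", "severity": "medium", "detected_by": "scanner", "vector": "network", "confirmed": False},
    {"host": "10.0.0.6", "id": "ssl-weak-cipher", "severity": "medium", "detected_by": "scanner", "vector": "network", "confirmed": False},
    {"host": "10.0.0.7", "id": "ssl-weak-cipher", "severity": "medium", "detected_by": "scanner", "vector": "network", "confirmed": False},
    {"host": "10.0.0.9", "id": "smb-signing-disabled", "severity": "medium", "detected_by": "manual", "vector": "adjacent", "confirmed": True},
    {"host": "10.0.0.20", "id": "outdated-cms", "severity": "high", "detected_by": "scanner", "vector": "network", "confirmed": False},
    {"host": "10.0.0.21", "id": "local-priv-esc", "severity": "high", "detected_by": "scanner", "vector": "local", "confirmed": False},
]
# Constructed asset inventory: business value 1..5 ("is this device critical?"); unknown hosts default to 2.
ASSET_VALUE = {"10.0.0.20": 5, "10.0.0.9": 4, "10.0.0.21": 3}
# Attack vectors reachable in this environment ("does the vector apply to your environment?").
APPLICABLE_VECTORS = {"network", "adjacent"}
# Vulnerabilities for which a workaround or mitigation is already in place.
MITIGATED = {"local-priv-esc"}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1, "info": 0}  # illustrative weights


def prioritize(findings, asset_value, applicable, mitigated):
    """Group findings by vulnerability, score each group against the deck's questions and
    return them sorted from highest to lowest priority."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["id"]].append(f)
    ranked = []
    for vid, rows in groups.items():
        hosts = sorted({r["host"] for r in rows})
        severity = SEVERITY_WEIGHT[rows[0]["severity"]]
        top_asset = max(asset_value.get(h, 2) for h in hosts)
        # "How was it detected?": manual or otherwise confirmed findings are trusted;
        # scanner-only hits may be false positives and are discounted until validated.
        confirmed = any(r["confirmed"] or r["detected_by"] == "manual" for r in rows)
        score = severity * top_asset          # severity x value of the most valuable affected device
        score += 2 * (len(hosts) - 1)         # "how many systems?": wider exposure raises priority
        score *= 1.0 if confirmed else 0.7
        if rows[0]["vector"] not in applicable:
            score *= 0.25                     # vector not reachable here
        if vid in mitigated:
            score *= 0.5                      # workaround already in place
        ranked.append({"id": vid, "hosts": hosts, "score": round(score, 1),
                       "needs_validation": not confirmed})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def triage_report():
    """Run the triage over the constructed findings and inventory."""
    return prioritize(FINDINGS, ASSET_VALUE, APPLICABLE_VECTORS, MITIGATED)
```

The `needs_validation` flag marks the groups a tester should confirm by hand before they reach the report, which is where the false-positive sorting described on the previous slide happens.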
Take the Ethical Hacker course on the Cisco Networking Academy today:
https://www.netacad.com/
Thank you