Publicly available reconnaissance techniques, including web and newsgroup searches, Network Information Center (NIC) WHOIS querying, and Domain Name System (DNS) probing, are used to collect data about the structure of the target network from the Internet without actually scanning the network or necessarily probing it directly.

Initial reconnaissance is very important because it identifies hosts that aren’t properly fortified from attack. A determined attacker invests time in identifying peripheral networks and hosts, while companies and organizations concentrate their efforts on securing obvious public systems (such as public web and mail servers) but neglecting hosts and networks that lay off the beaten track.

It may well be the case that a determined attacker also enumerates networks of third party suppliers and business partners that, in turn, have access to the target network space. Nowadays such third parties often have dedicated links into areas of internal corporate network space through VPN tunnels and other links.

Key pieces of information that are gathered through initial reconnaissance include details of Internet-based network blocks, internal IP addresses gathered from DNS servers, insight into the target organization’s DNS structure (including domain names, subdomains, and hostnames), and IP network relationships between physical locations.

This information is then used to perform structured bulk network scanning and probing exercises to assess further the target network space and investigate potential vulnerabilities. Further reconnaissance involves extracting user details (including email addresses), telephone numbers, and office addresses.

After identifying public IP network blocks that are related to the target network space, analysts should carry out bulk TCP, UDP, and ICMP network scanning and probing to identify active hosts and accessible network services (e.g., HTTP, FTP, SMTP, POP3, etc.), that can in turn be abused to gain access to trusted network space.

Key pieces of information that are gathered through bulk network scanning include details of accessible hosts and their TCP and UDP network services, along with peripheral information such as details of ICMP messages to which target hosts respond, and insight into firewall or host-based filtering policies.

After gaining insight into accessible hosts and network services, analysts can begin offline analysis of the bulk results and investigate the latest vulnerabilities in accessible network services.