Passive reconnaissance includes any attempt to gather data on a network without the attacker engaging directly with their target. This form of reconnaissance is much slower than active reconnaissance, and doesn’t always produce actionable information. On the upside, there is virtually no chance the intended target will detect the passive reconnaissance attempt.
Passive and Active Reconnaissance
Any attempt to gather information about a computer or a network is considered reconnaissance. For attackers, the difference between passive and active reconnaissance is whether or not the information is acquired through direct contact with the system being attacked.
Passive reconnaissance occurs when information is gathered from the targeted system without engaging with the system directly, while active reconnaissance is the gathering of information via direct contact with the system.
Imagine a detective is looking into a murder case. Information about the case acquired through interviews, depositions, court proceedings, or anything involving contact with persons of interest would be analogous to active reconnaissance. The detective is interacting directly with the people involved or suspected.
The behind-the-scenes work on the case – such as reading case files, watching old footage, or performing general research about the murder – is analogous to passive reconnaissance. The detective is not directly engaging with any persons of interest, but is still collecting valuable information about the case.
Just like with cyber security, in the analogy above the indirect research is performed first. Only after a sizable amount of data is collected does the detective start bringing in people and gathering data via direct interaction with the people of interest.
Passive reconnaissance is generally the first step of any cyber attack since it allows the attacker to collect information without the potential of alerting the victim of the attack. Active reconnaissance, on the other hand, bears the risk of alerting the target of the attack. This is why attackers usually undertake passive reconnaissance before trying active reconnaissance.
You can learn more about active reconnaissance in our complete guide on the subject.
Common Passive Reconnaissance Techniques
The types of potential information attackers are trying to gather when performing passive reconnaissance are network IPs that are publicly listed, URLs, API endpoints, domain names, emails, usernames, employee information, software versioning, stack information, and anything else that may be helpful in the future when performing an impending cyber attack.
Much of this information can be found simply by going to a site and using Inspectlet or a similar tool. If API endpoints are exposed or have suboptimal security on them, an attacker can find this and make note of it.
Free tools like Wget allow anyone to download content from web servers with a simple Linux command. From these downloads, attackers can glean information such as the hardware used, the software operating system, the stack used in the software, or sometimes even the versions of installed packages.
Package versioning can be extremely helpful for an attacker in the event that they are aware of a zero-day exploit in any of the packages. This is why it is always best practice to keep packages up to date.
Recently, GitHub launched an automated tool called Dependabot that analyzes repository dependencies and warns the owner of the repository of all known vulnerabilities for any package version. It will even recommend the safest version of the package to install and use instead. Paying attention to tools like this can help keep companies safe.
Probably the most common passive reconnaissance tools are public hacking search engines, such as the Google Hacking Database. This database and others like it are full of common vulnerabilities on large sites, hacking tactics to try, potential ways to break into systems, etc. It is good practice for security engineers to search for their own domains on the engine to make sure there is no glaring vulnerability in their system for the world to see.
How to Protect Against Passive Reconnaissance
Unlike active reconnaissance, the point of passive reconnaissance is for the attacker to go unnoticed. It is difficult if not impossible to detect someone performing passive reconnaissance on a network, and therefore the best measures to safeguard information against passive reconnaissance are all preventative.
Some ideas for preventing an attacker from successfully performing passive reconnaissance are:
- Make as much code, network information, usernames, IPs, etc. as private as possible
- Keep repository packages up to date
- Use long passwords and change passwords often
- Ensure that code and endpoints exposed to the public are not exploitable and require some form of authentication
- Use key vaults or secret managers to prevent API and security keys from being exposed to the public
Probably the best way to prevent sensitive information from being exposed is to have engineers perform passive reconnaissance on their systems to see what they can find. Anything that they find that they don’t want public (such as domains, keys, and IP addresses) can be regenerated and made private. Passive reconnaissance is difficult to prevent, but routine self-reconnaissance efforts can catch potential vulnerabilities and fix them before they become actual problems.
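A self-check in the spirit of the paragraph above, and of the earlier point that downloaded responses reveal software and package versions: this added example (not part of the original article) scans a saved HTTP response from your own site for version-disclosing headers, generator tags and asset names. The function name, header list and both sample responses are constructed for illustration.

```python
import re
from email.parser import Parser

# Headers that commonly reveal server or framework versions (illustrative list).
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
# Asset URLs carrying a version, e.g. /js/jquery-1.12.4.min.js
ASSET_RE = re.compile(r'(?:src|href)=["\']([^"\']*?\d+(?:\.\d+)+[^"\']*)["\']', re.I)

def find_disclosures(raw_response):
    """Return (location, value) pairs where the response exposes a version."""
    text = raw_response.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")          # headers end at first blank line
    _status, _, header_block = head.partition("\n")  # drop the status line
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append(("header:" + name, value))
    for m in GENERATOR_RE.finditer(body):
        if VERSION_RE.search(m.group(1)):
            findings.append(("meta:generator", m.group(1)))
    findings += [("asset", m.group(1)) for m in ASSET_RE.finditer(body)]
    return findings

# Constructed sample: a response from a default-configured server.
LEAKY = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html

<html><head>
<meta name="generator" content="WordPress 5.4.2">
<script src="/js/jquery-1.12.4.min.js"></script>
</head><body>Hello</body></html>
"""
# Constructed sample: the same page once banners and version strings are removed.
HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

<html><head><script src="/js/app.min.js"></script></head><body>Hello</body></html>
"""

if __name__ == "__main__":
    print(find_disclosures(LEAKY), find_disclosures(HARDENED))
```

Each finding is something to suppress in server or framework configuration, or a component whose version should be checked against known vulnerabilities.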