Reconnaissance is the mission to obtain information by visual observation or other detection methods, about the activities and resources of an enemy or potential enemy, or about the meteorologic, hydrographic, or geographic characteristics of a particular area. In Cyber Security, the art is quite the same with some modifications. Today we will be writing about active and passive recon in the cyber realm; the differences are numerating the activity using external infrastructure. Basic OPSec:

  1. Use TOR.
  2. Use Algo before connecting to TOR.

Tools: Using VirusTotal for subdomains in the “Observed Subdomains”: title="" Using Censys for You can use SSL Certificates to gather details on internal domains and other domains within the environment: Below is a python script to scrape the details of a HTTPSSL Certificate in JSON format: [cce_bash width=”100%” theme=”blackboard”] #!/usr/bin/env python3 “"”Show server’s certificate as json. Usage: $ %(prog)s HOST [PORT] “”” import json import socket import ssl import sys def getcert(addr, timeout=None): “"”Retrieve server’s certificate at the specified address (host, port).””” # it is similar to ssl.get_server_certificate() but it returns a dict # and it verifies ssl unconditionally, assuming create_default_context does with socket.create_connection(addr, timeout=timeout) as sock: context = ssl.create_default_context() with context.wrap_socket(sock, server_hostname=addr[0]) as sslsock: return sslsock.getpeercert() def main(argv): host = argv[1] port = int(argv[2]) if len(argv) > 2 else 443 print(json.dumps(getcert((host, port)), indent=2, sort_keys=True)) if __name__ == “__main__”: main(sys.argv) [/cce_bash] Now let’s install JQ to slice and transform this structured data - [cce_bash width=”100%”] python3 | jq -r ‘.notAfter, .subjectAltName[][1]’ [/cce_bash]