CHAPTER 2 Reconnaissance

... discovering and exploiting vulnerabilities. As tired as the cliché has become, the reconnaissance phase really does present the perfect opportunity to know your enemy. In most penetration testing scenarios, one is actually attacking an entity (a corporation, government, or other organization) and not an individual computer. If you accept that corporations today are frequently geographically dispersed and politically complex, you'll understand that their Internet presence is even more so. The simple fact is that if your objective is to attack the security of a modern organization over the Internet, your greatest challenge may very well be simply discovering where on the Internet that organization actually is, in its entirety.

As computer security technologies and computer security skills improve, your chances of successfully compromising any given machine lessen. Furthermore, in targeted attacks the most obvious options do not always guarantee success, and even 0-day exploits can be rendered useless by a well-designed Demilitarized Zone (DMZ) that successfully contains the attack. One might even argue that the real question for an attacker is not what the vulnerability is, but where it is. The rule is therefore simple: the more Internet-facing servers we can locate, the higher our chances of a successful compromise.

2.1 OBJECTIVE

The objective of the reconnaissance phase is therefore to map a "real-world" target (a company, corporation, government, or other organization) to a "cyberworld" target, where the cyberworld target is defined as a set of reachable and relevant IP addresses. This chapter explores the technologies and techniques used to make that translation happen. We'll also cover the human aspect of reconnaissance and how to use human reconnaissance to further map out our target.
What is meant by "reachable" is really quite simple: if you cannot reach an IP address over the Internet, you cannot directly attack it. Indirect attacks are, of course, still possible, and we will be covering some indirect penetration methods as well. Scanning for "live" or "reachable" IP addresses in a given address space is a well-established process, and we describe it when covering enumeration in Chapter 3.

The concept of "relevance" is a little trickier, however, and bears some discussion before we proceed. A given IP address is considered "relevant" to the target if it belongs to the target, is registered to the target, is used by the target, or simply serves the target in some way. Clearly, this goes far beyond simply attacking www.fake-inc.com. If Fake, Inc. is our target, then Fake's web servers, mail servers, and hosted domain name system (DNS) servers all become targets, as does the FakeIncOnline.com e-commerce site hosted by an offshore provider. It may be even more complex than that, however. If our target is a large organization or part of a large organization, we also need to factor in the political structure of that organization when searching for relevant IP addresses. As we're
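The following is an added example, not code from the book, that turns the "relevance" definition above into a small, runnable procedure: starting from seed domains such as fake-inc.com and FakeIncOnline.com, it follows the records that tie a host to the organization (the web host's A record, the MX hosts and the NS hosts) and builds the cyberworld target as a map of IP address to the reasons it is relevant. It also flags addresses reached only through hostnames outside the seed domains, which is exactly the "offshore provider" case: those hosts serve the target, but somebody else owns them, so they need their own authorization before they are touched. All domains, hostnames and addresses are constructed (documentation ranges only); the lookup function is a stand-in for a real resolver so the walk runs offline.

```python
"""Expand seed domains into a set of relevant IP addresses (added example).

Not the book's code. The DNS data below is constructed; the resolver is a
table lookup so the example runs offline. Replace `lookup` with a real
resolver to run it against a domain you are authorized to test.
"""
from __future__ import annotations

from typing import Callable, Dict, Iterable, List, Set, Tuple

# (role, seed domain, hostname that resolved to the IP)
Record = Tuple[str, str, str]
Lookup = Callable[[str, str], List[str]]

# Constructed records for the fictitious Fake, Inc. and its hosted shop.
# Addresses are from RFC 5737 documentation ranges; nothing here is real.
FAKE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("fake-inc.com", "MX"): ["mail.fake-inc.com", "mx2.mailprovider.example"],
    ("fake-inc.com", "NS"): ["ns1.fake-inc.com", "ns.hostingco.example"],
    ("www.fake-inc.com", "A"): ["198.51.100.10"],
    ("mail.fake-inc.com", "A"): ["198.51.100.25"],
    ("ns1.fake-inc.com", "A"): ["198.51.100.53"],
    ("mx2.mailprovider.example", "A"): ["203.0.113.25"],   # third-party mail relay
    ("ns.hostingco.example", "A"): ["203.0.113.53"],       # third-party DNS host
    # The e-commerce site lives on an offshore provider's address space.
    ("fakeinconline.com", "MX"): ["mx2.mailprovider.example"],
    ("fakeinconline.com", "NS"): ["ns.hostingco.example"],
    ("www.fakeinconline.com", "A"): ["192.0.2.80"],
}


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def offline_lookup(name: str, rtype: str) -> List[str]:
    """Resolver stand-in: answers only from the constructed table above."""
    return list(FAKE_RECORDS.get((_norm(name), rtype.upper()), []))


def expand_targets(domains: Iterable[str],
                   lookup: Lookup = offline_lookup) -> Dict[str, Set[Record]]:
    """Map each relevant IP to the (role, domain, host) records that justify it.

    Roles: 'apex' and 'web' for the domain itself and its www host,
    'mx' for mail exchangers, 'ns' for authoritative name servers.
    """
    relevant: Dict[str, Set[Record]] = {}

    def add(ip: str, role: str, domain: str, host: str) -> None:
        relevant.setdefault(ip, set()).add((role, domain, _norm(host)))

    for raw in domains:
        domain = _norm(raw)
        # The obvious targets: the bare domain and its public web site.
        for host, role in ((domain, "apex"), ("www." + domain, "web")):
            for ip in lookup(host, "A"):
                add(ip, role, domain, host)
        # Mail exchangers serve the target even when run by someone else.
        for mx in lookup(domain, "MX"):
            for ip in lookup(mx, "A"):
                add(ip, "mx", domain, mx)
        # Authoritative name servers: control of these is control of the domain.
        for ns in lookup(domain, "NS"):
            for ip in lookup(ns, "A"):
                add(ip, "ns", domain, ns)
    return relevant


def in_seed_domains(host: str, domains: Iterable[str]) -> bool:
    """True if host is one of the seed domains or a subdomain of one."""
    h = _norm(host)
    return any(h == d or h.endswith("." + d) for d in map(_norm, domains))


def third_party_ips(relevant: Dict[str, Set[Record]],
                    domains: Iterable[str]) -> Set[str]:
    """IPs reached only via hostnames outside the seed domains.

    These serve the target but are owned by a provider; they belong in the
    relevance map, yet attacking them needs the provider's authorization.
    """
    seeds = list(domains)
    return {ip for ip, recs in relevant.items()
            if not any(in_seed_domains(host, seeds) for _, _, host in recs)}


if __name__ == "__main__":
    seeds = ["fake-inc.com", "FakeIncOnline.com"]
    targets = expand_targets(seeds)
    outside = third_party_ips(targets, seeds)
    for ip in sorted(targets):
        tag = "  [third party]" if ip in outside else ""
        print(ip, sorted(targets[ip]), tag)
```

To run this against a live domain, pass a `lookup` built on a real resolver; with the dnspython package that would be `dns.resolver.resolve(name, rtype)`, taking `.address` from A answers, `.exchange.to_text()` from MX answers and `.target.to_text()` from NS answers (that wiring is the reader's to add and is not shown here). Whatever resolver is used, the output is only the "relevant" half of the definition: whether each address is also "reachable" is the enumeration question deferred to Chapter 3.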