Domain 2 of CEH v11: Reconnaissance Techniques (21%)
Domains of CEH
CEH v11 includes the following domains:
Information Security and Ethical Hacking Overview – 6%
Reconnaissance Techniques – 21%
Phases of System Hacking and Attack Techniques – 17%
Network and Perimeter Hacking – 14%
Web Application Hacking – 16%
Wireless Network Hacking – 6%
Mobile Platform, IoT and OT Hacking – 8%
Cloud Computing – 6%
We will be discussing the second domain of CEH, ‘Reconnaissance Techniques’.
What is reconnaissance?
Reconnaissance is the first step every ethical hacker takes: gathering all available information about the target system and network before anything else is attempted.
To gather as much information as possible about the target, the ethical hacker follows these steps:
Collect the initial information
Determine the range of the network
Identify active machines
Identify access points as well as open ports
Fingerprint the operating system
Uncover the services running on those ports
Finally, map the network
Different types of reconnaissance
There are two types:
Active reconnaissance: This is the act of interacting directly with the target system to gather information. Ethical hackers perform active reconnaissance with tools such as Netcat, Ping and Traceroute. It is faster and yields more accurate results than passive methods. However, the chance of being detected is high, because the ethical hacker is communicating directly with the target system, and that traffic can be logged and alerted on.
Passive reconnaissance: This is the act of gathering information about a target network or computer without interacting with it directly. It is a way to obtain data about a target without the target being aware. To perform passive reconnaissance, ethical hackers use tools such as Wireshark and Shodan.
There are three types of reconnaissance techniques.
Footprinting and reconnaissance
1. Footprinting and reconnaissance: This technique is used to collect as much information as possible about a target network, organization or system. The information it yields shows the many ways an attacker could compromise an organization’s infrastructure, so this stage of a penetration test also helps determine the security posture of the target.
Footprinting can be done passively or actively. Passive footprinting means reviewing publicly available sources such as the company’s website and collecting information from them; active footprinting means obtaining sensitive data through direct interaction, for example with social engineering techniques.
This phase is where ethical hackers will gather information such as:
Information for employees
There are sub-branches to footprinting:
Integration of DNS
2. Network scanning: Network scanning is used to identify active hosts, open ports and the services used by the target application. As an example, suppose you are an ethical hacker trying to find weaknesses in an application. To find those weak points, you use network scanning.
To compromise a network, an attacker needs a weak spot in the system that can be exploited. Network scanning is how such weak network nodes are found, which is also why defenders watch for it.
What is the difference between network scanning and reconnaissance?
Imagine you are a policeman and are looking for a criminal. First, gather all information about the criminal, including their name, address, and daily routine. This is called reconnaissance. Next, you will need to find an entry point into the victim’s home. This is known as network scanning.
Types of network scanning
There are two types:
Port scanning: Port scanning, as the name implies, determines which ports are currently open on hosts in the network. A scanner sends connection requests to a range of ports on the target and records which ports responded. This is how active ports are found.
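Because a port scanner has to contact many ports on the same host in a short time (and, as noted above, active reconnaissance is easy to detect), a defender can flag it from ordinary connection logs. The following is an added example, not part of the original article: a small Python sliding-window detector run over a constructed log with three sources (a fast scan, a normal client, and a slow scan). The log format, the RFC 5737 sample addresses and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]

def build_sample_log():
    """Constructed sample connection log: '<timestamp> <src> <dst> <dst_port> <result>'."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def fmt(t, src, port, res):
        return f"{t.isoformat()} {src} 192.0.2.10 {port} {res}"

    lines = []
    # Fast scan: 12 distinct ports on one host within 12 seconds (sample addresses only).
    lines += [fmt(base + timedelta(seconds=i), "203.0.113.7", p, "REFUSED") for i, p in enumerate(PORTS)]
    # Normal client: many connections but only two distinct ports (443 and 80).
    lines += [fmt(base + timedelta(seconds=2 * i), "198.51.100.5", 443, "ACCEPTED") for i in range(15)]
    lines.append(fmt(base + timedelta(seconds=5), "198.51.100.5", 80, "ACCEPTED"))
    # Slow scan: same 12 ports, one every two minutes, so never 10 inside a 60 s window.
    lines += [fmt(base + timedelta(minutes=2 * i), "192.0.2.99", p, "REFUSED") for i, p in enumerate(PORTS)]
    return lines

def parse_line(entry):
    ts, src, dst, port, result = entry.split()
    return datetime.fromisoformat(ts), src, dst, int(port), result

def detect_port_scans(lines, window_seconds=60, port_threshold=10):
    """Flag (src, dst) pairs where src probed >= port_threshold distinct ports on dst
    within any window_seconds interval. Returns {pair: sorted ports seen in that window}."""
    events = defaultdict(list)
    for entry in lines:
        ts, src, dst, port, _ = parse_line(entry)
        events[(src, dst)].append((ts, port))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # Advance the left edge until the events in view span at most one window.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            ports = {p for _, p in evs[left:right + 1]}
            if len(ports) >= port_threshold and len(ports) > len(alerts.get(pair, ())):
                alerts[pair] = sorted(ports)
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

With the default 60 s window only the fast scan is flagged; the slow scan shows why a single threshold is not enough and is only caught when the window is widened (for example to an hour).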
There are many types