External reconnaissance is the process of gathering information about a target / organization.
Recon facets
- Organization: information regarding organizational structure, members / employees information (name, position, skills), emails, site locations, business relations, etc
- Technical: domain names, public-facing services, mail servers, remote access solutions, vendors in use, defensive solutions (e.g. web proxies, email gateways, firewalls, antivirus etc)
Gathering
- OSINT
- enumeration (proxy or VPN recommended)
Check the scope of the engagement first!
The red team must confirm with the client to determine on which premises the target services run, as (in the case of cloud hosting) specific cloud hosting services (e.g. AWS, Azure) have strict rules & requirements about security assessments (e.g. have to request beforehand for permission, etc). Sometimes organizations will also rent IP ranges from ISPs, so the IP addresses will appear to owned by an ISP.