A Capture-the-Flag or “CTF” is a cybersecurity competition designed to test and sharpen security skills through hands-on challenges that simulate real-world situations. MetaCTF offers training in eight different categories: Binary Exploitation, Cryptography, Web Exploitation, Forensics, Reconnaissance, Reverse Engineering, CyberRange, and Other / Miscellaneous. This blog is part of a series that explains what each category covers, why the subject is important, and how to approach these problems.
What is Reconnaissance?
Recon (a.k.a. OSINT) involves performing reconnaissance on a target (usually a company or a person) by collecting information that is publicly available on the internet. This information could come from social media, voter registration databases, county records, or documents a company has published online. Recon can also include the collection of more technical information, like port scanning or DNS enumeration.
A hacker will perform recon in an effort to find and exploit weaknesses in a company’s security. If a hacker is thorough and patient enough, they can collect a lot of information about both companies and their employees. This information can be used to make highly targeted and personalized attacks.
For example, if a hacker is trying to breach a company’s network, they could take the following steps. First, they apply a technique called Google Dorking to find all the documents your company has published online (both intentionally and unintentionally). Next, they examine the metadata of the documents they find to figure out your username scheme for email addresses (e.g. is it Joe.Schmoe@company.com, or email@example.com?). Then, the hacker can combine that information with LinkedIn to create a database of your employees and their email addresses. Voila, the hacker has a robust list of phishing targets.
But if the hacker is ambitious, they can go even further. They could cross reference their database with other public information to find outstanding debts or other signs of personal distress. That information can be used to create individualized attacks on your company’s most vulnerable employees.
How to solve a Recon CTF challenge
To start, expect to receive the name of some target company or individual, plus a goal. The objective may be to find the target’s email address, password, or home address.
From there, the recon process is open ended. You will want to think like a private eye and brainstorm what information you might find on Google.
For example, if you are tasked with finding a target’s password, check out their social media profile. Do they have a picture of their new work-from-home setup? Did they accidentally leave any private information visible, like a sticky note with their password on their desktop?
The key is to keep brainstorming relevant information sources online, then follow each lead as far as it will take you.
Why hands-on Recon practice is helpful
Recon CTFs require the least technical knowledge to complete, and are therefore accessible to the broadest audiences. They are an excellent intro to the world of cybersecurity and CTFs. And because the hacker is often exploiting information or systems that did not require an engineering team to produce (i.e. public records, company documents, social media), MetaCTF's Recon challenges are relevant to nearly everyone in the workforce.
MetaCTF’s recon training puts your team in the perspective of the attacker. By learning how a hacker would find the information needed to construct an attack, your employees will understand the true potential impact of seemingly innocent behavior like sharing a document or posting on social media. These behaviors are not bad; indeed, they are necessary to run a business. But if done improperly, they can expose individuals and your company to undue risk.
Small changes to these behaviors can have a serious impact on your bottom line and employee productivity. Business email compromise (BEC) attacks alone double in frequency every year and are expected to cost companies $5 billion in 2023, according to Gartner. Hands-on recon simulations can help build the mindset necessary to dodge these traps.
Resources to learn more about Recon
- GitHub repository Awesome OSINT: https://github.com/r3p3r/jivoi-awesome-osint
- Google Dorking Guide: https://www.hackthebox.com/blog/What-Is-Google-Dorking
- Check if your email or phone is in a data breach: https://haveibeenpwned.com/
Want to learn more about cybersecurity training options for your team? Schedule a demo here or email us at firstname.lastname@example.org.