Reconnaissance, Scanning, and Enumeration

Reconnaissance, Scanning, and Enumeration are the first three critical phases of the cyber attack lifecycle, fundamental to the GIAC Certified Incident Handler (GCIH) body of knowledge. **Reconnaissance** is the initial phase where an attacker gathers information about a target without directly interacting with the target systems. This includes passive techniques such as open-source intelligence (OSINT) gathering, reviewing public records, searching social media, analyzing DNS records, examining job postings for technology clues, and using tools like WHOIS lookups, Google dorking, and Shodan. The goal is to build a comprehensive profile of the target organization, its infrastructure, employees, and potential vulnerabilities without triggering any security alerts. **Scanning** is the active phase where attackers directly probe target systems to identify live hosts, open ports, running services, and potential vulnerabilities. Key techniques include network sweeps (ping sweeps), port scanning using tools like Nmap, vulnerability scanning with tools such as Nessus or OpenVAS, and OS fingerprinting. Scanning is categorized into network scanning, port scanning, and vulnerability scanning. Unlike reconnaissance, scanning involves direct interaction with target systems and can potentially be detected by intrusion detection systems (IDS) and firewalls. **Enumeration** goes deeper by actively extracting detailed information from discovered services and systems. This includes identifying user accounts, network shares, group memberships, application banners, SNMP data, DNS zone transfers, and service-specific details. Tools like enum4linux, SNMPwalk, ldapsearch, and NetBIOS enumeration utilities are commonly used. Enumeration often involves establishing active connections and crafting directed queries to extract actionable intelligence. For GCIH professionals, understanding these phases is essential for both detecting and responding to attacks. Incident handlers must recognize indicators of each phase in logs, network traffic, and security alerts to implement timely countermeasures, such as monitoring for unusual queries, implementing rate limiting, hardening services against enumeration, and deploying proper network segmentation to limit attacker visibility. Reconnaissance, Scanning, and Enumeration are the first three critical phases of the cyber attack lifecycle, fundamental to the GIAC Certified Incident Handler (GCIH) body of knowledge. **Reconnaissance** is the initial phase where an attacker gathers information about a target without directly in…