This chapter focuses on the first steps you should take when assuming the role of an Internet-based attacker. An early avenue that any competent attacker would pursue involves querying entirely legal and public sources of information, such as WHOIS, DNS, and even web and newsgroup search engines including Google. Attackers can often build a clear picture of your network by launching indirect probes, without most network administrators even knowing. By identifying systems of interest (such as development or test systems), attackers can focus on specific areas of the target network later on.
This chapter comprehensively covers enumeration through Web and newsgroup searches, NIC querying, DNS querying, and SMTP probing.
The reconnaissance process is often iterative, repeating the full enumeration cycle whenever a new piece of information (such as a domain name or office address) is found. The scope of the assessment exercise usually defines the boundaries, which sometimes include testing third parties that you identify while performing in-depth enumeration. I know of a number of companies whose networks were compromised by extremely determined attackers breaking into home user PCs that were using always-on cable modem connections and then "piggybacking" into the corporate network.