Art of Reconnaissance (original) (raw)
Last Updated : 25 May, 2026
Reconnaissance (Recon) is the initial phase of ethical hacking that focuses on gathering information about a target system, network or organization to understand its attack surface and identify potential vulnerabilities.
- Maps digital footprint such as domains, IP addresses and technologies
- Can be passive (stealthy) or active (direct interaction)
- Uses sources like web data, network information and human intelligence
- Forms the basis for identifying risks and planning further security actions
Types of Reconnaissance
1. Passive Reconnaissance
It focuses on observation rather than engagement, making it stealthy but less detailed than active methods.
Information gathering without directly interacting with the target systems.
- Undetectable by the target
- Uses publicly available information
- No logs generated on target systems
- Lower risk, but potentially limited information
**Example: Like researching a company through newspaper articles and public records without ever calling them.
2. Active Reconnaissance
It involves hands-on probing of a target, trading stealth for more precise and up-to-date intelligence.
Direct interaction withtarget systems to gather information.
- Direct queries to target systems
- Potentially detectable (leaves traces)
- More detailed and current information
- Higher risk of detection
**Example: Similar to contacting a company directly to inquire about its services or physically visiting its office to gather information.
Reconnaissance Categories
These reconnaissance techniques help security professionals and attackers alike map out targets, identify weaknesses and plan further exploitation steps effectively.
1. In-Person Reconnaissance (Human Intelligence)
Physical observation and social engineering techniques.
**Methods:
- **Dumpster Diving: Searching discarded documents for sensitive information
- **Shoulder Surfing: Observing people entering passwords or sensitive data
- **Tailgating: Following authorized personnel into secure areas
- **Social Engineering: Manipulating people to divulge information
**Example: A security tester finds employee badges in a company's trash, revealing the badge format and employee naming conventions.
2. Google Dorking (Search Engine Intelligence)
Using advanced Google search operators to find sensitive information.
**Common Dorks:
GATE site:geeksforgeeks.org filetype:pdf cache:geeksforgeeks.org
Enter this command to get GATE related PDF filetypes on the website of geeksforgeeks.org
3. Web-Based Reconnaissance
Gathering information from websites, web applications and online services.
**Techniques:
- **Website Analysis: Technology stack, CMS versions, plugins
- **Directory Enumeration: Finding hidden files and folders
- **Subdomain Discovery: Identifying all subdomains
- **Web Archive Analysis: Using Wayback Machine for historical data
**Example: Discovering a forgotten subdomain **
dev.company.com**that contains development databases with test data.
4. IP Address-Based Reconnaissance
Information gathering using IP addresses and network infrastructure.
**Methods:
- **WHOIS Lookups: Domain and IP ownership information
- **DNS Enumeration: Finding DNS records and configurations
- **Network Scanning: Port scans, service identification
- **Geolocation: Physical location of servers
**Example: WHOIS lookup reveals that
company.comuses AWS servers in Virginia, helping narrow down the infrastructure setup.
Extracting information from social media platforms.
**Target Information:
- Employee details and roles
- Company culture and internal processes
- Technology preferences
- Personal information for social engineering
- Business relationships and partnerships
**Example: LinkedIn reveals that the company's IT manager recently posted about migrating to Microsoft Azure, indicating their cloud infrastructure.
6. Physical Device Reconnaissance
Information gathering from physical devices and infrastructure.
**Methods:
- **Wi-Fi Network Analysis: SSID enumeration, security protocols
- **Bluetooth Discovery: Nearby devices and services
- **RF Analysis: Radio frequency monitoring
- **IoT Device Discovery: Smart devices on networks
**Example: Discovering an unsecured printer on the network that stores copies of all printed documents or Weak Wi-Fi signal Strength.
7. Email Intelligence (EMAILINT)
Gathering information through email addresses and email infrastructure.
**Techniques:
- **Email Harvesting: Collecting email addresses from websites
- **Email Verification: Checking if emails exist
- **Email Header Analysis: Tracing email origins
- **Email Pattern Discovery: Understanding naming conventions
**Example: Finding that a company uses
firstname.lastname@company.comformat helps create targeted phishing campaigns.
8. Digital Footprints & Metadata Analysis
Analyzing digital traces left by targets.
**Sources:
- **Document Metadata: Author names, software versions, creation dates
- **Image EXIF Data: GPS coordinates, camera details, timestamps
- **Code Repositories: GitHub profiles, commit histories
- **Forum Posts: Technical discussions revealing infrastructure
**Example: A PDF on the company website contains metadata showing it was created by "John.Smith" on a Windows 10 machine, revealing an employee name and OS information.
9. Data Breach & Leaked Database Analysis
Leveraging compromised data from previous breaches.
**Sources:
- **HaveIBeenPwned: Email breach checking
- **Pastebin Sites: Leaked credentials and data dumps
- **Dark Web Marketplaces: Sold databases and credentials
- **Public Data Breaches: Analysis of known breaches
**Example: Discovering that several company email addresses were compromised in the 2019 Collection #1 breach, potentially providing password patterns.
10. DNS Intelligence
Deep analysis of DNS infrastructure and configurations.
**Methods:
- **Zone Transfers: Attempting to download DNS zone files
- **DNS Cache Snooping: Checking DNS resolver caches
- **Reverse DNS Lookups: Finding domains associated with IP ranges
- **DNS History: Tracking historical DNS changes
Web-Based Tools
| Category | Tool | Purpose |
|---|---|---|
| WHOIS/DNS | whois.net, dnsdumpster.com | Domain information and DNS records |
| Subdomains | sublist3r.online, crt.sh | Subdomain discovery |
| Google Dorking | google.com, dorksearch.com | Advanced search queries |
| Social Media | sherlock-project.github.io | Username searches across platforms |
| hunter.io, have-i-been-pwned.com | Email discovery and breach checking | |
| Website Analysis | builtwith.com, wappalyzer.com | Technology stack identification |
| Archives | web.archive.org | Historical website data |
| IP Intelligence | shodan.io, censys.io | Internet-connected device search |
| Leaked Databases | intelx.io, cracking.org | Access to leaked databases and forum data |
Kali Linux CLI Tools
Network & DNS Reconnaissance
- Commands for DNS Enumeration
dnsrecon -d example.com -t std dig example.com ANY fierce -dns example.com
- Commands for Subdomain discovery
sublist3r -d example.com
- Commands for Network scanning
nmap -sS -A XX.XX.XX.XX masscan -p1-65535 XX.XX.XX.XX --rate=10000
**Web Application Reconnaissance
- Directory/File Discovery
dirb http://example.com/// gobuster dir -u http://example.com/// -w /usr/share/wordlists/dirb/common.txt dirsearch -u http://example.com///
- Web Technology Identification
whatweb http://example.com/// wapiti -u http://example.com///
- Web crawling
wget --spider --recursive --no-verbose --output-file=spider.log http://example.com///
**Social Media & OSINT
- Username recon using sherlock tool
sherlock username
- Email harvesting
theharvester -d example.com -l 500 -b google maltego (GUI-based OSINT framework)
- Metadata analysis
exiftool document.pdf metagoofil -d example.com -t pdf -l 100 -n 25 -o results/
**Specialized Tools
- WHOIS information
whois example.com
- SSL Certificate analysis
sslscan target.com sslyze target.com
- Shodan Enumeration
shodan host 192.XX.XX.XX
**Framework Tools
- Recon-ng for Modular reconnaissance framework
recon-ng
- Spiderfoot for Automated OSINT Framework
spiderfoot -s example.com
- Killshot for Framework and Vulnerability Testing
git clone https://github.com/bahaabdelwahed/killshot%3C/span>**Note: Killshot is an open-source tool that integrates various pentesting tools. You may need to visit GitHub and refer to the README.txt file to understand its functionality and commands.