Reconnaissance (recon) is the first active phase of a penetration test, where you gather as much information as possible about the target. The goal is to understand the target's attack surface — its domains, IP addresses, technologies, employees, and potential entry points — before attempting any exploitation.
| Type | Description | Detection Risk | Examples |
|---|---|---|---|
| Passive | Gather information without directly interacting with the target | Very low | OSINT, public records, social media |
| Active | Directly interact with the target to gather information | Higher | Port scanning, DNS zone transfers, banner grabbing |
Tip: Always start with passive reconnaissance. It reveals a surprising amount of information without alerting the target's security team.
OSINT is the collection of publicly available information:
| Source | Information Gathered |
|---|---|
| Company website | Technology stack, employee names, job postings |
| | Employee roles, technologies used, organisational structure |
| GitHub/GitLab | Source code, API keys, configuration files |
| Job postings | Technologies in use (e.g., "Experience with AWS, Kubernetes required") |
| Press releases | Partnerships, infrastructure changes |
| SEC filings | IT spending, vendor relationships |
Query domain registration information:
```sh
whois example.com
```
This reveals:
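WHOIS output is plain `Key: Value` text, so it is easy to parse and to re-check on a schedule. The following is an added example (not code from the lesson) that extracts the registration details a recon analyst, or a defender reviewing their own domain, looks for and flags the usual weak points. The WHOIS text it parses is a constructed sample in the common registry format, not a real lookup of example.com.

```python
"""Parse whois(1) output and pull out registrar, dates, name servers and DNSSEC status.

Added example, not code from the lesson. SAMPLE_WHOIS is constructed sample data
in the usual 'Key: Value' registry format; no real lookup is performed.
"""
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registry Domain ID: PLACEHOLDER-DOMAIN-ID
Registrar: Example Registrar, Inc.
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
DNSSEC: unsigned
Registrant Organization: Example Org (constructed)
>>> Last update of whois database: 2025-07-01T00:00:00Z <<<
"""


def parse_whois(text):
    """Return {lower-case key: [values]}; repeated keys such as 'Name Server' accumulate."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, comment lines and the '>>> Last update' trailer
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the FIRST colon only (timestamps contain colons)
        key, value = key.strip().lower(), value.strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def _first(fields, *keys):
    """First value found under any of the given keys (registries name fields slightly differently)."""
    for key in keys:
        if key in fields:
            return fields[key][0]
    return None


def summarize(fields, today_iso=None):
    """Condense parsed fields into the handful of facts worth recording."""
    today = (datetime.fromisoformat(today_iso.replace("Z", "+00:00"))
             if today_iso else datetime.now(timezone.utc))
    expires = _first(fields, "registry expiry date", "registrar registration expiration date", "expiry date")
    days_left = None
    if expires:
        days_left = (datetime.fromisoformat(expires.replace("Z", "+00:00")) - today).days
    return {
        "registrar": _first(fields, "registrar"),
        "created": _first(fields, "creation date", "created"),
        "expires": expires,
        "days_until_expiry": days_left,
        "name_servers": sorted(ns.lower() for ns in fields.get("name server", [])),
        "dnssec": (_first(fields, "dnssec") or "unknown").lower(),
        "registrant_org": _first(fields, "registrant organization"),
    }


def findings(summary):
    """Defender-side checks: an expiring or unsigned domain is a takeover/hijack risk."""
    out = []
    if summary["days_until_expiry"] is not None and summary["days_until_expiry"] < 60:
        out.append("domain expires within 60 days")
    if summary["dnssec"] == "unsigned":
        out.append("DNSSEC not enabled")
    if len(summary["name_servers"]) < 2:
        out.append("fewer than two name servers")
    return out


if __name__ == "__main__":
    summary = summarize(parse_whois(SAMPLE_WHOIS), today_iso="2025-07-01T00:00:00Z")
    for k, v in summary.items():
        print(f"{k:>18}: {v}")
    print("findings:", findings(summary))
```

To run it against live data, pipe `whois example.com` into `parse_whois` instead of using the constructed sample; the rest of the script is unchanged.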
Discover subdomains and DNS records:
```sh
# Query specific DNS record types
dig example.com MX    # Mail servers
dig example.com NS    # Name servers
dig example.com TXT   # SPF, DKIM, verification records
dig example.com ANY   # All available records

# Attempt a DNS zone transfer (often blocked)
dig axfr @ns1.example.com example.com
```
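The records those `dig` queries return tell a defender as much as an attacker. The following is an added example (not the lesson's code) that parses `dig +noall +answer` output into records, checks the mail-related TXT records (SPF policy strength, DMARC policy) and the NS count, and tells a permitted zone transfer apart from a refused one. Both the answer-section output and the AXFR outputs below are constructed samples in dig's `owner TTL class type rdata` format.

```python
"""Parse `dig +noall +answer` output and run defender-side checks on the records.

Added example, not code from the lesson. SAMPLE_DIG, SAMPLE_AXFR and
SAMPLE_AXFR_REFUSED are constructed, modelled on dig's output format.
"""
import re

# Constructed: what `dig +noall +answer example.com ANY` might print
SAMPLE_DIG = """\
example.com.\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
example.com.\t300\tIN\tTXT\t"v=spf1 include:_spf.example.com ~all"
example.com.\t300\tIN\tTXT\t"google-site-verification=PLACEHOLDER"
_dmarc.example.com.\t300\tIN\tTXT\t"v=DMARC1; p=none; rua=mailto:dmarc@example.com"
"""

# Constructed: a server that permits AXFR returns the whole zone, bracketed by two SOA records
SAMPLE_AXFR = """\
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
example.com.\t3600\tIN\tNS\tns1.example.com.
dev.example.com.\t300\tIN\tA\t10.0.0.5
vpn.example.com.\t300\tIN\tA\t10.0.0.6
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
"""

# Constructed: a server that refuses AXFR prints only a comment line
SAMPLE_AXFR_REFUSED = "; Transfer failed.\n"

# owner  TTL  class  type  rdata  (whitespace separated)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Turn answer-section lines into dicts; dig comment lines (';') are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        if rdata.startswith('"'):
            # TXT rdata is one or more quoted strings; join them into the logical value
            rdata = "".join(re.findall(r'"([^"]*)"', rdata))
        records.append({"name": name.lower(), "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def audit(records):
    """Checks on the public records of one zone; returns a list of human-readable findings."""
    out = []
    txt_apex = [r["rdata"] for r in records if r["type"] == "TXT" and not r["name"].startswith("_dmarc.")]
    spf = [t for t in txt_apex if t.lower().startswith("v=spf1")]
    if not spf:
        out.append("no SPF record")
    elif len(spf) > 1:
        out.append("multiple SPF records (RFC 7208 requires exactly one)")
    elif not spf[0].rstrip().endswith("-all"):
        out.append("SPF does not end in -all (softfail or neutral policy)")
    dmarc = [r["rdata"] for r in records if r["type"] == "TXT" and r["name"].startswith("_dmarc.")]
    if not dmarc:
        out.append("no DMARC record")
    elif "p=none" in dmarc[0].replace(" ", ""):
        out.append("DMARC policy is p=none (monitor only)")
    if len([r for r in records if r["type"] == "NS"]) < 2:
        out.append("fewer than two NS records")
    return out


def zone_transfer_allowed(axfr_output):
    """A successful AXFR is framed by an opening and a closing SOA; a refusal yields no records."""
    soa = [r for r in parse_dig(axfr_output) if r["type"] == "SOA"]
    return len(soa) >= 2


if __name__ == "__main__":
    recs = parse_dig(SAMPLE_DIG)
    print(f"{len(recs)} records parsed")
    print("findings:", audit(recs))
    print("AXFR open:", zone_transfer_allowed(SAMPLE_AXFR))
    print("AXFR refused:", zone_transfer_allowed(SAMPLE_AXFR_REFUSED))
```

Run `dig +noall +answer example.com ANY` and `dig +noall +answer axfr @ns1.example.com example.com` and feed the output to `parse_dig` to audit a zone you administer; if `zone_transfer_allowed` reports true for a public name server, restrict AXFR to your secondaries.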
Use advanced Google search operators to find sensitive information:
| Dork | Purpose |
|---|---|
| `site:example.com filetype:pdf` | Find PDF documents on the target domain |
| `site:example.com inurl:admin` | Find admin pages |
| `site:example.com intitle:"index of"` | Find directory listings |
| `site:example.com ext:sql` | Find SQL database dumps |
| `site:example.com inurl:login` | Find login pages |
| `"example.com" password filetype:log` | Find log files containing passwords |
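Search engines only find what a site already exposes, so the same dork logic can be run locally over an inventory of your own URLs (a crawl or sitemap export) to catch exposed files before they are indexed. The following is an added example, not code from the lesson: it expresses each dork in the table above as a predicate over URL path, page title and body text, restricts hits to the `site:` scope, and produces a per-URL report. The inventory it checks is a constructed sample.

```python
"""Apply the lesson's Google-dork patterns to a local URL inventory.

Added example, not the lesson's code. INVENTORY is constructed sample data
in the shape (url, <title>, body excerpt) that a crawler export might give.
"""
from urllib.parse import urlparse

SCOPE = "example.com"  # the domain in the dorks' site: operator

# Constructed inventory: (url, page title, body excerpt)
INVENTORY = [
    ("https://example.com/docs/handbook.pdf", "Employee Handbook", ""),
    ("https://example.com/admin/", "Admin Console", "Sign in to manage the site"),
    ("https://example.com/backups/", "Index of /backups", "db_dump.sql  app.log"),
    ("https://example.com/backups/db_dump.sql", "", "INSERT INTO users VALUES (...)"),
    ("https://example.com/user/login", "Sign in", ""),
    ("https://example.com/logs/app.log", "", "auth ok user=alice password=PLACEHOLDER"),
    ("https://example.com/about", "About us", "We make widgets."),
    ("https://other.example.org/admin/", "Admin", ""),  # out of scope: must be ignored
]


def _ext(path, ext):
    return path.lower().endswith("." + ext)


# Each dork from the table, as a predicate over (path, title, body).
# filetype:/ext: map to the path extension, inurl: to a path substring,
# intitle: to the <title>, and a bare keyword to the body text.
DORKS = {
    'site:example.com filetype:pdf': lambda p, t, b: _ext(p, "pdf"),
    'site:example.com inurl:admin': lambda p, t, b: "admin" in p.lower(),
    'site:example.com intitle:"index of"': lambda p, t, b: "index of" in t.lower(),
    'site:example.com ext:sql': lambda p, t, b: _ext(p, "sql"),
    'site:example.com inurl:login': lambda p, t, b: "login" in p.lower(),
    '"example.com" password filetype:log': lambda p, t, b: _ext(p, "log") and "password" in b.lower(),
}


def in_scope(url, domain=SCOPE):
    """True for the domain itself and its subdomains, as the site: operator matches."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def matches(url, title, body):
    """Names of the dorks that would surface this page."""
    path = urlparse(url).path
    return [name for name, pred in DORKS.items() if pred(path, title, body)]


def exposure_report(inventory, domain=SCOPE):
    """Map each in-scope URL that matches at least one dork to the list of matching dorks."""
    report = {}
    for url, title, body in inventory:
        if not in_scope(url, domain):
            continue
        hits = matches(url, title, body)
        if hits:
            report[url] = hits
    return report


if __name__ == "__main__":
    for url, hits in exposure_report(INVENTORY).items():
        print(url)
        for h in hits:
            print("   ", h)
```

A hit does not mean a vulnerability, but every URL in the report is something a search engine can hand to anyone; directory listings, database dumps and log files in particular should be removed from the web root or put behind authentication, and `robots.txt` is not a substitute since it does not stop a direct request.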