Reconnaissance (recon) is the first active phase of a penetration test. It involves collecting as much information as possible about the target — before touching the target's systems directly. Good recon shapes your entire attack strategy and can reveal vulnerabilities without triggering any alarms.
Reminder: All techniques in this lesson must only be performed against targets you have written authorisation to test.
| Type | Definition | Detection Risk | Examples |
|---|---|---|---|
| Passive | Gathering info without interacting with the target | None | OSINT, Google dorking, WHOIS |
| Active | Directly probing the target's systems | Medium–High | DNS queries, port scans, pings |
```mermaid
graph TD
P["Passive Recon"] --> P1["Public records"]
P --> P2["Social media"]
P --> P3["Job postings"]
P --> P4["Google dorking"]
P --> P5["Shodan search"]
P1 --> PN["No direct contact with target systems"]
A["Active Recon"] --> A1["DNS enumeration"]
A --> A2["Port scanning"]
A --> A3["Banner grabbing"]
A --> A4["Web spidering"]
A --> A5["SNMP queries"]
A1 --> AN["Direct interaction with target systems"]
```
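The "Detection Risk" column above is what the target's own logs see. As an added example (not part of this lesson, and not output from any real server), the script below runs a small detector over constructed lines in the shape of a BIND 9 query log and flags the active DNS techniques this lesson uses: a zone transfer (AXFR/IXFR) request from a client that is not one of the zone's secondaries, an `ANY` query, and one client resolving many distinct names under the zone. The allowlist `SECONDARY_NS`, the sample addresses and the thresholds are all assumptions chosen for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a BIND 9 query log (not a real capture).
# 198.51.100.7 is a legitimate secondary; 192.0.2.10 behaves like a recon host.
SAMPLE_LOG = """\
client @0x7f2f5c00a3d0 198.51.100.7#53000 (example.com): query: example.com IN AXFR -ET (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41522 (example.com): query: example.com IN AXFR -ET (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41523 (example.com): query: example.com IN ANY -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41524 (example.com): query: example.com IN MX -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41525 (example.com): query: example.com IN TXT -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41526 (dev.example.com): query: dev.example.com IN A -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41527 (staging.example.com): query: staging.example.com IN A -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41528 (vpn.example.com): query: vpn.example.com IN A -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41529 (intranet.example.com): query: intranet.example.com IN A -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41530 (mail.example.com): query: mail.example.com IN A -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 192.0.2.10#41531 (www.example.com): query: www.example.com IN A -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 203.0.113.9#5000 (www.example.com): query: www.example.com IN A -E(0) (203.0.113.2)
client @0x7f2f5c00a3d0 203.0.113.9#5001 (example.com): query: example.com IN MX -E(0) (203.0.113.2)
"""

# Hypothetical allowlist: the only hosts permitted to pull the zone.
SECONDARY_NS = {"198.51.100.7"}

# Tolerates the optional "@0x..." client handle that newer BIND versions print.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_queries(text):
    """Return (client_ip, qname, qtype) for every line that parses as a query."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m["ip"], m["qname"].lower().rstrip("."), m["qtype"]))
    return out


def detect_recon(text, allowed_transfer=SECONDARY_NS, enum_threshold=5):
    """Flag zone transfer attempts, ANY queries and per-client name enumeration."""
    alerts = []
    distinct_names = defaultdict(set)
    for ip, qname, qtype in parse_queries(text):
        if qtype in ("AXFR", "IXFR") and ip not in allowed_transfer:
            alerts.append({"client": ip, "kind": "zone_transfer_attempt",
                           "severity": "high", "detail": f"{qtype} {qname}"})
        if qtype == "ANY":
            alerts.append({"client": ip, "kind": "any_query",
                           "severity": "low", "detail": f"ANY {qname}"})
        distinct_names[ip].add(qname)
    # Many distinct names from one client in a short window looks like enumeration.
    for ip, names in sorted(distinct_names.items()):
        if len(names) >= enum_threshold:
            alerts.append({"client": ip, "kind": "name_enumeration",
                           "severity": "medium", "detail": f"{len(names)} distinct names"})
    return alerts


if __name__ == "__main__":
    for a in detect_recon(SAMPLE_LOG):
        print(f"[{a['severity']:6}] {a['client']:15} {a['kind']:22} {a['detail']}")
```

In production the `enum_threshold` should be applied per time window rather than over a whole file, and the AXFR check is a backstop: the real control is `allow-transfer` on the authoritative server, so a refused transfer still leaves this log line behind as evidence.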
OSINT uses publicly available information. Key sources include:
```bash
# WHOIS lookup — domain registration details
whois example.com

# DNS lookups (many authoritative servers answer ANY with a minimal response, so query record types individually too)
dig example.com ANY
dig example.com MX
dig example.com TXT

# Reverse DNS
dig -x 93.184.216.34

# List the prefixes an ASN originates, via the RADb routing registry (here AS15169)
whois -h whois.radb.net -- '-i origin AS15169'
```
Subdomains often expose development, staging, or internal services:
```bash
# Using subfinder (passive subdomain enumeration)
subfinder -d example.com -o subdomains.txt

# Using amass (comprehensive enumeration)
amass enum -passive -d example.com

# Using dnsrecon
dnsrecon -d example.com -t std

# DNS zone transfer attempt (active — only with authorisation)
dig @ns1.example.com example.com AXFR
```
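The raw lists these tools produce are only useful once they are cleaned up and sorted by what they reveal. The script below is an added example, not part of this lesson or of any of the tools named above: it takes constructed text in the one-hostname-per-line shape that `subfinder -o` and `amass` write, normalises and deduplicates it, drops names outside the target apex, and groups the rest by the environment their labels suggest (internal, development, staging/test, ops tooling). The keyword lists and the category order (most sensitive first, so a name matching several lands in the more sensitive bucket) are assumptions chosen for the demo.

```python
import re
from collections import defaultdict

# Constructed sample: merged, unsorted output as two enumeration tools might emit it
# (mixed case, trailing dots, a duplicate, and one out-of-scope domain).
RAW_OUTPUT = """\
www.example.com
Dev.Example.com
dev.example.com.
staging-api.example.com
api.example.com
vpn.example.com
jenkins.example.com
intranet.example.com
test.example.com
example.com
mail.example.com
grafana-internal.example.com
notexample.com
"""

# Ordered so the most sensitive category wins when a name matches several.
CATEGORIES = [
    ("internal", {"internal", "intranet", "corp", "vpn", "private"}),
    ("development", {"dev", "develop", "sandbox"}),
    ("staging/test", {"staging", "stage", "stg", "uat", "test", "qa", "preprod"}),
    ("ops-tooling", {"jenkins", "gitlab", "grafana", "jira", "confluence", "admin", "kibana"}),
]


def normalize(raw, apex):
    """Lower-case, strip trailing dots, dedupe, and keep only names under the apex."""
    apex = apex.lower().strip(".")
    seen = set()
    for line in raw.splitlines():
        name = line.strip().lower().rstrip(".")
        if not name:
            continue
        # "notexample.com" must not slip through a naive endswith(apex) check.
        if name != apex and not name.endswith("." + apex):
            continue
        seen.add(name)
    return sorted(seen)


def classify(name, apex):
    """Map a hostname to a category from the tokens in its labels below the apex."""
    host_part = "" if name == apex else name[: -len(apex)].rstrip(".")
    tokens = set()
    for label in host_part.split("."):
        tokens.update(tok for tok in re.split(r"[-_]", label) if tok)
    for category, keywords in CATEGORIES:
        if tokens & keywords:
            return category
    return "production/unknown"


def triage(raw, apex):
    """Return {category: sorted hostnames} for the cleaned enumeration output."""
    groups = defaultdict(list)
    for name in normalize(raw, apex):
        groups[classify(name, apex)].append(name)
    return dict(groups)


if __name__ == "__main__":
    for category, names in triage(RAW_OUTPUT, "example.com").items():
        print(f"{category}: {', '.join(names)}")
```

The same grouping serves both sides of an engagement: the tester reads it as a prioritised list of hosts to verify within scope, and the owning team reads it as an inventory of names that should probably not resolve from the public internet at all.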
| Tool | Purpose | URL |
|---|---|---|
| Shodan | Search engine for internet-connected devices | shodan.io |
| Censys | Internet-wide scanning data | censys.io |
| theHarvester | Email, subdomain, IP gathering | Built into Kali |
| Maltego | Visual link analysis and OSINT | maltego.com |
| Recon-ng | Modular OSINT framework | Built into Kali |
| SpiderFoot | Automated OSINT collection | spiderfoot.net |
Google advanced search operators can reveal sensitive information accidentally exposed on the web:
```text
# Find login pages
site:example.com inurl:login

# Find exposed configuration files
site:example.com filetype:env OR filetype:cfg OR filetype:conf

# Find directory listings
site:example.com intitle:"Index of /"

# Find exposed documents
site:example.com filetype:pdf OR filetype:xlsx OR filetype:docx

# Find subdomains indexed by Google
site:*.example.com -www
```