Reconnaissance (recon) is the first active phase of a penetration test. It involves collecting as much information as possible about the target — before touching the target's systems directly. Good recon shapes your entire attack strategy and can reveal vulnerabilities without triggering any alarms.
Reminder: All techniques in this lesson must only be performed against targets you have written authorisation to test.
| Type | Definition | Detection Risk | Examples |
|---|---|---|---|
| Passive | Gathering info without interacting with the target | None | OSINT, Google dorking, WHOIS |
| Active | Directly probing the target's systems | Medium–High | DNS queries, port scans, pings |
```text
      Passive Recon                   Active Recon
 ┌────────────────────┐         ┌────────────────────┐
 │ Public records     │         │ DNS enumeration    │
 │ Social media       │         │ Port scanning      │
 │ Job postings       │         │ Banner grabbing    │
 │ Google dorking     │         │ Web spidering      │
 │ Shodan search      │         │ SNMP queries       │
 └────────────────────┘         └────────────────────┘
           │                              │
           ▼                              ▼
   No direct contact              Direct interaction
   with target systems            with target systems
```
OSINT uses publicly available information. Key sources include:
```bash
# WHOIS lookup — domain registration details (registrar, dates, name servers)
whois example.com

# DNS lookups (ANY is often refused or answered minimally; query record types individually)
dig example.com ANY
dig example.com MX
dig example.com TXT

# Reverse DNS — map an IP address back to a hostname
dig -x 93.184.216.34

# List the prefixes announced by an ASN (Autonomous System Number) via the RADb routing registry
whois -h whois.radb.net -- '-i origin AS15169'
```
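The MX and TXT lookups above return more than mail routing: SPF includes name the third parties allowed to send mail as the domain, and verification tokens name the SaaS platforms the organisation uses. The following added example (not part of the lesson) parses `dig +noall +answer` style output and pulls out that signal. The dig output embedded in it is a constructed sample, not a real lookup, and the hostnames in it are placeholders.

```python
"""Parse `dig +noall +answer` output and summarise what MX/TXT records reveal.

Added example, not part of the lesson. SAMPLE_DIG_OUTPUT is constructed for
illustration; none of the values come from a real query.
"""
import re
from collections import defaultdict

# Constructed sample of what `dig example.com MX TXT +noall +answer` might print.
SAMPLE_DIG_OUTPUT = """\
example.com.\t3600\tIN\tMX\t10 mail1.example.com.
example.com.\t3600\tIN\tMX\t20 mail2.example.com.
example.com.\t300\tIN\tTXT\t"v=spf1 include:_spf.example-mailer.net include:spf.example-crm.com -all"
example.com.\t300\tIN\tTXT\t"saas-site-verification=abc123placeholder"
example.com.\t300\tIN\tTXT\t"MS=ms00000000"
"""

# One dig answer line: NAME TTL CLASS TYPE RDATA (RDATA may itself contain spaces).
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z]+)\s+(.*)$")


def parse_dig_answers(text):
    """Return (name, ttl, rtype, rdata) tuples; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if not m:
            continue  # not an answer-section line (e.g. stray header text)
        name, ttl, _cls, rtype, rdata = m.groups()
        records.append((name.rstrip(".").lower(), int(ttl), rtype, rdata))
    return records


def summarise_records(records):
    """Group the passive-recon signal: mail hosts, SPF third parties, verification tokens."""
    summary = defaultdict(list)
    for _name, _ttl, rtype, rdata in records:
        if rtype == "MX":
            prio, host = rdata.split(None, 1)
            summary["mail_hosts"].append((int(prio), host.rstrip(".").lower()))
        elif rtype == "TXT":
            value = rdata.strip('"')
            if value.lower().startswith("v=spf1"):
                # Each include: term names an outside sender authorised for this domain.
                summary["spf_includes"].extend(
                    term.split(":", 1)[1] for term in value.split() if term.startswith("include:"))
            elif "verification" in value.lower() or value.startswith("MS="):
                summary["verification_tokens"].append(value)
            else:
                summary["other_txt"].append(value)
    summary["mail_hosts"].sort()  # lowest preference value first
    return dict(summary)


if __name__ == "__main__":
    for key, val in summarise_records(parse_dig_answers(SAMPLE_DIG_OUTPUT)).items():
        print(f"{key}: {val}")
```

Feed it real output with `dig example.com MX TXT +noall +answer > answers.txt` and pass the file contents to `parse_dig_answers`; the `+noall +answer` flags strip dig's header and statistics so only answer lines remain.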
Subdomains often expose development, staging, or internal services:
```bash
# Using subfinder (passive subdomain enumeration)
subfinder -d example.com -o subdomains.txt

# Using amass (comprehensive enumeration)
amass enum -passive -d example.com

# Using dnsrecon
dnsrecon -d example.com -t std

# DNS zone transfer attempt (active — only with authorisation)
dig @ns1.example.com example.com AXFR
```
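Each of the tools above produces its own output format, and a real engagement runs several of them, so the useful next step is to merge the results, normalise hostnames, discard anything outside the authorised scope, and flag the names that suggest development, staging or internal services. The following added example (not part of the lesson or any of the tools) does that over constructed sample output; the hostnames, IPs and the `SCOPE_APEX` value are assumptions for illustration.

```python
"""Merge and triage subdomain enumeration output from several tools.

Added example, not part of the lesson. The tool outputs below are constructed
samples that imitate subfinder, amass and dnsrecon line formats.
"""
import re

SCOPE_APEX = "example.com"  # the authorised target domain (assumption for this example)

# Constructed samples: one host per line (subfinder/amass) or dnsrecon's "[*] TYPE name data" lines.
SUBFINDER_OUT = """\
www.example.com
dev.example.com
API.example.com
"""
AMASS_OUT = """\
staging.example.com
www.example.com.
vpn.example.com
example.com.evil-lookalike.net
"""
DNSRECON_OUT = """\
[*] A www.example.com 203.0.113.10
[*] A intranet.example.com 10.0.0.5
[*] CNAME old-jenkins.example.com jenkins.example-hosting.net
"""

# A dotted hostname ending in an alphabetic TLD, optionally with a trailing dot (IP addresses do not match).
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\.?(?=\s|$)", re.IGNORECASE)

# Labels whose presence in a subdomain usually indicates a non-production or internal service.
INTERESTING = {"dev", "staging", "test", "uat", "intranet", "internal",
               "vpn", "jenkins", "admin", "api", "old"}


def extract_hostnames(text):
    """Pull every hostname-looking token out of raw tool output, lower-cased and without trailing dot."""
    names = set()
    for line in text.splitlines():
        for m in HOSTNAME_RE.finditer(line):
            names.add(m.group(1).lower().rstrip("."))
    return names


def in_scope(host, apex=SCOPE_APEX):
    """True only for the apex itself or a name ending in '.<apex>' (defeats look-alike suffix tricks)."""
    return host == apex or host.endswith("." + apex)


def triage(hosts, apex=SCOPE_APEX):
    """Split in-scope hosts into 'flagged' (subdomain labels hit INTERESTING) and 'plain'."""
    flagged, plain = [], []
    for host in sorted(hosts):
        sub = host[: -len(apex) - 1] if host != apex else ""
        labels = set(re.split(r"[.-]", sub)) if sub else set()
        (flagged if labels & INTERESTING else plain).append(host)
    return flagged, plain


def merge_and_triage(*outputs, apex=SCOPE_APEX):
    """Union all tool outputs, enforce scope, and return the triaged inventory."""
    all_names = set().union(*(extract_hostnames(o) for o in outputs))
    scoped = {h for h in all_names if in_scope(h, apex)}
    flagged, plain = triage(scoped, apex)
    return {"flagged": flagged, "plain": plain, "out_of_scope": sorted(all_names - scoped)}


if __name__ == "__main__":
    result = merge_and_triage(SUBFINDER_OUT, AMASS_OUT, DNSRECON_OUT)
    for bucket, hosts in result.items():
        print(f"{bucket}:")
        for h in hosts:
            print(f"  {h}")
```

The scope check is deliberately a suffix match on `"." + apex` rather than a substring search: `example.com.evil-lookalike.net` contains the target string but is not part of the engagement, and a CNAME target on a third-party host (`jenkins.example-hosting.net` in the sample) is reported separately rather than silently tested.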
| Tool | Purpose | URL |
|---|---|---|
| Shodan | Search engine for internet-connected devices | shodan.io |
| Censys | Internet-wide scanning data | censys.io |
| theHarvester | Email, subdomain, IP gathering | Built into Kali |
| Maltego | Visual link analysis and OSINT | maltego.com |
| Recon-ng | Modular OSINT framework | Built into Kali |
| SpiderFoot | Automated OSINT collection | spiderfoot.net |
Google advanced search operators can reveal sensitive information accidentally exposed on the web:
```text
# Find login pages
site:example.com inurl:login

# Find exposed configuration files
site:example.com filetype:env OR filetype:cfg OR filetype:conf

# Find directory listings
site:example.com intitle:"Index of /"

# Find exposed documents
site:example.com filetype:pdf OR filetype:xlsx OR filetype:docx

# Find subdomains indexed by Google
site:*.example.com -www

# Find potential SQL errors (indicates possible injection points)
site:example.com intext:"sql syntax" OR intext:"mysql_fetch"

# Find exposed backup files
site:example.com filetype:bak OR filetype:sql OR filetype:old
```