Introduction to Reconnaissance.


What is Reconnaissance?
Reconnaissance is the process of gathering information about a target organization or system. It includes collecting details such as:
→ Domain and network infrastructure
→ Security posture
→ Technologies in use
→ Internal architecture (if possible)
Reconnaissance is the first phase of ethical hacking and penetration testing. It helps an attacker (or ethical hacker) understand the target before launching an attack.
Types of Reconnaissance
→ Passive Reconnaissance
→ Active Reconnaissance
In this guide, we’ll focus only on passive reconnaissance.
1. Passive Reconnaissance
In passive reconnaissance, we collect information without directly interacting with the target system. That means we don’t send any packets to the target — instead, we use publicly available data from open sources (OSINT).
This approach is stealthy, and the target is usually unaware that information is being gathered.
Tools Used in Passive Reconnaissance:
Whois
A command-line tool to retrieve information about:
→ Domain names
→ IP addresses
→ Domain registration
It queries databases maintained by domain registrars and by Regional Internet Registries (RIRs) such as ARIN, RIPE NCC and APNIC.
Information you can get:
→ Domain owner
→ Registrar
→ Registration and expiration dates
→ Name servers (DNS)
→ Contact emails
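As an added example (not from the original post), here is a small Python parser for the fields listed above, run against a constructed WHOIS record; the field labels are assumptions, since registrar output formats differ, and the expiry check is the kind a defender runs against their own domains to catch a lapsing registration.

```python
import re
from datetime import datetime, timezone

# Constructed sample WHOIS response (not a real record). Registrars vary their
# labels and often redact contacts behind a privacy service: labels are assumed.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-02T10:00:00Z
Registry Expiry Date: 2026-03-02T10:00:00Z
Registrant Organization: Example Corp
Registrant Email: hostmaster@example.com
Admin Email: admin@example.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
DNSSEC: unsigned
"""

# Labels mapped onto the fields listed above (owner, registrar, dates).
FIELDS = {
    "owner": ("Registrant Organization", "Registrant Name"),
    "registrar": ("Registrar",),
    "created": ("Creation Date", "Created On"),
    "expires": ("Registry Expiry Date", "Expiration Date"),
}

def parse_whois(text):
    """Extract owner, registrar, dates, name servers and contact emails."""
    record = {"name_servers": [], "emails": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # skip blank lines and free-text notices
        key, value = key.strip(), value.strip()
        for field, labels in FIELDS.items():
            if key in labels and field not in record:
                record[field] = value  # keep the first occurrence only
        if key == "Name Server":
            record["name_servers"].append(value.lower())
        # Contact emails appear under several labels, so match them by shape.
        record["emails"].update(re.findall(r"[\w.+-]+@[\w.-]+\.\w+", value))
    record["emails"] = sorted(record["emails"])
    return record

def days_until_expiry(record, now_iso=None):
    """Days until registration lapses; useful for monitoring your own domains."""
    expires = datetime.fromisoformat(record["expires"].replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso \
        else datetime.now(timezone.utc)
    return (expires - now).days
```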
Netcraft
A powerful web-based tool for gathering information about:
→ Domains
→ Hosting infrastructure
→ Cyber threats
What it reveals:
→ Domain registrar
→ Name servers
→ Top-level domain (TLD) info
→ IPv4 and IPv6 addresses
→ Hosting country
→ Organization name
→ SSL/TLS certificate info
→ Web server and site technologies
Wappalyzer
A browser extension that identifies the technologies used on a website.
Detects:
→ CMS (e.g., WordPress)
→ JavaScript frameworks
→ E-commerce platforms
→ Web servers
→ Analytics tools
BuiltWith
Another technology profiler similar to Wappalyzer.
Shows:
→ Tech stack (languages, frameworks)
→ Hosting provider
→ SSL/TLS certificates
→ Email services
theHarvester
A command-line OSINT tool for gathering:
→ Email addresses
→ Subdomains
→ Hostnames
Sources include Google, Bing, Yahoo, LinkedIn and others.
It is useful for mapping the people and assets related to an organization.
Google Dorks
Also known as Google hacking.
Uses advanced search operators to find sensitive data indexed by Google.
Examples:
site:example.com filetype:pdf
intitle:index.of (to find directory listings)
inurl:admin or intext:password
Used to find:
→ Hidden files/directories
→ Login portals
→ Misconfigurations
→ Open cameras, backups, and more
Maltego
A visual intelligence and link analysis tool.
Helps find relationships between:
→ People
→ Domains
→ Emails
→ Social media
→ IP addresses
→ Organizations
Useful for:
→ Social engineering
→ Domain mapping
→ Deep OSINT investigations
Summary
Passive reconnaissance is a crucial phase in ethical hacking that allows you to gather valuable intel without alerting the target. It's stealthy, legal (when done responsibly), and forms the foundation for more in-depth investigations.