Introduction to Reconnaissance

What is Reconnaissance?

Reconnaissance is the process of gathering information about a target organization or system. It includes collecting details such as:

→ Domain and network infrastructure

→ Security postures

→ Technologies in use

→ Internal architecture (if possible)

Reconnaissance is the first phase of ethical hacking and penetration testing. It helps an attacker (or ethical hacker) understand the target before launching an attack.


Types of Reconnaissance

  1. Passive Reconnaissance

  2. Active Reconnaissance

In this guide, we’ll focus only on passive reconnaissance.


1. Passive Reconnaissance

In passive reconnaissance, we collect information without directly interacting with the target system. That means we don’t send any packets to the target — instead, we use publicly available data from open sources (OSINT).

This approach is stealthy, and the target is usually unaware of the information gathering process.


Tools Used in Passive Reconnaissance:

  1. Whois

A command-line tool to retrieve information about:

→ Domain names

→ IP addresses

→ Domain registration

It queries the databases maintained by domain registrars and by the Regional Internet Registries (RIRs) such as ARIN, RIPE NCC and APNIC.

Information you can get:

→ Domain owner

→ Registrar

→ Registration and expiration dates

→ Name servers (DNS)

→ Contact emails
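As an added example that is not part of the original guide, the small Python parser below reads the "Key: value" layout most whois servers return, pulls out the fields listed above, and (as a defender's check on your own domains) computes how many days remain before a registration lapses, since an expired domain can be re-registered by anyone. The WHOIS text and the domain name in it are constructed sample data, not a real record.

```python
from datetime import datetime

# Constructed sample WHOIS response for a made-up domain (not a real record);
# most whois servers return this "Key: value" layout, one field per line.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Placeholder Registrar, LLC
Creation Date: 2015-03-02T10:00:00Z
Registry Expiry Date: 2025-08-13T10:00:00Z
Registrant Organization: Example Corp (constructed)
Registrant Email: hostmaster@example-corp.test
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
>>> Last update of WHOIS database: 2025-07-01T00:00:00Z <<<
"""

# Raw WHOIS keys (lower-cased) mapped to the fields listed above; registrars
# differ in how they name the expiry date, so two spellings map to "expires".
FIELD_MAP = {
    "registrar": "registrar",
    "creation date": "created",
    "registry expiry date": "expires",
    "registrar registration expiration date": "expires",
    "registrant organization": "owner",
    "registrant email": "contact_email",
}

def parse_whois(text):
    """Turn a raw WHOIS response into a dict; name servers repeat, so they become a list."""
    record = {"name_servers": []}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, the trailing ">>> Last update ... <<<" banner and free-text lines.
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name server" and value:
            record["name_servers"].append(value.lower())
        elif key in FIELD_MAP and FIELD_MAP[key] not in record:
            record[FIELD_MAP[key]] = value  # first occurrence of a field wins
    return record

def days_until_expiry(record, today):
    """Days from `today` until the registration lapses, or None if no parseable expiry date."""
    try:
        expires = datetime.strptime(record.get("expires", "")[:10], "%Y-%m-%d")
    except ValueError:
        return None
    return (expires - today).days
```

Feeding the sample record to `days_until_expiry` with a `today` of 2025-07-01 yields 43 days; a negative or small value on one of your own domains is the signal to renew before someone else can register it.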


  2. Netcraft

A powerful web-based tool for gathering information about:

→ Domains

→ Hosting infrastructure

→ Cyber threats

What it reveals:

→ Domain registrar

→ Name servers

→ Top-level domain (TLD) info

→ IPv4 and IPv6 addresses

→ Hosting country

→ Organization name

→ SSL/TLS certificate info

→ Web server and site technologies


  3. Wappalyzer

A browser extension that identifies the technologies used on a website.

Detects:

→ CMS (e.g., WordPress)

→ JavaScript frameworks

→ E-commerce platforms

→ Web servers

→ Analytics tools


  4. BuiltWith

Another technology profiler similar to Wappalyzer.

Shows:

→ Tech stack (languages, frameworks)

→ Hosting provider

→ SSL certs

→ Email services


  5. theHarvester

A command-line OSINT tool for gathering:

→ Email addresses

→ Subdomains

→ Hostnames

Its sources include Google, Bing, Yahoo, LinkedIn and others.

It is useful for mapping the people and assets related to an organization.


  6. Google Dorks

Also known as Google hacking.

Uses advanced search operators to find sensitive data indexed by Google.

Examples:

site:example.com filetype:pdf

intitle:index.of (to find directory listings)

inurl:admin or intext:password

Used to find:

→ Hidden files/directories

→ Login portals

→ Misconfigurations

→ Open cameras, backups, and more


  7. Maltego

A visual intelligence and link analysis tool.

Helps find relationships between:

→ People

→ Domains

→ Emails

→ Social media

→ IP addresses

→ Organizations

Useful for:

→ Social engineering

→ Domain mapping

→ Deep OSINT investigations


Summary

Passive reconnaissance is a crucial phase in ethical hacking that allows you to gather valuable intel without alerting the target. It's stealthy, legal (when done responsibly), and forms the foundation for more in-depth investigations.


Written by

SANJAYKUMAR ELKAPALLY