02 - Reconnaissance
#Overview
Reconnaissance is the first and foundational phase of any penetration test. The goal is to gather as much information as possible about the target without triggering alarms. Quality reconnaissance directly determines the success rate of every subsequent phase -- the more you know before you touch a target, the fewer mistakes you make.
Reconnaissance is divided into two broad categories:
| Type | Description | Risk of Detection |
|---|---|---|
| Passive Recon | Gathering information without directly interacting with target infrastructure. Uses public sources, third-party services, and cached data. | Near zero |
| Active Recon | Direct interaction with target systems (DNS queries, pings, light probing) that may leave logs. | Low to moderate |
#Methodology
The reconnaissance phase follows a deliberate progression from safest to riskiest:
#1. OSINT / Passive Reconnaissance
Start with information that already exists in the public domain. Search engines, social media, job postings, breach databases, certificate transparency logs, and WHOIS records all hold valuable intelligence without ever touching the target's network.
- Technologies in use -- job postings, Stack Overflow profiles, LinkedIn
- Email format and usernames -- hunter.io, phonebook.cz, breach databases
- Subdomains -- certificate transparency logs (crt.sh), search engine dorks
- Leaked credentials -- dehashed, breach-parse, public dumps
- Employee names / org structure -- LinkedIn, company website, conference talks
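Certificate transparency is the richest passive subdomain source, but the raw crt.sh output needs cleaning before it is useful: one entry can list several SANs, names come in mixed case, wildcard certificates are not hosts, and lookalike domains that merely contain the target string must be dropped. The following is an added example (not from the original page) that does that normalisation on a constructed sample of crt.sh JSON; the hostnames in the sample and the `fetch_crtsh` helper that pulls live data are assumptions for illustration.

```python
import json
import urllib.request
from typing import Set, Tuple

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.target.com&output=json: a JSON array of certificate
# entries whose "name_value" field lists every SAN, newline-separated, and
# may contain wildcards, mixed case, trailing dots and lookalike names.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.target.com",
     "name_value": "www.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.target.com",
     "name_value": "*.target.com\nmail.target.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "VPN.Target.com.",
     "name_value": "VPN.Target.com."},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "target.com.example.net",      # lookalike, out of scope
     "name_value": "target.com.example.net"},
])


def in_scope(name: str, domain: str) -> bool:
    """True if name is the apex domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def extract_hostnames(crtsh_json: str, domain: str) -> Tuple[Set[str], Set[str]]:
    """Split crt.sh JSON into (concrete hostnames, wildcard names) in scope.

    Names are lower-cased and stripped of a trailing dot so the same host
    issued under different spellings collapses to a single entry.
    """
    domain = domain.lower().rstrip(".")
    hosts: Set[str] = set()
    wildcards: Set[str] = set()
    for entry in json.loads(crtsh_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or not in_scope(name, domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)   # evidence of a wildcard cert, not a host
            else:
                hosts.add(name)
    return hosts, wildcards


def fetch_crtsh(domain: str) -> str:
    """Download live crt.sh JSON for %.domain (needs network; the sample run does not call it)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    hosts, wildcards = extract_hostnames(SAMPLE_CRTSH_JSON, "target.com")
    for h in sorted(hosts):
        print(h)
    print("wildcard certs (hint for DNS brute-forcing, not hosts):", sorted(wildcards))
```

The wildcard names are returned separately on purpose: a `*.target.com` certificate tells you the organisation terminates TLS for arbitrary subdomains, which is a strong hint that DNS brute-forcing in the next step will pay off, but it is not itself a host to scan.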
#2. DNS Enumeration
Once passive OSINT is exhausted, begin DNS queries. Looking a name up through a public recursive resolver is ordinary internet traffic and is often answered from cache, but queries sent directly to the target's authoritative name servers (dig @ns1.target.com), zone transfer attempts and brute-force runs all reach servers the target controls and can be logged there.
- Zone transfers (rarely permitted, but cheap to attempt; an AXFR request is distinctive in name server logs, so expect it to be noticed if anyone is watching)
- Subdomain brute-forcing with curated wordlists (check for a wildcard record first, or every guess will appear to resolve)
- DNS record analysis (A, AAAA, MX, NS, TXT, CNAME, SOA), querying each type individually rather than relying on ANY, which many servers refuse or answer minimally
- Reverse DNS lookups on IP ranges
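A wildcard record turns subdomain brute-forcing into noise: every word in the list "resolves", usually to the same address. The usual countermeasure is to query a few random labels first, record what they return, and discard any brute-force hit whose answer is a subset of that wildcard answer. The following is an added example (not from the original page) of that logic with the resolver injected as a function, so the sample run works offline against a constructed zone; `live_resolve` uses the system resolver via `socket.gethostbyname_ex` for real use. The zone contents and the TEST-NET-3 addresses are assumptions for illustration.

```python
import random
import socket
import string
from typing import Callable, Dict, FrozenSet, Iterable, Optional

# A resolver maps a hostname to the set of A records it returns, or an
# empty set when the name does not resolve (NXDOMAIN / no answer).
Resolver = Callable[[str], FrozenSet[str]]


def live_resolve(host: str) -> FrozenSet[str]:
    """Resolve through the system resolver (needs network; the sample run uses fake_resolve)."""
    try:
        return frozenset(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return frozenset()


def random_label(length: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Optional[FrozenSet[str]]:
    """Query several random labels under domain.

    A label nobody could have created should not resolve; if it does, the
    zone has a wildcard record. The union of the answers is returned so that
    brute-force hits with the same answers can be discarded. None means no
    wildcard was observed.
    """
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    hits = [a for a in answers if a]
    if not hits:
        return None
    return frozenset().union(*hits)


def brute_force(domain: str, words: Iterable[str], resolve: Resolver,
                wildcard: Optional[FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
    """Return {hostname: A records} for wordlist entries that resolve to
    something other than the wildcard answer."""
    found: Dict[str, FrozenSet[str]] = {}
    for word in words:
        host = f"{word.strip().lower()}.{domain}"
        ips = resolve(host)
        if not ips:
            continue
        if wildcard is not None and ips <= wildcard:
            # Indistinguishable from the wildcard: the name may still exist as
            # an explicit record, but DNS alone cannot tell, so do not report it.
            continue
        found[host] = ips
    return found


# Constructed zone for the sample run: two real hosts plus a wildcard that
# points every other name under target.com at 203.0.113.99 (TEST-NET-3).
FAKE_ZONE = {
    "www.target.com": frozenset({"203.0.113.10"}),
    "mail.target.com": frozenset({"203.0.113.20", "203.0.113.21"}),
}
FAKE_WILDCARD = frozenset({"203.0.113.99"})


def fake_resolve(host: str) -> FrozenSet[str]:
    if host in FAKE_ZONE:
        return FAKE_ZONE[host]
    if host.endswith(".target.com"):
        return FAKE_WILDCARD
    return frozenset()


if __name__ == "__main__":
    wc = detect_wildcard("target.com", fake_resolve)
    print("wildcard answer:", sorted(wc) if wc else None)
    hits = brute_force("target.com", ["www", "mail", "dev", "staging"], fake_resolve, wc)
    for host, ips in hits.items():
        print(host, sorted(ips))
```

This filters on A records only. Zones that implement the wildcard with a CNAME to a load balancer can return a different address on each query, in which case compare the CNAME target (or the HTTP response of the candidate host) rather than the IP set.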
#3. Light Active Probing
Only after passive and DNS recon are complete should you send any packets directly to target IPs. Everything in this step lands in the target's own logs, so keep it to a handful of requests per host.
- Identifying live hosts (ICMP ping sweeps are widely filtered at the perimeter; a single TCP connection to a port the host is expected to serve, such as 443, confirms it is up and blends in with ordinary traffic)
- Banner grabbing from public-facing services
- Technology stack fingerprinting (WhatWeb and Wappalyzer fetch pages from the target; BuiltWith answers from its own crawl data and is effectively passive)
#What's in This Section
| File | Covers |
|---|---|
| passive-recon.md | OSINT sources, search engine dorks, certificate transparency, breach data, social media profiling, employee enumeration, technology stack discovery via public sources |
| dns-enumeration.md | DNS record types, zone transfer attempts, subdomain brute-forcing (gobuster/dnsrecon), reverse DNS, wildcard detection, virtual host discovery |
#Cross-References
- 03-enumeration -- Once target scope and assets are mapped, move to active scanning and service enumeration
- 04-vulnerability-assessment -- Recon findings feed directly into vulnerability research
#Quick Reference: Recon Command Cheatsheet
```bash
# Passive (no packets reach target infrastructure)
whois target.com
theHarvester -d target.com -b all
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u
shodan search "org:target"        # answered from Shodan's own scan data, so passive

# DNS (reaches the target's authoritative servers unless answered from resolver cache)
for t in A AAAA MX NS TXT CNAME SOA; do dig +short target.com $t; done   # per-type; ANY is widely refused or answered minimally
dnsrecon -d target.com -t std
gobuster dns -d target.com -w subdomains.txt

# Light Active (packets sent to target hosts)
curl -s -I https://target.com
```