
# Passive Reconnaissance

## Overview

Passive reconnaissance gathers intelligence without directly interacting with the target's infrastructure. Information comes from public sources: search engines, DNS records, certificate transparency logs, social media, job postings, and code repositories. This phase identifies domains, subdomains, IP ranges, technologies in use, employee names/roles, and potential entry points — all without sending a single packet to the target.

## Prerequisites

  • Web browser
  • Command-line DNS tools (dig, nslookup, host)
  • API keys for services like Shodan (optional but powerful)

## Execution

## WHOIS Lookup

```bash
# Basic WHOIS for domain registration info
whois example.com

# Regional WHOIS servers (RIRs) may hold different data for IP space
whois -h whois.arin.net 192.0.2.1
```

WHOIS reveals: registrant organization, admin/tech contacts (emails, phones), name servers, registration dates, IP ranges. Privacy-protected WHOIS still shows the registrar and name servers.

## DNS Enumeration (Passive)

```bash
# Basic DNS record types
dig example.com ANY          # All records (often blocked)
dig example.com A            # IPv4 address
dig example.com AAAA         # IPv6 address
dig example.com MX           # Mail servers
dig example.com NS           # Name servers
dig example.com TXT          # TXT records (SPF, DKIM, DMARC)
dig example.com CNAME        # Canonical name
dig example.com SOA          # Start of Authority

# Zone transfer attempt (rarely works, but always try)
# Note: this queries the target's name server directly, so it is not strictly passive
dig axfr @ns1.example.com example.com

# Reverse DNS lookup
dig -x 192.0.2.1

# DNS brute-force (subdomain discovery via public resolvers)
# Note: the resolver still forwards each query to the target's authoritative servers
dnsrecon -d example.com -t brt
```
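The TXT records above carry the domain's mail authentication policy. The following added example (not part of the original module) parses constructed `dig ... TXT +short` output and summarises SPF and DMARC posture, flagging the weak settings a defender would want fixed (`+all`/`?all`/missing `all` in SPF, `p=none` in DMARC); the sample records and the `google-site-verification` value are made up for illustration.

```python
import re

# Constructed sample of what `dig example.com TXT +short` and
# `dig _dmarc.example.com TXT +short` could print; not real records.
SAMPLE_TXT = {
    "example.com": [
        '"v=spf1 include:_spf.google.com ip4:192.0.2.0/24 ~all"',
        '"google-site-verification=abc123"',
    ],
    "_dmarc.example.com": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
}

# SPF mechanisms that name who may send mail for the domain
SENDER_MECHS = {"ip4", "ip6", "include", "a", "mx", "exists"}


def parse_txt(records):
    """Strip dig's quoting and re-join a record split across several strings."""
    return ["".join(re.findall(r'"([^"]*)"', r)) for r in records]


def spf_findings(spf):
    terms = spf.split()[1:]  # drop the "v=spf1" version tag
    senders = [t for t in terms
               if t.lstrip("+-~?").split(":")[0].split("/")[0] in SENDER_MECHS]
    all_mech = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    return {
        "authorized_senders": senders,
        "all_mechanism": all_mech,
        # No "all", "+all" or "?all" lets anyone send as the domain; "~all" only softfails
        "weak": all_mech in (None, "all", "+all", "?all"),
    }


def dmarc_findings(dmarc):
    tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
    return {"policy": tags.get("p"),
            "enforcing": tags.get("p") in ("quarantine", "reject")}


def email_posture(txt_by_name, domain):
    """Summarise SPF and DMARC from TXT records keyed by owner name."""
    spf = next((r for r in parse_txt(txt_by_name.get(domain, []))
                if r.startswith("v=spf1")), None)
    dmarc = next((r for r in parse_txt(txt_by_name.get("_dmarc." + domain, []))
                  if r.startswith("v=DMARC1")), None)
    return {"spf": spf_findings(spf) if spf else None,
            "dmarc": dmarc_findings(dmarc) if dmarc else None}
```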

## Certificate Transparency Logs

SSL/TLS certificates are publicly logged. This is the single best source of subdomains:

```bash
# crt.sh (web: https://crt.sh)
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u

# Certificate spotter
certspotter -domain example.com

# Subfinder (aggregates multiple sources)
subfinder -d example.com -silent
```
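The `jq` one-liner above leaves multi-SAN entries, wildcards, mixed case and look-alike names in the output. This added example (not from the module) does the same extraction in Python over a constructed crt.sh-style JSON sample, normalising names and keeping only hosts that are actually under the root domain, which is the scope check the Common Pitfalls section asks for. It assumes crt.sh's `name_value` field holds newline-separated SANs, which it does.

```python
import json
import re

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json; not a real query result.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "VPN.Example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com\nautodiscover.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil-lookalike.net"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "notexample.com"},
])

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(host, root):
    """True only when host is the root domain itself or a subdomain of it."""
    return host == root or host.endswith("." + root)


def extract_subdomains(crtsh_json, root):
    """Return sorted, unique, in-scope hostnames from crt.sh JSON output."""
    names = set()
    for entry in json.loads(crtsh_json):
        # One certificate can carry several SANs, newline-separated in name_value
        for raw in entry["name_value"].split("\n"):
            host = raw.strip().lower()
            if host.startswith("*."):
                host = host[2:]  # a wildcard names the zone, not a host
            if not HOSTNAME_RE.match(host):
                continue  # skip malformed or non-hostname SAN values
            if in_scope(host, root):
                names.add(host)
    return sorted(names)
```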

## Shodan

```bash
# Search for organization's exposed services
shodan search org:"Example Corp"
shodan search ssl:"example.com"
shodan search hostname:example.com

# Download results
shodan download example_org org:"Example Corp"
shodan parse --fields ip_str,port,org,hostnames example_org.json.gz
```

## Google Dorking

```text
site:example.com                       # All indexed pages from domain
site:example.com filetype:pdf          # PDF documents
site:example.com filetype:xlsx         # Excel spreadsheets
site:example.com inurl:admin           # Admin pages
site:example.com intitle:"index of"    # Directory listings
site:example.com intext:"password"     # Pages mentioning passwords
site:example.com ext:php               # PHP files
site:example.com -www                  # Subdomains excluding www
site:example.com inurl:login           # Login portals
```

## GitHub / Code Repository Search

```text
# GitHub search queries for sensitive information
# Web: https://github.com/search
"example.com" password
"example.com" secret
"example.com" api_key
"example.com" connectionString
"example.com" BEGIN RSA PRIVATE KEY
org:ExampleCorp password
```

## Employee & Technology Discovery

  • LinkedIn: Search for company employees, job titles, technologies mentioned in profiles
  • Job postings: Reveal tech stack (e.g., "5 years Kubernetes experience", "managing Cisco ASA firewalls")
  • Stack Overflow: Employees asking technical questions with internal details
  • SlideShare / Conference talks: Architecture diagrams, internal tools

## Archive.org (Wayback Machine)

```bash
# Historical snapshots of target website
# Web: https://web.archive.org/web/*/example.com
# Reveals old endpoints, forgotten pages, past vulnerabilities

# waybackurls tool
waybackurls example.com
```

## Amass (Comprehensive OSINT)

```bash
# Passive enumeration
amass enum -passive -d example.com -o amass_passive.txt

# Active enumeration (includes DNS brute-force, cert pulling, web scraping)
amass enum -active -d example.com -o amass_active.txt

# Intel (reverse whois, ASN discovery)
amass intel -org "Example Corp"
amass intel -asn 12345
```

## What to Extract

From passive recon, build a list of:

| Asset Type | Examples |
|---|---|
| Root domains | example.com, example.org |
| Subdomains | www.example.com, mail.example.com, vpn.example.com |
| IP ranges | 192.0.2.0/24 |
| Email addresses | admin@example.com, john.doe@example.com |
| Employee names | John Doe, Jane Smith |
| Technologies | Apache, IIS, AWS, Azure, WordPress, React |
| Third-party services | StatusPage, Zendesk, Salesforce |
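As an added example (not from the module), the function below maps `shodan parse` rows onto the asset types in the table: subdomains, IPs with their open ports, and candidate IP ranges. It also sets aside rows where an in-scope hostname sits on an IP that Shodan attributes to a different organisation, which is the out-of-scope and third-party case the Common Pitfalls section warns about. The sample is constructed in the tab-separated, comma-joined-hostnames layout assumed for `shodan parse --fields ip_str,port,org,hostnames`.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout assumed for
#   shodan parse --fields ip_str,port,org,hostnames example_org.json.gz
# (tab-separated, hostnames comma-joined); not real Shodan data.
SAMPLE_SHODAN_TSV = (
    "198.51.100.10\t443\tExample Corp\tvpn.example.com\n"
    "198.51.100.10\t22\tExample Corp\tvpn.example.com\n"
    "198.51.100.25\t80\tExample Corp\twww.example.com,example.com\n"
    "203.0.113.7\t3389\tExample Corp\t\n"
    "203.0.113.9\t443\tOther Hosting Inc\tshop.example.com\n"
)


def build_inventory(tsv, root, org):
    """Map Shodan rows onto the asset types from the table above."""
    inv = {"subdomains": set(), "ips": {}, "ip_ranges": set(), "review": []}
    for ip, port, host_org, hostnames in csv.reader(io.StringIO(tsv), delimiter="\t"):
        inv["ips"].setdefault(ip, set()).add(int(port))
        # /24 is only a heuristic for the range; confirm it against WHOIS/ASN data
        inv["ip_ranges"].add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        for host in filter(None, hostnames.split(",")):
            if host == root or host.endswith("." + root):
                inv["subdomains"].add(host)
        if host_org != org:
            # In-scope hostname on someone else's IP (CDN, shared hosting, third
            # party): confirm ownership before treating the IP as a target
            inv["review"].append((ip, host_org))
    return {k: sorted(v) if isinstance(v, set) else v for k, v in inv.items()}
```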

## ProjectDiscovery Tools

```bash
# httpx — Probing and technology detection
httpx -l subdomains.txt -status-code -title -tech-detect -o results.txt
# nuclei — Vulnerability scanning from recon data
nuclei -l subdomains.txt -t cves/ -t exposures/ -severity critical,high
# Note: both tools connect to the hosts, so this is active probing, not passive recon
# Install: apt install httpx nuclei  OR  go install github.com/projectdiscovery/httpx/cmd/httpx@latest
```

## Cloud Resource Discovery

```bash
# AWS S3 bucket listing without credentials (anonymous access check)
aws s3 ls s3://target-bucket --no-sign-request
# AWS: Use S3Scanner for bucket discovery
python3 s3scanner.py target.com
```

## Recon-ng Framework

```bash
# -w selects the workspace, -o sets the module's SOURCE option, -x runs the module
recon-cli -w example_corp -m recon/domains-hosts/hackertarget -o SOURCE=example.com -x
# Interactive: recon-ng → marketplace install all → modules load ...
```

## theHarvester Detailed Usage

```bash
theHarvester -d example.com -b all -l 500
theHarvester -d example.com -b google,bing,linkedin -n   # -n: enable DNS lookup of found hosts (-h is help)
```

## Breach Data Lookup

```bash
# dehashed — Breach credential search (requires API key)
dehashed -d example.com -l 100
# hibp — HaveIBeenPwned check (Python client for the Pwned Passwords API)
pip install pwnedpasswords
```

## Sherlock — Username Enumeration

```bash
sherlock username
# Install: pip install sherlock-project
```

## Common Pitfalls

  • Out-of-scope assets: Verify discovered subdomains belong to the target before testing
  • Stale DNS records: Old A records may point to decommissioned servers or someone else's IP
  • CDN/WAF masking: Websites behind Cloudflare/Akamai hide the origin IP; use historical DNS, certificate logs, or direct IP scanning to find origin

## OPSEC Considerations

  • Passive recon is inherently stealthy since it doesn't touch the target
  • Shodan searches are logged by Shodan (not visible to target, but your search history is tracked)
  • GitHub code searches can be tracked by GitHub if you interact with repos (star/fork)
  • LinkedIn profile views may be visible to the target depending on their privacy settings
  • Consider using anonymous browsers/VPNs for all OSINT activities

## Post-Exploitation Value

Passive recon feeds directly into active scanning and enumeration. You now have a list of targets to scan, technologies to research vulnerabilities for, and naming conventions (usernames, email formats) for later password spraying or phishing.