# Reconnaissance - The Art of Information Gathering
Welcome to reconnaissance. Here you'll learn how to gather intel on targets before doing anything else. Recon is a critical phase - it can make or break everything that comes after.
## Why Reconnaissance Matters
It's about understanding your target. The more you know, the better you'll do. Think of it as doing homework before a test - skip it and you'll struggle.
Real story: During a pentest, I found an unprotected database just by checking public sources. I showed the client a critical vulnerability without touching a single system. That's the power of good recon.
## Types of Reconnaissance

### Passive Reconnaissance
You gather information without touching the target. Think of yourself as a detective watching from across the street - you see everything but nobody knows you're there.
#### Techniques:
- WHOIS Lookups: Find out who owns a domain and their contact information.
- DNS Queries: Discover subdomains and IP addresses associated with a domain.
- Social Media Scraping: Gather information from social media profiles.
- Public Records: Search for information in public databases.
### Active Reconnaissance
You interact directly with the target. It's riskier because they might notice you, but sometimes you need to poke around to find what you're looking for.
#### Techniques:
- Port Scanning: Identify open ports and services running on a target.
- Network Mapping: Discover the network structure and devices.
- Vulnerability Scanning: Identify known vulnerabilities in services.
## Tools for Reconnaissance

### WHOIS Lookup

```bash
# Use the whois command to gather domain information
whois example.com
```
### DNS Enumeration

```bash
# Use dig to perform DNS queries
dig example.com
dig axfr example.com @ns1.example.com # Zone transfer (if allowed)
```
### Subdomain Enumeration

```bash
# Use tools like Sublist3r or Amass for subdomain enumeration
sublist3r -d example.com
amass enum -d example.com
```
### Social Media Scraping
- Maltego: A powerful tool for gathering information from social media and other public sources.
- SpiderFoot: An open-source intelligence automation tool that can gather data from various sources.
### Port Scanning

```bash
# Use nmap for port scanning
nmap -sS -p- example.com # Scan all ports
nmap -sV example.com # Service version detection
```
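What the `nmap -sS -p-` scan above looks like from the defender's side, as an added example that is not part of the original page: a small Python detector that flags any source hitting many distinct ports within a short window. It runs against a constructed, simplified iptables-style log; the line format, IP addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Simplified, constructed log format: "<epoch> SRC=<ip> DPT=<port> SYN"
LINE_RE = re.compile(r"^(?P<ts>\d+) SRC=(?P<src>[\d.]+) DPT=(?P<dpt>\d+) SYN$")


def parse_line(line):
    """Return (timestamp, source_ip, dest_port) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], int(m["dpt"])


def detect_scanners(lines, window=10, min_ports=20):
    """Map each source that touched at least `min_ports` distinct destination
    ports inside any `window`-second span to the largest such port count.
    A full `-p-` SYN sweep trips this in seconds; a browser on 80/443 never does."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()          # events inside the sliding window
        for ts, dpt in evs:
            recent.append((ts, dpt))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = len({p for _, p in recent})
            if distinct >= min_ports:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def build_sample_log():
    """Constructed sample: one host sweeps ports 1-40 in about four seconds
    (scanner), another opens 80/443 a few times over three minutes (normal)."""
    lines = [f"{1700000000 + port // 10} SRC=203.0.113.5 DPT={port} SYN"
             for port in range(1, 41)]
    lines += [f"{1700000000 + i * 30} SRC=198.51.100.7 DPT={80 if i % 2 else 443} SYN"
              for i in range(6)]
    lines.append("kernel: link is up")   # unrelated line, must be ignored
    return lines


if __name__ == "__main__":
    for src, ports in detect_scanners(build_sample_log()).items():
        print(f"possible port scan from {src}: {ports} distinct ports in 10s")
```

A real deployment would read firewall or NetFlow records instead of the constructed lines, but the sliding-window count of distinct ports per source is the same logic most IDS port-scan rules use, which is why "hammering" a target with a full-range scan is noticed so quickly.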
### Network Mapping

```bash
# Use traceroute to map the network path
traceroute example.com
```
### Vulnerability Scanning

Use tools like Nessus or OpenVAS for vulnerability scanning.
## Real World Application
Recon isn't just gathering data - it's about using it smartly. Find outdated software? Tailor your attack to exploit those specific vulnerabilities. Discover a dev subdomain? Check it first - dev environments are usually less secure.
## Practice Exercises
- WHOIS Lookup: Perform a WHOIS lookup on a domain of your choice and summarize the information you find.
- DNS Enumeration: Use `dig` to gather DNS information about a target domain.
- Subdomain Enumeration: Use Sublist3r or Amass to find subdomains for a target.
- Port Scanning: Use Nmap to scan a target and identify open ports.
- Network Mapping: Use traceroute to map the network path to a target.
## Common Mistakes to Avoid
- Being too obvious: When doing active recon, stay discreet. Don't hammer the target with requests.
- Ignoring legal boundaries: Always get permission first. Unauthorized testing is illegal, period.
- Skipping passive recon: You'll find tons of useful info without ever touching their systems. Don't skip this step.
## Next Steps
Got the basics? Time to dive deeper into specific techniques and tools. Check out the detailed guides below for step-by-step instructions on everything from subdomain enumeration to social media OSINT.
Ready to keep going? You can also jump to Vulnerability Guides when you're ready.