What is Passive Recon?
Passive reconnaissance is the art of gathering intelligence about a target without directly engaging with its systems. This stealthy phase is all about observation without detection. Ethical hackers rely on publicly available information to build a complete profile before taking any active steps.
Why is Passive Recon Important?
- Helps identify potential attack vectors before detection systems are triggered
- Reduces risk during the early phases of penetration testing
- Builds a complete view of exposed digital footprints
- Essential for bug bounty hunters and red teamers alike
Key Techniques in Passive Recon
1. Google Dorking
Use advanced Google search operators to uncover sensitive data, misconfigurations, or indexed files.
site:example.com filetype:pdf
intitle:"index of" "backup"
site:example.com inurl:login
2. WHOIS Lookups
Discover domain ownership details, registration data, and contact information.
whois example.com
Online tools: DomainTools, Who.is
3. DNS & Subdomain Enumeration
Identify subdomains using certificate transparency logs, DNS tools, and third-party APIs.
crt.sh/?q=%25.example.com
dig NS example.com
amass enum -passive -d example.com
4. OSINT Framework Tools
Use structured toolkits to automate data collection from public sources.
- theHarvester: collect emails, subdomains, IPs
- Maltego: visual data relationship mapping
- SpiderFoot: fully automated OSINT scanning
5. Social Media & Public Data Mining
Collect data from LinkedIn, Twitter, GitHub, and forums for usernames, technologies, and insider info.
- LinkedIn: company employees, technologies used
- GitHub: code leaks, repo history
- Twitter: infrastructure hints, outage reports
Step-by-Step Passive Recon Workflow
- Define the target scope: domains, IPs, subnets, company names, technologies
- Start with Google Dorking: explore what search engines reveal
- Run WHOIS and DNS checks: collect registrant and infrastructure info
- Enumerate subdomains: use Amass, crt.sh, Sublist3r
- Leverage OSINT tools: automate data collection (SpiderFoot, theHarvester)
- Analyze social platforms: gather human intelligence (HUMINT)
- Document all findings: maintain logs, screenshots, and links
Real-World Passive Recon Example
Let's say your target is examplecorp.com. Here's how passive recon might unfold:
# Discover subdomains via certificate transparency
https://crt.sh/?q=%25.examplecorp.com
# Run theHarvester
theHarvester -d examplecorp.com -b bing,linkedin,google
# GitHub username discovery
site:github.com examplecorp
# Use Amass (passive only)
amass enum -passive -d examplecorp.com
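The crt.sh query in the subdomain enumeration technique above (and in this worked example) returns every certificate name ever logged for the domain, which is noisy: wildcards, mixed case, duplicate SANs, and lookalike names that merely start with the target domain. The following added example (not part of the original post) parses a constructed sample in the shape of crt.sh's `&output=json` response, normalizes it into a clean hostname list, and then does the check a defender wants after this step: diffing the logged names against the known asset inventory to surface forgotten hosts. The sample data, the inventory list and the function names are assumptions for illustration.

```python
import json
from typing import Iterable

# Constructed sample in the shape of https://crt.sh/?q=%25.examplecorp.com&output=json
# (only the fields used here are included). Deliberately contains a wildcard,
# mixed case, a duplicate SAN and a lookalike domain that must be rejected.
SAMPLE_CRT_JSON = json.dumps([
    {"common_name": "www.examplecorp.com",
     "name_value": "www.examplecorp.com\nexamplecorp.com"},
    {"common_name": "*.examplecorp.com",
     "name_value": "*.examplecorp.com\nexamplecorp.com"},
    {"common_name": "Old-VPN.examplecorp.com",
     "name_value": "Old-VPN.examplecorp.com"},
    {"common_name": "examplecorp.com.lookalike.test",
     "name_value": "examplecorp.com.lookalike.test"},
    {"common_name": "mail.examplecorp.com",
     "name_value": "mail.examplecorp.com\nautodiscover.examplecorp.com"},
])


def extract_subdomains(crt_json_text: str, domain: str) -> list[str]:
    """Return sorted, de-duplicated hostnames under `domain` from crt.sh JSON.

    Wildcards are reduced to their base name; names are lower-cased; only
    exact suffix matches are kept, so "examplecorp.com.lookalike.test" is dropped.
    """
    domain = domain.lower().strip(".")
    found: set[str] = set()
    for entry in json.loads(crt_json_text):
        # name_value holds newline-separated SANs; common_name may add one more.
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def unknown_assets(discovered: Iterable[str], inventory: Iterable[str]) -> list[str]:
    """Hostnames present in CT logs but missing from the known-asset inventory."""
    known = {h.lower().rstrip(".") for h in inventory}
    return sorted(h for h in discovered if h not in known)


if __name__ == "__main__":
    subs = extract_subdomains(SAMPLE_CRT_JSON, "examplecorp.com")
    # Constructed inventory: the old VPN host and autodiscover were never recorded.
    inventory = ["examplecorp.com", "www.examplecorp.com", "mail.examplecorp.com"]
    print("logged:", subs)
    print("not in inventory:", unknown_assets(subs, inventory))
```

Run against live crt.sh output by replacing SAMPLE_CRT_JSON with the fetched response body; the names flagged as not in inventory are the ones to review or decommission.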
Tips & Best Practices
- Always use passive methods first to avoid detection
- Document every finding, even ones that seem minor
- Combine manual searches with automation for scale
- Use a VPN or Tor browser when exploring sensitive sources
- Create asset maps: domains, IPs, email patterns, GitHub repos