What is Reconnaissance?

Reconnaissance is the first phase in the ethical hacking and penetration testing process. The goal is to gather as much information as possible about the target, either passively or actively, before launching an attack or vulnerability assessment.

🔍 Types of Reconnaissance

1. Passive Reconnaissance

Involves gathering information without directly interacting with the target system. The goal is to remain undetected. Examples:

  • Google Dorking (search engine hacking)
  • WHOIS & DNS lookups
  • Social media & data leaks (OSINT)
  • Subdomain enumeration using public sources

2. Active Reconnaissance

Involves direct interaction with the target system to gather detailed technical information. Examples:

  • Port scanning (Nmap, Masscan)
  • Service enumeration
  • Directory bruteforcing (Gobuster, Dirb)
  • Banner grabbing

🧠 Step-by-Step Reconnaissance Guide

Step 1: Define the Scope

Clarify what domains, IPs, systems, and services are in-scope. Always respect legal and ethical boundaries.

Step 2: Passive Recon Tools

Step 3: Active Recon Techniques

🌐 Real-World Example

# Find subdomains using crt.sh
https://crt.sh/?q=%25.targetdomain.com

# Run Nmap scan to find open ports
nmap -sC -sV -T4 targetdomain.com

# Use Gobuster to discover directories
gobuster dir -u https://targetdomain.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html
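The crt.sh query above (the `%25` is a URL-encoded `%` wildcard) returns certificate transparency entries, which makes it a passive source: nothing touches the target's own infrastructure, and the same lookup is what a defender runs against their own domain to spot forgotten or unexpected subdomains. The following is an added example, not code from the original page; it parses a constructed response modelled on crt.sh's JSON output (`&output=json`), assuming the `common_name` and `name_value` fields, and compares the result with a known asset inventory.

```python
import json
import re

# Constructed sample modelled on crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). Fields assumed here:
# `common_name` and `name_value`, the latter holding newline-separated SANs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nstaging.dev.example.com"},
    {"common_name": "Mail.Example.com",
     "name_value": "Mail.Example.com\nwww.example.com"},
    {"common_name": "example.com.evil.test",  # different zone, must be dropped
     "name_value": "example.com.evil.test"},
])

HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")


def parse_crtsh(raw_json: str, zone: str) -> list[str]:
    """Return sorted, unique hostnames from crt.sh JSON that lie within `zone`."""
    zone = zone.lower().strip(".")
    found = set()
    for entry in json.loads(raw_json):
        # name_value may carry several SANs separated by newlines
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        for name in candidates:
            name = name.strip().lower().rstrip(".")
            if not HOSTNAME_RE.match(name):
                continue  # skips blanks and anything that is not a hostname
            # Scope check on a label boundary: "example.com.evil.test" fails it
            if name == zone or name.endswith("." + zone):
                found.add(name)  # wildcard names kept: they flag wildcard certs
    return sorted(found)


def unexpected_hosts(found: list[str], known: set[str]) -> list[str]:
    """Hosts in CT logs that the asset inventory does not know about."""
    return [h for h in found if h not in known]


if __name__ == "__main__":
    hosts = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(hosts))
    print("unexpected:", unexpected_hosts(hosts, {"www.example.com", "example.com"}))
```

Names are lowercased and de-duplicated because the same host appears across many certificates; the unexpected list is what to reconcile against the scope defined in Step 1.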

💡 Practical Tips

📚 Recommended Tools & Resources