Reconnaissance Methodology

The art of gathering intelligence without alerting your target

Passive Reconnaissance

Passive reconnaissance gathers information without directly interacting with the target systems: queries go to third-party sources (search engines, public databases, certificate logs), so nothing reaches the target's own infrastructure or logs, making it virtually undetectable by the target.

OSINT Tools & Techniques

Search Engines & Databases

🔍 Google Dorking
Advanced search operators to find sensitive information
📡 Shodan
Internet-connected device search engine
🔬 Censys
Internet-wide scanning data analysis
👁️ ZoomEye
Cyberspace search engine
# Google Dorking Examples
site:target.com filetype:pdf
inurl:admin site:target.com
"confidential" site:target.com
cache:target.com
# (Google retired the cache: operator in 2024; it no longer returns cached copies)

DNS & Domain Intelligence

Historical DNS data and domain intelligence
📜 crt.sh
Certificate transparency logs
DNS reconnaissance and mapping
🔍 Robtex
DNS and IP analysis tool

Social Media & People Search

💼 LinkedIn
Employee enumeration and organizational charts
👤 Pipl
People search engine
📊 Spokeo
Personal information aggregator

Code Repositories

Search code repositories for references to the target:
  • GitHub: Search for API keys, credentials, internal URLs
  • GitLab: Similar to GitHub for exposed repositories
  • Pastebin: Text sharing service often containing leaked data

Passive Reconnaissance Commands

# Whois information
whois target.com

# DNS enumeration (ANY queries are often refused or minimized by resolvers, see RFC 8482)
dig target.com any
dig @8.8.8.8 target.com mx
nslookup -type=ns target.com

# Reverse DNS
dig -x [IP_ADDRESS]

# Zone transfer attempt
# Note: this talks to the target's authoritative name server directly, so it is
# active rather than passive and will show up in that server's query logs
dig axfr target.com @ns1.target.com

# Certificate transparency (the '%' wildcard is sent URL-encoded as %25)
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
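The crt.sh pipeline above, reworked as an added Python example (this is not code from the original cheat sheet): it parses the JSON shape crt.sh returns (an array of certificate records whose name_value field carries one or more names separated by newlines, some of them wildcards), strips wildcards and duplicates the way the jq/sed/sort pipeline does, and then checks every name against the engagement scope, because shared certificates routinely list hosts that belong to other organisations. The sample records, the domain target.com and the issuer name are constructed.

```python
"""Parse a crt.sh JSON response into a de-duplicated, scope-checked host list.

Added example, not from the original cheat sheet. The input mirrors what
https://crt.sh/?q=%25.target.com&output=json returns; the records below are
constructed, not real crt.sh output.
"""
import json
from urllib.parse import quote

# Constructed sample: three certificate records for the hypothetical target.com.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.dev.target.com\nVPN.target.com"},
    # Shared-hosting certificates often bundle names from unrelated domains.
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "mail.target.com\ncdn.other-site.example\ntarget.com.evil.example"},
])


def crtsh_query_url(domain: str) -> str:
    """Build the crt.sh wildcard query URL with the '%' properly percent-encoded."""
    return "https://crt.sh/?q=" + quote(f"%.{domain}", safe="") + "&output=json"


def extract_hostnames(crtsh_json: str) -> set:
    """Flatten every name_value into individual, lower-cased host names.

    Equivalent to `jq -r '.[].name_value' | sed 's/\\*\\.//g' | sort -u`:
    the wildcard prefix is stripped, so '*.dev.target.com' becomes 'dev.target.com'.
    """
    names = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name:
                names.add(name)
    return names


def in_scope(hostname: str, scope_domain: str) -> bool:
    """True only if hostname is the scope domain itself or a real subdomain of it.

    A plain substring test would wrongly accept 'target.com.evil.example';
    comparing on a label boundary does not.
    """
    scope_domain = scope_domain.lower()
    return hostname == scope_domain or hostname.endswith("." + scope_domain)


def split_by_scope(crtsh_json: str, scope_domain: str):
    """Return (sorted in-scope names, sorted out-of-scope names)."""
    hosts = extract_hostnames(crtsh_json)
    inside = sorted(h for h in hosts if in_scope(h, scope_domain))
    outside = sorted(h for h in hosts if not in_scope(h, scope_domain))
    return inside, outside


if __name__ == "__main__":
    print(crtsh_query_url("target.com"))
    inside, outside = split_by_scope(SAMPLE_CRTSH_JSON, "target.com")
    print("in scope:", inside)
    print("out of scope, leave alone:", outside)
```

The out-of-scope list is worth keeping rather than discarding: it documents which names were seen and deliberately excluded, which matters when the scope is later questioned.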

Active Reconnaissance

Active reconnaissance involves direct interaction with target systems and can potentially be detected by security monitoring tools.

⚠️ Warning: Active reconnaissance can be detected by intrusion detection systems and may trigger alerts. Always ensure you have proper authorization before conducting active reconnaissance.

Network Discovery

# Ping sweep
nmap -sn 192.168.1.0/24
fping -g 192.168.1.0/24

# ARP scan (local network only; needs root)
arp-scan -l
netdiscover -r 192.168.1.0/24

# TCP SYN scan (needs root; -T4 is fast and correspondingly noisy)
nmap -sS -T4 192.168.1.0/24

# UDP scan (slow; needs root)
nmap -sU --top-ports 1000 192.168.1.1
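The defender's side of the warning above, as an added Python example (not part of the original cheat sheet): the ping sweeps and SYN scans listed here leave a characteristic trace in firewall logs, one source touching many hosts or many ports within a short window, and a sliding-window count over those logs is enough to surface it. The log format and the sample lines are constructed to resemble a netfilter-style drop log, and the thresholds are assumptions to tune for your own network; the same windowed-count approach applies to the NXDOMAIN bursts that subdomain brute forcing produces in DNS query logs.

```python
"""Spot host sweeps and port scans in firewall logs.

Added example, not part of the original cheat sheet. The log format and the
sample lines are constructed, and the window and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a SYN scan of 25 ports on one host from 10.0.0.5, an ICMP
# sweep across 30 hosts from 10.0.0.7, and a little benign traffic from 10.0.0.9.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}Z DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dpt={20 + i} flags=S"
     for i in range(25)]
    + [f"2024-05-01T10:05:{i:02d}Z DROP src=10.0.0.7 dst=192.168.1.{i + 1} proto=ICMP type=8"
       for i in range(30)]
    + [
        "2024-05-01T10:07:00Z ACCEPT src=10.0.0.9 dst=192.168.1.10 proto=TCP dpt=443 flags=S",
        "2024-05-01T10:07:30Z ACCEPT src=10.0.0.9 dst=192.168.1.10 proto=TCP dpt=443 flags=S",
        "2024-05-01T11:07:30Z DROP src=10.0.0.9 dst=192.168.1.11 proto=TCP dpt=22 flags=S",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+)(?: dpt=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,  # ICMP lines carry no port
    }


def detect_scans(log_text, window=timedelta(seconds=60), port_threshold=15, host_threshold=20):
    """Return one alert per source (and per target host for port scans) when,
    inside a sliding time window, the source touches >= port_threshold distinct
    ports on one host (port scan) or >= host_threshold distinct hosts (host sweep)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        hosts = Counter()             # dst host -> events currently in the window
        ports = defaultdict(Counter)  # dst host -> {dst port: events in the window}
        reported = set()
        start = 0
        for e in evs:
            hosts[e["dst"]] += 1
            if e["dpt"] is not None:
                ports[e["dst"]][e["dpt"]] += 1
            # Slide the window: forget events older than `window` relative to this one.
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]
                hosts[old["dst"]] -= 1
                if hosts[old["dst"]] == 0:
                    del hosts[old["dst"]]
                if old["dpt"] is not None:
                    ports[old["dst"]][old["dpt"]] -= 1
                    if ports[old["dst"]][old["dpt"]] == 0:
                        del ports[old["dst"]][old["dpt"]]
                start += 1
            if len(hosts) >= host_threshold and ("sweep", src) not in reported:
                reported.add(("sweep", src))
                alerts.append({"type": "host_sweep", "src": src, "count": len(hosts), "at": e["ts"]})
            n_ports = len(ports[e["dst"]])
            if n_ports >= port_threshold and ("scan", src, e["dst"]) not in reported:
                reported.add(("scan", src, e["dst"]))
                alerts.append({"type": "port_scan", "src": src, "dst": e["dst"],
                               "count": n_ports, "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Each (source, kind) pair is reported once per run rather than on every further event, which keeps a single scan from flooding the alert queue; a production rule would additionally expire the `reported` entry after a quiet period.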

Active DNS Enumeration

# DNS brute force
dnsrecon -d target.com -D /usr/share/wordlists/dnsmap.txt -t brt
fierce --domain target.com   # older Perl fierce used: fierce -dns target.com
dnsenum target.com

# Subdomain enumeration
# (sublist3r and amass enum are passive by default; add -b / -brute for brute force)
sublist3r -d target.com
amass enum -d target.com
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
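A check for the zone-transfer exposure that the `dig axfr` attempt in the passive section probes, written from the DNS operator's side as an added Python example (not part of the original cheat sheet). It lints BIND-style named.conf text for allow-transfer statements, showing the weak setting (transfers allowed from anywhere) beside a corrected one (denied globally, one secondary permitted per zone). Both configurations, the zone name target.com and the secondary address 192.0.2.53 are constructed, and the lint assumes the conventional layout where each top-level block closes with `};` at column 0; it is not a full named.conf parser.

```python
"""Lint BIND-style named.conf text for zone-transfer (AXFR) exposure.

Added example, not from the original cheat sheet. Constructed config samples;
assumes top-level blocks close with "};" at column 0 as shown.
"""
import re

# Constructed weak configuration: AXFR is allowed from anywhere, which is the
# setting `dig axfr target.com @ns1.target.com` would succeed against.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
zone "target.com" {
    type master;
    file "target.com.zone";
};
"""

# Constructed corrected configuration: transfers denied globally, and only the
# secondary name server (constructed address) permitted for the zone.
HARDENED_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };
};
zone "target.com" {
    type master;
    file "target.com.zone";
    allow-transfer { 192.0.2.53; };
};
"""

# Assumption: each top-level block (options or zone) ends with "};" at column 0;
# nested statements such as allow-transfer are indented.
BLOCK_RE = re.compile(r'^(?:options|zone\s+"(?P<zone>[^"]+)")\s*\{(?P<body>.*?)^\};', re.S | re.M)
TRANSFER_RE = re.compile(r"allow-transfer\s*\{(?P<acl>[^}]*)\}\s*;")


def transfer_acls(conf):
    """Map 'options' and each zone name to its allow-transfer ACL text (None if absent)."""
    acls = {}
    for block in BLOCK_RE.finditer(conf):
        name = block.group("zone") or "options"
        match = TRANSFER_RE.search(block.group("body"))
        acls[name] = match.group("acl").strip().rstrip(";").strip() if match else None
    return acls


def zone_transfer_findings(conf):
    """Return {zone: (verdict, effective ACL)} where a zone without its own
    allow-transfer inherits the one from options."""
    acls = transfer_acls(conf)
    global_acl = acls.get("options")
    findings = {}
    for name, acl in acls.items():
        if name == "options":
            continue
        effective = acl if acl is not None else global_acl
        if effective is None:
            # BIND's default depends on the version; treat "not stated" as a finding.
            verdict = "UNSET"
        else:
            tokens = [t.strip().lower() for t in effective.split(";") if t.strip()]
            if "any" in tokens:
                verdict = "EXPOSED"
            elif tokens == ["none"]:
                verdict = "DENIED"
            else:
                verdict = "RESTRICTED"
        findings[name] = (verdict, effective)
    return findings


if __name__ == "__main__":
    print("weak:    ", zone_transfer_findings(WEAK_CONF))
    print("hardened:", zone_transfer_findings(HARDENED_CONF))
```

UNSET is reported as its own verdict on purpose: whether an unstated allow-transfer means "any" or "none" has changed between BIND releases, so the safe reading of a lint is that the policy should be written down explicitly.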

Reconnaissance Methodology

Phase 1: Target Identification

  1. Define Scope: Understand what systems and domains are in scope
  2. Initial Intelligence: Gather basic information about the target organization
  3. Domain Enumeration: Identify all domains and subdomains associated with the target

Phase 2: Information Gathering

  1. OSINT Collection: Use passive techniques to gather intelligence
  2. Social Engineering Prep: Identify key personnel and organizational structure
  3. Technology Stack: Identify technologies, frameworks, and platforms in use

Phase 3: Active Enumeration

  1. Network Mapping: Discover live hosts and network topology
  2. Service Discovery: Identify running services and open ports
  3. Version Detection: Determine software versions and configurations

Advanced Reconnaissance Techniques

Email Harvesting

# theHarvester - Email and subdomain harvesting
theharvester -d target.com -b all -l 500

Metadata Analysis

# FOCA - Document metadata analysis (Windows GUI tool)
# Download documents from target website
# Extract metadata using exiftool
exiftool document.pdf

Social Media Intelligence

Social Media Reconnaissance Targets:
  • Employee information and org charts
  • Office locations and photos
  • Technology usage and preferences
  • Security awareness levels
  • Personal information for social engineering

Geolocation Intelligence

# IP geolocation
curl "https://ipinfo.io/8.8.8.8"
# Satellite imagery analysis
# Google Earth, Bing Maps for physical reconnaissance

Reconnaissance Documentation

Information to Document

  • Domain Information: Registrar, DNS servers, contact information
  • Network Ranges: IP addresses and subnets associated with target
  • Subdomains: All discovered subdomains and their purposes
  • Email Addresses: Employee emails and potential usernames
  • Personnel: Key employees, roles, and social media profiles
  • Technologies: Web servers, frameworks, CMS platforms
  • Third-party Services: Cloud providers, CDNs, external integrations

Threat Intelligence Integration

Integrate reconnaissance with threat intelligence:
  • Check if target has been involved in previous breaches
  • Look for publicly disclosed vulnerabilities
  • Review security advisories and patch status
  • Analyze attack patterns against similar organizations

Legal and Ethical Considerations

⚠️ Important Legal Considerations:
  • Authorization: Ensure you have written permission before conducting reconnaissance
  • Scope Boundaries: Stay within defined boundaries and targets
  • Data Protection: Handle collected information responsibly
  • Third-party Services: Be aware of terms of service when using OSINT tools
  • Disclosure: Report findings responsibly through proper channels

Best Practices

  • Start with passive reconnaissance to minimize detection risk
  • Document all findings systematically
  • Verify information from multiple sources
  • Use VPNs and proxy services for anonymity
  • Maintain operational security throughout the process
  • Regularly update reconnaissance data, since it changes over time